CN111447187A - Cross-domain authentication method for heterogeneous Internet of things - Google Patents

Cross-domain authentication method for heterogeneous Internet of things Download PDF

Info

Publication number
CN111447187A
CN111447187A CN202010198209.9A CN202010198209A CN111447187A CN 111447187 A CN111447187 A CN 111447187A CN 202010198209 A CN202010198209 A CN 202010198209A CN 111447187 A CN111447187 A CN 111447187A
Authority
CN
China
Prior art keywords
authentication
equipment
domain
key
endorsement
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010198209.9A
Other languages
Chinese (zh)
Inventor
陈龙
毛浥龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University of Post and Telecommunications
Original Assignee
Chongqing University of Post and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University of Post and Telecommunications filed Critical Chongqing University of Post and Telecommunications
Priority to CN202010198209.9A priority Critical patent/CN111447187A/en
Publication of CN111447187A publication Critical patent/CN111447187A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a cross-domain authentication method for a heterogeneous Internet of things, and belongs to the technical field of Internet of things. Establishing a credible authentication center; the device initiates an endorsement request of cross-domain access to the registered system, the system issues an endorsement voucher for the device based on the request, generates a digital signature of the system, and then uploads the voucher and the digital signature to the authentication center together. The device initiates an access request to the accessed domain and simultaneously sends the endorsement credential of the device to the accessed domain. And the accessed domain inquires the endorsement certificate record through the authentication center and calculates the credible evaluation index. If the identity of the device passes the verification, a temporary access identity is established for the device, the negotiation of the session key is completed, and the authentication record is recorded in the authentication center. The invention breaks the problem of trust islands among systems; meanwhile, the uncertainty of different systems and different authentication modes is quantified by calculating the reliability of the equipment, and the safe use of the equipment in the Internet of things is facilitated.

Description

Cross-domain authentication method for heterogeneous Internet of things
Technical Field
The invention belongs to the technical field of Internet of things, and relates to a cross-domain authentication method for heterogeneous Internet of things.
Background
The Internet of things is a network connected with everything, is an extended and expanded network on the basis of the Internet, combines various information sensing devices with the Internet to form a huge network, realizes the ubiquitous connection of the things and the people, and realizes the intelligent perception, identification and management of the things and the process. Nowadays, the application of the internet of things relates to the aspect of the aspect, the development of industries such as industry, traffic, smart home and the like is promoted, and the influence on daily work and life of people is more and more large. However, the rapid development of the internet of things makes the internet of things become a pair of double-edged swords, and brings security threats and security management problems of the internet of things equipment while providing convenient services. Meanwhile, the device access system needs to register first to establish a trust relationship, but repeated registration in different systems increases the use burden of the device, and meanwhile, the security is also lacked. In reality, a plurality of security events invading the internet of things system occur, so the identity authentication problem of the internet of things is an important problem of the security of the internet of things. Developing the identity authentication research of the Internet of things equipment has positive social significance for the safety of the Internet of things and the promotion of the development of the Internet of things.
At present, the identity recognition of the internet of things device is mainly researched through identity prediction in a cryptology-based mode. Different systems, different domains employ different cryptographic authentication jurisdictions for authentication. The most common method is to adopt a public key certificate mechanism to realize identity authentication, and a PKI technology is generally adopted to carry out authentication through a public key certificate; or directly generating a public key by using the unique identification of the user by adopting an identity-based cryptography (IBC). The current identity authentication research mainly aims at different cryptographic technologies, and the research on how to authenticate the same equipment under the cross-domain condition is not deeply carried out. And most of internet of things equipment resources and computing capacity are limited, and encryption technology with higher requirements may not be applied. Meanwhile, the cross-domain authentication requirement of the equipment in the heterogeneous Internet of things environment is not considered.
Disclosure of Invention
In view of the above, the present invention provides a cross-domain authentication method for a heterogeneous internet of things, which solves the problem of cross-domain identity authentication of the heterogeneous internet of things, and can effectively authenticate a device when the device needs to access different internet of things systems; the registration system provides endorsement certificates for the equipment, and the equipment can access other systems only by one-time registration and login, thereby breaking the gap of different trust domains and solving the problem of trust island. Meanwhile, uncertainty of different systems and different authentication modes is quantified through calculating the reliability of equipment, and the safety of the Internet of things system is facilitated. After the authentication is passed, key agreement is carried out based on the SM9 encryption algorithm, and the communication security is ensured.
In order to achieve the purpose, the invention provides the following technical scheme:
a cross-domain authentication method of a heterogeneous Internet of things comprises the following steps:
s1: establishing an authentication center trusted by different systems, accessing the authentication center by the different systems, and registering and logging in the equipment in one system;
s2: the device requests an authentication endorsement for cross-domain access from a registered system domain, the system issues an endorsement certificate for the device based on the request, generates a digital signature of the system, and uploads the certificate and the digital signature to an authentication center;
s3: the device initiates an access request to the accessed domain and simultaneously sends the endorsement voucher of the device to the accessed domain;
s4: the accessed domain analyzes the request sent by the equipment, the request which meets the requirement is inquired through the authentication center for endorsement certification record, and the endorsement certificate is verified; then calculating the credibility of the equipment, if the credibility reaches the threshold value of the system, the authentication is passed, if the credibility does not reach the threshold value of the system, the authentication is failed, and if the equipment wants to continue to access, the equipment needs to register in the access system again;
s5: if the identity of the device is verified, the negotiation of the session key between the device and the system is completed based on the SM9 algorithm, the negotiated key is subsequently used for communication, and the authentication record is recorded in the authentication center.
Optionally, in step S1, an authentication center is established, and the functions of the authentication center specifically include: the information of each system accessed to the certification center can be recorded, the certification center issues a digital certificate to each system, then different trust ratings are divided according to the certification mode of each system, and the evaluation range is [0,1 ]; recording and inquiring a trust endorsement certificate issued to the equipment by the system; the device has the function of a private key generation center and assists in key agreement between the device and the system.
Optionally, in step S2, the method for sending, by the device, a request for applying for an authentication endorsement credential for cross-domain access to the registered system domain includes: unique identification of the device, registered identity information, system expecting cross-domain access, and timestamp;
the process of the system issuing the endorsement voucher specifically comprises the following steps: the system analyzes the request of the equipment, inquires the information expected to access the system through the authentication center after confirming that the identity of the equipment is legal and the request of the equipment is legal, generates a pair of public key private keys, generates an endorsement certificate by the public key and the identity information, carries out digital signature by using the private key in a digital certificate issued by the authentication center, then sends the certificate, the digital signature and the private key to the equipment, and simultaneously writes a certification record into the authentication center;
the endorsement credential information includes: the system comprises a unique identity identification of the equipment, equipment credibility, an identification of a certificate issuing system, a name of the certificate issuing system, an authentication mode of the certificate issuing system, an equipment authentication result, effective time of the certificate, a timestamp, a digital signature of the certificate issuing system, an identification of an expected access system and a public key for encrypted communication with the equipment.
Optionally, in step S3, the access request specifically includes: the unique identity of the device, the content of the request, the endorsement credential, the identity of the credential issuance system, the name of the credential issuance system, the request validity period, and the timestamp.
Optionally, in step S4, the access system autonomously calculates the reliability according to the device reliability of the endorsement credential and the record of the authentication center for cross-domain access to the device, except for verifying the basic attribute field, and performs subsequent key agreement and access control processes;
the parsing of the access request specifically includes: firstly, the system analyzes the request and checks the time stamp and the request content of the request; then, inquiring the information of the certificate issuer through the authentication center, verifying the digital signature and verifying whether the certificate is complete; finally, the validity period of the certificate, the state of the issuer, whether the request is compliant or not and whether the issuer is in the trust list of the local domain or not are checked.
Optionally, in step S4, the cross-domain access authentication record of the device specifically includes: the equipment can pass through the authentication of a plurality of systems, the system can give the equipment a trust level after passing the authentication each time, and the authentication record of the equipment is recorded through the authentication center, so that the equipment can be referred to the next cross-domain authentication;
the credibility of the equipment specifically includes: describing three aspects of the trust degree Td, the entropy En and the super-entropy He as a triple < Td, En and He >, wherein the trust degree represents the credibility degree of a device which is completely credible and reflects the qualitative description of an application system to a user; the entropy describes the uncertainty of the trust degree and reflects that the comprehensive trust degree belongs to the acceptable range size of the space; the super entropy describes the uncertainty of entropy, reflecting possible random values in the comprehensive confidence sample space;
the calculation method of the device credibility specifically includes: the equipment may have a plurality of systems which pass the authentication, a plurality of trust routes may exist between the target domain and the equipment, a plurality of recommending entities may exist in each trust route, each authentication path is analyzed, and then the comprehensive trust degree is calculated;
confidence TD of single pathiEntropy EniAnd hyper entropy HeiThe calculation formulas of (A) and (B) are respectively as follows:
Figure BDA0002418377380000031
wherein TDijIs the trust value of each trust entity, and the value range is [0,1]]Where Bi is the first-order center-to-center distance of the confidence value of the path, Si2Is the confidence value variance of the path;
the comprehensive trust TD, entropy En and super entropy He of the multiple trust paths are calculated by the following formula:
Figure BDA0002418377380000032
wherein C isiThe weight of each path is represented, the weight is set by the verifier subjectively, and the value range is [0,1]]And C is1+C2+…+CiGeneral default is 1, CiIs 1/m, m is the number of paths;
the highest equipment trust degree is the system trust rating given by the authentication center to the system;
the system threshold specifically includes: the threshold value is the lowest comprehensive trust degree required by accessing the system, and is set when the system is added into the authentication center; and when En and He are too large, the trust is represented to be unreliable, and the risk is higher.
Optionally, in step S5, after the system verifies the identity of the device, a public key and a private key are generated for the device; the authentication center is enabled to function as a private key generation center, and the private key is calculated and generated by the authentication center and then is sent to the user; then using the temporary identity for encrypted communication; after the negotiation of the session key is completed, the authentication record is recorded in the authentication center;
the key agreement of the equipment is based on the algorithm of the SM9 cryptographic key, and the specific steps are as follows:
firstly, establishing a system master key:
when the device passes the verification, the accessed domain selects a random number N, the random number N is sent to the authentication center together with the identifier ID of the device and a key generation request, the authentication center generates and discloses system parameters { N, P1, P2, G1, G2, e, H1 and H2} based on a bilinear pair, and selects a random number s1As part of the master key of an entity, s1<N-1; the corresponding public key is Ppub=s1*P2Secret saving s1Disclosure of Ppub
Then, generation of the user-part key:
selecting and disclosing a private key generating function identifier hid, calculating t1=H1(ID‖hid,N)+s1If t is1If 0, then s is reselected1Otherwise, calculate t2=s1*t-1The partial private key of the user is da1=t2*P1(ii) a Part of the public key of the user is Qa1=(H1(ID||hid,N))P2+Ppub
Carrying out digital signature on part of the public and private keys, and sending the digital signature and the timestamp T to an endorsement system of the equipment together in an encrypted manner;
next, generation of the user integrity key:
the endorsement system decrypts the information, verifies the signature information if the freshness of the timestamp is verified, and generates a complete public and private key by using a part of the public and private keys if the verification is passed;
selecting a random number s2As another part of the master key of the entity, s2<N-1; the corresponding public key is Ppub2=s2*P2Secret saving s2Disclosure of Ppub2The entity public key is Qa ═ Qa1+Ppub2Calculating t3=t1+s2The private key of the entity is da ═ (t)1*da1+s2*P1)*t3 -1
Finally, the key is sent to the device:
then, the public and private keys are encrypted by using a public key in the endorsement certificate, and are sent to an authentication center after a timestamp is added;
after detecting that the timestamp is fresh, the authentication center forwards the information to an access system;
after the access system verifies that the timestamp is fresh, the encrypted information is added with a public key of the system and then is forwarded to the equipment;
the device decrypts the information from the original endorsement system, verifies the public and private keys, and then uses the public and private keys to conduct encrypted communication with the access system.
The invention has the beneficial effects that: according to the invention, a trusted authentication center is arranged to establish trust relationships among systems and trust relationships between the systems and equipment, and a comprehensive trust value is calculated through a trust transfer idea, so that authentication of the equipment among different systems is effectively realized, the problem of trust island is broken, the authentication process of the equipment of the Internet of things in different systems is simplified, key negotiation is carried out based on a SM9 algorithm after authentication is passed, subsequent communication can be encrypted, and the security of the Internet of things is facilitated.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the means of the instrumentalities and combinations particularly pointed out hereinafter.
Drawings
For the purposes of promoting a better understanding of the objects, aspects and advantages of the invention, reference will now be made to the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 is a schematic flow chart of a method according to a preferred embodiment of the present invention;
fig. 2 is a cross-domain authentication model diagram of heterogeneous internet of things equipment;
FIG. 3 is a diagram of a confidence model;
fig. 4 is a key agreement flow chart.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention in a schematic way, and the features in the following embodiments and examples may be combined with each other without conflict.
Wherein the showings are for the purpose of illustrating the invention only and not for the purpose of limiting the same, and in which there is shown by way of illustration only and not in the drawings in which there is no intention to limit the invention thereto; to better illustrate the embodiments of the present invention, some parts of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product; it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
The same or similar reference numerals in the drawings of the embodiments of the present invention correspond to the same or similar components; in the description of the present invention, it should be understood that if there is an orientation or positional relationship indicated by terms such as "upper", "lower", "left", "right", "front", "rear", etc., based on the orientation or positional relationship shown in the drawings, it is only for convenience of description and simplification of description, but it is not an indication or suggestion that the referred device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and therefore, the terms describing the positional relationship in the drawings are only used for illustrative purposes, and are not to be construed as limiting the present invention, and the specific meaning of the terms may be understood by those skilled in the art according to specific situations.
As shown in fig. 1, a cross-domain identity authentication method for a heterogeneous internet of things includes the following specific steps:
step 11: an authentication center is established which is trusted by different systems.
As shown in fig. 2, the model mainly includes two parts, one part is an authentication center, and the other part is various heterogeneous internet of things systems. The authentication center has the specific functions of: the information of each system accessed to the certification center can be recorded, the certification center issues a digital certificate to each system, then different trust ratings are divided according to the certification mode of each system, and the evaluation range is [0,1 ]; recording and inquiring a trust endorsement certificate issued to the equipment by the system; the device has the function of a private key generation center and assists in key agreement between the device and the system.
Step 12: device application for trust endorsement credential for cross-domain access
The device initiates an authentication request of cross-domain access to the application system domain for registration, the system issues an endorsement credential for the device based on the request, generates a digital signature of the system, and then uploads the credential and the digital signature to the authentication center together.
Specifically, the device sending a request to a registered system domain for authentication endorsement credentials for cross-domain access comprises: unique identification of the device, registration identity information, system expecting cross-domain access, timestamp, etc.
Specifically, the process of issuing the endorsement credential by the system specifically includes: the system analyzes the request of the equipment, after the identity of the equipment and the request of the equipment are confirmed to be legal, the information expecting to access the system is inquired through the authentication center, a pair of public key and private key is generated, the public key and the identity information are generated into an endorsement certificate, a private key in a digital certificate issued by the authentication center is used for carrying out digital signature, then the certificate, the digital signature and the private key are sent to the equipment, and meanwhile, a certification record is written into the authentication center.
Specifically, the endorsement credential information comprises: the system comprises a unique identity identification of the equipment, equipment credibility, an identification of a certificate issuing system, a name of the certificate issuing system, an authentication mode of the certificate issuing system, an equipment authentication result, effective time of the certificate, a timestamp, a digital signature of the certificate issuing system, an identification of an expected access system and a public key for encrypted communication with the equipment.
Step 13: device-initiated cross-domain access request
The access request specifically includes: unique identification of the device, requested content, endorsement credential, identification of the credential issuing system, name of the credential issuing system, request validity period, timestamp.
Step 14: and authenticating the identity of the equipment.
The method comprises the following specific steps: firstly, a domain to be accessed is analyzed according to a request sent by equipment; then, the accessed domain inquires the authentication record of the user from the authentication center, extracts a trust value according to the equipment credibility in the endorsement voucher and the records of other systems in the authentication center, and analyzes an access path; then, the reliability is calculated autonomously; and finally, if the credibility reaches the threshold value of the system, the authentication is passed, and the subsequent key agreement and access control processes are implemented. If not, authentication fails, and if the device wants to continue access, the device needs to register again in the access system.
Specifically, the parsing of the access request specifically includes: firstly, the system analyzes the request and checks the time stamp and the request content of the request; then, inquiring the information of the certificate issuer through the authentication center, verifying the digital signature and verifying whether the certificate is complete; and finally checking the validity period of the certificate, the state of the issuer, whether the request is in compliance, whether the issuer is in a trust list of the local domain and the like.
Specifically, the record of the authentication of the device refers to: the device may pass the authentication of multiple systems, the system may give the device a trust level after each pass of the authentication, and the authentication record of the device may be recorded by the authentication center, which may be referred to for the next cross-domain authentication of the device.
Specifically, the credibility means: although the device has obtained a trust endorsement through its authentication by other systems, there still exist some uncertainties, such as the reliability and security of the authentication mechanism of different systems cannot be fully determined. When the accessed system carries out authentication judgment, comprehensive processing is needed to be carried out for adoption.
To describe this uncertainty, it is described by using three aspects of the confidence (Td), entropy (En) and super entropy (He), expressed as a triple < Td, En, He >, the confidence representing the trustworthiness of a device, reflecting the qualitative description of the user by the application system; the entropy describes the uncertainty of the confidence level, and reflects that the comprehensive confidence level belongs to the acceptable range size of the space; the super entropy describes the uncertainty of the entropy, reflecting possible random values in the comprehensive confidence sample space.
FIG. 3 is a diagram of a trust model, where a device may have multiple systems that pass authentication, and thus there may be several trust routes between a target domain and the device, there may be several recommending entities per trust route, each authentication path is resolved,
confidence TD of single pathiEntropy EniAnd hyper entropy HeiThe calculation formulas of (A) and (B) are respectively as follows:
Figure BDA0002418377380000071
wherein TDijIs the trust value of each trust entity, and the value range is [0,1]]Where Bi is the first-order center-to-center distance of the confidence value of the path, Si2Is the confidence value variance of the path.
The comprehensive trust TD, entropy En and super entropy He of the multiple trust paths are calculated by the following formula:
Figure BDA0002418377380000072
wherein C isiThe weight of each path is represented, the weight is set by the verifier subjectively, and the value range is [0,1]]And C is1+C2+…+CiGeneral default is 1, CiIs 1/m, m being the number of paths.
The system with low security level can not give a trust rating value higher than the security of the system, so the trust is the highest system trust rating given by the system to join the authentication center.
Specifically, the threshold of the system refers to the lowest comprehensive trust required for accessing the system, and is set when the system joins the authentication center. The domain with lower requirement on safety can only refer to the comprehensive trust, the application and the domain with high requirement on safety can comprehensively consider the risks of entropy and super entropy, and when En and He are too large, the trust is represented to be unreliable, so that the risk is higher.
Step 15: if the identity of the device passes the verification, a temporary access identity is established for the device, the negotiation of the session key is completed, and the authentication record is recorded in the authentication center. The generation negotiation of the key is based on the algorithm of the cryptographic SM 9: referring to fig. 4, the specific implementation of this step is as follows:
step 151: establishing a system master key:
when the device passes the verification, the accessed domain selects a random number N, sends the random number N to the authentication center together with the identifier ID of the device and the key generation request, generates and discloses system parameters { N, P1, P2, G1, G2, e, H1 and H2} by the authentication center based on bilinear pairs, and selects a random number s1(s 1)<N-1) as an entityThe corresponding public key is Ppub=s1*P2Secret saving s1Disclosure of Ppub
Step 152: generation of user part key:
selecting and disclosing a private key generating function identifier hid, calculating t1=H1(ID‖hid,N)+s1If t is1If 0, then s is reselected1Otherwise, calculate t2=s1*t-1The partial private key of the user is da1=t2*P1. Part of the public key of the user is Qa1=(H1(ID||hid,N))P2+Ppub
And carrying out digital signature on part of the public and private keys, and sending the digital signature and the timestamp T to an endorsement system of the equipment together.
Step 153: generation of user integrity key:
and the endorsement system decrypts the information, verifies the signature information if the freshness of the timestamp is verified, and generates a complete public and private key by using part of the public and private keys if the verification is passed.
Selecting a random number s2(s2<N-1) as another part of main key of entity, and the corresponding public key is Ppub2=s2*P2Secret saving s2Disclosure of Ppub2The entity public key is Qa ═ Qa1+Ppub2Calculating t3=t1+s2The private key of the entity is da ═ (t)1*da1+s2*P1)*t3 -1
Step 154: distribution of user keys:
and then, encrypting the public and private keys by using the public key in the endorsement certificate, adding a timestamp and sending to the authentication center.
And after detecting the freshness of the timestamp, the authentication center forwards the information to the access system.
And after the access system verifies that the timestamp is fresh, the encrypted information is added with the public key of the system and then is forwarded to the equipment.
The device decrypts the information from the original endorsement system, verifies the public and private keys, and then uses the public and private keys to conduct encrypted communication with the access system.
In the invention, a credible authentication center is set, after the device applies for the endorsement voucher, the device accesses other systems in a cross-domain manner, the accessed system can analyze a trust route based on the endorsement voucher and previous authentication records by inquiring the authentication center, then the comprehensive credibility of the device is calculated, if the comprehensive credibility reaches a threshold value, the authentication is successful, and the device and the system carry out key agreement. By the method and the device, cross-domain authentication between heterogeneous Internet of things systems can be realized after the equipment is registered for one time, the problem of a trust island is broken, the authentication process of the equipment of the Internet of things in different systems is simplified, meanwhile, the uncertainty problem of different systems and different authentication modes is quantified by calculating the reliability of the equipment, and the safe use of the equipment of the Internet of things is facilitated. The communication security between the equipment and the system is ensured by the encryption communication after the authentication is passed.
Finally, the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit the present invention, and although the present invention has been described in detail with reference to the preferred embodiments, it will be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions, and all of them should be covered by the claims of the present invention.

Claims (7)

1. A cross-domain authentication method of a heterogeneous Internet of things is characterized by comprising the following steps: the method comprises the following steps:
s1: establishing an authentication center trusted by different systems, accessing the authentication center by the different systems, registering the equipment in one system, and logging in the registered system;
s2: the device requests an authentication endorsement for cross-domain access from a registered system domain, the system issues an endorsement certificate for the device based on the request, generates a digital signature of the system, and uploads the certificate and the digital signature to an authentication center;
s3: the device initiates an access request to the accessed domain and simultaneously sends the endorsement voucher of the device to the accessed domain;
s4: the accessed domain analyzes the request sent by the equipment, the request which meets the requirement is inquired through the authentication center for endorsement certification record, and the endorsement certificate is verified; then calculating the credibility of the equipment, and if the credibility reaches the threshold value of the system, the authentication is passed; if the authentication is not achieved, the authentication fails, and if the equipment wants to continue to access, the equipment needs to register in the access system again;
s5: if the identity of the device is verified, the negotiation of the session key between the device and the system is completed based on the SM9 algorithm, the negotiated key is subsequently used for communication, and the authentication record is recorded in the authentication center.
2. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S1, an authentication center is established, and the functions of the authentication center specifically include: the information of each system accessed to the certification center can be recorded, the certification center issues a digital certificate to each system, then different trust ratings are divided according to the certification mode of each system, and the evaluation range is [0,1 ]; recording and inquiring a trust endorsement certificate issued to the equipment by the system; the device has the function of a private key generation center and assists in key agreement between the device and the system.
3. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S2, the method for sending, by the device, a request for applying for an authentication endorsement credential for cross-domain access to the registered system domain includes: unique identification of the device, registered identity information, system expecting cross-domain access, and timestamp;
the process of the system issuing the endorsement voucher specifically comprises the following steps: the system analyzes the request of the equipment, inquires the information expected to access the system through the authentication center after confirming that the identity of the equipment is legal and the request of the equipment is legal, generates a pair of public key private keys, generates an endorsement certificate by the public key and the identity information, carries out digital signature by using the private key in a digital certificate issued by the authentication center, then sends the certificate, the digital signature and the private key to the equipment, and simultaneously writes a certification record into the authentication center;
the endorsement credential information includes: the system comprises a unique identity identification of the equipment, equipment credibility, an identification of a certificate issuing system, a name of the certificate issuing system, an authentication mode of the certificate issuing system, an equipment authentication result, effective time of the certificate, a timestamp, a digital signature of the certificate issuing system, an identification of an expected access system and a public key for encrypted communication with the equipment.
4. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S3, the access request specifically includes: the unique identity of the device, the content of the request, the endorsement credential, the identity of the credential issuance system, the name of the credential issuance system, the request validity period, and the timestamp.
5. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S4, the access system autonomously calculates the reliability according to the device reliability of the endorsement credential and the record of the authentication center for cross-domain access to the device, except for verifying the basic attribute field, and performs subsequent key agreement and access control processes;
the parsing of the access request specifically includes: firstly, the system analyzes the request and checks the time stamp and the request content of the request; then, inquiring the information of the certificate issuer through the authentication center, verifying the digital signature and verifying whether the certificate is complete; finally, the validity period of the certificate, the state of the issuer, whether the request is compliant or not and whether the issuer is in the trust list of the local domain or not are checked.
6. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S4, the cross-domain access authentication record of the device specifically includes: the equipment can pass through the authentication of a plurality of systems, the system can give the equipment a trust level after passing the authentication each time, and the authentication record of the equipment is recorded through the authentication center, so that the equipment can be referred to the next cross-domain authentication;
the credibility of the equipment specifically includes: describing three aspects of the trust degree Td, the entropy En and the super-entropy He as a triple < Td, En and He >, wherein the trust degree represents the credibility degree of a device which is completely credible and reflects the qualitative description of an application system to a user; the entropy describes the uncertainty of the trust degree and reflects that the comprehensive trust degree belongs to the acceptable range size of the space; the super entropy describes the uncertainty of entropy, reflecting possible random values in the comprehensive confidence sample space;
the calculation method of the device credibility specifically includes: the equipment may have a plurality of systems which pass the authentication, a plurality of trust routes may exist between the target domain and the equipment, a plurality of recommending entities may exist in each trust route, each authentication path is analyzed, and then the comprehensive trust degree is calculated;
confidence TD of single pathiEntropy EniAnd hyper entropy HeiThe calculation formulas of (A) and (B) are respectively as follows:
Figure FDA0002418377370000021
wherein TDijIs the trust value of each trust entity, and the value range is [0,1]]Where Bi is the first-order center-to-center distance of the confidence value of the path, Si2Is the confidence value variance of the path;
the comprehensive trust TD, entropy En and super entropy He of the multiple trust paths are calculated by the following formula:
Figure FDA0002418377370000022
wherein C isiThe weight of each path is represented, the weight is set by the verifier subjectively, and the value range is [0,1]]And C is1+C2+…+CiGeneral default is 1, CiIs 1/m, m is the number of paths;
the highest equipment trust degree is the system trust rating given by the authentication center to the system;
the system threshold specifically includes: the threshold value is the lowest comprehensive trust degree required by accessing the system, and is set when the system is added into the authentication center; and when En and He are too large, the trust is represented to be unreliable, and the risk is higher.
7. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S5, after the system verifies the identity of the device, a public key and a private key are generated for the device; the authentication center is enabled to function as a private key generation center, and the private key is calculated and generated by the authentication center and then is sent to the user; then using the temporary identity for encrypted communication; after the negotiation of the session key is completed, the authentication record is recorded in the authentication center;
the key agreement of the equipment is based on the algorithm of the SM9 cryptographic key, and the specific steps are as follows:
firstly, establishing a system master key:
when the device passes the verification, the accessed domain selects a random number N, the random number N is sent to the authentication center together with the identifier ID of the device and a key generation request, the authentication center generates and discloses system parameters { N, P1, P2, G1, G2, e, H1 and H2} based on a bilinear pair, and selects a random number s1As part of the master key of an entity, s1<N-1; the corresponding public key is Ppub=s1*P2Secret saving s1Disclosure of Ppub
Then, generation of the user-part key:
selecting and disclosing a private key generating function identifier hid, calculating t1=H1(ID‖hid,N)+s1If t is1If 0, then s is reselected1Otherwise, calculate t2=s1*t-1The partial private key of the user is da1=t2*P1(ii) a Part of the public key of the user is Qa1=(H1(ID||hid,N))P2+Ppub
Carrying out digital signature on part of the public and private keys, and sending the digital signature and the timestamp T to an endorsement system of the equipment together in an encrypted manner;
next, generation of the user integrity key:
the endorsement system decrypts the information, verifies the signature information if the freshness of the timestamp is verified, and generates a complete public and private key by using a part of the public and private keys if the verification is passed;
selecting a random number s2As another part of the master key of the entity, s2<N-1; the corresponding public key is Ppub2=s2*P2Secret saving s2Disclosure of Ppub2The entity public key is Qa ═ Qa1+Ppub2Calculating t3=t1+s2The private key of the entity is da ═ (t)1*da1+s2*P1)*t3 -1
Finally, the key is sent to the device:
then, the public and private keys are encrypted by using a public key in the endorsement certificate, and are sent to an authentication center after a timestamp is added;
after detecting that the timestamp is fresh, the authentication center forwards the information to an access system;
after the access system verifies that the timestamp is fresh, the encrypted information is added with a public key of the system and then is forwarded to the equipment;
the device decrypts the information from the original endorsement system, verifies the public and private keys, and then uses the public and private keys to conduct encrypted communication with the access system.
CN202010198209.9A 2020-03-19 2020-03-19 Cross-domain authentication method for heterogeneous Internet of things Pending CN111447187A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010198209.9A CN111447187A (en) 2020-03-19 2020-03-19 Cross-domain authentication method for heterogeneous Internet of things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010198209.9A CN111447187A (en) 2020-03-19 2020-03-19 Cross-domain authentication method for heterogeneous Internet of things

Publications (1)

Publication Number Publication Date
CN111447187A true CN111447187A (en) 2020-07-24

Family

ID=71648967

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010198209.9A Pending CN111447187A (en) 2020-03-19 2020-03-19 Cross-domain authentication method for heterogeneous Internet of things

Country Status (1)

Country Link
CN (1) CN111447187A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111917760A (en) * 2020-07-28 2020-11-10 国家工业信息安全发展研究中心 Network collaborative manufacturing cross-domain fusion trust management and control method based on identification analysis
CN112055029A (en) * 2020-09-16 2020-12-08 全球能源互联网研究院有限公司 Zero-trust power Internet of things equipment and user real-time trust degree evaluation method
CN112887338A (en) * 2021-03-18 2021-06-01 南瑞集团有限公司 Identity authentication method and system based on IBC identification password
CN113285806A (en) * 2021-05-10 2021-08-20 湖南大学 Dynamic execution method and system for control instruction of power heterogeneous equipment
CN113612770A (en) * 2021-08-02 2021-11-05 中国科学院深圳先进技术研究院 Cross-domain secure interaction method, system, terminal and storage medium
CN113676447A (en) * 2021-07-12 2021-11-19 海南大学 Block chain-based scientific and technological service platform cross-domain identity authentication scheme
CN113783854A (en) * 2021-08-30 2021-12-10 湖南天河国云科技有限公司 Block chain-based credit data cross-chain sharing method and device
CN114205132A (en) * 2021-12-02 2022-03-18 北京八分量信息科技有限公司 Access authentication method and device in heterogeneous network and related products
CN114499848A (en) * 2022-01-26 2022-05-13 无锡融卡科技有限公司 Session key generation device and method
CN115913771A (en) * 2022-12-20 2023-04-04 四川启睿克科技有限公司 Internet of things equipment cross-domain authentication method based on distributed digital identity
CN116321159A (en) * 2023-01-14 2023-06-23 国网湖北省电力有限公司荆门供电公司 Distributed station data transmission method based on Beidou communication service
CN116707962B (en) * 2023-06-30 2024-06-07 北京中启赛博科技有限公司 Network access control and detection alarm method, device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070289006A1 (en) * 2001-03-22 2007-12-13 Novell, Inc. Cross domain authentication and security services using proxies for http access
CN101453476A (en) * 2009-01-06 2009-06-10 中国人民解放军信息工程大学 Cross domain authentication method and system
CN103780618A (en) * 2014-01-22 2014-05-07 西南交通大学 Method for cross-isomerism domain identity authentication and session key negotiation based on access authorization ticket
CN108848074A (en) * 2018-05-31 2018-11-20 西安电子科技大学 The information service entities cross-domain authentication method of trust value is acted on behalf of based on domain
CN109698747A (en) * 2019-02-15 2019-04-30 上海扈民区块链科技有限公司 A kind of identity base identity based on Bilinear map hides cryptographic key negotiation method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070289006A1 (en) * 2001-03-22 2007-12-13 Novell, Inc. Cross domain authentication and security services using proxies for http access
US7370351B1 (en) * 2001-03-22 2008-05-06 Novell, Inc. Cross domain authentication and security services using proxies for HTTP access
CN101453476A (en) * 2009-01-06 2009-06-10 中国人民解放军信息工程大学 Cross domain authentication method and system
CN103780618A (en) * 2014-01-22 2014-05-07 西南交通大学 Method for cross-isomerism domain identity authentication and session key negotiation based on access authorization ticket
CN108848074A (en) * 2018-05-31 2018-11-20 西安电子科技大学 The information service entities cross-domain authentication method of trust value is acted on behalf of based on domain
CN109698747A (en) * 2019-02-15 2019-04-30 上海扈民区块链科技有限公司 A kind of identity base identity based on Bilinear map hides cryptographic key negotiation method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
汪小芬,陈原,肖国镇: "基于身份的认证密钥协商协议的安全分析与改进", 《通信学报》 *
董贵山,陈宇翔,李洪伟,白健,郝尧,杨淳: "异构环境中基于区块链的跨域认证可信度研究", 《通信技术》 *
马晓婷: "基于区块链技术的证书管理与跨域认证方案", 《中国优秀硕士学位论文全文数据库》 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111917760B (en) * 2020-07-28 2022-08-30 国家工业信息安全发展研究中心 Network collaborative manufacturing cross-domain fusion trust management and control method based on identification analysis
CN111917760A (en) * 2020-07-28 2020-11-10 国家工业信息安全发展研究中心 Network collaborative manufacturing cross-domain fusion trust management and control method based on identification analysis
CN112055029A (en) * 2020-09-16 2020-12-08 全球能源互联网研究院有限公司 Zero-trust power Internet of things equipment and user real-time trust degree evaluation method
CN112055029B (en) * 2020-09-16 2023-04-07 全球能源互联网研究院有限公司 User real-time trust degree evaluation method for zero-trust electric power Internet of things equipment
CN112887338A (en) * 2021-03-18 2021-06-01 南瑞集团有限公司 Identity authentication method and system based on IBC identification password
CN113285806A (en) * 2021-05-10 2021-08-20 湖南大学 Dynamic execution method and system for control instruction of power heterogeneous equipment
CN113676447A (en) * 2021-07-12 2021-11-19 海南大学 Block chain-based scientific and technological service platform cross-domain identity authentication scheme
CN113612770A (en) * 2021-08-02 2021-11-05 中国科学院深圳先进技术研究院 Cross-domain secure interaction method, system, terminal and storage medium
WO2023010608A1 (en) * 2021-08-02 2023-02-09 中国科学院深圳先进技术研究院 Cross-domain secure interaction method and system, terminal, and storage medium
CN113783854A (en) * 2021-08-30 2021-12-10 湖南天河国云科技有限公司 Block chain-based credit data cross-chain sharing method and device
CN113783854B (en) * 2021-08-30 2023-10-17 湖南天河国云科技有限公司 Credit data cross-chain sharing method and device based on block chain
CN114205132A (en) * 2021-12-02 2022-03-18 北京八分量信息科技有限公司 Access authentication method and device in heterogeneous network and related products
CN114499848A (en) * 2022-01-26 2022-05-13 无锡融卡科技有限公司 Session key generation device and method
CN114499848B (en) * 2022-01-26 2023-05-30 无锡融卡科技有限公司 Session key generation device and method
CN115913771A (en) * 2022-12-20 2023-04-04 四川启睿克科技有限公司 Internet of things equipment cross-domain authentication method based on distributed digital identity
CN115913771B (en) * 2022-12-20 2024-04-26 四川启睿克科技有限公司 Internet of things equipment cross-domain authentication method based on distributed digital identity
CN116321159A (en) * 2023-01-14 2023-06-23 国网湖北省电力有限公司荆门供电公司 Distributed station data transmission method based on Beidou communication service
CN116321159B (en) * 2023-01-14 2024-01-02 国网湖北省电力有限公司荆门供电公司 Distributed station data transmission method based on Beidou communication service
CN116707962B (en) * 2023-06-30 2024-06-07 北京中启赛博科技有限公司 Network access control and detection alarm method, device and storage medium

Similar Documents

Publication Publication Date Title
CN111447187A (en) Cross-domain authentication method for heterogeneous Internet of things
CN109067801B (en) Identity authentication method, identity authentication device and computer readable medium
US11824995B2 (en) Bridging digital identity validation and verification with the FIDO authentication framework
JP4304362B2 (en) PKI-compliant certificate confirmation processing method and apparatus, and PKI-compliant certificate confirmation processing program
US11134069B2 (en) Method for authorizing access and apparatus using the method
US10771451B2 (en) Mobile authentication and registration for digital certificates
WO2005025125A1 (en) Device authentication system
AU2003212617A1 (en) A biometric authentication system and method
CN101262342A (en) Distributed authorization and validation method, device and system
CN111147460A (en) Block chain-based cooperative fine-grained access control method
CN112417494A (en) Power block chain system based on trusted computing
WO2023071751A1 (en) Authentication method and communication apparatus
US20140013116A1 (en) Apparatus and method for performing over-the-air identity provisioning
Gao et al. A privacy-preserving identity authentication scheme based on the blockchain
CN115277010A (en) Identity authentication method, system, computer device and storage medium
CN114938280A (en) Authentication method and system based on non-interactive zero-knowledge proof and intelligent contract
Zwattendorfer et al. A federated cloud identity broker-model for enhanced privacy via proxy re-encryption
Sun et al. Anonymous authentication and key agreement scheme combining the group key for vehicular ad hoc networks
WO2016171844A1 (en) Security model for identification and authentication in encrypted communications using delegate certificate chain bound to third party key
CN114079645A (en) Method and device for registering service
CN115412378B (en) Credibility authentication method and device for private data and financial private data related service
Zhang et al. A Lightweight Cross-Domain Authentication Protocol for Trusted Access to Industrial Internet
EP1959607B1 (en) A method and system for authenticating the identity
Zwattendorfer et al. Privacy-preserving realization of the STORK framework in the public cloud
WO2011152084A1 (en) Efficient mutual authentication method, program, and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20200724