CN111447187A - Cross-domain authentication method for heterogeneous Internet of things - Google Patents
- Publication number
- CN111447187A (CN202010198209.9A)
- Authority
- CN
- China
- Prior art keywords
- authentication
- equipment
- domain
- key
- endorsement
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to a cross-domain authentication method for a heterogeneous Internet of things, and belongs to the technical field of the Internet of things. A trusted authentication center is established. A device sends an endorsement request for cross-domain access to the system in which it is registered; based on the request, the system issues an endorsement credential for the device, generates the system's digital signature, and uploads the credential and the digital signature together to the authentication center. The device sends an access request to the accessed domain and at the same time sends its endorsement credential to the accessed domain. The accessed domain queries the endorsement credential record through the authentication center and calculates the trust evaluation index. If the identity of the device passes verification, a temporary access identity is established for the device, the negotiation of the session key is completed, and the authentication record is stored in the authentication center. The invention solves the problem of trust islands among systems; at the same time, the uncertainty of different systems and different authentication modes is quantified by calculating the credibility of the device, which facilitates the safe use of devices in the Internet of things.
Description
Technical Field
The invention belongs to the technical field of Internet of things, and relates to a cross-domain authentication method for heterogeneous Internet of things.
Background
The Internet of things is a network in which everything is connected. It extends and expands the Internet by combining various information-sensing devices with it to form a huge network, realizing ubiquitous connection between things and people and the intelligent perception, identification and management of things and processes. Today the Internet of things is applied in every field, promotes the development of industries such as manufacturing, transport and smart home, and has a growing influence on people's daily work and life. However, its rapid development makes the Internet of things a double-edged sword: while it provides convenient services, it also brings security threats and security-management problems for Internet of things devices. In addition, a device must first register with a system to establish a trust relationship before accessing it, but repeated registration in different systems increases the burden of using the device and also lacks security. In practice, many security incidents involving intrusion into Internet of things systems have occurred, so identity authentication is an important problem for Internet of things security. Research on identity authentication of Internet of things devices has positive social significance for the security of the Internet of things and for promoting its development.
At present, identity recognition of Internet of things devices is mainly studied with cryptography-based approaches. Different systems and different domains use different cryptographic authentication schemes. The most common method is a public key certificate mechanism, generally using PKI technology to authenticate through a public key certificate; alternatively, identity-based cryptography (IBC) is used to generate a public key directly from the user's unique identifier. Current identity authentication research mainly targets the different cryptographic technologies, and how to authenticate the same device across domains has not been studied in depth. Moreover, most Internet of things devices have limited resources and computing capacity, so demanding encryption technology may not be applicable. The cross-domain authentication requirements of devices in a heterogeneous Internet of things environment have also not been considered.
Disclosure of Invention
In view of the above, the present invention provides a cross-domain authentication method for a heterogeneous internet of things, which solves the problem of cross-domain identity authentication of the heterogeneous internet of things, and can effectively authenticate a device when the device needs to access different internet of things systems; the registration system provides endorsement certificates for the equipment, and the equipment can access other systems only by one-time registration and login, thereby breaking the gap of different trust domains and solving the problem of trust island. Meanwhile, uncertainty of different systems and different authentication modes is quantified through calculating the reliability of equipment, and the safety of the Internet of things system is facilitated. After the authentication is passed, key agreement is carried out based on the SM9 encryption algorithm, and the communication security is ensured.
In order to achieve the purpose, the invention provides the following technical scheme:
A cross-domain authentication method for a heterogeneous Internet of things comprises the following steps:
S1: An authentication center trusted by the different systems is established, the different systems join the authentication center, and the device registers and logs in to one of the systems;
S2: The device requests an authentication endorsement for cross-domain access from the system domain in which it is registered; based on the request, the system issues an endorsement credential for the device, generates the system's digital signature, and uploads the credential and the digital signature to the authentication center;
S3: The device sends an access request to the accessed domain and at the same time sends its endorsement credential to the accessed domain;
S4: The accessed domain parses the request sent by the device; for a request that meets the requirements, it queries the endorsement record through the authentication center and verifies the endorsement credential. It then calculates the credibility of the device: if the credibility reaches the system's threshold, authentication passes; if not, authentication fails, and a device that wants to continue access must register again in the accessed system;
S5: If the identity of the device is verified, the session key between the device and the system is negotiated based on the SM9 algorithm, the negotiated key is used for subsequent communication, and the authentication record is stored in the authentication center.
Optionally, in step S1, an authentication center is established, and its functions specifically include: recording the information of each system that joins the authentication center; issuing a digital certificate to each system and then assigning each system a trust rating, in the range [0,1], according to its authentication mode; recording and querying the trust endorsement credentials that systems issue to devices; and acting as a private key generation center that assists key agreement between the device and the system.
Optionally, in step S2, the request that the device sends to the registered system domain to apply for an authentication endorsement credential for cross-domain access includes: the unique identifier of the device, the registered identity information, the system to which cross-domain access is expected, and a timestamp;
The process by which the system issues the endorsement credential is specifically: the system parses the device's request; after confirming that the identity of the device and its request are legitimate, it queries the information of the system to be accessed through the authentication center, generates a public/private key pair, builds an endorsement credential from the public key and the identity information, signs it with the private key of the digital certificate issued by the authentication center, then sends the credential, the digital signature and the private key to the device, and at the same time writes a certification record into the authentication center;
The endorsement credential information includes: the unique identifier of the device, the device credibility, the identifier of the credential issuing system, the name of the credential issuing system, the authentication mode of the credential issuing system, the device authentication result, the validity period of the credential, a timestamp, the digital signature of the credential issuing system, the identifier of the expected access system, and a public key for encrypted communication with the device.
Optionally, in step S3, the access request specifically includes: the unique identity of the device, the content of the request, the endorsement credential, the identity of the credential issuance system, the name of the credential issuance system, the request validity period, and the timestamp.
Optionally, in step S4, in addition to verifying the basic attribute fields, the accessed system autonomously calculates the credibility from the device credibility in the endorsement credential and the authentication center's records of the device's cross-domain access, and then carries out the subsequent key agreement and access control processes;
The parsing of the access request is specifically: first, the system parses the request and checks its timestamp and request content; then, it queries the information of the credential issuer through the authentication center, verifies the digital signature and verifies that the credential is intact; finally, it checks the validity period of the credential, the state of the issuer, whether the request is compliant, and whether the issuer is in the trust list of the local domain.
Optionally, in step S4, the cross-domain access authentication record of the device is specifically: the device may pass the authentication of several systems; each time authentication passes, the system gives the device a trust level, and the device's authentication record is stored by the authentication center so that it can be consulted at the device's next cross-domain authentication;
The credibility of the device is specifically described by three quantities, the trust degree Td, the entropy En and the hyper entropy He, written as a triple <Td, En, He>. The trust degree represents how far a device is considered credible and reflects the application system's qualitative description of the user; the entropy describes the uncertainty of the trust degree and reflects the size of the acceptable range of the comprehensive trust degree in the space; the hyper entropy describes the uncertainty of the entropy and reflects the possible random values in the comprehensive trust sample space;
The calculation of the device credibility is specifically: the device may have been authenticated by several systems, so several trust routes may exist between the target domain and the device, and each trust route may contain several recommending entities; each authentication path is analyzed, and then the comprehensive trust degree is calculated;
The trust degree $TD_i$, entropy $En_i$ and hyper entropy $He_i$ of a single path are calculated respectively as follows:
where $TD_{ij}$ is the trust value of each trust entity, with value range [0,1], $B_i$ is the first-order central moment of the trust values of the path, and $S_i^2$ is the variance of the trust values of the path;
The comprehensive trust degree TD, entropy En and hyper entropy He of the multiple trust paths are calculated by the following formula:
where $C_i$ is the weight of each path, set subjectively by the verifier, with value range [0,1], and $C_1 + C_2 + \dots + C_i = 1$; by default $C_i$ is $1/m$, where $m$ is the number of paths;
The highest device trust degree is the system trust rating given to the system by the authentication center;
The system threshold is specifically: the threshold is the lowest comprehensive trust degree required to access the system, and is set when the system joins the authentication center; when En and He are too large, the trust is unreliable and the risk is higher.
Optionally, in step S5, after the system verifies the identity of the device, a public key and a private key are generated for the device; the authentication center acts as a private key generation center, and the private key is calculated and generated by the authentication center and then sent to the user; the temporary identity is then used for encrypted communication; after the negotiation of the session key is completed, the authentication record is stored in the authentication center;
The key agreement of the device is based on the SM9 cryptographic algorithm, and the specific steps are as follows:
First, establish the system master key:
When the device passes verification, the accessed domain selects a random number N and sends it, together with the identifier ID of the device and a key generation request, to the authentication center. The authentication center generates and publishes the bilinear-pairing-based system parameters {N, P1, P2, G1, G2, e, H1, H2}, and selects a random number $s_1$ as part of the master key of the entity, $s_1 < N-1$; the corresponding public key is $P_{pub} = s_1 \cdot P_2$; $s_1$ is kept secret and $P_{pub}$ is published;
Then, generate the partial user key:
Select and publish a private key generation function identifier hid, and calculate $t_1 = H_1(ID \| hid, N) + s_1$; if $t_1 = 0$, reselect $s_1$; otherwise calculate $t_2 = s_1 \cdot t_1^{-1}$. The partial private key of the user is $d_{a1} = t_2 \cdot P_1$; the partial public key of the user is $Q_{a1} = H_1(ID \| hid, N) \cdot P_2 + P_{pub}$;
The partial public and private keys are digitally signed and sent, encrypted and together with the timestamp T, to the endorsement system of the device;
Next, generate the complete user key:
The endorsement system decrypts the information and checks the freshness of the timestamp; if it is fresh, it verifies the signature information, and if that verification passes, it generates the complete public and private keys from the partial public and private keys;
It selects a random number $s_2$ as the other part of the master key of the entity, $s_2 < N-1$; the corresponding public key is $P_{pub2} = s_2 \cdot P_2$; $s_2$ is kept secret and $P_{pub2}$ is published. The entity public key is $Q_a = Q_{a1} + P_{pub2}$. Calculate $t_3 = t_1 + s_2$; the private key of the entity is $d_a = (t_1 \cdot d_{a1} + s_2 \cdot P_1) \cdot t_3^{-1}$;
Finally, send the key to the device:
The public and private keys are encrypted with the public key in the endorsement credential, a timestamp is added, and the result is sent to the authentication center;
After checking that the timestamp is fresh, the authentication center forwards the information to the accessed system;
After the accessed system verifies that the timestamp is fresh, it adds the system's public key to the encrypted information and forwards it to the device;
The device decrypts the information from the original endorsement system, verifies the public and private keys, and then uses them for encrypted communication with the accessed system.
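Carrying the algebra of the key generation steps through (an added derivation, not text from the patent), write $h = H_1(ID \| hid, N)$ and take all scalar arithmetic modulo $N$, so that $t_1 = h + s_1$ and $t_3 = h + s_1 + s_2$:

$$t_1 \cdot d_{a1} = t_1 \cdot t_2 \cdot P_1 = t_1 \cdot s_1 \cdot t_1^{-1} \cdot P_1 = s_1 \cdot P_1$$

$$d_a = (s_1 \cdot P_1 + s_2 \cdot P_1) \cdot t_3^{-1} = (s_1 + s_2)(h + s_1 + s_2)^{-1} \cdot P_1$$

$$Q_a = Q_{a1} + P_{pub2} = h \cdot P_2 + s_1 \cdot P_2 + s_2 \cdot P_2 = (h + s_1 + s_2) \cdot P_2$$

$$e(d_a, Q_a) = e(P_1, P_2)^{(s_1 + s_2)(h + s_1 + s_2)^{-1}(h + s_1 + s_2)} = e(P_1, P_2)^{s_1 + s_2}$$

The complete key pair therefore has the form of a key issued under the single master key $s = s_1 + s_2$, of which the authentication center holds only $s_1$ and the endorsement system only $s_2$. The inverse $t_3^{-1}$ exists only when $t_3 \neq 0 \pmod N$; the steps state the reselection rule for $t_1 = 0$ but none for $t_3 = 0$, so an implementation has to reselect $s_2$ in that case as well.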
The invention has the beneficial effects that: according to the invention, a trusted authentication center is arranged to establish trust relationships among systems and trust relationships between the systems and equipment, and a comprehensive trust value is calculated through a trust transfer idea, so that authentication of the equipment among different systems is effectively realized, the problem of trust island is broken, the authentication process of the equipment of the Internet of things in different systems is simplified, key negotiation is carried out based on a SM9 algorithm after authentication is passed, subsequent communication can be encrypted, and the security of the Internet of things is facilitated.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the means of the instrumentalities and combinations particularly pointed out hereinafter.
Drawings
For the purposes of promoting a better understanding of the objects, aspects and advantages of the invention, reference will now be made to the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 is a schematic flow chart of a method according to a preferred embodiment of the present invention;
FIG. 2 is a cross-domain authentication model diagram of heterogeneous Internet of things devices;
FIG. 3 is a diagram of the trust model;
FIG. 4 is a key agreement flow chart.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention in a schematic way, and the features in the following embodiments and examples may be combined with each other without conflict.
The drawings are for illustration only, are schematic rather than pictorial, and are not intended to limit the invention; to better illustrate the embodiments of the present invention, some parts of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product; it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
The same or similar reference numerals in the drawings of the embodiments of the present invention correspond to the same or similar components; in the description of the present invention, it should be understood that if there is an orientation or positional relationship indicated by terms such as "upper", "lower", "left", "right", "front", "rear", etc., based on the orientation or positional relationship shown in the drawings, it is only for convenience of description and simplification of description, but it is not an indication or suggestion that the referred device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and therefore, the terms describing the positional relationship in the drawings are only used for illustrative purposes, and are not to be construed as limiting the present invention, and the specific meaning of the terms may be understood by those skilled in the art according to specific situations.
As shown in FIG. 1, a cross-domain identity authentication method for a heterogeneous Internet of things includes the following specific steps:
Step 11: An authentication center trusted by the different systems is established.
As shown in FIG. 2, the model mainly includes two parts: the authentication center, and the various heterogeneous Internet of things systems. The specific functions of the authentication center are: recording the information of each system that joins the authentication center; issuing a digital certificate to each system and then assigning each system a trust rating, in the range [0,1], according to its authentication mode; recording and querying the trust endorsement credentials that systems issue to devices; and acting as a private key generation center that assists key agreement between the device and the system.
Step 12: device application for trust endorsement credential for cross-domain access
The device sends an authentication request for cross-domain access to the system domain in which it is registered; based on the request, the system issues an endorsement credential for the device, generates the system's digital signature, and then uploads the credential and the digital signature together to the authentication center.
Specifically, the device sending a request to a registered system domain for authentication endorsement credentials for cross-domain access comprises: unique identification of the device, registration identity information, system expecting cross-domain access, timestamp, etc.
Specifically, the process of issuing the endorsement credential by the system specifically includes: the system analyzes the request of the equipment, after the identity of the equipment and the request of the equipment are confirmed to be legal, the information expecting to access the system is inquired through the authentication center, a pair of public key and private key is generated, the public key and the identity information are generated into an endorsement certificate, a private key in a digital certificate issued by the authentication center is used for carrying out digital signature, then the certificate, the digital signature and the private key are sent to the equipment, and meanwhile, a certification record is written into the authentication center.
Specifically, the endorsement credential information comprises: the unique identifier of the device, the device credibility, the identifier of the credential issuing system, the name of the credential issuing system, the authentication mode of the credential issuing system, the device authentication result, the validity period of the credential, a timestamp, the digital signature of the credential issuing system, the identifier of the expected access system, and a public key for encrypted communication with the device.
Step 13: device-initiated cross-domain access request
The access request specifically includes: unique identification of the device, requested content, endorsement credential, identification of the credential issuing system, name of the credential issuing system, request validity period, timestamp.
Step 14: Authenticate the identity of the device.
The specific steps are as follows: first, the accessed domain parses the request sent by the device; then, the accessed domain queries the user's authentication record from the authentication center, extracts trust values from the device credibility in the endorsement credential and from the records of other systems in the authentication center, and analyzes the access paths; next, it calculates the credibility autonomously; finally, if the credibility reaches the system's threshold, authentication passes and the subsequent key agreement and access control processes are carried out. If not, authentication fails, and a device that wants to continue access must register again in the accessed system.
Specifically, the parsing of the access request specifically includes: firstly, the system analyzes the request and checks the time stamp and the request content of the request; then, inquiring the information of the certificate issuer through the authentication center, verifying the digital signature and verifying whether the certificate is complete; and finally checking the validity period of the certificate, the state of the issuer, whether the request is in compliance, whether the issuer is in a trust list of the local domain and the like.
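The parsing order just described, combined with the rule that a device's trust cannot exceed the rating of the system that issued its credential, as an added Go example (not code from the patent). Ed25519 stands in for the unspecified signature scheme; the struct fields, the JSON encoding, the map used as the authentication-center lookup and the check of the request against the credential's expected-access-system identifier are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"math"
	"time"
)

// Credential holds a subset of the listed endorsement-credential fields (names assumed).
type Credential struct {
	DeviceID    string  `json:"device_id"`
	DeviceTrust float64 `json:"device_trust"`
	IssuerID    string  `json:"issuer_id"`
	Audience    string  `json:"audience"`  // identifier of the expected access system
	NotAfter    int64   `json:"not_after"` // end of validity, Unix seconds
}

// Request is the cross-domain access request received by the accessed domain.
type Request struct {
	DeviceID  string
	Cred      Credential
	Sig       []byte // issuing system's signature over the encoded credential
	Timestamp int64  // Unix seconds
}

// IssuerRecord is what the authentication center returns about an issuing system.
type IssuerRecord struct {
	Key    ed25519.PublicKey
	Rating float64 // trust rating in [0,1] assigned by the authentication center
	Active bool
}

type Verifier struct {
	SelfID  string
	Center  map[string]IssuerRecord // stand-in for the authentication-center query
	Trusted map[string]bool         // trust list of the local domain
	MaxSkew time.Duration
}

var (
	ErrStale     = errors.New("request timestamp not fresh")
	ErrContent   = errors.New("request does not match credential")
	ErrIssuer    = errors.New("issuer unknown or not active")
	ErrSignature = errors.New("credential signature invalid")
	ErrExpired   = errors.New("credential expired")
	ErrUntrusted = errors.New("issuer not in local trust list")
)

func encode(c Credential) []byte {
	b, _ := json.Marshal(c) // struct field order makes the encoding deterministic
	return b
}

// Sign is the issuing system's side: sign the encoded credential.
func Sign(priv ed25519.PrivateKey, c Credential) []byte { return ed25519.Sign(priv, encode(c)) }

// Check returns the device trust usable in the credibility calculation, or the first failure.
func (v Verifier) Check(r Request, now time.Time) (float64, error) {
	// 1. Timestamp and request content.
	age := now.Sub(time.Unix(r.Timestamp, 0))
	if age < -v.MaxSkew || age > v.MaxSkew {
		return 0, ErrStale
	}
	if r.DeviceID != r.Cred.DeviceID || r.Cred.Audience != v.SelfID {
		return 0, ErrContent
	}
	// 2. Issuer lookup through the authentication center, then signature and integrity.
	rec, ok := v.Center[r.Cred.IssuerID]
	if !ok || !rec.Active {
		return 0, ErrIssuer
	}
	if !ed25519.Verify(rec.Key, encode(r.Cred), r.Sig) {
		return 0, ErrSignature
	}
	// 3. Validity period and local trust list.
	if now.Unix() > r.Cred.NotAfter {
		return 0, ErrExpired
	}
	if !v.Trusted[r.Cred.IssuerID] {
		return 0, ErrUntrusted
	}
	// The device trust can never exceed the issuing system's own rating.
	return math.Min(r.Cred.DeviceTrust, rec.Rating), nil
}

// Sample builds constructed data: issuer "domain-A" endorses "dev-42" for "domain-B".
func Sample(now time.Time) (Verifier, Request, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	c := Credential{"dev-42", 0.9, "domain-A", "domain-B", now.Add(time.Hour).Unix()}
	v := Verifier{"domain-B", map[string]IssuerRecord{"domain-A": {pub, 0.8, true}},
		map[string]bool{"domain-A": true}, 2 * time.Minute}
	return v, Request{"dev-42", c, Sign(priv, c), now.Unix()}, priv
}

func main() {
	v, req, _ := Sample(time.Now())
	fmt.Println(v.Check(req, time.Now()))
}
```

In the constructed sample the credential claims a device trust of 0.9 while the issuer is rated 0.8, so the value passed on to the credibility calculation is 0.8.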
Specifically, the record of the authentication of the device refers to: the device may pass the authentication of multiple systems, the system may give the device a trust level after each pass of the authentication, and the authentication record of the device may be recorded by the authentication center, which may be referred to for the next cross-domain authentication of the device.
Specifically, the credibility means: although the device has obtained a trust endorsement through its authentication by other systems, there still exist some uncertainties, such as the reliability and security of the authentication mechanism of different systems cannot be fully determined. When the accessed system carries out authentication judgment, comprehensive processing is needed to be carried out for adoption.
To describe this uncertainty, it is described by using three aspects of the confidence (Td), entropy (En) and super entropy (He), expressed as a triple < Td, En, He >, the confidence representing the trustworthiness of a device, reflecting the qualitative description of the user by the application system; the entropy describes the uncertainty of the confidence level, and reflects that the comprehensive confidence level belongs to the acceptable range size of the space; the super entropy describes the uncertainty of the entropy, reflecting possible random values in the comprehensive confidence sample space.
FIG. 3 is a diagram of the trust model. A device may have been authenticated by several systems, so there may be several trust routes between the target domain and the device, and each trust route may contain several recommending entities. Each authentication path is resolved.
The trust degree $TD_i$, entropy $En_i$ and super entropy $He_i$ of a single path are calculated respectively as follows:
where $TD_{ij}$ is the trust value of each trust entity, with value range [0,1]; $B_i$ is the first-order central moment of the trust values of the path; and $S_i^2$ is the variance of the trust values of the path.
The comprehensive trust TD, entropy En and super entropy He of the multiple trust paths are calculated by the following formula:
where $C_i$ is the weight of each path; the weight is set subjectively by the verifier, with value range [0,1] and $C_1 + C_2 + \dots + C_i = 1$. By default $C_i$ is generally $1/m$, where $m$ is the number of paths.
A system with a low security level cannot give a trust rating higher than its own security rating, so the highest trust degree it can give is the system trust rating it was assigned when it joined the authentication center.
Specifically, the threshold of the system is the lowest comprehensive trust degree required to access the system, and is set when the system joins the authentication center. A domain with lower security requirements may consider the comprehensive trust degree alone; applications and domains with high security requirements can additionally weigh the risk indicated by the entropy and super entropy: when En and He are too large, the trust is unreliable and the risk is higher.
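The trust decision described above, as an added Python example that is not part of the patent. The page's formula images did not survive, so the per-path statistics here use the standard backward normal cloud generator (which uses the same $B_i$ and $S_i^2$ the text names) and the paths are combined by a plain weighted sum; both are assumptions, as are the function names, the `max_en`/`max_he` limits and the sample values.

```python
import math


def path_cloud(entities):
    """Return (TD_i, En_i, He_i) for one trust path.

    entities: list of (trust_value, issuer_rating) pairs, one per recommending
    entity. A system cannot vouch above its own rating, so each trust value is
    capped at the rating the authentication center gave its issuer.
    Assumption: backward normal cloud generator, not the patent's own formulas.
    """
    if not entities:
        raise ValueError("a trust path needs at least one recommending entity")
    values = []
    for trust_value, issuer_rating in entities:
        if not (0.0 <= trust_value <= 1.0 and 0.0 <= issuer_rating <= 1.0):
            raise ValueError("trust values and ratings must lie in [0, 1]")
        values.append(min(trust_value, issuer_rating))
    n = len(values)
    td = sum(values) / n
    b = sum(abs(v - td) for v in values) / n               # B_i
    s2 = sum((v - td) ** 2 for v in values) / (n - 1) if n > 1 else 0.0  # S_i^2
    en = math.sqrt(math.pi / 2) * b
    # S_i^2 < En_i^2 can occur on small samples; clamp instead of failing.
    he = math.sqrt(max(s2 - en * en, 0.0))
    return td, en, he


def combine(paths, weights=None):
    """Weighted combination over m paths; default weight C_i = 1/m.

    Assumption: TD, En and He are each combined as sum(C_i * x_i).
    """
    m = len(paths)
    if m == 0:
        raise ValueError("no trust path: the device has no usable endorsement")
    if weights is None:
        weights = [1.0 / m] * m
    if len(weights) != m or any(not 0.0 <= c <= 1.0 for c in weights):
        raise ValueError("need one weight in [0, 1] per path")
    if not math.isclose(sum(weights), 1.0, abs_tol=1e-9):
        raise ValueError("path weights must sum to 1")
    clouds = [path_cloud(p) for p in paths]
    return tuple(sum(c * cloud[k] for c, cloud in zip(weights, clouds))
                 for k in range(3))


def authenticate(paths, threshold, weights=None, max_en=None, max_he=None):
    """Accessed-domain decision. max_en / max_he are hypothetical limits that
    a high-security domain may set; a low-security domain leaves them None."""
    td, en, he = combine(paths, weights)
    if td < threshold:
        return False, "trust below threshold"
    if max_en is not None and en > max_en:
        return False, "entropy too large"
    if max_he is not None and he > max_he:
        return False, "super entropy too large"
    return True, "ok"


# Constructed sample: two trust routes to the same device.
SAMPLE_PATHS = [
    [(0.9, 0.8), (0.7, 0.9)],   # first value is capped to the issuer rating 0.8
    [(0.6, 1.0)],
]

if __name__ == "__main__":
    print(combine(SAMPLE_PATHS))
    print(authenticate(SAMPLE_PATHS, threshold=0.6))
    print(authenticate(SAMPLE_PATHS, threshold=0.6, max_en=0.02))
```
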
Step 15: if the identity of the device passes verification, a temporary access identity is established for the device, the negotiation of the session key is completed, and the authentication record is recorded in the authentication center. Key generation and negotiation are based on the national cryptographic algorithm SM9. Referring to FIG. 4, this step is implemented as follows:
Step 151: establishing the system master key:
When the device passes verification, the accessed domain selects a random number N and sends it to the authentication center together with the identifier ID of the device and a key generation request. The authentication center generates and publishes the system parameters {N, P1, P2, G1, G2, e, H1, H2} based on bilinear pairings, and selects a random number $s_1$ ($s_1 < N-1$) as part of the master key of the entity. The corresponding public key is $P_{pub} = s_1 \cdot P_2$; $s_1$ is kept secret and $P_{pub}$ is published.
Step 152: generation of the user's partial key:
A private key generation function identifier hid is selected and published, and $t_1 = H_1(ID \| hid, N) + s_1$ is computed. If $t_1 = 0$, $s_1$ is reselected; otherwise $t_2 = s_1 \cdot t_1^{-1}$ is computed. The partial private key of the user is $d_{a1} = t_2 \cdot P_1$. The partial public key of the user is $Q_{a1} = H_1(ID \| hid, N) \cdot P_2 + P_{pub}$.
The partial public and private keys are digitally signed and sent, together with the timestamp T, to the endorsement system of the device.
Step 153: generation of the user's complete key:
The endorsement system decrypts the message and checks the freshness of the timestamp; if the timestamp is fresh it verifies the signature, and if the signature verifies it generates the complete public and private keys from the partial public and private keys.
A random number $s_2$ ($s_2 < N-1$) is selected as the other part of the master key of the entity. The corresponding public key is $P_{pub2} = s_2 \cdot P_2$; $s_2$ is kept secret and $P_{pub2}$ is published. The entity public key is $Q_a = Q_{a1} + P_{pub2}$. Then $t_3 = t_1 + s_2$ is computed, and the private key of the entity is $d_a = (t_1 \cdot d_{a1} + s_2 \cdot P_1) \cdot t_3^{-1}$.
Step 154: distribution of the user keys:
The endorsement system then encrypts the public and private keys with the public key in the endorsement credential, adds a timestamp, and sends the result to the authentication center.
After checking the freshness of the timestamp, the authentication center forwards the message to the access system.
After verifying that the timestamp is fresh, the access system appends its own public key to the encrypted message and forwards it to the device.
The device decrypts the message from its original endorsement system, verifies the public and private keys, and then uses them for encrypted communication with the access system.
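The split key generation of steps 151 to 153, as an added Python check of the algebra; it is not code from the patent and not an SM9 implementation. Group elements are modelled by their discrete logarithms so that the pairing becomes multiplication of exponents, which shows the relation the formulas imply between the keys and the published values. The group order, the SHA-256 stand-in for H1, the function names, the pairing check and the $t_3 = 0$ guard are assumptions.

```python
import hashlib

# Toy model: every group element is stored as its discrete logarithm modulo N,
# so [k]P is k*P mod N, point addition is + mod N, and the pairing
# e([a]P1, [b]P2) = g^(ab) is represented by the exponent a*b mod N.
# This checks the algebra only; it provides no security.
N = 2**127 - 1      # constructed prime group order
P1 = 1              # generator of G1
P2 = 1              # generator of G2


def h1(identity: bytes, hid: bytes, n: int) -> int:
    """Stand-in for H1(ID || hid, N): SHA-256 reduced into [1, n-1]."""
    digest = hashlib.sha256(identity + hid).digest()
    return int.from_bytes(digest, "big") % (n - 1) + 1


def pairing(a: int, b: int) -> int:
    """Exponent of e(P1, P2) for e([a]P1, [b]P2)."""
    return a * b % N


def center_partial_key(identity: bytes, hid: bytes, s1: int) -> dict:
    """Steps 151-152, run by the authentication center with master part s1."""
    if not 0 < s1 < N - 1:
        raise ValueError("s1 must satisfy 0 < s1 < N-1")
    ppub = s1 * P2 % N
    h = h1(identity, hid, N)
    t1 = (h + s1) % N
    if t1 == 0:
        raise ValueError("t1 = 0: reselect s1")
    t2 = s1 * pow(t1, -1, N) % N
    da1 = t2 * P1 % N                      # partial private key
    qa1 = (h * P2 + ppub) % N              # partial public key
    return {"t1": t1, "da1": da1, "Qa1": qa1, "Ppub": ppub}


def endorser_full_key(partial: dict, s2: int) -> dict:
    """Step 153, run by the endorsement system with master part s2."""
    if not 0 < s2 < N - 1:
        raise ValueError("s2 must satisfy 0 < s2 < N-1")
    ppub2 = s2 * P2 % N
    qa = (partial["Qa1"] + ppub2) % N
    t3 = (partial["t1"] + s2) % N
    if t3 == 0:                            # needed for the inverse below
        raise ValueError("t3 = 0: reselect s2")
    da = (partial["t1"] * partial["da1"] + s2 * P1) * pow(t3, -1, N) % N
    return {"da": da, "Qa": qa, "Ppub2": ppub2}


def partial_key_valid(partial: dict) -> bool:
    """e(da1, Qa1) == e(P1, Ppub), because da1 = [s1/t1]P1 and Qa1 = [t1]P2."""
    return pairing(partial["da1"], partial["Qa1"]) == pairing(P1, partial["Ppub"])


def full_key_valid(partial: dict, full: dict) -> bool:
    """e(da, Qa) == e(P1, Ppub + Ppub2), because da = [(s1+s2)/t3]P1 and
    Qa = [t3]P2. A device could verify its key pair with this equation."""
    combined_pub = (partial["Ppub"] + full["Ppub2"]) % N
    return pairing(full["da"], full["Qa"]) == pairing(P1, combined_pub)


if __name__ == "__main__":
    # Constructed identifier, hid byte and master secrets.
    part = center_partial_key(b"device-001", b"\x01", 123456789)
    whole = endorser_full_key(part, 987654321)
    print(partial_key_valid(part), full_key_valid(part, whole))
```

The step 153 formula takes $t_1$ as an input; since $H_1(ID \| hid, N)$ is computable from public values, $t_1$ determines $s_1$, so whichever party evaluates that step holds the authentication center's part of the master key.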
In the invention, a trusted authentication center is set up. After a device has applied for an endorsement credential and accesses other systems across domains, the accessed system queries the authentication center, resolves the trust routes from the endorsement credential and the previous authentication records, and then computes the comprehensive credibility of the device; if the comprehensive credibility reaches the threshold, authentication succeeds and the device and the system carry out key agreement. With this method, a device that has registered once can be authenticated across domains between heterogeneous Internet of Things systems, which breaks down trust islands and simplifies the authentication of Internet of Things devices in different systems. At the same time, computing the device credibility quantifies the uncertainty introduced by different systems and different authentication modes, which facilitates the safe use of Internet of Things devices. Encrypted communication after authentication passes ensures the security of communication between the device and the system.
Finally, the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit the present invention, and although the present invention has been described in detail with reference to the preferred embodiments, it will be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions, and all of them should be covered by the claims of the present invention.
Claims (7)
1. A cross-domain authentication method of a heterogeneous Internet of things, characterized by comprising the following steps:
S1: establishing an authentication center trusted by different systems, the different systems accessing the authentication center, the device registering in one system and logging in to the registered system;
S2: the device requests an authentication endorsement for cross-domain access from the registered system domain; the system issues an endorsement credential for the device based on the request, generates a digital signature of the system, and uploads the credential and the digital signature to the authentication center;
S3: the device initiates an access request to the accessed domain and at the same time sends its endorsement credential to the accessed domain;
S4: the accessed domain parses the request sent by the device; for a request that meets the requirements, it queries the endorsement records through the authentication center and verifies the endorsement credential; it then calculates the credibility of the device, and if the credibility reaches the threshold of the system, authentication passes; otherwise authentication fails, and a device that wants to continue access must register again in the access system;
S5: if the identity of the device is verified, the negotiation of the session key between the device and the system is completed based on the SM9 algorithm, the negotiated key is subsequently used for communication, and the authentication record is recorded in the authentication center.
2. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S1, an authentication center is established, and the functions of the authentication center specifically include: recording the information of each system that accesses the authentication center, issuing a digital certificate to each system, and then assigning different trust ratings according to the authentication mode of each system, the rating range being [0,1]; recording and querying the trust endorsement credentials issued to devices by the systems; and acting as a private key generation center to assist key agreement between the device and the system.
3. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S2, the request sent by the device to the registered system domain to apply for an authentication endorsement credential for cross-domain access includes: the unique identification of the device, the registered identity information, the system to which cross-domain access is expected, and a timestamp;
the process of the system issuing the endorsement credential specifically comprises the following steps: the system parses the request of the device; after confirming that the identity of the device is legitimate and the request of the device is legitimate, it queries the authentication center for information on the system to which access is expected, generates a public/private key pair, generates an endorsement credential from the public key and the identity information, digitally signs it with the private key of the digital certificate issued by the authentication center, then sends the credential, the digital signature and the private key to the device, and at the same time writes a certification record into the authentication center;
the endorsement credential information includes: the unique identity identification of the device, the device credibility, the identification of the credential issuing system, the name of the credential issuing system, the authentication mode of the credential issuing system, the device authentication result, the validity time of the credential, a timestamp, the digital signature of the credential issuing system, the identification of the expected access system, and a public key for encrypted communication with the device.
4. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S3, the access request specifically includes: the unique identity of the device, the content of the request, the endorsement credential, the identity of the credential issuance system, the name of the credential issuance system, the request validity period, and the timestamp.
5. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S4, in addition to verifying the basic attribute fields, the access system autonomously calculates the credibility from the device credibility in the endorsement credential and the authentication center's records of the device's cross-domain accesses, and performs the subsequent key agreement and access control processes;
the parsing of the access request specifically includes: firstly, the system analyzes the request and checks the time stamp and the request content of the request; then, inquiring the information of the certificate issuer through the authentication center, verifying the digital signature and verifying whether the certificate is complete; finally, the validity period of the certificate, the state of the issuer, whether the request is compliant or not and whether the issuer is in the trust list of the local domain or not are checked.
6. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S4, the cross-domain access authentication record of the device specifically includes: the equipment can pass through the authentication of a plurality of systems, the system can give the equipment a trust level after passing the authentication each time, and the authentication record of the equipment is recorded through the authentication center, so that the equipment can be referred to the next cross-domain authentication;
the credibility of the device specifically includes: three quantities, the trust degree Td, the entropy En and the super entropy He, expressed as a triple <Td, En, He>, wherein the trust degree represents the degree to which a device is trusted and reflects the application system's qualitative description of the user; the entropy describes the uncertainty of the trust degree and reflects the size of the acceptable range of the comprehensive trust degree in the value space; the super entropy describes the uncertainty of the entropy and reflects the possible random values in the sample space of the comprehensive trust degree;
the calculation method of the device credibility specifically includes: the device may have been authenticated by a plurality of systems, a plurality of trust routes may exist between the target domain and the device, and a plurality of recommending entities may exist in each trust route; each authentication path is resolved, and then the comprehensive trust degree is calculated;
the trust degree $TD_i$, entropy $En_i$ and super entropy $He_i$ of a single path are calculated respectively as follows:
where $TD_{ij}$ is the trust value of each trust entity, with value range [0,1]; $B_i$ is the first-order central moment of the trust values of the path; and $S_i^2$ is the variance of the trust values of the path;
the comprehensive trust TD, entropy En and super entropy He of the multiple trust paths are calculated by the following formula:
where $C_i$ is the weight of each path; the weight is set subjectively by the verifier, with value range [0,1] and $C_1 + C_2 + \dots + C_i = 1$; by default $C_i$ is generally $1/m$, where $m$ is the number of paths;
the highest device trust degree is the system trust rating given by the authentication center to the system;
the system threshold specifically includes: the threshold is the lowest comprehensive trust degree required to access the system, and is set when the system joins the authentication center; when En and He are too large, the trust is unreliable and the risk is higher.
7. The cross-domain authentication method of the heterogeneous internet of things as claimed in claim 1, wherein: in step S5, after the system verifies the identity of the device, a public key and a private key are generated for the device; the authentication center is enabled to function as a private key generation center, and the private key is calculated and generated by the authentication center and then is sent to the user; then using the temporary identity for encrypted communication; after the negotiation of the session key is completed, the authentication record is recorded in the authentication center;
the key agreement of the device is based on the national cryptographic algorithm SM9, and the specific steps are as follows:
first, establishing the system master key:
when the device passes verification, the accessed domain selects a random number N and sends it to the authentication center together with the identifier ID of the device and a key generation request; the authentication center generates and publishes the system parameters {N, P1, P2, G1, G2, e, H1, H2} based on bilinear pairings, and selects a random number $s_1$, $s_1 < N-1$, as part of the master key of the entity; the corresponding public key is $P_{pub} = s_1 \cdot P_2$; $s_1$ is kept secret and $P_{pub}$ is published;
then, generation of the user's partial key:
a private key generation function identifier hid is selected and published, and $t_1 = H_1(ID \| hid, N) + s_1$ is computed; if $t_1 = 0$, $s_1$ is reselected; otherwise $t_2 = s_1 \cdot t_1^{-1}$ is computed, and the partial private key of the user is $d_{a1} = t_2 \cdot P_1$; the partial public key of the user is $Q_{a1} = H_1(ID \| hid, N) \cdot P_2 + P_{pub}$;
the partial public and private keys are digitally signed and sent, encrypted and together with the timestamp T, to the endorsement system of the device;
next, generation of the user's complete key:
the endorsement system decrypts the message and checks the freshness of the timestamp; if the timestamp is fresh it verifies the signature, and if the signature verifies it generates the complete public and private keys from the partial public and private keys;
a random number $s_2$, $s_2 < N-1$, is selected as the other part of the master key of the entity; the corresponding public key is $P_{pub2} = s_2 \cdot P_2$; $s_2$ is kept secret and $P_{pub2}$ is published; the entity public key is $Q_a = Q_{a1} + P_{pub2}$; $t_3 = t_1 + s_2$ is computed, and the private key of the entity is $d_a = (t_1 \cdot d_{a1} + s_2 \cdot P_1) \cdot t_3^{-1}$;
finally, the key is sent to the device:
the public and private keys are encrypted with the public key in the endorsement credential, a timestamp is added, and the result is sent to the authentication center;
after checking that the timestamp is fresh, the authentication center forwards the message to the access system;
after verifying that the timestamp is fresh, the access system appends its own public key to the encrypted message and forwards it to the device;
the device decrypts the message from its original endorsement system, verifies the public and private keys, and then uses them for encrypted communication with the access system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010198209.9A CN111447187A (en) | 2020-03-19 | 2020-03-19 | Cross-domain authentication method for heterogeneous Internet of things |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111447187A (en) | 2020-07-24 |
Family
ID=71648967
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010198209.9A Pending CN111447187A (en) | 2020-03-19 | 2020-03-19 | Cross-domain authentication method for heterogeneous Internet of things |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111447187A (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070289006A1 (en) * | 2001-03-22 | 2007-12-13 | Novell, Inc. | Cross domain authentication and security services using proxies for http access |
US7370351B1 (en) * | 2001-03-22 | 2008-05-06 | Novell, Inc. | Cross domain authentication and security services using proxies for HTTP access |
CN101453476A (en) * | 2009-01-06 | 2009-06-10 | 中国人民解放军信息工程大学 | Cross domain authentication method and system |
CN103780618A (en) * | 2014-01-22 | 2014-05-07 | 西南交通大学 | Method for cross-isomerism domain identity authentication and session key negotiation based on access authorization ticket |
CN108848074A (en) * | 2018-05-31 | 2018-11-20 | 西安电子科技大学 | The information service entities cross-domain authentication method of trust value is acted on behalf of based on domain |
CN109698747A (en) * | 2019-02-15 | 2019-04-30 | 上海扈民区块链科技有限公司 | A kind of identity base identity based on Bilinear map hides cryptographic key negotiation method |
Non-Patent Citations (3)
Title |
---|
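Wang Xiaofen, Chen Yuan, Xiao Guozhen: "Security analysis and improvement of an identity-based authenticated key agreement protocol", Journal on Communications * |
Dong Guishan, Chen Yuxiang, Li Hongwei, Bai Jian, Hao Yao, Yang Chun: "Research on the credibility of blockchain-based cross-domain authentication in heterogeneous environments", Communications Technology * |
Ma Xiaoting: "Certificate management and cross-domain authentication scheme based on blockchain technology", China Master's Theses Full-text Database * |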
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111917760B (en) * | 2020-07-28 | 2022-08-30 | 国家工业信息安全发展研究中心 | Network collaborative manufacturing cross-domain fusion trust management and control method based on identification analysis |
CN111917760A (en) * | 2020-07-28 | 2020-11-10 | 国家工业信息安全发展研究中心 | Network collaborative manufacturing cross-domain fusion trust management and control method based on identification analysis |
CN112055029A (en) * | 2020-09-16 | 2020-12-08 | 全球能源互联网研究院有限公司 | Zero-trust power Internet of things equipment and user real-time trust degree evaluation method |
CN112055029B (en) * | 2020-09-16 | 2023-04-07 | 全球能源互联网研究院有限公司 | User real-time trust degree evaluation method for zero-trust electric power Internet of things equipment |
CN112887338A (en) * | 2021-03-18 | 2021-06-01 | 南瑞集团有限公司 | Identity authentication method and system based on IBC identification password |
CN113285806A (en) * | 2021-05-10 | 2021-08-20 | 湖南大学 | Dynamic execution method and system for control instruction of power heterogeneous equipment |
CN113676447A (en) * | 2021-07-12 | 2021-11-19 | 海南大学 | Block chain-based scientific and technological service platform cross-domain identity authentication scheme |
CN113612770A (en) * | 2021-08-02 | 2021-11-05 | 中国科学院深圳先进技术研究院 | Cross-domain secure interaction method, system, terminal and storage medium |
WO2023010608A1 (en) * | 2021-08-02 | 2023-02-09 | 中国科学院深圳先进技术研究院 | Cross-domain secure interaction method and system, terminal, and storage medium |
CN113783854A (en) * | 2021-08-30 | 2021-12-10 | 湖南天河国云科技有限公司 | Block chain-based credit data cross-chain sharing method and device |
CN113783854B (en) * | 2021-08-30 | 2023-10-17 | 湖南天河国云科技有限公司 | Credit data cross-chain sharing method and device based on block chain |
CN114205132A (en) * | 2021-12-02 | 2022-03-18 | 北京八分量信息科技有限公司 | Access authentication method and device in heterogeneous network and related products |
CN114499848A (en) * | 2022-01-26 | 2022-05-13 | 无锡融卡科技有限公司 | Session key generation device and method |
CN114499848B (en) * | 2022-01-26 | 2023-05-30 | 无锡融卡科技有限公司 | Session key generation device and method |
CN115913771A (en) * | 2022-12-20 | 2023-04-04 | 四川启睿克科技有限公司 | Internet of things equipment cross-domain authentication method based on distributed digital identity |
CN115913771B (en) * | 2022-12-20 | 2024-04-26 | 四川启睿克科技有限公司 | Internet of things equipment cross-domain authentication method based on distributed digital identity |
CN116321159A (en) * | 2023-01-14 | 2023-06-23 | 国网湖北省电力有限公司荆门供电公司 | Distributed station data transmission method based on Beidou communication service |
CN116321159B (en) * | 2023-01-14 | 2024-01-02 | 国网湖北省电力有限公司荆门供电公司 | Distributed station data transmission method based on Beidou communication service |
CN116707962B (en) * | 2023-06-30 | 2024-06-07 | 北京中启赛博科技有限公司 | Network access control and detection alarm method, device and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111447187A (en) | Cross-domain authentication method for heterogeneous Internet of things | |
CN109067801B (en) | Identity authentication method, identity authentication device and computer readable medium | |
US11824995B2 (en) | Bridging digital identity validation and verification with the FIDO authentication framework | |
JP4304362B2 (en) | PKI-compliant certificate confirmation processing method and apparatus, and PKI-compliant certificate confirmation processing program | |
US11134069B2 (en) | Method for authorizing access and apparatus using the method | |
US10771451B2 (en) | Mobile authentication and registration for digital certificates | |
WO2005025125A1 (en) | Device authentication system | |
AU2003212617A1 (en) | A biometric authentication system and method | |
CN101262342A (en) | Distributed authorization and validation method, device and system | |
CN111147460A (en) | Block chain-based cooperative fine-grained access control method | |
CN112417494A (en) | Power block chain system based on trusted computing | |
WO2023071751A1 (en) | Authentication method and communication apparatus | |
US20140013116A1 (en) | Apparatus and method for performing over-the-air identity provisioning | |
Gao et al. | A privacy-preserving identity authentication scheme based on the blockchain | |
CN115277010A (en) | Identity authentication method, system, computer device and storage medium | |
CN114938280A (en) | Authentication method and system based on non-interactive zero-knowledge proof and intelligent contract | |
Zwattendorfer et al. | A federated cloud identity broker-model for enhanced privacy via proxy re-encryption | |
Sun et al. | Anonymous authentication and key agreement scheme combining the group key for vehicular ad hoc networks | |
WO2016171844A1 (en) | Security model for identification and authentication in encrypted communications using delegate certificate chain bound to third party key | |
CN114079645A (en) | Method and device for registering service | |
CN115412378B (en) | Credibility authentication method and device for private data and financial private data related service | |
Zhang et al. | A Lightweight Cross-Domain Authentication Protocol for Trusted Access to Industrial Internet | |
EP1959607B1 (en) | A method and system for authenticating the identity | |
Zwattendorfer et al. | Privacy-preserving realization of the STORK framework in the public cloud | |
WO2011152084A1 (en) | Efficient mutual authentication method, program, and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20200724 |