CN112436940B - Internet of things equipment trusted boot management method based on zero-knowledge proof - Google Patents

Internet of things equipment trusted boot management method based on zero-knowledge proof Download PDF

Info

Publication number
CN112436940B
CN112436940B CN202110109089.5A CN202110109089A CN112436940B CN 112436940 B CN112436940 B CN 112436940B CN 202110109089 A CN202110109089 A CN 202110109089A CN 112436940 B CN112436940 B CN 112436940B
Authority
CN
China
Prior art keywords
internet
things equipment
iot cloud
cloud platform
things
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110109089.5A
Other languages
Chinese (zh)
Other versions
CN112436940A (en
Inventor
高建彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China filed Critical University of Electronic Science and Technology of China
Priority to CN202110109089.5A priority Critical patent/CN112436940B/en
Publication of CN112436940A publication Critical patent/CN112436940A/en
Application granted granted Critical
Publication of CN112436940B publication Critical patent/CN112436940B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/141Setup of application sessions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
    • H04L9/3221Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs interactive zero-knowledge proofs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response

Abstract

The invention provides a zero-knowledge-proof-based trusted boot management method for equipment of the Internet of things, which comprises the following steps: 1) the administrator distributes the key pair of the Internet of things equipment and stores the node registration information of the Internet of things equipment into the block chain; 2) the IoT cloud platform carries out identity authentication on the Internet of things equipment, allows the Internet of things equipment passing the identity authentication to access the network, and opens the read authority and the write authority of data on the block chain; 3) performing bidirectional zero knowledge verification with a plurality of IoT cloud platforms when the node is started; the node periodically performs zero-knowledge bidirectional verification with a plurality of IoT cloud platforms during operation, judges whether the node meets the multi-signature mechanism condition or not according to the bidirectional zero-knowledge verification, and allows the node to start if the node meets the multi-signature mechanism condition; otherwise, the node is not started. The method designs the credible starting management of the equipment of the Internet of things according to the non-tamper property of the data on the block chain and the network layer structure, and has better stability.

Description

Internet of things equipment trusted boot management method based on zero-knowledge proof
Technical Field
The invention relates to the technology of the Internet of things, in particular to the technology of trusted startup management of Internet of things equipment based on zero knowledge certification.
Technical Field
With the continuous increase of the types and the number of the access terminals in the internet of things, a social internet of things (sio) of "internet of everything" is gradually formed, and compared with the traditional internet, the network architecture of the social internet of things expands the network into a richer physical space, and the membership accessed in the network is more complex. In the application scenario of the internet of things in the aspects of energy and the like, any device can be an initiator of each transaction and can also be a receiver of the transaction. However, in the present day when malicious attacks are more frequent, the internet of things is required to find a more suitable novel architecture for the difficult problems of data sharing, user privacy protection and the like in the internet of things and the requirements for means of member identity authentication and the like in the network. How to carry out credible management to the thing networking equipment, guarantee that equipment is legally started is the problem that needs to be solved at present urgently.
Disclosure of Invention
The invention aims to solve the technical problem of providing a method for managing the starting of equipment of the Internet of things based on the identity authentication of the equipment of the Internet of things under the control of an IoT cloud platform of the Internet of things.
The invention adopts the technical scheme that the trusted boot management method of the Internet of things equipment based on zero knowledge certification comprises the following steps:
1) the method comprises the steps that the Internet of things equipment sends a network access application to an administrator, the administrator distributes a key pair of the Internet of things equipment, and node registration information of the Internet of things equipment is stored in a block chain;
2) the method comprises the steps that the Internet of things equipment sends a network access application to a nearby IoT cloud platform; the IoT cloud platform carries out identity authentication on the Internet of things equipment, if the identity authentication is passed, the Internet of things equipment is allowed to access the network, and the read authority and the write authority of data on the block chain are opened to the Internet of things equipment; if the authentication fails, the Internet of things equipment is not allowed to access the network;
3) broadcasting a start application after the Internet of things equipment is plugged into a power grid, verifying the identity of the Internet of things equipment by each IoT cloud platform receiving the start application, and confirming the establishment of connection after the identity verification is passed; the method comprises the following steps that bidirectional zero-knowledge proof is conducted on the Internet of things equipment and an IoT cloud platform which confirms establishment of connection; after the verification of the two-way knowledge proof is completed, the Internet of things equipment broadcasts the verification result of the zero knowledge proof of each IoT cloud platform to the whole network, and the system presets a threshold valueWEach IoT cloud platform adopts a multi-sign mechanism to control whether the Internet of things equipment can be started;
the specific process of the multi-label mechanism is as follows:
after each IoT cloud platform verifies the zero knowledge proof given by the Internet of things equipment, each IoT cloud platform links the zero knowledge proof result of the Internet of things equipment, attaches own signature and weight value to the Internet of things equipment which passes the verification of the zero knowledge proof after receiving the start application of the Internet of things equipment which is not subjected to local signature to complete signature, and broadcasts the start application of the Internet of things equipment subjected to local signature to the whole network; when the set time is up, each IoT cloud platform captures a starting application with the longest field from the received starting applications of the Internet of things equipment, and then performs starting judgment according to a verification result of zero knowledge proof from the Internet of things equipment:
judging whether the multi-signature mechanism condition is met
Figure 281516DEST_PATH_IMAGE001
Figure 103979DEST_PATH_IMAGE002
If the verification result is not the zero knowledge proof of each IoT cloud platform, the Internet of things equipment is not started, the read-write authority of the Internet of things equipment to the block chain is recovered, and the Internet of things equipment is controlled to return to the state of power-on waiting;
wherein the content of the first and second substances,nfor the total number of verified IoT cloud platforms that passed zero knowledge proof,iindicating verification that zero knowledge proof has been passediThe number of IoT cloud platforms,W i indicating verification that zero knowledge proof has been passediThe weight value of each of the IoT cloud platforms,jthe first to represent verification that fails zero knowledge proofjThe number of IoT cloud platforms,p k a set of IoT cloud platforms representing verifications that do not pass zero knowledge proof,W j the first to indicate that verification of zero knowledge proof has not been passedjA weight value of the individual IoT cloud platforms;
4) the started Internet of things equipment enters a working state, the Internet of things equipment in the working state performs bidirectional zero knowledge certification with each IoT cloud platform regularly, each IoT cloud platform adopts a multi-sign mechanism to control whether the Internet of things equipment keeps the working state or not, the Internet of things equipment meeting the conditions of the multi-sign mechanism is allowed to keep the working state, and the Internet of things equipment packs and chains verification results of the zero knowledge certification of each IoT cloud platform; for the Internet of things equipment which does not meet the multi-sign mechanism condition, each IoT cloud platform withdraws the read-write permission of the Internet of things equipment to the block chain, and the Internet of things equipment is controlled to return to the state of power-on waiting.
The method has the advantages that the device management mode in the Internet of things based on the block chain is adopted, and the device credible management scheme is designed through the time sequence chain-shaped data structure and the network layer structure of the block chain, wherein the device of the Internet of things is added into the network by an administrator, the node credible starting, the node identity verification, the node data verification based on zero knowledge certification, the credible management of the device of the Internet of things and the equipment quitting the network are carried out.
Drawings
Fig. 1 is a schematic diagram of a system configuration.
FIG. 2 is a diagram of uplink registration of node information.
Fig. 3 illustrates challenge-response authentication between a node and an IoT cloud platform.
FIG. 4 is a trusted boot of a node based on zero knowledge proof.
Detailed Description
As shown in fig. 1, the internet of things management system includes an administrator, a small number of IoT cloud platforms, and a large number of internet of things devices. The internet of things equipment serving as the network terminal node is used for providing services under the control of the IoT cloud platform. The IoT cloud platform has higher concurrent processing capabilities than the internet of things devices within the network. The IoT cloud platform is mainly responsible for maintaining underlying zone block chain data and verifying the identity of the Internet of things equipment based on the zone block chain. The administrator is responsible for processing information records of the Internet of things equipment applying for network access, and the administrator in the scheme is considered to be honest.
When a node (Internet of things equipment) wants to join the whole system, the system carries out the following steps:
1) the node sends a network access application to an administrator; the administrator assigns a key pair to the node and stores the node registration information into the block chain.
2) The node sends a network access application to an IoT cloud platform; the IoT cloud platform authenticates the node through a challenge/response mechanism.
3) Performing bidirectional authentication with a plurality of IoT cloud platforms when the node is started; the node periodically performs bidirectional zero knowledge verification with a plurality of IoT cloud platforms during operation, judges whether the node meets the multi-signature mechanism condition or not according to the bidirectional zero knowledge verification, and allows the node to start if the node meets the multi-signature mechanism condition; otherwise, the node is not started.
The scheme allows the nodes to freely join and exit the network. And for nodes in the network, the write permission and the read permission of the block chain are both open. As shown in fig. 2, when an internet of things device attempts to access a network, the internet of things device sends a network access request to an administrator, and attaches an internet of things device ID to the request. The internet of things device ID may be its IP address, an ID of some hardware, or other sequence that may be used for identification. After the administrator performs basic correctness check on the internet of things equipment ID, a key pair Ska/pKa is generated for each newly added node through an intelligent contract layer carried by a block chain based on the selected random number and the internet of things equipment ID, a private key Ska is distributed to the node, node registration information containing the public key pKa and the internet of things equipment ID is used as a transaction data uplink, and the credibility of the public key is ensured through the time sequence structure and the non-removable property of the block chain. The newly joining node stores the private key locally. The block chain replaces the digital certificate function of the traditional public key system pki, is a decentralized structure, and is more stable compared with the traditional public key infrastructure.
After the node registration information is linked up, the node can send a network access application to any IoT cloud platform in the system, after the IoT cloud platform receives the application, the corresponding Internet of things equipment ID and the public key of the node are found by searching the transaction data recorded on the block chain, and after the Internet of things equipment ID is verified to be correct, the identity of the node is verified through a challenge/response mechanism. The specific method is shown in fig. 3:
1) sending an application to an IoT cloud platform by the Internet of things equipment, and requesting to perform identity authentication, wherein the identity authentication application comprises an Internet of things equipment ID;
2) the IoT cloud platform extracts an Internet of things equipment ID from the received identity verification application, reads registration information of each node on a block chain, and judges whether the Internet of things equipment ID is uplink or not, if yes, the equipment is successfully verified in legality, and then the step 3 is carried out, otherwise, the equipment is illegal, and no further processing is carried out;
3) the IoT cloud platform generates a random number r, and sends the random number r to the Internet of things equipment as a 'challenge';
4) after the Internet of things equipment receives the random number r, combining (r, ID) the Internet of things equipment ID with the random number, encrypting the Eska (r, ID) by using a private key of the Internet of things equipment, and returning encrypted data serving as a response C = Eska (r, ID) to the IoT cloud platform;
5) after receiving the returned response C within the preset time, the IoT cloud platform searches a public key corresponding to the Internet of things equipment in the block to decrypt the received response Dpka (C), compares the decrypted data with a result of combining the locally generated Internet of things equipment ID and a random number, if the decrypted data is consistent with the result, the identity authentication is passed, the Internet of things equipment is allowed to access the network, the IoT cloud platform sends a dynamic network access password S to the node, and the dynamic network access password S is opened to the read authority and the write authority of the data on the block chain in the local system of the node; and if the authentication fails or a returned response is not received within the preset time, the network is not accessed.
After a node is networked, the node performs trusted boot under the authentication of a plurality of IoT cloud platforms in the system, as shown in fig. 4. After the power is connected, the node to be verified firstly broadcasts a start application to all IoT cloud platforms in the system, each IoT cloud platform receiving the start application verifies the node identity by reading the node registration information of the node on the block chain, and after the identity verification is passed, the connection establishment is confirmed. And the node to be verified performs bidirectional zero-knowledge proof with the plurality of IoT cloud platforms confirming the establishment of the connection. Zero knowledge proves to be prior art in cryptography and block chaining, and the invention does not need to describe the algorithm in detail. In the whole zero-knowledge proof process, the nodes only need to interact with the IoT cloud platform in a small amount, and finally generated proofs are short. The purpose of the multiple IoT cloud platforms for zero-knowledge proof of the nodes is to prevent the node data from being tampered and illegally started; the purpose of node zero-knowledge proof of the IoT cloud platform is to prevent the influence of the IoT cloud platform with data falsification on node startup. After the bidirectional knowledge proof is verified, the node broadcasts a verification result of the zero knowledge proof of each IoT cloud platform to the whole network, the system presets a threshold value W, and a multi-signature mechanism is adopted to control whether the node can be started or not.
The specific process of the multi-label mechanism is as follows:
after each IoT cloud platform completes zero knowledge proof of a certain node, the firstiThe IoT cloud platform attaches the signature sig of the IoT cloud platform after receiving the start application of the node which is not locally signed yetiAnd a weight value of 1W i Completing signing, and broadcasting the signed start application of the node to the whole network; when the set time is up, each IoT cloud platform captures the node with the longest field in the network to start the application, and then the application comes fromAnd judging whether all IoT cloud platforms corresponding to the signatures in the startup application pass the verification of the zero knowledge proof according to the verification result of the zero knowledge proof of the node.
If all IoT cloud platforms verify with zero knowledge proof,nin order to sign the total number of IoT cloud platforms in the startup application of A, it is directly determined whether the usage weight is greater than a preset thresholdW
Figure 308695DEST_PATH_IMAGE003
If the verification result is not the last verification result, the node is not started, the read-write authority of the node to the block chain is recovered, and the node is controlled to return to the state of power-on waiting.
If the IoT cloud platform fails to pass the verification of the zero knowledge proof, the IoT cloud platform set p which does not pass the verification of the zero knowledge proof is obtainedkSet p ofkIf there is a possibility of tampering with the IoT cloud platform data, the sum of the weights of the signatures is subtracted by the weight of the cloud platform that is not certified by zero knowledge, and the preset threshold is also subtracted by the weight of the cloud platform that is not certified by zero knowledge
Figure 445279DEST_PATH_IMAGE004
(
Figure 114157DEST_PATH_IMAGE005
) And (4) invalidating the influence of the IoT cloud platform corresponding to the signature on whether the node can be started. Determining whether the sum of the weights of the verified IoT cloud platforms that pass the zero knowledge proof is greater than the updated preset threshold,nfor the total number of verified IoT cloud platforms certified with zero knowledge,
Figure 543739DEST_PATH_IMAGE001
Figure 298069DEST_PATH_IMAGE002
if yes, the node is allowed to complete trusted boot, and the node is trustedAnd (4) packaging and chaining the verification results of the zero knowledge proofs of all IoT cloud platforms in the starting process, if not, not starting the node, recovering the read-write authority of the node to the block chain, and controlling the node to return to the state of power-on waiting. Verify as a set when all IoT cloud platforms pass zero knowledge proof
Figure 972764DEST_PATH_IMAGE006
A special case of null.
In the multi-sign mechanism, signed start applications broadcasted among IoT cloud platforms and judgment results of whether the node is allowed to finish trusted start all reach consensus in the whole network through a practical Byzantine fault-tolerant algorithm PBFT.
And if the IoT cloud platform finds that data of the nodes are tampered through zero knowledge proof, the read-write permission of the node to the block chain is recovered, and the data is excluded from the Internet of things. The administrator can regularly read the verification results of the zero-knowledge proofs of all IoT cloud platforms and all Internet of things equipment on the uplink, so as to judge whether data of the IoT cloud platforms or the Internet of things equipment are tampered, and repair the IoT cloud platforms or the Internet of things equipment with the tampered data or exclude the IoT cloud platforms or the Internet of things equipment from the Internet of things.
Examples
In the embodiment, the scheme is implemented on the basis of the internet of things of an Ethernet workshop and an MQTT protocol, an intelligent camera is selected as a node (A), and an EMQ server is used as an IoT cloud platform (B).
The messages needed in the network include:
CONNECT: only flow from the client to the server, and are responsible for initiating the link;
CONNACK: only flow from the server to the client, and are responsible for confirming the initiated link;
PUBLISH: a message type for communication;
ACTIVE: the node is activated only from the server to the client.
When the intelligent camera A tries to access the network, a network access application is sent to an administrator, and the application is accompanied by the equipment ID of the Internet of things. The internet of things device ID may be a device model, IP or MAC address, etc. of a. After checking the basic correctness of the internet of things device ID and the like, the administrator generates a key pair Ska/Pka for a, assigns a private key Ska to the node, and uplinks the node registration information including the public key Pka and the internet of things device ID of a.
A sends a network access application to an EMQ server B, and the interactive flow of the two parties is as follows:
1) a sends CONNECT message to B to request to establish connection;
2) b, after receiving the CONNECT message, sending a CONNACK message to A to confirm the establishment of the connection;
3) after connection is confirmed, the A sends a PUBLISH message to the B, and the ID of the equipment of the Internet of things is stored in a Payload field;
4) b, reading the transaction on the blockchain to obtain the Internet of things equipment ID of the A, comparing the Internet of things equipment ID with the Internet of things equipment ID sent by the A, if the information is consistent, sending a PUBLISH message, and storing a random number r in a Payload field as a challenge, and if the information is inconsistent, disconnecting the link;
5) after receiving the challenge sent by the server B in the preset time, the A encrypts (r, ID) by using a private key Ska of the A, stores the result Ska (r, ID) in a Payload field and sends the result to the B;
6) b, after the content in the Payload field is decrypted by using the public key Pka of A, if the data can be recovered, the identity information of A is considered to be correct, the A is allowed to access the network, the network access password S is stored in the Payload field and is transmitted to the A, the read authority and the write authority of the data on the block chain of the A are opened, and otherwise, the connection with the A is disconnected.
A is credibly started after accessing the network, A firstly broadcasts a starting application to all B in the system, each B receiving the starting application verifies the identity of A by reading the node registration information of A on the block chain, and after the identity verification is passed, the connection establishment is confirmed. And carrying out bidirectional zero-knowledge proof on the A and a plurality of B confirming to establish connection.
After a plurality of B finishes zero knowledge proof of A, attaching own signature sig and a weighted value W with a value of 1 to finish signing after the received starting application of A which is not signed yet, and broadcasting the starting application of A after signing to the whole network; when the set time is up, B captures the node start application with the longest field in the network, counts the sum of weights in the start application, and then judges whether B corresponding to the signature in the start application passes the verification of the zero knowledge proof according to the verification result of the zero knowledge proof from A, if so, no operation is performed, otherwise, the data of B is shown to be possible to be tampered, the sum of weights is updated by subtracting 1, namely, the weight of the IoT cloud platform is subtracted, meanwhile, the preset threshold value is updated by subtracting 1, and the influence of B corresponding to the signature on whether A can be started is invalidated; and after updating the sum of the weights of the verification results of the zero knowledge proof of the B corresponding to all the signatures after the application for starting and the preset threshold, judging whether the updated sum of the weights is larger than or equal to the updated preset threshold, if so, allowing the A to finish the trusted starting, packaging and chaining the verification results of the zero knowledge proof of the B in the trusted starting process by the A, if not, not starting the A, recovering the read-write authority of the A to the block chain, and controlling the A to return to the state of waiting for power plugging.
The verification process of the zero knowledge proof of the A by the B is as follows:
1) a sends CONNECT message to B, and adds the received password S' into the CONNECT message;
2) b, comparing the password S with the password S 'stored locally, if the password S is consistent with the password S', sending a CONNACK message to A, and confirming the establishment of the connection;
3) b, configuring parameters alpha and s and sending the parameters alpha and s to A;
4) a is used as a prover, parameters alpha and s transmitted by B are used for approximating the integrity problem of components such as a chip facing to safety in A to a polynomial problem f (-), then an encryption mode pre-negotiated by a system is used for calculating E (alpha f (s)) for E (-), and finally E (alpha f (s)) is stored in a Payload field of a message and transmitted to B;
5) and B, checking the polynomial by using the characteristic of elliptic curve pairing, and if the polynomial is correct, determining that the node A is credible and sending an ACTIVE message to the node A.

Claims (5)

1. A zero-knowledge-proof-based trusted boot management method for Internet of things equipment is characterized by comprising the following steps:
1) the method comprises the steps that the Internet of things equipment sends a network access application to an administrator, the administrator distributes a key pair of the Internet of things equipment, and node registration information of the Internet of things equipment is stored in a block chain; the node registration information comprises a public key and an Internet of things equipment ID;
2) the method comprises the steps that the Internet of things equipment sends a network access application to a nearby IoT cloud platform; the IoT cloud platform carries out identity authentication on the Internet of things equipment, if the identity authentication is passed, the Internet of things equipment is allowed to access the network, and the read authority and the write authority of data on the block chain are opened to the Internet of things equipment; if the authentication fails, the Internet of things equipment is not allowed to access the network;
3) broadcasting a start application after the Internet of things equipment is plugged into a power grid, verifying the identity of the Internet of things equipment by each IoT cloud platform receiving the start application, and confirming the establishment of connection after the identity verification is passed; the method comprises the following steps that bidirectional zero-knowledge proof is conducted on the Internet of things equipment and an IoT cloud platform which confirms establishment of connection; after the verification of the two-way knowledge proof is completed, the Internet of things equipment broadcasts the verification result of the zero knowledge proof of each IoT cloud platform to the whole network, and the system presets a threshold valueWEach IoT cloud platform adopts a multi-sign mechanism to control whether the Internet of things equipment can be started;
the specific process of the multi-label mechanism is as follows:
after each IoT cloud platform verifies the zero knowledge proof given by the Internet of things equipment, each IoT cloud platform links the zero knowledge proof result of the Internet of things equipment; for the Internet of things equipment which passes verification proved by zero knowledge, each IoT cloud platform attaches the signature and the weight value of the IoT cloud platform to complete signature after receiving the start application of the Internet of things equipment which is not subjected to local signature, and broadcasts the start application of the Internet of things equipment subjected to local signature to the whole network; when the set time is up, each IoT cloud platform captures a starting application with the longest field from the received starting applications of the Internet of things equipment, and then the starting judgment is carried out according to the verification result of the zero knowledge proof of the Internet of things equipment on each IoT cloud platform:
judging whether the multi-signature mechanism condition is met
Figure 986532DEST_PATH_IMAGE001
Figure 319424DEST_PATH_IMAGE002
If the verification result is not the zero knowledge proof of each IoT cloud platform, the Internet of things equipment is not started, the read-write authority of the Internet of things equipment to the block chain is recovered, and the Internet of things equipment is controlled to return to the state of power-on waiting;
wherein the content of the first and second substances,nfor the total number of verified IoT cloud platforms that passed zero knowledge proof,iindicating verification that zero knowledge proof has been passediThe number of IoT cloud platforms,W i indicating verification that zero knowledge proof has been passediThe weight value of each of the IoT cloud platforms,jthe first to represent verification that fails zero knowledge proofjThe number of IoT cloud platforms,p k a set of IoT cloud platforms representing verifications that do not pass zero knowledge proof,W j the first to represent verification that fails zero knowledge proofjA weight value of the individual IoT cloud platforms;
4) the started Internet of things equipment enters a working state, the Internet of things equipment in the working state performs bidirectional zero knowledge certification with each IoT cloud platform regularly, each IoT cloud platform adopts a multi-sign mechanism to control whether the Internet of things equipment keeps the working state or not, the Internet of things equipment meeting the conditions of the multi-sign mechanism is allowed to keep the working state, and the Internet of things equipment packs and chains verification results of the zero knowledge certification of each IoT cloud platform; for the Internet of things equipment which does not meet the multi-sign mechanism condition, each IoT cloud platform withdraws the read-write permission of the Internet of things equipment to the block chain, and the Internet of things equipment is controlled to return to the state of power-on waiting.
2. The method of claim 1, wherein a consensus among IoT cloud platforms in the multi-sign mechanism is achieved across the entire network through a pragmatine fault-tolerant algorithm PBFT.
3. The method of claim 1, wherein after the step 4), the administrator periodically reads the verification results of the zero-knowledge proofs of the IoT cloud platforms and the internet-of-things devices on the uplink, so as to determine whether data of the IoT cloud platforms or the internet-of-things devices has been tampered with, and repair or exclude the tampered IoT cloud platforms or the tampered internet-of-things devices from the internet of things.
4. The method according to claim 1, wherein step 1) is specifically:
the Internet of things equipment sends a network access application with an attached Internet of things equipment ID to an administrator; the Internet of things equipment ID is an IP address or other sequences used for identity identification;
after checking the correctness of the Internet of things equipment ID, the administrator generates a public and private key pair for the Internet of things equipment based on the selected random number and the Internet of things equipment ID through an intelligent contract layer carried by the block chain, distributes a private key to the Internet of things equipment, and links up node registration information containing the public key and the Internet of things equipment ID; the Internet of things equipment stores the private key locally.
5. The method as claimed in claim 4, wherein the step 2) of identity verification comprises the following specific steps:
2-1) sending an application to an IoT cloud platform by the Internet of things equipment, and requesting to perform identity authentication, wherein the identity authentication application comprises an Internet of things equipment ID;
2-2) extracting an Internet of things equipment ID from the received identity authentication application by the IoT cloud platform, reading registration information of each node on a block chain, and judging whether the extracted Internet of things equipment ID is uplink or not, if so, successfully verifying the validity of the equipment, and entering the step 2-3), otherwise, if not, carrying out further processing;
2-3) the IoT cloud platform generates a random number r and sends the random number r to the Internet of things equipment;
2-4) after the internet of things equipment receives the random number r, combining (r, ID) the internet of things equipment ID and the random number, encrypting by using a private key of the equipment to obtain encrypted data Eska (r, ID), and returning the encrypted data serving as a response C = Eska (r, ID) to the IoT cloud platform;
2-5) after receiving the returned response C within the preset time, the IoT cloud platform searches a public key corresponding to the Internet of things equipment in the block to decrypt the received response C to obtain decrypted data Dpka (C), and compares the decrypted data with a result of combining the locally generated Internet of things equipment ID and the random number, if the decrypted data is consistent with the result, the identity authentication is passed; and if the authentication is inconsistent or the returned response is not received within the preset time, the authentication is judged to be failed.
CN202110109089.5A 2021-01-27 2021-01-27 Internet of things equipment trusted boot management method based on zero-knowledge proof Active CN112436940B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110109089.5A CN112436940B (en) 2021-01-27 2021-01-27 Internet of things equipment trusted boot management method based on zero-knowledge proof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110109089.5A CN112436940B (en) 2021-01-27 2021-01-27 Internet of things equipment trusted boot management method based on zero-knowledge proof

Publications (2)

Publication Number Publication Date
CN112436940A CN112436940A (en) 2021-03-02
CN112436940B true CN112436940B (en) 2021-04-30

Family

ID=74697330

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110109089.5A Active CN112436940B (en) 2021-01-27 2021-01-27 Internet of things equipment trusted boot management method based on zero-knowledge proof

Country Status (1)

Country Link
CN (1) CN112436940B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113326504B (en) * 2021-07-01 2022-07-05 厦门致联科技有限公司 Block chain chaining method for preventing data tampering
CN113472546B (en) * 2021-09-02 2022-05-24 杭州链城数字科技有限公司 Data trusted processing method, block chain platform and terminal equipment
CN113949535B (en) * 2021-09-18 2024-03-29 陈德周 Networking equipment supervision authentication method and system based on blockchain
CN114070586A (en) * 2021-10-19 2022-02-18 中诚区块链研究院(南京)有限公司 Cooperative working method of block chain and Internet of things
CN113890768A (en) * 2021-11-22 2022-01-04 京东方科技集团股份有限公司 Equipment authentication method and system, Internet of things equipment and authentication server
CN114499988B (en) * 2021-12-30 2022-11-08 电子科技大学 Block chain-based Internet of things key distribution and equipment authentication method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109428892A (en) * 2017-09-01 2019-03-05 埃森哲环球解决方案有限公司 Multistage rewritable block chain
CN110024352A (en) * 2016-12-30 2019-07-16 英特尔公司 Decentralized data for IOT device stores and processs

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9785369B1 (en) * 2016-05-23 2017-10-10 Accenture Global Solutions Limited Multiple-link blockchain
US11146380B2 (en) * 2017-08-03 2021-10-12 Parity Technologies Ltd. Methods and systems for a heterogeneous multi-chain framework
DE112018007052T5 (en) * 2018-02-09 2020-10-22 Intel Corporation Configuration and onboarding of trusted IOT devices
CN109327457A (en) * 2018-11-09 2019-02-12 广州大学 A kind of internet of things equipment identity identifying method and system based on block chain
CN109614820A (en) * 2018-12-06 2019-04-12 山东大学 Intelligent contract authentication data method for secret protection based on zero-knowledge proof
CN109981639B (en) * 2019-03-23 2021-04-06 西安电子科技大学 Block chain based distributed trusted network connection method
US10826684B1 (en) * 2019-06-06 2020-11-03 Syniverse Technologies, Llc System and method of validating Internet of Things (IOT) devices
CN110995448A (en) * 2019-12-19 2020-04-10 杭州羿贝科技有限公司 Block chain-based Internet of things equipment identity authentication method and system
CN111193730B (en) * 2019-12-25 2022-06-14 上海沄界信息科技有限公司 IoT trusted scene construction method and device
CN111461722A (en) * 2020-04-17 2020-07-28 支付宝(杭州)信息技术有限公司 Intelligent contract deployment method, device and equipment
CN111970691B (en) * 2020-08-28 2022-02-01 北京邮电大学 Equipment authentication access method, device, equipment and computer readable storage medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110024352A (en) * 2016-12-30 2019-07-16 英特尔公司 Decentralized data for IOT device stores and processs
CN109428892A (en) * 2017-09-01 2019-03-05 埃森哲环球解决方案有限公司 Multistage rewritable block chain

Also Published As

Publication number Publication date
CN112436940A (en) 2021-03-02

Similar Documents

Publication Publication Date Title
CN112436940B (en) Internet of things equipment trusted boot management method based on zero-knowledge proof
CN110602096B (en) Data processing method, device, storage medium and equipment in block chain network
CN106878318B (en) Block chain real-time polling cloud system
US10992670B1 (en) Authenticating identities for establishing secure network tunnels
CN101951603B (en) Access control method and system for wireless local area network
CN109981639B (en) Block chain based distributed trusted network connection method
CN108282779B (en) Space-ground integrated space information network low-delay anonymous access authentication method
CN103747036A (en) Trusted security enhancement method in desktop virtualization environment
CN103312691A (en) Method and system for authenticating and accessing cloud platform
CN111182545B (en) Micro base station authentication method and terminal
CN110020524A (en) A kind of mutual authentication method based on smart card
CN111490968A (en) Block chain technology-based alliance multi-node network identity authentication method
CN114867014B (en) Internet of vehicles access control method, system, medium, equipment and terminal
WO2023236551A1 (en) Decentralized trusted access method for cellular base station
CN112383557A (en) Security access gateway and industrial equipment communication management method
CN101577620A (en) Authentication method of Ethernet passive optical network (EPON) system
CN101867588A (en) Access control system based on 802.1x
CN115865320A (en) Block chain-based security service management method and system
CN114697963A (en) Terminal identity authentication method and device, computer equipment and storage medium
Weimerskirch et al. Identity certified authentication for ad-hoc networks
CN110891067B (en) Revocable multi-server privacy protection authentication method and revocable multi-server privacy protection authentication system
Kwon et al. Certificate transparency with enhanced privacy
CN113872986B (en) Power distribution terminal authentication method and device and computer equipment
CN105610667B (en) The method and apparatus for establishing Virtual Private Network channel
CN109981662A (en) A kind of safe communication system and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant