CN112738130B - Named data network communication method and communication system based on identity - Google Patents

Named data network communication method and communication system based on identity Download PDF

Info

Publication number
CN112738130B
CN112738130B CN202110055022.8A CN202110055022A CN112738130B CN 112738130 B CN112738130 B CN 112738130B CN 202110055022 A CN202110055022 A CN 202110055022A CN 112738130 B CN112738130 B CN 112738130B
Authority
CN
China
Prior art keywords
data packet
signature
public key
consumer
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110055022.8A
Other languages
Chinese (zh)
Other versions
CN112738130A (en
Inventor
张丽
朱明悦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Technology filed Critical Beijing University of Technology
Priority to CN202110055022.8A priority Critical patent/CN112738130B/en
Publication of CN112738130A publication Critical patent/CN112738130A/en
Application granted granted Critical
Publication of CN112738130B publication Critical patent/CN112738130B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/60Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/63Routing a service request depending on the request content or context
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a named data network communication method and a communication system based on identity, wherein the method comprises the following steps: signing the public parameters of the system based on a private key of a root PKG (public Key generator) of the HIBC (hybrid information Block code), and recording the signed parameters to a signature information field of a data packet; forming the name of the data packet by the identity information of the producer, the data information and the validity period of the system public parameter; in the process of acquiring the data packet, the consumer sends an interest packet including the name of the data packet to the producer, and the producer sends the data packet to the consumer; a consumer sends an interest packet requesting a public key to a third party authority; the third party authority sends a digital certificate comprising a public key corresponding to the root PKG to the consumer; and the consumer verifies the signature information of the data packet by using the public key in the received digital certificate, and acquires the data packet content in the data packet after the verification is successful. By the technical scheme of the invention, malicious users can be prevented from carrying out data injection attack, and the guarantee of communication safety is realized.

Description

Named data network communication method and communication system based on identity
Technical Field
The invention relates to the technical field of named data network communication, in particular to an identity-based named data network communication method and an identity-based named data network communication system.
Background
Compared with the current IP network, the NDN (Named Data Networking) is a completely open, decentralized and content-oriented network model, so that the NDN is more easily attacked by some traditional networks in the IP network and a plurality of novel attacks which do not exist in the traditional networks are introduced.
The named data network adopts a cache mechanism and has no concept of network connection, so that the safety of data is not dependent on the address of the data. NDN only concerns the data itself, and the security of the data is built on the security of the data itself, not the channel security. NDN therefore has been designed with 'security' as a layer in the hourglass model at the beginning of the design, trying to incorporate security into the network protocol. In the NDN, a producer signs data, and a consumer verifies the digital signature to determine the integrity of the data. If the data needs to be trusted, an appropriate information side-any mechanism needs to be provided, so that a data consumer can trust the received data. The producer uses the private key to sign the data, the consumer uses the public key to verify the digital signature, the successful verification indicates that a certain private key signs the data, the user wants to determine whether the data is credible, a proper trust mechanism needs to be adopted to authenticate the identity of the public key, and if the public key belongs to the credible, the generated data is credible.
Although this basic security measure cannot resist all network attacks, at least the following security requirements should be met:
(1) Integrity: since the content packets are vulnerable to tampering during transmission over the insecure channel, it is desirable to provide a security mechanism to ensure that valid data packets sent out by a legitimate publisher are not modified, damaged, or lost.
(2) Authentification: on one hand, the authentification in the NDN needs to be capable of obtaining the publishing source of the message from the data packet, verifying the authenticity of the data publisher and confirming that the data publisher is not pretended; on the other hand, the relevance of the data name and the content is guaranteed.
(3) Non-repudiation: an effective responsibility mechanism is established to prevent a user from denying that a certain piece of content is published or requested. That is, the content publisher cannot deny the published data package, and the consumer cannot deny the published interest package. Therefore, the attack of interest packet flooding and the attack of false content packet injection can be effectively avoided.
(4) Confidentiality: for information that needs to be kept secret, such as e-mails, confidential documents, communication keys, etc., only authorized legitimate users have the ability to read the information.
However, most of the existing NDN communication methods have the problem of low efficiency, and a unique association is not established between the packet name and the public key, so that an attacker can launch a data injection attack in the following way: the attacker intercepts the interest packet and sends a forged data packet to the requester, wherein the forged data packet comprises the same name, false data, key information about the attacker and a related signature, and the requester can recover the public key and the certificate of the attacker after receiving the interest packet, but the attacker cannot find the attack, so that the safety of data communication cannot be effectively guaranteed.
Disclosure of Invention
In order to solve the above problems, the present invention provides an identity-based named data network communication method and a communication system, based on a hybrid trust model of HIBC (hierarchical identity based encryption) and PKI, a hierarchical naming structure of NDN is extended by using PKG (Private Key Generator), a unique association is established between a data packet name and a Public Key, so as to prevent a malicious user from performing data injection attack, in addition, a PARAM (system Public parameter) is signed by a Private Key of HIBC PKG, and a third authority of PKI (Public Key Infrastructure) verifies a certificate signature so as to obtain trust of PARAM, thereby ensuring communication security.
In order to achieve the above object, the present invention provides an identity-based named data network communication method, which comprises: a producer signs a system public parameter based on a private key of a root PKG of the HIBC in the process of producing a data packet; recording the signed system public parameters to a signature information field of the data packet; forming the name of the data packet by using the identity information and data information of the producer and the validity period of the system public parameter, wherein the identity information of the producer is formed by combining IDs generated by a PKG at the current level in the HIBC and all ancestor PKGs; the consumer sends an interest packet including the data packet name to the producer in the process of acquiring the data packet; the producer sends the data packet to the consumer when receiving the interest packet; the consumer sends an interest packet requesting a public key corresponding to a root PKG in the data packet to a third party authority; the third party authority sends a digital certificate comprising a public key corresponding to the root PKG to the consumer; and the consumer verifies the signature information of the data packet by using the received public key in the digital certificate, and acquires the data packet content in the data packet after the verification is successful.
In the foregoing technical solution, preferably, the data packet includes a name of the data packet, data packet content information, data packet content, and a signature information field, the name of the data packet is used as a public key of the HIBC, the signature information field includes signature information on the system public parameter calculated according to the root PKG, and the system public parameter is used in a signature, signature verification, encryption, and decryption algorithm of the HIBC.
In the foregoing technical solution, preferably, after the consumer obtains the digital certificate through the third party authority, the consumer verifies the digital certificate according to the public key of the third party authority, and then performs matching verification on the private key of the root PKG signed in the signature information field according to the public key of the root PKG in the digital certificate.
In the foregoing technical solution, preferably, the digital certificate sent by the third party authority to the consumer includes public key owner information, a public key, issuing authority information, validity time, and an issuing authority signature, where the issuing authority signature is that the third party authority signs the digital certificate by using its own private key.
The invention also provides an identity-based named data network communication system, which applies any one of the technical schemes to the identity-based plain data network communication method, and comprises the following steps: the system comprises a PARAM signature module, a signature module and a data packet processing module, wherein the PARAM signature module is used for signing a system public parameter based on a private key of a root PKG of the HIBC in the process of producing the data packet by a producer and recording the signed system public parameter to a signature information field of the data packet; the data packet naming module is used for combining IDs generated by the PKG of the current level and all ancestor PKGs in the HIBC to form the identity information of the producer, and forming the name of the data packet by the identity information of the producer, the data information and the validity period of the system public parameter; the data packet acquisition module is used for sending an interest packet comprising the data packet name to the producer in the process of acquiring the data packet by the consumer; a data packet returning module, configured to send the data packet to the consumer when the producer receives the interest packet; the public key request module is used for sending an interest packet which requests a public key corresponding to the root PKG in the data packet to a third party authority and sending a digital certificate returned by the third party authority to the consumer; and the signature verification module is used for verifying the signature information of the data packet by using the public key in the digital certificate received by the consumer and acquiring the data packet content in the data packet after the verification is successful.
In the foregoing technical solution, preferably, the data packet includes a name of the data packet, data packet content information, data packet content, and a signature information field, the name of the data packet is used as a public key of the HIBC, the signature information field includes signature information on the system public parameter calculated according to the root PKG, and the system public parameter is used in a signature, signature verification, encryption, and decryption algorithm of the HIBC.
In the foregoing technical solution, preferably, after the consumer obtains the digital certificate through the third party authority, the consumer verifies the digital certificate according to the public key of the third party authority, and then performs matching verification on the private key of the root PKG signed in the signature information field according to the public key of the root PKG in the digital certificate.
In the foregoing technical solution, preferably, the digital certificate sent by the third party authority to the consumer includes public key owner information, a public key, issuing authority information, validity time, and an issuing authority signature, where the issuing authority signature is that the third party authority signs the digital certificate by using its own private key.
Compared with the prior art, the invention has the beneficial effects that: a mixed trust model based on HIBC and PKI utilizes PKG to carry out extension design on a hierarchical naming structure of NDN, unique association is established between a data packet name and a public key, a malicious user is prevented from carrying out data injection attack, in addition, a PARAM is signed through a private key of HIBC root PKG, and a certificate signature is verified through a third party authority of PKI, so that the trust of the PARAM is obtained, and the guarantee of communication safety is realized.
Drawings
FIG. 1 is a schematic flow chart of a named data network communication method based on identity according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a structure of an interest packet and a data packet according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a naming structure of an NDN packet according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a logic flow of data exchange in a communication process according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an identity-based named data network communication system according to an embodiment of the present invention.
In the drawings, the correspondence between each component and the reference numeral is:
11.PARAM signature module, 12. Data packet naming module, 13. Data packet obtaining module, 14. Data packet returning module, 15. Public key request module, 16. Signature verification module.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
The invention is described in further detail below with reference to the attached drawing figures:
as shown in fig. 1 and fig. 2, the method for naming data network based on identity according to the present invention includes: a producer signs a public parameter of the system based on a private key of a root PKG of the HIBC in the process of producing the data packet; recording the signed system public parameters to a signature information field of the data packet; the identity information of the producer is formed by combining IDs generated by a PKG of the current level and all ancestor PKGs in the HIBC; in the process of acquiring the data packet, the consumer sends an interest packet including the name of the data packet to the producer; when receiving the interest packet, the producer sends a data packet to the consumer; the consumer sends an interest packet of the public key corresponding to the root PKG in the request data packet to the third party authority; the third party authority sends a digital certificate comprising a public key corresponding to the root PKG to the consumer; and the consumer verifies the signature information of the data packet by using the public key in the received digital certificate, and acquires the data packet content in the data packet after the verification is successful.
In the embodiment, based on a hybrid trust model of HIBC and PKI, a hierarchical naming structure of NDN is expanded and designed by using PKG, unique association is established between a data packet name and a public key, so that a malicious user is prevented from carrying out data injection attack, in addition, a PARAM is signed by a private key of HIBC root PKG, and certificate signature is verified by a third party authority of PKI, so that the trust of PARAM is obtained, and the guarantee of communication security is realized.
In particular, HIBC is a variant of IBC that reflects the hierarchical structure of an organization, such as an inverted tree. IBC (identity based encryption) represents a public key cryptosystem in which any unique string can be used as a public key. The associated private key is generated based on the public key and public parameters of a trusted Private Key Generator (PKG) and the private key. The IBC records information of the PKG common parameter in the signature information field of the NDN packet (see fig. 1). The IBC has two important functions, an Identity-based Encryption (IBE) function and an Identity-based Signature (IBS) function.
Unlike IBC, there are several PKGs in the HIBC, each having its own master private key, the PKG generating and passing the private key for the users adjacent to it, the Rootpkg in the HIBC located at the root is called the root PKG.
The ID of each user consists of the IDs of all its ancestor PKGs. For example, a user is at level t, and the ID of a is an ID tuple (ID 1, ID2, …, IDt), where IDi represents a node at level i. The PKG at level t generates a private key for the user immediately adjacent to it, whose ID is the ID tuple (ID 1, ID2, … IDt, IDt + 1).
HIBC has two important functions: an Identity-based Hierarchical Encryption (HIBE) function and an Identity-based Hierarchical Signature (HIBS) function.
The identity-based signature function comprises four algorithms: setting, extracting a private key, signing and verifying. The setting algorithm and the key extraction algorithm are the same as those in HIBE.
Root Setup (. Lamda.) → (MSK (root pkg), PARAM) set algorithm. The security parameter lambda is used as input, the Root PKG runs the setting algorithm to generate a main private key MSK (Root PKG) and a system public parameter PARAM, the Root PKG can ensure the privacy of the MSK (Root PKG), and the system public parameter PARAM is public and is used by all users and PKGs in the system.
Lower Level Setup (λ) → MSKpkkg. The security parameter λ is used as input and each non-Root PKG runs the set-up algorithm, generating its own master private key MSKpkg.
KeyGen (MSKpkg, ID-tuple (ID 1, ID 2.,. IDt)) → DID: private key extraction algorithm. A user with an identity ID-tuple (ID 1, ID 2.., IDt) is given the computation of their corresponding private key DID, and the PKG at layer t-1 executes the algorithm. Before the algorithm is executed, the PKG will authenticate the applicant if it has the identity ID-tuple (ID 1, ID 2.., IDt). The DID is the private key that is securely sent to the user.
Sign (PARAM, DID, M) → σ signature Algorithm. The algorithm is executed by a signer, and a private key DID of the signer, a system public parameter PARAM and a plaintext M to be signed are input to calculate a signature sigma.
Verify (PARAM, ID-tuple (ID 1, ID 2.,. IDt), M, σ) signature algorithm. The algorithm is executed by a signature verification person, a system public parameter PARAM, identity information ID-tuple (ID 1, ID 2.. And IDt) of the signature verification person, a plaintext M and a signature sigma are input, the algorithm is operated to verify the signature sigma, if the signature verification is successful, 1 is output, and otherwise, 0 is output.
The encryption and signature operations in the HIBC are similar to those in the IBC, except that a plurality of PKGs are arranged in the HIBC, the setting algorithm can act on all the PKGs, only the root PKG has a system public parameter PARAM, and other PKGs share the public parameter. The ID-tuple (ID 1, ID 2., IDt) is used as a public key, system public parameters are used in a signature, signature verification, encryption and decryption algorithm, and the security of the HIBC depends on the system public parameter PARAM, so that the security of the PARAM is ensured.
In addition, public Key Infrastructure (PKI) is the foundation and core of the current network security construction, and is the basic guarantee for communication security implementation. The PKI is mainly used in the scenes with higher security requirements, such as electronic commerce, internet banking and the like, and is used for authenticating the identity, encrypted data and signature data of a communicator. To obtain the correct public key, a third party Authority (CA) issues a digital Certificate to the user, the digital Certificate containing information about the owner of the public key, the time of issue and validity, and the signature of the issue. The certificate binds the public key and the owner information of the public key together, and the CA signs the certificate by using the private key of the CA. The user obtains the public key of the CA, verifies the signature of the certificate to determine the authenticity of the digital certificate, and trusts the public key in the digital certificate by trusting the CA. It follows that the CA is an important component of PKI for authenticating users, issuing digital certificates, and managing certificates.
As shown in fig. 3, in the extended NDN naming structure, the name is added with information about the real identity of the producer, information about the data, and the edit date of the data or the validity period of the public parameters of the PKG, while maintaining the same structure as the original one. In addition, each component of the name (separated by "/") is associated with a PKG. The PKG is responsible for the uniqueness of the identification at this level and the distribution of the generated private key to its owner. The naming not only keeps the same overall system architecture and routing and caching mechanism of the NDN, but also establishes unique association between the data packet name and the public key, and better meets the security requirement in the NDN. The name extension may ensure that the producer verifies identity, data integrity, name authenticity and relevance. The security extension name can bypass the false data injection attack, an attacker cannot generate a forged data packet consisting of the intercepted name and the false data, and cannot generate a private key corresponding to the name.
As shown in fig. 2, taking the data packet of the student achievement list of the school period of the bjut university 2020 as an example, the data name thereof serves as a HIBC public key, in this name,/bjut.edu.cn/admin/section represents information on the identity of a producer to ensure identification of data, 201861888 \\\ score _report2020 section represents name information on the request of specific data content, and represents the achievement list of the school period of the student 2020 with the school number 201861888, thereby ensuring correlation. Finally,/1_1_2021 indicates the validity period of the public parameters of PKG.
In the above embodiment, preferably, the data packet includes a name of the data packet, information of content of the data packet, and a signature information field, the name of the data packet is used as a public key of the HIBC, the signature information field includes signature information on a system public parameter calculated according to the root PKG, and the system public parameter is used in a signature, signature verification, encryption, and decryption algorithm of the HIBC.
In the foregoing embodiment, preferably, after the consumer obtains the digital certificate through the third party authority, the consumer verifies the digital certificate according to the public key of the third party authority, and then performs matching verification on the private key of the root PKG signed in the signature information field according to the public key of the root PKG in the digital certificate.
As shown in fig. 4, in particular, trust is established on the public parameter PARAM based on PKI, and in order to ensure the security and the trustiness of the public parameter PARAM of the system, the private key of the HIBC root PKG is used to calculate the signature on the PARAM, and the signature information is recorded in the signature information field of the NDN data packet. In order to securely retrieve the corresponding public key to verify the signature, a digital certificate is passed, which is retrievable as an NDN packet and signed by a private key generated by the third party authority identity and known public parameters. And verifying the signature of the digital certificate by using the identity of the third party authority as a public key so as to obtain the trust of the PARAM.
In the above embodiment, preferably, the digital certificate sent by the third party authority to the consumer includes public key owner information, a public key, issuer information, a valid time, and an issuer signature, where the issuer signature is that the third party authority signs the digital certificate with its own private key.
In the above embodiment, a group of producers share a certificate, for example, all data issuers under/bjut.
As shown in fig. 5, the present invention further provides an identity-based named data network communication system, to which any one of the identity-based plain data network communication methods in the foregoing embodiments is applied, including: the PARAM signature module 11 is used for signing the system public parameters based on a private key of a root PKG of the HIBC in the process of producing the data packet by a producer, and recording the signed system public parameters to a signature information field of the data packet; the data packet naming module 12 is used for combining IDs generated by the PKG of the current hierarchy in the HIBC and all ancestor PKGs to form identity information of a producer, and forming the name of a data packet by the identity information of the producer, the data information and the validity period of a system public parameter; the data packet acquisition module 13 is used for sending an interest packet including a data packet name to a producer in the process of acquiring the data packet by the consumer; a data packet returning module 14, configured to send a data packet to the consumer when the producer receives the interest packet; the public key request module 15 is used for sending an interest packet requesting a public key corresponding to the root PKG in the data packet to the third party authority, and sending the digital certificate returned by the third party authority to the consumer; and the signature verification module 16 is configured to verify the signature information of the data packet by using the public key in the digital certificate received by the consumer, and obtain the content of the data packet in the data packet after the verification is successful.
In the above embodiment, preferably, the data packet includes a name of the data packet, information of content of the data packet, and a signature information field, the name of the data packet is used as a public key of the HIBC, the signature information field includes signature information on a system public parameter calculated according to the root PKG, and the system public parameter is used in a signature, signature verification, encryption, and decryption algorithm of the HIBC.
In the foregoing embodiment, preferably, after the consumer obtains the digital certificate through the third party authority, the consumer verifies the digital certificate according to the public key of the third party authority, and then performs matching verification on the private key of the root PKG signed in the signature information field according to the public key of the root PKG in the digital certificate.
In the above embodiment, preferably, the digital certificate sent by the third party authority to the consumer includes the public key owner information, the public key, the issuer information, the validity time, and the issuer signature is that the third party authority signs the digital certificate with its own private key.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (4)

1. An identity-based named data network communication method, comprising:
in the process of producing the data packet, a producer encrypts a private key of a root PKG of the HIBC based on the identity hierarchy and signs a public parameter of the system;
recording the signed system public parameters to a signature information field of the data packet;
the identity information of the producer, the data information and the validity period of the system public parameter form the name of the data packet, the identity information of the producer is formed by combining IDs generated by a PKG at the current level and all ancestor PKGs in the HIBC, the data packet comprises the name of the data packet, content information of the data packet, content of the data packet and a signature information field, the name of the data packet is used as a public key of the HIBC, the signature information field comprises signature information of the system public parameter calculated according to the root PKG, and the system public parameter is used in algorithms of signature, verification signature, encryption and decryption of the HIBC;
the consumer sends an interest packet including the data packet name to the producer in the process of acquiring the data packet;
the producer sends the data packet to the consumer when receiving the interest packet;
the consumer sends an interest packet requesting a public key corresponding to a root PKG in the data packet to a third party authority;
the third party authority sends a digital certificate comprising a public key corresponding to the root PKG to the consumer;
and after verifying the digital certificate according to the public key of the third party authority by using the received digital certificate, the consumer performs matching verification on the private key of the root PKG signed in the signature information field according to the public key of the root PKG in the digital certificate, and acquires the data packet content in the data packet after the verification is successful.
2. The identity-based named data networking method of claim 1, wherein the digital certificate sent by the third party authority to the consumer includes public key owner information, a public key, issuer information, a validity time, and an issuer signature, wherein the issuer signature is used by the third party authority to sign the digital certificate with its own private key.
3. An identity-based named data network communication system, to which the identity-based named data network communication method of claim 1 or 2 is applied, comprising:
the system comprises a PARAM signature module, a signature module and a data packet processing module, wherein the PARAM signature module is used for signing a system public parameter based on a private key of a root PKG of the HIBC in the process of producing the data packet by a producer and recording the signed system public parameter to a signature information field of the data packet;
the data packet naming module is used for combining IDs generated by a PKG at the current level and all ancestor PKGs in the HIBC to form identity information of the producer, and forming the name of the data packet by using the identity information and the data information of the producer and the validity period of the system public parameter, wherein the data packet comprises the name of the data packet, content information of the data packet, content of the data packet and a signature information field, the name of the data packet is used as a public key of the HIBC, the signature information field comprises signature information of the system public parameter calculated according to the root PKG, and the system public parameter is used in signature, verification signature, encryption and decryption algorithms of the HIBC;
the data packet acquisition module is used for sending an interest packet comprising the data packet name to the producer in the process of acquiring the data packet by the consumer;
a data packet return module for sending the data packet to the consumer when the producer receives the interest packet;
the public key request module is used for sending an interest packet which requests a public key corresponding to the root PKG in the data packet to a third party authority and sending a digital certificate returned by the third party authority to the consumer;
and the signature verification module is used for verifying the digital certificate according to the public key of the third party authority by using the digital certificate received by the consumer, matching and verifying the private key of the root PKG signed in the signature information field according to the public key of the root PKG in the digital certificate, and acquiring the data packet content in the data packet after successful verification.
4. The identity-based named data networking communication system of claim 3, wherein the digital certificate sent by the third party authority to the consumer comprises public key owner information, a public key, issuer information, a validity time, and an issuer signature, wherein the issuer signature is that the third party authority signs the digital certificate with its own private key.
CN202110055022.8A 2021-01-15 2021-01-15 Named data network communication method and communication system based on identity Active CN112738130B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110055022.8A CN112738130B (en) 2021-01-15 2021-01-15 Named data network communication method and communication system based on identity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110055022.8A CN112738130B (en) 2021-01-15 2021-01-15 Named data network communication method and communication system based on identity

Publications (2)

Publication Number Publication Date
CN112738130A CN112738130A (en) 2021-04-30
CN112738130B true CN112738130B (en) 2023-04-07

Family

ID=75591674

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110055022.8A Active CN112738130B (en) 2021-01-15 2021-01-15 Named data network communication method and communication system based on identity

Country Status (1)

Country Link
CN (1) CN112738130B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103544452A (en) * 2012-07-11 2014-01-29 株式会社日立制作所 Signature generation and verification system and signature verification apparatus
CN106257882A (en) * 2015-12-28 2016-12-28 重庆邮电大学 Identity-based and the access control method of encryption in name data network
CN106936833A (en) * 2017-03-15 2017-07-07 广东工业大学 A kind of content center network method for secret protection based on Hybrid Encryption and anonymous group
CN110401637A (en) * 2019-06-28 2019-11-01 中南民族大学 Trust method based on name in a kind of name data network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020010515A1 (en) * 2018-07-10 2020-01-16 Apple Inc. Identity-based message integrity protection and verification for wireless communication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103544452A (en) * 2012-07-11 2014-01-29 株式会社日立制作所 Signature generation and verification system and signature verification apparatus
CN106257882A (en) * 2015-12-28 2016-12-28 重庆邮电大学 Identity-based and the access control method of encryption in name data network
CN106936833A (en) * 2017-03-15 2017-07-07 广东工业大学 A kind of content center network method for secret protection based on Hybrid Encryption and anonymous group
CN110401637A (en) * 2019-06-28 2019-11-01 中南民族大学 Trust method based on name in a kind of name data network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
命名数据网络中基于区块链技术的身份认证;夏荣;《电子世界》;20190223(第04期);全文 *

Also Published As

Publication number Publication date
CN112738130A (en) 2021-04-30

Similar Documents

Publication Publication Date Title
CN106789090B (en) Public key infrastructure system based on block chain and semi-random combined certificate signature method
CN108810895B (en) Wireless Mesh network identity authentication method based on block chain
US7688975B2 (en) Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
CN108768652B (en) Coalition block chain bottom layer encryption method capable of resisting quantum attack
EP3659082B1 (en) Computer-implemented system and method enabling secure storage of a large blockchain over a plurality of storage nodes
CN114186248B (en) Zero-knowledge proof verifiable certificate digital identity management system and method based on block chain intelligent contracts
CN111372243A (en) Safe distributed aggregation and access system and method based on fog alliance chain
CN101212293B (en) Identity authentication method and system
CN109450843B (en) SSL certificate management method and system based on block chain
CN101989984A (en) Electronic document safe sharing system and method thereof
CN113301022B (en) Internet of things equipment identity security authentication method based on block chain and fog calculation
CN113536389B (en) Fine-grained controllable decentralized editable block chain construction method and system
WO2023236551A1 (en) Decentralized trusted access method for cellular base station
Tong et al. CCAP: A complete cross-domain authentication based on blockchain for Internet of things
CN115865320A (en) Block chain-based security service management method and system
CN110945833B (en) Method and system for multi-mode identification network privacy protection and identity management
Ma et al. Be-trdss: Blockchain-enabled secure and efficient traceable-revocable data-sharing scheme in industrial internet of things
Mao et al. BTAA: Blockchain and TEE Assisted Authentication for IoT Systems
Huszti et al. A simple authentication scheme for clouds
CN116432204B (en) Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof
CN112738130B (en) Named data network communication method and communication system based on identity
Yao et al. DIDs-Assisted Secure Cross-Metaverse Authentication Scheme for MEC-Enabled Metaverse
CN112950356B (en) Personal loan processing method, system, equipment and medium based on digital identity
GB2395304A (en) A digital locking system for physical and digital items using a location based indication for unlocking
Hassouna et al. A New Level 3 Trust Hierarchal Certificateless Public Key Cryptography Scheme in the Random Oracle Model.

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant