CN114070559A - Industrial Internet of things session key negotiation method based on multiple factors - Google Patents
- Publication number: CN114070559A (application CN202111621015.6A)
- Authority: CN (China)
- Prior art keywords: user, server, message, private key, things
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
      - H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    - H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
  - H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    - H04L9/3066—Public key cryptography involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
  - H04L9/32—Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    - H04L9/3226—Identity or message authentication using a predetermined code, e.g. password, passphrase or PIN
      - H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    - H04L9/3236—Identity or message authentication using cryptographic hash functions
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
    - H04L63/067—Key management in a packet data network using one-time keys
Abstract
The invention discloses a multi-factor-based session key negotiation method for the industrial Internet of things. The invention assumes the more realistic setting of a semi-trusted management center; the user's pseudonym is generated jointly by the user and the server and is updated in real time after every key negotiation, so that the user's identity information cannot be leaked, which ensures user anonymity, unlinkability and untraceability and improves security. The invention pre-distributes keys and uses a multi-factor authentication mode, namely biometrics, a password and a smart card; the main cryptographic operations are bit operations and a hash function, which reduces the computation cost and communication cost of the key agreement scheme.
Description
Technical Field
The invention belongs to the industrial Internet of things communication technology, and particularly relates to a multi-factor-based session key agreement method for the industrial Internet of things.
Background
The Internet of things (IoT) is an extension and expansion of the Internet. It consists of many information sensing devices which, wherever they are located, can be remotely accessed and controlled over the Internet at any time and place, achieving interconnection between users, machines and objects. The industrial Internet of things (IIoT) is one of the main applications of the Internet of things. In an IoT environment most devices or nodes are able to process information and communicate and have a routable Internet protocol address (IP address), but their resources are limited. Users can access and control IoT devices in different IoT environments through the network.
Industry 4.0 refers to the fourth industrial revolution dominated by smart manufacturing. The plant integrates production equipment, wireless signal connections and sensors into one ecosystem to autonomously monitor the entire production process and execute decisions. The high autonomy and resource limitations of industrial internet of things networks pose challenges to the security of industrial internet of things. Identity authentication and key establishment are important components of the industrial Internet of things, and factors such as safety, performance and the like must be considered in key agreement.
As shown in fig. 1, the existing industrial system model includes a user, an industrial Server, a regional gateway and smart devices. The gateway serves as the area management equipment and is deployed in the corresponding working environment together with the area's smart devices. Both the gateway and the devices are semi-trusted. The industrial Server is deployed in a physically secure environment and is considered fully trusted. A legal user can send an access request to the Server and establish contact with a smart device through the Server. During the authentication and key agreement process, the user and the device obtain a session key. Privacy, message integrity and user authentication are critical in the IIoT environment because an adversary can eavesdrop on, modify and forge communication messages. In the industrial Internet of things the user communicates with the Server, and the Server communicates with the device, over an open wireless network, so the communication is exposed to attackers and user information (such as user identity, password and location information) may be leaked. Therefore, an appropriate security scheme is needed to protect the communication link.
In most key agreement schemes, either the key agreement flow is not light enough and cannot meet the requirements of equipment or sensor nodes with more resource constraints, or the key agreement flow cannot meet the sufficient security in the environment of the internet of things. In terms of functionality, most solutions fail to meet more desirable functional features, such as revoking users, dynamically adding devices, dynamically changing personally relevant key information (including biometrics and passwords), and the like.
Disclosure of Invention
The purpose of the invention is as follows: the invention aims to solve the defects in the prior art and provides a multi-factor-based session key agreement method for the industrial Internet of things.
The technical scheme is as follows: the invention discloses a multi-factor-based industrial Internet of things session key agreement method, which comprises the steps of initialization of an industrial Internet of things system, authentication, key agreement and system updating;
step (1), initialization of industrial Internet of things system
(1.1) Server initialization: the Server selects a biometric probabilistic generation function Gen(·) and a deterministic recovery function Rep(·) (the fuzzy extractor), sets a 160-bit Server private key S for each working environment of the Internet of things and establishes a private key list; it also establishes information tables, such as a device information table and a user information table, for each working environment; and it selects a one-way hash function H(·);
(1.2) device registration: in an offline state, the device provides registration information, including its device identification ID_j, to the Server; the Server generates a random value r_j and computes the device pseudonym RID_j = h(ID_j || r_j); the Server calculates the device private key Ksd_j = h(RID_j || S) using the private key S of the device's work area; the Server adds the device information to the device list SDList of the area; the Server stores the device information, including the pseudonym RID_j = h(ID_j || r_j) and the private key Ksd_j = h(RID_j || S);
(1.3) user registration: in a secure registration environment, user U_i generates a random value r_i, calculates its own pseudonym RID_i = h(ID_i || r_i) and sends the pseudonym to the Server; the Server checks the validity of the user identity, calculates the user private key Ksu_i = h(RID_i || S) using the private key S of the registration area, and sends the private key and the device list of the area to the user; the user applies the fuzzy extractor's probabilistic generation function Gen(BIO_i) = (σ_i, τ_i) to obtain a biometric key σ_i and a public recovery parameter τ_i; user U_i sets a password PW_i; the smart card calculates and stores the user's digital signature TPW_i, the encrypted user private key Ksu_i, the encrypted user pseudonym RID_i, the encrypted device information list SDList, and τ_i; σ_i and τ_i are respectively user U_i's biometric key and public recovery parameter;
step (2), authentication and key agreement process:
(2.1) user login: the user logs in and performs identity authentication with the aid of the smart card; user U_i inputs the identity ID_i and password PW_i, and uses τ_i with the fuzzy extractor's deterministic recovery function Rep(·) to recover the user's biometric key σ_i within the threshold t; the smart card calculates the user digital signature to be verified TPW_i' = h(ID_i || PW_i || σ_i), compares TPW_i' with the stored TPW_i, and thereby verifies the user identity.
(2.2) the user initiates a request: after the user has been authenticated, the smart card computes the stored encrypted information; M1 is an encrypted message of the user's random value, M2 is the user's authentication message, M3 is an encrypted message of the device pseudonym and M4 is a verifiable digital signature of the user.
The smart card then generates a random value r_i and a current timestamp T1; the smart card calculates the following parameters:
M2 = h(Ksu_i || T1);
M4 = h(RID_i || r_u || Ksu_i || T1 || RID_j || M3);
the user sends the request queue MQ1 = {RID_i, M1, M2, M3, M4, T1} to the Server.
(2.3) Server response: after receiving the message MQ1, the Server first verifies the message time; the Server generates a current timestamp T2 and, if |T2 - T1| > ΔT, performs no authentication and discards MQ1; if the time is within the maximum transmission delay, the Server first uses its own information to calculate M2' = h(Ksu_i || T1), verifies whether M2 from the message queue and M2' are equal, and checks RID_i to judge whether the message source is legal and belongs to a legal user;
after the Server has verified the validity of the message, it uses the private key S of its region to compute from the message queue M4' = h(RID_i || r_u' || Ksu_i' || T1 || RID_j' || M3); here Ksu_i' is the private key of the user to be authenticated, r_u' is the random value of the user to be authenticated, and RID_j' is the device pseudonym to be verified;
the Server compares the computed M4' with the received M4; if they are equal, the message has not been modified;
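The following Python simulation is an added example and is not code from the patent. It covers the parts of steps (1.2), (1.3), (2.1), (2.2) and (2.3) whose formulas are legible on the page: pseudonyms RID = h(ID || r), private keys Ksd_j = h(RID_j || S) and Ksu_i = h(RID_i || S), the login check TPW_i' = h(ID_i || PW_i || σ_i), the request fields M2 = h(Ksu_i || T1) and M4 = h(RID_i || r_u || Ksu_i || T1 || RID_j || M3), the freshness window |T2 - T1| > ΔT, the RID_i lookup in the authorized user list (also used for revocation in section 3.3) and the M4 recomputation. Everything else is an assumption labelled in the code: SHA-256 as h(·), ΔT = 5 s, XOR with a per-field hash of Ksu_i and T1 as the "bit operation" that encrypts r_u into M1 and RID_j into M3 (the page does not give these formulas), the constructed identifiers and σ_i standing in for the key recovered by Rep(·), and the smart card keeping Ksu_i and RID_i unmasked. The page writes the user's random value as r_i in step (2.2) and r_u in M4; the code uses r_u.

```python
import hashlib
import hmac
import secrets
import time

DELTA_T = 5  # maximum transmission delay ΔT in seconds (constructed value; the page only names ΔT)


def h(*parts: bytes) -> bytes:
    """One-way hash h(a || b || ...), instantiated with SHA-256 (assumption: the page fixes no hash)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the page's 'bit operation')."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def tb(t: int) -> bytes:
    """Encode a timestamp for hashing."""
    return str(t).encode()


class Server:
    """Industrial Server: area private key S, device list SDList and authorized user list."""

    def __init__(self) -> None:
        self.S = secrets.token_bytes(20)  # 160-bit area private key S
        self.sdlist = {}                  # RID_j -> Ksd_j
        self.users = {}                   # RID_i -> Ksu_i (authorized user list)

    def register_device(self, ID_j: bytes):
        r_j = secrets.token_bytes(16)
        RID_j = h(ID_j, r_j)              # RID_j = h(ID_j || r_j)
        Ksd_j = h(RID_j, self.S)          # Ksd_j = h(RID_j || S)
        self.sdlist[RID_j] = Ksd_j
        return RID_j, Ksd_j

    def register_user(self, RID_i: bytes):
        Ksu_i = h(RID_i, self.S)          # Ksu_i = h(RID_i || S)
        self.users[RID_i] = Ksu_i
        return Ksu_i, list(self.sdlist)   # private key plus the area's device list

    def revoke_user(self, RID_i: bytes) -> None:
        self.users.pop(RID_i, None)       # section 3.3: a revoked pseudonym no longer resolves

    def handle_request(self, MQ1, T2: int) -> str:
        """Step 2.3: freshness, M2 authentication, RID_i authorization, M4 integrity."""
        RID_i, M1, M2, M3, M4, T1 = MQ1
        if abs(T2 - T1) > DELTA_T:
            return "stale"                # |T2 - T1| > ΔT: discard without authenticating
        Ksu = self.users.get(RID_i)
        if Ksu is None:
            return "unknown-or-revoked"
        if not hmac.compare_digest(M2, h(Ksu, tb(T1))):
            return "bad-M2"               # M2' = h(Ksu_i || T1) must equal the received M2
        # Recover r_u' and RID_j' from M1 and M3 (assumed masking, see lead-in).
        r_u = xor(M1, h(Ksu, tb(T1), b"M1"))
        RID_j = xor(M3, h(Ksu, tb(T1), b"M3"))
        if RID_j not in self.sdlist:
            return "unknown-device"
        M4p = h(RID_i, r_u, Ksu, tb(T1), RID_j, M3)  # M4' from the page
        if not hmac.compare_digest(M4, M4p):
            return "bad-M4"               # M4' != M4: message modified in transit
        return "ok"


class SmartCard:
    """User smart card (simplified: Ksu_i and RID_i kept unmasked here)."""

    def __init__(self, ID_i, PW_i, sigma_i, Ksu_i, RID_i, sdlist):
        self.TPW = h(ID_i, PW_i, sigma_i)  # TPW_i = h(ID_i || PW_i || σ_i)
        self.Ksu, self.RID, self.sdlist = Ksu_i, RID_i, sdlist

    def login(self, ID, PW, sigma) -> bool:
        """Step 2.1: compare TPW_i' = h(ID_i || PW_i || σ_i) with the stored TPW_i."""
        return hmac.compare_digest(h(ID, PW, sigma), self.TPW)

    def build_request(self, RID_j: bytes, T1: int):
        """Step 2.2: MQ1 = {RID_i, M1, M2, M3, M4, T1}."""
        r_u = secrets.token_bytes(32)
        M1 = xor(r_u, h(self.Ksu, tb(T1), b"M1"))    # assumed encryption of the user's random value
        M2 = h(self.Ksu, tb(T1))                       # M2 = h(Ksu_i || T1)
        M3 = xor(RID_j, h(self.Ksu, tb(T1), b"M3"))  # assumed encryption of the device pseudonym
        M4 = h(self.RID, r_u, self.Ksu, tb(T1), RID_j, M3)
        return (self.RID, M1, M2, M3, M4, T1)


def run_demo() -> dict:
    """Happy path plus the checks that must fail: wrong password, replay, tampering, revocation."""
    srv = Server()
    RID_j, _ = srv.register_device(b"PLC-07")         # constructed device identifier
    ID_i, PW_i = b"alice", b"correct-horse"           # constructed user credentials
    sigma_i = b"sigma-from-fuzzy-extractor"           # stand-in for σ_i recovered by Rep(.)
    RID_i = h(ID_i, secrets.token_bytes(16))          # RID_i = h(ID_i || r_i)
    Ksu_i, sdlist = srv.register_user(RID_i)
    card = SmartCard(ID_i, PW_i, sigma_i, Ksu_i, RID_i, sdlist)
    out = {"login_ok": card.login(ID_i, PW_i, sigma_i),
           "login_wrong_pw": card.login(ID_i, b"wrong", sigma_i)}
    T1 = int(time.time())
    MQ1 = card.build_request(RID_j, T1)
    out["fresh"] = srv.handle_request(MQ1, T1 + 1)
    out["replayed"] = srv.handle_request(MQ1, T1 + 60)
    tampered = list(MQ1)
    tampered[1] = xor(MQ1[1], b"\x01" + b"\x00" * 31)  # flip one bit of M1
    out["tampered"] = srv.handle_request(tuple(tampered), T1 + 1)
    srv.revoke_user(RID_i)
    out["revoked"] = srv.handle_request(MQ1, T1 + 1)
    return out
```

Running `run_demo()` shows the order of the Server's checks: a stale timestamp is rejected before any key material is touched, a revoked pseudonym is rejected before M2 is recomputed, and a single flipped bit in M1 changes the recovered r_u' so that M4' no longer matches.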
the Server generates a new user pseudonym and updates the user information; the Server generates a random value r_s, computes a temporary authentication credential and a new user private key, and saves the user's new private key;
the Server transmits the message queue MQ2 = {Mu5, M6, M7, M8, Mu51, T2} to the device;
here Mu5 is an encrypted message carrying the user's new private key, which the device must re-encrypt, M6 is the encrypted random value of the user, M7 is the encrypted random value of the Server, M8 is the digital signature message of the Server, and Mu51 is an encrypted message used to verify whether the user's private key has been tampered with;
(2.4) device authentication and calculation of session key:
after the device receives the message queue MQ2, it first validates the message time: SD_j generates a current timestamp T3 and, if |T3 - T2| > ΔT, performs no authentication and discards MQ2;
the device uses its private key to compute in turn the user's random value to be verified r_u' and the Server's random value to be verified r_s';
it calculates M8' = h(Mu5 || h(r_u' || r_s')) and checks whether M8' equals the received M8, to determine whether the message was altered; if it was not, the device SD_j generates a random value r_d and computes the required values using the device private key;
the device calculates SK = h(Mu9 r_u || h(r_d || r_s)) and M13 = h(SK || h(r_d || r_s) || T3), where SK is the negotiated session key; the device transmits the message queue MQ3 = {Mu51, M10, M11, M12, M13, T3} to the user;
Mu9 is an encrypted message of the new private key that the user can decrypt, M10 is an encrypted message of the random values of the Server and the device, M11 is the Server's signed message about the user's new private key, M12 is an encrypted message of the Server's random value, and M13 is the digital signature of the device.
(2.5) user authentication and session key calculation:
after the user receives MQ3, the message time is first verified: U_i generates a current timestamp T4 and, if |T4 - T3| > ΔT, the authentication does not continue and the user discards MQ3;
the user checks whether Mu9' equals Mu9''; if not, the message has been modified and is discarded; if the authentication message is normal, the user calculates SK' = h(SK' || h(r_d || r_s)') and M13' = h(SK' || h(r_d || r_s)' || T3); here r_s' is the secret value generated by the Server to be authenticated, together with the temporary authentication credential to be verified and the user's new private key to be verified; Mu9' is the signature to be verified computed by the user, h(r_d || r_s)' is the encrypted random value to be verified, SK' is the session key to be verified, and M13' is the signature message to be verified;
comparing M13 with M13' checks whether the calculation is correct; if the check passes, SK' is accepted as the session key and the user's private key is updated.
Step (3), updating the industrial Internet of things system
(3.1) user password and biometric update:
in order to simplify user operation and reduce load on the Server, a legal user can locally update the password and biometrics at any time; in a secure operating environment, U_i reads the smart card SC_i through a card reader and provides its own ID_i, old password PW_i^old and old biometric information;
SC_i computes the verification value from these inputs and, by checking on the smart card whether it equals the stored TPW_i, decides whether the following operations are to be executed;
after U_i receives the next instruction from SC_i, U_i inputs the new password PW_i^new and the new biometric information, and the new values are computed;
the smart card SC_i replaces the stored Ksu_i, RID_i, SDList, TPW_i and τ_i with their new values, including SDList^new; at this point the password and biometric update is complete. U_i may update only the password or only the biometrics, but periodic updates of both the password and the biometrics are recommended for security and biometric accuracy.
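As an added example (not code from the patent) of the local update in step (3.1): the smart card verifies the old password and biometric key against TPW_i, unmasks the stored Ksu_i, RID_i and SDList, and re-masks them under the new password and/or biometric key together with a new TPW_i and τ_i, without contacting the Server. The page does not specify how the stored values are encrypted under the password and biometrics, so the masking key K = h(ID_i || PW_i || σ_i || "local") and the per-item XOR masks are assumptions, as are SHA-256 as h(·) and the constructed identifiers, keys and τ values; σ_i here stands in for the key a fuzzy extractor would recover.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """One-way hash h(a || b || ...), instantiated with SHA-256 (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class SmartCard:
    """SC_i storing TPW_i, τ_i and the masked Ksu_i, RID_i and SDList (masking scheme assumed)."""

    def __init__(self, ID, PW, sigma, tau, Ksu, RID, sdlist):
        self.tau = tau                                    # public recovery parameter τ_i
        self._seal(ID, PW, sigma, Ksu, RID, sdlist)

    @staticmethod
    def _masks(ID, PW, sigma, n):
        """Derive one XOR mask per stored item from the assumed local key K."""
        K = h(ID, PW, sigma, b"local")
        return h(K, b"Ksu"), h(K, b"RID"), [h(K, b"SD", bytes([i])) for i in range(n)]

    def _seal(self, ID, PW, sigma, Ksu, RID, sdlist):
        self.TPW = h(ID, PW, sigma)                       # TPW_i = h(ID_i || PW_i || σ_i)
        mk, mr, ms = self._masks(ID, PW, sigma, len(sdlist))
        self.enc_Ksu = xor(Ksu, mk)
        self.enc_RID = xor(RID, mr)
        self.enc_sdlist = [xor(rid, m) for rid, m in zip(sdlist, ms)]

    def open(self, ID, PW, sigma):
        """Login check as in step 2.1, then unmasking; None if TPW_i does not match."""
        if not hmac.compare_digest(h(ID, PW, sigma), self.TPW):
            return None
        mk, mr, ms = self._masks(ID, PW, sigma, len(self.enc_sdlist))
        return (xor(self.enc_Ksu, mk), xor(self.enc_RID, mr),
                [xor(c, m) for c, m in zip(self.enc_sdlist, ms)])

    def update_credentials(self, ID, PW_old, sigma_old, PW_new=None, sigma_new=None, tau_new=None):
        """Step 3.1: re-seal under the new password and/or biometric key; no Server involved."""
        opened = self.open(ID, PW_old, sigma_old)
        if opened is None:
            return False                                  # old credentials rejected, nothing changes
        Ksu, RID, sdlist = opened
        if tau_new is not None:
            self.tau = tau_new                            # new public recovery parameter
        self._seal(ID, PW_new if PW_new is not None else PW_old,
                   sigma_new if sigma_new is not None else sigma_old, Ksu, RID, sdlist)
        return True


def run_demo() -> dict:
    """Password-only update, then biometric update, with the secrets from registration preserved."""
    ID, PW_old, sigma_old = b"alice", b"old-pass", b"sigma-old"   # constructed credentials
    Ksu, RID = secrets.token_bytes(32), secrets.token_bytes(32)   # issued at registration
    sdlist = [secrets.token_bytes(32) for _ in range(3)]          # three device pseudonyms
    card = SmartCard(ID, PW_old, sigma_old, b"tau-old", Ksu, RID, sdlist)
    out = {}
    out["wrong_old_rejected"] = card.update_credentials(ID, b"guess", sigma_old, PW_new=b"x")
    out["pw_only_update"] = card.update_credentials(ID, PW_old, sigma_old, PW_new=b"new-pass")
    out["old_pw_fails"] = card.open(ID, PW_old, sigma_old) is None
    out["bio_update"] = card.update_credentials(ID, b"new-pass", sigma_old,
                                                sigma_new=b"sigma-new", tau_new=b"tau-new")
    opened = card.open(ID, b"new-pass", b"sigma-new")
    out["secrets_preserved"] = opened is not None and opened[0] == Ksu and opened[2] == sdlist
    out["tau_updated"] = card.tau == b"tau-new"
    return out
```

The point the example makes is that Ksu_i and RID_i issued at registration never change during a local credential update; only the masks derived from the password and biometric key change, which is why the Server does not need to be involved.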
(3.2) device update:
Internet of things devices from different manufacturers are registered on the Server; the Server uses a random secret value it generates to encapsulate the unalterable identity of the SD, obtaining a pseudonym identifier different from those of the existing nodes;
the Server uses the private key S of the working area where the IoT device is to be deployed to calculate the device's private key; the Server stores the registration information in the memory of the new IoT device and updates the device information in the device list of the area;
the IoT device is then deployed in the working area and the legal users in the area are informed of the new device; updating the users' device lists is secure, and legal users can then communicate with the new device to obtain access control and service.
(3.3) user revocation:
in practical large-scale industrial deployments, to ensure traceability of specific operation steps and to record operations, the industrial Server registers and records the authorized legal users participating in session communication; for all registered users, the Server can modify their legality and revoke their authorization; the Server may re-encrypt and encapsulate the name of the revoked user using a direct long-term key, and the encapsulated user ID remains stored in the authorization list of the IoT area as a record and certificate;
in the session key agreement phase, when the user sends the request message MQ1 = {RID_i, M1, M2, M3, M4, T1} to the Server, the Server verifies whether the user still holds legal authorization by searching the authorized user list; if the user has been revoked, the Server will not find the user's pseudonym in the list, and the request sent by the revoked user receives no response.
Advantages: compared with the prior art, the invention has the following advantages:
(1) the method is based on multi-factor authentication and is more realistic. Meanwhile, the user's pseudonym is used only once per session and is computed by the Server and the user respectively, which ensures user anonymity. In addition, the user's private key is used once: after each session key negotiation, the Server and the user each update the user's private key. The scheme thus ensures user anonymity and unlinkability.
(2) The invention does not use the computationally heavier bilinear pairing or elliptic curve cryptography, but bit operations and a hash function with lower computational overhead, which effectively reduces the computation and communication overhead of session key agreement in the industrial Internet of things.
(3) The invention combines the pre-distributed key method with certificateless signatures and performs user revocation and device update outside the key agreement process, thereby reducing storage overhead, computation overhead and search time and improving the efficiency of message authentication.
Drawings
FIG. 1 is a schematic diagram of a network structure of the system of the present invention;
FIG. 2 is a network schematic of stages of the inventive arrangements;
FIG. 3 is a process diagram of the main steps of authentication and key agreement of the present invention;
FIG. 4 is an overall flow chart of the solution of the present invention;
FIG. 5 is a flow chart of the response of the Server to receive the request message in the solution of the present invention;
fig. 6 is a flow chart of a response of a device to receive a request message in the solution of the present invention.
Detailed Description
The technical solution of the present invention is described in detail below, but the scope of the present invention is not limited to the embodiments.
The related characters of the present embodiment have the following meanings:
as shown in fig. 1, the invention provides a multi-factor-based industrial internet of things session key negotiation method, which includes the following steps:
step (1) system initialization, comprising three stages: Server initialization, device registration and user registration;
step (2) authentication and key agreement, comprising five stages: user login, user request initiation, Server response, device authentication and key calculation, and user authentication and key calculation;
step (3) system updating, comprising user password and biometric update, device update and user revocation.
Step (1) System initialization
The process mainly describes initialization of a server, registration of Internet of things equipment and registration of a legal user. The server distributes the private key and pseudonym to the device and the user.
The Server is the center of the industrial Internet of things and a completely trusted third party with high computing capacity and storage, responsible for the operation of the whole industrial Internet of things. The specific steps are as follows:
1) The Server selects the biometric probabilistic generation function Gen(·) and the deterministic recovery function Rep(·) to be loaded into the smart card, and selects the one-way hash function H(·) to be used.
2) The Server randomly selects S as the system key. Note that, because the Server is a central server, the selected key is an area key scoped to the working range of a single Internet of things, and the Server may select different keys for each area of the industrial Internet of things.
3) In addition to establishing the area key list, the Server establishes various auxiliary information tables, such as a device information table and a user information table. In case of user revocation or device connection failure, these tables can be queried.
Before devices are deployed in a specific working area, the IoT devices and sensor nodes from different manufacturers must be uniformly registered in the Server to obtain standard device information, such as the device identification ID_j. The Server registers each device and assigns the device's private key. The specific steps are as follows:
1) In the offline state, the device registers with the Server and provides device information including the device identification ID_j.
2) The Server generates a random value r_j and computes the device pseudonym RID_j = h(ID_j || r_j).
3) The Server computes the device private key Ksd_j = h(RID_j || S) using the private key S of the device's work area.
4) The Server adds the device information to the device list SDList of the area.
5) The Server stores the device information, including the pseudonym RID_j = h(ID_j || r_j) and the private key Ksd_j = h(RID_j || S).
Before participating in the operation of the industrial Internet of things, a user must register securely with the Server and obtain from it the list of devices with which the user may establish session keys. In the key agreement stage, the user can then perform key agreement and communicate with the IoT devices it is allowed to reach, and the Server can verify the user's validity. The specific steps are as follows:
1) The user hides its identity information in the pseudonym RID_i = h(ID_i || r_i) and transmits the pseudonym to the Server.
2) The Server checks whether the user's registration is legitimate and determines the user's registration unit. The Server sends the device list of the area to the user and distributes the user's private key Ksu_i = h(RID_i || S).
3) The user receives a smart card during registration and uses the fuzzy extractor on his/her own biometric information, Gen(BIO_i) = (σ_i, τ_i), to obtain σ_i and τ_i. On the smart card, the user's usage information is encrypted with the password and biometrics, and the card calculates and stores TPW_i = h(ID_i || PW_i || σ_i),
Step (2) authentication and key agreement
In the authentication and key agreement process, the user needs to communicate with the internet of things device to obtain real-time device information.
First the user needs to log in locally and get the stored information from the smart card. The method comprises the following specific steps:
1) The user logs in and performs identity authentication with the aid of the smart card. User U_i inputs the identity ID_i and password PW_i, and uses τ_i with the fuzzy extractor's deterministic recovery function Rep(·) to recover the user's biometric key σ_i within the threshold t.
2) The smart card calculates TPW_i' = h(ID_i || PW_i || σ_i), compares TPW_i' with the stored TPW_i and verifies the user identity.
Then, after the user passes local authentication, a session request is initiated. The specific steps are as follows:
1) After the user has been authenticated, the smart card computes the stored encrypted information,
2) The smart card generates a random value r_i and a current timestamp T1.
4) The user sends the request queue MQ1 = {RID_i, M1, M2, M3, M4, T1} to the Server.
After receiving the user's request, the Server verifies the message, checking its communication delay and whether it has been tampered with. It also checks the validity of the user: whether the user has been revoked and whether the user is a valid user of the area. The response message, containing the user's new pseudonym and private key, is then computed. The specific steps are as follows:
1) After the Server receives MQ1, the message time is first validated. The Server generates a current timestamp T2 and, if |T2 - T1| > ΔT, does not continue the authentication and discards MQ1.
2) If the time is within the maximum transmission delay, the Server first calculates M2' = h(Ksu_i || T1) using its own information, verifies whether M2 from the message queue equals M2', and checks RID_i to judge whether the message source is legal and belongs to a legal user.
3) After the Server has verified the validity of the message, it uses the private key S of its region to calculate in turn from the message queue Ksu_i' = h(RID_i || S) and M4' = h(RID_i || r_u' || Ksu_i' || T1 || RID_j' || M3).
4) The Server compares the computed M4' with M4. If they are equal, the message has not been modified.
6) The Server generates a random value r_s, calculates a temporary authentication credential and a new user private key, and saves the user's new private key.
8) The Server transmits the message queue MQ2 = {Mu5, M6, M7, M8, Mu51, T2} to the device.
After receiving the server's response message, the device checks the delay of the message, checks whether the message has been modified, and verifies that the source of the message is reliable. It then decrypts some of the key values. Because the device does not simply forward the server's message on to the user, the server includes in its message the user's updated information, which the device cannot compute itself; and to prevent some values from being inadvertently changed during the device's calculation, the server also includes a temporary value that allows it to be verified whether they have been changed. The specific steps are as follows:
1) After the device receives MQ2, it first verifies the message time. SD_j generates a current timestamp T3; if |T3 − T2| > ΔT, the authentication operation is not continued and the device discards the message MQ2.
3) The device computes M8' = h(Mu5 || h(ru' || rs')) and verifies whether M8 and M8' are equal, to determine whether the message has been altered.
5) The device computes SK = h(Mu9 || ru || h(rd || rs)) and M13 = h(SK || h(rd || rs) || T3), where SK is the negotiated session key.
6) The device transmits the message queue MQ3 to the user, MQ3 = {Mu51, M10, M11, M12, M13, T3}.
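Device step 5), together with the user's recomputation of SK' and M13' that follows it, as an added Python example written for this page (it is not the patent's code). The page gives the formulas SK = h(Mu9 || ru || h(rd || rs)) and M13 = h(SK || h(rd || rs) || T3) but not how h(rd || rs) reaches the user in M10, nor the hash function or the value of ΔT; the mask M10 = h(rd || rs) XOR h(ru || rs), SHA-1 as h(), integer-second timestamps and ΔT = 5 s are assumptions, and the inputs are constructed.

```python
"""Session-key derivation on the device SD_j and key confirmation by the user U_i.

Added example for this page, not the patent's code. Assumptions (not on the page):
h() is SHA-1, timestamps are integer seconds, DELTA_T = 5 s, and M10 carries
h(rd||rs) to the user as h(rd||rs) XOR h(ru||rs).
"""
import hashlib
import hmac

DELTA_T = 5  # assumed maximum transmission delay ΔT, in seconds


def h(*parts: bytes) -> bytes:
    """One-way hash with 160-bit output; joining the arguments is the '||' operation."""
    return hashlib.sha1(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tsb(t: int) -> bytes:
    return str(int(t)).encode()


def device_compute(mu9, ru, rs, rd, t3):
    """Device step 5: SK = h(Mu9||ru||h(rd||rs)), M13 = h(SK||h(rd||rs)||T3).
    Returns the device's SK and the MQ3 fields this example needs."""
    hrd_rs = h(rd, rs)
    sk = h(mu9, ru, hrd_rs)
    m13 = h(sk, hrd_rs, tsb(t3))
    m10 = xor(hrd_rs, h(ru, rs))        # assumed masking of h(rd||rs) for the user
    return sk, {"M10": m10, "M13": m13, "T3": t3}


def user_confirm(mq3, mu9_prime, ru, rs_prime, t4):
    """User side: freshness check, then SK' and M13' recomputed; SK' is accepted only on match."""
    if abs(t4 - mq3["T3"]) > DELTA_T:                 # |T4 - T3| > ΔT: discard MQ3
        return None, "stale timestamp"
    hrd_rs = xor(mq3["M10"], h(ru, rs_prime))         # h(rd||rs)' (assumed unmasking)
    sk = h(mu9_prime, ru, hrd_rs)                      # SK'  = h(Mu9'||ru||h(rd||rs)')
    m13 = h(sk, hrd_rs, tsb(mq3["T3"]))                # M13' = h(SK'||h(rd||rs)'||T3)
    if not hmac.compare_digest(m13, mq3["M13"]):      # altered in transit or inconsistent inputs
        return None, "M13 mismatch"
    return sk, "ok"


def demo():
    """Constructed values: ru, rs, rd are 160-bit random values, Mu9 the new-private-key message."""
    ru, rs, rd = h(b"ru"), h(b"rs"), h(b"rd")
    mu9 = h(b"Mu9")
    t3 = 1_700_000_000
    sk_dev, mq3 = device_compute(mu9, ru, rs, rd, t3)
    sk_user, ok = user_confirm(mq3, mu9, ru, rs, t3 + 1)
    _, wrong_rs = user_confirm(mq3, mu9, ru, h(b"other"), t3 + 1)   # user holds a wrong rs'
    flipped = dict(mq3, M13=xor(mq3["M13"], b"\x80" + bytes(19)))
    _, tampered = user_confirm(flipped, mu9, ru, rs, t3 + 1)
    _, stale = user_confirm(mq3, mu9, ru, rs, t3 + 3600)
    return {"sk_match": sk_dev == sk_user, "ok": ok, "wrong_rs": wrong_rs,
            "tampered": tampered, "stale": stale}
```

The M13 check does double duty: it detects a modified MQ3 and, because M13 is keyed with SK', it also detects the case where the user recovered a wrong rs' and would otherwise have derived a session key the device does not share.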
After receiving the device's message, the user computes the hidden message passed on from the server; once the device's message has been verified for time delay and correctness, the user updates the identity of the device and the user's private key. The specific steps are as follows:
1) After the user receives MQ3, the message time is first verified. U_i generates a current timestamp T4; if |T4 − T3| > ΔT, the authentication operation is not continued and the user discards the message MQ3.
3) The user checks whether Mu9' equals Mu9''; if they are not equal, the message has been modified and is discarded.
4) If the message verification is normal, the user computes SK' = h(Mu9' || ru || h(rd || rs)') and M13' = h(SK' || h(rd || rs)' || T3).
5) M13 and M13' are compared to check whether the calculation result is correct. If the check passes, SK' is accepted as the session key, and the user's private key is updated.
Step (3) system updating
To simplify user operation and reduce the load on the server, a legal user can update the password and biometric locally at any time. In a secure operating environment, the user U_i reads the smart card SC_i through a card reader and provides its own ID_i, old password PW_i^old and old biometric information. The specific steps are as follows:
2) The smart card verifies whether TPW_i^old equals TPW_i, which determines whether the following operations need to be carried out.
4) After U_i obtains the next instruction from SC_i, U_i inputs the new password PW_i^new and the new biometric information; the new values are then computed.
6) The smart card SC_i changes the Ksu_i; RID_i; SDList; TPW_i; τ_i stored in its memory to RID_i^new; SDList^new; TPW_i^new. At this point, the password and biometric update is complete. User U_i may update only the password or only the biometric, but periodic updates of both the password and the biometric are recommended for security and biometric accuracy.
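The local password and biometric update, together with the Gen(·)/Rep(·) fuzzy extractor it relies on and the login check TPW_i = h(ID_i || PW_i || σ_i) of claim 3, as an added Python example written for this page (not the patent's code). The page does not specify how the fuzzy extractor is built; the toy code-offset sketch below, which uses a 3-fold repetition code and tolerates one flipped bit per 3-bit block as its threshold t, is an assumption, as are SHA-1 as h() and the constructed biometric bit strings.

```python
"""Local password/biometric update on the smart card with a toy fuzzy extractor.

Added example for this page, not the patent's code. Assumptions (not on the page):
h() is SHA-1; Gen/Rep are a code-offset sketch over a 3-fold repetition code, so
Rep() recovers σ_i as long as at most one bit per 3-bit block of BIO_i has flipped.
"""
import hashlib
import hmac
import os
import random


def h(*parts: bytes) -> bytes:
    """One-way hash; joining the arguments is the '||' operation."""
    return hashlib.sha1(b"".join(parts)).digest()


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def gen(bio):
    """Gen(BIO) -> (σ, τ): random key bits w, τ = BIO XOR repeat3(w), σ = h(w)."""
    assert len(bio) % 3 == 0
    w = [b & 1 for b in os.urandom(len(bio) // 3)]       # fresh random key bits
    codeword = [bit for bit in w for _ in range(3)]       # 3-fold repetition code
    tau = [b ^ c for b, c in zip(bio, codeword)]          # public helper data τ
    return h(bits_to_bytes(w)), tau


def rep(bio_noisy, tau):
    """Rep(BIO', τ) -> σ: unmask with τ, majority-decode each 3-bit block."""
    c = [b ^ t for b, t in zip(bio_noisy, tau)]
    w = [1 if sum(c[i:i + 3]) >= 2 else 0 for i in range(0, len(c), 3)]
    return h(bits_to_bytes(w))


def enroll(id_i, pw, bio):
    """Registration (1.3): Gen(BIO_i) = (σ_i, τ_i); the card keeps TPW_i = h(ID_i||PW_i||σ_i) and τ_i."""
    sigma, tau = gen(bio)
    return {"TPW": h(id_i, pw, sigma), "tau": tau}


def local_update(card, id_i, pw_old, bio_old, pw_new, bio_new):
    """Steps 2), 4), 6): check TPW_i^old against the stored TPW_i, then store the new TPW_i and τ_i."""
    sigma_old = rep(bio_old, card["tau"])                         # Rep(BIO_i^old, τ_i)
    if not hmac.compare_digest(h(id_i, pw_old, sigma_old), card["TPW"]):
        return False                                              # rejected; card unchanged
    sigma_new, tau_new = gen(bio_new)                             # Gen(BIO_i^new)
    card["TPW"], card["tau"] = h(id_i, pw_new, sigma_new), tau_new
    return True


def demo():
    """Constructed 48-bit biometrics: a noisy but in-threshold copy, an over-threshold one, a new one."""
    rng = random.Random(2024)
    bio_old = [rng.randint(0, 1) for _ in range(48)]
    noisy = list(bio_old)
    for i in range(0, 48, 3):
        noisy[i] ^= 1                      # one flip per block: within threshold
    too_noisy = list(bio_old)
    too_noisy[0] ^= 1
    too_noisy[1] ^= 1                      # two flips in one block: beyond threshold
    bio_new = [rng.randint(0, 1) for _ in range(48)]
    card = enroll(b"ID_i", b"old-pw", bio_old)
    r = {}
    r["rep_within_threshold"] = rep(noisy, card["tau"]) == rep(bio_old, card["tau"])
    r["rep_over_threshold"] = rep(too_noisy, card["tau"]) == rep(bio_old, card["tau"])
    r["wrong_old_pw"] = local_update(card, b"ID_i", b"bad-pw", noisy, b"new-pw", bio_new)
    r["update_ok"] = local_update(card, b"ID_i", b"old-pw", noisy, b"new-pw", bio_new)
    r["old_pw_after"] = local_update(card, b"ID_i", b"old-pw", noisy, b"x", bio_new)
    r["new_pw_after"] = hmac.compare_digest(
        h(b"ID_i", b"new-pw", rep(bio_new, card["tau"])), card["TPW"])
    return r
```

Because the card stores only TPW_i and the helper data τ_i, neither the password nor the biometric key σ_i is recoverable from the card alone; the update therefore re-runs Gen() so that the new τ_i is tied to the new biometric and the old one stops working.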
To accommodate different Internet of Things devices, IoT devices from different manufacturers need to be registered on the Server. The Server uses a random secret value that it generates itself to encapsulate the unalterable identity of the SD, obtaining a pseudonym identifier different from those of the existing nodes. The Server then computes the private key of the IoT device using the private key S of the working area where the device is to be deployed, and stores the registration information in the memory of the new IoT device. The Server updates the device information in the device list of the area. The IoT device is deployed in the working area and the legal users in the area are informed that a new device has been deployed; the users update their device lists securely, and legal users can then communicate with the new device to obtain access control and services.
In practical application in a large-scale industrial environment, to ensure traceability of the specific implementation steps and to record operations, the industrial Server registers and records the legal users that participate in session communication and are authorized. For all registered executable users, the Server can modify their legality and revoke their execution authorization. The Server may re-encrypt and encapsulate the name of a revoked user using a direct long-term key; the encapsulated user ID is still stored as a record and certificate in the authorization list of the Internet of Things area. In the session key agreement phase, when the user sends the request message MQ1 = {RID_i, M1, M2, M3, M4, T1} to the Server, the Server verifies whether the user still holds legal authorization by searching the authorized user list. If the user has been revoked, the Server will not find the user's pseudonym information in the list, and the request sent by the revoked user receives no response.
Example:
The invention uses a hash function, bit operations and the fuzzy extraction and recovery functions; the specific computation steps are as follows:
The execution times of the symbols are defined as follows:
Th = 0.0001 ms: the execution time of one one-way hash operation.
Tf = 0.442 ms: the execution time of one fuzzy extractor recovery function operation.
During login, mutual authentication and key agreement, the invention exchanges 3 communication messages: MQ1 = {RID_i, M1, M2, M3, M4, T1}, MQ2 = {Mu5, M6, M7, M8, Mu51, T2} and MQ3 = {Mu51, M10, M11, M12, M13, T3}. These require (160+160+160+160+160+32) = 832 bits, (160+160+160+160+160+32) = 832 bits and (160+160+160+160+160+32) = 832 bits respectively.
Therefore, the total communication cost of this embodiment is 832 + 832 + 832 = 2496 bits.
Through the above analysis, the communication overhead shown in Table 2 is obtained.
TABLE 2 Communication overhead (bits) of the invention
Party | Overhead (bits) |
---|---|
User | 832 |
Device | 832 |
Server | 832 |
Total overhead | 2496 |
The communication cost of the invention mainly considers the communication steps used frequently in the key protocol phase, and the communication overhead of the scheme is calculated under uniform parameter assumptions: in a clock-synchronised scheme the timestamp is 32 bits in size; the identities of all users, devices and nodes are 160 bits; all generated random secret values are 160 bits; and the output of the commonly used hash function is consistently 160 bits.
Through the above analysis, the comparative results shown in Table 3 are obtained.
TABLE 3
Scheme | General procedure | Total overhead |
---|---|---|
The invention | 35Th + Tf | 0.4455 ms |
According to the embodiment and the analysis of the experimental results, the user's pseudonym is generated jointly by the user and the server and is updated in real time after each key negotiation, so the user's identity information is not leaked: anonymity, unlinkability and untraceability of the user are ensured and security is improved. The invention pre-distributes keys and uses multi-factor authentication, namely biometrics, a password and a smart card; the main cryptographic operations are bit operations and a hash function, which reduces the computation and communication overhead of the key agreement scheme.
Claims (9)
1. A multi-factor based industrial Internet of Things session key negotiation method, characterized by comprising the following steps: initialization, authentication, key agreement and system updating of the industrial Internet of Things system;
step (1), initialization of industrial Internet of things system
(1.1) Server initialization: generating a private key S for each Server and establishing a private key list through the biometric probability generating function Gen(·) and the deterministic recovery function Rep(·);
(1.2) device registration: the device provides its registration information to the Server while off-line, and the Server generates a random value r_j to compute the device pseudonym RID_j and the device private key Ksd_j, RID_j = h(ID_j || r_j), Ksd_j = h(RID_j || S), where h(·) is a one-way hash function, ID_j is the device identifier and || denotes the concatenation operation; the device identifier, the device pseudonym and the device private key are added to the device list SDList of the device's working area and stored by the Server;
(1.3) user registration: user U_i generates a random value r_i, computes the user pseudonym RID_i = h(ID_i || r_i) and sends the pseudonym RID_i to the Server; the Server checks the legality of the identity of user U_i and, if legal, computes the user private key Ksu_i = h(RID_i || S) using the private key S of the registration area; it sends the private key and the device list information of the area to the user; user U_i uses the fuzzy extraction probability generation function Gen(BIO_i) = (σ_i, τ_i) to obtain the biometric key σ_i and the public recovery parameter τ_i; user U_i sets the password PW_i; the smart card computes and stores (the user's digital signature TPW_i, the encrypted user private key Ksu_i, the encrypted user pseudonym RID_i, the encrypted device information list SDList, τ_i); σ_i and τ_i are respectively the biometric key and the public recovery parameter of user U_i;
step (2), authentication and key agreement process:
(2.1) user login: the user logs in and authenticates his identity with the aid of the smart card; user U_i inputs the identity ID_i and the password PW_i and uses τ_i and the fuzzy extraction deterministic recovery function Rep(·) to recover the user's biometric key σ_i within the threshold t; the smart card computes the user's digital signature to be verified TPW_i', compares TPW_i' with the stored TPW_i and thus verifies the user's identity;
(2.2) the user initiates a request: after the user passes verification, the smart card decrypts and computes the encrypted stored information, generates the current timestamp T1 and computes each encrypted message: the encrypted message M1 of the user's random value, the user's authentication message M2, the encrypted message M3 of the device pseudonym and the user's verifiable digital signature M4;
the user sends the session request queue MQ1 to the Server, MQ1 = {RID_i, M1, M2, M3, M4, T1};
(2.3) Server response to the request: after receiving the message queue MQ1, the Server first verifies the message time; if the verification passes, the Server computes M2' = h(Ksu_i || T1), verifies whether M2 and M2' are equal, and checks whether RID_i is legal; if the Server verifies that the message is legal, it computes the relevant parameters to be verified from the message queue in order, namely the user private key to be verified Ksu_i', the user random value to be verified ru', the device pseudonym to be verified RID_j' and the message to be verified M4'; if M4 equals M4', the message is proved not to have been modified; the Server then sends the new user pseudonym and updates the user information; the Server generates a random value rs, computes the temporary authentication credential and the new user private key, and saves the new user private key;
the Server computes the encrypted message Mu5 of the user's new private key, which the device needs to re-encrypt, the encrypted message M6 of the user's random value, the encrypted message M7 of the Server's random value, the Server's digital signature message M8, and the encrypted message Mu51 used to verify whether the user's private key has been tampered with; the Server transmits the message queue MQ2 to the device, MQ2 = {Mu5, M6, M7, M8, Mu51, T2}; T2 is the current timestamp;
(2.4) device authentication and calculation of session key:
after the device receives the message queue MQ2, it performs time verification with the current timestamp T3; after the verification passes, the device uses its private key to decrypt and compute in order the user random value to be verified ru' and the Server random value to be verified rs'; if the verification value M8 equals the message to be verified M8', the message is determined not to have been altered; the device SD_j then generates a random value rd and computes the encrypted message Mu9 of the new private key, which can be decrypted by the user, the negotiated session key SK computed by the device, the encrypted message M10 of the random values of the Server and the device, the Server's signature message M11 about the user's new private key, the encrypted message M12 of the Server's random value and the device's digital signature M13; the device transmits the message queue MQ3 to the user, MQ3 = {Mu51, M10, M11, M12, M13, T3};
(2.5) user authentication and calculating a secret key:
after the user receives MQ3, time verification is performed with the current timestamp T4; after the verification passes, the user computes in order the signature Mu9' decrypted by the user, the secret value to be verified rs' generated by the Server, the temporary authentication credential to be verified, the new user private key to be verified and the signature Mu9'' to be verified computed by the user; if Mu9' equals Mu9'', the user computes the encrypted value to be verified h(rd || rs)' of the random values, the session key to be verified SK' and the signature message to be verified M13'; if M13 equals M13', SK' is accepted as the session key, and the user's private key is updated;
step (3), updating of the industrial Internet of Things system, which in turn comprises user password and biometric updating, device updating and user revocation.
2. The multi-factor based industrial Internet of Things session key agreement method according to claim 1, wherein: when the Server in step (1) is initialized, a Server private key S of length 160 bits is first set for each Internet of Things working environment through Gen(·) and Rep(·), and a device information table and a user information table are established for each Internet of Things working environment;
3. The multi-factor based industrial Internet of Things session key agreement method according to claim 1, wherein: when the user logs in in step (2), the smart card computes the user's digital signature to be verified TPW_i' = h(ID_i || PW_i || σ_i), compares TPW_i' with the stored TPW_i, and if TPW_i' equals TPW_i the user's identity is verified;
when the user identity authentication in step (2) passes and a session request is initiated, the smart card computes the encrypted stored information,
the smart card then generates a random value r_i and the current timestamp T1; the smart card computes the following parameters:
M2 = h(Ksu_i || T1);
M4 = h(RID_i || ru || Ksu_i || T1 || RID_j || M3);
the user sends the request queue MQ1 to the Server, MQ1 = {RID_i, M1, M2, M3, M4, T1}.
4. The multi-factor based industrial internet of things session key agreement method according to claim 1, wherein: when the Server in the step (2) responds to the session request of the user, the specific process is as follows:
after receiving the message MQ1, the Server first verifies the message time; the Server generates the current timestamp T2, and if |T2 − T1| > ΔT the authentication operation is not performed and the Server discards the message MQ1; if the time verification passes the maximum transmission delay, the Server first uses its own information to compute the correct message M2' = h(Ksu_i || T1) for verifying M2, verifies whether M2 and M2' are equal and checks whether RID_i is legal, that is, whether the message source belongs to a legal user;
if the Server verifies the validity of the message, it uses the private key S of the area to which it belongs to compute from the message queue in order Ksu_i' = h(RID_i || S) and M4' = h(RID_i || ru' || Ksu_i' || T1 || RID_j' || M3);
the Server checks the computed M4' by comparing M4 with M4', and if they are equal the message is proved not to have been modified;
the Server then sends the new user pseudonym and updates the user information; the Server generates a random value rs, computes the temporary authentication credential and the new user private key, and saves the new user private key;
5. The multi-factor based industrial internet of things session key agreement method according to claim 1, wherein: the specific method for authenticating the device and calculating the session key in the step (2) comprises the following steps:
after the device receives the message MQ2 = {Mu5, M6, M7, M8, Mu51, T2}, the message time is first verified; SD_j generates the current timestamp T3, and if |T3 − T2| > ΔT the authentication operation is not continued and the device discards the message MQ2;
if the time verification passes, the device uses its private key to compute in order the random value to be verified ru' generated by the user and the random value to be verified rs' generated by the Server,
then it is verified whether the message to be verified M8' = h(Mu5 || h(ru' || rs')) equals the verification value M8, thereby determining whether the message was altered;
if it was not altered, the device SD_j generates a random value rd and computes, by means of the device's private key,
finally the device transmits the message queue MQ3 to the user, MQ3 = {Mu51, M10, M11, M12, M13, T3};
6. The multi-factor based industrial internet of things session key agreement method according to claim 1, wherein: the specific process of the user authentication and the session key calculation in the step (2) is as follows:
after the user receives MQ3, the message time is first verified; U_i generates the current timestamp T4, and if |T4 − T3| > ΔT the authentication operation is not continued and the user discards the message MQ3;
the user checks whether Mu9' equals Mu9''; if not, the message has been modified and the user discards the message;
if the verification message is normal, the user computes SK' = h(Mu9' || ru || h(rd || rs)') and M13' = h(SK' || h(rd || rs)' || T3);
7. The multi-factor based industrial internet of things session key agreement method according to claim 1, wherein: the specific process of updating the user password and the biological characteristics in the step (3) is as follows:
(3.1.1) user U_i reads the smart card SC_i through a card reader and provides its own ID_i, old password PW_i^old and old biometric information;
(3.1.3) the smart card verifies whether TPW_i^old equals TPW_i to determine whether the following operations need to be carried out;
(3.1.5) after user U_i obtains the next instruction from SC_i, U_i inputs the new password PW_i^new and the new biometric information, and computes
(3.1.7) the smart card SC_i changes the Ksu_i; RID_i; SDList; TPW_i; τ_i stored in its memory to RID_i^new; SDList^new; TPW_i^new; at this point, the password and biometric update is complete;
user UiThe password and biometric are updated periodically.
8. The multi-factor based industrial internet of things session key agreement method according to claim 1, wherein: the specific process of updating the equipment in the step (3) is as follows:
(3.2.1) Internet of Things devices from different manufacturers are registered on the Server; the Server uses a random secret value that it generates itself to encapsulate the unalterable identity of the SD, obtaining a pseudonym identifier different from those of the existing nodes;
(3.2.2) the Server computes the private key of the IoT device using the private key S of the working area in which the device is to be deployed; the Server stores the registration information in the memory of the new Internet of Things device and updates the device information in the device list of the area;
(3.2.3) the Internet of Things device is deployed in the working area, the legal users in the area are informed that a new device has been deployed, the users update their device lists securely, and the legal users can communicate with the new device to obtain access control and services.
9. The multi-factor based industrial internet of things session key agreement method according to claim 1, wherein: the specific method for user revocation in the step (3) is as follows:
(3.3.1) the industrial Server registers and records the legal users that participate in session communication and are authorized; for all registered executable users, the Server can modify their legality and revoke their execution authorization; the Server may re-encrypt and encapsulate the name of a revoked user using a direct long-term key, and the encapsulated user ID is still stored in the authorization list of the Internet of Things area as a record and certificate;
(3.3.2) in the session key agreement phase, when the user sends the request message MQ1 = {RID_i, M1, M2, M3, M4, T1} to the Server, the Server verifies whether the user still holds legal authorization by searching the authorized user list; if the user has been revoked, the Server will not find the user's pseudonym information in the list, and the request sent by the revoked user receives no response.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111621015.6A CN114070559B (en) | 2021-12-28 | 2021-12-28 | Industrial Internet of things session key negotiation method based on multiple factors |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114070559A true CN114070559A (en) | 2022-02-18 |
CN114070559B CN114070559B (en) | 2024-03-08 |
Family ID: 80230525
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111621015.6A Active CN114070559B (en) | 2021-12-28 | 2021-12-28 | Industrial Internet of things session key negotiation method based on multiple factors |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114070559B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20090074576A (en) * | 2008-01-02 | 2009-07-07 | 고려대학교 산학협력단 | Method and system for smart card based three party key exchange, and smart card and microprocessor used thereto |
CN103916267A (en) * | 2014-03-14 | 2014-07-09 | 兴唐通信科技有限公司 | Network space identity management system of three-layer structure |
CN106657124A (en) * | 2017-01-03 | 2017-05-10 | 宜春学院 | Pseudonym-based anonymous authentication and key negotiation optimization method and optimized authentication analysis method for Internet of Things |
CN111818039A (en) * | 2020-07-03 | 2020-10-23 | 西安电子科技大学 | Three-factor anonymous user authentication protocol method based on PUF in Internet of things |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114401153A (en) * | 2022-03-24 | 2022-04-26 | 科大天工智能装备技术(天津)有限公司 | Authentication method and system of intelligent well lid equipment |
CN114422106A (en) * | 2022-03-28 | 2022-04-29 | 科大天工智能装备技术(天津)有限公司 | Internet of things system security authentication method and system under multi-server environment |
CN115085945A (en) * | 2022-08-22 | 2022-09-20 | 北京科技大学 | Authentication method and device for intelligent lamp pole equipment |
CN115085945B (en) * | 2022-08-22 | 2022-11-29 | 北京科技大学 | Authentication method and device for intelligent lamp pole equipment |
CN117082514A (en) * | 2023-10-17 | 2023-11-17 | 奥鼎智通(北京)科技有限公司 | Device-to-device authentication method of 6G network |
CN117082514B (en) * | 2023-10-17 | 2024-01-23 | 奥鼎智通(北京)科技有限公司 | Device-to-device authentication method of 6G network |
Also Published As
Publication number | Publication date |
---|---|
CN114070559B (en) | 2024-03-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
GR01 | Patent grant | | |