CN116321147A - Zero trust-based multi-attribute terminal identity authentication method and system - Google Patents


Info

Publication number
CN116321147A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310081032.8A
Other languages
Chinese (zh)
Inventor
曹进
王昕怡
马如慧
李晖
尤伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA] > H04W 12/041 Key generation or derivation
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W 4/30 Services specially adapted for particular environments, situations or purposes > H04W 4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]


Abstract

The invention provides a zero trust-based multi-attribute terminal identity authentication method and system. In a registration stage, a cloud server registers each edge computing server and each vehicle terminal; in an edge authentication stage, the vehicle terminal is authenticated by an edge computing server and the two generate a session key for their session; in an unmanned aerial vehicle initialization stage, each edge server sends initialization information to the unmanned aerial vehicles it controls; in an emergency task scheduling stage, each edge computing server starts an application service response by selecting a target unmanned aerial vehicle according to the task emergency degree; and in the identity authentication stage between the terminal and the unmanned aerial vehicle, the unmanned aerial vehicle and the vehicle terminal verify each other and generate a temporary session key, which is then used for their session. The invention can ensure efficient, timely and safe network communication for the vehicle terminal under emergency conditions.

Description

Zero trust-based multi-attribute terminal identity authentication method and system
Technical Field
The invention belongs to the technical field of Internet of vehicles, and particularly relates to a zero trust-based multi-attribute terminal identity authentication method and system.
Background
With the development of communication technology and the growth of information demand, the sixth generation mobile communication system (6G) has attracted extensive attention and research in academia and industry. Compared with 5G, a 6G network can further improve transmission rate, reliability, connection density, spectrum efficiency and similar performance metrics so as to meet diversified and complex service requirements. For the vehicle-mounted ad hoc network, the mobile edge computing service of sixth-generation Internet of vehicles applications needs multidimensional and ubiquitous network coverage to carry out intensive computing tasks and data delivery, but the traditional cellular network was designed to serve a two-dimensional networking environment and therefore struggles to meet the interconnection requirements of 6G and of space-air-ground integrated networking. The unmanned aerial vehicle, with its high flexibility, powerful functions and low cost, can effectively promote the development of multidimensional wireless communication networks, provides an efficient wireless coverage scheme for the Internet of vehicles, and helps the vehicle-mounted self-organizing network grow into a multi-source, heterogeneous, cross-domain fusion network. For example, a drone may act as an aerial base station providing network coverage to ground vehicle terminals, or as a relay transferring data vehicle-to-vehicle or vehicle-to-server. In addition, unmanned aerial vehicles can cooperate to form a swarm and execute dangerous tasks such as target detection, disaster management and reconnaissance monitoring in remote areas.
For unmanned aerial vehicle networks, communication is typically task driven, and when performing complex tasks the unmanned aerial vehicles need to learn policies autonomously, covering the surrounding environment, data transmission and task execution. As 6G Internet of vehicles service demands and task environments become more complex, an edge server at a fixed position may be unable to grasp global information promptly and accurately, so the unmanned aerial vehicle must make its own resource decisions once a task is triggered; even without real-time control from a ground station, the unmanned aerial vehicle network should still guarantee the security and validity of communication.
Existing unmanned aerial vehicle communication network architectures can be divided into four types: instruction-preset, base-station-assisted, fully distributed and clustered networks. A fully distributed network has high performance requirements, is inconvenient to manage and does not facilitate task expansion. A clustered network suits scenes with fixed tasks and environments and has difficulty handling unmanned aerial vehicles joining or leaving at any time. A base-station-assisted communication network keeps the unmanned aerial vehicle connected to a ground edge computing server (MEC server) at all times, so as to provide real-time, multidimensional auxiliary service functions such as hot-spot coverage and aerial monitoring. An instruction-preset communication network loads instruction information into the unmanned aerial vehicle in advance, and the unmanned aerial vehicle executes tasks according to the preset instructions. Researchers have therefore used methods such as deep learning and game theory to derive the dense and sparse periods of traffic flow and processing strategies for common traffic emergencies, so that under normal conditions an airborne unmanned aerial vehicle can provide multidimensional, dense edge computing service to assist the Internet of vehicles, while under emergency conditions the MEC server issues tasks to the unmanned aerial vehicle, which derives a task implementation strategy from the preset instructions so as to handle the emergency promptly.
For example, under normal conditions, in order to prevent the vehicle terminal from being illegally hijacked, when an Unmanned Aerial Vehicle (UAV) observes that the vehicle terminal deviates from its planned route or is parked in a remote or unsafe place for a long time while driving, the UAV can request the monitoring video from the vehicle terminal, analyze and process the data nearby, and judge whether the terminal has been maliciously hijacked; if the in-vehicle situation is found abnormal, it immediately sends the video to the relevant department for an alarm or emergency response so as to ensure the safety of the terminal user. If the vehicle leaves the monitoring range of the MEC server (enters a network coverage blind area) or is maliciously fitted with a signal shielding device or the like, the MEC server may no longer observe the signal or position of the vehicle terminal; if the signal suddenly disappears and cannot be reconnected during normal driving, the vehicle is judged to be in a possibly abnormal state. The drone may therefore be scheduled to search, centered on the last place where the signal was present. After the vehicle terminal is found, the in-vehicle video is acquired to analyze whether the vehicle terminal is safe or needs emergency services. In this situation a dynamic unmanned aerial vehicle group can be scheduled to the area where the vehicle signal was last monitored, search by means of its field of view, acquire the in-vehicle video information, and analyze and process it. After finding the vehicle, the unmanned aerial vehicle equipped with the MEC Server can request access to the monitoring resources in the vehicle, and in order to ensure the security of the communication, mutual identity authentication between the vehicle terminal and the UAV must be completed before data transmission.
LEI et al. propose an authentication protocol for a lightweight unmanned aerial vehicle network based on the Chinese remainder theorem to achieve authentication between User Equipment (UE) and a UAV. The protocol has low computational overhead, but the authentication process requires assistance from a server, so the signaling overhead is large; furthermore, the authentication messages are not integrity protected and a key confirmation step is missing. In addition, the scheme performs the (i+1)-th round of identity authentication based on the key of the i-th round and the identity ID, and updates the key after authentication. If an attacker intercepts and tampers with a message, the session keys of the UAV and the UE lose synchronization, and the emergency service process in the Internet of vehicles cannot be supported. The unmanned aerial vehicle authentication scheme proposed by Mohammad et al. is based on hash and exclusive-OR operations, has a small computational cost and offers higher security than the scheme of LEI et al. However, it has the same problem as the scheme of LEI et al.: the authentication process needs the assistance of a server, the UE's authentication cannot be assisted remotely by the UAV, the scheme lacks a key confirmation process, and if the UE does not receive the key parameters for a long time, authentication fails.
Through the above analysis, the prior art has the following problems and drawbacks:
(1) The existing cellular network is mainly fixedly deployed by means of ground base stations, and cannot provide 3D and ubiquitous network coverage for the next generation (6G) Internet of vehicles application to realize intensive calculation tasks and data distribution.
(2) For the unmanned aerial vehicle group managed by the edge computing server, there is a possibility of being physically captured at the time of assisted scheduling, in which privacy information of the vehicle terminals is often stored. How to dynamically evaluate the trust index of the unmanned aerial vehicle according to the relevant process of the auxiliary service of the unmanned aerial vehicle, and to carry out dynamic unmanned aerial vehicle identity authentication management based on the trust index, the prior art lacks a corresponding solution.
(3) The prior art lacks analysis and processing of the connection status of the vehicle terminals (e.g. a long disconnection), and it is unclear how to autonomously define the urgency and security level of the services required by the vehicle terminals.
(4) The prior art lacks a solution for a situation in which a vehicle terminal is illegally hijacked. A server that is disposed only depending on a fixed location manages the safety of the vehicle terminal only in a normal communication situation, and in a special situation (for example, the vehicle terminal enters a network coverage blind area or is maliciously equipped with a signal shield), a countermeasure for detecting the safety of the vehicle is lacking.
(5) For unmanned aerial vehicles with weak computing and storage capacity, the authentication schemes in the existing Internet of vehicles involve many entities and much signaling in the authentication process, and the real-time performance of the unmanned aerial vehicle is difficult to ensure when such a scheme is applied directly to the vehicle terminal-unmanned aerial vehicle link.
Aiming at emergency situations in the Internet of vehicles scenario, such as the vehicle terminal being hijacked or losing its connection, it is necessary to provide a dynamic unmanned aerial vehicle-assisted V2X scenario, so that 3D and ubiquitous network coverage is provided for the edge computing service of next-generation V2X to carry out intensive computing tasks and data delivery. Given the low computing capacity, low storage capacity, high power consumption and easy physical capture of the unmanned aerial vehicle, the vehicle terminal-unmanned aerial vehicle authentication protocol must not only meet the requirements of timeliness, reliability and efficiency, but also be designed with lightweight cryptographic algorithms, reducing the computational cost of the protocol on the premise of guaranteeing its security, realizing bidirectional identity authentication and key negotiation between the unmanned aerial vehicle and the vehicle terminal in edge computing, and transmitting in-vehicle data under the negotiated key for analyzing the safety of the vehicle terminal. In addition, the potential safety hazards in the unmanned aerial vehicle dispatching process and the credibility of the vehicle terminal after disconnection must be considered, so a mechanism is needed to dynamically evaluate the trust values of the vehicle terminal and the unmanned aerial vehicle throughout the service process and, based on these trust values, to dynamically realize unmanned aerial vehicle dispatch selection and identity authentication of the two parties.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a zero trust-based multi-attribute terminal identity authentication method and system. The technical problems to be solved by the invention are addressed by the following technical scheme:
The invention provides a zero-trust-based multi-attribute terminal identity authentication method, which is applied to a zero-trust-based multi-attribute terminal identity authentication system, wherein an edge computing server and a cloud server of the system are respectively in communication with a plurality of unmanned aerial vehicles and a plurality of vehicle terminals, and the zero-trust-based multi-attribute terminal identity authentication method comprises the following steps:
in a registration stage, each edge computing server and each vehicle terminal send a registration request to the cloud server, and the cloud server returns first registration information for each edge computing server and second registration information for the vehicle terminal;
in an edge authentication stage, the vehicle terminal sends an access authentication request to an edge computing server; the edge computing server authenticates the vehicle terminal by combining the information carried by the access authentication request with its own information, and negotiates with the vehicle terminal the session key for the session between the two parties;
in an unmanned aerial vehicle initialization stage, each edge server sends unmanned aerial vehicle initialization information to the unmanned aerial vehicles it controls;
in an emergency task scheduling stage, each edge computing server determines the task emergency degree according to the connection state of the vehicle terminal, selects, when the task emergency degree meets the requirement, a target unmanned aerial vehicle with sufficient resources and the highest trust value from the unmanned aerial vehicle list it maintains, and issues a service scheduling request to the target unmanned aerial vehicle so as to start the application service response; the target unmanned aerial vehicle verifies whether the service scheduling request is legitimate and, if so, obtains the authentication parameters for assisting the vehicle terminal and generates a responsive safety detection identifier;
in the identity authentication stage between the terminal and the unmanned aerial vehicle, the unmanned aerial vehicle completes the authentication of the vehicle terminal using the session key negotiated with the vehicle terminal in the edge authentication stage, the authentication parameters for assisting the vehicle terminal and the responsive safety detection identifier, and negotiates a temporary session key using a Chebyshev chaotic map algorithm, so that communication with the vehicle terminal is established under the temporary session key.
The invention provides a zero-trust-based multi-attribute terminal identity authentication system which is used for realizing a zero-trust-based multi-attribute terminal identity authentication method.
The invention has the beneficial effects that:
1. Aiming at the vehicle emergency scenario in intelligent traffic, the invention designs a rapid authentication scheme under a zero trust architecture for the unmanned aerial vehicle-vehicle terminal link, avoids relying on the MEC (mobile edge computing) server-assisted authentication method used before disconnection, and effectively reduces signaling overhead; being based on a hash algorithm, it avoids algorithms with larger computational cost such as point multiplication and bilinear pairing, effectively reducing computational cost, so that timeliness and efficiency of emergency network service are ensured.
2. The invention provides a multi-attribute mutual identity authentication mechanism based on a zero trust architecture, which manages application services by security level and, on the basis of static identification (the session key SK and the attribute set constructed before disconnection) and dynamic identification (the security detection identifier C and the disconnection duration T_Δ generated after disconnection), realizes quick identity authentication and key negotiation between the unmanned aerial vehicle and the vehicle terminal in an emergency.
3. The invention provides a continuous trust evaluation mechanism based on a zero trust architecture, which dynamically evaluates the trust value of a vehicle terminal through its historical service requests, its connection state and its attribute set {V}, and dynamically evaluates the trust value of the unmanned aerial vehicle through the data access list it maintains and the comparison of its historical auxiliary service response duration and resource consumption with expected values. The emergency service of the vehicle terminal is matched and the unmanned aerial vehicle to which the task is issued is selected through a feedback mechanism combining the trust value, the security level of the application service and the emergency degree analysis, so that emergency incidents in intelligent traffic can be dealt with.
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Drawings
Fig. 1 is a flowchart of a vehicle terminal identity authentication method in a UAV-assisted edge computing scenario provided by an embodiment of the present invention;
Fig. 2 is a model diagram of a vehicle terminal identity authentication system in a UAV-assisted edge computing scenario provided by an embodiment of the present invention;
Fig. 3 is a diagram of a multi-attribute mutual identity authentication model based on a zero trust architecture provided by an embodiment of the present invention;
Fig. 4 is a diagram of a dynamic authentication mechanism model based on trust evaluation values provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the registration process of a vehicle terminal and an edge computing server according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the initialization and task scheduling process of an unmanned aerial vehicle according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the identity authentication process between a vehicle terminal and a UAV according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to specific examples, but embodiments of the present invention are not limited thereto.
The technical scheme adopted by the invention is as follows: a zero trust-based multi-attribute terminal identity authentication method and system, in which the terminal identity authentication and key agreement method imitates the 5G AKA mechanism; adopts a terminal offline registration mechanism; is based on the idea of a zero trust architecture and continuous trust evaluation; realizes fast authentication between the terminal and the unmanned aerial vehicle based on the session key negotiated in the access authentication stage; derives the session key between the terminal and the unmanned aerial vehicle based on a Chebyshev chaotic map algorithm; and realizes key update during unmanned aerial vehicle assistance based on a one-way hash algorithm, so that the anonymity and privacy of the terminal and the unmanned aerial vehicle are ensured. The invention reduces bandwidth and computational overhead while realizing vehicle terminal identity authentication in the unmanned aerial vehicle-assisted edge computing scenario, avoids having to realize the bidirectional authentication of the terminal and the unmanned aerial vehicle through server assistance in the emergency dispatch stage, and overcomes the inflexibility of a service network caused by deploying the server at a fixed position; meanwhile, the security of data transmission and the confidentiality of user privacy can be guaranteed.
The significance of solving the prior art problems is as follows: based on the key negotiated in the access authentication process between the vehicle terminal and the edge computing server, an authentication protocol between the unmanned aerial vehicle and the vehicle terminal for emergency situations is constructed using a lightweight Chebyshev chaotic map algorithm, and, following the security principle of 'never trust, always verify' and a zero trust multi-attribute concept, an access control policy is computed in real time with identity as the basis of access control. The key technologies of vehicle terminal registration, MEC Server registration, vehicle terminal access authentication, unmanned aerial vehicle initialization, static authentication, service scheduling and unmanned aerial vehicle-vehicle terminal dynamic identity authentication are completed, so that a UAV can be deployed in an intelligent traffic system to provide auxiliary edge computing service, enabling rapid data processing and decision issuing, flexible on-demand and timely emergency services, flexible monitoring of road blind areas, reduced road monitoring cost, and the construction and development of safe, efficient and stable road traffic.
The technical terms involved in the scheme of the invention have the following meanings:
UAV: unmanned aerial vehicle (drone); V: vehicle terminal; MEC Server: edge computing server; RC: registry. The technical scheme of the invention is described in detail below with reference to the accompanying drawings.
The invention provides a zero-trust-based multi-attribute terminal identity authentication method which is applied to a zero-trust-based multi-attribute terminal identity authentication system, wherein an edge computing server and a cloud server of the zero-trust-based multi-attribute terminal identity authentication system are respectively in communication with a plurality of unmanned aerial vehicles and a plurality of vehicle terminals.
As shown in Fig. 1, the zero trust-based multi-attribute terminal identity authentication method of the present invention includes:
in a registration stage, each edge computing server and a vehicle terminal send a registration request to the cloud server, and the cloud server returns first registration information of each edge computing server and second registration information of the vehicle terminal;
in an edge authentication stage, the vehicle terminal sends an access authentication request to an edge computing server; the edge computing server authenticates the vehicle terminal by combining the information carried by the access authentication request with its own information, and negotiates with the vehicle terminal the session key for the session between the two parties;
in an unmanned aerial vehicle initialization stage, each edge server sends unmanned aerial vehicle initialization information to the unmanned aerial vehicles it controls;
in an emergency task scheduling stage, each edge computing server determines the task emergency degree according to the connection state of the vehicle terminal, selects, when the task emergency degree meets the requirement, a target unmanned aerial vehicle with sufficient resources and the highest trust value from the unmanned aerial vehicle list it maintains, and issues a service scheduling request to the target unmanned aerial vehicle so as to start the application service response; the target unmanned aerial vehicle verifies whether the service scheduling request is legitimate and, if so, obtains the authentication parameters for assisting the vehicle terminal and generates a responsive safety detection identifier;
in the identity authentication stage between the terminal and the unmanned aerial vehicle, the unmanned aerial vehicle completes the authentication of the vehicle terminal using the session key negotiated with the vehicle terminal in the edge authentication stage, the authentication parameters for assisting the vehicle terminal and the responsive safety detection identifier, and negotiates a temporary session key using a Chebyshev chaotic map algorithm, so that communication with the vehicle terminal is established under the temporary session key.
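The terminal-UAV stage above names a Chebyshev chaotic map for the temporary key but gives no detail. The following is an added example, not the patent's own code, of how that stage can be put together: each side keeps a secret exponent, exchanges T_secret(x) mod p protected by an HMAC under the edge-stage session key SK (so only a peer holding SK passes), and both derive the same temporary key from T_ab(x). The message layout, the prime p, the seed x and the key derivation are all assumptions of this example.

```python
"""Chebyshev chaotic-map key agreement between a UAV and a vehicle terminal V.

Added example; not the patent's own code.  The patent only names the
Chebyshev chaotic map; the message layout, the HMAC over the edge-stage
session key SK, the key derivation and all sample values are assumptions.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1        # constructed public prime modulus (assumption)
SEED_X = 0x3A5F1C9E   # constructed public seed x of the chaotic map (assumption)


def chebyshev(n: int, x: int, p: int = P) -> int:
    """Return T_n(x) mod p, the n-th Chebyshev polynomial evaluated at x.

    The recurrence T_k = 2x*T_{k-1} - T_{k-2} is run as a 2x2 matrix power so
    that the secret exponent n may be large.  The semigroup law
    T_a(T_b(x)) = T_{ab}(x) = T_b(T_a(x)) is what lets both sides agree.
    """
    if n == 0:
        return 1

    def mul(a, b):
        return [
            [(a[0][0] * b[0][0] + a[0][1] * b[1][0]) % p,
             (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % p],
            [(a[1][0] * b[0][0] + a[1][1] * b[1][0]) % p,
             (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % p],
        ]

    result = [[1, 0], [0, 1]]
    base = [[(2 * x) % p, p - 1], [1, 0]]   # M = [[2x, -1], [1, 0]] mod p
    e = n - 1
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    # (T_n, T_{n-1}) = M^(n-1) * (T_1, T_0) with T_1 = x and T_0 = 1
    return (result[0][0] * x + result[0][1]) % p


def _tag(sk: bytes, body: bytes) -> bytes:
    """Integrity tag over a protocol message, keyed with the edge-stage SK."""
    return hmac.new(sk, body, hashlib.sha256).digest()


def _derive_tsk(sk: bytes, c: bytes, shared: int) -> bytes:
    """Temporary session key = H(SK || C || T_ab(x)); the layout is an assumption."""
    return hashlib.sha256(sk + b"|" + c + b"|" + shared.to_bytes(16, "big")).digest()


class Party:
    """Either endpoint; both already hold SK from the edge authentication stage."""

    def __init__(self, ident: bytes, sk: bytes):
        self.ident = ident
        self.sk = sk
        self.secret = secrets.randbelow(P - 3) + 2       # private exponent a (or b)
        self.public = chebyshev(self.secret, SEED_X)     # T_a(x), sent in the clear

    def build(self, c: bytes) -> tuple:
        """Message: ident || C || T_secret(x), with an HMAC under SK."""
        body = b"|".join([self.ident, c, hex(self.public).encode()])
        return body, _tag(self.sk, body)

    def accept(self, body: bytes, tag: bytes) -> tuple:
        """Check the peer's tag (proves it holds SK), then derive the temporary key."""
        if not hmac.compare_digest(_tag(self.sk, body), tag):
            raise ValueError("authentication failed: tag not valid under SK")
        _peer, c, peer_pub = body.split(b"|")
        shared = chebyshev(self.secret, int(peer_pub, 16))   # T_mine(T_peer(x)) = T_ab(x)
        return c, _derive_tsk(self.sk, c, shared)


def run_exchange(tamper: bool = False) -> tuple:
    """One full round UAV -> V -> UAV; returns (tsk_uav, tsk_v).  Values are constructed."""
    sk = hashlib.sha256(b"SK agreed with the MEC server in the edge stage").digest()
    c = b"C-" + secrets.token_hex(4).encode()     # safety detection identifier from the UAV
    uav, vehicle = Party(b"UAV-07", sk), Party(b"PID-V-3f2a", sk)

    body1, tag1 = uav.build(c)                     # msg 1: UAV -> V
    if tamper:                                     # a party without SK cannot re-tag
        tag1 = bytes([tag1[0] ^ 1]) + tag1[1:]
    c_seen, tsk_v = vehicle.accept(body1, tag1)   # V authenticates the UAV, derives key
    body2, tag2 = vehicle.build(c_seen)            # msg 2: V -> UAV, echoing C
    _, tsk_uav = uav.accept(body2, tag2)           # UAV authenticates V, derives key
    return tsk_uav, tsk_v


if __name__ == "__main__":
    k1, k2 = run_exchange()
    print("keys match:", k1 == k2, "tsk =", k1.hex()[:16], "...")
```

A modified tag is rejected before any key is derived, which is the key-confirmation and integrity property the background section finds missing in the earlier schemes.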
The vehicle terminal identity authentication system model in the unmanned aerial vehicle-assisted edge computing scenario is shown in Fig. 2. The MEC Server maintains a UAV list; the initialization process (shown in Fig. 6) generates system parameters for the UAVs, which are used for data interaction and task issuing between the MEC Server and the UAVs. The session key generated in the access authentication process between the MEC Server and V (shown in Fig. 5) supports the edge computing service under the V2X network, and an abnormal disconnection table is maintained in V for subsequent restoration of the connection or subsequent security verification of V. The MEC Server should maintain multiple UAVs, including static UAVs as well as dynamic UAVs. All UAVs in the flight domain are responsible for direct or indirect edge computing auxiliary service for the vehicle terminals in the domain, so as to ensure the safety and order of daily traffic. In an emergency, the MEC Server assigns an application service task to a UAV according to the vehicle monitoring situation and provides the security level, emergency degree, route plan and expected auxiliary service duration of the task, so that the UAV can finish the service within a safe time even when far away from the MEC Server. Because the object of the auxiliary service is the vehicle terminal, mutual identity authentication must be completed before the service, whether for signaling interaction or data transmission.
As shown in Fig. 3, the vehicle terminal V should construct its attribute set {V}, which contains at least an ID, appearance features, personalized identification points and a real-time connection state. In order to ensure the anonymity of the vehicle terminal, a pseudo identity identifier is used when constructing the attribute set; the appearance features are fixed characteristics of the vehicle terminal such as vehicle type and color; the personalized identification points include long-term loss, personalized appearance decoration and the like, which can be photographed, uploaded to the edge computing server and converted into fixed personalized identifiers by deep learning; the real-time connection state records whether the connection between the current V and the MEC server or UAV is normal, and covers the normal connection, normal disconnection and abnormal disconnection states. The services provided by the MEC server are divided by application security level. For example, the primary service is normal service, including basic intelligent traffic services such as route planning and real-time road condition notification, and can be provided once V has completed access authentication. Secondary services concern privacy and property, such as in-car video analysis and vehicle positioning, and can be started with the user's consent. The third-level service is emergency service, including emergency assisted driving, video data analysis during abnormal disconnection and the like. Because these services require very low-latency decisions and responses in emergency situations, the MEC server can provide emergency services to users directly on the basis of its own decision.
When delivering the emergency assistance service, the UAV does not keep standing trust with V; instead it realises mutual identity authentication and security assistance under the zero-trust principles of never trust, always verify and continuous dynamic trust evaluation. The dynamic authentication process between the UAV and V based on zero-trust evaluation has two parts. The first is authentication of the terminal vehicle V, which uses two authentication factors: first, the existing static authentication parameters, namely the session key between V and the MEC and the security detection identifier; second, the dynamic parameters, continuously updated from the attribute set {V} and the connection state. The more factors go into the personalized parameters of the attribute set {V}, the higher their security level; the connection state is the disconnection time, or the disconnection duration recorded at an abnormal disconnection, and the longer the disconnection, the lower the security level. The second part is V's authentication of the UAV in the emergency service, which relies on the static authentication parameters contained in the MEC server's task assignment to the UAV, guaranteeing the legitimacy and timeliness of the service. After the service completes, the MEC Server continuously evaluates the UAV's trust from the data access list the UAV maintains and from its request response times. The result of this continuous trust evaluation feeds back into the MEC Server's authentication of the UAV's identity and security state and into its assessment of the UAV's security trust level.
As shown in Fig. 4, the dynamic authentication mechanism model based on trust evaluation values provided by the embodiment has two parts. For V, the change of the terminal's connection state is the main factor in evaluating its trust value, supplemented by analysis of the terminal's service requests and attribute values; for a UAV, the data access list it maintains, its request response time and its resource consumption are the main factors. The more abnormal disconnections in the terminal's connection state, the lower its trust index; a terminal that requests unauthorized services or requests other data has its trust index reduced accordingly; and since updating the terminal's attribute set {V} raises its security level, the more personalized the attribute values, the higher the trust index should be. When V's trust index falls below the lowest threshold, the MEC-S or the UAV can obtain emergency permission directly and provide emergency measures and responses. For all UAVs maintained by the MEC, the trust index is determined from the data access list; for dynamic UAVs, the legitimacy and effectiveness of the external service is additionally analysed from its expected duration, response duration and resource consumption, and the UAV's trust index is updated dynamically.
Based on the trust index values of V and the UAV, the MEC-S matches service and security indices according to the application service management strategy, and can quickly assign tasks and issue security parameters in an emergency, so as to handle the vehicle terminal's emergency.
The registration procedure of the present invention is described below.
In the registration phase, the registration process of each edge computing server is:
(1) The j-th edge computing server MEC Server_j sends a registration request message to the registration center RC deployed on the cloud server; the message contains the unique identity ID_Vj of MEC Server_j.
(2) On receiving the registration request message, RC checks whether ID_Vj already exists. If so, it requires MEC Server_j to send a new identity; otherwise it selects a random number S_j and a master key K_Vj for MEC Server_j and computes the initial Chebyshev chaotic map value
Figure BDA0004067522920000101
and sends the registration response message to MEC Server_j.
The registration response message contains the master key K_Vj, the initial Chebyshev chaotic map value
Figure BDA0004067522920000102
and the parameter (ID_Vj || S_j);
Figure BDA0004067522920000103
is the public parameter of MEC Server_j.
(3) MEC Server_j stores the registration response message and publishes
Figure BDA0004067522920000104
as a public parameter; RC stores {ID_Vj, K_Vj}.
In the registration phase, the registration process of each vehicle terminal is:
(1) The i-th vehicle terminal V_i sends a registration request message containing its unique identity ID_Oi to the registration center RC deployed on the cloud server.
(2) On receiving the registration request message, RC checks the legitimate-identity list and the malicious-identity list to determine whether the identity already exists. If so, it requires V_i to send a new identity; otherwise RC selects a random number O_i and a master key K_Oi for V_i and computes the initial Chebyshev chaotic map value
Figure BDA0004067522920000105
and the pseudo-identity SID_i = H(ID_Oi || O_i), and sends the registration response message
Figure BDA0004067522920000106
to V_i.
(3) V_i stores
Figure BDA0004067522920000107
and RC stores, for each V_i, the corresponding
Figure BDA0004067522920000111
Referring to Fig. 6, in the initialization stage each edge computing server sends initialization information to the UAVs it controls as follows:
(1) The j-th edge computing server MEC Server_j generates a random number U_i for the k-th UAV, UAV_k, as the identity of UAV_k; from U_i it computes the secret value r_k = H(S_j, U_i) and the initial Chebyshev chaotic map value
Figure BDA0004067522920000112
and sends the initialization information
Figure BDA0004067522920000113
to UAV_k over a secure channel.
(2) UAV_k stores the initialization information
Figure BDA0004067522920000114
in local memory, where r_k is the shared key between UAV_k and MEC Server_j for their information interaction, and
Figure BDA0004067522920000115
is the authentication parameter used for identity authentication with the vehicle terminal during dynamic UAV dispatch.
Referring to Fig. 6, in the emergency task scheduling stage each edge computing server determines the task urgency from the connection state of the vehicle terminal; when the urgency meets the requirement, it selects from the UAV list it maintains the target UAV with sufficient resources and the highest trust value, and issues a service scheduling request to that UAV to start the application service response. The process is:
(1) The j-th edge computing server MEC Server_j evaluates the security level and urgency of its application service from the connection state of the vehicle terminal, and at urgency level three actively initiates an application service response for the vehicle terminal.
The application service response proceeds as follows: estimate, by deep learning, the expected service response time and the resource consumption of the outsourced task; select, from the UAV list maintained by the edge computing server, the target UAV with sufficient resources and the highest trust value according to the expected response time and resource consumption; and issue the service scheduling request <T_s1, M, MAC_1> to the target UAV,
where T_s1 is the timestamp at which MEC Server_j identified the abnormal condition of the vehicle terminal;
Figure BDA0004067522920000116
is the scheduling ciphertext generated with the symmetric encryption algorithm and the symmetric key; and MAC_1 = H(T_s1, M).
In the emergency task scheduling stage, the target UAV verifies whether the service scheduling request is legitimate and, if so, obtains the authentication parameters for assisting the vehicle terminal and generates the security detection identifier for the response, as follows:
(2) On receiving the service scheduling request, the UAV verifies the validity of the timestamp and of the request, generates a service confirmation message and the corresponding security detection identifier, and sends the service confirmation message to the edge computing server for key confirmation. Specifically:
① On receiving the service scheduling request, UAV_k first verifies the validity of the timestamp: the request is valid if and only if T_cur1 − T_s1 ≤ ΔT, where ΔT is the maximum time interval allowed by the system and T_cur1 is the timestamp UAV_k generates on receiving the request;
② UAV_k decrypts the ciphertext M with the symmetric encryption/decryption algorithm and the symmetric key to obtain <T_s1, {V}, SK_ij>;
③ UAV_k computes MAC_1' = H(T_s1, M); the integrity of the service scheduling request is verified if and only if MAC_1' = MAC_1;
④ UAV_k computes the security detection identifier
Figure BDA0004067522920000121
⑤ UAV_k generates the current timestamp T_s2;
⑥ UAV_k computes MAC_2 = H(T_s2, C_jk) and sends the service confirmation response message <T_s2, MAC_2> to MEC Server_j for key confirmation.
(3) On receiving the service confirmation message, the j-th edge computing server MEC Server_j verifies the validity of the timestamp and generates the corresponding security detection identifier to verify the validity of the service confirmation message:
① On receiving the service confirmation message, MEC Server_j verifies the validity of the timestamp: the message is valid if and only if T_cur2 − T_s2 ≤ ΔT;
② MEC Server_j computes the security detection identifier C_jk' = H(SID_i, ID_Vj);
③ MEC Server_j computes MAC_2' = H(T_s2, C_jk'); if and only if MAC_2' = MAC_2, MEC Server_j confirms that UAV_k received the scheduling service request and generated the responding security detection identifier C_jk.
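The scheduling exchange above, as an added Python example that is not part of the patent: MEC Server_j builds <T_s1, M, MAC_1>, UAV_k runs steps ① to ⑥, and MEC Server_j checks <T_s2, MAC_2>. Everything the patent leaves open is an assumption here and is marked in the code: H is SHA-256, the symmetric cipher is a SHA-256 keystream XOR stand-in keyed with r_k, ΔT is 5 seconds, and the plaintext of M is laid out as T_s1 (8 bytes) || SK_ij (32 bytes) || {V}, with {V} beginning with the 32-byte SID_i. One check beyond the text is added and labelled as such: the T_s1 recovered from M is compared with the clear T_s1. It is there because MAC_1 = H(T_s1, M) is an unkeyed hash, so an on-path attacker can alter M and recompute MAC_1; the tamper_and_rehash helper shows that such a forgery passes step ③ unless the altered bytes happen to hit the encrypted timestamp. A keyed MAC under r_k (for example HMAC-SHA256 over T_s1 || M) would close that gap.

```python
import hashlib
import hmac

DELTA_T = 5   # ΔT, the maximum transmission delay the system tolerates, in seconds (assumed value)


def H(*parts: bytes) -> bytes:
    """The hash H(.) of the scheme; SHA-256 is assumed, the patent does not fix the function."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for the unspecified symmetric cipher: SHA-256 keystream XOR (illustration only)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


def mec_schedule_request(r_k: bytes, t_s1: int, attrs_v: bytes, sk_ij: bytes) -> tuple:
    """MEC Server_j -> UAV_k: <T_s1, M, MAC_1> with M = Enc_{r_k}(T_s1 || {V} || SK_ij).
    Encoding assumed here: SK_ij is 32 bytes and {V} = SID_i (32 bytes) || other attribute bytes."""
    m = xor_stream(r_k, ts(t_s1) + sk_ij + attrs_v)
    mac1 = H(ts(t_s1), m)                                         # MAC_1 = H(T_s1, M), unkeyed as specified
    return t_s1, m, mac1


def uav_handle_schedule(r_k: bytes, id_vj: bytes, request: tuple, t_cur1: int) -> dict:
    """UAV_k steps ① to ⑥; returns SK_ij, {V}, C_jk and the confirmation <T_s2, MAC_2>."""
    t_s1, m, mac1 = request
    if t_cur1 - t_s1 > DELTA_T:                                   # ① T_cur1 - T_s1 <= ΔT
        raise ValueError("service scheduling request expired")
    plain = xor_stream(r_k, m)                                    # ② recover <T_s1, {V}, SK_ij>
    t_s1_inner, sk_ij, attrs_v = int.from_bytes(plain[:8], "big"), plain[8:40], plain[40:]
    if not hmac.compare_digest(H(ts(t_s1), m), mac1):             # ③ MAC_1' == MAC_1
        raise ValueError("MAC_1 mismatch")
    if t_s1_inner != t_s1:                                        # added check: bind the clear T_s1 to the encrypted copy
        raise ValueError("timestamp inside M does not match T_s1")
    sid_i = attrs_v[:32]                                          # the pseudo-identity carried in {V}
    c_jk = H(sid_i, id_vj)                                        # ④ C_jk = H(SID_i, ID_Vj)
    t_s2 = t_cur1                                                 # ⑤ current timestamp
    mac2 = H(ts(t_s2), c_jk)                                      # ⑥ MAC_2 = H(T_s2, C_jk)
    return {"sk_ij": sk_ij, "attrs": attrs_v, "c_jk": c_jk, "confirm": (t_s2, mac2)}


def mec_handle_confirm(sid_i: bytes, id_vj: bytes, confirm: tuple, t_cur2: int) -> bool:
    """MEC Server_j steps ① to ③ on <T_s2, MAC_2>."""
    t_s2, mac2 = confirm
    if t_cur2 - t_s2 > DELTA_T:                                   # ① T_cur2 - T_s2 <= ΔT
        return False
    c_jk = H(sid_i, id_vj)                                        # ② C_jk' = H(SID_i, ID_Vj)
    return hmac.compare_digest(H(ts(t_s2), c_jk), mac2)           # ③ MAC_2' == MAC_2


def tamper_and_rehash(request: tuple, offset: int) -> tuple:
    """What an on-path attacker can do to <T_s1, M, MAC_1>: flip one ciphertext byte and recompute H(T_s1, M)."""
    t_s1, m, _ = request
    m2 = bytearray(m)
    m2[offset] ^= 0x01
    return t_s1, bytes(m2), H(ts(t_s1), bytes(m2))


if __name__ == "__main__":
    # constructed sample values, not taken from the patent
    r_k = H(b"S_j", b"U_i")                                       # r_k = H(S_j, U_i) from UAV initialization
    sid_i = H(b"ID_Oi", b"O_i")                                   # SID_i = H(ID_Oi || O_i) from vehicle registration
    attrs_v = sid_i + b"type=sedan;color=red;state=abnormal_disconnect"
    req = mec_schedule_request(r_k, 1_700_000_000, attrs_v, bytes(32))
    out = uav_handle_schedule(r_k, b"ID_Vj", req, 1_700_000_002)
    print("MEC Server_j accepts <T_s2, MAC_2>:", mec_handle_confirm(sid_i, b"ID_Vj", out["confirm"], 1_700_000_003))
```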
As shown in Fig. 7, in the identity authentication stage between the terminal and the UAV, the UAV authenticates the vehicle terminal using the session key the terminal negotiated in the edge authentication stage, the authentication parameters for assisting the vehicle terminal and the responding security detection identifier, negotiates a new session key with the Chebyshev chaotic map algorithm, and then communicates with the vehicle terminal under that new key. The process is:
(1) When UAV_k locates the vehicle terminal V_i, it performs the following:
① generates a timestamp T_s3;
② uses the symmetric encryption algorithm and the session key SK_ij to generate the ciphertext
Figure BDA0004067522920000131
③ computes
Figure BDA0004067522920000132
where T_Δ = T_s3 − T_s1;
④ UAV_k sends the identity authentication request message <T_s3, M_1, MAC_3> to V_i.
(2) When V_i receives the identity authentication request message from UAV_k, it performs the following:
① verifies the validity of the timestamp: the message is valid if and only if T_cur3 − T_s3 ≤ ΔT;
② looks up the abnormal-disconnection table to obtain the session key SK_ij between the vehicle terminal and the MEC Server, and decrypts M_1;
③ computes the security detection identifier C_jk' = H(SID_i, ID_Vj) and checks
Figure BDA0004067522920000133
④ if and only if C_jk' = C_jk, computes MAC_3' = H(C_jk', T_Uk, T_s3, T_Δ) and checks
Figure BDA0004067522920000134
⑤ if and only if MAC_3' = MAC_3, authentication of UAV_k is complete, and V_i generates a random number
Figure BDA0004067522920000135
⑥ computes the temporary session key between the UAV and V
Figure BDA0004067522920000136
⑦ computes the temporary key parameter T_{i-k} = T_a(ID_Vj || S_j) mod p;
⑧ computes, with the symmetric encryption algorithm and the temporary session key, the ciphertext
Figure BDA0004067522920000137
⑨ generates a timestamp T_s4;
⑩ computes
Figure BDA0004067522920000138
⑪ V_i sends the identity authentication response message <T_{i-k}, T_s4, M_2, MAC_4> to UAV_k.
(3) When UAV_k receives the response from V_i, it performs the following:
① verifies the validity of the timestamp: the message is valid if and only if T_cur4 − T_s4 ≤ ΔT;
② computes
Figure BDA0004067522920000139
③ decrypts the ciphertext M_2 with the symmetric encryption/decryption algorithm and SK_ik';
④ computes
Figure BDA00040675229200001310
and checks
Figure BDA00040675229200001311
⑤ if and only if MAC_4' = MAC_4, the UAV completes authentication of V and generates a timestamp T_s5;
⑥ computes MAC_5 = H(T_s5, SK_ik);
⑦ UAV_k sends the key confirmation message <T_s5, MAC_5> to V_i.
(4) When V_i receives the key confirmation message from UAV_k, it performs the following:
① verifies the validity of the timestamp: the message is valid if and only if T_cur5 − T_s5 ≤ ΔT;
② computes MAC_5' = H(T_s5, SK_ik); if and only if MAC_5' = MAC_5, key negotiation is complete;
③ the UAV and the vehicle terminal use the temporary session key SK_ik for data or video transmission.
The identity authentication of the vehicle terminal in the invention is analysed as follows:
(1) Mutual identity authentication: the vehicle terminal verifies the legitimacy of the UAV through MAC_3 in the authentication request message. Because
Figure BDA0004067522920000141
is encrypted under SK_ij, the session key negotiated when the vehicle terminal accessed the MEC Server before the disconnection and known only to the vehicle terminal and the MEC Server, and because the disconnection duration T_Δ is computed from the disconnection timestamp T_s1 and likewise known only to the vehicle terminal and the MEC Server, only a legitimate UAV can obtain the pre-disconnection secret parameters needed for authentication from the MEC Server, through the secure service scheduling request message; the transfer of those secret parameters is encrypted under the symmetric key r_k, which is held only by the MEC Server and the UAVs it maintains. The UAV verifies the legitimacy of the vehicle terminal through MAC_4, because only a legitimate vehicle terminal holds its own attribute set {V}, and only a legitimate vehicle terminal can decrypt M_1 with SK_ij to obtain
Figure BDA0004067522920000143
and thereby compute the temporary session key SK_ik and the corresponding key parameter T_a(ID_Vj || S_j) mod p.
(2) Session key negotiation: the vehicle terminal and the UAV compute SK_ik from the secret value
Figure BDA0004067522920000142
obtained during mutual authentication. This secret value rests on the CMDH or CMDL problem; without either secret value a or r_k an attacker cannot compute SK_ik.
(3) Key confirmation: the vehicle terminal verifies H(T_s5, SK_ik) to confirm that the UAV has successfully negotiated the session key SK_ik; the UAV decrypts the ciphertext M_2 to confirm that the vehicle terminal has successfully obtained the session key.
(4) Identity anonymity: during identity authentication the vehicle terminal's real identity ID_Oi is never transmitted, and its pseudo-identity SID_i is protected inside C_jk = H(SID_i, ID_Vj). The UAV's real identifier U_i is not transmitted either; authentication uses the identity ID_Vj of the MEC Server connected before the disconnection, which is likewise protected by C_jk. Hence no attacker can obtain the vehicle terminal's SID_i or the UAV's U_i, so the protocol provides identity anonymity for vehicle terminals and UAVs.
(5) Unlinkability: because the vehicle terminal and the UAV generate a fresh timestamp T_s in every session, the two parties use different timestamps in different sessions; messages of one session carry no link to those of another, every message is bound to its timestamp, and an attacker learns nothing useful about the vehicle terminal or the UAV from the public data, so it cannot tell whether two messages come from the same vehicle terminal or UAV.
(6) PFS/PBS: the vehicle terminal and the UAV compute SK_ik from the secret value
Figure BDA0004067522920000151
where a is the temporary secret value of the vehicle terminal and
Figure BDA0004067522920000152
is the initial Chebyshev value of the UAV. Even if an attacker obtains the long-term keys K_Oi and r_k, it cannot obtain previous or future session keys, since by the CMDH and CMDL problems it is hard to compute T_a(ID_Vj || S_j) mod p. (Note that on the UAV side SK_ik' is computed from r_k and the transmitted T_{i-k}, so a practitioner deploying the scheme should treat compromise of r_k as exposing the session keys of any exchange whose T_{i-k} was recorded, and rotate r_k accordingly.)
(7) Resistance to protocol attacks: the timestamps T_s resist replay attacks. Since mutual authentication and key agreement between the vehicle terminal and the UAV have been achieved, and all exchanged messages are encrypted under the symmetric keys SK_ij and SK_ik, only the intended receiver can obtain the temporary key SK_ij and negotiate SK_ik, so an attacker cannot impersonate a legitimate vehicle terminal or UAV to deceive the server or the vehicle terminal and mount a man-in-the-middle attack. Moreover, because the important information is encrypted under SK_ij and SK_ik, whose derivation rests on the CMDH hardness assumption, an attacker cannot compute SK_ij or SK_ik, so the scheme resists eavesdropping.
The innovative points of the proposed solution are summarised below.
1. The invention provides a scheme in which UAVs assist the Internet of Vehicles to realise multidimensional, dense edge computing scenarios, achieving identity authentication and key negotiation between a vehicle terminal and a UAV in an emergency. Based on the zero-trust architecture, once a vehicle terminal has successfully accessed the edge computing server, the edge computing server continuously evaluates the trust of both the vehicle terminal and the UAV; mutual authentication of the UAV and the vehicle terminal requires only a small number of hash operations and the Chebyshev chaotic map algorithm, and needs no assisting authentication from the edge computing server that is no longer connected, which reduces the signalling and computation cost of both sides during authentication and supports low-latency emergency assistance. The security of the proposed solution is demonstrated with formal verification tools, and the performance comparison shows that it outperforms existing solutions. The lightweight scheme is therefore better suited to realising dense edge computing with UAV-assisted, resource-constrained Internet of Vehicles.
2. The invention proposes UAV-assisted Internet of Vehicles for multidimensional, dense edge computing scenarios together with assisted service scheduling under emergency conditions, and designs an application service management strategy for that scheduling. The edge computing server maintains a dynamic UAV group and a static UAV group at the same time; under normal conditions the UAV group monitors road traffic conditions from the air and serves as an aerial base station, so that the assisted Internet of Vehicles achieves multidimensional, dense edge computing. Using deep learning and similar methods, the idle dynamic UAV group can also be pre-dispatched to assist at locations where dense traffic is about to appear, sharing resources and avoiding waste. In addition, dynamic UAVs can be scheduled for long-distance emergency service without assistance from the edge computing server, to handle emergencies outside the edge computing server's network coverage.
3. The invention proposes a continuous trust evaluation strategy for UAVs and vehicle terminals. The trust value of a vehicle terminal is evaluated dynamically from its historical service requests, its connection state and its attribute set {V}; the trust value of a UAV is evaluated dynamically from the data access list it maintains and from the comparison of its historical assistance response times and resource consumption with the expected values. The trust-value feedback, together with the security level and urgency of the application service, is used to match the vehicle terminal's emergency service with the UAV selected for the issued task.
4. In the identity authentication process, the invention realises the zero-trust security principle of never trust, always verify between the vehicle terminal and the UAV, without assisting authentication from the MEC that was connected before the disconnection. Furthermore, adding the construction of the attribute set {V} to the vehicle terminal's authentication factors encourages end users to attend to security by defining the security level of the personalized identity. Dynamic authentication of both parties is realised through the disconnection duration T_Δ.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present invention, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
Although the present application has been described herein in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a review of the figures, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the "a" or "an" does not exclude a plurality.
The foregoing is a further detailed description of the invention in connection with the preferred embodiments, and it is not intended that the invention be limited to the specific embodiments described. It will be apparent to those skilled in the art that several simple deductions or substitutions may be made without departing from the spirit of the invention, and these should be considered to be within the scope of the invention.

Claims (10)

1. A zero-trust-based multi-attribute terminal identity authentication method, applied to a zero-trust-based multi-attribute terminal identity authentication system comprising an edge computing server and a cloud server, the edge computing server being able to communicate with a plurality of unmanned aerial vehicles and a plurality of vehicle terminals, the method comprising the following steps:
in a registration stage, each edge computing server and each vehicle terminal send a registration request to the cloud server, and the cloud server returns first registration information for each edge computing server and second registration information for the vehicle terminal;
in an edge authentication stage, the vehicle terminal sends an access authentication request to an edge computing server, and the edge computing server authenticates the vehicle terminal by combining the information carried in the access authentication request with its own information and negotiates with the vehicle terminal a session key for the two parties' session;
in an unmanned aerial vehicle initialization stage, each edge server sends initialization information to the unmanned aerial vehicles it controls;
in an emergency task scheduling stage, each edge computing server determines the task urgency from the connection state of the vehicle terminal, selects, when the task urgency meets the requirement, a target unmanned aerial vehicle with sufficient resources and the highest trust value from the unmanned aerial vehicle list it maintains, and issues a service scheduling request to the target unmanned aerial vehicle to start the application service response; the target unmanned aerial vehicle verifies whether the service scheduling request is legitimate and, if so, obtains the authentication parameters for assisting the vehicle terminal and generates the responding security detection identifier;
in an identity authentication stage between the terminal and the unmanned aerial vehicle, the unmanned aerial vehicle authenticates the vehicle terminal using the session key negotiated with the vehicle terminal in the edge authentication stage, the authentication parameters for assisting the vehicle terminal and the responding security detection identifier, and negotiates a temporary session key with the Chebyshev chaotic map algorithm, so as to establish communication with the vehicle terminal under the temporary session key.
2. The zero-trust-based multi-attribute terminal identity authentication method according to claim 1, wherein in the registration stage the registration process of each edge computing server is:
(1) the j-th edge computing server MEC Server_j sends a registration request message to the registration center RC deployed on the cloud server, the message containing the unique identity ID_Vj of MEC Server_j;
(2) on receiving the registration request message, RC checks whether ID_Vj already exists; if so, it requires MEC Server_j to send a new identity, otherwise it selects a random number S_j and a master key K_Vj for MEC Server_j and computes the initial Chebyshev chaotic map value
Figure FDA0004067522900000021
and sends the registration response message to MEC Server_j,
wherein the registration response message contains the master key K_Vj, the initial Chebyshev chaotic map value
Figure FDA0004067522900000022
and the parameter (ID_Vj || S_j);
Figure FDA0004067522900000023
is the public parameter of MEC Server_j;
(3) MEC Server_j stores the registration response message and publishes
Figure FDA0004067522900000024
as a public parameter, and RC stores {ID_Vj, K_Vj}.
3. The zero-trust-based multi-attribute terminal identity authentication method according to claim 1, wherein in the registration stage the registration process of each vehicle terminal is:
(1) the i-th vehicle terminal V_i sends a registration request message to the registration center RC deployed on the cloud server, the message containing its unique identity ID_Oi;
(2) on receiving the registration request message, RC checks the legitimate-identity list and the malicious-identity list to determine whether the identity already exists; if so, it requires V_i to send a new identity, otherwise RC selects a random number O_i and a master key K_Oi for V_i and computes the initial Chebyshev chaotic map value
Figure FDA0004067522900000025
and the pseudo-identity SID_i = H(ID_Oi || O_i), and sends the registration response message
Figure FDA0004067522900000026
to V_i;
(3) V_i stores
Figure FDA0004067522900000027
and RC stores, for each V_i, the corresponding
Figure FDA0004067522900000028
4. The zero-trust-based multi-attribute terminal identity authentication method according to claim 1, wherein in the initialization stage the process by which each edge server sends initialization information to the unmanned aerial vehicles it controls is:
(1) the j-th edge computing server MEC Server_j generates a random number U_i for the k-th unmanned aerial vehicle UAV_k as the identity of UAV_k, and from U_i computes the secret value r_k = H(S_j, U_i) and the initial Chebyshev chaotic map value
Figure FDA0004067522900000029
and sends the initialization information
Figure FDA00040675229000000210
to UAV_k over a secure channel;
(2) UAV_k stores the initialization information
Figure FDA0004067522900000031
in local memory, wherein r_k is the shared key between UAV_k and MEC Server_j for their information interaction, and
Figure FDA0004067522900000032
is the authentication parameter used for identity authentication with the vehicle terminal during dynamic unmanned aerial vehicle dispatch.
5. The zero-trust-based multi-attribute terminal identity authentication method according to claim 4, wherein in the emergency task scheduling stage each edge computing server determines the task urgency from the connection state of the vehicle terminal, selects, when the task urgency meets the requirement, the target unmanned aerial vehicle with sufficient resources and the highest trust value from the unmanned aerial vehicle list it maintains, and issues a service scheduling request to the target unmanned aerial vehicle to start the application service response, the process comprising:
the j-th edge computing server MEC Server_j evaluates the security level and urgency of its application service from the connection state of the vehicle terminal, and at urgency level three actively initiates an application service response for the vehicle terminal;
the application service response proceeds as follows: estimate, by deep learning, the expected service response time and the resource consumption of the outsourced task; select, from the unmanned aerial vehicle UAV list maintained by the edge computing server, the target unmanned aerial vehicle with sufficient resources and the highest trust value according to the expected response time and resource consumption; and issue the service scheduling request <T_s1, M, MAC_1> to the target unmanned aerial vehicle,
Wherein T is s1 Is MEC Server j A time stamp when the abnormal condition of the vehicle terminal is identified;
Figure FDA0004067522900000033
generating a symmetric encryption algorithm and a symmetric key for dispatching ciphertext; MAC (media access control) 1 =H(T s1 ,M)。
6. The zero-trust-based multi-attribute terminal identity authentication method according to claim 5, wherein in the emergency task scheduling stage, the target unmanned aerial vehicle verifies whether the service scheduling request is legal, and in the legal case obtains the authentication parameter of the auxiliary vehicle terminal and generates the response security detection identifier; the process is:
(1) After receiving the service scheduling request, the unmanned aerial vehicle verifies the validity of the timestamp and of the service scheduling request, and generates a service confirmation message and the corresponding security detection identifier; the service confirmation message is sent to the edge computing server for key confirmation with the edge computing server;
(2) After receiving the service confirmation message, the jth edge computing server $\text{MEC Server}_j$ verifies the validity of the timestamp and generates the corresponding security detection identifier $C_{jk}$ for verifying the validity of the service confirmation message.
7. The zero-trust-based multi-attribute terminal identity authentication method of claim 6, wherein in the emergency task scheduling stage, process (1) is:
① After receiving the service scheduling request, $\text{UAV}_k$ first verifies the validity of the timestamp: the service scheduling request is valid if and only if $T_{cur1} - T_{s1} \le \Delta T$, where $\Delta T$ is the maximum time interval allowed by the system and $T_{cur1}$ is the timestamp generated when $\text{UAV}_k$ receives the service scheduling request;
② $\text{UAV}_k$ decrypts the ciphertext $M$ using the symmetric encryption/decryption algorithm and the symmetric key to obtain $\langle T_{s1}, \{V\}, SK_{ij}\rangle$;
③ $\text{UAV}_k$ computes $MAC_1' = H(T_{s1}, M)$; the integrity of the service scheduling request is verified if and only if $MAC_1' = MAC_1$;
④ $\text{UAV}_k$ computes the security detection identifier
Figure FDA0004067522900000041
⑤ $\text{UAV}_k$ generates the current timestamp $T_{s2}$;
⑥ $\text{UAV}_k$ computes $MAC_2 = H(T_{s2}, C_{jk})$ and sends the service confirmation response message $\langle T_{s2}, MAC_2\rangle$ to $\text{MEC Server}_j$ for key confirmation by $\text{MEC Server}_j$.
8. The zero-trust-based multi-attribute terminal identity authentication method of claim 6, wherein in the emergency task scheduling stage, process (2) is:
① After receiving the service confirmation message, the jth edge computing server $\text{MEC Server}_j$ verifies the validity of the timestamp: the service confirmation message is valid if and only if $T_{cur2} - T_{s2} \le \Delta T$;
② $\text{MEC Server}_j$ computes the security detection identifier $C_{jk}' = H(SID_i, ID_{Vj})$;
③ $\text{MEC Server}_j$ computes $MAC_2' = H(T_{s2}, C_{jk})$; if and only if $MAC_2' = MAC_2$, $\text{MEC Server}_j$ confirms that $\text{UAV}_k$ has received the dispatch service request and generated the response security detection identifier $C_{jk}$.
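The request/confirmation exchange of claims 7 and 8 as an added Python model (not code from the patent): the server issues $\langle T_{s1}, M, MAC_1\rangle$, the UAV applies the $\Delta T$ window and MAC check, derives $C_{jk}$ and answers $\langle T_{s2}, MAC_2\rangle$, which the server checks against its own $C_{jk}'$. The hash $H$ (SHA-256), the symmetric cipher (a hash-based keystream stand-in), the value of $\Delta T$ and the placement of $SID_i$ and $ID_{Vj}$ inside $\{V\}$ are assumptions, since the claims leave them unspecified.

```python
import hashlib
import json

DELTA_T = 5.0  # maximum allowed interval ΔT in seconds (assumed value; the claims only name ΔT)

def H(*parts):
    """Hash H used for MACs and identifiers; the claims do not name it, SHA-256 is assumed."""
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()

def sym_xor(key, data):
    """Stand-in symmetric cipher (SHA-256 counter keystream XOR, symmetric by construction);
    the claims leave the algorithm unspecified, so this only models 'encrypt under a shared key'."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(f"{key}:{i // 32}".encode()).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def fresh(t_sent, t_now):
    """Timestamp window check of claims 7 and 8: valid iff T_cur - T_s <= ΔT."""
    return 0.0 <= t_now - t_sent <= DELTA_T

def server_build_request(k_sym, t_s1, vehicle, sk_ij):
    """MEC Server_j issues <T_s1, M, MAC_1> with M = Enc(T_s1, {V}, SK_ij), MAC_1 = H(T_s1, M)."""
    m = sym_xor(k_sym, json.dumps([t_s1, vehicle, sk_ij]).encode())
    return t_s1, m, H(t_s1, m.hex())

def uav_handle_request(k_sym, request, t_cur1):
    """UAV_k side (claim 7). Returns <T_s2, MAC_2>, or None when the request is rejected.
    Assumption: {V} carries the SID_i and ID_Vj over which C_jk is computed."""
    t_s1, m, mac1 = request
    if not fresh(t_s1, t_cur1):                        # ① stale or replayed request
        return None
    if H(t_s1, m.hex()) != mac1:                       # ③ MAC_1' must equal MAC_1; checked before
        return None                                    #   ② so unauthenticated bytes are never parsed
    _, vehicle, _sk_ij = json.loads(sym_xor(k_sym, m))  # ② recover <T_s1, {V}, SK_ij>
    c_jk = H(vehicle["SID_i"], vehicle["ID_Vj"])       # ④ security detection identifier
    t_s2 = t_cur1                                      # ⑤ current timestamp
    return t_s2, H(t_s2, c_jk)                         # ⑥ MAC_2 = H(T_s2, C_jk)

def server_verify_confirm(response, t_cur2, sid_i, id_vj):
    """MEC Server_j side (claim 8). Returns C_jk' on success, None on any failed check."""
    t_s2, mac2 = response
    if not fresh(t_s2, t_cur2):                        # ① timestamp window
        return None
    c_jk_prime = H(sid_i, id_vj)                       # ② C_jk' = H(SID_i, ID_Vj)
    return c_jk_prime if H(t_s2, c_jk_prime) == mac2 else None  # ③ MAC_2' == MAC_2
```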
9. The zero-trust-based multi-attribute terminal identity authentication method according to claim 8, wherein in the identity authentication stage between the terminal and the unmanned aerial vehicle, the unmanned aerial vehicle completes authentication of the vehicle terminal through the session key negotiated with the vehicle terminal in the edge authentication stage, the authentication parameter of the auxiliary vehicle terminal and the response security detection identifier, negotiates a new session key using the Chebyshev chaotic map algorithm, and establishes communication with the vehicle terminal using the new session key; the process is as follows:
(1) When $\text{UAV}_k$ finds vehicle terminal $V_i$, the following procedure is performed:
① generating a timestamp $T_{s3}$;
② generating the ciphertext using the symmetric encryption algorithm and the session key $SK_{ij}$
Figure FDA0004067522900000051
③ computing
Figure FDA0004067522900000052
where $T_\Delta = T_{s3} - T_{s1}$;
④ $\text{UAV}_k$ sends the identity authentication request message $\langle T_{s3}, M_1, MAC_3\rangle$ to $V_i$;
(2) When $V_i$ receives the identity authentication request message from $\text{UAV}_k$, the following procedure is performed:
① verifying the validity of the timestamp: the message is valid if and only if $T_{cur3} - T_{s3} \le \Delta T$;
② searching the abnormal disconnection table to obtain the session key $SK_{ij}$ between the vehicle terminal and the MEC Server, and decrypting $M_1$;
③ computing the security detection identifier $C_{jk}' = H(SID_i, ID_{Vj})$ and checking
Figure FDA0004067522900000053
④ if and only if $C_{jk}' = C_{jk}$, computing
Figure FDA0004067522900000054
and checking
Figure FDA0004067522900000055
⑤ if and only if $MAC_3' = MAC_3$, completing the authentication of $\text{UAV}_k$ and generating a random number
Figure FDA0004067522900000056
⑥ computing the temporary session key between the UAV and $V$
Figure FDA0004067522900000057
⑦ computing the temporary key parameter $T_{i\text{-}k} = T_a(ID_{Vj} \,\|\, S_j) \bmod p$;
⑧ computing the ciphertext based on the symmetric encryption algorithm and the temporary session key
Figure FDA0004067522900000058
⑨ generating a timestamp $T_{s4}$;
⑩ computing
Figure FDA0004067522900000059
⑪ $V_i$ sends the identity authentication response message $\langle T_{i\text{-}k}, T_{s4}, M_2, MAC_4\rangle$ to $\text{UAV}_k$.
(3) When $\text{UAV}_k$ receives the identity authentication response message from $V_i$, the following procedure is performed:
① verifying the validity of the timestamp: the message is valid if and only if $T_{cur4} - T_{s4} \le \Delta T$;
② computing
Figure FDA00040675229000000510
③ decrypting the ciphertext $M_2$ based on the symmetric encryption/decryption algorithm and $SK_{ik}'$;
④ computing
Figure FDA00040675229000000511
and checking
Figure FDA00040675229000000512
⑤ if and only if $MAC_4' = MAC_4$, $\text{UAV}_k$ completes identity authentication of $V_i$ and generates a timestamp $T_{s5}$;
⑥ computing $MAC_5 = H(T_{s5}, SK_{ik})$;
⑦ $\text{UAV}_k$ sends the key confirmation message $\langle T_{s5}, MAC_5\rangle$ to $V_i$;
(4) When $V_i$ receives the key confirmation message from $\text{UAV}_k$, the following procedure is performed:
① verifying the validity of the timestamp: the message is valid if and only if $T_{cur5} - T_{s5} \le \Delta T$;
② computing $MAC_5' = H(T_{s5}, SK_{ik})$; if and only if $MAC_5' = MAC_5$, the key negotiation process is completed;
③ the unmanned aerial vehicle and the vehicle terminal perform data or video transmission using the temporary session key $SK_{ik}$.
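Claim 9 negotiates the new session key with Chebyshev chaotic maps, and step ⑦ computes $T_{i\text{-}k} = T_a(ID_{Vj}\,\|\,S_j) \bmod p$; the session-key formulas themselves are in figures not reproduced on this page. The added Python below (not code from the patent) computes $T_n(x) \bmod p$ with fast doubling, cross-checks it against the textbook recurrence, and verifies the semigroup property $T_a(T_b(x)) = T_{ab}(x) = T_b(T_a(x)) \pmod p$ that such key agreement rests on. The modulus, the hash-to-integer mapping of $ID_{Vj}\,\|\,S_j$ and all sample values are constructed assumptions.

```python
import hashlib

P = 2 ** 61 - 1  # constructed modulus (a Mersenne prime); the claims write only "mod p"

def chebyshev(n, x, p):
    """T_n(x) mod p by fast doubling: T_{2k} = 2*T_k^2 - 1, T_{2k+1} = 2*T_k*T_{k+1} - x.
    Runs in O(log n) multiplications, which is what makes large exponents a usable."""
    t_k, t_k1 = 1 % p, x % p             # (T_0, T_1)
    for bit in bin(n)[2:]:               # walk the bits of n from the most significant
        t_2k = (2 * t_k * t_k - 1) % p
        t_2k1 = (2 * t_k * t_k1 - x) % p
        if bit == "0":
            t_k, t_k1 = t_2k, t_2k1
        else:
            t_k, t_k1 = t_2k1, (2 * t_k1 * t_k1 - 1) % p   # T_{2k+2} = 2*T_{k+1}^2 - 1
    return t_k

def chebyshev_naive(n, x, p):
    """Reference recurrence T_n = 2x*T_{n-1} - T_{n-2} mod p, for cross-checking small n."""
    t0, t1 = 1 % p, x % p
    for _ in range(n):
        t0, t1 = t1, (2 * x * t1 - t0) % p
    return t0

def base_point(id_vj, s_j, p):
    """Map ID_Vj || S_j to an element of Z_p (hash-to-integer is an assumption, not the patent's)."""
    return int(hashlib.sha256(f"{id_vj}||{s_j}".encode()).hexdigest(), 16) % p

def temp_key_parameter(a, id_vj, s_j, p=P):
    """Claim 9 step ⑦: T_{i-k} = T_a(ID_Vj || S_j) mod p for V_i's random exponent a."""
    return chebyshev(a, base_point(id_vj, s_j, p), p)

def semigroup_holds(a, b, x, p=P):
    """Property chaotic-map key agreement rests on: T_a(T_b(x)) = T_ab(x) = T_b(T_a(x)) mod p.
    Each side applies its own exponent to the other's public parameter and gets the same value."""
    lhs = chebyshev(a, chebyshev(b, x, p), p)
    rhs = chebyshev(b, chebyshev(a, x, p), p)
    return lhs == rhs == chebyshev(a * b, x, p)
```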
10. A zero-trust-based multi-attribute terminal identity authentication system, characterized in that a zero-trust-based multi-attribute terminal identity authentication method according to any one of claims 1 to 9 is implemented.
CN202310081032.8A 2023-02-01 2023-02-01 Zero trust-based multi-attribute terminal identity authentication method and system Pending CN116321147A (en)

Publications (1)

Publication Number Publication Date
CN116321147A true CN116321147A (en) 2023-06-23

Family

ID=86819472


Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116528235A (en) * 2023-06-30 2023-08-01 华侨大学 Vehicle-ground wireless communication authentication method and system based on extended chebyshev polynomial
CN116528235B (en) * 2023-06-30 2023-10-20 华侨大学 Vehicle-ground wireless communication authentication method and system based on extended chebyshev polynomial
CN116723511A (en) * 2023-08-11 2023-09-08 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Position management method and system for realizing privacy protection in Internet of vehicles and Internet of vehicles
CN116723511B (en) * 2023-08-11 2023-10-20 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Position management method and system for realizing privacy protection in Internet of vehicles and Internet of vehicles
CN117614752A (en) * 2024-01-24 2024-02-27 明阳点时科技(沈阳)有限公司 Double-layer zero-trust enterprise production network security ad hoc network method and system
CN117614752B (en) * 2024-01-24 2024-03-22 明阳点时科技(沈阳)有限公司 Double-layer zero-trust enterprise production network security ad hoc network method and system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination