CN117097561B - Trusted equipment transfer identity authentication method for industrial Internet of things - Google Patents

Trusted equipment transfer identity authentication method for industrial Internet of things Download PDF

Info

Publication number
CN117097561B
CN117097561B CN202311345057.0A CN202311345057A CN117097561B CN 117097561 B CN117097561 B CN 117097561B CN 202311345057 A CN202311345057 A CN 202311345057A CN 117097561 B CN117097561 B CN 117097561B
Authority
CN
China
Prior art keywords
server
gateway
equipment
authentication information
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311345057.0A
Other languages
Chinese (zh)
Other versions
CN117097561A (en
Inventor
万涛
李森
廖维川
周洁
江天天
封顺
梅江涛
吕浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
East China Jiaotong University
Original Assignee
East China Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by East China Jiaotong University filed Critical East China Jiaotong University
Priority to CN202311345057.0A priority Critical patent/CN117097561B/en
Publication of CN117097561A publication Critical patent/CN117097561A/en
Application granted granted Critical
Publication of CN117097561B publication Critical patent/CN117097561B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00IoT characterised by the purpose of the information processing
    • G16Y40/50Safety; Security of things, users, data or systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/121Timestamp

Abstract

The invention belongs to the technical field of internet of things authentication, and relates to an industrial internet of things-oriented trusted equipment identity authentication method, which comprises four processes of registration of equipment and a gateway, direct authentication of the equipment and authentication of the equipment; according to the invention, each device can generate own device fingerprint, so that the device fingerprint can not be tampered, and the safety of the device fingerprint is ensured; the method comprises the steps of using a random character generation algorithm, a hash function, an exclusive OR operation, character strings and other lightweight operations to realize mutual authentication among equipment, a gateway and a server of the Internet of things; the new equipment which cannot be connected to the gateway is transmitted and authenticated through the trusted equipment authenticated by the server, so that the trusted equipment assists the new equipment to authenticate, single-point faults generated by authentication of a single equipment are avoided, and meanwhile, the application range of a protocol is greatly improved.

Description

Trusted equipment transfer identity authentication method for industrial Internet of things
Technical Field
The invention belongs to the technical field of authentication of the Internet of things, and relates to a trusted equipment transfer identity authentication method for the industrial Internet of things.
Background
With the continuous development of communication technology and the internet of things, the application range of the internet of things is from smart home where only a few sensors are needed to smart cities and smart factories where a large number of internet of things devices are needed. The latter may use thousands of internet of things devices, integrating a large number of internet of things devices into a network physical system is a very challenging task. From a security privacy perspective, where large amounts of communication data will be generated, the information security of these devices requires a reliable communication protocol for protection. Therefore, the design of a reliable safety communication protocol is a basis for guaranteeing the normal operation of the large-scale internet of things system.
In large-scale internet of things applications, such as industrial internet of things or smart cities, containing thousands of devices, not all devices can be directly connected to a gateway in the internet of things system, but can be connected to devices at corresponding distances. Therefore, some internet of things devices that cannot be directly connected to the gateway need to support authentication by means of a trusted device that has been authenticated.
The invention patent application with the patent application number of CN202110386425.0 provides a double-factor identity authentication method oriented to an intelligent home scene, but the method has the following defects: 1) The cryptographic encryption technology with huge source consumption is not suitable for the resource-limited Internet of things equipment; 2) This approach is only applicable to certain scenarios and not more complex environments.
The invention patent application with the patent application number of CN202310607953.3 provides a certificate-free identity authentication and key negotiation method and a system, but the method has the following defects: 1) The key generation center has the risk of single point failure, and if the center transmits failure or is attacked, the whole security system can be paralyzed; 2) This scheme presents a privacy exposure risk.
The existing equipment authentication method has the following defects: the anonymity of the equipment cannot be guaranteed, the node capture attack cannot be resisted, the risk of shared key exposure possibly exists in the information transmission process, the forward security cannot be guaranteed, the data integrity cannot be guaranteed, most of the schemes are used for encryption calculation with larger cost, the scheme is not suitable for the internet of things equipment with limited resources, and the application range is narrow.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a trusted device transfer identity authentication method for the industrial Internet of things.
The invention is realized by the following technical scheme: the method comprises four processes of registration of equipment and a gateway, direct authentication of the equipment and transfer authentication of the equipment; the transfer authentication process of the device comprises the following steps:
Step D1: the new equipment inputs a new equipment identity and a new equipment fingerprint, generates partial new equipment authentication information by utilizing a random character generation algorithm Gen (sum) and a hash function, then selects a random number, acquires a first current time stamp and position information, generates new equipment authentication information by cascade connection, exclusive or and hash operation of the calculated information and stored information, and transmits the new equipment authentication information to trusted equipment through a public channel;
step D2: after receiving the new equipment authentication information, the trusted equipment acquires a second current time stamp and position information, and verifies the first current time stamp and position information of the new equipment; the trusted device encrypts the new device authentication information by using a session key, then obtains a device authentication parameter by combining a time stamp with the session key of the gateway, and sends the new device authentication information to the gateway through a public channel;
step D3: after receiving the new equipment authentication information, the gateway acquires a third current time stamp and compares the third current time stamp with the second current time stamp to verify whether the communication delay is within the maximum communication delay range, verifies the equipment verification parameters through the stored session key, and then sends the new equipment authentication information to the server through a public channel;
Step D4: after receiving the new equipment authentication information, the server acquires a fourth current time stamp and compares the fourth current time stamp with the third current time stamp, verifies whether the communication delay is within the maximum communication delay range, retrieves stored data in a database according to the new equipment authentication information, and verifies the equipment authentication information of the trusted equipment; then, the server verifies the new device authentication information according to the decrypted information; the server generates a random number and carries out cascading and hash operation with the decrypted new equipment authentication information to generate a session key and partial server authentication information with the new equipment;
step D5: the server uses the private key of the server to carry out hash operation and then carries out exclusive OR operation with the session key to obtain secret information corresponding to the new device and stores the secret information in a database, the server calculates the session key between the new device and the trusted device through the random number and the private key of the server, encrypts the message into server authentication information, and then the server sends the server authentication information to the gateway through a public channel;
step D6: after receiving the server authentication information, the gateway acquires a fifth current time stamp and compares the fifth current time stamp with a fourth current time stamp, verifies whether the communication delay is within a maximum communication delay range, and sends the server authentication information to trusted equipment through a public channel;
Step D7: after receiving the server authentication information, the trusted device acquires a sixth current time stamp and compares the sixth current time stamp with the fifth current time stamp, and verifies whether the communication delay is within the maximum communication delay range; after decrypting part of server authentication information by using self secret information, the trusted device obtains a session key with the new device by carrying out hash operation on the decrypted information and the secret information; the trusted device generates secret information corresponding to the new device according to the session key and the privacy data by exclusive OR and stores the secret information in a database;
step D8: after receiving the server authentication message, the new device acquires a seventh current time stamp and compares the seventh current time stamp with the sixth current time stamp, verifies whether the communication delay is within the maximum communication delay range, and then verifies the server authentication message; the new equipment generates a session key of the equipment which is trusted with the server through cascade connection and hash operation of the server authentication information and the private data of the new equipment; the new device generates secret information corresponding to the server and the new device according to the exclusive OR of the session key and the privacy data and stores the secret information in the database.
Further preferably, the registration process of the device includes the steps of:
The equipment selects equipment identity and equipment fingerprint, and generates corresponding equipment registration information by utilizing a random character generation algorithm Gen (level) and a hash function and sends the corresponding equipment registration information to a server through a secure channel;
after receiving the equipment registration information, the server generates a random number, uses a private key to carry out cascading and hash operation with the received equipment registration information to generate server authentication information, stores the server authentication information, and then sends the server authentication information to the equipment through a secure channel;
the device receives and stores the authentication information.
Further preferably, the registration process of the gateway is as follows:
the gateway selects gateway identity and gateway fingerprint, and generates corresponding gateway registration information by utilizing a random character generation algorithm Gen (level) and a hash function and sends the corresponding gateway registration information to the server through a secure channel;
after receiving the gateway registration information, the server generates a random number, uses the private key to carry out cascading and hash operation with the received gateway registration information to generate server authentication information, stores the server authentication information, and then sends the server authentication information to the gateway through a secure channel;
the gateway receives and stores the authentication information.
Further preferably, the direct authentication of the gateway includes the steps of:
Step B1: the gateway inputs a gateway identity and a gateway fingerprint, and generates partial gateway authentication information by utilizing a random character generation algorithm Gen (equal to zero) and a hash function; then, the gateway selects a random number and acquires a first current time stamp, generates gateway authentication information by cascading, exclusive-or and hash operation of the calculated information and the stored information, and sends the gateway authentication information to the server through a public channel;
step B2: after receiving the gateway authentication information, the server acquires a second current time stamp, compares the second current time stamp with the first current time stamp to verify whether the communication delay is within a range, retrieves data stored during registration in a database according to the gateway authentication information, verifies the gateway authentication information, and then generates a random number to carry out cascading and hash operation with the received gateway authentication information to generate a session key with the gateway and server authentication information;
step B3: the server calculates server authentication information and sends the server authentication information to the gateway through a public channel;
step B4: after receiving the server authentication information, the gateway acquires a third current time stamp, verifies whether the communication delay is in the range and the server authentication information, and verifies that the verification is successful, and the gateway performs cascade and hash operation calculation on the session key of the server through the server authentication information and the private data of the gateway. The gateway generates encryption information corresponding to the server according to the exclusive OR of the session key and the privacy data and stores the encryption information in the database.
Further preferred is a direct authentication procedure of the device comprising the steps of:
step C1: the equipment inputs equipment identity and equipment fingerprint, generates partial equipment authentication information by utilizing a random character generation algorithm Gen (sum) and a hash function, then selects a random number and acquires a first current timestamp, generates the equipment authentication information by cascade connection, exclusive or and hash operation of the calculated information and stored information, and sends the equipment authentication information to a gateway through a public channel;
step C2: after receiving the information, the gateway acquires a second current time stamp, verifies whether the time difference between the second current time stamp and the first current time stamp is within the maximum communication delay range, encrypts part of authentication information of the equipment by using a session key, and then sends the information to the server through a public channel;
step C3: after receiving the message, the server acquires a third current time stamp, verifies whether the time difference between the third current time stamp and the second current time stamp is within the maximum communication delay range, retrieves stored data in a database according to the equipment authentication information, verifies the equipment authentication information, generates a random number and performs cascading and hash operation on the random number and the received equipment authentication information to obtain a session key of the server and the equipment, a session key of the equipment and a gateway and the server authentication information;
Step C4: the server uses the private key of the server to carry out hash operation and then carries out exclusive or operation with the session key to obtain secret information corresponding to the equipment and stores the secret information in a database, and the server sends the server authentication information to the gateway through a public channel;
step C5: the gateway receives the information, acquires a fourth current time stamp, verifies whether the time difference between the gateway and the third current time stamp is within the maximum communication delay range, decrypts the server authentication information by using the secret information of the gateway, and stores the decrypted information and the secret information of the gateway in a database after exclusive or; the gateway sends the server authentication information to the device through a common channel;
step C6: after receiving the information, the device acquires a fifth current time stamp, verifies whether the time difference between the fifth current time stamp and the fourth current time stamp is within the maximum communication delay range, verifies the server authentication information, calculates a session key with the server through cascade connection and hash operation of the server authentication information and private data of the device, obtains the session key with the gateway according to the session key with the server and the private data of the device, and then exclusive-or-uses the information to obtain secret information corresponding to the server and the gateway and stores the secret information in a database.
The invention has the advantages that:
(1) By adopting the equipment fingerprint, the accuracy, stability, generation rate and safety can be effectively improved.
Some authentication factors are not high in safety and are easy to impersonate or unstable. In the scheme of the invention, the device fingerprints generated by different devices are different, the device fingerprints of each device are unique, the device characteristics extracted by using the device fingerprints through a random character generation algorithm Gen (), are unique, the device fingerprints are ensured not to be impersonated, and the accuracy rate of the device fingerprints is ensured to be repeated. The system upgrade of the Internet of things or the change of a small amount of parameters can not influence the device fingerprint, and the stability of the device fingerprint is ensured. Each device can generate own device fingerprint, so that the generation rate of the device fingerprint is ensured. The device fingerprint can not be tampered, and the safety of the device fingerprint is ensured.
(2) Lightweight cryptographic techniques are employed to ensure security.
In the current internet of things system, most of the devices of the internet of things are resource-limited, and cannot be suitable for protocols with high computing overhead and high communication overhead. Therefore, the lightweight protocol is very important for the equipment of the Internet of things, and the overall efficiency can be greatly improved. The invention uses random character generation algorithm, hash function, exclusive or operation, character string and other lightweight operations to realize mutual authentication among the equipment, gateway and server of the Internet of things. The hash function, the exclusive or operation and the character string have low calculation cost, so the security can be ensured while the resource consumption of calculation is reduced
(3) The application range is improved by using the transfer authentication.
The conventional authentication scheme generally only has direct authentication, and most protocols do not consider how to authenticate a new device directly connected to the gateway, which greatly limits the application scope of the protocols. Therefore, the invention provides the transmission authentication in the Internet of things system, and the new equipment which cannot be connected to the gateway is transmitted through the trusted equipment authenticated by the server, so that the trusted equipment assists the new equipment to authenticate, single-point faults generated by authentication of a single equipment are avoided, and meanwhile, the application range of a protocol is greatly improved.
Drawings
Fig. 1 is a flow chart of a method for transmitting identity authentication to trusted equipment facing industrial internet of things.
FIG. 2 is a schematic diagram of a network model of the method of the present invention.
Detailed Description
The invention is described in detail below with reference to the drawings and examples. It should be noted that the devices in the present invention are all devices of the internet of things.
Referring to fig. 1 and 2, a trusted device transfer identity authentication method for industrial internet of things comprises four processes of registration of a device and a gateway, direct authentication of the device and transfer authentication of the device.
The registration process of the equipment and the gateway is the same, and comprises the following steps:
step A1: the equipment or gateway selects equipment or gateway identity and equipment or gateway fingerprint, and generates corresponding equipment or gateway registration information by utilizing a random character generation algorithm Gen (level) and a hash function and sends the corresponding equipment or gateway registration information to a server through a secure channel;
step A2: after receiving the equipment or gateway registration information, the server generates a random number, uses a private key to carry out cascading and hash operation with the received equipment or gateway registration information to generate server authentication information, stores the server authentication information, and then sends the server authentication information to the equipment or gateway through a secure channel;
step A3: the device or gateway receives and stores the authentication information.
And after registration is completed, performing a direct authentication process of the gateway. The gateway direct authentication process comprises the following steps:
step B1: the gateway inputs a gateway identity and a gateway fingerprint, and generates partial gateway authentication information by utilizing a random character generation algorithm Gen (equal to zero) and a hash function; then, the gateway selects a random number and acquires a first current time stamp, generates gateway authentication information by cascading, exclusive-or and hash operation of the calculated information and the stored information, and sends the gateway authentication information to the server through a public channel;
Step B2: after receiving the gateway authentication information, the server acquires a second current time stamp, compares the second current time stamp with the first current time stamp to verify whether the communication delay is within a range, retrieves data stored during registration in a database according to the gateway authentication information, verifies the gateway authentication information, and then generates a random number to carry out cascading and hash operation with the received gateway authentication information to generate a session key with the gateway and server authentication information;
step B3: the server calculates server authentication information and sends the server authentication information to the gateway through a public channel;
step B4: after receiving the server authentication information, the gateway acquires a third current time stamp, verifies whether the communication delay is in the range and the server authentication information, and verifies that the verification is successful, and the gateway performs cascade and hash operation calculation on the session key of the server through the server authentication information and the private data of the gateway. The gateway generates encryption information corresponding to the server according to the exclusive OR of the session key and the privacy data and stores the encryption information in the database.
A direct authentication process for a device, comprising the steps of:
step C1: the equipment inputs equipment identity and equipment fingerprint, generates partial equipment authentication information by utilizing a random character generation algorithm Gen (sum) and a hash function, then selects a random number and acquires a first current timestamp, generates the equipment authentication information by cascade connection, exclusive or and hash operation of the calculated information and stored information, and sends the equipment authentication information to a gateway through a public channel;
Step C2: after receiving the information, the gateway acquires a second current time stamp, verifies whether the time difference between the second current time stamp and the first current time stamp is within the maximum communication delay range, encrypts part of authentication information of the equipment by using a session key, and then sends the information to the server through a public channel;
step C3: after receiving the message, the server acquires a third current time stamp, verifies whether the time difference between the third current time stamp and the second current time stamp is within the maximum communication delay range, retrieves stored data in a database according to the equipment authentication information, verifies the equipment authentication information, generates a random number and performs cascading and hash operation on the random number and the received equipment authentication information to obtain a session key of the server and the equipment, a session key of the equipment and a gateway and the server authentication information;
step C4: the server uses the private key of the server to carry out hash operation and then carries out exclusive or operation with the session key to obtain secret information corresponding to the equipment and stores the secret information in a database, and the server sends the server authentication information to the gateway through a public channel;
step C5: the gateway receives the information, acquires a fourth current time stamp, verifies whether the time difference between the gateway and the third current time stamp is within the maximum communication delay range, decrypts the server authentication information by using the secret information of the gateway, and stores the decrypted information and the secret information of the gateway in a database after exclusive or; the gateway sends the server authentication information to the device through a common channel;
Step C6: after receiving the information, the device acquires a fifth current time stamp, verifies whether the time difference between the fifth current time stamp and the fourth current time stamp is within the maximum communication delay range, verifies the server authentication information, calculates a session key with the server through cascade connection and hash operation of the server authentication information and private data of the device, obtains the session key with the gateway according to the session key with the server and the private data of the device, and then exclusive-or-uses the information to obtain secret information corresponding to the server and the gateway and stores the secret information in a database.
A delivery authentication process for a device, comprising the steps of:
step D1: the new equipment inputs a new equipment identity and a new equipment fingerprint, generates partial new equipment authentication information by utilizing a random character generation algorithm Gen (sum) and a hash function, then selects a random number, acquires a first current time stamp and position information, generates new equipment authentication information by cascade connection, exclusive or and hash operation of the calculated information and stored information, and transmits the new equipment authentication information to trusted equipment through a public channel;
step D2: after receiving the new equipment authentication information, the trusted equipment acquires a second current time stamp and position information, and verifies the first current time stamp and position information of the new equipment; the trusted device encrypts the new device authentication information by using a session key, then obtains a device authentication parameter by combining a time stamp with the session key of the gateway, and sends the new device authentication information to the gateway through a public channel;
Step D3: after receiving the new equipment authentication information, the gateway acquires a third current time stamp and compares the third current time stamp with the second current time stamp to verify whether the communication delay is within the maximum communication delay range, verifies the equipment verification parameters through the stored session key, and then sends the new equipment authentication information to the server through a public channel;
step D4: after receiving the new equipment authentication information, the server acquires a fourth current time stamp and compares the fourth current time stamp with the third current time stamp, verifies whether the communication delay is within the maximum communication delay range, retrieves stored data in a database according to the new equipment authentication information, and verifies the equipment authentication information of the trusted equipment; then, the server verifies the new device authentication information according to the decrypted information; the server generates a random number and carries out cascading and hash operation with the decrypted new equipment authentication information to generate a session key and partial server authentication information with the new equipment;
step D5: the server uses the private key of the server to carry out hash operation and then carries out exclusive OR operation with the session key to obtain secret information corresponding to the new device and stores the secret information in a database, the server calculates the session key between the new device and the trusted device through the random number and the private key of the server, encrypts the message into server authentication information, and then the server sends the server authentication information to the gateway through a public channel;
Step D6: after receiving the server authentication information, the gateway acquires a fifth current time stamp and compares the fifth current time stamp with a fourth current time stamp, verifies whether the communication delay is within a maximum communication delay range, and sends the server authentication information to trusted equipment through a public channel;
step D7: after receiving the server authentication information, the trusted device acquires a sixth current time stamp and compares the sixth current time stamp with the fifth current time stamp, and verifies whether the communication delay is within the maximum communication delay range; after decrypting part of server authentication information by using self secret information, the trusted device obtains a session key with the new device by carrying out hash operation on the decrypted information and the secret information; the trusted device generates secret information corresponding to the new device according to the session key and the privacy data by exclusive OR and stores the secret information in a database;
step D8: after receiving the server authentication message, the new device acquires a seventh current time stamp and compares the seventh current time stamp with the sixth current time stamp, verifies whether the communication delay is within the maximum communication delay range, and then verifies the server authentication message; the new equipment generates a session key of the equipment which is trusted with the server through cascade connection and hash operation of the server authentication information and the private data of the new equipment; the new device generates secret information corresponding to the server and the new device according to the exclusive OR of the session key and the privacy data and stores the secret information in the database.
In one embodiment of the invention, device D i For example, where i is the number of the device, illustrating the registration process of the device:
step A1: device D i Selecting an own device identity ID i Device fingerprint BIO i . Device D i BIO according to device fingerprint i Device D is generated using a random character generation algorithm Gen () i Characteristic data R of (2) i And auxiliary data P i And calculates device first secret information A i =h(ID i ||R i ) Device second secret information B i =h(A i ||R i ) H represents a hash function. Device D i Device registration information { ID over secure channel i ,B i And transmitted to the server S.
Step A2: the server S receives the device registration information { ID } i ,B i After } a random number r is generated i Calculating the pseudo identity (CID) of the equipment by using the private key x of the server i =h(ID i ||r i ) Device first authentication secret C i =h(CID i ||x||B i ) Device second authentication secret E i =h(B i ||C i ||CID i ). The server S stores in its database the server authentication information { CID } i ,E i And server authentication information { CID }, and i ,C i transmitted to device D via a secure channel i
Step A3: device D i Receiving server authentication information { CID i ,C i And storing.
In one embodiment of the invention, gateway G j For example, where j is the number of the gateway, illustrating the registration process of the gateway:
step A1: gateway G j Select own gateway identity GID j Gateway fingerprint GBIO j . Gateway G j According to gateway fingerprint GBIO j Gateway G is generated using a random character generation algorithm Gen () j Characteristic data GR j And auxiliary data GP j And calculates gateway first secret information GA j =h(GID j ||GR j ) Gateway second secret information GB j =h(GA j ||GR j ). Gateway G j Gateway registration information { GID over secure channel j ,GB j And transmitted to the server S.
Step A2: the server S receives gateway registration information { GID j ,GB j After } a random number Gr is generated j And respectively calculating gateway pseudo identity (GCID) by using private key x of server j =h(GID j ||Gr j ) Gateway first authentication secret GC j =h(GCID j ||x||GB j ) Gateway second authentication secret GE j =h(GB j ||GC j ||GCID j ). The server S stores the server authentication information { GCID ] in its database j ,GE j And server authentication information { GCID }, and j ,GC j transmitted to gateway G through secure channel j
Step A3: gateway G j Receiving server authentication information { GCID j ,GC j And storing.
Further, in this embodiment, the direct authentication process of the gateway includes the following steps:
step B1: gateway G j Input Gateway Identity (GID) j Gateway fingerprint GBIO j J is the gateway number, according to gateway fingerprint GBIO j Gateway G is generated using a random character generation algorithm Gen () j Characteristic data GR j Assistance data GP j And calculates gateway first secret information GA j =h(GID j ||GR j ) Gateway second secret information GB j =h(GA j ||GR j ). Gateway G j Selecting a random number GN j And obtaining a first current timestamp T 1 And uses the gateway pseudo identity (GCID) stored by the user j =h(GID j ||Gr j ),Gr j Is a random number and gateway first authentication secret GC j =h(GCID j ||x||GB j ) Computing gateway second authentication secret GE j =h(GB j ||GC j ||GCID j ) Gateway third authentication secret GF j =h(GN j )⊕GE j Gateway fourth authentication secret GQ j =h(GCID j ||GE j ) And gateway integrity verification information M 1 =h(GCID j ||h(GN j )||GE j ||GQ j ||T 1 ) And the gateway authentication information { T }, is used for 1 ,GCID j ,GF j ,GQ j ,M 1 And transmitted to the server S through the common channel.
Step B2: the server S receives the gateway authentication information { T } 1 ,GCID j ,GF j ,GQ j ,M 1 After } the second current timestamp T is obtained 2 Verifying whether the communication delay is within the maximum communication delay range, if not, terminating the communication, and if so, identifying the GCID according to the gateway pseudo-identity j Retrieving gateway second authentication secret GE in database j And calculates a gateway fourth authentication secret verification value GQ * j =h(GCID j ||GE j ). The server S verifies the gateway fourth authentication secret verification value GQ * j Whether or not to be equal to gateway fourth authentication secret GQ j If not, the communication is terminated. The server S calculates a hash value h (GN j ) * =GF j ⊕GE j Gateway integrity verification message check value M * 1 =h(GCID j ||h(GN j ) * ||GE j ||Q j ||T 1 ). The server S verifies the gateway integrity verification message check value M * 1 Whether or not to equal gateway integrity verification information M 1 Terminating communication if not equal, otherwise generating random number GN sj And calculates it and gateway G j Is a session key GSK of (1) j =h(h(GN sj )||GE j )。
Step B3: the server S calculates the corresponding gateway G j Server first authentication secret GW j =h(GN sj )⊕GE j Server integrity verification information M 2 =h(h(GN sj )||GCID j ||T 2 ||GE j ) The method comprises the steps of carrying out a first treatment on the surface of the Computing server sessions with gatewaysEncryption information GV of key sj =GSK j H (x), the server S stores the tuple { GV sj In the database, and server authentication information { T }, and 2 ,GW j ,M 2 transmitted to gateway G through common channel j
Step B4: when gateway G j Receiving server authentication information { T } 2 ,GW j ,M 2 After } the third current timestamp T is obtained 3 Verifying whether the communication delay is within the maximum communication delay range, and if not, terminating the communication. Gateway G j Calculate hash value h (GN sj ) * =GW j ⊕GE j Server integrity verification information check value M * 2 =h(h(GN sj ) * ||GCID j ||T 2 ||GE j ). Gateway G j Verifying server integrity verification information verification value M * 2 Whether or not it is equal to the server integrity verification information M 2 If not, the communication is terminated. After verification is successful, gateway G j Calculate its session key GSK with server S j =h(h(GN sj )||GE j ) And calculates the encryption information GV of the gateway and server session key j =GSK j ⊕GA j The tuple { GV will be stored j And stored in a database.
Further, the direct authentication process of the device includes the steps of:
Step C1: device D i Input device identity ID i And device fingerprint BIO i BIO according to device fingerprint i Device D is generated using a random character generation algorithm Gen () i Characteristic data R of (2) i And auxiliary data P i And calculates device first secret information A i =h(ID i ||R i ) Device second secret information B i =h(A i ||R i ). Device D i Selecting a random number N i And obtaining a first current timestamp T 1 And utilizes the self-stored equipment pseudo identity (CID) i =h(ID i ||r i ),r i Is a random number, and device first authentication secret C i =h(CID i ||x||B i ) Computing device second authentication secret E i =h(B i ||C i ||CID i ) Device third authentication secret F i =h(N i )⊕E i Device fourth authentication secret Q i =h(CID i ||E i ) And device integrity verification information M 3 =h(CID i ||h(N i )||E i ||Q i ||T 1 ) And authenticate the device with the message { T ] 1 ,CID i ,F i ,Q i ,M 3 Transmitted to gateway G through common channel j
Step C2: gateway G j Receiving device authentication message { T } 1 ,CID i ,F i ,Q i ,M 3 After } the second current timestamp T is obtained 2 With the first current timestamp T 1 The comparison verifies whether the communication delay is within the maximum communication delay range. If the communication delay is within the range, gateway G j Then the gateway identity GID is entered j Gateway fingerprint GBIO j Gateway G j According to Gen (GBIO) j )=(GR j ,GP j ) Extraction gateway G j Characteristic data GR j Assistance data GP j And calculates gateway first secret information GA j =h(GID j ||GR j ),GSK j =GV j ⊕GA j . Gateway G j Using GSK j For information { CID i ,F i ,Q i ,M 3 After symmetric encryption, gateway symmetric encryption information Mes is generated j Device authentication message { T }, is sent to the client 1 ,T 2 ,GMes j ,CID j And transmitted to the server S through the common channel.
Step C3: the server S receives the device authentication message { T 1 ,T 2 ,GMes j ,GCID j After } the third current timestamp T is obtained 3 With a second current timestamp T 2 The comparison verifies whether the communication delay is within the maximum communication delay range. The server S is based on the gateway pseudo identity (GCID) j Retrieving GVs in its database sj And GE j The server S uses the hash value of its own private keyCalculate and gateway G j Is a session key GSK of (1) j =GV sj H (x). Then, the server S uses the session key GSK j Decrypting gateway symmetric encryption information GMes j Obtaining the pseudo identity (CID) of the equipment i Device third authentication secret F i Device fourth authentication secret Q i Device integrity verification information M 3 . The server S uses the device pseudo identity CID i Retrieving the device second authentication secret E at its database i Computing device fourth authentication secret verification value Q * i =h(CID i ||E i ) Verification device fourth authentication secret verification value Q * i Whether or not to equal the device fourth authentication secret Q i . The server S calculates a hash value h (N i ) * =F i ⊕E i Device integrity verification information check value M * 3 =h(CID i ||h(N i ) * ||E i ||Q i ||T 1 ) Verification device integrity verification information verification value M * 3 Whether or not to be equal to the device integrity verification information M 3 . After passing the verification, the server S generates two random numbers N si ,N S And calculates the sum device D i Is a session key SK of (1) i =h(h(N si )||E i ) Computing device D i And gateway G j Is a session key SK of (1) ij =h(N S ||x)。
Step C4: the server S calculates a server first authentication secret W i =h(N si )⊕E i Server integrity verification information M 4 =h(h(N si )||CID i ||T 3 ||E i ) Gateway-corresponding secret information GGw j =SK ij ⊕h(E i ) Device-corresponding secret information Dev i =SK ij ⊕h(E i ) Gateway symmetric encryption GGO corresponding to secret information j =Enc GSKj (GGw j ) Symmetric encryption O of secret information corresponding to equipment i =Enc SKi (Dev i ) Encryption information V of server and device session key si =SK i H (x), the server stores the tuple { V) si Is in dataLibrary, server authentication message { T } 3 ,W i ,M 4 ,GO j ,O i Transmitted to gateway G through common channel j
Step C5: gateway G j Receiving a server authentication message { T } 3 ,W i ,M 4 ,GO j ,O i After } the fourth current timestamp T is obtained 4 With a third current timestamp T 3 The comparison verifies whether the communication delay is within the maximum communication delay range. Gateway G then j Computing GB j =h(GA j ||GR j ),GE j =h(GB j ||GC j ||GCID j ),GSK j =GV j ⊕GA j ,GGw j =Dec GSKj (GO j ) Session key SK of gateway and device ij =GGw j ⊕h(GE j ) Encryption information GZ of session key of gateway and device j =SK ij ⊕GA j Storage tuple { GZ j Is in the database. Authentication message { T for server 4 ,T 3 ,W i ,M 4 ,O i Transmitted to device D via common channel i
Step C6: device D i Receiving a server authentication message { T } 4 ,T 3 ,W i ,M 4 ,O i After } the fifth current timestamp T is obtained 5 With a fourth current timestamp T 4 The comparison verifies whether the communication delay is within the maximum communication delay range. Device D i Calculating a hash value h (N si ) * =W i ⊕E i Verifying server integrity verification information M * 4 =h(h(N si ) * ||CID i ||T 3 ||E i ) Verifying server integrity verification information check value M * 4 Whether or not it is equal to the server integrity verification information M 4 . Device D then i Calculate the session key SK between it and the server S i =h(h(N si )||E i ) Computing device correspondence information Dev i =Dec SKi (O i ) Session key SK for device and gateway ij =Dev i ⊕h(E i ) Encryption information V of device-to-server session key i =SK i ⊕A i Encryption information Z of device and gateway session key i =SK ij ⊕h(A i ) Device D i Storage tuple { V i ,Z i Is in the database.
Further, the transfer authentication process of the device in this embodiment includes the following steps:
step D1: new device D n Inputting new equipment identity ID n And new device fingerprint BIO n BIO according to new device fingerprint n Generating a new device D using a random character generation algorithm Gen () n Characteristic data R of (2) n And auxiliary data P n And calculates new device first secret information A n =h(ID n ||R n ) New device second secret information B n =h(A n ||R n ) The method comprises the steps of carrying out a first treatment on the surface of the New device D n Selecting a random number N n And a first current timestamp T 1 And utilizes the self-stored new equipment pseudo identity (CID) n =h(ID n ||r n ),r n Is a random number, and a new device first authentication secret C n =h(CID n ||x||B n ) Calculating a new device second authentication secret E n =h(B n ||C n ||CID n ) New device third authentication secret F n =h(N n )⊕E n New device fourth authentication secret Q n =h(CID n ||E n ) And new device integrity verification information M 1n =h(CID n ||h(N n )||E n ||Q n ||T 1 ) Generating a new device current location L n And authenticate the new device with message { T } 1 ,L n ,CID n ,F n ,Q n ,M 1n Transmission to trusted device D via common channel i
Step D2: trusted device D i Receiving a new device message { T ] 1 ,L n ,CID n ,F n ,Q n ,M 1n After } the second current timestamp T is obtained 2 And trusted device location information L i Trusted device D i Verifying whether the communication delay and the position distance are within the maximum range, and if so, inputting the equipment Identity (ID) i And device fingerprint BIO i Trusted device D i According to Gen (BIO i )=(R i ,P i ) Extracting characteristic data R of a device i And auxiliary data P i Calculate A i =h(ID i ||R i ),SK i =V i ⊕A i ,SK ij =Z i ⊕h(A i ) Trusted device D i And gateway G j Secret information Y of (2) i =h(SK ij ||T 2 ). Trusted device D i Using session key SK i For data { CID n ||F n ||Q n ||M 1n Symmetric encryption is carried out to obtain symmetric encryption information M of the device 5 New device authentication message { T }, will 1 ,T 2 ,Y i ,M 5 ,CID i Transmitted to gateway G through common channel j
Step D3: gateway G j Receiving a new device authentication message { T } 1 ,T 2 ,Y i ,M 5 ,CID i After } the third current timestamp T is obtained 3 Verifying whether the communication delay is within the maximum communication delay range, and if so, inputting a Gateway Identity (GID) j Gateway fingerprint GBIO j Gateway G j According to Gen (GBIO) j )=(GR j ,GP j ) Extraction gateway G j Characteristic data GR j Assistance data GP j And calculate GA j =h(GID j ||GR j ),SK ij =GZ j ⊕GA j And calculates a trusted device D i And gateway G j Secret information check value Y of (2) * i =h(SK ij ||T 2 ) Verify Y * i Whether or not to match Y i If they are equal, the communication is terminated. Authentication message { T for new device 1 ,T 3 ,M 5 ,CID i ,GCID j And transmitted to the server S through the common channel.
Step D4: the server S receives the new device authentication message { T 1 ,T 3 ,M 5 ,CID i ,GCID j After } the fourth current timestamp T is obtained 4 And verifying whether the communication delay is within the maximum communication delay range. The server S is based on the pseudo identity (CID) i Retrieving V in its database si And E is i Computing a trusted device D using its private key hash value i Is a session key SK of (1) i =V si H (x). The server S then uses the session key SK i Decryption device symmetrically encrypts information M 5 Obtaining the new equipment pseudo identity (CID) n New device third authentication secret F n New device fourth authentication secret Q n New device integrity verification information M 1n . The server S uses CID n Retrieving the new device second authentication secret E in its database n And calculates a fourth authentication secret verification value Q of the new device * n =h(CID n ||E n ) Verifying the new device fourth authentication secret verification value Q * n Whether or not to equal the new device fourth authentication secret Q n If not, terminating the communication; otherwise the server S calculates a hash value h (N n ) * =F n ⊕E n New device integrity verification information check value M * 1n =h(CID n ||h(N n ) * ||E n ||Q * n ||T 1 ) Verify M * 1n Whether or not to be equal to M 1n . If not, the communication is terminated. Otherwise the server S generates a random number N sn And calculates a new device D n Is a session key SK of (1) n =h(h(N sn )||E n ) Calculate new device D n With trusted device D i Session key SK therebetween ni =h(N sn ||x)。
Step D5: the server S calculates the corresponding new device D n Server first authentication secret W n =h(N sn )⊕E n Server integrity verification information M 6 =h(h(N sn )||CID n ||T 4 ||E n ) The trusted device corresponds to the secret information Dev' i =SK ni ⊕h(E i ) New deviceCorresponding secret information Dev n =SK ni ⊕h(E n ) Symmetric encryption O 'of trusted device corresponding to secret information' i =Enc SKi (Dev' i ) Symmetric encryption O of secret information corresponding to new device n =Enc SKn (Dev n ) Encryption information V of server and new device session key sn =SK n H (x), server S holds { V) sn In its database, server authentication message { T }, is sent to the server 4 ,W n ,M 6 ,O' i ,O n Transmitted to gateway G through common channel j
Step D6: gateway G j Receiving a server authentication message { T } 4 ,W n ,M 6 ,O' i ,O n After } the fifth current timestamp T is obtained 5 Verifying whether the communication delay is within the maximum communication delay range, and authenticating the message { T }, of the server 5 ,T 4 ,W n ,M 6 ,O' i ,O n Transmission to trusted device D via common channel i
Step D7: trusted device D i Receiving a server authentication message { T } 5 ,T 4 ,W n ,M 6 ,O' i ,O n After } the sixth current timestamp T is obtained 6 And verifying whether the communication delay is within the maximum communication delay range. Trusted device D i Calculation of Dev' i =Dec SKi (O' i ) Calculate its session key SK with the new device ni =Dev' i ⊕h(E i ) And calculates the encryption information V of the session key of the trusted device and the new device t =SK tn ⊕A i Trusted device D i Storage tuple { V t In its database, server authentication message { T }, is sent to the server 6 ,T 4 ,W n ,M 6 ,O n Transmission to new device D via common channel n
Step D8: new device D n Receiving a server authentication message { T } 6 ,T 4 ,W n ,M 6 ,O n After } the seventh current timestamp T is obtained 7 Verifying whether communication delay is at maximumThe signal delay range; new device D n Calculating a hash value h (N sn ) * =W n ⊕E n Server integrity verification message check value M * 6 =h(h(N sn )||CID n ||T 4 ||E n ) Verify M * 6 Whether or not to be equal to M 6 . If not, the communication is terminated. Otherwise calculate new device D n Session key SK with server S n =h(h(N sn )||E n ) Computing a new device corresponding secret Dev n =Dec SKn (O n ). New device D n Computing it with trusted device D i Is a session key SK of (1) ni =Dev n ⊕h(E n ) And calculates the encryption information V of the new device and server session key 1 =SK n ⊕A n Encryption information V of new device and trusted device session key 2 =SK ni ⊕h(A n ) New device D n Storage tuple { V 1 ,V 2 In its database.
The preferred embodiments of the invention disclosed above are intended only to assist in the explanation of the invention. The preferred embodiments are not exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best understand and utilize the invention. The invention is limited only by the claims and the full scope and equivalents thereof.

Claims (3)

1. The method for transmitting identity authentication by the trusted equipment facing the industrial Internet of things is characterized by comprising four processes of registration of equipment and a gateway, direct authentication of the equipment and transmission authentication of the equipment; the transfer authentication process of the device comprises the following steps:
step D1: the new equipment inputs a new equipment identity and a new equipment fingerprint, generates partial new equipment authentication information by utilizing a random character generation algorithm Gen ()'s and a hash function, then selects a random number and acquires a first current time stamp and position information, generates new equipment authentication information by performing cascading, exclusive-or and hash operation with authentication information stored by the new equipment and generated by a server in a registration stage, and sends the new equipment authentication information to trusted equipment through a public channel;
step D2: after receiving the new equipment authentication information, the trusted equipment acquires a second current time stamp and position information, and verifies the first current time stamp and position information of the new equipment; the trusted device encrypts the new device authentication information by using a session key, then obtains a trusted device authentication parameter by combining a time stamp with the session key of the gateway, and sends the new device authentication information to the gateway through a public channel;
Step D3: after receiving the new equipment authentication information, the gateway acquires a third current time stamp and compares the third current time stamp with the second current time stamp to verify whether the communication delay is within the maximum communication delay range, verifies the trusted equipment verification parameters through the stored session key, and then sends the new equipment authentication information to the server through a public channel;
step D4: after receiving the new equipment authentication information, the server acquires a fourth current time stamp and compares the fourth current time stamp with the third current time stamp, verifies whether the communication delay is within the maximum communication delay range, retrieves stored data in a database according to the new equipment authentication information, and verifies the equipment authentication information of the trusted equipment; then, the server verifies the new device authentication information according to the decrypted information; the server generates a random number and carries out cascading and hash operation with the decrypted new equipment authentication information to generate a session key and partial server authentication information with the new equipment;
step D5: the server uses the private key of the server to carry out hash operation and then carries out exclusive OR operation with the session key to obtain secret information corresponding to the new device and stores the secret information in a database, the server calculates the session key between the new device and the trusted device through the random number and the private key of the server, encrypts the message into server authentication information, and then the server sends the server authentication information to the gateway through a public channel;
Step D6: after receiving the server authentication information, the gateway acquires a fifth current time stamp and compares the fifth current time stamp with a fourth current time stamp, verifies whether the communication delay is within a maximum communication delay range, and sends the server authentication information to trusted equipment through a public channel;
step D7: after receiving the server authentication information, the trusted device acquires a sixth current time stamp and compares the sixth current time stamp with the fifth current time stamp, and verifies whether the communication delay is within the maximum communication delay range; after decrypting part of server authentication information by using self secret information, the trusted device obtains a session key with the new device by carrying out hash operation on the decrypted information and the secret information; the trusted device generates secret information corresponding to the new device according to the session key and the privacy data by exclusive OR and stores the secret information in a database;
step D8: after receiving the server authentication message, the new device acquires a seventh current time stamp and compares the seventh current time stamp with the sixth current time stamp, verifies whether the communication delay is within the maximum communication delay range, and then verifies the server authentication message; the new equipment generates a session key of the equipment which is trusted with the server through cascade connection and hash operation of the server authentication information and the private data of the new equipment; the new equipment performs exclusive OR according to the session key and the privacy data to generate secret information corresponding to the server and the new equipment and stores the secret information in a database;
The registration process of the device is as follows:
the equipment selects equipment identity and equipment fingerprint, and generates corresponding equipment registration information by utilizing a random character generation algorithm Gen (level) and a hash function and sends the corresponding equipment registration information to a server through a secure channel;
after receiving the equipment registration information, the server generates a random number, uses a private key to carry out cascading and hash operation with the received equipment registration information to generate server authentication information, stores the server authentication information, and then sends the server authentication information to the equipment through a secure channel;
the equipment receives and stores the authentication information;
the registration process of the gateway is as follows:
the gateway selects gateway identity and gateway fingerprint, and generates corresponding gateway registration information by utilizing a random character generation algorithm Gen (level) and a hash function and sends the corresponding gateway registration information to the server through a secure channel;
after receiving the gateway registration information, the server generates a random number, uses the private key to carry out cascading and hash operation with the received gateway registration information to generate server authentication information, stores the server authentication information, and then sends the server authentication information to the gateway through a secure channel;
the gateway receives and stores the authentication information.
2. The method for authenticating the identity of the trusted device delivery oriented to the industrial internet of things according to claim 1, wherein the direct authentication of the gateway comprises the following steps:
Step B1: the gateway inputs a gateway identity and a gateway fingerprint, and generates partial gateway authentication information by utilizing a random character generation algorithm Gen (equal to zero) and a hash function; then, the gateway selects a random number and acquires a first current time stamp, generates gateway authentication information by performing cascading, exclusive-or and hash operation with authentication information stored by the gateway and generated by the server in a registration stage, and sends the gateway authentication information to the server through a public channel;
step B2: after receiving the gateway authentication information, the server acquires a second current time stamp, compares the second current time stamp with the first current time stamp to verify whether the communication delay is within a range, retrieves data stored during registration in a database according to the gateway authentication information, verifies the gateway authentication information, and then generates a random number to carry out cascading and hash operation with the received gateway authentication information to generate a session key with the gateway and server authentication information;
step B3: the server calculates server authentication information and sends the server authentication information to the gateway through a public channel;
step B4: the gateway receives the server authentication information, acquires a third current time stamp, verifies whether the communication delay is in the range and the server authentication information, verifies success, calculates a session key of the server through cascade and hash operation of the server authentication information and private data of the gateway, and generates encryption information corresponding to the server and stores the encryption information in a database according to exclusive OR of the session key and the private data.
3. The method for authenticating the identity of the trusted device delivery oriented to the industrial internet of things according to claim 1, wherein the direct authentication process of the device comprises the following steps:
step C1: the equipment inputs equipment identity and equipment fingerprint, generates partial equipment authentication information by utilizing a random character generation algorithm Gen (sum) and a hash function, then selects a random number and acquires a first current timestamp, generates equipment authentication information by performing cascading, exclusive-or and hash operation with the authentication information stored by the equipment and generated by a server in a registration stage, and sends the equipment authentication information to a gateway through a public channel;
step C2: after receiving the information, the gateway acquires a second current time stamp, verifies whether the time difference between the second current time stamp and the first current time stamp is within the maximum communication delay range, encrypts part of authentication information of the equipment by using a session key, and then sends the information to the server through a public channel;
step C3: after receiving the message, the server acquires a third current time stamp, verifies whether the time difference between the third current time stamp and the second current time stamp is within the maximum communication delay range, retrieves stored data in a database according to the equipment authentication information, verifies the equipment authentication information, generates a random number and performs cascading and hash operation on the random number and the received equipment authentication information to obtain a session key of the server and the equipment, a session key of the equipment and a gateway and the server authentication information;
Step C4: the server uses the private key of the server to carry out hash operation and then carries out exclusive or operation with the session key to obtain secret information corresponding to the equipment and stores the secret information in a database, and the server sends the server authentication information to the gateway through a public channel;
step C5: the gateway receives the information, acquires a fourth current time stamp, verifies whether the time difference between the gateway and the third current time stamp is within the maximum communication delay range, decrypts the server authentication information by using the secret information of the gateway, and stores the decrypted information and the secret information of the gateway in a database after exclusive or; the gateway sends the server authentication information to the device through a common channel;
step C6: after receiving the information, the device acquires a fifth current time stamp, verifies whether the time difference between the fifth current time stamp and the fourth current time stamp is within the maximum communication delay range, verifies the server authentication information, calculates a session key with the server through cascade connection and hash operation of the server authentication information and private data of the device, obtains the session key with the gateway according to the session key with the server and the private data of the device, and then exclusive-or-uses the information to obtain secret information corresponding to the server and the gateway and stores the secret information in a database.
CN202311345057.0A 2023-10-18 2023-10-18 Trusted equipment transfer identity authentication method for industrial Internet of things Active CN117097561B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311345057.0A CN117097561B (en) 2023-10-18 2023-10-18 Trusted equipment transfer identity authentication method for industrial Internet of things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311345057.0A CN117097561B (en) 2023-10-18 2023-10-18 Trusted equipment transfer identity authentication method for industrial Internet of things

Publications (2)

Publication Number Publication Date
CN117097561A CN117097561A (en) 2023-11-21
CN117097561B true CN117097561B (en) 2024-01-16

Family

ID=88783662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311345057.0A Active CN117097561B (en) 2023-10-18 2023-10-18 Trusted equipment transfer identity authentication method for industrial Internet of things

Country Status (1)

Country Link
CN (1) CN117097561B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180130203A (en) * 2017-05-29 2018-12-07 한국전자통신연구원 APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
KR20190007572A (en) * 2017-07-12 2019-01-23 덕성여자대학교 산학협력단 Method for setting secret key and authenticating mutual device of internet of things environment
WO2019083082A1 (en) * 2017-10-26 2019-05-02 순천향대학교 산학협력단 Ksi-based authentication and communication method for safe smart home environment, and system therefor
KR20210072711A (en) * 2019-12-09 2021-06-17 세종대학교산학협력단 Method and apparatus for mutual authentication between internet of things device and trusted server
CN113746632A (en) * 2021-07-20 2021-12-03 南京邮电大学 Multi-level identity authentication method for Internet of things system
WO2023071751A1 (en) * 2021-10-29 2023-05-04 华为技术有限公司 Authentication method and communication apparatus

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230032099A1 (en) * 2021-07-15 2023-02-02 Nanyang Technological University Physical unclonable function based mutual authentication and key exchange
CN113872763A (en) * 2021-09-07 2021-12-31 杭州师范大学 Privacy protection authentication method based on wireless body area network

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180130203A (en) * 2017-05-29 2018-12-07 한국전자통신연구원 APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
KR20190007572A (en) * 2017-07-12 2019-01-23 덕성여자대학교 산학협력단 Method for setting secret key and authenticating mutual device of internet of things environment
WO2019083082A1 (en) * 2017-10-26 2019-05-02 순천향대학교 산학협력단 Ksi-based authentication and communication method for safe smart home environment, and system therefor
KR20210072711A (en) * 2019-12-09 2021-06-17 세종대학교산학협력단 Method and apparatus for mutual authentication between internet of things device and trusted server
CN113746632A (en) * 2021-07-20 2021-12-03 南京邮电大学 Multi-level identity authentication method for Internet of things system
WO2023071751A1 (en) * 2021-10-29 2023-05-04 华为技术有限公司 Authentication method and communication apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WanTao ; LiaoWeichuan.《Cryptanalysis on Polynomial-Based E-Voting Schemes》.《IEEE》.2010,全文. *

Also Published As

Publication number Publication date
CN117097561A (en) 2023-11-21

Similar Documents

Publication Publication Date Title
CN110708170B (en) Data processing method and device and computer readable storage medium
CN103118027B (en) The method of TLS passage is set up based on the close algorithm of state
CN111435913B (en) Identity authentication method and device for terminal of Internet of things and storage medium
CN114730420A (en) System and method for generating signatures
CN115549887A (en) Determination of a common secret and hierarchical deterministic keys for the secure exchange of information
CN110969431B (en) Secure hosting method, device and system for private key of blockchain digital coin
JP5224481B2 (en) Password authentication method
CN111314056A (en) Heaven and earth integrated network anonymous access authentication method based on identity encryption system
CN114125833B (en) Multi-factor authentication key negotiation method for intelligent device communication
CN107809311A (en) The method and system that a kind of unsymmetrical key based on mark is signed and issued
CN114070559B (en) Industrial Internet of things session key negotiation method based on multiple factors
CN113395166B (en) Edge computing-based power terminal cloud edge terminal collaborative security access authentication method
CN111526007B (en) Random number generation method and system
WO2023050557A1 (en) Blockchain identity authentication and privacy protection core technology such as zero-knowledge proof
CN102571357A (en) Signature realization method and signature realization device
CN112422587B (en) Identity verification method and device, computer equipment and storage medium
CN111416712B (en) Quantum secret communication identity authentication system and method based on multiple mobile devices
CN111065097B (en) Channel protection method and system based on shared secret key in mobile internet
CN111770089B (en) Authentication method for blockchain sensor and blockchain network
CN113486324A (en) Method for realizing three-factor anonymous identity authentication based on SM2 algorithm
CN111342967B (en) Method and device for solving block chain user certificate loss or damage
CN111245611B (en) Anti-quantum computation identity authentication method and system based on secret sharing and wearable equipment
CN117097561B (en) Trusted equipment transfer identity authentication method for industrial Internet of things
CN116388995A (en) Lightweight smart grid authentication method based on PUF
CN116155598A (en) Authentication method and system under multi-server architecture

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant