WO2020133655A1 - Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scenario - Google Patents


Info

Publication number
WO2020133655A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
edge computing
access
computing node
terminal
Application number
PCT/CN2019/075660
Other languages
French (fr)
Chinese (zh)
Inventor
尚文利
曾鹏
陈春雨
赵剑明
刘贤达
尹隆
Original Assignee
中国科学院沈阳自动化研究所
Application filed by 中国科学院沈阳自动化研究所
Publication of WO2020133655A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/12 Applying verification of the received information

Definitions

  • the invention belongs to the field of edge computing information security, and specifically is a lightweight authentication mechanism that supports anonymous access of heterogeneous terminals in an edge computing scenario.
  • Edge computing extends traditional cloud services to the network edge: with edge devices as the core, services can reside on edge equipment, which processes massive data while ensuring efficient network operation and service delivery, is closer to users and suits network services with low-latency requirements. However, the rise of edge computing also brings new challenges for the information security of users, edge nodes and cloud servers in edge computing networks, especially in terms of security and privacy.
  • An edge computing device is a development platform integrating connectivity, computing, storage and applications. As a small data center at the network edge, it is closer to users. Heterogeneous access environments and diverse business requirements expose edge devices to a more complex network environment, in which attacks from the user layer and from cloud servers pose serious security threats to the whole edge computing network; traditional network security technologies struggle to resist such multi-source, cross-domain, layered attacks and intrusions. Moreover, edge computing nodes/servers must serve large numbers of end users. Edge nodes and terminal devices are deployed in a naturally distributed way, and their computing and storage capabilities are weak, so they cannot bear the resource overhead of traditional security protection based on asymmetric cryptography.
  • Identity authentication is an important issue of edge computing security.
  • An efficient identity authentication mechanism is the first line of defense for information security protection of edge computing nodes.
  • The traditional PKI-based identity verification mechanism is no longer applicable in the three-tier "cloud-edge-end" architecture: its efficiency is low and its scalability is poor.
  • When an edge device needs to use the services provided by edge computing and no authentication service exists, a roaming edge computing node/server can pretend to be a legitimate edge computing device or edge computing instance and induce edge-side terminal devices to connect to it.
  • The adversary can then manipulate incoming and outgoing requests from the end user or the cloud, secretly collect or tamper with terminal device data, and easily launch further attacks.
  • The existence of a fake edge computing node or server is a serious threat to user data security and privacy.
  • the present invention proposes an access authentication mechanism based on a lightweight signature and verification mechanism.
  • With the pseudo-identity information distributed by the cloud platform, any terminal device authorized by the cloud platform can perform access authentication with any edge computing node in the edge computing network. The scheme can effectively resist replay attacks, man-in-the-middle attacks and other types of attacks, is applicable to edge-side devices with limited computing and storage resources, and supports anonymous access authentication, preserving the privacy of the terminal device's identity information.
  • The present invention proposes a lightweight authentication mechanism supporting anonymous access of heterogeneous terminals in an edge computing scenario, which reduces the computing resources needed in the authentication process, protects the identity privacy of terminal devices and improves authentication efficiency.
  • the technical solution adopted by the present invention to achieve the above object is: a lightweight authentication method supporting anonymous access of heterogeneous terminals in an edge computing scenario, including the following steps:
  • Initialization stage: the cloud platform first selects its own master key information and keeps it private, then establishes the public parameters; at the same time, each edge computing node initializes its own public and private key pair and sends the public key information to the cloud platform.
  • Terminal device registration and pseudo-identity generation: each terminal device uses its own identity information to send a registration request to the cloud platform.
  • The cloud platform uses the master key information to create pseudo-identity information and public key information for the terminal device, encrypts the pseudo-identity of the registered terminal with the public key information of the edge computing node and sends it to the designated edge computing node; the edge computing node then decrypts it with its own private key and stores the decrypted list of registered device pseudo-identities locally.
  • Terminal device access authentication: when the edge computing node receives an access request from a terminal device, it verifies the request timestamp and the identity legitimacy of the terminal device, then verifies the access request by signature and signature verification; if verification fails, the terminal device's access request is rejected, otherwise it is accepted.
  • the initialization phase includes the following steps:
  • The cloud platform generates the system public parameters PP = {q, G, g, A, H_0, H_1, H_2, H_3}, where the cyclic group G and the large integer group of order q are selected
  • The edge computing node generates its own public-private key pair (PK_ES, SK_ES) from the cyclic group G, which is used to encrypt and sign transmitted data, and sends the public key PK_ES and its identity information ID_ES to the cloud platform.
  • (PK_ES, SK_ES): the edge computing node's public-private key pair
  • the terminal device registration and pseudo-identity generation include the following steps:
  • After receiving the information sent by the terminal device, the edge computing node first judges whether the timestamp is valid. If the timestamp T has expired, the received data packet is discarded, the terminal is denied access and verification is terminated; if the timestamp T has not expired, the data packet is received and verification proceeds;
  • next it checks whether the PID information of the terminal device belongs to the locally stored list of registered devices. If it does not, the received data packet is discarded, the terminal's access is rejected and verification is terminated; if it does, the data packet is received and verification proceeds;
  • finally, if the verification equation holds, the terminal device's access authentication request is accepted; otherwise the data packet is discarded and the terminal's access is denied.
  • Terminal device batch access authentication: when multiple terminal devices request access to an edge computing node at the same time, the node first verifies the request timestamp and identity legitimacy of each terminal device and rejects illegal terminal devices, then verifies the remaining requests in a batch using exponential multiplication. If the batch verification succeeds, the access requests are accepted; otherwise the requests are authenticated one by one, and the illegal terminal devices are reported to the cloud platform so that they can be traced.
  • the terminal device batch access authentication specifically includes the following steps:
  • When the edge computing node simultaneously receives access requests from n terminal devices, it first judges whether each timestamp T_i is valid; if T_i has expired, the corresponding terminal device's request has expired, otherwise it has not. Terminal devices whose timestamps have expired are rejected;
  • the edge computing node uses exponential multiplication and the terminal devices' identity information to calculate and determine whether the following formula holds:
  • H′_i = H_2(M_i, PID_i, ID_ES, R_i, T_i), where M_i, T_i, sig_i and R_i represent the message, timestamp, signature and random number sent by the i-th terminal device, respectively;
  • ID_ES is the identity information of the edge computing node;
  • if the formula holds, the terminal devices remaining after excluding those with expired timestamps and those not registered are legal and their access requests are accepted; otherwise there is an illegal terminal device, which is then traced through one-by-one terminal device access authentication.
  • The present invention proposes a lightweight authentication method supporting anonymous access of heterogeneous terminals in an edge computing scenario, built on the three-tier "cloud-edge-end" architecture of edge computing. The method can be applied to terminal equipment with limited computing and storage resources.
  • The lightweight access authentication method proposed by the present invention supports batch authentication when massive numbers of devices send access requests at the same time, and realizes anonymous authentication of terminal devices and tracing of malicious terminal devices, improving the efficiency and privacy of identity authentication for the concurrent access of massive heterogeneous terminals.
  • FIG. 1 is a schematic diagram of the three-layer architecture of the edge computing of the present invention.
  • Figure 2 is a flow chart of lightweight authentication supporting anonymous access to heterogeneous terminals in an edge computing scenario.
  • the lightweight access authentication mechanism supporting anonymous terminals in the edge computing scenario includes three entities, namely a cloud platform, edge computing nodes and terminal devices.
  • The cloud platform is responsible for issuing pseudo-identity information to each terminal device; the edge computing node authenticates the terminal devices that access it.
  • a lightweight authentication mechanism that supports anonymous access to heterogeneous terminals in an edge computing scenario includes the following steps:
  • Initialization stage: the cloud platform first initializes and generates its own public and private key pair and master key information, then uses the master key information to calculate and publish the public parameter information.
  • The public and private key information is stored on the cloud platform and is used to sign transmitted data to prevent it from being tampered with.
  • Terminal device registration and pseudo-identity generation: the terminal device uses its real identity information to send a registration request to the cloud platform; the cloud platform generates pseudo-identity and public key information for access authentication for the terminal device based on the master key information and the terminal's identity information, and sends the pseudo-identity information of the terminals authorized to register to the edge computing node.
  • Terminal device access authentication: when the terminal device needs to access an edge computing node, the edge computing node can verify the legitimacy of the terminal identity without involving the third-party cloud platform, which improves the efficiency of access authentication.
  • Terminal device batch access authentication is performed for large numbers of terminal devices that simultaneously send access requests to an edge computing node, reducing authentication delay and ensuring real-time service processing.
  • Initialization stage: the cloud platform first selects its own master key information and keeps it private, then instantiates the relevant group, hash functions and other information as public parameters; at the same time the edge computing node initializes its own public and private key pair and sends the public key information to the cloud platform.
  • Terminal device registration and pseudo-identity generation: each terminal device uses its own real identity information to send a registration request to the cloud platform.
  • The cloud platform uses the master key to create pseudo-identity information and public key information for the terminal device, encrypts the pseudo-identity of the registered terminal with the public key of the edge computing node and sends it to the designated edge computing node; the edge computing node then decrypts it with its own private key and stores the decrypted list of registered device pseudo-identities locally.
  • Terminal device access authentication: when the edge computing node receives an access request from a terminal device, it verifies the request timestamp and identity legitimacy of the terminal device to ensure that the sender is a legitimate user, then verifies the access request with the lightweight signature and verification method. If verification fails, the terminal device's access request is rejected.
  • Terminal device batch access authentication: the present invention supports batch access authentication when multiple terminal devices request simultaneous access to an edge computing node. First, the request timestamp and identity legitimacy of each terminal device are verified and illegal terminal devices are rejected; then the large number of remaining requests is verified in a batch through exponential multiplication. If the verification succeeds, the access requests are accepted; otherwise the requests are authenticated one by one, and the illegal terminal devices are reported to the cloud platform so that they can be traced.
  • During the initialization phase, the cloud platform generates the master key, public parameters, and public and private key pair information for each edge computing node, including the following steps:
  • The cloud platform performs a series of preparations: it is given a bilinear pairing group, selects the system master key, selects four different hash functions, generates its own public and private key pair, and so on.
  • the cloud platform calculates and discloses system parameters.
  • the edge computing node then generates its own public and private key pair information, which is used to encrypt and sign the transmitted data, and sends the public key and identity information to the cloud platform.
  • the terminal device uses its real identity information to send a registration request to the cloud platform.
  • the cloud platform generates pseudo-identity information and corresponding public key information for the terminal device based on the identity information of the terminal device, including the following steps:
  • The cloud platform generates a pseudo-identity and public key information for the terminal device based on its identity information. The pseudo-identity information is subsequently used not only to communicate with the edge computing node but also to track the true identity of a malicious terminal device. The terminal device computes its own private key information from the public key and pseudo-identity information returned to it.
  • the cloud platform uses the public key information of the edge computing node to encrypt the pseudo identity, and sends the generated encrypted data to the edge computing node, and sends the registered terminal device pseudo identity information to the designated edge computing node.
  • The edge computing node decrypts the ciphertext data sent by the cloud platform with its private key to recover the pseudo-identity information of the registered terminal devices, and saves it in a list, completing the registration of the terminal devices.
  • The lightweight signature and verification mechanism is used to verify the legitimacy of the terminal identity and does not require interaction with the cloud platform.
  • the terminal device generates a timestamp for message validity verification, which is used to resist replay attacks, and then uses its own private key to generate a signature for the information, and then sends the request message and signature to the registered edge computing node.
  • After receiving the information sent by the terminal, the edge computing node first judges whether the timestamp is valid. If the timestamp has expired, the received data packet is discarded, the terminal is denied access and verification is terminated. It then judges whether the identity of the terminal device belongs to the locally stored list of registered devices, i.e. whether the device identity is legal; if not, the received data packet is discarded, the terminal is denied access and verification is terminated. Finally, the terminal device's identity is verified by checking whether the following equation holds; if it holds, the terminal device's access authentication request is accepted, otherwise the data packet is discarded and the terminal is denied access.
  • the edge computing node can batch verify the legitimacy of the terminal device that sends the access request at the same time, which specifically includes the following steps:
  • When the edge computing node receives access requests from n terminal devices at the same time, it first judges whether each timestamp T_i is valid and rejects the terminal devices whose timestamps have expired.
  • The edge computing node then uses exponential multiplication and the identity information of the terminal devices to calculate and determine whether the following formula holds. If the equation holds, the terminal devices that sent the requests are legal and their access requests are accepted; otherwise there is an illegal terminal device, which can be traced through one-by-one authentication.
  • the cloud platform will first generate the authentication master key and public parameters, and the initialization phase is described as follows:
  • The cloud platform first randomly selects an integer as the security parameter, to ensure the efficiency and security of the generated group, and generates a cyclic group G and a large integer group of order q
  • the cloud platform generates public and private key pairs (PK C , SK C ) from group G to sign the transmitted data to prevent the data from being tampered with.
  • The edge computing node generates its own public and private key pair (PK_ES, SK_ES) from group G for encrypting and signing transmitted data, then sends the public key PK_ES and its identity information ID_ES to the cloud platform.
  • (PK_ES, SK_ES): the edge computing node's public and private key pair; ID_ES: its identity information
  • the terminal device uses its real identity information ID to send a registration request to the cloud platform, and the cloud platform generates it for the terminal device based on the identity information of the terminal device, its accessible edge computing nodes, and master key information a.
  • Pseudo-identity information and public key information are described as follows:
  • The encrypted data M is sent to the edge computing node, where PK_ES is the public key of the edge computing node and E is an asymmetric encryption algorithm; that is, PK_ES is used as the key to encrypt PID_i and produce the ciphertext M.
  • The decryption algorithm correspondingly uses SK_ES as the key to decrypt M and recover the PID information, from which the edge computing node builds the list of registered terminal devices' pseudo-identity information.
  • The edge computing node must authenticate a terminal device before accepting it, without interacting with the cloud platform, as described below:
  • When a large number of terminal devices apply for access to an edge computing node at the same time, authenticating them one by one may affect the real-time nature of the business, so the present invention supports batch authentication of multiple terminal devices accessing at the same time, reducing latency and ensuring the real-time performance of business processing. The specific description is as follows:
  • M_i, T_i, sig_i and R_i represent the message, timestamp, signature and random number sent by the i-th terminal device, whose pseudo-identity is PID_i.
  • The edge computing node first judges whether each timestamp T_i is valid and rejects the terminal devices whose timestamps have expired, where i (0 < i ≤ n) is the index and n is the total number of terminal devices.
  • the terminal device sending the request is legal and receives the access request of the terminal device, otherwise there is an illegal terminal device, and the illegal terminal device can be traced through one-to-one authentication.
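The access authentication and batch access authentication steps above, as an added worked example that is not the patent's own scheme: the patent does not publish its signature equations, so a Schnorr-style signature over a toy group stands in for the lightweight signature, pseudo-identities and terminal keys are derived by HMAC under the master key (an assumption), and the transport encryption of the PID list to the edge node is left out. The edge node checks T_i and the registered-PID list, then one product-of-exponentiations batch equation, and falls back to one-by-one verification to find and report the bad device.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Schnorr group (assumed, illustration only): p = 23 is prime, q = 11 divides
# p - 1 and g = 4 generates the subgroup of order q mod p. Real use needs q >= 256 bits.
P, Q, G = 23, 11, 4
TS_WINDOW = 60  # seconds a request timestamp T_i stays valid (assumed policy)

def h2(msg: bytes, pid: str, id_es: str, r: int, t: int) -> int:
    """H2(M_i, PID_i, ID_ES, R_i, T_i) from the patent, mapped into [1, q-1]."""
    parts = [msg, pid.encode(), id_es.encode(), str(r).encode(), str(t).encode()]
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

@dataclass
class AccessRequest:
    pid: str    # pseudo-identity PID_i
    msg: bytes  # message M_i
    t: int      # timestamp T_i
    r: int      # random commitment R_i = g^k
    s: int      # signature sig_i

class CloudPlatform:
    def __init__(self) -> None:
        self.master_key = secrets.token_bytes(32)
        self.trace = {}  # PID -> real ID, consulted when an edge node reports a device

    def register(self, real_id: str):
        # Assumed derivation: PID and private key are HMACs of the real ID under the
        # master key, so only the cloud can link a PID back to a real device.
        pid = hmac.new(self.master_key, real_id.encode(), "sha256").hexdigest()[:16]
        raw = hmac.new(self.master_key, b"key|" + real_id.encode(), "sha256").digest()
        sk = int.from_bytes(raw, "big") % Q or 1
        self.trace[pid] = real_id
        return pid, sk, pow(G, sk, P)

def sign_request(pid: str, sk: int, id_es: str, msg: bytes, t: int) -> AccessRequest:
    """Terminal side: Schnorr-style signature binding M_i, PID_i, ID_ES, R_i and T_i."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = h2(msg, pid, id_es, r, t)
    return AccessRequest(pid, msg, t, r, (k + e * sk) % Q)

class EdgeNode:
    def __init__(self, id_es: str) -> None:
        self.id_es = id_es
        self.registered = {}  # PID -> public key, the list delivered by the cloud

    def prefilter(self, reqs, now: int):
        """Steps 1 and 2: drop expired timestamps and unregistered PIDs."""
        ok, rejected = [], []
        for req in reqs:
            if abs(now - req.t) > TS_WINDOW or req.pid not in self.registered:
                rejected.append(req.pid)
            else:
                ok.append(req)
        return ok, rejected

    def verify_one(self, req: AccessRequest) -> bool:
        e = h2(req.msg, req.pid, self.id_es, req.r, req.t)
        return pow(G, req.s, P) == req.r * pow(self.registered[req.pid], e, P) % P

    def verify_batch(self, reqs) -> bool:
        """One product of exponentiations checks all requests at once:
        g^(sum z_i*s_i) == prod R_i^z_i * PK_i^(e_i*z_i). The random weights z_i
        stop colluding signers from cancelling each other's invalid terms."""
        lhs_exp, rhs = 0, 1
        for req in reqs:
            z = secrets.randbelow(Q - 1) + 1
            e = h2(req.msg, req.pid, self.id_es, req.r, req.t)
            lhs_exp = (lhs_exp + z * req.s) % Q
            rhs = rhs * pow(req.r, z, P) * pow(self.registered[req.pid], e * z % Q, P) % P
        return pow(G, lhs_exp, P) == rhs

    def authenticate(self, reqs, now: int):
        """Returns (accepted PIDs, rejected PIDs); rejected PIDs are reported for tracing."""
        ok, rejected = self.prefilter(reqs, now)
        if self.verify_batch(ok):
            return [req.pid for req in ok], rejected
        accepted = []  # batch failed: fall back to one-by-one to find the culprit
        for req in ok:
            (accepted if self.verify_one(req) else rejected).append(req.pid)
        return accepted, rejected

def demo(now: int = 1_700_000_000):
    """Three registered sensors plus two constructed bad requests (stale T, wrong key)."""
    cloud, edge = CloudPlatform(), EdgeNode("ES-01")
    devs = {rid: cloud.register(rid) for rid in ("sensor-A", "sensor-B", "sensor-C")}
    edge.registered.update((pid, pk) for pid, _, pk in devs.values())
    reqs = [sign_request(pid, sk, edge.id_es, b"join", now) for pid, sk, _ in devs.values()]
    pid_a, sk_a, _ = devs["sensor-A"]
    reqs.append(sign_request(pid_a, sk_a, edge.id_es, b"join", now - 3600))  # replayed copy
    pid_b, sk_b, _ = devs["sensor-B"]
    reqs.append(sign_request(pid_b, (sk_b + 1) % Q or 1, edge.id_es, b"join", now))  # wrong key
    accepted, rejected = edge.authenticate(reqs, now)
    return accepted, rejected, [cloud.trace[p] for p in rejected]
```

The timestamp window only bounds how long a captured request stays replayable; an edge node that must reject exact replays inside the window also has to remember recently seen (PID_i, T_i, R_i) tuples.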

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Provided by the present invention is a lightweight authentication method supporting anonymous access of heterogeneous terminals in an edge computing scenario. The present invention uses a cloud platform to create a pseudo-identity for each terminal device to hide its true identity information, while still being able to trace a malicious terminal device. During the authentication of terminal devices accessing an edge computing node, the edge computing node can verify the legality of the identities of all accessing devices without communicating with the cloud platform, and does not learn the true identity information of the terminals. The present invention guarantees the identity privacy of terminal devices, improves the efficiency of access authentication, and can resist common threats such as replay attacks, thereby enhancing the security and reliability of the entire edge computing system and solving the problem of access authentication for resource-limited terminal devices in an edge computing scenario.

Description

Lightweight authentication method supporting anonymous access of heterogeneous terminals in edge computing scenarios

Technical field
The invention belongs to the field of edge computing information security; specifically, it is a lightweight authentication mechanism that supports anonymous access of heterogeneous terminals in an edge computing scenario.
Background
As the trend toward the Internet of Everything deepens, Internet of Things technology and smart devices increasingly permeate people's daily lives, and smart technology has already begun to be applied in industries such as manufacturing, power and transportation. Edge computing extends traditional cloud services to the network edge: with edge devices as the core, services can reside on edge equipment, which processes massive data while ensuring efficient network operation and service delivery. It is closer to users and suited to network services with low-latency requirements. However, the rise of edge computing also brings new challenges for the information security of users, edge nodes and cloud servers in edge computing networks, especially in terms of security and privacy.
An edge computing device is a development platform integrating connectivity, computing, storage and applications. As a small data center located at the network edge, it is closer to users. Heterogeneous access environments and diverse business requirements expose edge devices to a more complex network environment, in which attacks from both the user layer and cloud servers pose serious security threats to the whole edge computing network, and traditional network security technologies struggle to resist such multi-source, cross-domain, layered attacks and intrusions. Moreover, edge computing nodes/servers must serve large numbers of end users. Edge nodes and terminal devices are deployed in a naturally distributed way, and their computing and storage capabilities are weak, so they cannot bear the resource overhead of traditional network security protection based on asymmetric cryptography. Yet interconnecting massive numbers of terminal devices requires an efficient identity authentication and trust management system: when massive numbers of terminal devices send access requests to edge computing nodes, a traditional centralized authentication mechanism faces enormous performance pressure, and the authentication system is often overwhelmed, particularly when devices connect at the same time.
Identity authentication is an important issue in edge computing security, and an efficient identity authentication mechanism is the first line of defense for the information security of edge computing nodes. The traditional PKI-based identity verification mechanism is no longer applicable in the three-tier "cloud-edge-end" architecture: its efficiency is low and its scalability is poor. In addition, when an edge device needs to use the services provided by edge computing and no authentication service exists, a roaming edge computing node/server can pretend to be a legitimate edge computing device or edge computing instance and induce edge-side terminal devices to connect to it. Once a terminal device has connected to a fake edge computing node, the adversary can manipulate incoming and outgoing requests from the end user or the cloud, secretly collect or tamper with terminal device data, and easily launch further attacks. The existence of fake edge computing nodes or servers is a serious threat to user data security and privacy.
For identity authentication in the hierarchical architecture of edge computing, current research on authentication mechanisms has not yet formed a relatively complete system of methods, and most existing schemes address identity authorization of edge-side devices and identity authentication within a single scope. The present invention proposes an access authentication mechanism based on a lightweight signature and signature-verification mechanism. This scheme does not need to be incorporated into the traditional PKI system: in the registration phase, each terminal device only needs to store one piece of pseudo-identity information assigned by the cloud platform, and any terminal device that has been authorized by the cloud platform can then perform access authentication with any edge computing node in the edge computing network. The scheme effectively resists replay attacks, man-in-the-middle attacks and other types of attack, is suitable for edge-side devices with limited computing and storage resources, and supports anonymous access authentication, which protects the privacy of the terminal device's identity information.
Summary of the invention
In view of the problem described in the background art, namely that the authentication system is overwhelmed and anonymity is not supported when massive numbers of heterogeneous devices on the edge side access concurrently, the present invention proposes a lightweight authentication mechanism supporting anonymous access of heterogeneous terminals in an edge computing scenario, which reduces the computing resources consumed in the authentication process, protects the identity privacy of the terminal device, and improves authentication efficiency.
The technical solution adopted by the present invention to achieve the above object is a lightweight authentication method supporting anonymous access of heterogeneous terminals in an edge computing scenario, including the following steps:
Initialization phase: the cloud platform first selects its master key information and keeps it secret, then establishes the public parameters; at the same time, the edge computing node initializes its own public/private key pair and sends its public key information to the cloud platform;
Terminal device registration and pseudo-identity generation: each terminal device sends a registration request to the cloud platform using its own identity information; the cloud platform uses the master key information to create pseudo-identity information and public key information for the terminal device, encrypts the pseudo-identity of the registered terminal with the public key information of the edge computing node and sends it to the designated edge computing node; the edge computing node then decrypts it with its own private key and stores the decrypted list of registered device pseudo-identities locally;
Terminal device access authentication: when the edge computing node receives an access request sent by a terminal device, it verifies the request timestamp and the legitimacy of the terminal device's identity, and then verifies the access request by signature and signature verification; if verification fails, the terminal device's access request is rejected; otherwise, the access request is accepted.
The initialization phase includes the following steps:
The cloud platform generates the system public parameters PP = {q, G, g, A, H_0, H_1, H_2, H_3}; here, a cyclic group G of order q and the large integer group
Figure PCTCN2019075660-appb-000001
are selected, with g the generator of the group; an integer a is randomly selected from the integer group
Figure PCTCN2019075660-appb-000002
as the master key information, and A = g^a is computed; four different hash functions
Figure PCTCN2019075660-appb-000003
Figure PCTCN2019075660-appb-000004
are selected.
The edge computing node generates its own public/private key pair (PK_ES, SK_ES) in the cyclic group G, used to encrypt and sign transmitted data, and sends the public key PK_ES and its identity information ID_ES to the cloud platform.
Terminal device registration and pseudo-identity generation include the following steps:
The cloud platform generates, from the terminal device's identity information ID, its pseudo-identity information
Figure PCTCN2019075660-appb-000005
and public key information PK = g^k, where k is an integer; the terminal device generates its own private key information SK = b·H_1(PID) from the public key information PK and the pseudo-identity information PID returned by the cloud platform, where b is an integer;
The cloud platform encrypts the pseudo-identity with the public key PK_ES of the edge computing node and sends the generated ciphertext M = E(PK_ES, PID) to the edge computing node, thereby delivering the pseudo-identity information of the registered terminal device to the designated edge computing node; on receiving the ciphertext M sent by the cloud platform, the edge computing node decrypts it with its private key to recover the pseudo-identity information of the registered terminal device and stores the pseudo-identity information of registered terminal devices as a list, completing the registration of the terminal device.
The specific steps of terminal device access authentication are as follows:
The terminal device generates a timestamp T for message validity verification, used to resist replay attacks, and then uses its own private key to generate the signature Sig = H_3(R − SK·H′)·r^(-1) over the message, where the integer
Figure PCTCN2019075660-appb-000006
R = g^r, H′ = H_2(M, PID, ID_ES, R, T), SK is the private key information of the terminal device and ID_ES is the identity information of the edge computing node; the request message and the signature are then sent to the edge computing node with which the terminal is registered;
After receiving the information sent by the terminal device, the edge computing node first checks whether the timestamp is valid: if the timestamp T has expired, the received packet is discarded, the terminal's access is rejected and verification terminates; if the timestamp T has not expired, the packet is received and the terminal device's access request proceeds;
The edge computing node then checks whether the terminal device's identity information PID is in the locally stored list of registered devices; if it is not, the received packet is discarded, the terminal's access is rejected and verification terminates; if it is, the packet is received and the terminal device's access request proceeds;
Using the terminal device's identity, it then verifies whether the following equation holds:
Figure PCTCN2019075660-appb-000007
If the equation holds, the terminal device's access authentication request is accepted; otherwise the packet is discarded and the terminal's access is rejected.
Batch access authentication of terminal devices is performed when multiple terminal devices request access to the edge computing node at the same time: first, the request timestamps and identity legitimacy of the terminal devices are verified and the illegitimate terminal devices among them are rejected; the requests are then verified in batch by exponent multiplication; if batch verification succeeds, the access requests are accepted; otherwise the requests are authenticated one by one, and illegitimate terminal devices are reported to the cloud platform so that they can be traced.
Batch access authentication of terminal devices specifically includes the following steps:
When the edge computing node receives access requests from n terminal devices at the same time, it first checks whether each timestamp T_i is valid; if T_i has expired, the corresponding terminal device's request has expired, otherwise it has not; terminal devices whose timestamps have expired are rejected;
It then checks, for all terminal devices remaining after excluding those whose timestamps have expired, whether the identity information PID_i is present in the locally stored list of registered devices; if present, the device is registered and its identity is legitimate; otherwise the device is unregistered and illegitimate; unregistered terminal devices are rejected;
Finally, the edge computing node uses exponent multiplication and the identity information of the terminal devices to compute and check whether the following equation holds:
Figure PCTCN2019075660-appb-000008
where H′_i = H_2(M_i, PID_i, ID_ES, R_i, T_i); M_i, T_i, Sig_i and R_i denote the message, timestamp, signature and random value sent by the i-th terminal device, and ID_ES is the identity information of the edge computing node;
If the equation holds, all requesting terminal devices remaining after the exclusion of expired and unregistered ones are legitimate and their access requests are accepted; otherwise an illegitimate terminal device exists, and it is traced by performing the individual terminal device access authentication.
The present invention has the following advantages and beneficial effects:
1. Combining the three-tier "cloud-edge-terminal" architecture of the edge computing scenario, the present invention proposes a lightweight authentication method supporting anonymous access of heterogeneous terminals in an edge computing scenario; the method is suitable for terminal devices with limited computing and storage resources.
2. The lightweight access authentication method proposed by the present invention supports batch authentication when massive numbers of devices send access requests at the same time, and achieves anonymous authentication of terminal devices as well as traceability of malicious terminal devices, improving the efficiency and privacy of identity authentication for concurrent access of massive numbers of heterogeneous terminals.
Brief description of the drawings
Figure 1 is a schematic diagram of the three-tier edge computing architecture of the present invention;
Figure 2 is a flowchart of lightweight authentication supporting anonymous access of heterogeneous terminals in an edge computing scenario.
Detailed description
The present invention is described in further detail below with reference to the drawings and embodiments.
As shown in Figure 1, the lightweight terminal access authentication mechanism supporting anonymity in the edge computing scenario involves three entities: the cloud platform, the edge computing nodes and the terminal devices. The cloud platform is responsible for issuing disguised identity information to each terminal device, and the edge computing node can authenticate the identity of terminal devices that request access.
As shown in Figure 2, a lightweight authentication mechanism supporting anonymous access of heterogeneous terminals in an edge computing scenario includes the following steps:
1) Initialization phase: the cloud platform first initializes and generates its own public/private key pair and master key information, then uses the master key information to compute and publish the public parameters; the public/private key information is kept on the cloud platform and used to sign transmitted data so that it cannot be tampered with.
2) Terminal device registration and pseudo-identity generation: the terminal device sends a registration request to the cloud platform using its real identity information; the cloud platform generates a pseudo-identity and public key information for access authentication from the master key information and the terminal's identity information, and sends the pseudo-identity information of the authorized registration to the edge computing node.
3) Terminal device access authentication: when a terminal device needs to access an edge computing node, the edge computing node can verify the legitimacy of the terminal's identity without involving the third-party cloud platform, which improves the efficiency of access authentication.
4) Terminal device batch access authentication: a large number of terminal devices sending access requests to an edge computing node at the same time are authenticated in batch, which reduces authentication latency and keeps business processing real-time.
Initialization phase: the cloud platform first selects its master key information and keeps it secret, then instantiates the relevant groups, hash functions and other information as public parameters; at the same time, the edge computing node initializes its own public/private key pair and sends its public key information to the cloud platform.
Terminal device registration and pseudo-identity generation: each terminal device sends a registration request to the cloud platform using its own real identity information; the cloud platform uses the master key to create pseudo-identity information and public key information for the terminal device, encrypts the pseudo-identity of the registered terminal with the edge computing node's public key and sends it to the designated edge computing node; the edge computing node then decrypts it with its own private key and stores the decrypted list of registered device pseudo-identities locally.
Terminal device access authentication: when the edge computing node receives an access request sent by a terminal device, it verifies the request timestamp and the legitimacy of the terminal device's identity to ensure that the sender is a legitimate user, and then verifies the access request using the lightweight signature and signature-verification method; if verification fails, the terminal device's access request is rejected.
Terminal device batch access authentication: the present invention supports batch access authentication when multiple terminal devices request access to an edge computing node at the same time. First, the request timestamps and identity legitimacy of the terminal devices are verified and the illegitimate terminal devices are rejected; the large number of requests is then verified in batch by exponent multiplication; if verification succeeds, the access requests are accepted; otherwise the requests are authenticated one by one, and illegitimate terminal devices are reported to the cloud platform so that they can be traced.
In the initialization phase, the cloud platform generates the master key, the public parameters and the public/private key pair information of each edge computing node, in the following steps:
The cloud platform performs a series of preparations, including specifying the bilinear pairing group, selecting the system master key, selecting four different hash functions and generating its own public/private key pair; the cloud platform then computes and publishes the system parameters.
The edge computing node then generates its own public/private key pair information, used to encrypt and sign transmitted data, and sends its public key and identity information to the cloud platform.
In terminal device registration and pseudo-identity generation, the terminal device sends a registration request to the cloud platform using its real identity information, and the cloud platform generates pseudo-identity information and the corresponding public key information for the terminal device from its identity information, in the following steps:
The cloud platform generates a pseudo-identity and public key information for the terminal device from its identity information; thereafter the pseudo-identity information is used both for communication with the edge computing node and for tracing the real identity of a malicious terminal device. The terminal device computes its own private key information from the public key and pseudo-identity information returned by the cloud platform.
The cloud platform encrypts the pseudo-identity with the public key information of the edge computing node and sends the resulting encrypted data to the edge computing node, thereby delivering the pseudo-identity information of the registered terminal device to the designated edge computing node; on receiving the ciphertext sent by the cloud platform, the edge computing node decrypts it with its private key to recover the pseudo-identity information of the registered terminal device and stores the pseudo-identity information of registered terminal devices as a list, completing the registration of the terminal device.
In terminal device access authentication, when a terminal device sends an access authentication request to an edge computing node, the legitimacy of the terminal's identity is verified by the lightweight signature and signature-verification mechanism, without any interaction with the cloud platform, in the following steps:
The terminal device generates a timestamp for message validity verification, used to resist replay attacks, then generates a signature over the message with its own private key, and sends the request message and signature to the edge computing node with which it is registered.
After receiving the information sent by the terminal, the edge computing node first checks whether the timestamp is valid; if the timestamp has expired, the received packet is discarded, the terminal's access is rejected and verification terminates. It then checks whether the terminal device's identity is in the locally stored list of registered devices, thereby judging the legitimacy of the device's identity; if it is not, the received packet is discarded, the terminal's access is rejected and verification terminates. Finally, using the terminal device's identity, it verifies whether the following equation holds; if the equation holds, the terminal device's access authentication request is accepted, otherwise the packet is discarded and the terminal's access is rejected.
Figure PCTCN2019075660-appb-000009
In terminal device batch access authentication, the edge computing node can verify in batch the legitimacy of terminal devices that send access requests at the same time, in the following steps:
Assume the edge computing node receives access requests from n terminal devices at the same time. The edge computing node first checks whether each timestamp T_i is valid and rejects the terminal devices whose timestamps have expired.
It then checks whether the identity information of all the terminal devices is present in the locally stored list of registered devices, thereby judging the legitimacy of each device's identity, and rejects the unregistered terminal devices.
Finally, the edge computing node uses exponent multiplication and the identity information of the terminal devices to compute and check whether the following equation holds; if it holds, all requesting terminal devices are legitimate and their access requests are accepted; otherwise an illegitimate terminal device exists, which can be traced by authenticating the devices one by one.
Figure PCTCN2019075660-appb-000010
1. Initialization phase
The cloud platform first generates the authentication master key and the public parameters; the initialization phase is described in detail as follows:
(1) The cloud platform first randomly selects an integer λ as the security parameter, which guarantees the efficiency and security of the generated group, and generates a cyclic group G of order q and the large integer group
Figure PCTCN2019075660-appb-000011
with g the generator of the group; an integer a is randomly selected from the integer group
Figure PCTCN2019075660-appb-000012
as the master key information, and A = g^a is computed as part of the public parameters.
(2) The following four different hash functions
Figure PCTCN2019075660-appb-000013
Figure PCTCN2019075660-appb-000014
are selected as part of the public parameters, where
Figure PCTCN2019075660-appb-000015
is the integer group of order q; the system public parameters PP = {q, G, g, A, H_0, H_1, H_2, H_3} are published.
(3) The cloud platform generates a public/private key pair (PK_C, SK_C) in the group G, used to sign transmitted data so that it cannot be tampered with.
(4) The edge computing node generates its own public/private key pair (PK_ES, SK_ES) in the group G, used to encrypt and sign transmitted data, and then sends the public key PK_ES and its identity information ID_ES to the cloud platform.
2. Terminal device registration and pseudo-identity generation
To guarantee identity anonymity, the terminal device sends a registration request to the cloud platform using its real identity information ID, and the cloud platform generates pseudo-identity information and public key information for it from the terminal device's identity information, the edge computing nodes it may access, and the master key information a, as described below:
(1) When the cloud platform receives the registration request sent by terminal device U, it first randomly selects an integer k from the large integer group
Figure PCTCN2019075660-appb-000016
and then generates the public key information PK = g^k and a pseudo-identity
Figure PCTCN2019075660-appb-000017
for the terminal device; thereafter the pseudo-identity information is used both for communication with the edge computing node and for tracing the real identity of a malicious terminal device.
(2) The cloud platform sends the generated PK and the pseudo-identity information PID to the terminal device over a secure channel; the terminal device randomly selects an integer b from the large integer group
Figure PCTCN2019075660-appb-000018
and computes its own private key information SK = b·H_1(PID).
(3) The cloud platform must send the pseudo-identity information of the registered terminal device to the designated edge computing node. It encrypts the pseudo-identity with the public key information of the edge computing node, M = E(PK_ES, PID), and sends the resulting encrypted data M to the edge computing node, where PK_ES is the public key of the edge computing node and E is the encryption algorithm of an asymmetric cipher, denoting encryption of PID_i under the key PK_ES to produce the ciphertext M.
(4) After receiving the ciphertext M sent by the cloud platform, the edge computing node decrypts it with its private key to recover the registered terminal device's pseudo-identity information, PID = D(SK_ES, M), where D is the decryption algorithm of the asymmetric cipher, denoting decryption of M under the key SK_ES to recover the PID; in this way the edge computing node builds a list of the pseudo-identity information of registered terminal devices.
3. Terminal device access authentication
When terminal device U needs to access the edge computing node ID_ES and send information, the edge computing node must authenticate the terminal device before accepting the information, to guarantee its authenticity and integrity, and without interacting with the cloud platform, as described below:
(1) U randomly selects from the large integer group
Figure PCTCN2019075660-appb-000019
an integer
Figure PCTCN2019075660-appb-000020
and computes R = g^r and H′ = H_2(M, PID, ID_ES, R, T), where T is the current timestamp, used to resist replay attacks, and M is the message being sent; it then uses its own private key SK to compute the signature Sig = H_3(R − SK·H′)·r^(-1) over the message M.
(2) U sends the message and signature Msg = {M, PID, R, T, Sig} to the edge computing node with which it is registered.
(3) After receiving the message Msg = {M, PID, R, T, Sig} sent by terminal U, the edge computing node first checks whether the timestamp T is valid; if T has expired, the received packet is discarded, the access of terminal U is rejected, and the following steps are not performed.
(4) It then checks whether PID is in the locally stored list of registered devices, thereby judging the legitimacy of the device's identity; if it is not, the received packet is discarded, the access of terminal U is rejected, and the following steps are not performed.
(5) Finally, it computes H_1(PID) and H′ = H_2(M, PID, ID_ES, R, T) from PID and verifies whether equation (1) holds; if it holds, the terminal device's access authentication request is accepted, otherwise the packet is discarded and the terminal's access is rejected.
Figure PCTCN2019075660-appb-000021
4. Terminal device batch access authentication
When a large number of terminal devices request access to an edge computing node at the same time, authenticating them one by one may affect the real-time performance of the business; the present invention therefore supports batch authentication of multiple accessing terminal devices at the same time, reducing latency and keeping business processing real-time, as described below:
(1)假设边缘计算节点同时接收到了n个终端设备发送的消息Msg i={M i,PID i,R i,T i,Sig i}时,M i,T i,sig i和R i表示由第i个终端设备发送的信息、时间戳、签名和随机数,其身份标识为PID i,边缘计算节点首先判断时间戳T i是否有效,拒绝其中时间戳已过期的终端设备,其中0<i≤n表示索引,n表示终端设备总数。 (1) Assuming that the edge computing node receives the message Msg i ={M i ,Pd i ,R i ,T i ,Sig i } sent by n terminal devices at the same time, M i ,T i ,sig i and R i represent The information, time stamp, signature and random number sent by the i-th terminal device are identified as PID i . The edge computing node first judges whether the time stamp T i is valid and rejects the terminal device in which the time stamp has expired, where 0< i≤n indicates the index, and n indicates the total number of terminal devices.
(2)然后判断所有的PID i是否存在于本地存储的已注册设备列表,判断设备身份的合法性,拒绝其中未注册的终端设备。 (2) Then determine whether all PID i exists in the locally stored registered device list, determine the legality of the device identity, and reject the unregistered terminal device.
(3)边缘计算节点利用PID i计算H 1(PID i)和H′ i=H 2(M i,PID i,ID ES,R i,T i),其中0<i≤n表示索引,并且判断等式(2)是否成立, (3) The edge computing node uses PID i to calculate H 1 (PID i ) and H′ i = H 2 (M i , PID i , ID ES , R i , T i ), where 0< i ≦n represents an index, and Determine whether equation (2) holds,
Figure PCTCN2019075660-appb-000022
If the equation holds, all requesting terminal devices are legitimate and their access requests are accepted; otherwise at least one illegitimate terminal device is present, and it can be traced by authenticating the requests one by one.
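The single-request flow in section 3 and the batch flow in section 4 reduce to the same edge-node logic: drop stale timestamps, drop PIDs that are not in the registered list, then check signatures, and fall back to one-by-one verification to trace the forged request when the aggregate check fails. The Python model below is an added example, not code from the patent: since equations (1) and (2) survive here only as images, it substitutes a Schnorr-style signature over a toy group for the patent's Sig formula, and it assumes the edge node's registered list maps each PID to that terminal's public key; ID_ES, the 30-second freshness window and every message are constructed values.

```python
import hashlib
import secrets

# Toy group parameters (NOT secure sizes, illustration only): safe prime p = 2q + 1
# and a generator g of the order-q subgroup. The patent's public parameters
# PP = {q, G, g, ...} are assumed to describe such a group.
P = 2039
Q = 1019
G = 4
ID_ES = "edge-node-01"   # constructed identity of the edge computing node
MAX_SKEW = 30            # assumed policy: accept timestamps within 30 s of "now"


def h2(m: str, pid: str, id_es: str, r: int, t: int) -> int:
    """H2(M, PID, ID_ES, R, T): hash of the fields the patent binds, as a nonzero value in Z_q."""
    data = f"{m}|{pid}|{id_es}|{r}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def keygen() -> tuple:
    """Stand-in key pair: SK random in Z_q, PK = g^SK mod p.
    This is an assumption, not the patent's SK = b*H1(PID) derivation."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def sign(sk: int, m: str, pid: str, t: int) -> dict:
    """Terminal side: build Msg = {M, PID, R, T, Sig} with R = g^r.
    Sig is a Schnorr-style stand-in for the patent's H3(R - SK*H')*r^-1."""
    r = secrets.randbelow(Q - 1) + 1
    big_r = pow(G, r, P)
    h_prime = h2(m, pid, ID_ES, big_r, t)
    return {"M": m, "PID": pid, "R": big_r, "T": t, "Sig": (r + sk * h_prime) % Q}


def verify_one(msg: dict, pk: int) -> bool:
    """Stand-in for equation (1): g^Sig == R * PK^H' (mod p)."""
    h_prime = h2(msg["M"], msg["PID"], ID_ES, msg["R"], msg["T"])
    return pow(G, msg["Sig"], P) == (msg["R"] * pow(pk, h_prime, P)) % P


def verify_batch(msgs: list, pks: list) -> bool:
    """Stand-in for equation (2): the n single equations multiplied together
    ("exponential multiplication"), so g is exponentiated once instead of n times.
    Each equation is raised to a random weight w_i (small-exponents test) so that
    two forged signatures cannot cancel each other out in the product."""
    lhs_exp = 0
    rhs = 1
    for msg, pk in zip(msgs, pks):
        w = secrets.randbelow(Q - 1) + 1
        h_prime = h2(msg["M"], msg["PID"], ID_ES, msg["R"], msg["T"])
        lhs_exp = (lhs_exp + w * msg["Sig"]) % Q
        rhs = rhs * pow(msg["R"] * pow(pk, h_prime, P) % P, w, P) % P
    return pow(G, lhs_exp, P) == rhs


def authenticate_batch(msgs: list, registered: dict, now: int) -> tuple:
    """Edge node side. `registered` maps PID -> PK (assumed).
    Returns (accepted PIDs, {rejected PID: reason})."""
    rejected = {}
    candidates = []
    for msg in msgs:
        if abs(now - msg["T"]) > MAX_SKEW:        # step (1): stale or replayed request
            rejected[msg["PID"]] = "expired timestamp"
        elif msg["PID"] not in registered:        # step (2): PID not in registered list
            rejected[msg["PID"]] = "unregistered PID"
        else:
            candidates.append(msg)
    if not candidates:
        return [], rejected
    pks = [registered[m["PID"]] for m in candidates]
    if verify_batch(candidates, pks):             # step (3): one aggregate check
        return [m["PID"] for m in candidates], rejected
    # aggregate check failed: trace the forged request(s) one by one
    accepted = []
    for msg, pk in zip(candidates, pks):
        if verify_one(msg, pk):
            accepted.append(msg["PID"])
        else:
            rejected[msg["PID"]] = "invalid signature"
    return accepted, rejected


def demo() -> tuple:
    """Constructed scenario: two honest terminals, one forged signature,
    one replayed (stale) request and one unregistered PID."""
    now = 1_700_000_000
    keys = {pid: keygen() for pid in ("PID-a", "PID-b", "PID-c", "PID-d")}
    registered = {pid: pk for pid, (_, pk) in keys.items()}
    msgs = [sign(keys[pid][0], "access-request", pid, now) for pid in ("PID-a", "PID-b")]
    wrong_sk = keys["PID-c"][0] % (Q - 1) + 1     # guaranteed to differ from PID-c's real SK
    msgs.append(sign(wrong_sk, "access-request", "PID-c", now))
    msgs.append(sign(keys["PID-d"][0], "access-request", "PID-d", now - 3600))
    msgs.append(sign(keygen()[0], "access-request", "PID-zz", now))
    return authenticate_batch(msgs, registered, now)


if __name__ == "__main__":
    print(demo())
```

The random per-request weights in verify_batch are the standard small-exponents safeguard for product-style batch verification; the patent's plain exponential multiplication does not mention them.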

Claims (6)

  1. A lightweight authentication method supporting anonymous access of heterogeneous terminals in an edge computing scenario, characterized in that it comprises the following steps:
    Initialization stage: the cloud platform first selects its master key information and keeps it secret, then establishes the public parameters; at the same time, the edge computing node initializes its own public/private key pair and sends its public key information to the cloud platform;
    Terminal device registration and pseudo-identity generation: each terminal device sends a registration request to the cloud platform using its own identity information; the cloud platform uses the master key information to create pseudo-identity information and public key information for the terminal device, encrypts the pseudo-identities of the registered terminals with the edge computing node's public key information and sends them to the designated edge computing node; the edge computing node then decrypts them with its own private key and stores the decrypted list of registered-device pseudo-identities locally;
    Terminal device access authentication: when the edge computing node receives an access request from a terminal device, it verifies the request timestamp and the legitimacy of the terminal device's identity, then verifies the access request by signing and signature verification; if verification fails, the terminal device's access request is rejected; otherwise, the access request is accepted.
  2. The lightweight authentication method supporting anonymous access of heterogeneous terminals in an edge computing scenario according to claim 1, characterized in that the initialization stage comprises the following steps:
    The cloud platform generates the system public parameters PP = {q, G, g, A, H_0, H_1, H_2, H_3}, where a cyclic group G of order q and a large integer group
    Figure PCTCN2019075660-appb-100001
    are selected, g is the generator of the group, an integer a is chosen at random from the integer group
    Figure PCTCN2019075660-appb-100002
    as the master key information and A = g^a is computed, and four different hash functions
    Figure PCTCN2019075660-appb-100003
    Figure PCTCN2019075660-appb-100004
    are selected;
    The edge computing node generates its own public/private key pair (PK_ES, SK_ES) from the cyclic group G, used to encrypt and sign transmitted data, and sends its public key PK_ES and identity information ID_ES to the cloud platform.
  3. The lightweight authentication method supporting anonymous access of heterogeneous terminals in an edge computing scenario according to claim 1, characterized in that the terminal device registration and pseudo-identity generation comprise the following steps:
    The cloud platform generates pseudo-identity information
    Figure PCTCN2019075660-appb-100005
    and public key information PK = g^k for the terminal device based on its identity information ID, where k is an integer; the terminal device generates its own private key information SK = b·H_1(PID) from the public key information PK and the pseudo-identity PID returned by the cloud platform, where b is an integer;
    The cloud platform encrypts the pseudo-identity with the edge computing node's public key PK_ES and sends the resulting ciphertext M = E(PK_ES, PID) to the edge computing node, thereby delivering the registered terminal device's pseudo-identity information to the designated edge computing node; on receiving the ciphertext M from the cloud platform, the edge computing node decrypts it with its private key to recover the registered terminal device's pseudo-identity information and saves the pseudo-identities of the registered terminal devices as a list, completing the registration of the terminal device.
  4. The lightweight authentication mechanism supporting anonymous access of heterogeneous terminals in an edge computing scenario according to claim 1, characterized in that the terminal device access authentication comprises the following specific steps:
    The terminal device generates a timestamp T for message validity verification, used to resist replay attacks, and then uses its own private key to generate the signature Sig = H_3(R - SK·H′)·r^-1 over the message, where the integer
    Figure PCTCN2019075660-appb-100006
    R = g^r, H′ = H_2(M, PID, ID_ES, R, T), SK is the terminal device's private key information and ID_ES is the edge computing node's identity information; it then sends the request message and signature to the edge computing node it registered with;
    When the edge computing node receives the message from the terminal device, it first checks whether the timestamp is valid; if the timestamp T has expired, it discards the received packet, refuses the terminal's access and terminates verification; if the timestamp T has not expired, it receives the packet and accepts the terminal device's access;
    It then checks whether the terminal device's identity information PID is in the locally stored list of registered devices; if it is not, it discards the received packet, refuses the terminal's access and terminates verification; if it is, it receives the packet and accepts the terminal device's access;
    It uses the terminal device's identity information to verify whether the following equation holds:
    Figure PCTCN2019075660-appb-100007
    If the equation holds, the terminal device's access authentication request is accepted; otherwise the packet is discarded and the terminal's access is refused.
  5. The lightweight authentication method supporting anonymous access of heterogeneous terminals in an edge computing scenario according to claim 1, characterized in that terminal device batch access authentication is performed when multiple terminal devices request access to the edge computing node simultaneously: the request timestamps and identity legitimacy of the terminal devices are verified first and the illegitimate terminal devices are rejected; the remaining requests are then verified in batch by exponential multiplication; if verification succeeds the access requests are accepted, otherwise the requests are authenticated one by one and the illegitimate terminal devices are reported to the cloud platform, so that the illegitimate terminal devices can be traced.
  6. The lightweight authentication method supporting anonymous access of heterogeneous terminals in an edge computing scenario according to claim 5, characterized in that the terminal device batch access authentication specifically comprises the following steps:
    When the edge computing node simultaneously receives access requests from n terminal devices, it first checks whether each timestamp T_i is valid; if T_i has expired, the corresponding terminal device's request has expired, otherwise it has not; the terminal devices whose timestamps have expired are rejected;
    It then checks whether the identity information PID_i of every remaining terminal device (excluding those whose timestamps have expired) is present in the locally stored list of registered devices; if present, the device is registered and its identity is legitimate; otherwise the device is unregistered and illegitimate; the unregistered terminal devices are rejected;
    Finally, the edge computing node uses exponential multiplication and the terminal devices' identity information to compute and check whether the following equation holds:
    Figure PCTCN2019075660-appb-100008
    where H′_i = H_2(M_i, PID_i, ID_ES, R_i, T_i); M_i, T_i, Sig_i and R_i are respectively the message, timestamp, signature and random value sent by the i-th terminal device; and ID_ES is the identity information of the edge computing node;
    If the equation holds, all remaining requesting terminal devices (after excluding those with expired timestamps and those unregistered) are legitimate and their access requests are accepted; otherwise an illegitimate terminal device is present, which is then traced by performing terminal device access authentication individually.
PCT/CN2019/075660 2018-12-26 2019-02-21 Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scenario WO2020133655A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811598108.XA CN111371730B (en) 2018-12-26 2018-12-26 Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene
CN201811598108.X 2018-12-26

Publications (1)

Publication Number Publication Date
WO2020133655A1 true WO2020133655A1 (en) 2020-07-02

Family

ID=71129021

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/075660 WO2020133655A1 (en) 2018-12-26 2019-02-21 Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scenario

Country Status (2)

Country Link
CN (1) CN111371730B (en)
WO (1) WO2020133655A1 (en)

Also Published As

Publication number Publication date
CN111371730B (en) 2021-11-30
CN111371730A (en) 2020-07-03


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19902220

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19902220

Country of ref document: EP

Kind code of ref document: A1