CN103428692B - Can accountability and the Radio Access Network authentication method of secret protection and Verification System thereof - Google Patents

Abstract

The invention discloses a kind of can accountability and the Radio Access Network authentication method of secret protection, comprise the following steps: step 1, customer group manager register at Virtual network operator；Step 2, user and customer group manager contact to be authenticated, and make user become user in group；If step 3 finds that user is broken, Virtual network operator is cancelled and is broken user；Step 4, user are successfully accessed wireless network；Step 5, having two or more signatures at access point when needing certification, access point carries out batch signature checking to these signatures；Step 6, authority of law determine the user being responsible for ad-hoc communication session.The invention also discloses a kind of realize can the Verification System of Radio Access Network authentication method of accountability and secret protection, including user and authority of law in Virtual network operator, access point, customer group manager, group.Have and make the degree of belief of each entity item limited, effectively prevent the problem of managing on behalf of another and single point failure problem.

Description

Can accountability and the Radio Access Network authentication method of secret protection and Verification System thereof

Technical field

The present invention relates to a kind of wireless communication technology, can accountability and the wireless of secret protection connect particularly to a kind of Enter method for network authorization and Verification System thereof.

Background technology

The universal quality significantly improving life of Radio Access Network and the efficiency of work, allow user almost Can access network whenever and wherever possible.And along with increasing to the demand of Radio Access Network, wireless access network Network starts to have played the part of irreplaceable role in life.But it is a concern that Radio Access Network apoplexy Danger is the most ubiquitous, and these risks include lacking experience or the sensitive information leakage, wireless of user without Vigilance The easy implementation of signal intercept and quickly tend to ripe monitoring device etc..So, if desired any wide-area deployment This Radio Access Network, safety, privacy, can accountability and high efficiency be need to consider main Problem.But, in the prior art, actual available can recognize the Radio Access Network of accountability and secret protection Card system is the most few.It addition, existing great majority guarantee that the Verification System of privacy is required for one can The third party trusted.But, in the presence of third party trusty, system can face the problem of managing on behalf of another and single-point Problem of Failure.Opponent can destroy the configuration of whole system by destroying third party trusty.Therefore, exist On the premise of being not related to third party trusty, simultaneously ensure Radio Access Network Verification System can accountability, Safety, privacy just seem the most necessary with high efficiency.In addition, accountability and privacy are two and see Like the target of contradiction, during therefore prior art cannot be applied directly to Radio Access Network Verification System, from And the privacy that can not lose system while accountability is provided to system.And the present invention separates former based on responsibility Then, this problem is solved well.In the present invention, Virtual network operator has group private key (group private Key, lower with), but do not know member keys (member secret keys, lower with) and subscriber identity information Mapping pair, and customer group manager (group manager, lower same) knows member keys and user identity letter Mapping pair (the mapping between the member secret keys and the essential of breath Attributes of the users, lower same), but there is no group private key, which ensure that the privacy of system. And under the needs of authority of law, Virtual network operator and customer group manager can provide information jointly, to find out Responsible user, which ensure that can accountability.The present invention be not related to one trusty third-party Under premise, ensure that simultaneously the safety of system, privacy, can accountability and high efficiency, this is existing skill Art cannot realize.

Existing wireless access Verification System relates to tripartite: a wireless roaming user U, an access points AP and Virtual network operator NO.A number of AP is deployed in the different location of coverage, whole to cover Region, and provide network service to the network user.User can access anywhere by their mobile device This network.Existing Radio Access Network authentication method and Verification System thereof mainly have two shortcomings.First, Existing method and system thereof generally require a third party trusty, such as member management person, trust authority (Trust Authority, lower same), home server, off line Secure Manager and aaa server.This Individual third party trusty manages all of keying material.If but if these keying materials leak out, using The privacy at family can face the danger being disclosed.Unfortunately, when there being third party trusty, security system The problem of managing on behalf of another and single point failure problem can be faced.Opponent can destroy whole by destroying third party trusty The configuration of system.Second, existing Radio Access Network cannot can ensure privacy while accountability providing. If wanting to allow authority of law can find the user that ad-hoc communication session is responsible for, then user profile can more or less by Reveal；If but want to ensure the privacy of user, then authority of law is difficult to carry out user according to limited information Follow the trail of.Prior being to provide can not lose privacy while accountability, and this is two and seems contradiction Target.There are currently no the relevant (privacy of available privacy that can directly dispose and can reach above target Aware) cryptographic primitives.

Summary of the invention

The primary and foremost purpose of the present invention is to overcome the shortcoming of prior art with not enough, it is provided that one can accountability and hidden The Radio Access Network authentication method of private protection, the method efficiently avoid the problem of managing on behalf of another and single point failure Problem.

Another object of the present invention is to the shortcoming overcoming prior art with not enough, it is provided that a kind of realization can accountability And the Verification System of the Radio Access Network authentication method of secret protection, this system is not related to the trusty 3rd Side, safety is high, and privacy is high.

The primary and foremost purpose of the present invention is achieved through the following technical solutions: a kind of can accountability and secret protection wireless Access network authentication method, comprises the following steps:

Step 1, customer group manager register at Virtual network operator, and Virtual network operator generates group's private key and portion Hive off PKI (partial group public key, lower same), and partial group PKI is issued customer group pipe Reason person；Customer group manager returns after generating group PKI (group public key, lower same) and transports to network Battalion business；Virtual network operator the group's public key broadcasts received at customer group manager to each access point；

Step 2, user and customer group manager contact to be authenticated, and hereafter customer group manager will be to It sends a member keys for access network and group's PKI；Now user is successfully joined customer group, becomes For user in group；

If step 3 finds that user is broken, then customer group manager will be broken user these and be considered as removing The user of pin, and the list cancelling user is sent to Virtual network operator；Virtual network operator is number on this list It is broadcast to each access point after word signature, is broken user to cancel；Now, user is revoked；

Step 4, user are to access network, it is necessary first to ensure to lay oneself open to the communication range of an access point In；After carrying out being mutually authenticated with this access point and exchanging with key, one between access point and user, can be set up Share symmetric key, for communication session backward；Now, user is successfully accessed wireless network；

Step 5, having two or more signatures at access point when needing certification, these are signed by access point Carry out batch signature checking.Our batch signature verification technique is signed institute in a large number considerably reducing checking While the time consumed, also reduce what this potential bottleneck problem of signature verification at access point was caused Disconnecting rate.

If step 6 authority of law is wanted to follow the trail of the user being responsible for ad-hoc communication session, only need to be from Virtual network operator Place obtains group's private key, and obtains member keys and the mapping pair of subscriber identity information at customer group manager； Group's private key and above-mentioned mapping pair is utilized to can determine that user.

Described step 4 comprises the following steps:

A, access point periodically broadcast the beacon message of this access point digital signature, thus announce that it services Exist；

B, after user receives beacon message, can be according to beacon message, the effectiveness of proving time stamp, access The certificate expiry time of point and the reliability of its PKI.If these checkings have any one not pass through, user This access point will not be linked；If these checkings are all passed through, user generates solicited message, and utilizes oneself Member keys it is carried out group ranking, and clean culture replies to access point；

C, after access point receives the above-mentioned information that user sends, will first check the freshness (message of information Freshness, lower same).Subsequently, check whether this user exists in its list cancelling user.If existing, Then refuse link；If not existing, then be calculated shared symmetric key and send response message to Family；

D, user, after receiving the information that above-mentioned access point is sent, can verify the effectiveness of this information.If letter It is invalid to cease, then refuse link；If effectively, then, this link is successfully established.

Described step 6 comprises the following steps:

(1) authority of law requires to follow the trail of the user being responsible for ad-hoc communication session；

(2) Virtual network operator is based on network linking and session identification, finds corresponding meeting from network log file Words authentication information；

(3) first three element of the digital signature in above-mentioned session authentication information is linearly added by Virtual network operator Close, and the member keys of this user is obtained with group's private key.Hereafter, net operation business is this user obtained Member keys report to authority of law；

(4) the member that authority of law sends, to customer group manager, this user obtained at Virtual network operator is close Key；

(5) customer group manager is according to the member keys of this user obtained at authority of law, stores at oneself Member keys and subscriber identity information mapping pair in search, and the subscriber identity information found is replied to Authority of law.

The method for network authorization of the present invention has the following six stage: system is set up, adds new user, cancelled User, be mutually authenticated and key exchange, batch signature checking, user tracking.At system establishment stage, net Network operator and each customer group manager each generating unit are hived off PKI.Group's PKI is assigned to each and connects Access point.System enters when there being new user to enter group adds new user's stage, and when one or more users are removed Enter during pin and cancel user's stage.It is being mutually authenticated and cipher key exchange phase, as a user wants to be linked to one Individual access point, he/her needs and carries out between access point being mutually authenticated to exchange with key, then sets up one and share Symmetric key.At batch signature Qualify Phase, access point can verify the request that many receives simultaneously, and not It is to process each request individually.In the user tracking stage, Virtual network operator and customer group manager help Authority of law follows the trail of a user being responsible for particular network link.

Another object of the present invention is achieved through the following technical solutions: a kind of realization can accountability and secret protection The Verification System of Radio Access Network authentication method, it is characterised in that including: Virtual network operator, access point, User and authority of law in customer group manager, group；Described Virtual network operator is to customer group manager's sending part Hive off PKI and at customer group manager receive group's PKI, Virtual network operator also to access point broadcast group's PKI； Access point and user in group carry out being mutually authenticated and key exchange, and in group, user also obtains at customer group manager Take the member keys in access network and group's PKI；Authority of law obtains group private key at Virtual network operator, And at customer group manager, obtain member keys and the mapping pair of subscriber identity information.

Key management model in the Verification System of the present invention relates to four typical network entities altogether: network is transported User in battalion business, access point, customer group manager and group.In the present invention, user not directly to network Operator registers, but is represented its users inside the group all by customer group manager and subscribe to Virtual network operator Service.Virtual network operator generates group's private key and group's PKI of part, but maintains secrecy group's private key.When receiving During one gerentocratic registration request of group, the network operation chamber of commerce is distributed to this customer group pipe partial group PKI Reason person.Then, group manager generates group PKI and is returned to Virtual network operator.Finally, network operation Business is sent to each access point group's PKI.To access network, each user needs please to its crowd of managers Ask its member keys and group's PKI.

This key managing project has several prominent feature, for the purpose firstly, for control access, The user of what each was legal have effective member keys can generate an effective access certificate, newly connects Enter the group ranking of request.This access certificate can be verified by each access point with group's PKI.Therefore, connect Enter safety to be guaranteed.Second, the present invention is group's private key and member keys and the mapping pair of subscriber identity information It is saved in respectively in two autonomous entity items: group's user administrator and Virtual network operator.Wherein network operation Business has group private key, but does not knows mapping pair.And group manager knows mapping pair, but do not know group private key. It is assumed herein that group manager will not gang up with Virtual network operator.This hypothesis is rational, because user Group manager and Virtual network operator are substantially from different groups, and even have the conflict of interest between them.This Result in customer group manager and can not determine that the identity information of specific user can not utilize with network operation commercial city The access authentication of user invades the privacy of user.Therefore, the privacy of user is strengthened.

Finally, under the gerentocratic common help of Virtual network operator and customer group, have and only authority of law can To track the corresponding network user according to arbitrary communication linkage.Therefore, there is service dispute or swindle Time, authority of law can determine accurately needs responsible user, and pursues its responsibility.So, Yong Huwen Duty also is able to realize.Meanwhile, whole cipher key management procedures can complete when system is set up, and therefore this is not The expense of any calculating and communication can be brought behind.

By amendment key schedule develop new short group ranking (Short group signature, under With) scheme.Thereafter, novel group ranking is integrated in the certification of the present invention and the design of IKMP. In addition, in order to realize high efficiency, based on novel group ranking, it is proposed that novel batch signature authentication Method.In order to cancel a user being broken, have employed Verifier-Local Revocation(this locality and test Card is revoked) method.This method designs based on novel group signature scheme.In addition, in order to support Renewal and the large-scale user of system cancel, and some additional mechanism have also been incorporated in the present invention.

The present invention can accountability and the efficient wireless access network system of secret protection, including: system set up In the stage, customer group manager registers at Virtual network operator, and Virtual network operator generates group's private key and partial group PKI, and partial group PKI is issued customer group manager；Customer group manager return after generating group PKI to Virtual network operator, subsequently Virtual network operator by group's public key broadcasts to each access point.Adding new user rank Section, user and customer group manager contact to be authenticated, and hereafter acquisition is used for access network by user A member keys and group's PKI.If finding, user is broken, and customer group manager will be broken these User is considered as the user that need to cancel, and the list cancelling user is sent to Virtual network operator, Virtual network operator This list is broadcast to after digital signature each access point, is broken user to cancel.User is to connect Enter network, it is necessary first to guarantee lays oneself open in the communication range of an access point；Carrying out with this access point It is mutually authenticated after exchanging with key, a shared symmetric key can be set up between access point and user, for past After communication session.If authority of law is wanted to follow the trail of the user being responsible for ad-hoc communication session, only need to transport from network Obtain group's private key at battalion business, and at customer group manager, obtain member keys and the mapping of subscriber identity information Right；Group's private key and above-mentioned mapping pair is utilized to can determine that user.

The present invention is first to support that Radio Access Network can accountability, safety, privacy and high efficiency simultaneously System.In the past system do not accomplish a bit, the privacy that can ensure system while accountability is being provided. But in the present invention, Virtual network operator has a group private key, but do not know member keys and subscriber identity information Mapping pair；And customer group manager knows the mapping pair of member keys and subscriber identity information, but do not have group private Key；Which ensure that privacy.And under the requirement of authority of law, Virtual network operator and customer group manager can Jointly providing information, to find out responsible user, this provides can accountability.The present invention supports system Update and large-scale user cancels, which ensure that the high efficiency of system.In addition, another of the present invention Feature is not dependent on any third party trusty.In the present invention, the degree of belief of each entity item Being limited, this makes system avoid the problem of managing on behalf of another and single point failure problem.

The operation principle of the present invention: the present invention propose a kind of can accountability and the Radio Access Network of secret protection Verification System.Within the system, having six stages, respectively system is set up, adds new user, is cancelled User, be mutually authenticated with key exchange and, batch signature checking, user tracking.First, at the beginning of system needs Beginningization, this is the stage that system is set up.In this stage, system completes the task of group public key distribution.System After system is successfully established, each access point divides a group's PKI.Hereafter, to add new user, then Enter and add new user's stage；To cancel user, then enter and cancel user's stage.Want to be linked to user During access point, need to carry out being mutually authenticated and key exchange with this access point, at this moment enter and be mutually authenticated and key Switching phase.And when authority of law needs to follow the trail of a specific user, system enters the user tracking stage. The present invention on the premise of being not related to a third party trusty, ensure that simultaneously system safety, Privacy, can accountability and high efficiency.Firstly, for for the purpose that control accesses, each is legal The user having effective member keys can generate an effective access certificate, and the group of such as new access request signs Name.This access certificate can be verified by each access point with group's PKI.Therefore, access safety to be protected Card.Second, the present invention protects the mapping pair between member keys and subscriber identity information and group's private key respectively Exist in two autonomous entity items: customer group manager and Virtual network operator.Wherein Virtual network operator has Group's private key, but do not know the mapping pair between member keys and subscriber identity information.And customer group manager knows Road mapping pair, does not but know group private key.It is assumed herein that group manager will not gang up with Virtual network operator. This hypothesis is rational, because customer group manager and Virtual network operator are substantially from different groups, and The conflict of interest is even had between them.Which results in customer group manager and can not determine spy with network operation commercial city The identity information determining user can not utilize the access authentication of user to invade the privacy of user.Therefore, system Privacy be guaranteed.3rd, under the gerentocratic common help of Virtual network operator and customer group, have And only authority of law can track the corresponding network user according to arbitrary communication linkage.Therefore, sending out When raw service dispute or swindle, authority of law can determine accurately needs responsible user, and pursues its duty Appoint.So, user's accountability also is able to realize.Meanwhile, whole cipher key management procedures can be set up in system Time complete, therefore this During Process of Long-term Operation of system behind will not bring the expense of any calculating and communication. Finally, different short group signature schemes is developed by amendment key schedule.Thereafter, novel group is signed Name is integrated in the certification of the present invention and the design of IKMP.In addition, based on novel group ranking, Propose novel batch signature verification method.In order to cancel a user being broken, have employed Verifier-Local Revocation(local verification is revoked) method.This method is to sign based on novel group Name conceptual design.In addition, in order to the renewal and large-scale user supporting system is cancelled, some are attached The mechanism added also has been incorporated in the present invention.Therefore, the high efficiency of system is guaranteed.

The present invention has such advantages as relative to prior art and effect:

1, the present invention does not relies on any third party trusty, and the degree of belief of each entity item is limited , this avoids the problem of managing on behalf of another and single point failure problem.

2, the present invention is especially suitable for Radio Access Network, it is based on responsibility separation principle and attainable batch The integration of the new group ranking algorithm of signature verification.

3, the present invention sets up with key by realizing clear and definite being mutually authenticated between user and access point, it is ensured that The safety of system.

4, the present invention is by the anonymous authentication realized between user and access point in one direction, it is ensured that user's Anonymity and Unlinkability.

5, the present invention is providing and can not lose privacy while accountability.Because it is private that Virtual network operator has group Key, but do not know mapping pair, and customer group manager knows mapping pair, but there is no group private key, this ensures Privacy.And under the needs of authority of law, Virtual network operator and customer group manager can provide letter jointly Breath, to find out responsible user, which ensure that can accountability.

6, the present invention by use Verifier-Local Revocation(local verification revoke) method with Some additional mechanisms, support that the renewal of system and large-scale user cancel, it is ensured that the high efficiency of system.

7, the present invention allows dynamically adding and the Dynamic Revocation being broken user of new user.The present invention is first Support that Radio Access Network can accountability, safety, privacy and the system of high efficiency simultaneously.

Accompanying drawing explanation

Fig. 1 is the flow chart of the present invention

Fig. 2 is trust and the key management model schematic diagram of the present invention.

Detailed description of the invention

Below in conjunction with embodiment and accompanying drawing, the present invention is described in further detail, but the embodiment party of the present invention Formula is not limited to this.

Embodiment

Existing wireless access Verification System relates to tripartite: a wireless roaming user U, an access points AP and Virtual network operator NO.A number of AP is deployed in the different location of coverage, whole to cover Region, and provide network service to the network user.User can access anywhere by their mobile device This network.

Fig. 2 is the Radio Access Network Verification System of the present invention, the key management in the Verification System of the present invention Model relates to four typical network entities altogether: in Virtual network operator, access point, customer group manager and group User.In the present invention, user also registers not directly to Virtual network operator, but is managed by customer group Person represents its users inside the group all to Virtual network operator subscription service.Virtual network operator generates group's private key and part Group's PKI, but group's private key is maintained secrecy.When receiving a gerentocratic registration request of group, network is transported The chamber of commerce of battalion is distributed to this customer group manager partial group PKI.Then, group manager generates group PKI also It is returned to Virtual network operator.Finally, Virtual network operator is sent to each access point group's PKI.To Access network, each user needs to ask its member keys and group's PKI to its crowd of managers.

This key managing project has several prominent feature.For purpose firstly, for control access, The user of what each was legal have effective member keys can generate an effective access certificate, newly connects Enter the group ranking of request.This access certificate can be verified by each access point with group's PKI.Therefore, connect Enter safety to be guaranteed.Second, the present invention is group's private key and member keys and the mapping pair of subscriber identity information It is saved in respectively in two autonomous entity items: group manager and Virtual network operator.Wherein Virtual network operator is gathered around There is group private key, but do not know mapping pair.And group manager knows mapping pair, but do not know group private key.At this In, it is assumed that group reason person will not gang up with Virtual network operator.This hypothesis is rational, because customer group management Person and Virtual network operator are substantially from different groups, and even have the conflict of interest between them.Which results in Customer group manager and network operation commercial city can not determine that the identity information of specific user can not utilize user's Access authentication invades the privacy of user.Therefore, the privacy of user is strengthened.

Finally, under the gerentocratic common help of Virtual network operator and customer group, have and only authority of law can To track the corresponding network user according to arbitrary communication linkage.Therefore, there is service dispute or swindle Time, authority of law can determine accurately needs responsible user, and pursues its responsibility.So, Yong Huwen Duty also is able to realize.Meanwhile, whole cipher key management procedures can complete when system is set up, and therefore this is not The expense of any calculating and communication can be brought behind.

The present invention develops new short group ranking (short group by amendment key schedule Signature) scheme.Thereafter, novel group ranking is integrated into the certification of the present invention and IKMP In design.In addition, in order to realize high efficiency, based on novel group ranking, it is proposed that novel batch label Name verification method.In order to cancel a user being broken, have employed Verifier-Local Revocation (local verification is revoked) method.This method designs based on novel group signature scheme.In addition, Renewal and large-scale user in order to support system are cancelled, and some additional mechanism have also been incorporated into this In bright.

The present invention was made up of the following six stage: system is set up, adds new user, cancelled user, is mutually authenticated With key exchange, batch signature checking and user tracking.At system establishment stage, Virtual network operator and each Customer group manager each generating unit is hived off PKI.Group's PKI is assigned to each access point.System is having newly Enter when user enters group and add new user's stage, and enter when one or more users are revoked and cancel user rank Section.Being mutually authenticated and cipher key exchange phase, as a user wants to be linked to an access point, he/her needs And it is mutually authenticated between access point, then sets up a shared symmetric key.At batch signature Qualify Phase, Access point can be verified request that many receives simultaneously rather than process each request individually.Chase after user Track stage, Virtual network operator and customer group manager help authority of law tracking one to be responsible for particular network link User.

As shown in Figure 1, it is achieved six stage tools of the authentication method of the Radio Access Network Verification System of the present invention Body is as follows:

A. system establishment stage

What Virtual network operator was responsible for is group's private key and the generation operation of partial group PKI of all customer groups.Net The detailed process that network operator processes is as follows:

1. select one to be randomly generated unit g₂∈G₂, and calculate g₁=ψ(g₂)。

2. randomly selects₁,s₂∈Z_pAnd u, v ∈ G is set₁,s₁u=s₂V=η, can obtain u=s₁ ^(-1)η,v=s₂ ^(-1)η.Wherein s₁ ^(-1)It is s₁Inverse, s₂ ^(-1)It is s₂Inverse.

3. by group private key gsk=(s₁,s₂) secrecy.

4. randomly chooseAnd h is set₁,h₂∈G₂,h₁=s₁·h₀,h₂=s₂·h₀。

5. Virtual network operator once receives group identity is grp_iGroup manager GM_jRegistration information, network Operator need to be to group manager GM_jIt is authenticated.This certification based on well-established group manager with Trusting relationship between Virtual network operator.This trusting relationship is probably the foundation when I contacts. Then Virtual network operator randomly chooses j ∈ Z_pGroup as this customer group indexes and stores pairing (j,grp_j).Next Virtual network operator sends information (j, g to group manager₁,g₂, η, u, v), wherein (g₁,g₂, η, u, v) it is partial group PKI.In the present invention, Virtual network operator uses a safe transmission association View (such as wired Transport Layer Security) and group manager GM_jCommunicate.Imagination strong Diffie-Hellman (SDH) is at (G₁,G₂It is to maintain on), and linear Diffie-Hellman At G₁On be to maintain.

In order to improve the efficiency of proposed system, Virtual network operator is distributed to systematic parameter h of each group₀And portion Hive off PKI (g₁,g₂, η) and it is the same.In order to realize non-repudiation, in above-mentioned 5th step, network is transported Seek business under standard digital signature scheme to information (j, g₁,g₂, η, u, v) signature.Relevant digital signature scheme There is RSA and ECDSA.After it should be noted that crowd manager registers at Virtual network operator, network Operator can send its PKI to group manager.Therefore, there is no need to Public Key Infrastructure (PKI).Assume this Bright employ ECDSA-160.The digital signature public private key-pair of this Virtual network operator is defined as (OPK,OSK)。

Each crowd of manager GM_jReceiving (j, g₁,g₂, η, u, v) after, will generate group PKI in accordance with the following steps:

1. randomly choose a digital gamma ∈ Z_p, and w is set_j=γg₂。

2. return information (j, gpk_j) give Virtual network operator, its group of PKIs are gpk_j=(g₁,g₂,η,u,v,w_j).It is similar to, In order to realize non-repudiation, group manager according to ECDSA-160 to information (j, gpk_j) carry out numeral label Name.

Virtual network operator is upon receipt of (j, gpk_jAfter), j and w will be stored in his/her local record_jIt Between pairing.Finally, Virtual network operator is by { g₁,g₂,η,u,v,h₀,h₁,h₂And map (j, w_j) it is sent to each connecing Access point.In addition, Virtual network operator (is designated as AP to each access point_k) give a public/private key pair Right, it is expressed as (PPK_k,PSK_k).Each access point also obtains subsidiary being signed by Virtual network operator numeral The public key certificate of name, for the verity of verification key.The certificate of one simple form is by following sections Composition: Cert_k={AP_k,PPK_k,ExpT,SIG_OSK{h(AP_k||PPK_k||ExpT)}}.Wherein h (.) represents Hash letter Number operation, if SHA-1, ExpT are certificate expiry time, SIG_OSK{h(AP_k||PPK_k| | ExpT) } it is network Operator with its private key OSK at h (AP_k||PPK_k| | ExpT) go up digital signature and generate.

B. new user's stage is added

Before accessing to a network, a network user must I be authenticated to group manager contact.To often One identity is grp_jCustomer group, an identity is UID_iUser i be endowed as follows one with The member keys of machine and group's PKI:

1. crowd manager GM_jRandomly choose x_i∈Z_p, and calculate with γGM_jAt his/her record Middle storage is to (A_i,UID_i)。

2. crowd manager GM_jTransmitted to user i by a secure transfer protocol (such as wired Transport Layer Security) Information (j, gpk_j,msk[i]).Now the member keys of user i is msk [i]=(A_i,x_i)。

It should be noted that in the environment of above two steps:

● group manager GM_jOnly retain member keys and the mapping (A of subscriber identity information_i,UID_i), and do not retain group Private key gsk.

● Virtual network operator only knows that crowd private key gsk does not knows to map (A_i,UID_i)。

The most only Virtual network operator knows mapping (j, grp_j).Certainly, each user and each crowd of managers can only Calculate his/her group's index and the mapping of group's identity.

C. user's stage is cancelled

Customer group manager GM_jOnce find some users 1 ..., r} is broken, these will be broken use Family is considered as the user that need to cancel, and cancelling the list URL of user_J={A₁,...A_rIt is sent to network operation Business.Then, Virtual network operator is at URL_JUpper digital signature is also broadcasted to each access point.

D. it is mutually authenticated and cipher key exchange phase

One network user i, to access network, needs at an access point AP_kDirect communications range in, And follow the steps below be mutually authenticated and key exchange:

1. access point AP_kSelect a random number r_P∈Z_pAnd generate r_P·g₁.Next AP_kAccording to ECDSA-160 To r_P·g₁And timestamp ts₁It is digitally signed.Then, AP_kBroadcast following message as periodically The beacon message that declaration its service in ground exists:

r_P·g₁,ts₁,SIG_PSK{r_P·g₁||ts₁},Cert_k (M1)

2. user i once receives (M1), will perform to operate as follows:

A. review time stamp ts₁Effectiveness to prevent Replay Attack.Cert is checked with OPK_kCarry out verification public key Reliability and AP_kCertificate expiry time.Then PPK is passed through_kChecking SIG_PSK{r_P·g₁||ts₁}。 And if only if, and they are all effective, just can perform next step.

B. a random number r is selected_U∈Z_pThe identity another name alias interim with one, then calculates r_U·g₁。

C. in information M, generate group ranking σ.Now M={alias, j, r_P·g₁,r_U·g₁,ts₂}.To grouping PKI gpk_j=(g₁,g₂,η,u,v,w_j), member keys msk [i]=(A_i,x_i), and information M, group ranking σ can Calculate according to following steps:

Randomly choose α, β ∈ Z_p。

Calculate A_iEncryption and (T₁,T₂,T₃), wherein:

T₁=αu,T₂=βv,T₃=A_i+(α+β)η (1)

δ=α x is set_i,μ=βx_i。

Randomly select blind value r_α,r_β,r_x,r_δ,r_μ∈Z_p.Arrange

$R_1=r_{a}u,R_2=r_{\mathrm{\β}}v,R_3=\hat{e}{(T_3,g_2)}^{r_x}\hat{e}(\mathrm{\η},(-r_a-r_{\mathrm{\β}})w_j+(-r_{\mathrm{\δ}}-r_{\mathrm{\μ}})g_2),R_4=r_x{T}_1-r_{\mathrm{\δ}}u,R_5=r_x{T}_2-r_{\mathrm{\μ}}v$

It is calculated c by above value and M:

c=H(M,T₁,T₂,T₃,R₁,R₂,R₃,R₄,R₅)

Wherein h (.) be one output range of results be Z_pHash function.

Arrange: s_α=r_α+cα,s_β=r_β+cβ,s_x=r_x+cx_i,s_δ=r_δ+cδ,s_μ=r_μ+cμ。

Finally, the above value obtained formation group ranking is merged:

σ=(T₁,T₂,T₃,c,s_α,s_β,s_x,s_δ,s_μ)

D. with AP_kGenerate the key shared: SK_k=r_U·(r_P·g₁)。

E. clean culture replies to AP_k

alias,j,r_P·g₁,r_U·g₁,ts₂,σ (M2)

It should be noted that the most optional AP of user i_kPKI PPK_kTo information { alias, j, r_P·g₁,r_U·g₁,ts₂} Encryption, then generates group ranking σ on encrypted information.Subsequently, user i is to AP_kClean culture has added secret letter Breath and group ranking σ rather than information (M2).It is obvious that in this case, only Virtual network operator And AP_kCan be by using AP_kPrivate key PSK_kObtain:

{alias,j,r_P·g₁,r_U·g₁,ts₂}

3. after receiving information (M2), AP_kFollow the steps below certification user i:

A. r is checked_P·g₁And ts₂Effectiveness to guarantee the freshness of (M2).

B. group PKI gpk is selected according to index j_j, then carry out group ranking verification operation.First recalculate Challenger c, then reconstructs according to following steps

Arrange

${\tilde{R}}_1=-c{T}_1+s_{\mathrm{\α}}u,{\tilde{R}}_2=-c{T}_2+s_{\mathrm{\β}}v,{\tilde{R}}_3=\hat{e}(s_x{T}_3,g_2)\hat{e}(c{T}_3,w_j)\hat{e}{(\mathrm{\η},w_j)}^{-s_{\mathrm{\α}}-s_{\mathrm{\β}}}\·\hat{e}{(\mathrm{\η},g_2)}^{-s_{\mathrm{\δ}}-s_{\mathrm{\μ}}}\hat{e}{(g_1,g_2)}^{-c}$

Arrange ${\tilde{R}}_4=s_x{T}_1-s_{\mathrm{\δ}}u,{\tilde{R}}_5=s_x{T}_2-s_{\mathrm{\μ}}v.$

And if only if, and c is equal toTime accept this information.

C. select to cancel user list URL according to index j_j, perform the most as follows to cancel inspection: Labelling A is cancelled for each_i∈URL_j, AP_kCheck A_iWhether by the (T of σ₁,T₂,T₃) coding. Check whether equation is set up:

$\hat{e}(T_3-A_i,h_0)=\hat{e}(T_1,h_1)\hat{e}(T_2,h_2)---\left(2\right)$

Because

$\hat{e}(T_3-A_i,h_0)=\hat{e}((\mathrm{\α}+\mathrm{\β})\mathrm{\η},h_0)=\hat{e}(\mathrm{\α}\·\mathrm{\η}+\mathrm{\β}\·\mathrm{\η},h_0)$

$=\hat{e}(\mathrm{\α}\·\mathrm{\η},h_0)\hat{e}(\mathrm{\β}\·\mathrm{\η},h_0)=\hat{e}(\mathrm{\α}\·s_1\·u,h_0)\hat{e}(\mathrm{\β}\·s_2\·v,h_0)$

$=\hat{e}(\mathrm{\α}\·u_1,s_1\·h_0)\hat{e}(\mathrm{\β}\·v,s_2\·h_0)=\hat{e}(T_1,h_1)\hat{e}\left(T_2{h}_2\right),$

Without coding from (T₁,T₂,T₃) URL cancel labelling, then the signer of σ is not revoked.

If all above inspections are all successful, AP_kAccess request will be considered as effectively and without authorized user Change, and make user and established a shared symmetric key SK_kConclusion.Although AP_kDo not know Road this be which user actually.It should be noted that UID_iIt is never during agreement is run Compromised or propagation.

4.AP_kUtilize (r_U·g₁,r_P) information, calculate and share symmetric key SK_k=r_P·(r_U·g₁) and send following information (M3) user i is given:

$\mathrm{alias},{\mathrm{AP}}_k,r_U\·g_1,E_{{\mathrm{SK}}_k}({\mathrm{AP}}_k,r_U\·g_1,r_P\·g_1),\left(M3\right)$

Wherein E_K(X) information X has been encrypted with symmetric key K.

5., after have received (M3), user i deciphering also verifies SK with symmetric key_k.If being (M3) effective, User i will be considered that AP_kEstablish a shared key with him/her.Otherwise, user i can refuse link. Above agreement not only make between an access point and a legitimate network user be explicitly mutually authenticated can OK, monolateral user anonymity user checking is also made to be possibly realized.Once agreement is successfully completed, access point And a shared symmetric key between user, can be set up.This key can be used for communication meeting backward Words.This session is by (alias, AP_k,r_U·g₁) uniquely identified.

The computing cost of one access point digital signature of checking is mainly by 13 scalar multiplication (scalar Multiplications, lower with) and 5 pairings (pairing, lower together) operate and cause.Obviously, wherein The computing cost of matching operation is far above the expense of scalar multiplication operation.

E. batch signature Qualify Phase

Calculate R₃It it is the part expending most resource in proof procedure.Because each R₃All it is hashed in checking equation If the most not contemplating and being relatively difficult to see this and can be batch processing.Arrange σ=(T₁,T₂,T₃,R₃,c,s_α,s_β,s_x,s_δ,s_μ).It is to say, R₃A part as σ is transmitted.Build in system In the vertical stage, NO selects a random number ε ∈ Z_p, and ε (as a part for group's PKI) is transferred to each Individual group manager and each AP.Arrange

$c={\mathrm{\ϵ}}^{H(M,T_1,T_2,T_3,R_1,R_2,R_3,R_4,R_5)}\mathrm{mod}p$

Here < M¹,σ¹>,<M²,σ²>,...,<Mⁿ,σⁿ> represent n the different user coming from same customer group respectively U₁,U₂,...,U_nThe access request information being labeled as.AP_kCheck whether below equation is set up:If this equation is set up, then AP_kCheck below equation Whether set up:Therefore, check for current, AP_kOnly need to check whether below equation is set up: $\underset{i=1}{\overset{n}{\mathrm{\&Pi;}}}{R}_3^i=\hat{e}({\mathrm{\&Sigma;}}_{i=1}^n(s_x^i{T}_3^i-c^i{g}_1-(s_{\mathrm{\&delta;}}^i+s_{\mathrm{\&mu;}}^i)\mathrm{\&eta;}),g_2)\hat{e}({\mathrm{\&Sigma;}}_{i=1}^n{c}^i{T}_3^i-(s_{\mathrm{\&alpha;}}^i+s_{\mathrm{\&beta;}}^i)\mathrm{\&eta;}),w_j).$

More than criticizing checking equation is to set up, and reason is:

$\underset{i=1}{\overset{n}{\mathrm{\&Pi;}}}{\tilde{R}}_3^i=\underset{i=1}{\overset{n}{\mathrm{\&Pi;}}}\hat{e}(s_x^i{T}_3^i,g_2)\hat{e}(c^i{T}_3^i,w_j)\&CenterDot;\hat{e}((-s_{\mathrm{\&alpha;}}^i-s_{\mathrm{\&beta;}}^i)\mathrm{\&eta;},w_j)\hat{e}((-s_{\mathrm{\&delta;}}^i-s_{\mathrm{\&mu;}}^i)\mathrm{\&eta;},g_2)\hat{e}((-c^i)g_1,g_2)$

$=\hat{e}(\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{s}_x^i{T}_3^i,g_2)\hat{e}(\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{c}^i{T}_3^i,w_j)\&CenterDot;\hat{e}(\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}(-s_{\mathrm{\&alpha;}}^i-s_{\mathrm{\&beta;}}^i)\mathrm{\&eta;},w_j)\hat{e}(\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}(-s_{\mathrm{\&delta;}}^i-s_{\mathrm{\&mu;}}^i)\mathrm{\&eta;},g_2)\hat{e}(\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}(-c^i)g_1,g_2)$

$=\hat{e}\left(\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}\right(s_x^i{T}_3^i-c^i{g}_1-(s_{\mathrm{\&delta;}}^i+s_{\mathrm{\&mu;}}^i)\mathrm{\&eta;},g_2)\hat{e}(\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}(c^i{T}_3^i-(s_{\mathrm{\&alpha;}}^i+s_{\mathrm{\&beta;}}^i)\mathrm{\&eta;}),w_j).$

All signature sigma¹,σ²,...,σⁿWhen two above that and if only if checks all correct just effectively.Test in above-mentioned criticizing In card equation, verify that n the calculation consumption signed is essentially from 2 pairings and 13n scalar multiplication operation. Thus this dramatically reduces checking and sign the time consumed in a large number, decrease simultaneously and tested by AP signature Demonstrate,prove the disconnecting rate that this potential bottleneck problem is caused.Should be noted that proposed method inherits All security features of short group ranking (SGS) technology, additionally, the method also supports batch checking.

If batch checking returns a negative value, it will use " dividing and rule " method of a recurrence.Namely Say, simply set is divided into two equal portions, then these two equal portions is verified the most again.When this process At the end of, AP exports the index of each invalid signature.It is contemplated herein, that: the probability that invalid bag occurs is the least 's.

F. the user tracking stage

When authority of law wants to follow the trail of the user being responsible for ad-hoc communication session, following step will be carried out:

1. Virtual network operator is based on link and session identification, finds corresponding session authentication to believe from network log file Breath (M2).

2. Virtual network operator is first three element (T of group ranking σ₁,T₂,T₃) it is considered as a linear encryption, and use group's private key (s₁,s₂) obtain the A of user_i, as shown in equation (3).Then Virtual network operator is reported to authority of law (A_i,j)。

A_i=T₃-(s₁·T₁+s₂·T₂) (3)

Because:

T₃-(s₁·T₁+s₂·T₂)=A_i+(α+β)η-(s₁·T₁+s₂·T₂)

=A_i+α·η+β·η-s₁·α·u-s₂·β·v=A_i

Authority of law is to customer group manager GM_jSend A_i。GM_jRecord (A can be checked_i,UID_i) find correspondence Identity UID_i, then UID_iReply to authority of law.In this step, only authority of law can be by network Operator and the gerentocratic help of customer group, confirm the user need to being responsible for ad-hoc communication session in examination.

Relevant technical term is as follows:

g₂Represent G₂Stochastic generation unit；

G₁Represent circled addition group 1；

G₂Represent circled addition group 2；

G_TRepresent and G₁And G₂Have the circulation multiplicative group of same Prime Orders；

ψ represents from G₂To G₁Isomorphism map；

Gsk represents group private key；

grp_iRepresent the identity of group manager i；

GM_jRepresent group manager j；

Z_pRepresent less than or be equal to the integer field of p；

(OPK, OSK) represents the public private key-pair that Virtual network operator digital signature uses；

(PPK_k,PSK_k) represent that Virtual network operator gives the public private key-pair of each access point；

UID_iRepresent the identity of user i；

Msk [i] represents the member keys of member i；

Represent computable bilinear map G₁×G₂→G_T。

Above-described embodiment is the present invention preferably embodiment, but embodiments of the present invention are not by above-mentioned reality Execute the restriction of example, the change made under other any spirit without departing from the present invention and principle, modification, Substitute, combine, simplify, all should be the substitute mode of equivalence, within being included in protection scope of the present invention.

Claims (3)

1. one kind can accountability and the Radio Access Network authentication method of secret protection, it is characterised in that include with Lower step:

Step 1, customer group manager register at Virtual network operator, and Virtual network operator generates group's private key and portion Hive off PKI, and partial group PKI is issued customer group manager；Customer group manager is according to partial group PKI Issuing Virtual network operator after generating group's PKI and group's PKI, Virtual network operator is receiving at customer group manager The group's public key broadcasts arrived is to access point；

Step 2, user and customer group manager contact to be authenticated, and customer group manager will be sent to use In member keys and group's PKI of access network, now user is successfully joined customer group, becomes user in group；

If step 3 finds that user is broken, then customer group manager will be broken user these and be considered as removing The user of pin, and the list list cancelling user is sent to Virtual network operator, Virtual network operator is by described name Singly it is broadcast to access point, described in cancelling, is broken user；

Step 4, access point communication range in user and described access point carry out being mutually authenticated and key exchange After, set up the symmetric key shared, described symmetric key is used for communication session, and now user is successfully accessed nothing Gauze network；

Step 5, having two or more signatures at access point when needing certification, these are signed by access point Carry out batch signature checking；

If step 6 authority of law needs to follow the trail of the user being responsible for ad-hoc communication session, only need to be from network operation Obtain group's private key at business, and at customer group manager, obtain the member to the user that ad-hoc communication session is responsible for Key and the mapping pair of subscriber identity information, utilize group's private key of described acquisition to determine specific with mapping pair The user that communication session is responsible for；

Described step 4 comprises the following steps:

1. access point periodically broadcasts the beacon message with this access point digital signature, connects described in representing Access point is in service state；

2. after user receives described beacon message, according to the described beacon message proving time stamp effectiveness, connect The certificate expiry time of access point and the verity of the PKI of access point；If the effectiveness of timestamp, access point Certificate expiry time or any one of verity of PKI not verified, then user refuses link and receives letter Access point corresponding to mark information；If the certificate expiry time of the effectiveness of timestamp, access point and access The verity of the PKI of point is all by checking, then user generates solicited message, and utilizes the member of oneself close Key carries out group ranking to it, and clean culture replies to access point；

3., after access point receives the solicited message that step that user sends is 2. described, the freshness of information is first checked, Reexamine whether this user is present in the list list cancelling user；If existing, then refuse link；Otherwise, It is calculated the symmetric key shared with user and sends response message to user；

4. user receive step 3. described in the information sent of access point after, verify whether this information has Effect, if information is invalid, then refuses link；Otherwise, establish the link.

The most according to claim 1 can accountability and the Radio Access Network authentication method of secret protection, its Being characterised by, described step 6 comprises the following steps:

A, authority of law require that Virtual network operator follows the trail of, with customer group manager, the use being responsible for ad-hoc communication session Family；

B, Virtual network operator, based on network linking and session identification, find corresponding meeting from network log file Words authentication information；

First three element of digital signature in session authentication information described in step B is entered by C, Virtual network operator Line linearity is encrypted, and obtains the member keys of this user with group's private key；Hereafter, net operation business is obtaining The member keys of this user report to authority of law；

D, authority of law send the member keys obtained at Virtual network operator to customer group manager；

E, customer group manager are according to the member keys obtained at authority of law, close the member of oneself storage The mapping pair of key and subscriber identity information is searched, and the subscriber identity information found is replied to authority of law.

3. one kind realize described in claim 1 can the Radio Access Network authentication method of accountability and secret protection Verification System, it is characterised in that including: use in Virtual network operator, access point, customer group manager, group Family and authority of law；Described Virtual network operator hives off PKI from customer group pipe to customer group manager's sending part Reason person locates to receive group's PKI, and Virtual network operator also broadcasts group's PKI to access point；Access point enters with user in group Row is mutually authenticated and exchanges with key, and in group, user also obtains the one-tenth for access network at customer group manager Member's key and group's PKI；Authority of law obtains group private key at Virtual network operator, and at customer group manager Obtain member keys and the mapping pair of subscriber identity information.