CN105530253B - Wireless sensor network access authentication method under Restful framework based on CA certificate - Google Patents

Wireless sensor network access authentication method under Restful framework based on CA certificate Download PDF

Info

Publication number
CN105530253B
CN105530253B CN201510947803.2A CN201510947803A CN105530253B CN 105530253 B CN105530253 B CN 105530253B CN 201510947803 A CN201510947803 A CN 201510947803A CN 105530253 B CN105530253 B CN 105530253B
Authority
CN
China
Prior art keywords
web server
certificate
public key
data
random number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510947803.2A
Other languages
Chinese (zh)
Other versions
CN105530253A (en
Inventor
韩志杰
贾培艳
吕新宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Henan University
Original Assignee
Henan University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Henan University filed Critical Henan University
Priority to CN201510947803.2A priority Critical patent/CN105530253B/en
Publication of CN105530253A publication Critical patent/CN105530253A/en
Application granted granted Critical
Publication of CN105530253B publication Critical patent/CN105530253B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Wireless sensor network access authentication method under the invention discloses a kind of Restful framework based on CA certificate, sensor node and aggregation node are organized themselves into as network, aggregation node is connected to the Web server based on Restful framework, certification between client and Web server, certification, sensor node between aggregation node and Web server and the certification between aggregation node and the certification between client and aggregation node are based on CA certificate completion, and user accesses the data that Web server obtains wireless sensor node by client.The present invention can effectively prevent destruction of the malicious attacker to data, protect the safety of data in wireless sensor network.

Description

Wireless sensor network access authentication under Restful framework based on CA certificate Method
Technical field
The present invention relates under technical field of the computer network more particularly to a kind of Restful framework based on CA certificate Wireless sensor network access authentication method.
Background technique
Wireless sensor network (Wireless Sensor Networks, WSN) be by one group of microsensor node with The wireless network that Ad hoc mode is constituted, the purpose is to collaboratively perceive, acquire and handle in the covering geographic area of network to perceive The information of object, and it is distributed to observer.Each sensor in wireless sensor network has one or more nodes, sensing Device node is usually a miniature embedded system.Each node monitors oneself sensing range object, and monitoring is specific Behavior acquires data using node, by collected data transmission to nearest aggregation node, subsequently enters the convergence stage, It is analyzed and is handled from close to the collected data of node institute, then result is sent to base station as needed, base station will most Termination fruit sends observer to.
Since sensor network configuration surroundings are generally relatively severe, the fragility of wireless network inherently in addition, thus It is highly prone to various attacks.For the safety transmitting for guaranteeing information, a kind of mechanism is needed to verify communication parties identity Legitimacy.In traditional cable network, Public Key Infrastructure efficiently solves this problem, it passes through to digital certificate Use and manage, to provide comprehensive public key encryption and digital signature service.By Public Key Infrastructure, can by public key with The identity binding of lawful owner gets up, to establish and safeguard a believable network environment.However, asymmetry sampling Very high calculating, communication and storage overhead are needed, which dictates that using digital signature and public key on resource-constrained sensor Certificate mechanism is infeasible.For the safety transmitting for guaranteeing information, a kind of mechanism is needed to verify the conjunction of communication parties identity Method, it is necessary to establish and a set of comprehensively consider safety, efficiency and performance and carry out reasonable sensor network identity authentication scheme.
Summary of the invention
Wireless sensor network access under the object of the present invention is to provide a kind of Restful framework based on CA certificate is recognized Card method effectively prevent destruction of the malicious attacker to data, protects the safety of data in wireless sensor network.
A kind of the technical solution adopted by the present invention are as follows: the wireless sensor network under the Restful framework based on CA certificate Sensor node and aggregation node are organized themselves into as network, aggregation node are connected to based on Restful by access authentication method The Web server of framework, the certification between client and Web server, certification, biography between aggregation node and Web server The certification between certification and client and aggregation node between sensor node and aggregation node is based on CA certificate completion, uses Family accesses the data that Web server obtains wireless sensor node by client.
It further include the certification based on token between third party application and Web server.
In verification process, the side of being certified holds the first CA certificate, the first public key and the first private key, and authenticating party holds the 2nd CA Certificate, the second public key and the second private key, verification process include the following steps:
A is certified direction authenticating party and sends access request, and receives the first random number and the 2nd CA card of authenticating party return Book;
The CA public key that the side of being certified B is saved with itself verifies the second CA certificate received, if being verified, C is entered step, D is otherwise entered step;
The side of being certified C obtains the second public key of the carrying in the second CA certificate, using the first private key itself saved to the One random number is encrypted, and is encrypted again using the second public key obtained to the first random number after the first private key encryption;
The side of being certified D determines that authenticating party is illegal identity, refuses to send data information to authenticating party;
The side of being certified E carries the first public key in the first CA certificate that itself is saved, using obtaining the second public key to the One CA certificate is encrypted, and by encrypted first CA certificate, and the first random number after re-encrypting is sent to authenticating party;
The second private key that F authenticating party uses itself to save decrypts encrypted first CA certificate received, obtains First CA certificate, and the first CA certificate of acquisition is verified according to the CA public key that itself is saved, if being verified, enter Step G, otherwise enters step H;
G authenticating party obtains the first public key for carrying in the first CA certificate, using the second private key that itself is saved, to again plus The first random number after close is decrypted, and is decrypted again using the first public key to the first random number after decryption;
When H authenticating party determines that decrypted result is identical as the first random number that itself sends, it is logical that confirmation is returned to the side of being certified Know and encrypted second random number;
The side of being certified I obtains the second random number, and using the second random number as session key.
In verification process, the side of being certified generates and saves the first public key and the first private using error checking correct algorithm Key, authenticating party are generated using error checking correct algorithm and are saved the second public key and the second private key.
Verification process between aggregation node and Web server further includes the certification to the ID of aggregation node, specifically:
The side of being certified encrypts the ID of itself using the first public key obtained, and is sent to authenticating party;
ID after the first private key pair encryption that authenticating party is saved using itself is decrypted, and obtains the ID for the side of being certified, and Whether the ID for verifying the side of being certified is legal.
Certification between third party application and Web server uses the token authentication based on restful framework, certification Process is divided into two kinds of situations:
Situation one: user carries out identity registration after completing authentication with Web server, to sensing data when registration Operating rights authorized, show possessed sensor data be only personal visible, all visible or certain people as it can be seen that Certification between third party application and Web server at this time, comprising the following steps:
A1, third party application issue access request of data to Web server, enter step B1;
B1, Web server decide whether that generating interim token returns to third party application, if not allowing, refuses Access;If allowing, C1 is entered step;
C1, Web server send interim token to third party application, enter step D1;
D1, third party application receive interim token, and send the data for carrying interim token again to Web server Access request enters step E1;
E1, Web server parse interim token after receiving data access request, judge whether interim token loses Effect, if not failing, returns to the data that third party application wants access to;If failure, regenerates interim token and returns Back to third party application, third party application sends data access request using new interim token;
Situation two: user carries out identity registration after completing authentication with Web server, to the biography possessed when registration The operating rights of sensor data do not carry out authorization or third party application and be not authorization can square, third-party application journey at this time Authenticating step between sequence and Web server has:
A2, third party application issue access request of data to Web server, enter step B2;
Whether B2, Web server requry the users allows to access data, if not allowing, denied access;If allowing, Enter step C2;
C2, user give Web server authorization, and Web server sends interim token to third party application, enter Step D2;
D2, third party application receive interim token, and send the data for carrying interim token again to Web server Access request enters step E2;
E2, Web server parse interim token after receiving data access request, judge whether interim token loses Effect, if not failing, returns to the data that third party application wants access to;If failure, enters step B2;
Wireless sensor network access authentication method under Restful framework based on CA certificate, it is characterised in that:
In step C1 and step C2, returned to inside Web server with the Element generation of current time one interim token Third party application;
In step E1 and step E2, interim token is parsed, the generation time of interim token is reduced into, to judge Whether interim token fails.
The present invention organizes themselves into sensor node and aggregation node for network, and aggregation node is connected to and is based on The Web server of Restful framework, the certification between client and Web server, between aggregation node and Web server The certification between certification and client and aggregation node between certification, sensor node and aggregation node is based on CA certificate It completes, user accesses the data that Web server obtains wireless sensor node by client.The present invention can effectively prevent malice The safety of data in wireless sensor network is protected in destruction of the attacker to data.
Detailed description of the invention
Fig. 1 is that the present invention is based on the wireless sensor network topology figures of Restful framework;
Fig. 2 is authentication topological diagram of the invention;
Fig. 3 is the identifying procedure figure of the authenticating party and the side of being certified in the present invention based on CA certificate;
Fig. 4 is the identifying procedure figure in the present invention between aggregation node and Web server;
Fig. 5 is the authentication process figure between third party application and Web server in the present invention.
Specific embodiment
Wireless sensor network access authentication method under Restful framework of the present invention based on CA certificate, will Sensor node sensor and aggregation node sink node organizes themselves into as network, and aggregation node sink node is connected to base Certification, aggregation node sink node between the Web server of Restful framework, client user and Web server with Certification and client between certification, sensor node sensor between Web server and aggregation node sink node Certification between user and aggregation node sink node is based on CA certificate completion, client user, Web server, convergence section Point sink node and sensor node sensor all has the CA certificate that CA certificate center is issued;Third party application and Web Certification between server, using the token authentication based on restful framework;User accesses Web service by client user The data of device acquisition wireless sensor node
REST full name is Representational State Transfer, i.e., declarative state transfer refers to one group Framework constraint condition and principle, if as soon as framework meets the constraint condition and principle of REST, it is called Restful framework. HTTP is unique example relevant to REST at present.
Restful framework follows stateless communication principle.Stateless communication principle refers to client user and Web service Device interaction during each time request between be stateless.REST claimed condition otherwise be placed into resource status or by It is stored on client user, i.e., Web server is not able to maintain any client communicated with other than single request The communications status of user.Such communications status makes the available space of Web server have scalability, if Web server It needs to keep client user state, then the memory that a large amount of client user interaction can seriously affect Web server is available Space (footprint).To realize stateless communication, the certification request based on Restful framework should be independent of cookie Or session, and each request should carry certain type of Service Ticket.
CA certificate include the information of E-VISA organ, public key user information, public key, private key, authoritative institution signature and Validity period etc..The true and false for identifying CA certificate need to verify the signature on CA certificate with CA public key, be verified, CA card Book is regarded as effectively.Currently, the format and verification method of certificate generally follow X.509 international standard.
Fig. 1 is the wireless sensor network topology figure based on Restful framework, an aggregation node sink node connection For collecting measurement data, aggregation node sink node is mainly born by several sensor node sensor, sensor node sensor Duty manipulation sensor node sensor collects data, receives the data of all the sensors node sensor and connect with outer net, Gateway node can be regarded as.One Web server can access a large amount of aggregation node sink node, and Web server is used to store convergence The measurement data that node sink node is sent, user can log in Web server by the client user of webpage, pass through Browser sends data operation request and dominates node completion task or check the collection data saved in Web server.If with Family possesses private aggregation node sink node, then client user can directly be established with aggregation node sink node connection without It needs that data are checked or manipulated by Web server.
Fig. 2 is authentication topological diagram of the invention, in entire Verification System, client user, Web server, remittance The CA certificate that there is CA certificate center to issue by poly- node sink node and sensor node sensor, and four all save There is the CA public key of verifying CA certificate.Token authentication is carried out between third party application and Web server.
It is unified the certification between client user and Web server, aggregation node sink node in identifying procedure Certification between Web server, certification and client between sensor node sensor and aggregation node sink node The former in certification between user and aggregation node sink node is known as the side of being certified, and the latter is known as authenticating party, the side of being certified Hold the first CA certificate, the first public key and the first private key, authenticating party holds the second CA certificate, the second public key and the second private key, by The data of first public key encryption can only be decrypted by the first private key, by the first private key encryption data can only by the first public key into Row decryption, similarly, can only be decrypted by the data of the second public key encryption by the second private key, by the data of the second private key encryption It can be decrypted by the second public key, therefore, even if the data packet in the side of being certified and authenticating party verification process is intercepted, the illegal It threatens due to there is no key that cannot obtain critical data, thus not can be carried out identity to pretend to be to data.
In the present embodiment, since aggregation node sink node and the computing capability of sensor node sensor are limited, no The biggish algorithm of computational complexity can be effectively supported, for example, public key encryption RSA Algorithm, is authenticated when using RSA Algorithm When, very long authenticated time can be consumed, thus the communication efficiency between reducing communication network.Therefore in order to improve between communication network Communication efficiency, sensor node sensor, aggregation node sink node, Web server and client user in the verification process (Error Correcting Code, ECC) algorithm is corrected using error checking and generates and save the first public key, the first private key, the Two public keys and the second private key, corresponding algorithms for encryption and decryption are also to be encrypted and decrypted according to ECC algorithm.
Fig. 3 is the certification between client user and Web server in the present invention, aggregation node sink node and Web Certification between server, certification and client user between sensor node sensor and aggregation node sink node With the certification between aggregation node sink node, verification process includes the following steps:
S101, it is certified direction authenticating party transmission access request, and receives the first random number and second of authenticating party return CA certificate;
In the present embodiment, when the side of being certified is communicated with authenticating party, first access request, authenticating party to be sent to authenticating party After receiving the access request, the first random number is generated, and return to the first random number to the side of being certified.In order to further increase by The safety for the data information that authenticating party is sent, authenticating party will also return to the second CA certificate of itself preservation to the side of being certified.
The CA public key that S102, the side of being certified are saved with itself verifies the second CA certificate received, if verifying is logical It crosses, enters step S103, otherwise enter step S104;
In the present embodiment, the side of being certified can according to itself save CA public key, to the second CA certificate received into Row verifying, i.e., verify authenticating party.
S103, the side of being certified obtain the second public key of the carrying in the second CA certificate, the first private key saved using itself First random number is encrypted, and the first random number after the first private key encryption is added again using the second public key obtained It is close;
When being verified, that is, when determining that authenticating party is legal, it is public that the side of being certified obtains second carried in the second CA certificate Key, the first private key saved using itself encrypt first random number, and using the second public key to encrypted first Random number is encrypted again.
S104, the side of being certified determine that authenticating party is illegal identity, refuse to send data information to authenticating party;
Obstructed out-of-date when verifying, that is, when determining that the side of being certified is illegal, the side of being certified refuses to send data information to authenticating party.
S105, the side of being certified carry the first public key in the first CA certificate that itself is saved, public using the second of acquisition Key encrypts the first CA certificate, and by encrypted first CA certificate, and the first random number after re-encrypting is sent to Authenticating party;
In the present embodiment, first public key that the side of being certified saves itself carries in the first CA certificate, and uses It obtains the second public key to encrypt the first CA certificate, this in encrypted first CA certificate and step S103 is added again The first random number after close is sent to authenticating party.
The second private key that S106, authenticating party use itself to save, decrypts encrypted first CA certificate received, obtains The first CA certificate is taken, and the first CA certificate of acquisition is verified according to the CA public key that itself is saved, if being verified, into Enter step S107, otherwise enters step S110;
Authenticating party obtains the second CA certificate using the second CA certificate decryption after the second private key pair encryption itself saved, The CA public key saved according to itself verifies the first CA certificate of acquisition, i.e., verifies to the side of being certified.
S107, authenticating party obtain the first public key carried in the first CA certificate, using the second private key that itself is saved, to again Encrypted first random number is decrypted, and is decrypted again using the first public key to the first random number after decryption;
When being verified, authenticating party obtains the first public key for carrying in the first CA certificate, and the saved using itself The first random number after this is re-encrypted is decrypted in two private keys, using the first public key, to the first random number after decryption again into Row decryption.
When S108, authenticating party determine that decrypted result is identical as the first random number that itself sends, returned to the side of being certified true Recognize notice and using the second random number after the first public key encryption;
In the present embodiment, the decrypted result after authenticating party decrypt twice to the first random number after re-encrypting, When identical as first random number that itself sends, the side's of being certified safety is determined, return to acknowledgement notification and use to the side of being certified The second random number after first public key encryption, the second random number is for encrypting the data information in communication process.
S109, the side of being certified are decrypted the second random number after the encryption received using the first private key, obtain second Random number, and using the second random number as session key.
S110, authenticating party determine that the side of being certified is illegal identity, the data information that the rejection side of being certified is sent;
In the present embodiment, the first private key that the side of being certified is saved using itself is to the second random number after the encryption received It is decrypted, obtains the second random number, and using the second random number as the session key of the data information in communication process.
In above process, when the second CA certificate that verifying receives passes through, i.e., authentication verification side passes through for the side of being certified When, the second public key carried in the second CA certificate is obtained, the first private key saved using itself is to the first random number received It is encrypted, and the first random number after the first private key encryption is encrypted again using the second public key, using the second public key pair The first CA certificate for carrying the first public key is encrypted, and first by encrypted first CA certificate, and after re-encrypting is random Number is sent to authenticating party, and authenticating party is being verified using the first CA certificate decryption after the second private key pair encryption itself saved When first CA certificate passes through, the first public key is obtained, the second private key saved using itself is to the first random number after re-encrypting Decryption, and the first random number after decryption is decrypted again using the first public key, in first for determining decrypted result and itself sending When random number is identical, acknowledgement notification is returned to aggregation node sink node and is used for using after the first public key encryption to communication The second random number that data information in the process is encrypted, greatly improves the safety for the data information that the side of being certified is sent Property.
In practical applications, illegal aggregation node sink node may use more than two difference ID frequent Access request is sent to Web server side, i.e., malicious attack is carried out to the Web server, since authentication process itself needs one The fixed time, thus will lead to Web server due to and meanwhile the verification process that carries out it is excessive and generate data and overstock, finally make Web server paralysis.Attack of the illegal aggregation node sink node to Web server in order to prevent, in the present embodiment, Before Web server is to the encrypted CA certificate decryption of the aggregation node sink node received, aggregation node is also received The sequence number (Identity, ID) for the node that sink node is sent, and verifies the ID, when verify the ID it is legal when, Subsequent step is carried out again.
Fig. 4 is the certification in the present invention between aggregation node sink node and Web server, specifically includes the following steps:
S201: aggregation node sink node sends registration request to Web server.
In the present embodiment, identity note is carried out when aggregation node sink node and Web server establish connection for the first time Volume, i.e., be sent to Web server for the ID of itself, and Web server saves the ID of aggregation node sink node.
S202: aggregation node sink node sends access request to Web server, and receives the of Web server return One random number and the second CA certificate.
In the present embodiment, it when aggregation node sink node is communicated with Web server, first to be sent to Web server Access request after Web server receives the access request, generates the first random number, and return to aggregation node sink node First random number.In order to further increase the safety for the data information that aggregation node sink node is sent, Web server is also The second CA certificate of itself preservation is returned to aggregation node sink node.
S203: aggregation node sink node according to the CA public key itself saved, and the second CA certificate received, to Web Server is verified, if carrying out step S204 by verifying, otherwise carries out step S205.
In the present embodiment, aggregation node sink node can be according to the CA public key itself saved, to second received CA certificate is verified, i.e., verifies to Web server.
The second public key for carrying in S204: aggregation node sink node the second CA certificate of acquisition, using the first private key to the One random number encryption, and the first random number after the first private key encryption is encrypted again using the second public key obtained.
When being verified, that is, when determining that Web server is legal, aggregation node sink node is obtained in the second CA certificate The second public key carried, encrypts first random number using first private key, and using the second public key to encrypted First random number is encrypted again.
S205: aggregation node sink node determines that Web server is illegal Web server, refuses to Web server Send data information.
Obstructed out-of-date when verifying, that is, when determining that Web server is illegal, aggregation node sink node refuses to Web server Send data information.
S206: aggregation node sink node carries the first public key in the first CA certificate that itself is saved, using acquisition The second public key the ID of its own is encrypted, which is encrypted, and by encrypted ID, the first CA demonstrate,prove Book, and the first random number after re-encrypting are sent to Web server.
In the present embodiment, in order to further increase aggregation node sink node transmission data information safety, converge The first public key that poly- node sink node saves itself carries in the first CA certificate, and using the second public key pair obtained First CA certificate is encrypted, by the first random number after re-encrypting in encrypted second CA certificate and step S204 It is sent to Web server.Also, attack of the illegal aggregation node sink node to Web server in order to prevent, convergence section Point sink node will also be encrypted using ID of second public key to itself, and encrypted ID is also sent to Web server.
The second private key that S207:Web server uses itself to save decrypts encrypted ID, obtains the ID, and verifying should The legitimacy of ID carries out step S208 if being verified, and otherwise carries out step S212.
Web server first uses the ID decryption after the second private key pair encryption, obtains the ID of aggregation node sink node, and Judge whether the ID is stored in Web server local, if then to be legal, it is otherwise, illegal.
The second private key that S208:Web server uses itself to save decrypts encrypted first CA certificate, obtains First CA certificate, the CA public key saved according to itself verifies first CA certificate of acquisition, if being verified, into Otherwise row step S209 carries out step S212.
When Web server determine aggregation node sink node ID it is legal when, using first after the second private key pair encryption CA certificate is decrypted, and obtains the first CA certificate, and verify to first CA certificate according to the CA public key that itself is saved, i.e., Further whether verifying aggregation node sink node is safe.
S209:Web server obtains the first public key for carrying in the first CA certificate, using the second private key that itself is saved, To encrypted first random nnrber decryption, and the first public key is used, the first random number after decryption is decrypted again, judges decryption knot Whether first random number that fruit sends with itself is identical, if they are the same, then carries out step S210, otherwise, carries out step S212.
When the first CA certificate of verifying passes through, the first public key carried in the first CA certificate is obtained, using the second private key pair The first random number after re-encrypting is decrypted, and is solved again using the first public key obtained to the first random number after decryption It is close, decrypted result is obtained, whether first random number for judging that decrypted result is sent with itself is identical, to judge aggregation node Whether sink node is safe.
S210:Web server encrypts the second random number using the first public key, will confirm that notice and encrypted the Two random numbers return to aggregation node sink node.
When determining that the decrypted result is identical as the first random number that itself sends, Web server determines aggregation node Sink node safety, is generated acknowledgement notification and the second random number, is encrypted using the first public key to the second random number, by this Acknowledgement notification and encrypted second random number are sent to aggregation node sink node.
S211: aggregation node sink node receives the acknowledgement notification that Web server returns and encrypted second at random Number, the second random nnrber decryptions after the first private key pair encryption saved using itself, obtains second random number, and by second with Machine number is as session key.
It is encrypted second random to this using the first private key after aggregation node sink node receives the acknowledgement notification Number be decrypted, obtain the second random number, using the second random number to sent data information encrypt, i.e., Web server with Aggregation node sink node agreement is using the second random number as subsequent session key.
S212:Web server determines that aggregation node sink node is dangerous, rejection aggregation node sink node hair The data information sent.
When Web server determine aggregation node sink node ID it is illegal when, or verify first CA certificate and do not pass through When, or when determining decrypted result and not identical the first random number itself sent, determine that aggregation node sink node is dangerous, Reject the data information that aggregation node sink node is sent.
Wherein, the first public key in the above process and the first private key are that aggregation node sink node is generated according to ECC algorithm And save, the second public key and the second private key are what Web server was generated and saved according to ECC algorithm, corresponding encryption with Decipherment algorithm is also to be encrypted and decrypted according to ECC algorithm.
In above process, aggregation node sink node receives the first random number that Web server returns, using itself The first private key saved is returned to the first random number encryption, and by the first public key itself saved and encrypted first random number It returns, whether Web server is decrypted encrypted first random number using the first public key, sent out with itself according to decrypted result The first random number sent is identical, judges whether safety receives aggregation node when determining safe to aggregation node sink node The data information that sink node is sent.Due to the first random number for using the first private key to be encrypted in the embodiment of the present invention, only The first public key decryptions, if first public key is stolen by illegal aggregation node sink node, illegal convergence section can be used After point sink node encrypts the first random number using the first public key stolen, Web server cannot use the first public key Encrypted first random number is decrypted, so that the first random number cannot be obtained correctly, refuses illegal aggregation node The data information that sink node is sent, therefore improve the data information that aggregation node sink node is sent to Web server Safety.
Also, attack of the illegal aggregation node sink node to Web server in order to prevent, cause Web server because Data overstock and paralyse, and aggregation node sink node also sends the ID of its own to Web server, and Web server verifies the ID Legitimacy, subsequent step is just carried out when being verified, otherwise determine aggregation node sink node it is dangerous, refusal connects Receive the data information that aggregation node sink node is sent.
Meanwhile Web server also returns to the second CA certificate to aggregation node sink node, aggregation node sink node exists It verifies after the second CA certificate passes through, determines that Web server is legal, obtain the second public key carried in the second CA certificate, using the Two public keys are to itself ID and carry the first CA certificate of the first public key and encrypt, and to first after the first private key encryption with Machine number is encrypted again, and the first random number by encrypted ID and the first CA certificate, and after re-encrypting returns to Web service Device, Web server is after the ID and the first CA certificate for determining aggregation node sink node are legal, using corresponding manner of decryption The first random number after re-encrypting to this is decrypted, and decrypted result is obtained, further according to the decrypted result and first random number It is whether identical, judge whether aggregation node sink node is safe, further improves the number of aggregation node sink node transmission It is believed that the safety of breath.
In addition, the first public key, the first private key, the second public key and the second private key in the above process are according to ECC algorithm It generates, since aggregation node sink node can effectively support the ECC algorithm, improves aggregation node sink Communication efficiency between node and mobile communications network.
Fig. 5 is the authentication process figure between third party application and Web server in the present invention, and third party answers Use the token authentication based on Restful framework with the certification between program and Web server, access token can by with Uniquely to identify and authenticate a user, each request of user requires to carry safety of the token to realize access, here The granting of token is divided into two kinds of situations:
Situation one: user carries out identity registration after completing authentication with Web server, to sensing data when registration Operating rights authorized, show possessed sensor data be only personal visible, all visible or certain people as it can be seen that Certification between third party application and Web server at this time successively the following steps are included:
S301: third party application issues access request of data to Web server;
S302:Web server decides whether that generating interim token Token returns to third party application, if not allowing, Then denied access;If allowing, S303 is entered step;
S303:Web server sends interim token Token to third party application;
Third-party application journey is returned to the Element generation of current time one interim token Token inside Web server Sequence;
S304: third party application receives interim token Token, and sends the interim order of carrying again to Web server The data access request of board Token;
S305:Web server parses interim token Token after receiving data access request, judges interim token Whether Token fails, if not failing, returns to the data that third party application wants access to;If failure, regenerates Interim token Token returns to third party application, and third party application sends data using new interim token Token Access request;
Web server receive request after to interim token Token carry out parsing restore the generation of interim token Token when Between, judge whether interim token Token fails, if not failing, returns to the data that third party application wants access to;If Failure then regenerates interim token Token and returns to third party application, and third party application uses new interim order Board Token sends data access request.
Situation two: user carries out identity registration after completing authentication with Web server, to the biography possessed when registration The operating rights of sensor data do not carry out authorization or third party application and be not authorization can square, third-party application journey at this time Authenticating step between sequence and Web server has:
S401: third party application issues access request of data to Web server;
Whether S402:Web server requries the users allows to access data, if not allowing, denied access;If allowing, Then enter step S403;
S403: user gives Web server authorization, and Web server sends interim token Token and gives third-party application journey Sequence;
Third-party application journey is returned to the Element generation of current time one interim token Token inside Web server Sequence;
S404: third party application receives interim token Token, and sends the interim order of carrying again to Web server The data access request of board Token;
S405:Web server parses interim token Token after receiving data access request, judges interim token Whether Token fails, if not failing, returns to the data that third party application wants access to;If failure, enters step S402。
Existing token authentication generallys use dynamic-password technique.Dynamic-password technique is to traditional static password technology Improvement, user will possess some vouchers, and such as the interim token Token that system is issued, and the number on interim token Token is It is continually changing, and be synchronous with the Web server of certification, therefore it is also constantly to become that user, which logs on to the password of system, Change, i.e., it is so-called " one-time pad ".
There are two types of synchronization schemes for existing dynamic-password technique: time synchronization, event synchronization.
1. time synchronization refers to interim token Token using a seed of the time as dynamic password, Web server The password generated by using the time as the interim token Token of a seed certification.
2. event synchronization refers to when interim token Token generates dynamic password every time using current counting as one kind Son is generated every time after completing dynamic password, which can be incremented by automatically, when Web server equally uses number as verifying Seed.
Obviously, various changes and modifications can be made to the invention without departing from essence of the invention by those skilled in the art Mind and range.In this way, if these modifications and changes of the present invention belongs to the range of the claims in the present invention and its equivalent technologies Within, then the present invention is also intended to include these modifications and variations.

Claims (6)

1. the wireless sensor network access authentication method under a kind of Restful framework based on CA certificate, it is characterised in that: will Sensor node and aggregation node organize themselves into as network, and aggregation node is connected to the Web service based on Restful framework Device, certification, aggregation node between client and Web server and the certification between Web server, sensor node and convergence The certification between certification and client and aggregation node between node is based on CA certificate completion, and user is visited by client Ask that Web server obtains the data of wireless sensor node;In verification process, the side of being certified holds the first CA certificate, the first public affairs Key and the first private key, authenticating party are held the second CA certificate, the second public key and the second private key, verification process and are included the following steps:
A, it is certified direction authenticating party and sends access request, and receive the first random number and the second CA certificate of authenticating party return;
B, the CA public key that the side of being certified is saved with itself verifies the second CA certificate received, if being verified, enters Step C, otherwise enters step D;
C, the side of being certified obtains the second public key for carrying in the second CA certificate, using the first private key itself saved to first with Machine number is encrypted, and is encrypted again using the second public key obtained to the first random number after the first private key encryption;
D, the side of being certified determines that authenticating party is illegal identity, refuses to send data information to authenticating party;
E, the side of being certified carries the first public key in the first CA certificate that itself is saved, using the second public key of acquisition to first CA certificate is encrypted, and by encrypted first CA certificate, and the first random number after re-encrypting is sent to authenticating party;
F, the second private key that authenticating party uses itself to save decrypts encrypted first CA certificate received, obtains first CA certificate, and the first CA certificate of acquisition is verified according to the CA public key that itself is saved, if being verified, enter step Otherwise G enters step H;
G, authenticating party obtains the first public key carried in the first CA certificate, using the second private key that itself is saved, after re-encrypting The first random number be decrypted, and the first random number after decryption is decrypted again using the first public key;
H, when authenticating party determines that decrypted result is identical as the first random number that itself sends, acknowledgement notification is returned to the side of being certified With encrypted second random number;
I, the side of being certified obtains the second random number, and using the second random number as session key.
2. the wireless sensor network access authentication side under the Restful framework according to claim 1 based on CA certificate Method, it is characterised in that: further include the certification based on token between third party application and Web server.
3. the wireless sensor network access authentication side under the Restful framework according to claim 1 based on CA certificate Method, it is characterised in that: in verification process, the side of being certified generates and save the first public key and the using error checking correct algorithm One private key, authenticating party are generated using error checking correct algorithm and are saved the second public key and the second private key.
4. the wireless sensor network access authentication under the Restful framework according to claim 1 or 3 based on CA certificate Method, it is characterised in that: the verification process between aggregation node and Web server further includes the certification to the ID of aggregation node, Specifically:
The side of being certified encrypts the ID of itself using the first public key obtained, and is sent to authenticating party;
ID after the first private key pair encryption that authenticating party is saved using itself is decrypted, and obtains the ID for the side of being certified, and verifies Whether the ID for the side of being certified is legal.
5. the wireless sensor network access authentication side under the Restful framework according to claim 2 based on CA certificate Method, which is characterized in that the certification between third party application and Web server is recognized using the token based on Restful framework Card, verification process are divided into two kinds of situations:
Situation one: user carries out identity registration after completing authentication with Web server, to the behaviour of sensing data when registration Make power to be authorized, show possessed sensor data be only personal visible, all visible or certain people as it can be seen that at this time Certification between third party application and Web server, comprising the following steps:
A1, third party application issue access request of data to Web server, enter step B1;
B1, Web server decide whether that generating interim token returns to third party application, if not allowing, denied access; If allowing, C1 is entered step;
C1, Web server send interim token to third party application, enter step D1;
D1, third party application receive interim token, and send the data access for carrying interim token again to Web server Request, enters step E1;
E1, Web server parse interim token after receiving data access request, judge whether interim token fails, if It does not fail, then returns to the data that third party application wants access to;If failure, regenerates interim token and return to the Tripartite's application program, third party application send data access request using new interim token;
Situation two: user carries out identity registration after completing authentication with Web server, to the sensor possessed when registration The operating rights of data do not carry out authorization or third party application be not authorization can square, at this time third party application with Authenticating step between Web server has:
A2, third party application issue access request of data to Web server, enter step B2;
Whether B2, Web server requry the users allows to access data, if not allowing, denied access;If allowing, enter Step C2;
C2, user give Web server authorization, and Web server sends interim token to third party application, enters step D2;
D2, third party application receive interim token, and send the data access for carrying interim token again to Web server Request, enters step E2;
E2, Web server parse interim token after receiving data access request, judge whether interim token fails, if It does not fail, then returns to the data that third party application wants access to;If failure, enters step B2.
6. according to the method described in claim 5, it is characterized in that, wireless sensing under the Restful framework based on CA certificate Device network access verifying method, it is characterised in that:
In step C1 and step C2, third is returned to the Element generation of current time one interim token inside Web server Square application program;
In step E1 and step E2, interim token is parsed, is reduced into the generation time of interim token, so that judgement is interim Whether token fails.
CN201510947803.2A 2015-12-17 2015-12-17 Wireless sensor network access authentication method under Restful framework based on CA certificate Active CN105530253B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510947803.2A CN105530253B (en) 2015-12-17 2015-12-17 Wireless sensor network access authentication method under Restful framework based on CA certificate

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510947803.2A CN105530253B (en) 2015-12-17 2015-12-17 Wireless sensor network access authentication method under Restful framework based on CA certificate

Publications (2)

Publication Number Publication Date
CN105530253A CN105530253A (en) 2016-04-27
CN105530253B true CN105530253B (en) 2018-12-28

Family

ID=55772235

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510947803.2A Active CN105530253B (en) 2015-12-17 2015-12-17 Wireless sensor network access authentication method under Restful framework based on CA certificate

Country Status (1)

Country Link
CN (1) CN105530253B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112073964A (en) * 2020-10-26 2020-12-11 河南大学 Unmanned aerial vehicle and base station communication identity authentication method based on elliptic curve encryption

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107872445B (en) * 2016-09-28 2021-01-29 华为技术有限公司 Access authentication method, device and authentication system
CN107918731A (en) * 2016-10-11 2018-04-17 百度在线网络技术(北京)有限公司 Method and apparatus for controlling the authority to access to open interface
CN107241341B (en) * 2017-06-29 2020-07-07 北京五八信息技术有限公司 Access control method and device
CN109391594B (en) * 2017-08-09 2021-07-30 中国电信股份有限公司 Security authentication system and method
CN108429732B (en) * 2018-01-23 2021-01-08 平安普惠企业管理有限公司 Method and system for acquiring resources
CN109286639A (en) * 2018-11-29 2019-01-29 郑静 A kind of digital certificate compatibility control system and application method based on RESTful framework
CN110351385B (en) * 2019-07-11 2022-03-11 苏州高博软件技术职业学院 Home gateway system and data forwarding method
CN111988779B (en) * 2020-07-13 2022-10-18 北京工业大学 Wireless sensor network node access authentication method based on trusted connection architecture
CN114629651A (en) * 2020-12-14 2022-06-14 南京如般量子科技有限公司 Anti-quantum computing communication method and system based on CA
CN114070649A (en) * 2021-12-15 2022-02-18 武汉天喻信息产业股份有限公司 Method and system for secure communication between devices

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729565A (en) * 2009-12-31 2010-06-09 卓望数码技术(深圳)有限公司 Safety access method for sensor, sensor and safety access system
CN102916810A (en) * 2011-08-05 2013-02-06 中国移动通信集团公司 Method, system and apparatus for authenticating sensor
CN103220285A (en) * 2013-04-10 2013-07-24 中国科学技术大学苏州研究院 Access system based on RESTful interface in ubiquitous service environment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9043886B2 (en) * 2011-09-29 2015-05-26 Oracle International Corporation Relying party platform/framework for access management infrastructures
US20140085050A1 (en) * 2012-09-25 2014-03-27 Aliphcom Validation of biometric identification used to authenticate identity of a user of wearable sensors

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729565A (en) * 2009-12-31 2010-06-09 卓望数码技术(深圳)有限公司 Safety access method for sensor, sensor and safety access system
CN102916810A (en) * 2011-08-05 2013-02-06 中国移动通信集团公司 Method, system and apparatus for authenticating sensor
CN103220285A (en) * 2013-04-10 2013-07-24 中国科学技术大学苏州研究院 Access system based on RESTful interface in ubiquitous service environment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112073964A (en) * 2020-10-26 2020-12-11 河南大学 Unmanned aerial vehicle and base station communication identity authentication method based on elliptic curve encryption
CN112073964B (en) * 2020-10-26 2021-11-19 河南大学 Unmanned aerial vehicle and base station communication identity authentication method based on elliptic curve encryption

Also Published As

Publication number Publication date
CN105530253A (en) 2016-04-27

Similar Documents

Publication Publication Date Title
CN105530253B (en) Wireless sensor network access authentication method under Restful framework based on CA certificate
Al‐Turjman et al. An overview of security and privacy in smart cities' IoT communications
Wang et al. Blockchain-based anonymous authentication with key management for smart grid edge computing infrastructure
Das et al. Taxonomy and analysis of security protocols for Internet of Things
Ashibani et al. Cyber physical systems security: Analysis, challenges and solutions
Dhillon et al. A lightweight biometrics based remote user authentication scheme for IoT services
Malik et al. A survey of key bootstrapping protocols based on public key cryptography in the Internet of Things
EP3318037B1 (en) Content security at service layer
Moghadam et al. An efficient authentication and key agreement scheme based on ECDH for wireless sensor network
US9832024B2 (en) Methods and systems for PKI-based authentication
Turkanovic et al. An improved dynamic password-based user authentication scheme for hierarchical wireless sensor networks
Mahalle et al. Identity authentication and capability based access control (iacac) for the internet of things
CN105516980B (en) A kind of wireless sensor network token authentication method based on Restful frameworks
US20140298037A1 (en) Method, apparatus, and system for securely transmitting data
Tsai et al. Secure session key generation method for LoRaWAN servers
Rao et al. A review on lightweight cryptography for Internet-of-Things based applications
KR101753859B1 (en) Server and method for managing smart home environment thereby, method for joining smart home environment and method for connecting communication session with smart device
CN109716724A (en) The method and system authenticated with double nets of the communication equipment of server communication
KR20100134745A (en) Method for distributed identification, a station in a network
Park et al. A selective group authentication scheme for IoT-based medical information system
Srikanth et al. An efficient Key Agreement and Authentication Scheme (KAAS) with enhanced security control for IIoT systems
Naoui et al. Novel enhanced LoRaWAN framework for smart home remote control security
Nikooghadam et al. Secure communication in CloudIoT through design of a lightweight authentication and session key agreement scheme
Rizzardi et al. Analysis on functionalities and security features of Internet of Things related protocols
Singh et al. Cryptanalysis and improvement in user authentication and key agreement scheme for wireless sensor network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant