CN106304046B - Method for encrypting and authenticating iBeacon broadcast message - Google Patents

Info

Publication number: CN106304046B
Authority: CN (China)
Prior art keywords: base station, ibeacon, ibeacon base, broadcast packet, authentication code
Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201510290512.0A
Other languages: Chinese (zh)
Other versions: CN106304046A (en)
Inventor: 陈晓华
Current Assignee: Individual (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Individual
Application filed by Individual
Priority to CN201510290512.0A
Publication of CN106304046A
Application granted
Publication of CN106304046B
Classifications

    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/06 Authentication
    • H04W4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services

Abstract

The invention discloses a method for encrypting and authenticating an iBeacon broadcast message. By adding an extra Bluetooth broadcast packet, that is, by sending a dynamic identifier (ID) in a Bluetooth broadcast packet other than the original iBeacon broadcast packet, the invention solves the problem of an iBeacon base station being piggybacked on (used without authorization) by a third party. By sending a Message Authentication Code (MAC) or a digital signature that changes dynamically over time in a broadcast packet other than the original iBeacon broadcast packet, it also solves the problem of iBeacon base stations being forged. Combining the method for generating the dynamic identifier with the method for generating the message authentication code solves both problems together: unauthorized use of the base station's signal and forgery of the base station.

Description

Method for encrypting and authenticating iBeacon broadcast message
Technical Field
The invention relates to a broadcast message method for mobile equipment, in particular to an iBeacon broadcast message encryption and authentication method.
Background
iBeacon is a proximity localization technology released by Apple Inc. in autumn 2013 together with iOS 7. The principle of iBeacon is that an iBeacon base station broadcasts identification information to its surroundings using Bluetooth Low Energy, and when a mobile device (such as an iPhone) hears this identification information, the location of the device can be determined, so that targeted services can be provided, such as pushing a local coupon to the user or automatic user check-in.
Fig. 1 is a schematic diagram of the structure of the unique ID included in iBeacon broadcast information in the prior art. The message 101 broadcast by the iBeacon base station contains a unique ID composed of three parts: a UUID (Universally Unique Identifier), a Major and a Minor (Major and Minor are both set by the iBeacon issuer and are both 16-bit identifiers). In a typical application, the three fields indicate a specific location or scene from coarse to fine, like an address. For example, the UUID may represent a restaurant chain, Major a city, and Minor the number of a branch store, so that together they identify a specific branch of that company in that city.
However, the message broadcast by the iBeacon base station is plaintext and contains no other security information, which causes two problems:
First, the message broadcast by the iBeacon base station can be piggybacked on by anyone. For example, if the app of a supermarket chain's competitor can recognize the iBeacon base stations that the supermarket has deployed in its store, then when a user enters the store, the competitor's app can be woken up to promote the merchandise of the competitor's own store.
Second, the iBeacon base station can be easily forged. For example, a user can now easily simulate an iBeacon base station by downloading an application, so a merchant who has deployed iBeacon base stations cannot reliably determine whether the user is really in the store, which makes it difficult to provide further services based on the iBeacon base station.
Disclosure of Invention
To address the first problem, the present invention provides a method for transmitting a dynamic identifier (ID) in a Bluetooth broadcast packet other than the original iBeacon broadcast packet. To address the second problem, the present invention proposes a method for transmitting a Message Authentication Code (MAC) or a digital signature, which changes dynamically over time, in a broadcast packet other than the original iBeacon broadcast packet. To solve both problems at the same time, the present invention proposes a method for transmitting both a dynamic identifier and a time-varying message authentication code or digital signature in a broadcast packet other than the original iBeacon Bluetooth broadcast packet.
In view of the above, the present invention aims to provide a method for encrypting and authenticating an iBeacon broadcast message that removes two defects of the prior art: that the message broadcast by an iBeacon base station can be piggybacked on by anyone, and that the iBeacon base station can be easily forged.
To this end, the present invention provides a method for encrypting an iBeacon broadcast message, in which a Bluetooth broadcast packet is transmitted from an iBeacon base station to a receiving end, comprising the steps of:
at the iBeacon base station,
adding an additional Bluetooth broadcast packet, wherein the additional Bluetooth broadcast packet comprises a first dynamic identifier;
at the receiving end,
for each iBeacon base station, generating a second dynamic identifier that is the same as the first dynamic identifier, and, according to whether the first dynamic identifier and the second dynamic identifier are the same, determining the iBeacon base station from which the signal comes and its corresponding UUID, Major and Minor.
The invention also provides a method for authenticating an iBeacon broadcast message, in which a Bluetooth broadcast packet is transmitted from an iBeacon base station to a receiving end, comprising the steps of:
at the iBeacon base station,
adding an additional Bluetooth broadcast packet, wherein the additional Bluetooth broadcast packet comprises a first message authentication code specific to each iBeacon base station;
at the receiving end,
for each iBeacon base station, after the receiving end receives the first message authentication code, generating a second message authentication code using the key corresponding to the iBeacon base station from which the first message authentication code comes and the same plaintext message as the iBeacon base station used, and comparing the first message authentication code with the second message authentication code;
if they match, the message is determined to be authentic.
The invention also provides a method for authenticating an iBeacon broadcast message, in which a Bluetooth broadcast packet is transmitted from an iBeacon base station to a receiving end, comprising the steps of:
at the iBeacon base station,
adding an additional Bluetooth broadcast packet, wherein the additional Bluetooth broadcast packet comprises a digital signature;
at the receiving end,
for each iBeacon base station, after the receiving end receives the digital signature, verifying the authenticity of the signature with the corresponding digital signature algorithm, using the public key corresponding to the iBeacon base station from which the digital signature comes and the same plaintext message as the base station used.
The invention also provides a method for encrypting and authenticating an iBeacon broadcast message, in which a Bluetooth broadcast packet is transmitted from an iBeacon base station to a receiving end, comprising the steps of:
at the iBeacon base station,
adding an additional Bluetooth broadcast packet, wherein the additional Bluetooth broadcast packet comprises a first dynamic identifier and a first message authentication code specific to each iBeacon base station;
at the receiving end,
for each iBeacon base station, generating a second dynamic identifier that is the same as the first dynamic identifier, and, according to whether the first dynamic identifier and the second dynamic identifier are the same, determining the iBeacon base station from which the signal comes and its corresponding UUID, Major and Minor;
generating a second message authentication code using the key corresponding to the iBeacon base station from which the first message authentication code comes and the same plaintext message as the iBeacon base station used, and comparing the first message authentication code with the second message authentication code;
if they match, the message is determined to be authentic.
The invention also provides a method for encrypting and authenticating an iBeacon broadcast message, in which a Bluetooth broadcast packet is transmitted from an iBeacon base station to a receiving end, comprising the steps of:
at the iBeacon base station,
adding an additional Bluetooth broadcast packet, wherein the additional Bluetooth broadcast packet comprises a first dynamic identifier and a digital signature;
at the receiving end,
for each iBeacon base station, generating a second dynamic identifier that is the same as the first dynamic identifier, and, according to whether the first dynamic identifier and the second dynamic identifier are the same, determining the iBeacon base station from which the signal comes and its corresponding UUID, Major and Minor;
and verifying the authenticity of the signature with the corresponding digital signature algorithm, using the public key corresponding to the iBeacon base station from which the digital signature comes and the same plaintext message as the base station used.
In some embodiments, the additional Bluetooth broadcast packet
is an ordinary broadcast packet obtained by a BLE scanning device during passive scanning,
and/or a Scan Response packet sent by the broadcasting device when the scanning device is actively scanning.
In some embodiments, the first dynamic identifier changes at regular intervals to form a sequence, and the dynamic identifier sequence sent by each iBeacon base station is different; the first dynamic identifier is a pseudo-random number generated by a random number generation algorithm.
In some embodiments, the UUID, Major and Minor originally sent by the iBeacon base station are set to meaningless values, that is, all the iBeacon base stations use the same set of UUID, Major and Minor, or share a few such sets;
a hash value is generated from information containing the real UUID, Major and Minor;
part or all of the hash value is used as the input of a pseudo-random number generator, which generates a pseudo-random number at fixed points in time;
and all or part of the pseudo-random number is used as the dynamic identifier and is sent in a broadcast packet of the iBeacon base station.
In some embodiments, the message authentication code or digital signature varies with time to prevent replay attacks;
the message authentication code is truncated to save space or increase the difficulty of attack,
or so that it fits in a Bluetooth broadcast packet;
the key used to generate the message authentication code or digital signature is different for each iBeacon base station.
In some embodiments, a static ID that does not change with time is generated for each iBeacon base station and is sent along with the message authentication code or the digital signature, to indicate the key corresponding to the message authentication code or the public key corresponding to the digital signature, and the plaintext information used to generate the message authentication code or the digital signature;
the static ID may be truncated.
In some embodiments, the first dynamic identifier changes at regular intervals to form a sequence, and the dynamic identifier sequence sent by each iBeacon base station is different; the first dynamic identifier is a pseudo-random number generated by a random number generation algorithm.
In some embodiments, the UUID, Major and Minor originally sent by the iBeacon base station are set to meaningless values, that is, all the iBeacon base stations use the same set of UUID, Major and Minor, or share a few such sets;
a hash value is generated from information containing the real UUID, Major and Minor;
part or all of the hash value is used as the input of a pseudo-random number generator, which generates a pseudo-random number at fixed points in time;
and all or part of the pseudo-random number is used as the dynamic identifier and is sent in a broadcast packet of the iBeacon base station.
Advantageous effects:
By adding an extra Bluetooth broadcast packet, that is, by sending a dynamic identifier (ID) in a Bluetooth broadcast packet other than the original iBeacon broadcast packet, the invention solves the problem of an iBeacon base station being piggybacked on (used without authorization) by a third party. By sending a Message Authentication Code (MAC) or a digital signature that changes dynamically over time in a broadcast packet other than the original iBeacon broadcast packet, it also solves the problem of iBeacon base stations being forged. Combining the method for generating the dynamic identifier with the method for generating the message authentication code solves both problems together: unauthorized use of the base station's signal and forgery of the base station.
Drawings
Fig. 1 is a schematic diagram of a structure of a unique ID included in iBeacon broadcast information in the prior art.
Fig. 2 is a schematic structural diagram of an additional Bluetooth broadcast packet, containing a first dynamic identifier, added to an iBeacon broadcast message in an embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an additional Bluetooth broadcast packet, containing a message authentication code, added to an iBeacon broadcast message in an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of an additional Bluetooth broadcast packet, containing a digital signature, added to an iBeacon broadcast message in an embodiment of the present invention.
Fig. 5 is a schematic flow chart of an iBeacon broadcast message encryption method (based on dynamic identifier) in an embodiment of the present invention.
Fig. 6 is a flowchart illustrating a method for authenticating an iBeacon broadcast message according to an embodiment of the present invention (based on a message authentication code).
Fig. 7 is a flowchart illustrating an authentication method for an iBeacon broadcast message according to an embodiment of the present invention (based on a digital signature).
Fig. 8 is a flowchart illustrating a method for encrypting and authenticating an iBeacon broadcast message according to an embodiment of the present invention.
Fig. 9 is a flowchart illustrating a method for encrypting and authenticating an iBeacon broadcast message according to an embodiment of the present invention.
Detailed Description
The receiving end may be a handheld device or a server. In the latter case, the information received by the server is generally forwarded by a handheld device after the handheld device has received it from the iBeacon base station.
Please refer to Fig. 2 to Fig. 4, which are schematic structural diagrams of an embodiment in which an additional Bluetooth broadcast packet is added to an iBeacon broadcast message, the additional Bluetooth broadcast packet containing a dynamic identifier, a message authentication code, or a digital signature, respectively.
The message broadcast by the original iBeacon base station contains a unique ID composed of three parts: a UUID (Universally Unique Identifier), a Major and a Minor (Major and Minor are both set by the iBeacon issuer and are both 16-bit identifiers). On this basis, a dynamic identifier 201, a message authentication code 301, or a digital signature 401 is added.
Please refer to Fig. 5, which is a flowchart of an iBeacon broadcast message encryption method (based on a dynamic identifier) according to an embodiment of the present invention.
S501: at the iBeacon base station,
S502: add an additional Bluetooth broadcast packet that includes a first dynamic identifier;
S503: at the receiving end,
S504: for each iBeacon base station, generate a second dynamic identifier that is the same as the first dynamic identifier, and check whether the first dynamic identifier and the second dynamic identifier are the same;
S505: determine the iBeacon base station from which the signal comes and its corresponding UUID, Major and Minor.
Specifically, to solve the problem of the iBeacon base station being piggybacked on by a third party, the method in this embodiment includes the following:
1) in a recommended implementation, the dynamic identifier 201 is 16 bytes long, so that the dynamic identifiers of different base stations are unlikely to collide; the dynamic identifier changes at regular intervals to form a sequence, and the dynamic identifier sequence sent by each iBeacon base station is different;
2) the dynamic identifier 201 may be a pseudo-random number or a cryptographically secure pseudo-random number, and the algorithm for generating it may be any feasible random number generation algorithm in the field, including a linear congruential algorithm, the Mersenne Twister algorithm, an Xorshift algorithm, or the Yarrow algorithm;
3) the aforementioned pseudo-random number may be truncated;
4) the receiving end generates the same dynamic identifier for each iBeacon base station, changing over time in step with that base station; after receiving a dynamic identifier from a base station, the receiving end compares it with the dynamic identifiers it has generated itself, and thereby determines which iBeacon base station the signal comes from and that base station's corresponding UUID, Major and Minor;
5) the UUID, Major and Minor originally sent by the iBeacon base stations are set to meaningless values; for example, all iBeacon base stations use the same set of UUID, Major and Minor, or share a few such sets;
6) the additional Bluetooth broadcast packet of the iBeacon base station may be an ordinary broadcast packet obtained by a BLE (Bluetooth Low Energy) scanning device during passive scanning, or a Scan Response packet sent by the broadcasting device when the scanning device performs active scanning. The Scan Response packet is sent only when the central device sends a scan request, so sending the aforementioned encryption and authentication information in the Scan Response packet is the more energy-saving method.
The first dynamic identifier is obtained as follows: a hash value is generated from information containing the real UUID, Major and Minor; part or all of the hash value is used as the input of a pseudo-random number generator, which generates a pseudo-random number at fixed points in time; and all or part of the pseudo-random number is used as the dynamic identifier and is sent in a broadcast packet of the iBeacon base station. In one implementation, the input to the pseudo-random number generator may be, but is not limited to, a pseudo-random number seed, an initialization vector, a key, a nonce, and the like.
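The derivation and the receiver-side matching described above, as an added Python example that is not part of the patent text. Assumptions: the hashed information includes a per-beacon secret (UUID, Major and Minor alone are guessable), HMAC-SHA256 over a slot counter stands in for the pseudo-random number generator, and the 60-second slot, the clock-skew window and the sample beacons are constructed.

```python
import hashlib
import hmac
import struct
import uuid

SLOT_SECONDS = 60   # assumed rotation interval (the "fixed points in time")
ID_LEN = 16         # 16-byte dynamic identifier, the recommended length


def beacon_seed(real_uuid, major, minor, secret):
    """Hash the real UUID/Major/Minor plus a per-beacon secret (assumption) into a seed."""
    material = real_uuid.bytes + struct.pack(">HH", major, minor) + secret
    return hashlib.sha256(material).digest()


def dynamic_id(seed, unix_time):
    """Pseudo-random identifier for the time slot containing unix_time, truncated."""
    slot = int(unix_time) // SLOT_SECONDS
    return hmac.new(seed, struct.pack(">Q", slot), hashlib.sha256).digest()[:ID_LEN]


class Resolver:
    """Receiving end: regenerates every known beacon's identifier and matches it."""

    def __init__(self, beacons, skew_slots=1):
        # beacons: iterable of (uuid.UUID, major, minor, secret)
        self._seeds = [((u, ma, mi), beacon_seed(u, ma, mi, s))
                       for u, ma, mi, s in beacons]
        self._skew = skew_slots  # tolerated clock drift, in slots

    def resolve(self, received_id, now):
        """Return (uuid, major, minor) of the sender, or None if unknown or stale."""
        match = None
        for identity, seed in self._seeds:
            for delta in range(-self._skew, self._skew + 1):
                candidate = dynamic_id(seed, now + delta * SLOT_SECONDS)
                if hmac.compare_digest(candidate, received_id):
                    match = identity
        return match


# Constructed sample data: two branches of the same chain (same UUID and Major).
CHAIN = uuid.UUID("11111111-2222-3333-4444-555555555555")
STORE_A = (CHAIN, 1, 7, b"constructed-secret-store-A")
STORE_B = (CHAIN, 1, 8, b"constructed-secret-store-B")
RESOLVER = Resolver([STORE_A, STORE_B])
T0 = 1_700_000_000  # constructed timestamp

if __name__ == "__main__":
    heard = dynamic_id(beacon_seed(*STORE_A), T0)
    print("broadcast id:", heard.hex())
    print("resolved now:", RESOLVER.resolve(heard, T0))
    print("resolved 10 slots later:", RESOLVER.resolve(heard, T0 + 10 * SLOT_SECONDS))
```

An observer without the per-beacon secret sees only an identifier that changes every slot, while the receiver maps it back to the real UUID, Major and Minor; a recorded identifier stops resolving once it falls outside the skew window.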
To solve the problem of counterfeit iBeacon base stations, please refer to Fig. 6, which is a flowchart of an iBeacon broadcast message authentication method (based on a message authentication code) according to an embodiment of the present invention.
S601: at the iBeacon base station,
S602: add an additional Bluetooth broadcast packet that includes a first message authentication code specific to each iBeacon base station;
S603: at the receiving end,
S604: for each iBeacon base station, after receiving the first message authentication code, the receiving end generates a second message authentication code using the key corresponding to the iBeacon base station from which the first message authentication code comes and the same plaintext message as the iBeacon base station used, and compares the first message authentication code with the second message authentication code;
S605: if they match, the message is determined to be authentic.
The following is a preferred implementation of this embodiment of the invention:
1) a message authentication code (or keyed hash) is generated over information specific to each iBeacon base station; the generation algorithm may be built on any cryptographic primitive, such as a cryptographic hash function or a block cipher, e.g., HMAC, CBC-MAC, CCM, GCM, etc.;
2) the message authentication code varies with time to prevent replay attacks;
3) the message authentication code may be truncated to save space or increase the difficulty of attack;
4) the message authentication code is sent in an additional Bluetooth broadcast packet of the iBeacon base station, where the broadcast packet may be an ordinary broadcast packet obtained by a BLE (Bluetooth Low Energy) scanning device during passive scanning, or a Scan Response packet sent by the broadcasting device when the scanning device performs active scanning;
5) after receiving the message authentication code, the receiving end generates a message authentication code using the key corresponding to the base station from which the received code comes and the same plaintext message as the base station used, compares the two message authentication codes, and determines that the message is authentic if they are identical;
6) the key used to generate the message authentication code is different for every iBeacon base station;
7) a static ID that does not change with time is generated for each iBeacon base station and is sent together with the message authentication code, to indicate the key corresponding to the message authentication code and the plaintext information used to generate it; the static ID generation algorithm may be, but is not limited to, any known message digest or hash algorithm;
8) the aforementioned static ID may be truncated.
In one example, a hash value is generated from information including the UUID, Major and Minor. One part of the hash value is taken as the static ID, and another part, together with timestamp information, is taken as the message; the HMAC algorithm is used with a key to generate a message authentication code, which is then truncated; and the resulting static ID and message authentication code are transmitted in a Scan Response packet of the iBeacon base station. After the server receives the static ID and the message authentication code submitted by the handheld device, it looks up the corresponding key by the static ID, derives the message in the same way as the base station, computes the message authentication code with the HMAC algorithm and that key, and compares the computed code with the received one; if they match, the message source is shown to be reliable.
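The static-ID and truncated-HMAC exchange from this example, as added Python code that is not part of the patent text. Assumptions: SHA-256 and HMAC-SHA256, a 6-byte static ID, an 8-byte tag, a 30-second time slot as the timestamp, and constructed keys and beacons; the verifier accepts only tags for the current slot plus or minus one, which is what makes a recorded packet stale.

```python
import hashlib
import hmac
import struct
import uuid

STATIC_ID_LEN = 6   # truncated static ID (assumed length)
TAG_LEN = 8         # truncated HMAC (assumed length)
SLOT_SECONDS = 30   # assumed timestamp granularity


def identity_hash(real_uuid, major, minor):
    """Hash of the information containing UUID, Major and Minor."""
    return hashlib.sha256(real_uuid.bytes + struct.pack(">HH", major, minor)).digest()


def mac_tag(key, digest, slot):
    """Truncated HMAC over (rest of the hash || time slot)."""
    message = digest[STATIC_ID_LEN:] + struct.pack(">Q", slot)
    return hmac.new(key, message, hashlib.sha256).digest()[:TAG_LEN]


def build_payload(real_uuid, major, minor, key, unix_time):
    """Base station side: static ID followed by the time-varying tag."""
    digest = identity_hash(real_uuid, major, minor)
    slot = int(unix_time) // SLOT_SECONDS
    return digest[:STATIC_ID_LEN] + mac_tag(key, digest, slot)


class Verifier:
    """Server side: static ID selects the key, then the tag is recomputed."""

    def __init__(self, registry, skew_slots=1):
        # registry: iterable of (uuid.UUID, major, minor, key)
        self._by_static_id = {}
        for real_uuid, major, minor, key in registry:
            digest = identity_hash(real_uuid, major, minor)
            self._by_static_id[digest[:STATIC_ID_LEN]] = (
                digest, key, (real_uuid, major, minor))
        self._skew = skew_slots

    def verify(self, payload, now):
        """Return (uuid, major, minor) if the tag is fresh and valid, else None."""
        if len(payload) != STATIC_ID_LEN + TAG_LEN:
            return None
        entry = self._by_static_id.get(payload[:STATIC_ID_LEN])
        if entry is None:
            return None
        digest, key, identity = entry
        received = payload[STATIC_ID_LEN:]
        slot = int(now) // SLOT_SECONDS
        ok = False
        for delta in range(-self._skew, self._skew + 1):
            # Constant-time comparison for every candidate slot.
            ok |= hmac.compare_digest(mac_tag(key, digest, slot + delta), received)
        return identity if ok else None


# Constructed sample data.
BEACON = (uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"), 3, 42,
          b"constructed-per-beacon-key")
VERIFIER = Verifier([BEACON])
T0 = 1_700_000_000

if __name__ == "__main__":
    packet = build_payload(*BEACON, T0)
    print("payload:", packet.hex(), f"({len(packet)} bytes)")
    print("fresh:", VERIFIER.verify(packet, T0))
    print("replayed 10 minutes later:", VERIFIER.verify(packet, T0 + 600))
```

Truncating the tag shortens the payload but also lowers the work needed to guess a valid tag, so the tag length and the slot length should be chosen together.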
Similarly, to solve the problem of the iBeacon base station being forged, please refer to Fig. 7, which is a flowchart of an iBeacon broadcast message authentication method (based on a digital signature) according to an embodiment of the present invention.
S701: at the iBeacon base station,
S702: add an additional Bluetooth broadcast packet that includes a digital signature;
S703: at the receiving end,
S704: for each iBeacon base station, after receiving the digital signature, the receiving end uses the public key corresponding to the iBeacon base station from which the digital signature comes and the same plaintext message as the base station used,
S705: and verifies the authenticity of the signature with the corresponding digital signature algorithm.
The following is a preferred implementation of this embodiment of the invention:
1) a digital signature is generated over information specific to each iBeacon base station using a digital signature algorithm, which may be any feasible digital signature algorithm, in particular a short signature algorithm such as the BLS (Boneh-Lynn-Shacham) algorithm, the BB (Boneh-Boyen) algorithm, the ZSS (Zhang-Safavi-Susilo) algorithm, etc.;
2) the digital signature varies with time to prevent replay attacks;
3) the length of the digital signature is limited to 31 bytes or less so that it fits in a Bluetooth broadcast packet;
4) the digital signature is sent in an additional Bluetooth broadcast packet of the iBeacon base station, where the broadcast packet may be an ordinary broadcast packet obtained by a BLE (Bluetooth Low Energy) scanning device during passive scanning, or a Scan Response packet sent by the broadcasting device when the scanning device performs active scanning;
5) after receiving the digital signature, the receiving end verifies the authenticity of the signature with the specific digital signature algorithm, using the public key corresponding to the base station from which the digital signature comes and the same plaintext message as the base station used;
6) the private/public key pair used by the digital signature algorithm is different for each iBeacon base station;
7) a static ID that does not change with time is generated for each iBeacon base station and is transmitted together with the digital signature, to indicate the public key corresponding to the digital signature and the message used to generate it; the static ID generation algorithm may be, but is not limited to, any known message digest or hash algorithm;
8) the aforementioned static ID may be truncated.
In one example, a hash value is generated from information containing the UUID, Major and Minor. One part of the hash value is taken as the static ID, and another part, together with timestamp information, is taken as the message; a short digital signature of 20 bytes is generated with the BLS algorithm and a private key; and the resulting static ID and short signature are transmitted together in a Scan Response packet of the iBeacon base station. After receiving the static ID and the short signature submitted by the handheld device, the server looks up the corresponding public key by the static ID, derives the message in the same way as the base station, and verifies the authenticity of the short signature with the BLS algorithm.
Because it uses an asymmetric key system, the digital signature method proposed here has two benefits over the message authentication code method described above: 1) when the receiving end verifies the authenticity of the message, it uses the public key instead of a shared secret key, so the risk of secret key leakage is avoided, and the private key needs to exist only in the iBeacon base station; 2) it provides non-repudiation, i.e. the digital signature can only be issued by the party holding the private key, so that as long as the private key has not been disclosed, the signature can be concluded to come from the iBeacon base station.
In order to solve the problem that the iBeacon base station signal is stolen and forged at the same time, the above methods of generating the dynamic identifier and generating the message authentication code may be combined, and please refer to fig. 8, which is a schematic flow chart of a method for encrypting and authenticating the iBeacon broadcast message in an embodiment of the present invention.
S801: at the iBeacon base station,
S802: add an extra Bluetooth broadcast packet, wherein the extra Bluetooth broadcast packet comprises a first dynamic identifier and a first message authentication code for each iBeacon base station;
S803: at the receiving end,
S804: generate, for each iBeacon base station, a second dynamic identifier which is the same as the first dynamic identifier, and determine the iBeacon base station from which the signal comes and the corresponding UUID, Major and Minor according to whether the first dynamic identifier is the same as the second dynamic identifier;
S805: generate a second message authentication code using the key corresponding to the iBeacon base station from which the first message authentication code comes and the same plaintext message as the iBeacon base station, and compare the first message authentication code with the second message authentication code;
S806: if they are consistent, the authenticity of the message is confirmed.
For reference, the above method may comprise the following parts:
1) sending a dynamic Identification (ID) in an additional Bluetooth broadcast packet of the iBeacon base station, wherein the dynamic identification changes at regular intervals so as to form a sequence, and the dynamic identification sequence sent by each iBeacon base station is different;
2) the dynamic identifier may be a pseudo-random number or a cryptographically secure pseudo-random number, and the algorithm for generating the pseudo-random number may be any random number generation algorithm available in the field, including a linear congruential algorithm, the Mersenne Twister algorithm, an Xorshift algorithm, the Yarrow algorithm, and the like;
3) the aforementioned pseudo random number may be truncated;
4) for the specific information of each base station or the aforementioned dynamic identifier, a message authentication code (MAC) or keyed hash is generated using a key, where the generation algorithm of the message authentication code or keyed hash may be built from any cryptographic primitive, such as a cryptographic hash function or a block cipher algorithm, e.g., HMAC, CBC-MAC, CCM, GCM, etc.;
5) the message authentication code varies with time to prevent replay attacks;
6) the message authentication code can be truncated so as to save space or increase attack difficulty;
7) the dynamic identifier and the message authentication code are sent together in an additional Bluetooth broadcast packet of the iBeacon base station, where the broadcast packet may be a normal broadcast packet obtained when a BLE (Bluetooth Low Energy) scanning device performs passive scanning, or a Scan Response broadcast packet sent by the broadcasting device during active scanning;
8) at a receiving end, generating the same dynamic identification aiming at each iBeacon base station, wherein the dynamic identification synchronously changes with the iBeacon base station along with the time, and after receiving the dynamic identification of the base station, the receiving end compares the dynamic identification with the dynamic identification generated by the receiving end, so that which iBeacon base station the signal comes from and the corresponding UUID, Major, Minor and message authentication code key are determined;
9) after receiving the message authentication code, the receiving end generates a message authentication code by using a secret key corresponding to a base station from which the message authentication code comes and a plaintext message identical to the base station, compares the two message authentication codes, and determines the authenticity of the message if the two message authentication codes are identical;
10) the key of the message authentication code generation algorithm is different for each iBeacon;
11) the UUID, Major, and Minor originally sent by the iBeacon base station are set to meaningless values, for example, all the iBeacon base stations use the same set of UUID, Major, and Minor, or share several such sets.
In one implementation, a hash value is generated from information including the real UUID, Major and Minor. Part or all of the hash value is used as an input of a pseudo-random number generator, a pseudo-random number is generated at a fixed time node, and all or part of the random number is used as the dynamic identifier. All or part of the hash value, together with timestamp information, forms the message; a message authentication code is calculated over it using the HMAC algorithm and a key, and then truncated. The resulting dynamic identifier and message authentication code are transmitted in a Scan Response broadcast packet of the iBeacon base station. After the server receives the dynamic identifier and the message authentication code submitted by the handheld device, it compares the received dynamic identifier with the dynamic identifiers it generates synchronously, retrieves the corresponding message authentication code key, derives the message using the same method as the base station, calculates the message authentication code using the HMAC algorithm and the corresponding key, and compares the calculated message authentication code with the received one; if they are consistent, the information source is proven reliable. The input to the pseudo-random number generator may be, but is not limited to, a seed, an initialization vector, a key, a nonce, and the like.
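The combined dynamic-identifier and message-authentication-code flow (S801 to S806 and the implementation just described) can be sketched as follows; this is an added example, not code from the patent. It substitutes an HMAC-SHA256 keyed function for the unspecified pseudo-random number generator, and the 60-second rotation interval, the 8-byte truncation lengths, the one-slot clock-drift window and the sample keys and UUIDs are all assumptions.

```python
import hashlib
import hmac
import struct

SLOT_SECONDS = 60   # assumed rotation interval ("fixed time node")
ID_LEN = 8          # assumed truncation of the dynamic identifier, in bytes
MAC_LEN = 8         # assumed truncation of the HMAC tag, in bytes

# Constructed sample data (not from the patent): (key, real UUID, Major, Minor).
STATIONS = [
    (bytes(range(16)), "11111111-2222-3333-4444-555555555555", 1, 10),
    (bytes(range(16, 32)), "11111111-2222-3333-4444-555555555555", 1, 11),
]


def identity_hash(uuid_hex: str, major: int, minor: int) -> bytes:
    """Hash of the real UUID/Major/Minor, which are never broadcast."""
    raw = bytes.fromhex(uuid_hex.replace("-", "")) + struct.pack(">HH", major, minor)
    return hashlib.sha256(raw).digest()


def _prf(key: bytes, label: bytes, ident: bytes, slot: int) -> bytes:
    # Domain-separated HMAC over (label, identity hash, time slot).
    msg = label + ident + struct.pack(">Q", slot)
    return hmac.new(key, msg, hashlib.sha256).digest()


def beacon_payload(key: bytes, ident: bytes, now: int) -> bytes:
    """Base-station side: dynamic identifier followed by the truncated MAC."""
    slot = now // SLOT_SECONDS
    return _prf(key, b"id", ident, slot)[:ID_LEN] + _prf(key, b"mac", ident, slot)[:MAC_LEN]


class Verifier:
    """Receiving end: holds every station's key and real identity."""

    def __init__(self, stations, drift_slots: int = 1):
        self.stations = [(k, identity_hash(u, ma, mi), (u, ma, mi)) for k, u, ma, mi in stations]
        self.drift_slots = drift_slots

    def resolve(self, payload: bytes, now: int):
        """Return (uuid, major, minor) for a current, authentic payload, else None."""
        if len(payload) != ID_LEN + MAC_LEN:
            return None
        dynamic_id, tag = payload[:ID_LEN], payload[ID_LEN:]
        slot_now = now // SLOT_SECONDS
        first = max(0, slot_now - self.drift_slots)
        for slot in range(first, slot_now + self.drift_slots + 1):
            for key, ident, real in self.stations:
                # Step S804: match the received identifier against our own sequence.
                if not hmac.compare_digest(_prf(key, b"id", ident, slot)[:ID_LEN], dynamic_id):
                    continue
                # Steps S805/S806: recompute the MAC and compare in constant time.
                expected = _prf(key, b"mac", ident, slot)[:MAC_LEN]
                if hmac.compare_digest(expected, tag):
                    return real
        return None
```

Because the verifier derives the time slot from its own clock, a payload captured and replayed after the drift window no longer resolves to any station.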
Based on the above, to address the case where the iBeacon base station signal is both used without authorization and forged, the above methods for generating the dynamic identifier and the digital signature may be combined. For reference, Fig. 9 is a schematic flow chart of the method for encrypting and authenticating the iBeacon broadcast message.
S901: at the iBeacon base station,
S902: add an additional Bluetooth broadcast packet, wherein the additional Bluetooth broadcast packet comprises a first dynamic identifier and a digital signature;
S903: at the receiving end,
S904: generate, for each iBeacon base station, a second dynamic identifier which is the same as the first dynamic identifier, and determine the iBeacon base station from which the signal comes and the corresponding UUID, Major and Minor according to whether the first dynamic identifier is the same as the second dynamic identifier;
S905: use the public key corresponding to the iBeacon base station from which the digital signature comes and the same plaintext message as the base station to verify the authenticity of the signature according to the corresponding digital signature algorithm.
For reference, the above method may comprise the following parts:
1) sending a dynamic Identification (ID) in an additional Bluetooth broadcast packet of the iBeacon base station, wherein the dynamic identification changes at regular intervals so as to form a sequence, and the dynamic identification sequence sent by each iBeacon base station is different;
2) the dynamic identifier may be a pseudo-random number or a cryptographically secure pseudo-random number, and the algorithm for generating the pseudo-random number may be any random number generation algorithm available in the field, including a linear congruential algorithm, the Mersenne Twister algorithm, an Xorshift algorithm, the Yarrow algorithm, and the like;
3) the aforementioned pseudo random number may be truncated;
4) generating a digital signature using a digital signature algorithm for the specific information of each iBeacon base station or the dynamic identifier, wherein the digital signature algorithm includes various known digital signature algorithms, in particular short signature algorithms, such as a BLS algorithm, a BS algorithm, a ZSS algorithm and the like;
5) the aforementioned digital signature varies with time to prevent replay attacks;
6) the dynamic identifier and the digital signature are sent together in an additional Bluetooth broadcast packet of the iBeacon base station, where the broadcast packet may be a normal broadcast packet obtained when a BLE (Bluetooth Low Energy) scanning device performs passive scanning, or a Scan Response broadcast packet sent by the broadcasting device during active scanning;
7) at a receiving end, generating the same dynamic identification aiming at each iBeacon base station, wherein the dynamic identification synchronously changes with the iBeacon base station along with the time, and after receiving the dynamic identification of the base station, the receiving end compares the dynamic identification with the dynamic identification generated by the receiving end, so that which iBeacon base station the signal comes from and the corresponding UUID, Major, Minor and the public key of the digital signature are determined;
8) after receiving the digital signature, the receiving end uses a public key corresponding to the base station from which the digital signature comes and a plaintext message identical to the base station to identify the authenticity of the signature according to a specific digital signature algorithm;
9) each iBeacon base station uses a different private key and public key pair for the digital signature generation algorithm;
10) the UUID, Major, and Minor originally sent by the iBeacon base station are set to meaningless values, for example, all the iBeacon base stations use the same set of UUID, Major, and Minor, or share several such sets.
In one implementation, a hash value is generated from information containing the real UUID, Major and Minor. Part or all of the hash value is used as an input of a pseudo-random number generator, a pseudo-random number is generated at a fixed time node, and all or part of the random number is used as the dynamic identifier. All or part of the hash value, together with timestamp information, is taken as the message, and a 20-byte short digital signature is generated from it using the BLS algorithm and the private key. The resulting dynamic identifier and digital signature are transmitted in a Scan Response broadcast packet of the iBeacon base station. After the server receives the dynamic identifier and the digital signature submitted by the handheld device, it compares the received dynamic identifier with the dynamic identifiers it generates synchronously, retrieves the corresponding digital signature public key, derives the message using the same method as the base station, and verifies the short signature according to the BLS algorithm. The input to the pseudo-random number generator may be, but is not limited to, a seed, an initialization vector, a key, a nonce, and the like.
All examples mentioned above are intended to be illustrative only and not limiting, and any possible combination is contemplated herein.

Claims (4)

1. A method for encrypting an iBeacon broadcast message, which transmits a Bluetooth broadcast packet from an iBeacon base station to a receiving end, comprises the following steps:
adding an extra Bluetooth broadcast packet at an iBeacon base station, wherein the extra Bluetooth broadcast packet comprises a first dynamic identifier;
generating a second dynamic identification at the receiving end based on each iBeacon base station, determining the iBeacon base station from which a signal comes and the corresponding UUID, Major and Minor according to whether the first dynamic identification is the same as the second dynamic identification, wherein the first dynamic identification changes at regular intervals to form a sequence, and the dynamic identification sequence sent by each iBeacon base station is different;
setting UUIDs, Major and Minor sent by the iBeacon base stations to be meaningless values, namely all the iBeacon base stations use at least one set of same UUIDs, Major and Minor; generating a hash value by the information containing the real UUID, Major and Minor; using part or all of the hash value as the input of a pseudo-random number generator, and generating a pseudo-random number at a fixed time node; and all or part of the random number is used as a dynamic identifier and is sent by a broadcast packet of the iBeacon base station.
2. A method for encrypting and authenticating an iBeacon broadcast message, which transmits a Bluetooth broadcast packet from an iBeacon base station to a receiving end, comprises the following steps:
adding an additional Bluetooth broadcast packet at the iBeacon base station, wherein the additional Bluetooth broadcast packet comprises a first dynamic identifier and a first message authentication code aiming at each iBeacon base station;
generating a second dynamic identification on the basis of each iBeacon base station at the receiving end, and determining the iBeacon base station from which the signal comes and the UUID, the Major and the Minor corresponding to the iBeacon base station according to whether the first dynamic identification is the same as the second dynamic identification;
generating a second message authentication code by using a key corresponding to the iBeacon base station from which the first message authentication code comes and a plaintext message identical to the iBeacon base station, comparing the first message authentication code with the second message authentication code, and if the first message authentication code and the second message authentication code are identical, determining the authenticity of the message,
the first dynamic identification changes at regular intervals to form a sequence, and the dynamic identification sequences sent by each iBeacon base station are different;
setting UUIDs, Major and Minor sent by the iBeacon base stations to be meaningless values, namely all the iBeacon base stations use at least one set of same UUIDs, Major and Minor; generating a hash value by the information containing the real UUID, Major and Minor; using part or all of the hash value as the input of a pseudo-random number generator, and generating a pseudo-random number at a fixed time node; and all or part of the random number is used as a dynamic identifier and is sent by a broadcast packet of the iBeacon base station.
3. A method for encrypting and authenticating an iBeacon broadcast message, which transmits a Bluetooth broadcast packet from an iBeacon base station to a receiving end, comprises the following steps:
adding an extra Bluetooth broadcast packet at an iBeacon base station, wherein the extra Bluetooth broadcast packet comprises a first dynamic identifier and a digital signature;
generating a second dynamic identification on the basis of each iBeacon base station at the receiving end, and determining the iBeacon base station from which the signal comes and the UUID, the Major and the Minor corresponding to the iBeacon base station according to whether the first dynamic identification is the same as the second dynamic identification;
the authenticity of the signature is verified according to a corresponding digital signature algorithm by using a public key corresponding to the iBeacon base station from which the digital signature comes and a plaintext message which is the same as the base station,
the first dynamic identification changes at regular intervals to form a sequence, and the dynamic identification sequences sent by each iBeacon base station are different;
setting UUIDs, Major and Minor sent by the iBeacon base stations to be meaningless values, namely all the iBeacon base stations use at least one set of same UUIDs, Major and Minor; generating a hash value by the information containing the real UUID, Major and Minor; using part or all of the hash value as the input of a pseudo-random number generator, and generating a pseudo-random number at a fixed time node; and all or part of the random number is used as a dynamic identifier and is sent by a broadcast packet of the iBeacon base station.
4. The method of claim 3 in which the additional Bluetooth broadcast packets are normal broadcast packets obtained when a Bluetooth scanning device is passively scanning or scan response broadcast packets sent by a broadcasting device when a scanning device is actively scanning.
CN201510290512.0A 2015-06-01 2015-06-01 Method for encrypting and authenticating iBeacon broadcast message Expired - Fee Related CN106304046B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510290512.0A CN106304046B (en) 2015-06-01 2015-06-01 Method for encrypting and authenticating iBeacon broadcast message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510290512.0A CN106304046B (en) 2015-06-01 2015-06-01 Method for encrypting and authenticating iBeacon broadcast message

Publications (2)

Publication Number Publication Date
CN106304046A CN106304046A (en) 2017-01-04
CN106304046B true CN106304046B (en) 2020-01-07

Family

ID=57655433

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510290512.0A Expired - Fee Related CN106304046B (en) 2015-06-01 2015-06-01 Method for encrypting and authenticating iBeacon broadcast message

Country Status (1)

Country Link
CN (1) CN106304046B (en)

Also Published As

Publication number Publication date
CN106304046A (en) 2017-01-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20200107

Termination date: 20210601