CN108471402A - Internet of Things identity identifying method based on connector secret signal anonymity - Google Patents
Internet of Things identity identifying method based on connector secret signal anonymity Download PDFInfo
- Publication number
- CN108471402A CN108471402A CN201810140301.2A CN201810140301A CN108471402A CN 108471402 A CN108471402 A CN 108471402A CN 201810140301 A CN201810140301 A CN 201810140301A CN 108471402 A CN108471402 A CN 108471402A
- Authority
- CN
- China
- Prior art keywords
- node
- internet
- secret signal
- certification
- executes
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 46
- 238000012795 verification Methods 0.000 claims abstract description 13
- 238000004364 calculation method Methods 0.000 claims description 23
- 230000004044 response Effects 0.000 claims description 20
- 230000006854 communication Effects 0.000 claims description 13
- 230000005540 biological transmission Effects 0.000 claims description 10
- 238000012545 processing Methods 0.000 claims description 9
- 210000001503 joint Anatomy 0.000 claims description 3
- 235000013399 edible fruits Nutrition 0.000 claims 1
- 230000002457 bidirectional effect Effects 0.000 abstract description 5
- 230000008569 process Effects 0.000 abstract description 4
- 238000005516 engineering process Methods 0.000 description 12
- 238000004891 communication Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 241000208340 Araliaceae Species 0.000 description 2
- 235000005035 Panax pseudoginseng ssp. pseudoginseng Nutrition 0.000 description 2
- 235000003140 Panax quinquefolius Nutrition 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 235000008434 ginseng Nutrition 0.000 description 2
- 230000009545 invasion Effects 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 230000002776 aggregation Effects 0.000 description 1
- 238000004220 aggregation Methods 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000019771 cognition Effects 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 230000008878 coupling Effects 0.000 description 1
- 238000010168 coupling process Methods 0.000 description 1
- 238000005859 coupling reaction Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 239000003999 initiator Substances 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000000149 penetrating effect Effects 0.000 description 1
- 230000008447 perception Effects 0.000 description 1
- 238000003860 storage Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0421—Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention relates to Internet of Things field of identity authentication, disclose a kind of Internet of Things identity identifying method based on connector secret signal anonymity, and this method includes:Step 1, using safe secret signal negotiate that other participation node integralities anonymities are completed trust authority and calculated with multi-party computations method, protection node connector secret signal information;Step 2, the Receiver algorithms that the Sender algorithms and recipient executed by sender executes complete the certification of identity.The Internet of Things identity identifying method based on connector secret signal anonymity can safely, be rapidly completed multinode bidirectional identity authentication in environment of internet of things, ensure that node key message is anonymous, the calculating for saving verification process is spent.
Description
Technical field
The present invention relates to Internet of Things field of identity authentication, and in particular, to the Internet of Things identity based on connector secret signal anonymity
Authentication method.
Background technology
Internet of Things (Internet of Things, abbreviation IoT), Massachusetts Institute of Technology Kevin Ahs-ton were in 1999
It is put forward for the first time, is a kind of generalized internet, is i.e. the internet of object object interconnection.Internet of Things application enumerates the more of people's life production
A field, such as agriculture Internet of Things, industrial Internet of Things, Internet of Things medical treatment, smart city, technology of Internet of things is generation information skill
Art important composition greatly pushes social informatization to develop.Internet of Things is the product that internet continues development, can be by penetrating
The cognition technologies such as frequency technology, Intellisense, general fit calculation complete interconnecting between object and object, but its core is still
Network, therefore, the Cyberthreat in internet also exist in environment of internet of things, simultaneously as the complexity of Internet of Things is various, section
Point quantity is huge more, this makes Internet of Things that will face more serious safety problem.
Multi-party computations technology, which is one kind, can protect user data information not participated in his user by it to know, while again
Energy is completed multi-party participation and is calculated, and it is anonymous that this technology can be very good completion user data information.RSA cryptographic algorithms are most common
Signcryption Algorithm be usually only used for encrypting some critical data information, such as symmetric key, abstract since its calculating is complicated
Information etc..Develop against cryptological technique, elliptic curve cryptography (ECC) algorithm is suggested, because of identical digit key, ECC is calculated
Method is than RSA Algorithm safety, so people prefer to carry out cryptography key information using ECC algorithm.Message digest computation technology also by
Referred to as Hash calculation (Hash) technology can select corresponding data position to the data of indefinite length according to certain rule, composition
The data of one fixed length, common digits long have 160,224,256,384,512 etc..
Its Main Patterns of the safety approach of Internet of Things authentication can be divided into two kinds:It is taken one is trusted third party is taken
Business is provided trusted service by third party, the legitimacy of confirmation request object is carried out with this;Another kind is recognizing for without TTP
Card scheme, this scheme are one kind woth no need to trusted third party's bidirectional identity authentication scheme.Mahalle et al. proposes one kind and is based on
The access control model of node capacity, node can access related resource according to the permission of oneself, this models coupling node
Access control policy carrys out predicate node identity legitimacy;Zhang et al. proposes a kind of authentication side based on geographical location
Method, this authentication method calculate the credible of oneself using the believable interstitial content adjacent within the scope of certain distance with oneself
Degree, has ignored the secret protection to node location information, does not analyze and occurs attack node around the node within a certain range
How should handle;Reddy et al. proposes the mobile node identity verification scheme based on ellipse curve encryption and decryption method, still
There are the defects of man-in-the-middle attack, are easy leakage nodal information, this point is pointed out by Niu et al., and is improved, Jin Erda
To anonymous effect, Niu et al. certificate schemes are to belong to the certification mode based on trusted service, while increasing section again
The operation link of point personal information anonymity, increases the complexity of certification policy, in verification process initiator and respective party it
Between there are false identities attack threaten.
Identity identifying technology is the effective ways of nodal method, and common identity identifying method includes password, biological characteristic, intelligence
Can block etc., different application scene has different ID authentication mechanisms again.In order to ensure Internet of Things net system safety, need to Internet of Things
Architecture interior joint authentication prevents illegal node invasion, illegal node from carrying out data eavesdropping and other multiple networks
Attack.In internet of things structure frame, including multiclass node, according to the layer of structure of Internet of Things can be divided into end point node and
Network node, terminal node include mobile terminal, PC terminals, perception terminal (Various types of data detecting sensor), Cloud Server end
End etc.;Network node includes the aggregation gateway of sensor network, communication network routing and rete mirabile Convergence gateway etc..Node identities are recognized
Card seeks to ensure all node legitimacies in entire environment of internet of things, and illegal node illegal invasion is resisted and other are non-with this
Judicial act.
The above content simply describes Internet of Things basic technology, information security technology, and recognizes Internet of Things identity in recent years
Card scheme advantage and disadvantage are briefly described.Comprehensive analysis, there are following several respects for current Internet of things node identity verification scheme
It is insufficient:Dependent on online service certification, authentication calculations spend big and key message leakage etc..
Invention content
The object of the present invention is to provide a kind of Internet of Things identity identifying methods based on connector secret signal anonymity, should be based on connector
The Internet of Things identity identifying method of secret signal anonymity can safely, multinode bidirectional identity authentication in environment of internet of things is rapidly completed,
Ensure that node key message is anonymous, the calculating for saving verification process is spent.
To achieve the goals above, the present invention provides a kind of Internet of Things identity identifying method based on connector secret signal anonymity,
This method includes:
Step 1, negotiated using safe secret signal and multi-party computations method, protection node connector secret signal information join other
It is anonymous with node integrality, it completes to trust authority calculating;
Step 2, the Receiver algorithms that the Sender algorithms and recipient executed by sender executes complete identity
Certification.
Preferably, in step 1,
S1, strange participation node broadcasts oneself public key in security scenario, and receives other node public keys, and is recorded in section
In point catalogue record sheet PUCT, convenient for verifying node signature validity in common scene;
S2, node butt joint secret signal information carry out initialization operation, will own in connector secret signal according to number of nodes n is participated in
Element random division is n part tuple PT [n], random selection part tuple PT [k] as oneself private information, k belong to [0,
N-1] an integer, private information do not make communication process, and only participating in node section result PR in intra-node calculates, other portions
Point tuple PT [i] node makees communication process, is received and calculating section result PR, i ≠ k by other nodes;
S3, each node receive the portion of other all nodes to other all participation node transmitting portion tuple PT [i]
Tuple PT [j], j is divided to belong to [0, n-2], j value differences indicate that part tuple PT [j] from different nodes, passes through following formula
Calculating section result PR,
S4, each node receive the portion of other nodes to other all participation node transmitting portion result of calculation PR [k]
Result PR [j], all some numerical results is divided to calculate overall result WR using addition, multiplication or other complicated calculations methods, and
Using overall result WR as trust authority CR,
Wherein, PR [k] indicates that node oneself partial results, PR [j] indicate to come from other nodes.
Preferably, in step 2, the step of Sender algorithms of sender's execution include:
S5, all participation nodes are completed multi-party secret signal and are negotiated, and node can trust authority CR having the same and all ginsengs
With nodal directory record sheet PUCT, authority CR and all participation nodal directory record sheet PUCT is trusted in input;
S6 sets node type to transmission types if node, which is in idle condition, can initiate certification request, if section
Point can set node in processing state to receive type;
S7, decision node type are then true, execute step 8 if it is transmission types;If not transmission types, then for
Vacation executes step 9;
S8 executes Sender algorithms, completes sender's authentication processing, executes S10;
S9 executes Receiver algorithms, completes recipient's authentication processing, executes S10;
S10 executes S14 if certification passes through;If certification is not over executing S11;
Requesting node information is added in illegal nodes records table _ PUCT S11, records illegal nodal information, resists illegal
Whether entity authentication is asked, and computing cost is saved, if sending certification request, first judge the node in illegal nodes records
In, if directly abandoning request, otherwise continuing with, executing S14;
S12 judges illegal number of nodes, after newly increasing illegal node and reaching certain amount, is carried out S13, notifies it
The new illegal nodal information of his node, otherwise executes S14;
Illegal nodal information is broadcast to other and participates in node _ PUCT by S13, inhibits these illegal entity authentication requests, section
Save Internet resources;
S14 judges whether all nodes are fully completed certification in all participation nodal directory record sheet PUCT, if all
It participates in then returning to True without strange node in nodal directory record sheet PUCT, completing certification, otherwise execute S6.
Preferably, in step 2, the method for the Sender algorithms of sender's execution includes:
Authority CR and all participation nodal directory record sheet PUCT is trusted in S15, node input;
S16, node generate random number N 1 according to system random function Random (), counter t1=1 are generated, if certification is asked
Failure is asked, then t1=t1+1, if t1<T is invalid, then after waiting for a period of time, enables t1=1, continues to send certification request;
S17, node pass through software digest calculations and signature interface or hardware interface using trust authority CR and node private key
To (CR | | N1 | | t1) progress digest calculations go out m, and it is m1 to use node private key signature, executes S18;
Node call software or hardware Hash interfaces calculate summary info m=Hash (CR | | N1 | | t1), use node private
M computations are generated m1 by key sk, execute next step S18;
S18 sends authentication data (m1, N1, t1), illustrates oneself identity legitimacy to recipient, into S19;
S19 waits for the response message (m2, N2, t2) of receiving node;
S20, after receiving response, in t2<In the case that T is set up with following formula, response is to be with validity, signature
With correctness and node has legitimacy, wherein N1 illustrates that it is corresponding to respond with request;
EReceiver pk(m2)=Hash (CR | | N1 | | N2 | | t2);
S21, after both sides are by verification, sending node is according to N2, oneself trust authority CR and the random number in certification message
N1 establishes safely session key sessionKey;
SessionKey=Hash (CR | | N1 | | N2).
Preferably, in step 2, the step of Receiver algorithms of recipient's execution include:
Authority CR and all participation nodal directory record sheet PUCT is trusted in S22, node input;
S23 waits for the response message (m1, N1, t1) of receiving node;
S24:After receiving response, if t1<T, then request is effective, and otherwise request is invalid;If following formula are set up, sender
Identifier node is legal, executes S25, and otherwise node is illegal, returns to False;
ESender pk(m1)=Hash (CR | | N1 | | t1);
S25, node generate random number N 2 according to system random function Random (), generate counter t2=1, if certification is rung
It should fail, then t2=t2+1;If t2<T is invalid, then after waiting for a period of time, enables t2=1, continues to send authentication response;
S26, node are connect using authority CR and node private key sk is trusted by software digest calculations and signature interface or hardware
Mouthful to (CR | | N1 | | N2 | | t2) carry out digest calculations and go out m, and the use of node private key signature is m2, executes S27;
Node call software or hardware Hash interfaces calculate summary info m=Hash (CR | | N1 | | N2 | | t2), use section
M computations are generated m2 by point private key sk, execute next step S27;
S27 sends authentication data (m2, N2, t2), illustrates oneself identity legitimacy to sending node;
S28:After both sides are by verification, receiving node is according to N1, oneself trust authority CR and the random number in certification message
N2 establishes safely session key sessionKey by following formula;
SessionKey=Hash (CR | | N1 | | N2).
Through the above technical solutions, inventive joint secret signal integrality is anonymous, connector secret signal initialization operation is dark by connector
Number element random division is multiple tuples, and retains a tuple as private information so that participation node can not obtain other
Node integrity of welded joint secret signal information;In two side's authentication procedures, two side's authentications are completed using 1 wheel communication;In session
When key is established, crucial Session key establishment information is embedded in certification message, reduces the communication overhead of structure session key;This hair
It is bright to support the bidirectional identity authentication between multiple nodes that complete the identity between multiple nodes in public offline scenario
Certification, and illegal node is filtered, save computing cost.
Other features and advantages of the present invention will be described in detail in subsequent specific embodiment part.
Description of the drawings
Attached drawing is to be used to provide further understanding of the present invention, an and part for constitution instruction, with following tool
Body embodiment is used to explain the present invention together, but is not construed as limiting the invention.In the accompanying drawings:
Fig. 1 is to illustrate that a kind of multi-party secret signal of preferred embodiment of the present invention negotiates flow chart;
Fig. 2 is to illustrate that a kind of two side's secret signals of preferred embodiment of the present invention negotiate structure diagram;
Fig. 3 is to illustrate that a kind of multi-party secret signal of preferred embodiment of the present invention negotiates structure diagram;
Fig. 4 is the multipart identification authentication flow based on connector secret signal anonymity for illustrating a kind of preferred embodiment of the present invention
Figure;
Fig. 5 is a kind of two side's identity authentication protocol block diagrams of preferred embodiment of the present invention;
Fig. 6 is a kind of authentication procedures sender based on connector secret signal anonymity of preferred embodiment of the present invention
Sender algorithm performs flow charts;And
Fig. 7 is a kind of authentication procedures recipient based on connector secret signal anonymity of preferred embodiment of the present invention
Receiver algorithm performs flow charts.
Specific implementation mode
The specific implementation mode of the present invention is described in detail below in conjunction with attached drawing.It should be understood that this place is retouched
The specific implementation mode stated is merely to illustrate and explain the present invention, and is not intended to restrict the invention.
The present invention provides a kind of Internet of Things identity identifying method based on connector secret signal anonymity, and this method includes:
Step 1, negotiated using safe secret signal and multi-party computations method, protection node connector secret signal information join other
It is anonymous with node integrality, it completes to trust authority calculating;
Step 2, the Receiver algorithms that the Sender algorithms and recipient executed by sender executes complete identity
Certification.
The Internet of Things identity identifying method based on connector secret signal anonymity of the present invention, in practical application scene, Ke Yian
Entirely, bidirectional nodes authentication between multiple nodes is efficiently completed, complicated environment of internet of things is more applicable for, is suitble to node
Higher two side of privacy requirement or multipart identification authentication are suitable for online or offline network environment.
Hardware realization can be used in elliptic curve encryption algorithm signature used herein, and signature chip is then embedded into object
Networked node equipment can also use software realization mode, and hardware realization has signature and verification signature calculation speed fast, special
Property it is strong the features such as, software realization needs to expend the certain computing resource of internet of things equipment and storage resource, specifically uses any reality
Existing mode can select according to actual needs.
Message digest computation involved in the present invention can be used internet of things equipment system and carry Hash interfaces or User Defined
Software or hardware realization such as use hardware realization, and the two is designed into a safety chip in combination with signature algorithm, both may be used in this way
To improve calculating speed, physical space can also be saved;.
The present invention is applied to internet of things equipment, and it is dark for storing connector that each equipment needs certain secure memory space
Number, participate in nodal directory table and illegal nodal directory record sheet.
In a kind of specific implementation mode of the present invention, in step 1,
S1, strange participation node broadcasts oneself public key in security scenario, and receives other node public keys, and is recorded in section
In point catalogue record sheet PUCT, convenient for verifying node signature validity in common scene;
S2, node butt joint secret signal information carry out initialization operation, will own in connector secret signal according to number of nodes n is participated in
Element random division is n part tuple PT [n], random selection part tuple PT [k] as oneself private information, k belong to [0,
N-1] an integer, private information do not make communication process, and only participating in node section result PR in intra-node calculates, other portions
Point tuple PT [i] node makees communication process, is received and calculating section result PR, i ≠ k by other nodes;
S3, each node receive the portion of other all nodes to other all participation node transmitting portion tuple PT [i]
Tuple PT [j], j is divided to belong to [0, n-2], j value differences indicate that part tuple PT [j] from different nodes, passes through following formula
Calculating section result PR,
S4, each node receive the portion of other nodes to other all participation node transmitting portion result of calculation PR [k]
Result PR [j], all some numerical results is divided to calculate overall result WR using addition, multiplication or other complicated calculations methods, and
Using overall result WR as trust authority CR,
Wherein, PR [k] indicates that node oneself partial results, PR [j] indicate to come from other nodes.
The multi-party secret signal negotiation step S1~S4 of security scenario, which describes multi-party secret signal, to be negotiated in Internet of Things distributed node ring
Detailed process in border needs to carry out concrete analysis realization to S1~S4, Fig. 2 describes 2 when internet of things equipment implements
A multi-party secret signal for participating in node negotiates a specific example, and the multi-party secret signal that Fig. 3 describes 4 participation nodes negotiates a tool
Body example.
The present invention a kind of specific implementation mode in, in step 2, sender execute Sender algorithms the step of wrap
It includes:
S5, all participation nodes are completed multi-party secret signal and are negotiated, and node can trust authority CR having the same and all ginsengs
With nodal directory record sheet PUCT, authority CR and all participation nodal directory record sheet PUCT is trusted in input;
S6 sets node type to transmission types if node, which is in idle condition, can initiate certification request, if section
Point can set node in processing state to receive type;
S7, decision node type are then true, execute step 8 if it is transmission types;If not transmission types, then for
Vacation executes step 9;
S8 executes Sender algorithms, completes sender's authentication processing, executes S10;
S9 executes Receiver algorithms, completes recipient's authentication processing, executes S10;
S10 executes S14 if certification passes through;If certification is not over executing S11;
Requesting node information is added in illegal nodes records table _ PUCT S11, records illegal nodal information, resists illegal
Whether entity authentication is asked, and computing cost is saved, if sending certification request, first judge the node in illegal nodes records
In, if directly abandoning request, otherwise continuing with, executing S14;
S12 judges illegal number of nodes, after newly increasing illegal node and reaching certain amount, is carried out S13, notifies it
The new illegal nodal information of his node, otherwise executes S14;
Illegal nodal information is broadcast to other and participates in node _ PUCT by S13, inhibits these illegal entity authentication requests, section
Save Internet resources;
S14 judges whether all nodes are fully completed certification in all participation nodal directory record sheet PUCT, if all
It participates in then returning to True without strange node in nodal directory record sheet PUCT, completing certification, otherwise execute S6.
Two side's identity authentication protocols of safety as shown in Figure 5, safely and fast complete secure two-way body between two nodes
Part certification, while being also Secure authentication important component, including the Sender algorithms of sender's execution and reception
The Receiver algorithms of Fang Zhihang, are shown in shown in Fig. 6, Fig. 7.
In a kind of specific implementation mode of the present invention, in step 2, the method for the Sender algorithms that sender executes can
To include:
Authority CR and all participation nodal directory record sheet PUCT is trusted in S15, node input;
S16, node generate random number N 1 according to system random function Random (), counter t1=1 are generated, if certification is asked
Failure is asked, then t1=t1+1, if t1<T is invalid, then after waiting for a period of time, enables t1=1, continues to send certification request;Continue
Certification request is sent, the certification that counter effectively enhances Internet of things node distributed environment is stablized, while overcoming distribution
Formula ambient time stationary problem, has effectively resisted the Replay Attack of illegal node;
S17, node pass through software digest calculations and signature interface or hardware interface using trust authority CR and node private key
To (CR | | N1 | | t1) progress digest calculations go out m, and it is m1 to use node private key signature, executes S18;
Node call software or hardware Hash interfaces calculate summary info m=Hash (CR | | N1 | | t1), use node private
M computations are generated m1 by key sk, execute next step S18;
S18 sends authentication data (m1, N1, t1), illustrates oneself identity legitimacy to recipient, into S19;
S19 waits for the response message (m2, N2, t2) of receiving node;
S20, after receiving response, in t2<In the case that T is set up with following formula, response is to be with validity, signature
With correctness and node has legitimacy, wherein N1 illustrates that it is corresponding to respond with request;
EReceiver pk(m2)=Hash (CR | | N1 | | N2 | | t2);
S21, after both sides are by verification, sending node is according to N2, oneself trust authority CR and the random number in certification message
N1 establishes safely session key sessionKey;
SessionKey=Hash (CR | | N1 | | N2).
The present invention a kind of specific implementation mode in, in step 2, recipient execute Receiver algorithms the step of
May include:
Authority CR and all participation nodal directory record sheet PUCT is trusted in S22, node input;
S23 waits for the response message (m1, N1, t1) of receiving node;
S24:After receiving response, if t1<T, then request is effective, and otherwise request is invalid;If following formula are set up, sender
Identifier node is legal, executes S25, and otherwise node is illegal, returns to False;
ESender pk(m1)=Hash (CR | | N1 | | t1);
S25, node generate random number N 2 according to system random function Random (), generate counter t2=1, if certification is rung
It should fail, then t2=t2+1;If t2<T is invalid, then after waiting for a period of time, enables t2=1, continues to send authentication response;
S26, node are connect using authority CR and node private key sk is trusted by software digest calculations and signature interface or hardware
Mouthful to (CR | | N1 | | N2 | | t2) carry out digest calculations and go out m, and the use of node private key signature is m2, executes S27;
Node call software or hardware Hash interfaces calculate summary info m=Hash (CR | | N1 | | N2 | | t2), use section
M computations are generated m2 by point private key sk, execute next step S27;
S27 sends authentication data (m2, N2, t2), illustrates oneself identity legitimacy to sending node;
S28:After both sides are by verification, receiving node is according to N1, oneself trust authority CR and the random number in certification message
N2 establishes safely session key sessionKey by following formula;
SessionKey=Hash (CR | | N1 | | N2).
In the present invention, scenes of internet of things characteristic is considered, first, in conjunction with user privacy information anonymous methods, by node
Connector secret signal information is divided into the data structure form of multiple portions tuple, is completely hidden with partial information safety assurance privacy information
Secret signal is negotiated between the method for name completes multiple nodes, and node lawful basis is provided for multinode authentication;Next, in conjunction with
Internet of Things identity identifying technology is studied, and multinode Verify Your Identity questions in Internet of Things distributed network environment are divided into two sections
Safety identification authentication problem between point simplifies problem hard and devises a wheel in two side's authentication of design safety and communicated
At the flow of identity, saves general more wheel communications and complete the communication consumption of authentication, while using message when authentication
Authentication information length is greatly reduced in digest calculations, has quickly finished node identities legitimate verification, and counter is used for Internet of Things
In net environment, environment of internet of things time synchronization problem is efficiently solved, reaches and inhibits Replay Attack purpose, in structure session key
When, the mechanism of certification message is embedded into using session key key message, the independent communication for establishing session key is not only saved and disappears
Consumption, while also increasing the speed and reliability of information transmission;Finally, under two side's authentication base support of safety, wound
Complete to the property made the safety identification authentication between multiple nodes in environment of internet of things.The present invention completes in environment of internet of things safely
Under the premise of authentication between multiple nodes, calculating cost and the communication overhead in authentication procedures are simplified.
Secure authentication is not limited to Internet of Things offline scenario, can also be applied to online service certification, such as
The present invention can be combined with actual scene in actual use, complete two sides by mobile Internet, P2P networks, car networking etc.
Or the safety identification authentication between multi-party node, ensure actual scene interior joint private information safety and network security.
The preferred embodiment of the present invention is described in detail above in association with attached drawing, still, the present invention is not limited to above-mentioned realities
The detail in mode is applied, within the scope of the technical concept of the present invention, a variety of letters can be carried out to technical scheme of the present invention
Monotropic type, these simple variants all belong to the scope of protection of the present invention.
It is further to note that specific technical features described in the above specific embodiments, in not lance
In the case of shield, can be combined by any suitable means, in order to avoid unnecessary repetition, the present invention to it is various can
The combination of energy no longer separately illustrates.
In addition, various embodiments of the present invention can be combined randomly, as long as it is without prejudice to originally
The thought of invention, it should also be regarded as the disclosure of the present invention.
Claims (5)
1. a kind of Internet of Things identity identifying method based on connector secret signal anonymity, which is characterized in that this method includes:
Step 1, negotiated using safe secret signal and multi-party computations method, protection node connector secret signal information save other participations
Point integrality is anonymous, completes to trust authority calculating;
Step 2, the Receiver algorithms that the Sender algorithms and recipient executed by sender executes complete the certification of identity.
2. the Internet of Things identity identifying method according to claim 1 based on connector secret signal anonymity, which is characterized in that in step
In rapid 1,
S1, strange participation node broadcasts oneself public key in security scenario, and receives other node public keys, and is recorded in node mesh
It records in record sheet PUCT, convenient for verifying node signature validity in common scene;
S2, node butt joint secret signal information carry out initialization operation, according to participating in number of nodes n by all elements in connector secret signal
Random division is n part tuple PT [n], and random selection part tuple PT [k] is used as oneself private information, k to belong to [0, n-1]
An integer, private information do not make communication process, and only participating in node section result PR in intra-node calculates, other parts member
Group PT [i] node makees communication process, and simultaneously calculating section result PR, i ≠ k are received by other nodes;
S3, each node receive the part member of other all nodes to other all participation node transmitting portion tuple PT [i]
Group PT [j], j belong to [0, n-2], and j value differences indicate that part tuple PT [j] from different nodes, is calculated by following formula
Partial results PR,
S4, each node receive the part knot of other nodes to other all participation node transmitting portion result of calculation PR [k]
Fruit PR [j], all some numerical results calculate overall result WR using addition, multiplication or other complicated calculations methods, and will be total
As a result WR, which is used as, trusts authority CR,
Wherein, PR [k] indicates that node oneself partial results, PR [j] indicate to come from other nodes.
3. the Internet of Things identity identifying method according to claim 1 based on connector secret signal anonymity, which is characterized in that in step
In rapid 2, sender execute Sender algorithms the step of include:
S5, all participation nodes are completed multi-party secret signal and are negotiated, and node can trust authority CR having the same and all participations section
Authority CR and all participation nodal directory record sheet PUCT is trusted in point catalogue record sheet PUCT, input;
S6 sets node type to transmission types if node, which is in idle condition, can initiate certification request, if at node
It can set node in processing state to receive type;
S7, decision node type are then true, execute step 8 if it is transmission types;Then it is vacation if not transmission types,
Execute step 9;
S8 executes Sender algorithms, completes sender's authentication processing, executes S10;
S9 executes Receiver algorithms, completes recipient's authentication processing, executes S10;
S10 executes S14 if certification passes through;If certification is not over executing S11;
Requesting node information is added in illegal nodes records table _ PUCT, records illegal nodal information, resist illegal node by S11
Certification request saves computing cost, if sending certification request, first judges the node whether in illegal nodes records, such as
Fruit exists, and directly abandons request, otherwise continues with, and executes S14;
S12 judges illegal number of nodes, after newly increasing illegal node and reaching certain amount, is carried out S13, notifies other sections
The new illegal nodal information of point, otherwise executes S14;
Illegal nodal information is broadcast to other and participates in node _ PUCT by S13, is inhibited these illegal entity authentication requests, is saved net
Network resource;
S14 judges whether all nodes are fully completed certification in all participation nodal directory record sheet PUCT, if all participations
Without strange node in nodal directory record sheet PUCT, then True is returned to, completes certification, otherwise execute S6.
4. the Internet of Things identity identifying method according to claim 1 based on connector secret signal anonymity, which is characterized in that in step
In rapid 2, the method for the Sender algorithms that sender executes includes:
Authority CR and all participation nodal directory record sheet PUCT is trusted in S15, node input;
S16, node generate random number N 1 according to system random function Random (), generate counter t1=1, if certification request is lost
It loses, then t1=t1+1, if t1<T is invalid, then after waiting for a period of time, enables t1=1, continues to send certification request;
S17, node is using trust authority CR and node private key by software digest calculations and signature interface or hardware interface to (CR
| | N1 | | t1) progress digest calculations go out m, and it is m1 to use node private key signature, executes S18;
Node call software or hardware Hash interfaces calculate summary info m=Hash (CR | | N1 | | t1), use node private key sk
M computations are generated into m1, execute next step S18;
S18 sends authentication data (m1, N1, t1), illustrates oneself identity legitimacy to recipient, into S19;
S19 waits for the response message (m2, N2, t2) of receiving node;
S20, after receiving response, in t2<In the case that T is set up with following formula, it is to have that response, which is with validity, signature,
Correctness and node there is legitimacy, wherein N1 illustrates that response with request is corresponding;
EReceiver pk(m2)=Hash (CR | | N1 | | N2 | | t2);
S21, after both sides are by verification, sending node is pacified according to N2, oneself trust authority CR and the random number N 1 in certification message
Establish session key sessionKey entirely;
SessionKey=Hash (CR | | N1 | | N2).
5. the Internet of Things identity identifying method according to claim 1 based on connector secret signal anonymity, which is characterized in that in step
In rapid 2, recipient execute Receiver algorithms the step of include:
Authority CR and all participation nodal directory record sheet PUCT is trusted in S22, node input;
S23 waits for the response message (m1, N1, t1) of receiving node;
S24:After receiving response, if t1<T, then request is effective, and otherwise request is invalid;If following formula are set up, sender's identity
Node is legal, executes S25, and otherwise node is illegal, returns to False;
ESender pk(m1)=Hash (CR | | N1 | | t1);
S25, node generate random number N 2 according to system random function Random (), generate counter t2=1, if authentication response loses
It loses, then t2=t2+1;If t2<T is invalid, then after waiting for a period of time, enables t2=1, continues to send authentication response;
S26, node pass through software digest calculations and signature interface or hardware interface pair using authority CR and node private key sk is trusted
(CR | | N1 | | N2 | | t2) progress digest calculations go out m, and it is m2 to use node private key signature, executes S27;
Node call software or hardware Hash interfaces calculate summary info m=Hash (CR | | N1 | | N2 | | t2), use node private
M computations are generated m2 by key sk, execute next step S27;
S27 sends authentication data (m2, N2, t2), illustrates oneself identity legitimacy to sending node;
S28:After both sides are by verification, receiving node leads to according to N1, oneself trust authority CR and random number N 2 in certification message
It crosses following formula and establishes session key sessionKey safely;
SessionKey=Hash (CR | | N1 | | N2).
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810140301.2A CN108471402B (en) | 2018-02-11 | 2018-02-11 | Internet of things identity authentication method based on joint secret number anonymity |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810140301.2A CN108471402B (en) | 2018-02-11 | 2018-02-11 | Internet of things identity authentication method based on joint secret number anonymity |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108471402A true CN108471402A (en) | 2018-08-31 |
| CN108471402B CN108471402B (en) | 2021-02-09 |
Family
ID=63266447
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810140301.2A Active CN108471402B (en) | 2018-02-11 | 2018-02-11 | Internet of things identity authentication method based on joint secret number anonymity |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108471402B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109787998A (en) * | 2019-02-28 | 2019-05-21 | 矩阵元技术(深圳)有限公司 | Data processing method, device, smart card, terminal device and server |
| CN111092735A (en) * | 2019-12-20 | 2020-05-01 | 杭州涂鸦信息技术有限公司 | Device authorization off-line verification method and system based on elliptic curve algorithm |
| CN113672890A (en) * | 2020-05-15 | 2021-11-19 | 中移(上海)信息通信科技有限公司 | Identity authentication method and device, electronic equipment and computer storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101599959A (en) * | 2009-07-10 | 2009-12-09 | 西北工业大学 | Anonymous bidirectional authentication method based on identity |
| CN102196431A (en) * | 2011-05-13 | 2011-09-21 | 南京邮电大学 | Internet of things application scene-based protection method of privacy query and private identity verification |
| CN102594820A (en) * | 2012-02-17 | 2012-07-18 | 南京邮电大学 | Secure multi-party computation privacy-protecting evaluation method based on scenes of internet of things |
| CN104933654A (en) * | 2015-05-29 | 2015-09-23 | 安徽师范大学 | Community medical internet of things privacy protection method |
| US20160149878A1 (en) * | 2014-11-21 | 2016-05-26 | Mcafee, Inc. | Protecting user identity and personal information by sharing a secret between personal iot devices |
-
2018
- 2018-02-11 CN CN201810140301.2A patent/CN108471402B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101599959A (en) * | 2009-07-10 | 2009-12-09 | 西北工业大学 | Anonymous bidirectional authentication method based on identity |
| CN102196431A (en) * | 2011-05-13 | 2011-09-21 | 南京邮电大学 | Internet of things application scene-based protection method of privacy query and private identity verification |
| CN102594820A (en) * | 2012-02-17 | 2012-07-18 | 南京邮电大学 | Secure multi-party computation privacy-protecting evaluation method based on scenes of internet of things |
| US20160149878A1 (en) * | 2014-11-21 | 2016-05-26 | Mcafee, Inc. | Protecting user identity and personal information by sharing a secret between personal iot devices |
| CN104933654A (en) * | 2015-05-29 | 2015-09-23 | 安徽师范大学 | Community medical internet of things privacy protection method |
Non-Patent Citations (1)
| Title |
|---|
| 周文钦: "基于安全多方计算的匿名认证方法", 《中国优秀硕士学位论文全文数据库》 * |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109787998A (en) * | 2019-02-28 | 2019-05-21 | 矩阵元技术(深圳)有限公司 | Data processing method, device, smart card, terminal device and server |
| CN111092735A (en) * | 2019-12-20 | 2020-05-01 | 杭州涂鸦信息技术有限公司 | Device authorization off-line verification method and system based on elliptic curve algorithm |
| CN113672890A (en) * | 2020-05-15 | 2021-11-19 | 中移(上海)信息通信科技有限公司 | Identity authentication method and device, electronic equipment and computer storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108471402B (en) | 2021-02-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Zhang et al. | SMAKA: Secure many-to-many authentication and key agreement scheme for vehicular networks | |
| Abdmeziem et al. | An end-to-end secure key management protocol for e-health applications | |
| Mwitende et al. | Certificateless authenticated key agreement for blockchain-based WBANs | |
| CN110234111B (en) | Two-factor authentication key agreement protocol suitable for multi-gateway wireless sensor network | |
| Hu et al. | A two-factor security authentication scheme for wireless sensor networks in IoT environments | |
| Wu et al. | A provably secure three-factor authentication protocol for wireless sensor networks | |
| Ghahramani et al. | A secure biometric-based authentication protocol for global mobility networks in smart cities | |
| Khan et al. | [Retracted] A Robust and Privacy‐Preserving Anonymous User Authentication Scheme for Public Cloud Server | |
| Rafique et al. | An efficient and provably secure certificateless protocol for industrial Internet of Things | |
| Yang et al. | Efficient and anonymous authentication for healthcare service with cloud based WBANs | |
| Shuai et al. | Lightweight and privacy‐preserving authentication scheme with the resilience of desynchronisation attacks for WBANs | |
| CN108471402A (en) | Internet of Things identity identifying method based on connector secret signal anonymity | |
| Yang et al. | Selective blockchain system for secure and efficient D2D communication | |
| Li et al. | A lightweight and secure three-factor authentication protocol with adaptive privacy-preserving property for wireless sensor networks | |
| Chen et al. | Enhanced authentication protocol for the Internet of Things environment | |
| Abdussami et al. | LASSI: a lightweight authenticated key agreement protocol for fog-enabled IoT deployment | |
| Yu et al. | LAKA-UAV: Lightweight authentication and key agreement scheme for cloud-assisted Unmanned Aerial Vehicle using blockchain in flying ad-hoc networks | |
| Singh et al. | Mutual authentication framework using fog computing in healthcare | |
| Zhang et al. | Is Today's End-to-End Communication Security Enough for 5G and Its Beyond? | |
| Zeng et al. | Deniable-based privacy-preserving authentication against location leakage in edge computing | |
| Kumar et al. | A secure and efficient computation based multifactor authentication scheme for Intelligent IoT-enabled WSNs | |
| Ma et al. | A secure and efficient certificateless authenticated key agreement protocol for smart healthcare | |
| Qiao et al. | Anonymous lightweight authenticated key agreement protocol for fog-assisted healthcare IoT system | |
| Kumar et al. | A robust and secure user authentication scheme based on multifactor and multi‐gateway in IoT enabled sensor networks | |
| Mahmood et al. | A security enhanced chaotic-map based authentication protocol for internet of drones |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220913 Address after: Block D, 23rd Floor, Xizhen Building, No. 33, Songshan Road, Nangang Concentration Zone, Harbin Development Zone, Harbin, Heilongjiang 150040 Patentee after: Heilongjiang Zhenning Technology Co.,Ltd. Address before: 241002 Science and Technology Service Department, No. 189 Jiuhua South Road, Yijiang District, Wuhu City, Anhui Province Patentee before: ANHUI NORMAL University |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: An Internet of Things Identity Authentication Method Based on Anonymous Joint Password Effective date of registration: 20231013 Granted publication date: 20210209 Pledgee: Heilongjiang Xinzheng financing guarantee Group Co.,Ltd. Pledgor: Heilongjiang Zhenning Technology Co.,Ltd. Registration number: Y2023230000086 |