CN108566240B - Inter-satellite networking authentication system and method suitable for double-layer satellite network - Google Patents


Info

Publication number
CN108566240B
Authority
CN
China
Prior art keywords
authentication
satellite
leo
geo
orbit
Legal status
Active
Application number
CN201810262750.4A
Other languages
Chinese (zh)
Other versions
CN108566240A (en)
Inventor
朱辉
武衡
张之义
李晖
赵海强
王宇辉
Current Assignee
Xidian University
CETC 54 Research Institute
Original Assignee
Xidian University
CETC 54 Research Institute

Classifications

    • H04B7/18521 Radio transmission systems; space-based relay stations: systems of interlinked satellites, i.e. inter-satellite service
    • H04L63/083 Network architectures or protocols for network security: authentication of entities using passwords
    • H04L9/0863 Cryptographic key distribution or management: generation of secret information involving passwords or one-time passwords
    • H04L9/3213 Entity authentication or message authentication involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L9/3297 Entity authentication or message authentication involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Astronomy & Astrophysics (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • General Physics & Mathematics (AREA)
  • Radio Relay Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention belongs to the technical field of information security and discloses an inter-satellite networking authentication system and method suitable for a double-layer satellite network. The system comprises a ground authentication server, a high-orbit satellite authentication client and a low-orbit satellite authentication client. The ground authentication server is responsible for initializing the satellite authentication system, namely generating and distributing the identity information, keys and orbit parameters required for authentication between satellites. The high-orbit and low-orbit satellite authentication clients are the two parties of inter-satellite networking authentication and realize inter-satellite identity authentication and key agreement by exchanging authentication parameters. Using the high synchronization of satellite network clocks and the predictability of node trajectories, the invention designs an authentication precomputation mechanism that effectively improves authentication efficiency between satellites. The invention realizes secure and efficient identity authentication and key agreement between high-orbit and low-orbit satellites during the networking stage of a double-layer satellite network and can be used for networking authentication between high-orbit and low-orbit satellites.

Description

Inter-satellite networking authentication system and method suitable for double-layer satellite network
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an inter-satellite networking authentication system and method suitable for a double-layer satellite network. The method can be used for providing satellite identity authentication service for a commercial satellite network during satellite networking, and can realize trust establishment and secure communication between satellites without participation of a trusted third party.
Background
The current state of the art in the industry is as follows:
Because existing satellite networks contain a small number of satellites, such as Iridium (66) and GPS (24), satellite networking is mainly completed under the control of a ground station. Networking authentication usually works by having the earth station directly distribute authentication parameters, session keys and the like to the satellites. Under such a control architecture, satellites generally have no autonomous networking capability, so their networking authentication depends heavily on ground stations.
However, with the development of aerospace technology, satellite networks are becoming more complex: the number of satellite nodes is large and the control model is complicated. Under this trend the traditional ground-controlled networking mode has practical limitations, owing to the deployment locations, processing capacity and management capacity of ground stations. At the same time, because inter-satellite links use a wireless medium, the channel is highly open: communication content is easy to eavesdrop on, tamper with and forge, and malicious interference can prevent satellite networking altogether. In addition, the special deployment environment of a satellite network places stricter requirements on the design of an inter-satellite identity authentication protocol. First, satellite resources are limited and cannot absorb large computational overhead, so a scheme that requires complex computation seriously degrades authentication efficiency. Second, the distance between satellites is long and communication delay is not negligible, so communication overhead must be considered in the design of the scheme.
Some solutions have been proposed to the networking problem of satellite networks, such as:
The patent "An on-orbit satellite identity authentication method" (application number CN 2017101415439, publication number CN106850674A), filed by the 30th Research Institute of China Electronics Technology Group Corporation, discloses an on-orbit satellite identity authentication method that adopts a public/private-key authentication mechanism based on the periodicity of satellite orbits and solves the problem of identity authentication between satellites and the ground.
However, as the number of nodes in designed satellite networks grows, frequent participation of a ground station in networking authentication seriously degrades authentication efficiency because of satellite-to-ground communication delay and similar problems. To keep satellite networking secure and efficient, the authentication protocol therefore needs to minimize the participation of third parties such as ground stations and increase the autonomy and independence of the authenticating nodes, so that the satellite network keeps operating securely even when a ground station fails.
In summary, the problems of the prior art are as follows:
(1) inter-satellite identity authentication requires ground participation; without a trusted third party such as a ground station, independent and autonomous trust establishment and secure communication between satellites are difficult to achieve, which makes existing schemes unsuitable for networking scenarios with massive numbers of nodes;
(2) inter-satellite identity authentication does not protect the satellites' identity information, so an attacker can forge access requests from intercepted plaintext identities and mount denial-of-service and similar attacks that interfere with satellite networking;
(3) the computational overhead of inter-satellite identity authentication affects authentication delay; compared with a satellite network with few nodes, networking authentication in a network with massive numbers of nodes is far more frequent, so the limited computing power of on-board computers causes authentication delay.
The difficulty and significance of solving these technical problems are as follows:
(1) designing an independent and autonomous inter-satellite networking authentication method, together with a secure and efficient key update mode, that reduces ground station participation while ensuring that satellites update their authentication keys correctly;
(2) designing an inter-satellite networking authentication method that protects the satellites' identity information, which must ensure the confidentiality of that information while keeping the additional computational cost it introduces low;
(3) designing an inter-satellite networking authentication method suitable for complex satellite networks, which must account for the computational cost of the authentication process and avoid, as far as possible, the computational delay that limited on-board resources cause when many satellites authenticate simultaneously.
With the development of the aerospace technology, future satellite networks must contain more and more satellite nodes, and the design of the inter-satellite networking authentication method capable of realizing independent and autonomous networking without frequent participation of ground stations has important significance in ensuring that the satellite network with massive satellite nodes can stably operate.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides an inter-satellite networking authentication system and method suitable for a double-layer satellite network.
The present invention is achieved in such a way that,
the invention relates to an inter-satellite networking authentication system suitable for a double-layer satellite network, which comprises:
the ground authentication server is responsible for finishing the initialization of the satellite authentication system, namely generating and distributing identity information, keys and orbit parameters required by the authentication between the satellites;
the high earth orbit satellite (GEO) authentication client, which is responsible for receiving the authentication request from the LEO, computing and returning the authentication Token, computing the expected response XRES and the session key CK, checking whether the temporary identity TID used by the LEO in the authentication request is valid, checking whether the response value RES returned by the LEO is correct, and maintaining an authentication information table for the LEO;
and the low earth orbit satellite (LEO) authentication client is responsible for submitting an authentication request to the GEO, checking whether an authentication Token returned by the GEO is valid, calculating a temporary identity TID, a response value RES and a session key CK, and maintaining an authentication information table for the GEO.
The ground authentication server includes:
the system initialization module is used for completing the initialization of the satellite authentication system, namely writing the identity information generated by the identity information generation module, the secret key generated by the secret key generation module and the orbit parameters distributed by the orbit distribution module into the satellite authentication system;
the identity information generation module is used for generating the identity information required for authentication for each satellite according to its production sequence, launch sequence and the like;
the key generation module is used for generating a key required by authentication for the satellite;
and the orbit allocation module is used for allocating the operation orbit for the satellite.
The high earth orbit satellite (GEO) authentication client comprises:
the system initialization module is used for completing initialization of the satellite authentication system, namely acquiring identity information, a secret key and orbit parameters required by satellite authentication from a ground authentication server;
the networking authentication module comprises three sub-modules: an authentication sub-module, a data processing sub-module and a pre-calculation management sub-module. The authentication sub-module exchanges the parameters required for authentication with a low earth orbit satellite (LEO) authentication client; the data processing sub-module generates and parses the authentication parameters and checks whether received authentication parameters are valid; the pre-calculation management sub-module pre-calculates, according to the authentication information table, the authentication parameters for the satellites it manages, and maintains the authentication information table;
the orbit prediction module is used for calculating a time node of the next authentication between the satellites;
and the authentication information management module is used for managing registration and updating of the LEO authentication information.
A low earth orbit satellite (LEO) authentication client comprising:
the system initialization module is used for completing initialization of the satellite authentication system, namely acquiring identity information, a secret key and orbit parameters required by satellite authentication from a ground authentication server;
the networking authentication module comprises three sub-modules: an authentication sub-module, a data processing sub-module and a pre-calculation management sub-module. The authentication sub-module exchanges the parameters required for authentication with a high earth orbit satellite (GEO) authentication client; the data processing sub-module generates and parses the authentication parameters and checks whether received authentication parameters are valid; the pre-calculation management sub-module pre-calculates, according to the authentication information table, the authentication parameters for the satellites it manages, and maintains the authentication information table;
the orbit prediction module is used for calculating a time node of the next authentication between the satellites;
and the authentication information management module is used for managing the registration and the update of the GEO authentication information.
Another object of the present invention is to provide an information data processing terminal equipped with the above-described inter-satellite networking authentication system suitable for a two-layer satellite network.
In order to achieve the above object, the present invention provides an inter-satellite networking authentication method suitable for a dual-layer satellite network, comprising:
1. authentication system initialization
(1a) In the launch preparation phase, the satellite submits a system initialization application to the ground authentication server.
(1b) After receiving the application, the ground authentication server generates and distributes to the satellite its identity information, keys and orbit parameters, namely the identity ID, the group identity SGID, the anonymity protection key IDKey for the satellite's identity information, and the satellite's authentication master key MainKey.
2. Satellite authentication information registration
(2a) The LEO sends its own precise orbit data, i.e. the orbit parameters such as orbit altitude and orbit inclination that are required for satellite orbit prediction, to the GEO.
(2b) After receiving the orbit information sent by the LEO, the GEO adds the LEO's authentication information to its authentication information table, i.e. stores the LEO's ID together with the orbit data in the on-board authentication information database. After registration is complete, the GEO returns its own precise orbit data to the LEO.
(2c) After receiving the returned orbit data, the LEO stores them in its own authentication database in the same way.
3. Inter-satellite identity authentication and key agreement
The inter-satellite identity authentication and key agreement is divided into two sub-protocols according to the execution stage of inter-satellite networking authentication, namely an authentication sub-protocol before satellite authentication information registration and an authentication sub-protocol after satellite authentication information registration.
3.1) authentication subprotocol before registration of authentication information
(3.1.a) The LEO obtains the timestamp T_TID from its on-board clock. From T_TID and the preset IDKey, the LEO computes the temporary identity TID to be used in this authentication: TID = f_TID(IDKey, T_TID || RID). After the computation, the LEO sends the TID to the GEO together with the authentication request.
(3.1.b) After receiving the TID, the GEO decrypts it with the preset IDKey and uses the recovered T_TID and RID to determine the freshness and validity of the authentication request.
(3.1.c) The GEO obtains the timestamp T_Auth needed for AuthKey generation from its on-board clock and derives the authentication key from T_Auth and the preset MainKey: AuthKey = f_AK(MainKey, T_Auth). The GEO generates a one-time random number RAND and computes the timestamp protection sequence TK from RAND and AuthKey: TK = f_TK(AuthKey, RAND). The GEO then obtains the timestamp T_Token needed for Token generation from its on-board clock and computes the message authentication code over RAND, T_Token and the stored SGID: MAC = f_MAC(AuthKey, RAND || T_Token || SGID). The GEO combines RAND, T_Token (protected by TK), SGID and MAC into the authentication Token:
[Token composition formula: figure not reproduced]
and computes the expected response XRES and the session key CK: CK = f_CK(AuthKey, RAND), XRES = f_RES(CK, RAND).
(3.1.d) The LEO generates the AuthKey in the same way and uses it to determine the freshness and validity of the Token.
(3.1.e) After the check passes, the LEO computes CK and RES in the same way and returns the RES to the GEO.
(3.1.f) On receipt of the RES, the GEO compares the received RES with the stored XRES. If they are equal, authentication of the LEO is complete; otherwise authentication fails.
3.2) authentication subprotocol after registration of authentication information
(3.2.a) After the communication link is established, the LEO first determines whether its orbit parameters have changed. If an orbit perturbation has occurred, the protocol must be terminated and authentication sub-protocol (3.1) executed again, because the authentication parameters obtained by precomputation are invalid. If the orbit is normal, the LEO sends the precomputed TID and RES to the GEO together with the access request.
(3.2.b) On receipt of the access request, the GEO compares the received TID and RES with the stored XTID and XRES. If both are equal, authentication of the LEO is complete and the GEO returns the stored Token to the LEO; otherwise an error is returned and authentication sub-protocol (3.1) is executed again.
(3.2.c) The LEO checks the validity of the authentication Token using the precomputed AuthKey.
(3.2.d) If the check passes, the LEO computes the session key CK using the AuthKey.
4. Authentication precomputation
The authentication precomputation is likewise divided into two sub-protocols according to the execution stage of inter-satellite networking authentication, namely a precomputation sub-protocol before registration of the satellite authentication information and a precomputation sub-protocol after registration.
4.1) Precomputation sub-protocol before registration of authentication information
(4.1.a) The LEO requests a blank Token from the GEO.
(4.1.b) The GEO computes and returns a blank Token.
(4.1.c) The LEO computes, through orbit position prediction, the time point of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token. From T_TID and T_Auth it then generates the TID and the AuthKey to be used at the next authentication. Based on the blank Token returned by the GEO, the LEO computes the RES to be used at the next authentication. After the computation, the LEO stores the TID and the RES.
(4.1.d) The GEO computes, through orbit position prediction, the time point of its next authentication with the target LEO and obtains T_TID, T_Auth and T_Token. Based on these time parameters, the stored satellite ID, the stored IDKey and the MainKey, the GEO computes the XTID, XRES, Token and CK to be used at the next authentication. After the computation, the GEO stores XTID, XRES, Token and CK.
4.2) Precomputation sub-protocol after registration of authentication information
(4.2.a) The LEO computes, through orbit position prediction, the time point of its next authentication with the target GEO and obtains T_TID, T_Auth and T_Token. From T_TID and T_Auth it then generates the TID and the AuthKey to be used at the next authentication. Based on the Token returned by the GEO in authentication sub-protocol (3.2), the LEO computes the RES to be used at the next authentication. After the computation, the LEO stores the TID and the RES.
(4.2.b) The GEO computes, through orbit position prediction, the time point of its next authentication with the target LEO and obtains T_TID, T_Auth and T_Token. Based on these time parameters, the stored satellite ID, the stored IDKey and the MainKey, the GEO computes the XTID, XRES, Token and CK to be used at the next authentication. After the computation, the GEO stores XTID, XRES, Token and CK.
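The three procedures above (the full sub-protocol 3.1, the precomputation of step 4 and the comparison-only sub-protocol 3.2) are easier to follow as one executable model. The following Python is an added example and not code from the patent. The patent names none of the f_* functions, so HMAC-SHA256 is used here for f_AK, f_TK, f_MAC, f_CK and f_RES, and a small Feistel network keyed by IDKey stands in for f_TID, which has to be invertible because the GEO both decrypts a received TID and recomputes an expected XTID. Further assumptions: T_Auth is the key epoch of the clock, so synchronized clocks derive one AuthKey; T_Token is masked by XOR with TK inside the Token; and the RAND carried by the previous Token (the blank Token of (4.1.b), or the Token returned in (3.2.b)) is the RAND both sides use for the precomputed RES/XRES and CK of the next round. Times are integer seconds, and all sizes and the 5-second freshness window are chosen for the example.

```python
# Worked model of the GEO/LEO networking authentication sub-protocols described above.
# Added example, not the patent's code; f_* functions, sizes and Token layout are assumptions.
import hashlib, hmac, os, struct

KEY_EPOCH = 3600   # s; T_Auth is taken as the key epoch so both clocks derive one AuthKey (assumption)
FRESH = 5          # s; freshness window for T_TID and T_Token (assumption)

def _prf(key, label, *parts):
    """HMAC-SHA256 stands in for the patent's unspecified f_* functions (assumption)."""
    m = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        m.update(p)
    return m.digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# f_TID must be keyed and invertible: the GEO decrypts a received TID to (T_TID, RID) and can
# recompute XTID for a predicted T_TID.  Assumption: 4-round Feistel over T_TID || RID (16 bytes).
def f_tid(idkey, t_tid, rid):
    l, r = struct.pack(">Q", t_tid), rid          # rid is 8 bytes
    for i in range(4):
        l, r = r, _xor(l, _prf(idkey, b"TID", bytes([i]), r)[:8])
    return l + r

def f_tid_inv(idkey, tid):
    l, r = tid[:8], tid[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _prf(idkey, b"TID", bytes([i]), l)[:8]), l
    return struct.unpack(">Q", l)[0], r

def f_ak(mainkey, t_auth): return _prf(mainkey, b"AK", struct.pack(">Q", t_auth))
def f_tk(authkey, rand): return _prf(authkey, b"TK", rand)[:8]
def f_mac(authkey, rand, t_token, sgid): return _prf(authkey, b"MAC", rand, struct.pack(">Q", t_token), sgid)[:16]
def f_ck(authkey, rand): return _prf(authkey, b"CK", rand)
def f_res(ck, rand): return _prf(ck, b"RES", rand)[:16]

def build_token(authkey, rand, t_token, sgid):
    """Token = RAND || (T_Token XOR TK) || SGID || MAC; XOR masking of T_Token is an assumption."""
    masked = _xor(struct.pack(">Q", t_token), f_tk(authkey, rand))
    return rand + masked + sgid + f_mac(authkey, rand, t_token, sgid)

def check_token(authkey, token, sgid, now):
    """LEO side of (3.1.d)/(3.2.c): unmask T_Token, check freshness, compare XMAC with MAC."""
    rand, masked, mac = token[:16], token[16:24], token[-16:]
    t_token = struct.unpack(">Q", _xor(masked, f_tk(authkey, rand)))[0]
    if token[24:-16] != sgid or abs(now - t_token) > FRESH:
        return None
    return rand if hmac.compare_digest(mac, f_mac(authkey, rand, t_token, sgid)) else None

def init_system(rid, sgid=b"SG01"):
    """Step 1: the ground server provisions IDKey and MainKey shared by the GEO and the LEO group."""
    idkey, mainkey = os.urandom(32), os.urandom(32)
    geo = dict(idkey=idkey, mainkey=mainkey, sgid=sgid, table={rid: {}})   # authentication info table
    leo = dict(idkey=idkey, mainkey=mainkey, sgid=sgid, rid=rid, pre={})
    return geo, leo

def full_auth(geo, leo, t_leo, t_geo):
    """Sub-protocol 3.1 with separate clocks; returns (CK_geo, CK_leo, RAND) or None on failure."""
    tid = f_tid(leo["idkey"], t_leo, leo["rid"])                            # (3.1.a)
    t_tid, rid = f_tid_inv(geo["idkey"], tid)                               # (3.1.b)
    if rid not in geo["table"] or abs(t_geo - t_tid) > FRESH:
        return None                                                         # unknown, stale or replayed TID
    ak_geo, rand = f_ak(geo["mainkey"], t_geo // KEY_EPOCH), os.urandom(16)
    token = build_token(ak_geo, rand, t_geo, geo["sgid"])                   # (3.1.c)
    ck_geo = f_ck(ak_geo, rand)
    xres = f_res(ck_geo, rand)
    ak_leo = f_ak(leo["mainkey"], t_leo // KEY_EPOCH)
    rand_leo = check_token(ak_leo, token, leo["sgid"], t_leo)               # (3.1.d) GEO authenticated
    if rand_leo is None:
        return None
    ck_leo = f_ck(ak_leo, rand_leo)
    if not hmac.compare_digest(f_res(ck_leo, rand_leo), xres):              # (3.1.e)/(3.1.f) LEO authenticated
        return None
    return ck_geo, ck_leo, rand

def leo_precompute(leo, t_next, rand_prev):
    """(4.x.a): TID, AuthKey, RES, CK for the predicted contact time t_next.  Assumption: the RAND
    carried by the previous (blank or returned) Token seeds the next round's RES and CK."""
    ak = f_ak(leo["mainkey"], t_next // KEY_EPOCH)
    ck = f_ck(ak, rand_prev)
    leo["pre"] = dict(t=t_next, tid=f_tid(leo["idkey"], t_next, leo["rid"]), ak=ak,
                      res=f_res(ck, rand_prev), ck=ck)

def geo_precompute(geo, rid, t_next, rand_prev):
    """(4.x.b): XTID, XRES, CK and the next Token (carrying a fresh RAND) for t_next."""
    ak = f_ak(geo["mainkey"], t_next // KEY_EPOCH)
    ck = f_ck(ak, rand_prev)
    geo["table"][rid] = dict(xtid=f_tid(geo["idkey"], t_next, rid), xres=f_res(ck, rand_prev),
                             token=build_token(ak, os.urandom(16), t_next, geo["sgid"]), ck=ck)

def fast_auth(geo, leo, now):
    """Sub-protocol 3.2: the GEO only compares; returns (CK_geo, CK_leo, RAND_next) or None."""
    p, entry = leo["pre"], geo["table"][leo["rid"]]
    if p.get("t") != now or not entry:
        return None                                      # (3.2.a) not the predicted contact: rerun full_auth
    if not (hmac.compare_digest(p["tid"], entry["xtid"]) and hmac.compare_digest(p["res"], entry["xres"])):
        return None                                      # (3.2.b) GEO rejects: rerun full_auth
    rand_next = check_token(p["ak"], entry["token"], leo["sgid"], now)      # (3.2.c)
    return None if rand_next is None else (entry["ck"], p["ck"], rand_next)  # (3.2.d); rand_next seeds (4.2.a)
```

full_auth exercises the replay check of (3.1.b): a TID stamped 100 s before the GEO's clock is rejected before any key derivation happens. In fast_auth the GEO derives no keys at all, only performs constant-time comparisons against its authentication information table, which is the efficiency gain the precomputation mechanism claims; if the two sides predicted different contact times (an orbit perturbation), XTID and XRES no longer match and the satellites fall back to full_auth, as (3.2.b) prescribes. A real deployment would replace the HMAC-based stand-ins with the operator's approved primitives and bind the freshness window to the actual clock synchronization error.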
Another object of the present invention is to provide a computer program for implementing the method for authenticating an inter-satellite network suitable for a two-layer satellite network.
Another object of the present invention is to provide an information data processing terminal for implementing the inter-satellite networking authentication method suitable for a dual-layer satellite network.
Another object of the present invention is to provide a computer-readable storage medium, which includes instructions that, when executed on a computer, cause the computer to execute the inter-satellite networking authentication method for a two-tier satellite network.
The invention achieves replay resistance by using timestamps in the generation of the authentication parameters. During identity authentication the parameters transmitted between the GEO and the LEO are the TID, the Token and the RES. Generating the TID requires the timestamp T_TID, from which the GEO determines the freshness of the TID; the Token carries the protected time parameter T_Token, so the LEO can judge, together with the MAC value, whether a received Token is a replayed message; and the RES corresponds to a specific Token, so whether the RES is a replay can be judged from the message return time.
The inter-satellite identity authentication and key agreement is divided into two sub-protocols according to the execution stage of inter-satellite networking authentication, wherein the two sub-protocols are an authentication sub-protocol before satellite authentication information registration and an authentication sub-protocol after satellite authentication information registration. After the satellite finishes the registration of the authentication information, the authentication parameters can be pre-calculated through the exchanged precise satellite orbit parameters. By designing a pre-calculation mechanism, the light networking authentication protocol can be executed by the inter-satellite authentication after the authentication information registration is completed, and the authentication efficiency is greatly improved.
In the temporary identity generation method of the invention, the satellite uses the IDKey shared between the GEO and the LEO group to perform a cryptographic operation on the string formed from the timestamp T_TID and the real identity RID, and uses the result as its temporary identity. Because the temporary identity is generated from time, the LEO uses different identity information each time it initiates authentication.
In the AuthKey generation method of the invention, the authentication key is derived, based on time, from the master key MainKey distributed by the ground authentication server. Using the high synchronization of satellite network clocks and the predictability of orbits, the GEO and the LEO update the authentication key according to the predicted time, and the authentication parameters are computed in advance for that time, which keeps both parties' computations synchronized and improves inter-satellite authentication efficiency.
To reduce the computational cost of inter-satellite authentication, the invention designs an authentication precomputation step that uses the same two properties: each parameter required for the next authentication is computed in advance during periods of low on-board computer utilization. At the next authentication, identity authentication is completed by parameter comparison alone, which avoids the authentication delay caused by insufficient on-board computing power during inter-satellite networking authentication.
In summary, the advantages and positive effects of the invention are:
the invention realizes the bidirectional identity authentication between satellites.
In the invention, after the ground station initializes the satellites' authentication system, the LEO and the GEO perform networking authentication independently and autonomously. The LEO authenticates the GEO by checking whether the locally computed XMAC equals the MAC in the Token; the GEO authenticates the LEO by checking whether the locally stored XRES equals the returned RES. This bidirectional identity authentication mechanism resists impersonation, tampering and similar network attacks during satellite networking and ensures that networking proceeds securely and in order.
The invention realizes anonymous protection of satellite identity information.
In the invention, when the LEO sends an authentication request it uses a temporary identity, which is generated by encrypting the real identity information together with a timestamp, so the identity information used in each authentication can differ. At the same time, because of the authentication pre-computation mechanism, verification of the identity information during authentication mainly takes the form of a string comparison, and the satellite incurs no additional computing cost.
The invention reduces the computing cost of the satellite during authentication.
The invention designs the authentication pre-calculation step around the scenario characteristics of highly synchronized satellite network clocks and predictable orbits, so that the satellite can calculate every parameter required by the next authentication in advance from the time parameter obtained by orbit prediction, and the authentication can then be completed by a simple parameter comparison when networking is performed again. By designing an authentication pre-computation mechanism, the invention moves the bulk of the computation required for authentication into the low-utilization stage of the satellite processor, thereby avoiding the authentication delay that insufficient satellite computing power would cause when many satellites authenticate simultaneously.
Drawings
Fig. 1 is a diagram of an inter-satellite networking authentication system suitable for a two-tier satellite network according to an embodiment of the present invention.
Fig. 2 is a flowchart of an inter-satellite networking authentication method suitable for a two-tier satellite network according to an embodiment of the present invention.
Fig. 3 is a flowchart illustrating authentication of a low earth orbit satellite according to an embodiment of the invention.
Fig. 4 is a flowchart illustrating authentication of a high earth orbit satellite according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The prior art cannot establish trust and secure communication between satellites without the participation of a trusted third party. The invention provides an inter-satellite networking authentication method suitable for a double-layer satellite network, which comprises the following:
The LEO completes identity authentication of the GEO by judging whether the XMAC obtained by local calculation equals the MAC in Token; the GEO completes identity authentication of the LEO by judging whether the locally stored XRES equals the returned RES. The authentication parameters transferred between the GEO and the LEO during identity authentication are TID, Token and RES. Generating the TID requires a timestamp T_TID, from which the GEO judges the freshness of the TID; the Token carries an encrypted time parameter T_Token, and the LEO judges whether the received Token is a replayed message by combining it with the MAC value; RES corresponds to Token, so the GEO can judge whether RES is a replayed message from the message return speed.
When the LEO sends an authentication request it uses a temporary identity generated on the basis of time, so the identity information used in each authentication is different; verification of the identity information during authentication takes the form of a string comparison. To generate the temporary identity, the satellite applies a cryptographic operation, keyed with the IDKey shared between the GEO and the LEO group, to the string formed from the timestamp T_TID and the real identity RID, and uses the result as the satellite's temporary identity.
By exploiting the high clock synchronization and predictable orbits of the satellite network, the GEO and the LEO update the authentication key AuthKey at the predicted time and calculate the authentication parameters in advance.
Fig. 1 shows an inter-satellite networking authentication system suitable for a two-layer satellite network according to an embodiment of the present invention, which includes three modules, namely, a ground authentication server, a high earth orbit satellite (GEO) authentication client, and a low earth orbit satellite (LEO) authentication client.
Wherein:
the ground authentication server is used for finishing the initialization of the satellite authentication system, namely generating and distributing identity information, keys and orbit parameters required by the authentication between the satellites;
the system comprises an overhead earth orbit satellite (GEO) authentication client, a server and a server, wherein the GEO authentication client is used for receiving an authentication request from an LEO, calculating and returning an authentication Token, calculating an expected response XRES and a session key CK, checking whether a temporary identity TID used by the LEO in the authentication request is valid or not, checking whether a response value RES returned by the LEO is correct or not, and maintaining an authentication information table for the LEO;
and the low earth orbit satellite (LEO) authentication client is used for submitting an authentication request to the GEO, checking whether an authentication Token returned by the GEO is valid, calculating a temporary identity TID, a response value RES and a session key CK, and maintaining an authentication information table for the GEO.
The ground authentication server includes: a system initialization module, an identity information generation module, a key generation module and an orbit allocation module.
The system initialization module is used for completing the initialization of the satellite authentication system, namely writing the identity information generated by the identity information generation module, the key generated by the key generation module and the orbit parameters allocated by the orbit allocation module into the satellite authentication system;
the identity information generation module is used for generating the identity information required for authentication for the satellite according to the satellite's production sequence number, launch sequence and similar information;
the key generation module is used for generating a key required by authentication for the satellite;
the orbit allocation module is used for allocating the operation orbit for the satellite.
The high earth orbit satellite (GEO) authentication client comprises: a system initialization module, a networking authentication module, an orbit prediction module and an authentication information management module.
The system initialization module is used for completing initialization of the satellite authentication system, namely acquiring the identity information, key and orbit parameters required for satellite authentication from the ground authentication server;
the networking authentication module comprises three sub-modules: an authentication sub-module, a data processing sub-module and a pre-calculation management sub-module. The authentication sub-module is used for exchanging the parameters required for authentication with the low earth orbit satellite (LEO) authentication client; the data processing sub-module is used for generating and parsing the authentication parameters and checking whether the received authentication parameters are valid; the pre-calculation management sub-module is used for pre-calculating the authentication parameters of the satellites recorded in the authentication information table and for maintaining that table;
the orbit prediction module is used for calculating a time node of the next authentication between the satellites;
the authentication information management module is used for managing registration and updating of LEO authentication information.
The low earth orbit satellite (LEO) authentication client comprises: a system initialization module, a networking authentication module, an orbit prediction module and an authentication information management module.
The system initialization module is used for completing initialization of the satellite authentication system, namely acquiring the identity information, key and orbit parameters required for satellite authentication from the ground authentication server;
the networking authentication module comprises three sub-modules: an authentication sub-module, a data processing sub-module and a pre-calculation management sub-module. The authentication sub-module is used for exchanging the parameters required for authentication with the high earth orbit satellite (GEO) authentication client; the data processing sub-module is used for generating and parsing the authentication parameters and checking whether the received authentication parameters are valid; the pre-calculation management sub-module is used for pre-calculating the authentication parameters of the satellites recorded in the authentication information table and for maintaining that table;
the orbit prediction module is used for calculating a time node of the next authentication between the satellites;
the authentication information management module is used for managing the registration and the update of the GEO authentication information.
As shown in fig. 2 to 4, the inter-satellite networking authentication method applicable to a dual-layer satellite network according to the embodiment of the present invention includes four parts, namely, authentication system initialization, satellite authentication information registration, inter-satellite identity authentication and key agreement, and authentication pre-calculation.
The invention is further described below in connection with authentication system initialization.
1. Initialization of an authentication system:
step 1: in the launch preparation stage, the satellite submits a system initialization application to the ground authentication server;
step 2: after receiving the application, the ground authentication server generates the ID, SGID, IDKey, MainKey and orbit parameters for the satellite according to information such as the satellite's production number and launch sequence. After the parameters are generated, they are stored in the satellite's authentication database, where:
(1) the ID is the identity information of the satellite and is used for uniquely identifying the satellite node when an inter-satellite identity authentication protocol is executed;
(2) the SGID is the group identity of the satellite, used to identify the group to which the satellite belongs; it is an auxiliary identity of the satellite and can be configured according to actual conditions;
(3) the IDKey is an anonymous protection key of the identity information of the satellite, belongs to a shared key between a GEO and an LEO group, and is used for generating an LEO temporary identity in the authentication process;
(4) the MainKey is a master key when the satellite performs inter-satellite authentication, belongs to shared secret between GEO and LEO satellites and is used for generating an authentication key AuthKey.
The invention is further described below in connection with satellite authentication information registration.
2. Satellite authentication information registration
The satellite authentication information registration is carried out after the first inter-satellite identity authentication between the GEO and the LEO is completed, and the method comprises the following steps:
step 1: the LEO sends its own accurate orbit data, such as the orbit altitude, orbit inclination and other orbit parameters needed for satellite orbit prediction, to the GEO;
step 2: after receiving the orbit information sent by the LEO, the GEO adds the authentication information of the LEO to the authentication information table, that is, the ID of the LEO is stored in the authentication information database on the satellite together with the orbit data. After the registration is finished, the GEO returns the accurate orbit data of the GEO to the LEO;
and step 3: after receiving the returned orbit data, the LEO stores the data into its own authentication database by the same operation.
The present invention is further described below in conjunction with inter-satellite authentication and key agreement.
3. Inter-satellite identity authentication and key agreement
The inter-satellite identity authentication and key agreement of the authentication method is divided into two sub-protocols according to the execution stage of inter-satellite networking authentication, wherein the two sub-protocols are an authentication sub-protocol before satellite authentication information registration and an authentication sub-protocol after satellite authentication information registration.
(1) Authentication subprotocol before registration of authentication information
The inter-satellite authentication and key agreement sub-protocol, which occurs prior to the registration of satellite authentication information, requires the following steps to be performed:
step 1: the LEO generates and sends temporary identities.
The LEO obtains the timestamp T_TID from the satellite-borne clock. Based on the acquired T_TID and the preset IDKey, the LEO calculates the temporary identity TID to be used in this authentication, TID = f_TID(IDKey, T_TID || RID), where f_TID is the temporary identity generation algorithm, which can be implemented with reference to HMAC-SM3 (hash-based message authentication code over the SM3 algorithm), and RID is the real identity of the satellite. After the computation is completed, the LEO sends the TID to the GEO along with the authentication request.
Step 2: the GEO determines the validity of the authentication request.
2.1) freshness verification
After receiving the TID, the GEO decrypts it with the preset IDKey. If the recovered T_TID satisfies T_TID − T_0 < ΔT_TID, the request meets the freshness requirement and step 2.2) follows; otherwise the authentication is terminated and the connection is released;
2.2) validation
If the decrypted RID conforms to the preset naming specification, the identity verification is passed, and step 3 is executed, otherwise, the authentication is terminated, and the connection is released.
And step 3: the GEO generates and returns an authentication token.
3.1) generating an authentication Key
The GEO obtains the timestamp T_Auth needed for generating AuthKey from the satellite-borne clock. Based on the acquired T_Auth and the preset MainKey, the GEO calculates the authentication key used in this authentication, AuthKey = f_AK(MainKey, T_Auth), where f_AK is the authentication key generation algorithm, which can be implemented with reference to ECB-SM4 (the Chinese SM4 block cipher in electronic codebook mode).
3.2) generating time stamp protection sequences
The GEO generates a nonce RAND. Based on the generated RAND and AuthKey, the GEO calculates the timestamp protection sequence TK = f_TK(AuthKey, RAND), where f_TK is the timestamp protection sequence generation algorithm, which can be implemented with reference to ECB-SM4.
3.3) generating a message authentication code
The GEO obtains the timestamp T_Token required for generating the authentication Token from the satellite-borne clock. Based on the generated RAND, the acquired T_Token and the stored SGID, the GEO calculates the message authentication code MAC = f_MAC(AuthKey, RAND || T_Token || SGID), where f_MAC is the message authentication code generation algorithm, which can be implemented with reference to MAC-SM4.
3.4) generating authentication tokens
The GEO combines RAND, T_Token, TK, SGID and the MAC into the Token:
[equation for the composition of Token: shown as an image in the original, not reproduced]
3.5) generating expected response and Session Key
The GEO calculates the expected response XRES and the session key CK: CK = f_CK(AuthKey, RAND), XRES = f_RES(CK, RAND), where f_CK is the key generation algorithm for CK and f_RES is the authentication response value generation algorithm; both can be implemented with reference to HMAC-SM3.
After the authentication parameters are calculated, the GEO stores XRES and CK and returns Token to LEO.
And 4, step 4: the LEO makes a validity determination on the authentication token.
4.1) freshness verification
The LEO calculates TK from the AuthKey it generated and the RAND carried in Token. It decrypts Token with TK to obtain T_Token and then judges whether T_Token − T_0 < ΔT holds. If T_Token meets the message freshness requirement, step 4.2) is executed; otherwise the authentication fails and the connection is released.
4.2) authentication of identity information
The LEO uses the generated AuthKey together with the RAND, T_Token and SGID in Token to calculate the message authentication code XMAC in the same way. It then judges whether the calculated XMAC equals the MAC in Token: if so, authentication of the GEO is complete; if not, the authentication fails and the connection is released.
And 5: the LEO generates an authentication response value and a session key.
After the verification passes, the LEO calculates CK and RES from RAND and AuthKey using f_CK and f_RES, and returns RES to the GEO.
Step 6: the GEO validates the response value.
Upon receipt of the RES, the GEO compares the received RES with the stored XRES. If they are equal, authentication of the LEO is complete; otherwise, the authentication fails.
(2) Authentication subprotocol after registration of authentication information
The authentication of the identity occurring after the registration of the authentication information requires the use of authentication parameters obtained in an authentication pre-calculation, the execution of which requires the following steps:
step 1: the LEO sends an authentication request.
After establishing the communication link, the LEO first determines whether the orbit parameters of the LEO have changed. If the orbit perturbation occurs, the protocol needs to be terminated and the authentication subprotocol (1) needs to be executed again because the authentication parameters obtained by authentication precomputation are invalid. If the orbit is normal, the LEO sends the pre-calculated TID and RES to the GEO together with the access request.
Step 2: and the GEO carries out validity judgment on the access request.
Upon receiving the access request, the GEO compares the received TID and RES to the stored XTID and XRES. If the two are equal, completing the authentication of the LEO, and returning the stored Token to the LEO; if not, an error is returned, and the authentication subprotocol (1) is executed again.
And step 3: the LEO makes a validity determination on the authentication token.
3.1) freshness verification
The LEO calculates TK from the previously calculated AuthKey and the RAND in Token. It decrypts Token with TK to obtain T_Token and then judges whether T_Token − T_0 < ΔT holds. If T_Token meets the message freshness requirement, step 3.2) is executed; otherwise the authentication fails and the connection is released.
3.2) authentication of identity information
The LEO uses the generated AuthKey together with the RAND, T_Token and SGID in Token to calculate the message authentication code XMAC in the same way. It then judges whether the calculated XMAC equals the MAC in Token: if so, authentication of the GEO is complete; if not, the authentication fails and the connection is released.
And 4, step 4: the LEO generates a session key.
If the verification passes, the LEO calculates CK with f_CK from the pre-calculated AuthKey and the RAND in Token.
The invention is further described below in connection with authentication precomputation.
4. Authentication precomputation
The authentication precomputation of the authentication method is divided into two sub-protocols according to the execution stage of inter-satellite networking authentication: a precomputation sub-protocol before the registration of satellite authentication information and a precomputation sub-protocol after the registration of satellite authentication information.
(1) Authentication precomputation sub-protocol before registration of authentication information
The authentication precomputation sub-protocol that takes place before the registration of satellite authentication information requires the following steps:
step 1: The LEO requests a blank Token from the GEO.
Step 2: GEO calculates and returns a blank Token.
And step 3: LEO authentication precomputation
The LEO calculates the time of its next authentication with the target GEO by orbit position prediction, obtaining the three time parameters T_TID, T_Auth and T_Token. Next, the LEO generates from T_TID and T_Auth respectively the TID and the AuthKey to be used at the next authentication. Based on the blank Token returned by the GEO, the LEO calculates the RES to be used at the next authentication. After the calculation is finished, the LEO stores the TID and the RES.
And 4, step 4: GEO authentication pre-calculation
The GEO calculates the time of its next authentication with the target LEO by orbit position prediction, obtaining the three time parameters T_TID, T_Auth and T_Token. Based on the obtained time parameters, the stored satellite ID and the stored keys IDKey and MainKey, the GEO calculates the XTID, XRES, Token and CK to be used at the next authentication. After the calculation, the GEO stores XTID, XRES, Token and CK.
(2) Authentication precomputation sub-protocol after registration of authentication information
The authentication precomputation sub-protocol that takes place after the registration of satellite authentication information requires the following steps:
step 1: LEO authentication precomputation
The LEO calculates the time of its next authentication with the target GEO by orbit position prediction, obtaining the three time parameters T_TID, T_Auth and T_Token. Next, the LEO generates from T_TID and T_Auth respectively the TID and the AuthKey to be used at the next authentication. Based on the Token returned by the GEO in authentication subprotocol (2), the LEO calculates the RES to be used at the next authentication. After the calculation is finished, the LEO stores the TID and the RES.
Step 2: GEO authentication pre-calculation
The GEO calculates the time of its next authentication with the target LEO by orbit position prediction, obtaining the three time parameters T_TID, T_Auth and T_Token. Based on the obtained time parameters, the stored satellite ID and the stored keys IDKey and MainKey, the GEO calculates the XTID, XRES, Token and CK to be used at the next authentication. After the calculation is finished, the GEO stores XTID, XRES, Token and CK.
Steps 1 and 2 are carried out independently by the LEO and the GEO during the idle time of their respective processors, without regard to execution order.
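The following is an added Python model of authentication subprotocol (1) above and of the precomputation in section 4; it is not the patent's code. It assumes stand-ins for the cited primitives (HMAC-SHA256 in place of HMAC-SM3/MAC-SM4, an HMAC-based Feistel block in place of ECB-SM4), an assumed Token layout (RAND, T_Token masked with TK, SGID, MAC), an assumed freshness window and an assumed RID naming rule, since the page gives none of these.

```python
import hashlib
import hmac
import struct

DELTA_T = 30   # freshness window in seconds (assumed value; the page gives none)
BLOCK = 32     # block size of the stand-in cipher below

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _ts(t):
    return struct.pack(">Q", t)
def _mac(key, *parts):
    """Stand-in for HMAC-SM3 and MAC-SM4 (assumption: HMAC-SHA256)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()
def _block(key, data, decrypt=False):
    """Stand-in for one ECB-SM4 block: a 4-round HMAC-based Feistel network."""
    left, right = data[:16], data[16:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            left, right = _xor(right, _mac(key, bytes([i]), left)[:16]), left
        else:
            left, right = right, _xor(left, _mac(key, bytes([i]), right)[:16])
    return left + right

# The f_* functions of the text, instantiated with the stand-ins above.
def f_tid(idkey, t_tid, rid):     # TID = f_TID(IDKey, T_TID || RID), reversible
    return _block(idkey, _ts(t_tid) + rid.ljust(BLOCK - 8, b"\0"))
def open_tid(idkey, tid):         # GEO side: recover (T_TID, RID) from a TID
    plain = _block(idkey, tid, decrypt=True)
    return struct.unpack(">Q", plain[:8])[0], plain[8:].rstrip(b"\0")
def f_ak(mainkey, t_auth):        # AuthKey = f_AK(MainKey, T_Auth)
    return _block(mainkey, _ts(t_auth).ljust(BLOCK, b"\0"))
def f_tk(authkey, rand):          # TK = f_TK(AuthKey, RAND)
    return _block(authkey, rand)
def f_mac(authkey, rand, t_token, sgid):   # MAC = f_MAC(AuthKey, RAND || T_Token || SGID)
    return _mac(authkey, rand, _ts(t_token), sgid)
def f_ck(authkey, rand):          # CK = f_CK(AuthKey, RAND)
    return _mac(authkey, b"CK", rand)
def f_res(ck, rand):              # RES = f_RES(CK, RAND)
    return _mac(ck, rand)

def geo_check_request(idkey, tid, now):
    """Step 2: decrypt TID, check freshness, then the RID naming rule (assumed prefix)."""
    t_tid, rid = open_tid(idkey, tid)
    valid = abs(now - t_tid) < DELTA_T and rid.startswith(b"LEO-")
    return rid if valid else None

def geo_issue_token(mainkey, t_auth, rand, t_token, sgid):
    """Step 3: Token (assumed layout: RAND, T_Token xor TK, SGID, MAC), XRES and CK."""
    authkey = f_ak(mainkey, t_auth)
    tk = f_tk(authkey, rand)
    token = {"rand": rand, "enc_t": _xor(_ts(t_token), tk[:8]), "sgid": sgid,
             "mac": f_mac(authkey, rand, t_token, sgid)}
    ck = f_ck(authkey, rand)
    return token, f_res(ck, rand), ck

def leo_check_token(authkey, token, now):
    """Steps 4-5: recover T_Token via TK, check freshness, compare XMAC with MAC."""
    tk = f_tk(authkey, token["rand"])
    t_token = struct.unpack(">Q", _xor(token["enc_t"], tk[:8]))[0]
    if abs(now - t_token) >= DELTA_T:
        return None                                  # stale or replayed Token
    xmac = f_mac(authkey, token["rand"], t_token, token["sgid"])
    if not hmac.compare_digest(xmac, token["mac"]):
        return None                                  # GEO failed authentication
    ck = f_ck(authkey, token["rand"])
    return f_res(ck, token["rand"]), ck

def geo_precompute(mainkey, idkey, rid, sgid, times, rand):
    """Section 4, GEO side: XTID, Token, XRES and CK for the predicted times."""
    t_tid, t_auth, t_token = times
    token, xres, ck = geo_issue_token(mainkey, t_auth, rand, t_token, sgid)
    return {"xtid": f_tid(idkey, t_tid, rid), "token": token, "xres": xres, "ck": ck}

def leo_precompute(mainkey, idkey, rid, blank_token, times):
    """Section 4, LEO side: TID, AuthKey and RES from predicted times and the blank Token."""
    t_tid, t_auth, _ = times
    authkey = f_ak(mainkey, t_auth)
    res = f_res(f_ck(authkey, blank_token["rand"]), blank_token["rand"])
    return {"tid": f_tid(idkey, t_tid, rid), "authkey": authkey, "res": res}

def geo_fast_auth(stored, tid, res):
    """Post-registration step 2: comparison only, no cryptographic work on the GEO."""
    ok = hmac.compare_digest(tid, stored["xtid"]) and hmac.compare_digest(res, stored["xres"])
    return stored["token"] if ok else None

def demo():
    """Pre-registration exchange, then the precomputed fast path; keys are constructed."""
    idkey, mainkey = bytes(range(32)), bytes(range(32, 64))
    rid, sgid, now = b"LEO-017", b"GRP-A", 1_700_000_000
    ok1 = geo_check_request(idkey, f_tid(idkey, now, rid), now + 1) == rid
    token, xres, ck_geo = geo_issue_token(mainkey, now, hashlib.sha256(b"RAND-1").digest(), now + 1, sgid)
    res, ck_leo = leo_check_token(f_ak(mainkey, now), token, now + 2)  # LEO derives AuthKey from the shared clock
    ok1 = ok1 and hmac.compare_digest(res, xres) and ck_leo == ck_geo
    times = (now + 5400,) * 3                       # predicted next-contact times
    geo = geo_precompute(mainkey, idkey, rid, sgid, times, hashlib.sha256(b"RAND-2").digest())
    leo = leo_precompute(mainkey, idkey, rid, geo["token"], times)
    fast = geo_fast_auth(geo, leo["tid"], leo["res"])
    ok2 = fast is not None and leo_check_token(leo["authkey"], fast, times[2]) is not None
    drift = leo_precompute(mainkey, idkey, rid, geo["token"], (times[0] + 60, times[1], times[2]))
    ok3 = geo_fast_auth(geo, drift["tid"], drift["res"]) is None  # perturbed orbit: comparison fails
    return ok1, ok2, ok3
```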
The invention is further described below in connection with simulation experiments.
In the authentication method, if the communication and calculation overhead of the authentication precomputation itself is not counted (the core idea of the method is precisely to reduce the satellite's overhead during the authentication interaction by means of the precomputation mechanism), the authentication overhead is as follows:
(1) Number of interactions: identity authentication before the registration of satellite authentication information needs 3 session interactions, and identity authentication after the registration needs 2;
(2) Number of core operations: identity authentication before the registration of satellite authentication information needs 2B + 2H + 2M + 2C operations, and identity authentication after the registration needs 1M + 2C, where B is one block encryption, H one hash operation, M one message authentication code operation and C one comparison operation;
(3) Computation time: identity authentication before the registration of satellite authentication information needs 20.3 microseconds and identity authentication after the registration needs 5.9 microseconds. The experimental environment is a computer with an i5-4590 and 8 GB RAM; SM3-256 is used for hashing, SM3-HMAC-256 for the MAC, SM4-128 for block encryption, the random number is 128 bits long and the timestamp 48 bits.
According to the experimental results, once the registration of authentication information between satellites is complete, the precomputation mechanism allows inter-satellite networking authentication to be completed with little overhead, while anonymous protection of the LEO identity is obtained at low cost.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When software is used in whole or in part, it can be implemented as a computer program product that includes one or more computer instructions. When loaded and executed on a computer, these cause the flows or functions according to embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that includes one or more such media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (7)

1. An inter-satellite networking authentication method suitable for a double-layer satellite network is characterized by specifically comprising the following steps of:
firstly, an authentication system is initialized to generate and distribute identity information, a secret key and orbit parameters required by authentication between satellites;
secondly, registering satellite authentication information, wherein after receiving orbit information sent by an LEO, a GEO adds the authentication information of the LEO in an authentication information table, and stores an ID of the LEO and orbit data into an authentication information database on the satellite; after the registration is finished, the GEO returns the accurate orbit data to the LEO;
the satellite authentication information registration specifically includes:
(2a) the LEO sends its own accurate orbit data to the GEO, the accurate orbit data comprising orbit parameters such as orbit altitude and orbit inclination used for satellite orbit position prediction;
(2b) after receiving the orbit information sent by the LEO, the GEO adds the authentication information of the LEO in an authentication information table, and stores the ID of the LEO and the orbit data into an authentication information database on the satellite; after the registration is finished, the GEO returns the accurate orbit data to the LEO;
(2c) after receiving the returned orbit data, the LEO stores the data into an authentication database of the LEO;
thirdly, inter-satellite identity authentication and key agreement are carried out, and an authentication subprotocol before satellite authentication information registration and an authentication subprotocol after satellite authentication information registration are selected and executed according to an authentication stage;
thirdly, the inter-satellite identity authentication and key agreement specifically comprises:
executing an authentication subprotocol before the registration of the satellite authentication information and an authentication subprotocol after the registration of the satellite authentication information;
the authentication subprotocol before the registration of the authentication information comprises the following steps:
(3a) the LEO obtains the timestamp T_TID from the satellite-borne clock; based on the acquired T_TID and the preset IDKey, the LEO calculates the temporary identity TID to be used in this authentication, TID = f_TID(IDKey, T_TID || RID); after the calculation is finished, the LEO sends the TID together with the authentication request to the GEO;
(3b) after receiving the TID, the GEO decrypts the TID with the preset IDKey and judges the freshness and validity of the authentication request from the decrypted T_TID and RID;
(3c) the GEO obtains the timestamp T_Auth needed for generating AuthKey from the satellite-borne clock; based on the acquired T_Auth and the preset MainKey, AuthKey = f_AK(MainKey, T_Auth); the GEO generates a one-time random number RAND; based on the generated RAND and AuthKey, the GEO calculates the timestamp protection sequence TK = f_TK(AuthKey, RAND); the GEO obtains the Token timestamp T_Token from the satellite-borne clock; based on the generated RAND, the acquired T_Token and the stored SGID, the GEO calculates the message authentication code MAC = f_MAC(AuthKey, RAND || T_Token || SGID); the GEO combines RAND, T_Token, TK, SGID and MAC into the authentication Token,
[equation for the composition of Token: shown as an image in the original, not reproduced]
and calculates the expected response XRES and the session key CK, CK = f_CK(AuthKey, RAND), XRES = f_RES(CK, RAND);
(3d) the LEO generates the AuthKey in the manner of (3b)-(3c) and judges the freshness and validity of the Token using the generated AuthKey;
(3e) after verification, the LEO calculates CK and RES, and returns the RES to the GEO;
(3f) after receiving the RES, the GEO compares whether the received RES is equal to the stored XRES; if equal, the authentication of the LEO is completed; otherwise, the authentication fails;
the authentication subprotocol after the authentication information registration comprises the following steps:
after a communication link is established, the LEO first judges whether its orbit parameters have changed; if an orbit perturbation has occurred, the authentication parameters obtained by authentication precomputation are invalid, the protocol is terminated, and the authentication subprotocol before the registration of the authentication information is executed again; if the running orbit is normal, the LEO sends the pre-calculated TID and RES to the GEO together with the access request;
after receiving the access request, the GEO compares the received TID and RES with the stored XTID and XRES; if both are equal, the authentication of the LEO is completed and the stored Token is returned to the LEO; if not, an error is returned and the authentication subprotocol is re-executed;
the LEO judges the validity of the authentication Token using the pre-calculated AuthKey;
after the verification passes, the LEO calculates the session key CK using the AuthKey;
fourthly, the authentication precomputation specifically comprises the following steps:
executing the precomputation subprotocol before the registration of the satellite authentication information and the precomputation subprotocol after the registration of the satellite authentication information;
the authentication precomputation subprotocol before the registration of the authentication information specifically includes:
(4a) the LEO applies to the GEO for a blank Token;
(4b) the GEO calculates and returns a blank Token;
(4c) the LEO calculates, by orbit position prediction, the time point of the next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token; then the LEO generates the TID and the AuthKey of the next authentication from T_TID and T_Auth respectively; based on the blank Token returned by the GEO, the LEO calculates the RES of the next authentication; after the calculation is finished, the LEO stores the TID and the RES;
(4d) the GEO calculates, by orbit position prediction, the time point of the next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token; based on the acquired time parameters, the stored satellite ID, the stored key IDKey and the stored MainKey, the GEO calculates the XTID, XRES, Token and CK of the next authentication; after the calculation is finished, the GEO stores XTID, XRES, Token and CK;
the authentication precomputation subprotocol after the registration of the authentication information specifically includes:
the LEO calculates, by orbit position prediction, the time point of the next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token; then the LEO generates the TID and the AuthKey of the next authentication from T_TID and T_Auth respectively; based on the Token returned by the GEO in the authentication subprotocol, the LEO calculates the RES of the next authentication; after the calculation is finished, the LEO stores the TID and the RES;
the GEO calculates, by orbit position prediction, the time point of the next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token; based on the acquired time parameters, the stored satellite ID, the stored key IDKey and the stored MainKey, the GEO calculates the XTID, XRES, Token and CK of the next authentication; after the calculation is finished, the GEO stores XTID, XRES, Token and CK;
and fourthly, the authentication precomputation is performed by selecting, according to the authentication stage, either the precomputation subprotocol before the registration of the satellite authentication information or the precomputation subprotocol after the registration of the satellite authentication information.
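The authentication subprotocol of steps (3a) to (3f) and the precomputation of steps (4a) to (4d), together with the post-registration fast path and its fallback when the orbit prediction no longer holds, as an added worked example: this is not part of the patent and not the applicants' code. The claims name the functions f_TID, f_AK, f_TK, f_MAC, f_CK and f_RES but do not define them, so the example instantiates each as HMAC-SHA256 under a distinct label; it assumes a TID that carries T_TID in clear with the RID masked and tagged under IDKey (so the GEO can invert it as step (3b) requires), assumes the Token layout RAND || (T_Token xor TK) || SGID || MAC because the page shows the Token formula only as an image, and takes T_TID, T_Auth and T_Token to be the same contact time, with T_Auth quantised to 60-second slots so that both satellites derive the same AuthKey from their own clocks. All keys, identifiers and clock values are constructed.

```python
# Added example, not from the patent: subprotocol (3a)-(3f), precomputation (4a)-(4d) and the fast path.
# Assumed: each f_* is HMAC-SHA256 under its own label; T_TID, T_Auth and T_Token all equal the contact
# time; T_Auth is quantised to SLOT-second slots; the TID and Token byte layouts are the ones defined below.
import hashlib
import hmac
import secrets
SLOT, WINDOW, RID_LEN, TAG_LEN = 60, 30, 4, 8   # assumed slot size, freshness tolerance (s), field sizes

def prf(key, label, *parts):
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:                       # length-prefixed so a||b cannot be re-split
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()
def ts(t): return int(t).to_bytes(8, "big")
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def f_ak(main_key, t_auth): return prf(main_key, b"auth-key", ts(t_auth // SLOT))
def f_tk(auth_key, rand): return prf(auth_key, b"tk", rand)[:8]
def f_mac(auth_key, rand, t_token, sgid): return prf(auth_key, b"mac", rand, ts(t_token), sgid)
def f_ck(auth_key, rand): return prf(auth_key, b"ck", rand)
def f_res(ck, rand): return prf(ck, b"res", rand)[:16]

def f_tid(id_key, t_tid, rid):
    """TID = T_TID || (RID xor keystream(IDKey, T_TID)) || tag; T_TID doubles as the nonce."""
    ks = prf(id_key, b"tid-mask", ts(t_tid))[:RID_LEN]
    return ts(t_tid) + xor(rid, ks) + prf(id_key, b"tid-tag", ts(t_tid), rid)[:TAG_LEN]

def open_tid(id_key, tid):
    """GEO side of (3b): recover T_TID and RID; a TID whose tag fails is rejected."""
    t_tid = int.from_bytes(tid[:8], "big")
    rid = xor(tid[8:8 + RID_LEN], prf(id_key, b"tid-mask", ts(t_tid))[:RID_LEN])
    if not hmac.compare_digest(tid[8 + RID_LEN:], prf(id_key, b"tid-tag", ts(t_tid), rid)[:TAG_LEN]):
        raise ValueError("TID tag mismatch")
    return t_tid, rid

def build_token(auth_key, rand, t_token, sgid):
    """Token = RAND || (T_Token xor TK) || SGID || MAC (assumed layout; the patent shows it as an image)."""
    return rand + xor(ts(t_token), f_tk(auth_key, rand)) + sgid + f_mac(auth_key, rand, t_token, sgid)

def open_token(auth_key, token, now, sgid):
    """LEO side of (3d): unmask T_Token with TK, then check freshness, SGID and MAC; returns RAND."""
    rand = token[:16]
    t_token = int.from_bytes(xor(token[16:24], f_tk(auth_key, rand)), "big")
    if token[24:24 + len(sgid)] != sgid or abs(now - t_token) > WINDOW:
        raise ValueError("Token stale or for another group")
    if not hmac.compare_digest(token[24 + len(sgid):], f_mac(auth_key, rand, t_token, sgid)):
        raise ValueError("Token MAC mismatch")
    return rand

def geo_issue(geo, rid, t):
    """(3c), and (4b)/(4d) when t is the predicted contact time: Token, CK, XRES and XTID."""
    auth_key, rand = f_ak(geo["main_key"], t), secrets.token_bytes(16)
    ck = f_ck(auth_key, rand)
    return {"token": build_token(auth_key, rand, t, geo["sgid"]), "ck": ck,
            "xres": f_res(ck, rand), "xtid": f_tid(geo["id_key"], t, rid)}

def leo_respond(leo, token, now, auth_key=None):
    """(3d)-(3e): AuthKey from the clock unless precomputed; verify the Token; derive CK and RES."""
    auth_key = auth_key or f_ak(leo["main_key"], now)
    rand = open_token(auth_key, token, now, leo["geo_sgid"])
    ck = f_ck(auth_key, rand)
    return ck, f_res(ck, rand)

def full_protocol(leo, geo, now, geo_now=None):
    """Subprotocol before registration, (3a)-(3f); geo_now lets the GEO clock differ from the LEO's."""
    t_tid, rid = open_tid(geo["id_key"], f_tid(leo["id_key"], now, leo["rid"]))   # (3a)-(3b)
    if rid not in geo["rids"] or abs((geo_now or now) - t_tid) > WINDOW:
        return False, None, None
    entry = geo_issue(geo, rid, geo_now or now)                                     # (3c)
    ck_leo, res = leo_respond(leo, entry["token"], now)                             # (3d)-(3e)
    ok = hmac.compare_digest(res, entry["xres"])                                    # (3f)
    return ok, ck_leo, (entry["ck"] if ok else None)

def precompute(leo, geo, t_next):
    entry = geo["table"][leo["rid"]] = geo_issue(geo, leo["rid"], t_next)   # (4d): GEO stores XTID, XRES, Token, CK
    auth_key = f_ak(leo["main_key"], t_next)                                # (4c): LEO's AuthKey for t_next
    _, res = leo_respond(leo, entry["token"], t_next, auth_key)             # (4c): LEO's RES from the blank Token
    leo["pre"] = (t_next, f_tid(leo["id_key"], t_next, leo["rid"]), res, auth_key)

def fast_protocol(leo, geo, now):
    """Subprotocol after registration: (CK at LEO, CK at GEO), or None to signal fallback to full_protocol."""
    t_next, tid, res, auth_key = leo.pop("pre", (None,) * 4)
    if t_next is None or abs(now - t_next) > WINDOW:          # orbit perturbation: precomputation invalid
        return None
    entry = geo["table"].pop(open_tid(geo["id_key"], tid)[1], None)          # one-shot entry
    if not (entry and hmac.compare_digest(tid, entry["xtid"]) and hmac.compare_digest(res, entry["xres"])):
        return None
    return leo_respond(leo, entry["token"], now, auth_key)[0], entry["ck"]

def demo():
    geo = {"id_key": b"K" * 32, "main_key": b"M" * 32, "sgid": b"G001", "rids": {b"L007"}, "table": {}}
    leo = {"id_key": b"K" * 32, "main_key": b"M" * 32, "rid": b"L007", "geo_sgid": b"G001"}  # constructed
    ok, ck_l, ck_g = full_protocol(leo, geo, 1000)
    stale = full_protocol(leo, geo, 1000, geo_now=1600)[0]    # TID stamped 10 min earlier: not fresh
    precompute(leo, geo, 6400)
    fast = fast_protocol(leo, geo, 6405)                      # prediction held: (TID, RES) accepted
    precompute(leo, geo, 9000)
    perturbed = fast_protocol(leo, geo, 9300)                 # prediction off by 300 s: fall back
    return {"first": ok and ck_l == ck_g, "stale_rejected": not stale,
            "fast": fast is not None and fast[0] == fast[1], "fallback": perturbed is None}
```

`demo()` runs the four scenarios the claims describe: a full authentication in which both sides end with the same CK, a request whose T_TID lies outside the freshness window and is refused in step (3b), a precomputed pass in which the GEO accepts (TID, RES) against its stored (XTID, XRES) and returns the stored Token, and a pass whose actual contact time differs from the predicted one, which discards the precomputed values so the full subprotocol must be run again. The time-slotted AuthKey has one edge case the claims leave to the implementer: if the two satellites' clocks fall on different sides of a slot boundary, the MACs disagree and the Token is rejected; the precomputation path sidesteps this because both sides derive AuthKey from the same predicted T_Auth, which is one practical reason to prefer it once registration has happened.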
2. The method for authenticating an inter-satellite network applicable to a two-tier satellite network according to claim 1, wherein, in the first step, the initialization of the authentication system specifically includes:
(1a) in the launch preparation stage, a satellite submits a system initialization application to the ground authentication server;
(1b) after receiving the application, the ground authentication server generates and distributes identity information, keys and orbit parameters for the satellite, where the identity information and keys comprise the identity information ID, the group identity information SGID, the anonymity protection key IDKey for the satellite's identity information, and the satellite's authentication master key MainKey.
3. An information data processing terminal for implementing the method for authenticating the inter-satellite networking suitable for the double-layer satellite network as claimed in any one of claims 1 to 2.
4. A computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of inter-satellite networking authentication for a two-tier satellite network of any of claims 1-2.
5. An inter-satellite networking authentication system applicable to the double-layer satellite network, which is applied to the inter-satellite networking authentication method of the double-layer satellite network according to claim 1, wherein the inter-satellite networking authentication system applicable to the double-layer satellite network comprises:
the ground authentication server is used for finishing the initialization of the satellite authentication system, and generating and distributing the identity information, the secret key and the orbit parameters of the authentication between the satellites;
the high orbit satellite GEO authentication client is used for receiving an authentication request from the LEO, calculating and returning an authentication Token, calculating an expected response XRES and a session key CK, checking whether a temporary identity TID used by the LEO in the authentication request is valid or not, checking whether a response value RES returned by the LEO is correct or not, and maintaining an authentication information table for the LEO;
and the low earth orbit satellite (LEO) authentication client is used for submitting an authentication request to the GEO, checking whether an authentication Token returned by the GEO is valid, calculating a temporary identity TID, a response value RES and a session key CK, and maintaining an authentication information table for the GEO.
6. The system of claim 5, wherein the ground authentication server comprises:
the system initialization module is used for completing initialization of the satellite authentication system and writing the identity information generated by the identity information generation module, the secret key generated by the secret key generation module and the orbit parameters distributed by the orbit distribution module into the satellite authentication system;
the identity information generation module is used for generating the identity information required by authentication for the satellite according to the production sequence and the launch sequence of the satellite;
the key generation module is used for generating a key required by authentication for the satellite;
the orbit allocation module is used for allocating an operation orbit for the satellite;
the high orbit satellite GEO authentication client comprises:
the system initialization module is used for completing initialization of the satellite authentication system and acquiring identity information, a secret key and orbit parameters required by satellite authentication from the ground authentication server;
the networking authentication module comprises an authentication submodule, a data processing submodule and a precomputation management submodule;
the authentication submodule is used for interacting parameters required by authentication with a low earth orbit satellite LEO authentication client;
the data processing submodule is used for generating and analyzing the authentication parameters and checking whether the received authentication parameters are valid;
the pre-calculation management submodule is used for pre-calculating, according to the authentication information table, the authentication parameters of the satellites whose data it manages, and for maintaining the authentication information table;
the orbit prediction module is used for calculating a time node of the next authentication between the satellites;
the authentication information management module is used for managing registration and updating of LEO authentication information;
the low earth orbit satellite LEO authentication client comprises:
the system initialization module is used for completing initialization of the satellite authentication system and acquiring identity information, a secret key and orbit parameters required by satellite authentication from the ground authentication server;
the networking authentication module comprises an authentication submodule, a data processing submodule and a precomputation management submodule;
the authentication submodule is used for interacting parameters required by authentication with the high orbit satellite GEO authentication client;
the data processing submodule is used for generating and analyzing the authentication parameters and checking whether the received authentication parameters are valid;
the pre-calculation management submodule is used for pre-calculating, according to the authentication information table, the authentication parameters of the satellites whose data it manages, and for maintaining the authentication information table;
the orbit prediction module is used for calculating a time node of the next authentication between the satellites;
and the authentication information management module is used for managing the registration and the update of the GEO authentication information.
7. An information data processing terminal equipped with the inter-satellite networking authentication system applied to the two-tier satellite network according to any one of claims 5 to 6.
CN201810262750.4A 2018-03-28 2018-03-28 Inter-satellite networking authentication system and method suitable for double-layer satellite network Active CN108566240B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810262750.4A CN108566240B (en) 2018-03-28 2018-03-28 Inter-satellite networking authentication system and method suitable for double-layer satellite network

Publications (2)

Publication Number Publication Date
CN108566240A CN108566240A (en) 2018-09-21
CN108566240B true CN108566240B (en) 2020-10-27

Family

ID=63533118

Country Status (1)

Country Link
CN (1) CN108566240B (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109039436B (en) * 2018-10-23 2020-09-15 中国科学院信息工程研究所 Method and system for satellite security access authentication
CN109547213B (en) * 2018-12-14 2021-08-10 西安电子科技大学 Inter-satellite networking authentication system and method suitable for low-earth-orbit satellite network
CN113965925B (en) * 2020-07-01 2023-08-25 大唐移动通信设备有限公司 Dynamic authentication method, device, equipment and readable storage medium
CN111897816B (en) * 2020-07-16 2024-04-02 中国科学院上海微系统与信息技术研究所 Interaction method of calculation information between satellites and generation method of information table applied by same
CN112019258B (en) * 2020-09-04 2022-03-22 中国电子科技集团公司第五十四研究所 GEO and LEO mixed constellation and design method thereof
CN112671452B (en) * 2020-12-17 2023-03-14 西安电子科技大学 Heterogeneous satellite network management method, system, medium, equipment, terminal and application
CN112953726B (en) * 2021-03-01 2022-09-06 西安电子科技大学 Satellite-ground and inter-satellite networking authentication method, system and application for fusing double-layer satellite network
CN114007219B (en) * 2021-10-25 2024-03-26 北京计算机技术及应用研究所 Invisible identification access authentication method for low-orbit satellite communication
CN114466359B (en) * 2022-01-07 2024-03-01 中国电子科技集团公司电子科学研究院 Distributed user authentication system and authentication method suitable for low orbit satellite network
CN114584975B (en) * 2022-02-23 2023-09-15 重庆邮电大学 SDN-based anti-quantum satellite network access authentication method
CN114828005A (en) * 2022-05-24 2022-07-29 西安电子科技大学 Enhanced inter-satellite networking authentication method based on location key
CN115334505B (en) * 2022-06-21 2024-05-14 西安电子科技大学 5 G+Beidou-oriented multimode intelligent terminal secure communication method and system
CN117156433B (en) * 2023-10-31 2024-02-06 航天宏图信息技术股份有限公司 Satellite internet key management distribution method, device and deployment architecture
CN117278109B (en) * 2023-11-20 2024-03-01 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Satellite in-orbit security anomaly identification method, system and computer readable storage medium

Citations (6)

Publication number Priority date Publication date Assignee Title
CN101222329A (en) * 2006-08-17 2008-07-16 上海航天计算机系统工程有限公司 Mixed type distributed authentication system
CN102379141A (en) * 2009-02-05 2012-03-14 北方电讯网络有限公司 Method and system for user equipment location determination on a wireless transmission system
CN106059650A (en) * 2016-05-24 2016-10-26 北京交通大学 Air-ground integrated network architecture and data transmission method based on SDN and NFV technology
CN107094047A (en) * 2017-06-09 2017-08-25 西安电子科技大学 Based on pre-stored and segment transmissions the double layer minipellet method for routing of grouped data
CN107409051A (en) * 2015-03-31 2017-11-28 深圳市大疆创新科技有限公司 For generating the Verification System and method of air traffic control
CN107615358A (en) * 2015-03-31 2018-01-19 深圳市大疆创新科技有限公司 For identifying the Verification System and method of authorized participant

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US20040059939A1 (en) * 2002-09-13 2004-03-25 Sun Microsystems, Inc., A Delaware Corporation Controlled delivery of digital content in a system for digital content access control
US7602908B2 (en) * 2003-12-22 2009-10-13 Aol Llc System and method for using a streaming protocol
US9515826B2 (en) * 2010-11-18 2016-12-06 The Boeing Company Network topology aided by smart agent download

Non-Patent Citations (7)

Title
A Highly Secure Identity-Based Authenticated [...] Exchange Protocol for Satellite Communication; Zhong Yantao; 2010-12-31; full text *
A Lightweight Certificate-based Source Authentication Protocol for Group Communication in Hybrid Wireless/Satellite Networks; Ayan Roy-Chowdhury; 2008 IEEE Global Telecommunications Conference; 2008-12-08; full text *
Satellite over Satellite (SOS) Network: A Novel Concept of Hierarchical Architecture and Routing in Satellite Network; Jae-Wook Lee; Proceedings 25th Annual IEEE Conference on Local Computer Networks; 2002-08-06; full text *
Security analysis of an authentication and key agreement protocol; Yuanyuan Zhang; International Journal of Communication Systems; 2013-08-08; full text *
Research on a security model for sensitive information transmission in open network environments; 刘宇新; China Master's Theses Full-text Database; 2015-04-15; full text *
Certificate-based hybrid public key infrastructure for space information networks; 任方; Journal of Jilin University (Engineering and Technology Edition); 2012-03-15; full text *
Research on a multilevel-security-oriented network secure communication model and its key technologies; 曹利峰; China Doctoral Dissertations Full-text Database; 2014-01-31; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant