CN109474438B - Intelligent terminal access authentication method based on selective leakage - Google Patents
Intelligent terminal access authentication method based on selective leakage Download PDFInfo
- Publication number
- CN109474438B CN109474438B CN201811585180.9A CN201811585180A CN109474438B CN 109474438 B CN109474438 B CN 109474438B CN 201811585180 A CN201811585180 A CN 201811585180A CN 109474438 B CN109474438 B CN 109474438B
- Authority
- CN
- China
- Prior art keywords
- intelligent terminal
- node
- access unit
- authentication
- root
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 title claims abstract description 51
- 238000013507 mapping Methods 0.000 claims abstract description 19
- 230000008569 process Effects 0.000 claims abstract description 15
- 238000004364 calculation method Methods 0.000 claims description 13
- 238000001514 detection method Methods 0.000 claims description 4
- 230000004044 response Effects 0.000 claims description 4
- 230000003993 interaction Effects 0.000 abstract description 2
- 230000007246 mechanism Effects 0.000 description 3
- 230000006855 networking Effects 0.000 description 2
- 230000004075 alteration Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses an intelligent terminal access authentication method based on selective leakage, which utilizes light operators such as a single-term HMAC function, an exclusive-or operation and the like and combines a Huffman tree to realize mutual authentication between an intelligent terminal V and an access unit R. Before formal authentication, the intelligent terminal V pre-shares a certificate containing a hash value root through the trusted third party to the access unit R. The authentication process is divided into two phases: in the first stage, the intelligent terminal V uses random numbers and secret value mapping to finish the authentication of the identity validity of an access unit R; and in the second stage, the information of the intelligent terminal V is selectively revealed by means of the Huffman tree, and the authentication of the identity validity of the intelligent terminal V by the access unit R is realized. The method and the system remarkably improve the safety and flexibility of the authentication process, can effectively avoid directly exposing sensitive data of the intelligent network connection vehicle to the roadbed unit besides defending attacks such as message replay and the like, and are suitable for a safe interaction application scene with data sharing requirements.
Description
Technical Field
The invention relates to the field of intelligent terminal safety, in particular to an intelligent terminal access authentication method based on selective leakage.
Background
With the rise of the internet of things, the application prospect of the intelligent terminal becomes wider. Nowadays, intelligent terminals are widely deployed in various systems and applied to security critical industries such as vehicle networking and industrial control, which makes the functions of the intelligent terminals more important and makes the network environment more complex. The problem of how to safely and efficiently access the intelligent terminal to the increasingly complex network needs to be solved urgently. The traditional end-to-end encryption-based communication protocol faces various threats, and replay attack can be easily realized by intercepting data packets transmitted on a channel, so that an unforeseen result is generated. Therefore, a secure authentication protocol is needed to verify the validity of the identity of the authentication object in the access link.
In the application scenarios of many intelligent terminals, the specific requirements of authentication are often different from those of most traditional networks. Taking the car networking as an example, on one hand, the performance and the storage space of the network access unit are limited, and the network access unit may need to process a large number of access requests from the intelligent terminal at the same time; on the other hand, the service received by the internet connection after accessing the network may not need to authenticate all the attribute information stored on the intelligent terminal. Many conventional authentication methods based on cryptographic algorithms are no longer suitable for this scenario. Therefore, the authentication method used by the intelligent terminal when accessing the network not only needs high efficiency and low storage, but also needs to use a selective disclosure mechanism to avoid exposing privacy information irrelevant to the session.
Disclosure of Invention
Aiming at the technical problem, the invention provides an intelligent terminal access authentication method based on selective leakage, which comprises an intelligent terminal V, an access unit R and a trusted third party, wherein the intelligent terminal V has a pseudo-identity identifier PIDVSharing secret SVAnd local data set(l∈N*) (ii) a The access unit R maintains a secret mapping table, and the secret mapping table is used for mapping the shared secret S of each intelligent terminal VVPseudo-identity identifier PID mapped to corresponding intelligent terminal VVAnd a pre-shared key kv;kvThe key of the HMAC function used for authentication between the intelligent terminal V and the access unit R is also the encryption key of the subsequent session; the intelligent terminal V also needs to be connected with a trusted third partyThe generated certificate is pre-shared to an access unit R; the method comprises the following steps:
the method comprises the following steps: the intelligent terminal V pre-shares the certificate containing the hash value root through the trusted third direction access unit R;
step two: the intelligent terminal V uses the random number and the secret value mapping to finish the authentication of the identity validity of the access unit R;
step three: and selectively revealing the information of the intelligent terminal V by means of the Huffman tree, and realizing the authentication of the identity legitimacy of the intelligent terminal V by the access unit R.
In the method for authenticating the access of the intelligent terminal based on the selective leakage, the intelligent terminal V pre-shares the certificate containing the hash value root through the trusted third direction access unit R, and the method comprises the following steps: step a 1: the intelligent terminal V utilizes a pseudo-random function generator to generate a group of pseudo-random numbersReuse ofFor local data setRecord asPerforming random processing, and calculating to obtain temporary data set
……
step a 2: the intelligent terminal V obtains a group of values by utilizing the one-way Hash function calculation
……
Step a 3: intelligent terminal V willRecord as) Will beRecording and sending to a trusted third party;
step a 5: the trusted third party takes the probability of each attribute being shown as a weight to construct a Huffman tree, and uses the probabilityAs leaf nodes, constructing a Huffman tree according to the corresponding weight of each node;calculating hash values F of non-leaf nodesnode=H(child1||child2),child1And child2Respectively representing the values of left and right child nodes of a certain non-leaf node, | | | represents cascade connection; all node values of the Huffman tree can be obtained through the calculation, and the value of the root node is marked as root;
step a 6: and the trusted third party sends the hash value root to the access unit R and sends the whole Huffman tree to the intelligent terminal V.
In the method for authenticating the access of the intelligent terminal based on the selective leakage, the intelligent terminal V uses random numbers and secret value mapping to finish the authentication of the identity validity of an access unit R, and the method comprises the following steps:
step b 1: the intelligent terminal V utilizes a pseudo-random function generator to generate pseudo-random number r'VExtracting local SV(ii) a R 'of intelligent terminal V'V||SVSending the request to an access unit R as an access request and opening a new session period;
step b 2: when access unit R receives R'V||SVThereafter, a pseudo random number r is generated using a pseudo random function generatorRAccording to SVExtracting corresponding pseudo ID PID from the secret mapping table stored locallyVAnd kvCalculating to obtain MRAnd concatenates the messages rR||MRReturning to P as a response;
step b 3: when the intelligent terminal V receives rR||MRThereafter, local PID is extractedVAnd kvCalculated using themBy comparing received MRAnd M'RThe identity authenticity of the access unit R is verified; if the two values are equal, the intelligent terminal V considers thatThe access unit R is a legal device, and the protocol continues; otherwise the protocol terminates.
In the method for authenticating the access of the intelligent terminal based on the selective leakage, the information of the intelligent terminal V is selectively leaked by means of the Huffman tree, so that the identity validity of the intelligent terminal V is authenticated by the access unit R, and the method comprises the following steps:
step c 1: the intelligent terminal V selects a part of temporary data set to be shared(i ∈ {1, 2.., m }), the remaining dataset is labeled as(i ∈ {1, 2.,. n }), can be found directly in the Huffman treeAndcorresponding leaf node(i ∈ {1, 2.,. m }) and(i e {1, 2.., n }), all inclusiveMedium node, noneRoot node set of subtree of middle nodes(i ∈ {1, 2.., k }), and then fromFinding parent node not belonging toThe nodes of (2) form a set(i ∈ {1, 2...., s }), according to a Huffman tree, utilizingAndcalculating to obtain a root node value root of the Huffman tree; intelligent terminal V calculationAnd MVAnd r isR、MVAndsending to an access unit R;
step c 2: when access unit R receives RR、MVAndfirst calculateComparison MVAnd M'V(ii) a If not, the protocol is terminated, otherwise, the process continues;
step c 3: access Unit R computationBy usingAndcalculating to obtain a root ', comparing whether the root' is equal to a locally stored root or not, and verifying the authenticity of the identity of the intelligent terminal V; if the two values are equal, the access unit R considers that the intelligent terminal V is a legal device, and the protocol is normally ended.
In the selective leakage-based intelligent terminal access authentication method, a once recursion function mark (node) is used for searchingThe process of (2), comprising:
(1) if the node is a leaf node, executing:
(2) if the node is not a leaf node, performing:
mark (c) is executed first1) And mark (c)2),c1And c2Is a child node of the node; and then judging c1And c2If the nodes are marked, marking the nodes, and otherwise returning.
In the selective leakage-based intelligent terminal access authentication method, a function search (node) is searched for through one-time traversalThe process of (2), comprising:
(1) if the node is a leaf node, executing:
(2) if the node is not a leaf node, performing:
if the node is marked, the node is addedOtherwise, execute search (c)1) And search (c)2),c1And c2Are child nodes of the node.
The method provided by the invention obviously improves the safety and flexibility of the authentication process, can effectively avoid directly exposing sensitive data of the intelligent network connection vehicle to the roadbed unit besides defending attacks such as message replay and the like, and is suitable for a safe interaction application scene with a data sharing requirement.
Drawings
Fig. 1 is a flowchart of an intelligent terminal access authentication method based on selective leakage according to the present invention.
Fig. 2 is a schematic flowchart of an intelligent terminal access authentication method based on selective leakage according to the present invention.
FIG. 3 is a hash tree constructed according to weights in an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention are described in detail below with reference to the drawings and specific embodiments, and it should be understood that the specific features in the embodiments and examples of the present invention are described in detail in the technical solutions of the present application, and are not limited to the technical solutions of the present application, and the technical features in the embodiments and examples of the present application may be combined with each other without conflict.
As shown in fig. 1 and fig. 2, the present invention discloses an intelligent terminal access authentication method based on selective leakage. The method utilizes light operators such as a single HMAC function, an exclusive-or operation and the like, and combines a Huffman tree to realize mutual authentication between the intelligent terminal V and the access unit R. Before formal authentication, the intelligent terminal V pre-shares a certificate containing a hash value root through the trusted third party to the access unit R. The authentication process is divided into two phases: in the first stage, the intelligent terminal V uses random numbers and secret value mapping to finish the authentication of the identity validity of an access unit R; and in the second stage, the information of the intelligent terminal V is selectively revealed by means of the Huffman tree, and the authentication of the identity validity of the intelligent terminal V by the access unit R is realized.
The embodiment of the invention provides an intelligent terminal access authentication method based on selective leakage. The invention is realized by adopting the following technical scheme:
intelligent terminal V possesses pseudo-identity identifier PIDVSharing secret SVAnd local data set(l∈N*) (ii) a The access unit R maintains a secret mapping table which maps the shared secret S of each intelligent terminal VVPseudo-identity identifier PID mapped to corresponding intelligent terminal VVAnd a pre-shared key kv;kvThe key of the HMAC function used for authentication between the intelligent terminal V and the access unit R is also the encryption key of the subsequent session; before starting authentication, the intelligent terminal V also needs to pass through a trusted third partyThe generated certificate is pre-shared to the access unit R.
The certificate generation and pre-sharing process is as follows:
step a 1: the intelligent terminal V firstly utilizes a pseudo-random function generator to generate a group of pseudo-random numbersReuse ofFor local data set(note as) Performing random processing, and calculating to obtain temporary data set
……
step a 2: the intelligent terminal V obtains a group of values by utilizing the one-way Hash function calculation
……
Step a 3: intelligent terminal V will(note as)、(note as) To a trusted third party (e.g., a certificate authority);
step a 5: in order to reduce the storage space required for storing the certificate, a trusted third party needs to implement a selective leakage mechanism by using a huffman tree with hash values as nodes. This selective leakage authentication scheme constructs a huffman tree considering the probability (requiring advanced statistics) that each attribute is presented as a weight, and the depth of attribute nodes with high probability in the tree is smaller than nodes with low probability, which makes the scheme more efficient than the selective leakage authentication scheme based on the Merkle tree in most cases.
Trusted third party usageAnd as leaf nodes, constructing a Huffman tree according to the corresponding weight of each node. Calculating hash values F of non-leaf nodesnode=H(child1||child2),child1And child2Respectively representing the values of the left and right child nodes of a certain non-leaf node,and | represents concatenation. All node values of the Huffman tree can be obtained through the calculation, and the value of the root node is marked as root.
Step a 6: and then, the trusted third party sends the hash value root to the access unit R and sends the whole Huffman tree to the intelligent terminal V.
The security authentication method for the intelligent terminal comprises the following steps:
step b 1: the intelligent terminal V utilizes a pseudo-random function generator to generate pseudo-random number r'VExtracting local SV(ii) a R 'of intelligent terminal V'V||SVSending the request to an access unit R as an access request and opening a new session period;
step b 2: when access unit R receives R'V||SVThereafter, a pseudo random number r is generated using a pseudo random function generatorRAccording to SVExtracting corresponding pseudo ID PID from the secret mapping table stored locallyVAnd kvCalculating to obtain MRAnd concatenates the messages rR||MRReturning to P as a response;
step b 3: when the intelligent terminal V receives rR||MRThereafter, local PID is extractedVAnd kvCalculated using themBy comparing received MRAnd M'RThe identity authenticity of the access unit R is verified; if the two values are equal, the intelligent terminal V considers that the access unit R is a legal device, and the protocol continues; otherwise the protocol terminates.
Step c 1: the intelligent terminal V selects a part of temporary data set to be sharedMarking as(i ∈ {1, 2.,. n }), can be found directly in the Huffman treeAndcorresponding leaf node(i ∈ {1, 2.,. m }) and(i ∈ {1, 2., n }). All are contained inMedium node, noneRoot node set of subtree of middle nodes(i ∈ {1, 2.., k }), and then fromElecting a parent node not belonging toThe nodes of (2) form a set(i ∈ {1, 2.., s }). According to Huffman tree, usingAndthe root node value root of the huffman tree can be calculated. LookupCan be implemented by a recursion and a traversal.
The recursive function mark (node) performs the following procedure:
(1) if the node is a leaf node, executing:
(2) if the node is not a leaf node, performing:
mark (c) is executed first1) And mark (c)2),c1And c2Is a child node of the node; and then judging c1And c2If the nodes are marked, marking the nodes, and otherwise returning.
The traversal function search (node) performs the following:
(1) if the node is a leaf node, executing:
(2) if the node is not a leaf node, performing:
if the node is marked, the node is addedOtherwise, execute search (c)1) And search (c)2),c1And c2Are child nodes of the node.
Step c 2: when access unit R receives RR、MVAndfirst calculating similarly to step 3 Comparison MVAnd M'V(ii) a If not, the protocol terminates, otherwise continues.
Step c 3: access Unit R computationBy usingAndcalculating to obtain a root ', comparing whether the root' is equal to a locally stored root or not, and verifying the authenticity of the identity of the intelligent terminal V; if the two values are equal, the access unit R considers the intelligent terminal V as a legal device and the protocol is positiveAnd (5) ending the process.
Example (b):
first, system initialization
Intelligent terminal V possesses pseudo-identity identifier PIDVSharing secret SVAnd local data set(l∈N*) (ii) a The access unit R maintains a secret mapping table which maps the shared secret S of each intelligent terminal VVPseudo-identity identifier PID mapped to corresponding intelligent terminal VVAnd a pre-shared key kv;kvThe key of the HMAC function used for authentication between the intelligent terminal V and the access unit R is also the encryption key of the subsequent session; before starting authentication, the intelligent terminal V also needs to pass through a trusted third partyThe generated certificate is pre-shared to the access unit R.
Intelligent terminal V possesses pseudo-identity identifier PIDVSharing secret SVAnd local data setThe access unit R maintains a secret mapping table which is used for sharing the secret S of each intelligent terminal VVPseudo-identity identifier PID mapped to corresponding intelligent terminal VVAnd a pre-shared key kv;kvThe key of the HMAC function used for authentication between the intelligent terminal V and the access unit R is also the encryption key of the subsequent session; before starting authentication, the intelligent terminal V also needs to pass through a trusted third partyThe generated certificate is pre-shared to the access unit R.
The certificate generation and pre-sharing process is as follows:
the intelligent terminal V firstly utilizes a pseudo-random function generator to generate a group of pseudo-random numbersReuse ofFor local data setPerforming random processing, and calculating to obtain temporary data set
the intelligent terminal V obtains a group of values by utilizing the one-way Hash function calculation
Intelligent terminal V will(note as)、(note as) To a trusted third party (e.g. certificate authority) that is trustedSquare detectionThe value of (d) ensures one-to-one correspondence; in order to reduce the storage space required for storing the certificate, a selection leakage mechanism needs to be implemented by means of a huffman tree with hash values as nodes. This selective leakage authentication scheme constructs a huffman tree considering the probability (requiring advanced statistics) that each attribute is presented as a weight, and the depth of attribute nodes with high probability in the tree is smaller than nodes with low probability, which makes the scheme more efficient than the selective leakage authentication scheme based on the Merkle tree in most cases.
Trusted third party usageAnd as leaf nodes, constructing a Huffman tree according to the corresponding weight of each node. Calculating hash values F of non-leaf nodesnode=H(child1||child2),child1And child2Respectively representing the values of the left and right child nodes of a certain non-leaf node, and | l represents cascade connection. All node values of the Huffman tree can be obtained through the calculation, and the value of the root node is marked as root.
In order to explain the construction of the Huffman tree and the use of the Huffman tree in authentication in detail, a road vehicle limit behavior scene is explained. It is assumed that a certain road section is restricted according to the license plate attribution and the vehicle type, and only cars or buses with local license plates are allowed to pass. Assuming that the six attributes of the identity, the license plate, the type, the brand, the color and the service life of a certain vehicle driver are shown as 21, 31, 9, 10, 6 and 5 in sequence, and obtaining the attribute through random processing and HashThe hash tree constructed according to the weight values is as shown in fig. 3.
The hash value of each non-leaf node is:
and then, the trusted third party sends the hash value root to the access unit R and sends the whole Huffman tree to the intelligent terminal V.
Second, authentication process
The security authentication method for the intelligent terminal comprises the following steps:
the intelligent terminal V utilizes a pseudo-random function generator to generate pseudo-random number r'VExtracting local SV(ii) a R 'of intelligent terminal V'V||SVSending the request to an access unit R as an access request and opening a new session period;
when access unit R receives R'V||SVThereafter, a pseudo random number r is generated using a pseudo random function generatorRAccording to SVExtracting corresponding pseudo ID PID from the secret mapping table stored locallyVAnd kvCalculating to obtain MRAnd concatenates the messages rR||MRReturning to P as a response;
when the intelligent terminal V receives rR||MRThereafter, local PID is extractedVAnd kvCalculated using them By comparing received MRAnd M'RThe identity authenticity of the access unit R is verified; if the two values are equal, the intelligent terminal V considers that the access unit R is a legal device, and the protocol continues; otherwise, the protocol is terminated;
the intelligent terminal V selects a part of temporary data set to be sharedAndremaining data set flagCan be directly found in a Huffman treeAndcorresponding leaf nodeAndall are contained inMedium node, noneRoot node set of subtree of middle nodes(i ∈ {1, 2.., k }), and then fromElecting a parent node not belonging toThe nodes of (2) form a set(i ∈ {1, 2.., s }). According to Huffman tree, usingAndthe root node value root of the huffman tree can be calculated. LookupCan be implemented by a recursion and a traversal.
The recursive function mark (node) performs the following procedure:
(1) if the node is a leaf node, executing:
(2) if the node is not a leaf node, performing:
mark (c) is executed first1) And mark (c)2),c1And c2Is a child node of the node; and then judging c1And c2If the nodes are marked, marking the nodes, and otherwise returning.
The traversal function search (node) performs the following:
(1) if the node is a leaf node, executing:
(2) if the node is not a leaf node, performing:
if the node is marked, the node is addedOtherwise, execute search (c)1) And search (c)2),c1And c2Are child nodes of the node.
When access unit R receives RR、And MVLike calculation first Comparison MVAnd M'V(ii) a If not, the protocol terminates, otherwise continues. Access Unit R computationAnd by usingAndcalculating to obtain a root ', comparing whether the root' is equal to a locally stored root or not, and verifying the authenticity of the identity of the intelligent terminal V; if the two values are equal, the access unit R considers that the intelligent terminal V is a legal device, and the protocol is normally ended.
Still taking the vehicle restriction scene used in pre-sharing as an example, the intelligent terminal V is finally released And AV||CVAnd step 4, the access unit R is calculated as follows:
and finally comparing the root' with the root to authenticate the validity of the intelligent terminal V.
The above description is only a preferred embodiment of the present invention, and does not limit the present invention in any way. It will be understood by those skilled in the art that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (6)
1. An intelligent terminal access authentication method based on selective disclosure is characterized by comprising an intelligent terminal V, an access unit R and a trusted third party, wherein the intelligent terminal V has a pseudo-identity identifier PIDVSharing secret SVAnd local data setThe access unit R maintains a secret mapping table, and the secret mapping table is used for mapping the shared secret S of each intelligent terminal VVPseudo-identity identifier PID mapped to corresponding intelligent terminal VVAnd a pre-shared key kv;kvThe key of the HMAC function used for authentication between the intelligent terminal V and the access unit R is also the encryption key of the subsequent session; the intelligent terminal V also needs to be connected with a trusted third partyThe generated certificate is pre-shared to an access unit R; the method comprises the following steps:
the method comprises the following steps: the intelligent terminal V pre-shares the certificate containing the hash value root through the trusted third direction access unit R;
step two: the intelligent terminal V uses the random number and the secret value mapping to finish the authentication of the identity validity of the access unit R;
step three: and selectively revealing the information of the intelligent terminal V by means of the Huffman tree, and realizing the authentication of the identity legitimacy of the intelligent terminal V by the access unit R.
2. The access authentication method for the intelligent terminal based on the selective leakage, according to claim 1, wherein the pre-sharing the certificate containing the hash value root by the intelligent terminal V through the trusted third party access unit R, comprises the following steps:
step a 1: the intelligent terminal V utilizes a pseudo-random function generator to generate a group of pseudo-random numbersReuse ofFor local data setRecord asPerforming random processing, and calculating to obtain temporary data set
step a 2: the intelligent terminal V obtains a group of values by utilizing the one-way Hash function calculation
Step a 3: intelligent terminal V willRecord asWill beRecord asSending the information to a trusted third party;
step a 5: the trusted third party takes the probability of each attribute being shown as a weight to construct a Huffman tree, and uses the probabilityAs leaf nodes, constructing a Huffman tree according to the corresponding weight of each node; calculating hash values F of non-leaf nodesnode=H(child1||child2),child1And child2Respectively representing the values of left and right child nodes of a certain non-leaf node, | | | represents cascade connection; all node values of the Huffman tree can be obtained through the calculation, and the value of the root node is marked as root;
step a 6: and the trusted third party sends the hash value root to the access unit R and sends the whole Huffman tree to the intelligent terminal V.
3. The intelligent terminal access authentication method based on selective leakage, according to claim 1, wherein the intelligent terminal V uses random number and secret value mapping to complete authentication of the identity validity of the access unit R, comprising the following steps:
step b 1: the intelligent terminal V utilizes a pseudo-random function generator to generate pseudo-random number r'VExtracting local SV(ii) a R 'of intelligent terminal V'V||SVSending the request to an access unit R as an access request and opening a new session period;
step b 2: when access unit R receives R'V||SVThereafter, a pseudo random number r is generated using a pseudo random function generatorRAccording to SVExtracting corresponding pseudo ID PID from the secret mapping table stored locallyVAnd kvCalculating to obtain MRAnd concatenates the messages rR||MRReturning to P as a response;
step b 3: when the intelligent terminal V receives rR||MRThereafter, local PID is extractedVAnd kvIs obtained by calculation By comparing received MRAnd M'RThe identity authenticity of the access unit R is verified; if the two values are equal, the intelligent terminal V considers that the access unit R is a legal device, and the protocol continues; otherwise the protocol terminates.
4. The intelligent terminal access authentication method based on selective leakage according to claim 1, wherein the authentication of the identity validity of the intelligent terminal V by the access unit R is realized by selectively leaking information of the intelligent terminal V through a huffman tree, comprising the following steps:
step c 1: the intelligent terminal V selects a part of temporary data set to be sharedWherein i ∈ {1, 2,..., m }; remaining data set flagWherein i ∈ {1, 2., n }, which can be directly found in a Huffman treeAndcorresponding leaf nodeWhere i ∈ {1, 2.,. m } andwhere i ∈ {1, 2., n }, it is said to include all butMedium node, noneRoot node set of subtree of middle nodesWhere i ∈ {1, 2.., k }, and then fromFinding parent node not belonging toThe nodes of (2) form a setWhere i ∈ {1, 2.,. s }, according to a Huffman tree, utilizingAndcalculating to obtain a root node value root of the Huffman tree; intelligent terminal V calculationAnd MVAnd r isR、MVAndsending to an access unit R;
step c 2: when access unit R receives RR、MVAndfirst calculateComparison MVAnd M'V(ii) a If not, the protocol is terminated, otherwise, the process continues;
step c 3: access Unit R computationBy usingAndcalculating to obtain a root ', comparing whether the root' is equal to a locally stored root or not, and verifying the authenticity of the identity of the intelligent terminal V; if the two values are equal, the access unit R considers that the intelligent terminal V is a legal device, and the protocol is normally ended.
5. The intelligent terminal access authentication method based on selective leakage of claim 1, wherein the search is performed by a recursive function mark (node)The process of (2), comprising:
(1) if the node is a leaf node, executing:
(2) if the node is not a leaf node, performing:
mark (c) is executed first1) And mark (c)2),c1And c2Is a child node of the node; and then judging c1And c2If the nodes are marked, marking the nodes, and otherwise returning.
6. The selective leakage-based intelligent terminal access authentication method as claimed in claim 1, wherein the search is performed by traversing a function search (node) onceThe process of (2), comprising:
(1) if the node is a leaf node, executing:
(2) if the node is not a leaf node, performing:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811585180.9A CN109474438B (en) | 2018-12-24 | 2018-12-24 | Intelligent terminal access authentication method based on selective leakage |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811585180.9A CN109474438B (en) | 2018-12-24 | 2018-12-24 | Intelligent terminal access authentication method based on selective leakage |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109474438A CN109474438A (en) | 2019-03-15 |
CN109474438B true CN109474438B (en) | 2021-08-17 |
Family
ID=65677679
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811585180.9A Expired - Fee Related CN109474438B (en) | 2018-12-24 | 2018-12-24 | Intelligent terminal access authentication method based on selective leakage |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109474438B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112307519B (en) * | 2020-10-23 | 2022-06-17 | 复旦大学 | Hierarchical verifiable query system based on selective leakage |
CN112887981B (en) * | 2021-01-12 | 2022-10-04 | 国网电力科学研究院有限公司 | Authentication method and system for power wireless private network terminal access |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105323074A (en) * | 2015-11-17 | 2016-02-10 | 西安电子科技大学 | Trusted verification method for geographic position of terminal equipment |
CN105553981A (en) * | 2015-12-18 | 2016-05-04 | 成都三零瑞通移动通信有限公司 | Rapid authentication and key negotiation method for WLAN |
CN105871869A (en) * | 2016-04-28 | 2016-08-17 | 湖南科技学院 | Anonymous bidirectional authentication method in mobile social network based on single hash function and false identity |
CN106790278A (en) * | 2017-02-21 | 2017-05-31 | 中国信息安全测评中心 | A kind of mutual authentication method and communication system |
CN107919956A (en) * | 2018-01-04 | 2018-04-17 | 重庆邮电大学 | End-to-end method for protecting under a kind of internet of things oriented cloud environment |
-
2018
- 2018-12-24 CN CN201811585180.9A patent/CN109474438B/en not_active Expired - Fee Related
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105323074A (en) * | 2015-11-17 | 2016-02-10 | 西安电子科技大学 | Trusted verification method for geographic position of terminal equipment |
CN105553981A (en) * | 2015-12-18 | 2016-05-04 | 成都三零瑞通移动通信有限公司 | Rapid authentication and key negotiation method for WLAN |
CN105871869A (en) * | 2016-04-28 | 2016-08-17 | 湖南科技学院 | Anonymous bidirectional authentication method in mobile social network based on single hash function and false identity |
CN106790278A (en) * | 2017-02-21 | 2017-05-31 | 中国信息安全测评中心 | A kind of mutual authentication method and communication system |
CN107919956A (en) * | 2018-01-04 | 2018-04-17 | 重庆邮电大学 | End-to-end method for protecting under a kind of internet of things oriented cloud environment |
Also Published As
Publication number | Publication date |
---|---|
CN109474438A (en) | 2019-03-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108964919B (en) | Lightweight anonymous authentication method with privacy protection based on Internet of vehicles | |
Kumari et al. | An enhanced and secure trust‐extended authentication mechanism for vehicular ad‐hoc networks | |
Zhang et al. | A privacy-aware PUFs-based multiserver authentication protocol in cloud-edge IoT systems using blockchain | |
CN105873031B (en) | Distributed unmanned plane cryptographic key negotiation method based on credible platform | |
CN113256290A (en) | Decentralized encrypted communication and transaction system | |
Liu et al. | Bua: A blockchain-based unlinkable authentication in vanets | |
Wu et al. | A provably secure authentication and key exchange protocol in vehicular ad hoc networks | |
Rasheed et al. | Adaptive group-based zero knowledge proof-authentication protocol in vehicular ad hoc networks | |
Adil et al. | Three byte-based mutual authentication scheme for autonomous Internet of Vehicles | |
Dharminder et al. | LCPPA: Lattice‐based conditional privacy preserving authentication in vehicular communication | |
CN113452764B (en) | SM 9-based vehicle networking V2I bidirectional authentication method | |
He et al. | An accountable, privacy-preserving, and efficient authentication framework for wireless access networks | |
Patel et al. | Vehiclechain: Blockchain-based vehicular data transmission scheme for smart city | |
Lee et al. | An efficient multiple session key establishment scheme for VANET group integration | |
Zhang et al. | A Novel Privacy‐Preserving Authentication Protocol Using Bilinear Pairings for the VANET Environment | |
CN109474438B (en) | Intelligent terminal access authentication method based on selective leakage | |
CN115580488A (en) | Vehicle-mounted network message authentication method based on block chain and physical unclonable function | |
CN110572392A (en) | Identity authentication method based on HyperLegger network | |
US11240661B2 (en) | Secure simultaneous authentication of equals anti-clogging mechanism | |
Gao et al. | An Anonymous Access Authentication Scheme Based on Proxy Ring Signature for CPS‐WMNs | |
Sharma et al. | Secure authentication and session key management scheme for Internet of Vehicles | |
Yao et al. | An anonymous authentication scheme in data-link layer for VANETs | |
Gao et al. | Bc-aka: Blockchain based asymmetric authentication and key agreement protocol for distributed 5g core network | |
CN112887979A (en) | Network access method and related equipment | |
CN114071463B (en) | Batch authentication method of vehicle-mounted self-organizing network based on bilinear mapping |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20210817 |