CN109963282A - Privacy-preserving access control method in IP-enabled wireless sensor networks - Google Patents


Info

Publication number: CN109963282A
Authority: CN (China)
Prior art keywords: user, access control, group, control server, key
Legal status: Granted
Application number: CN201910245853.4A
Other languages: Chinese (zh)
Other versions: CN109963282B (en)
Inventors: 刘发贵, 唐阳雨
Current Assignee: South China University of Technology SCUT
Original Assignee: South China University of Technology SCUT
Events: application filed by South China University of Technology SCUT; priority to CN201910245853.4A; publication of CN109963282A; application granted and published as CN109963282B; legal status active.

Classifications

    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA] (H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
    • H04W 12/06 Authentication (H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks (H04W 84/00 Network topologies)

Abstract

The invention discloses a privacy-preserving access control method for IP-enabled wireless sensor networks. Using group signature technology, the method divides the system users into different user groups according to their access rights; a group member authenticates anonymously with a group signature, so that the privacy of user data access is preserved and user behaviour patterns are not leaked. Anyone in the network can verify that a group signature is correct, but nobody can learn the identity of the signer. A fake ticket mechanism and a self-renewing ticket mechanism improve the authentication and authorization processes of the Hidra protocol and guarantee the unlinkability of protocol messages. The group public key is managed with blockchain technology, which makes key management and the user revocation process of the Hidra protocol more flexible. The accountability mechanism is also improved with blockchain technology, so that the accountability process is open and transparent and possible accountability disputes are resolved.

Description

Privacy-preserving access control method in IP-enabled wireless sensor networks
Technical field
The invention belongs to the field of Internet of Things security, and more particularly to a privacy-preserving access control method in IP-enabled wireless sensor networks.
Background technique
In recent years the development of the 6LoWPAN standard has removed the obstacles to a native combination of sensors and the Internet, made true end-to-end communication between Internet users and sensor nodes possible and promoted the application of sensor networks. At the same time it has introduced new security risks: because nodes are globally addressable, an attacker on the Internet can reach sensor nodes far more easily. Wireless sensor networks are inherently fragile (limited device resources, complex deployment environments, etc.), which makes them both the target of many security attacks and a tool with which attackers launch attacks (for example, Mirai built a botnet of hundreds of thousands of IoT devices and launched massive resource-exhaustion attacks against KrebsOnSecurity and others). Access to node data must therefore be strictly controlled. A basic access control solution consists of at least three components: authentication, authorization and audit. Authentication and authorization mean that the user must present identity-related information to the target service, which in turn raises a new security problem: the privacy of user data access. A user's access behaviour becomes a target of data collection from which the user's behaviour patterns and preferences can be inferred, threatening the user's privacy. To secure access to a wireless sensor network, access to node data must therefore be strictly controlled without revealing user privacy.
Implementing a traditional access control scheme in a wireless sensor network faces two main problems. 1) Sensor resource constraints: sensors are strictly limited in computing capability, storage capacity and the transmission overhead they can carry, so complex security mechanisms cannot be used. 2) Privacy leakage: a user's access behaviour towards a sensor service may be closely related to private information such as social activity and preferences. Implementing access control requires the user to provide information such as its identity for authentication. A potential malicious eavesdropper can collect and analyse user identities and data access records, obtain further private information about the user and thereby pose a security threat to the user.
Current privacy-preserving access control methods are broadly of two types. The first hides the user's real identity by introducing cryptographic mechanisms (such as group signatures or ring signatures); in these methods user privacy generally rests on a hardness problem and is therefore strong, but the methods take little account of feasibility on constrained devices. The second implements access control through a fully trusted third party that stores a mapping table between the real identities and pseudonyms of users, so that a user authenticates to and is authorized by the third party by sending a pseudonym when accessing data. This class entrusts user privacy entirely to the third party: once the third party is attacked and leaks data, the data access privacy of all users is compromised. Blind trust in the third party may have even more serious consequences, for instance if the third party sells the users' data access records or hands them to government agencies, in which case the users' access trends, privacy and preferences are all under surveillance.
Summary of the invention
The purpose of the present invention is to provide a privacy-preserving access control method in IP-enabled wireless sensor networks that solves the privacy problem of access control in such networks.
The purpose of the present invention is achieved by at least one of the following technical solutions.
The framework of the method comprises the system users, a blockchain network, a target sensor node and, as third parties, an access control server (ACS) and a law authority (LA). To ensure the access privacy of users, the system users are divided into different groups according to their access control rights, and group members authenticate with group signatures. In the system set-up stage the access control server and the law authority cooperate to generate the group keys; the group public key is published by the access control server on the blockchain, so that the public key is managed by the blockchain platform. A new user obtains the corresponding group public key from the blockchain and performs the group join operation.
The privacy-preserving access control method provided by the invention is applied to IP-enabled wireless sensor networks. Access control is based on the Hidra protocol, which guarantees feasibility in resource-constrained environments. Group signature technology divides the users into different user groups according to their access rights; a group member produces a group signature for authentication, and anyone in the network can verify its correctness without learning the identity of the signer. A fake ticket mechanism and a self-renewing ticket mechanism improve the authentication and authorization processes of the Hidra protocol and guarantee the unlinkability of protocol messages. Blockchain technology manages the group public key, making key management and the user revocation process of the Hidra protocol more flexible, and improves the accountability mechanism, making the accountability process open and transparent and resolving possible accountability disputes.
Further, the method splits the opening key of the group signature into two parts, generated and held by two different arbitration authorities: the access control server and the law authority. Neither arbitration authority can open a group signature alone; only when a user commits an illegal act and the accountability process must be started can the two holders of the opening key parts cooperate to open the group signature and disclose the identity of the signer.
Further, the Hidra protocol is improved with a self-renewing ticket mechanism: the access control server encrypts the Ticket Granting Ticket (TGT) contained in the user's authorization request message and sends it back to the requesting user, who uses the renewed ticket as the credential for the next authorization request; this guarantees the unlinkability of two successive authorization processes. The Hidra protocol is also improved with a fake ticket mechanism: the access control server fills the original resource ticket field with invalid data and carries the real resource ticket in a new field that guarantees integrity and confidentiality; this guarantees the unlinkability of the authorization process and the secure access process.
Further, the group signature public key is managed on the blockchain: the access control server publishes the generated group public key information on the blockchain. When a user in a group must be revoked, there is no need to broadcast the revocation information and the updated public key to the unrevoked users; instead the access control server publishes a revocation transaction containing the revocation information to the blockchain network and updates the group public key on the chain.
Further, the method comprises the following execution process:
1) System start: the law authority and the access control server generate a group public key for each user group;
2) New user join: the new user generates a member private key, registers at the access control server and obtains a group membership certificate;
3) Authentication stage: the user generates a group signature and authenticates at the access control server, which can only verify whether the user belongs to the claimed group, not which member of the group it is;
4) Authorization stage: with the credential obtained in the authentication stage, the user requests a resource ticket from the access control server, which issues it;
5) Secure access and audit stage: the user accesses the target sensor with the resource ticket obtained in the authorization stage; the sensor generates a log for each secure connection and sends it to the access control server for audit;
6) User revocation: when a user's life cycle ends or the user misbehaves, the user's group membership must be revoked; the access control server updates the group public key and publishes a revocation transaction on the blockchain;
7) Accountability and dispute settlement stage: when a user commits an illegal act that violates the access policy, the law authority and the access control server, acting as arbitration authorities, cooperate through the blockchain platform and use the partial opening keys they each hold to open the identity of the signer.
Within the access control server, the group management operations (group key generation, user join and revocation) are all performed by the group management server (GMS). Authentication and issuance of the Ticket Granting Ticket are the responsibility of the authentication server (AS). In the authorization stage the authentication server extracts the group signature from the request message and hands it to the group signature verifier (GSV) for verification; the verifier returns the result to the authentication server. The ticket granting server (TGS) is responsible for authorization and issues resource tickets. The accountability manager (ACM) performs the audit and accountability operations.
The invention is based on the Hidra access control protocol, an enhanced version of Kerberos, and combines it with group signature technology to guarantee the anonymity of the user during protocol authentication and the unlinkability of protocol messages. In addition the method combines blockchain technology to improve the traditional accountability mechanism, making the accountability process open and transparent and resolving possible disputes.
Detailed description of the invention
Fig. 1 is the framework diagram of the privacy-preserving access control method in an IP-enabled wireless sensor network in the embodiment.
Fig. 2 is the protocol flow chart in the embodiment.
Fig. 3 is the accountability mechanism flow chart in the embodiment.
Specific embodiment
The specific implementation of the invention is further described below with reference to the drawings and embodiments, but the implementation and protection of the invention are not limited thereto; where a process or symbol below is not described in detail, those skilled in the art can realise or understand it with reference to the prior art.
As shown in Fig. 1, the specific implementation steps of a privacy-preserving access control method in an IP-enabled wireless sensor network are as follows.
Symbol description:
U: a registered user of the wireless sensor network, with the right to access specific sensor nodes in the network
IK: issuing key; with it the access control server issues group membership certificates to registered users
OK: opening key; it consists of two parts {ξ1, ξ2}, generated by the access control server and the law authority respectively
e_X: the elliptic curve Diffie-Hellman (ECDH) private key of entity X (access control server, user, etc.); for example, the ECDH private key of user U is e_U
E_X: the ECDH public key of entity X (access control server, user, etc.)
gsk: group private key
gpk: group public key
UK: user key, generated and kept by the registered user and used to produce group signatures for authentication
UCert: group membership certificate
Cert: personal identity certificate of the registered user
upk: public key corresponding to the personal identity certificate of the registered user
usk: private key corresponding to the personal identity certificate of the registered user
ACS: access control server
AS: the authentication server within the access control server
TGS: the ticket granting server within the access control server
σ: the group signature generated by the registered user
GID_j: group identifier of the j-th user group
BCAddr_X: blockchain address of entity X (access control server, user, etc.)
ESK_{X,Y}: ECDH-based temporary session key between entities X and Y (access control server, user, etc.)
K_{X,Y}: shared key between entities X and Y (access control server, user, etc.)
K_X: shared key between entity X (e.g. a user) and the access control server
The i-th value of a one-way key chain, used to prove the freshness of the messages exchanged between entities X and Y (the symbol itself is not legible in the source)
Subkey: session key between the user and the sensor node.
Step 1: System start
The access control server generates for each user group a group public key, a partial opening key and an elliptic curve Diffie-Hellman (ECDH) key pair (E_ACS, e_ACS). The ECDH public key E_ACS is published as part of the group public key: the access control server calls a smart contract that stores the group public key on the blockchain. Because the access control server cannot know the real identity of a requesting user during access control, it cannot pre-share a session key with each user; the method therefore establishes the temporary session key ESK_{U,ACS} between the access control server and the requesting user with an ECDH-based key agreement algorithm.
Specifically, the access control server proceeds as follows:
1) Three bilinear groups of prime order p are given; G1 and K are two independent generators and G2 is a generator; ψ is a one-way isomorphism between the groups with ψ(G2) = G2, and an efficient bilinear map is defined on them.
2) Select an RSA modulus n and an element g of maximal order.
3) Generate the Diffie-Hellman key IK, called the issuing key, which is used to issue group membership certificates and user member keys, and compute the corresponding public key of IK.
4) Generate the partial opening key ξ1 and compute its corresponding public key H = K^ξ1.
5) Select a random number e_ACS as ECDH private key and compute the ECDH public key E_ACS = e_ACS × K.
The law authority performs the following:
1) Generate the partial opening key ξ2 and compute the corresponding public key G = K^ξ2.
2) Send G to the access control server.
After this stage the group public key gpk and the group private key gsk (comprising the issuing key IK, the opening key OK and the ECDH private key e_ACS) have been generated. Specifically:
——
—— gsk = {IK, OK, e_ACS}
—— OK = {ξ1, ξ2}
Once the public key has been generated, the access control server calls the smart contract to store it on the blockchain.
Step 2: New user join
Before applying to join a user group, a new user U must register with its real identity; it is assumed here that each user U already holds a personal authentication public key and private key (upk, usk). When applying to join a user group, the user must prove to the access control server that it is a registered legitimate user in order to obtain its group membership certificate and user key. The process is as follows:
1) Obtain the group public key from the blockchain.
2) Select the user key UK and compute C = H^UK.
3) Compute the extractable commitment c = g^UK.
4) Generate the zero-knowledge proof NIZKPEqDL: select a random number r ∈_R (Z/nZ), compute R1 = g^r mod n², R2 = H^r, h = Hash(g, n², c, C, H, R1, R2) and s = r − h·UK.
5) Send {C, c, h, s} to the access control server over a secure channel.
NIZKPEqDL in step 4 is a zero-knowledge proof, and the extractable commitment in step 3 is a proof of knowledge that user U knows the user key UK.
After receiving the message, the access control server performs the following:
1) Verify the zero-knowledge proof NIZKPEqDL: compute R1 = g^s·c^h mod n², R2 = H^s·C^h and check whether the challenge value h is correct. If the verification succeeds, generate the credential UCert for user U; otherwise terminate.
2) Select x and compute A = (G1·C)^{1/(IK+x)}. The group membership certificate of user U is UCert = (A, x).
3) Compute B = e(G1·C, G2)/e(A, W), D = e(A, G2), T1 = B^IK and T2 = D^IK. Generate NIZKPoKDL(B, D): select a random r and compute the temporary variable s = r − c·x.
4) Send {A, T, s} to user U over a secure channel, where A is the left part of the group membership certificate.
NIZKPoKDL(B, D) is a zero-knowledge proof of the discrete logarithm of B with respect to D.
After receiving the message, user U performs the following:
1) Compute B = e(G1·C, G2)/e(A, W) and D = e(A, G2);
2) If the challenge value h is correct, sign A with the personal private key usk, producing the digital signature S = Sign_usk(A), and send the pair (Cert, S) to the access control server.
The access control server verifies the validity of Cert and extracts from the digital signature S the signed left part A′ of the group membership certificate. If the certificate Cert is valid and A′ = A, the access control server registers user U in its database and sends the right part x of the group membership certificate to user U over a secure channel. User U stores the group membership certificate {UCert(A, x), UK}.
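The join proof of items 4 and 1 above, worked through as an added example (this is not code from the patent): the user proves that the commitments C = H^UK and c = g^UK mod n² share the same secret exponent UK, and the access control server verifies {C, c, h, s} by recomputing R1 and R2. Assumptions: the bilinear group G1 is modelled by a prime-order subgroup of Z_p^*, Hash is SHA-256 over the decimal encodings of its inputs, and all parameter sizes are demo-sized.

```python
"""Added example: the NIZKPEqDL join proof of step 2 (items 2-5 on the user
side, item 1 on the server side). Not the patent's code; G1 is modelled as a
prime-order subgroup of Z_p^* and all sizes are demo-sized."""
import hashlib
import math
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (sufficient for demo parameters)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime with exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def setup(q_bits=128, p_bits=512, rsa_bits=256):
    """Server side of step 1, reduced to what the join proof needs: a subgroup <K>
    of Z_p^* of prime order q, the partial opening key xi1 with public key H = K^xi1,
    an RSA modulus n and an element g of Z_{n^2}^* (the patent: maximal order)."""
    q = gen_prime(q_bits)
    while True:                      # p = k*q + 1 prime, with k even
        k = 2 * (secrets.randbits(p_bits - q_bits - 1) | (1 << (p_bits - q_bits - 2)))
        p = k * q + 1
        if is_probable_prime(p):
            break
    while True:                      # K = x^k has order q unless it equals 1
        K = pow(secrets.randbelow(p - 2) + 2, k, p)
        if K != 1:
            break
    xi1 = secrets.randbelow(q - 1) + 1
    H = pow(K, xi1, p)
    n = gen_prime(rsa_bits // 2) * gen_prime(rsa_bits // 2)
    while True:                      # random unit of Z_{n^2}^*
        g = secrets.randbelow(n * n - 2) + 2
        if math.gcd(g, n) == 1:
            break
    return {"p": p, "q": q, "K": K, "H": H, "n": n, "n2": n * n, "g": g}


def challenge(*values):
    """h = Hash(g, n^2, c, C, H, R1, R2): SHA-256 over decimal encodings, read as an integer."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove_eq_dl(params, UK):
    """User side (items 2-5): commitments C = H^UK, c = g^UK mod n^2 and the proof {C, c, h, s}."""
    p, H, n2, g = params["p"], params["H"], params["n2"], params["g"]
    C = pow(H, UK, p)
    c = pow(g, UK, n2)
    # r is drawn from a range far wider than h*UK so that the integer s = r - h*UK hides UK
    r = secrets.randbits(UK.bit_length() + 256 + 80)
    R1 = pow(g, r, n2)
    R2 = pow(H, r, p)
    h = challenge(g, n2, c, C, H, R1, R2)
    return {"C": C, "c": c, "h": h, "s": r - h * UK}


def verify_eq_dl(params, proof):
    """Server side (item 1): recompute R1 = g^s c^h mod n^2 and R2 = H^s C^h, then check h.
    Because s is an integer, the identity holds in both groups whatever their orders."""
    p, H, n2, g = params["p"], params["H"], params["n2"], params["g"]
    C, c, h, s = proof["C"], proof["c"], proof["h"], proof["s"]
    if not (1 < C < p and 1 < c < n2 and math.gcd(c, n2) == 1):
        return False
    R1 = pow(g, s, n2) * pow(c, h, n2) % n2   # negative s -> modular inverse (Python >= 3.8)
    R2 = pow(H, s, p) * pow(C, h, p) % p
    return h == challenge(g, n2, c, C, H, R1, R2)


def demo():
    """Run the exchange once; returns (honest proof accepted, proof for a different C rejected)."""
    params = setup()
    UK = secrets.randbelow(params["q"] - 1) + 1
    proof = prove_eq_dl(params, UK)
    forged = dict(proof, C=pow(params["H"], UK + 1, params["p"]))
    return verify_eq_dl(params, proof), verify_eq_dl(params, forged)


if __name__ == "__main__":
    print(demo())
```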
Step 3: Authentication stage
In the authentication stage the user produces a group signature with its user key in order to authenticate to the access control server, which can only check whether the requester is a member of the corresponding group, not which user it is. If this check succeeds, the authentication server issues a Ticket Granting Ticket (TGT) to the requester through the blockchain. The operations of this stage are as follows (the subscript n on a symbol only distinguishes it from the temporary variables used in the previous stage):
The user side performs the following steps:
1) The user generates a one-time blockchain address BCAddr_U, selects a random number e_U as the ECDH private key of user U (the subscript U denotes user-side parameters) and computes the corresponding public key E_U = e_U × K (K is the public parameter generated in step 1). The user then generates the request message M_n, which contains the group identifier GID_j of the j-th user group, the identifier ID_TGS of the ticket granting server (TGS) in the access control server, the lifetime Lifetime of the Ticket Granting Ticket, the one-time blockchain address BCAddr_U of user U and E_U, used to establish the temporary session key with the access control server.
2) Randomly choose α_n and β_n and compute T1,n, T2,n and T3,n.
3) Generate the proof for {α_n, β_n, UCert}: randomly select r_α,n, r_β,n, r_x,n, r_y,n and r_z,n (the subscripts α, β, x, y, z only distinguish the random numbers, and n distinguishes them from the temporary variables of the set-up stage); compute c_n = Hash(M_n, T1,n, T2,n, T3,n, R1,n, R2,n, R3,n); then compute
s_α,n = r_α,n + c_n·α_n mod p, s_β,n = r_β,n + c_n·β_n mod p, s_x,n = r_x,n + c_n·x mod p, s_y,n = r_y,n + c_n·y_n mod p and s_z,n = r_z,n + c_n·z_n mod p, where y_n = x·β_n mod p and z_n = x·α_n + UK mod p.
4) Generate the group signature σ = (T1,n, T2,n, T3,n, c_n, s_α,n, s_β,n, s_x,n, s_y,n, s_z,n).
5) From the randomly chosen one-time blockchain address, pack the request message into a transaction and send it to the blockchain address of the access control server.
The authentication server in the access control server monitors all transactions sent to its blockchain address, extracts the group signature σ_n from them and passes it to the group signature verifier (GSV), which proceeds as follows:
1) Compute the verification values.
2) Verify the signature.
If the verification succeeds, the authentication server generates a temporary identity (ID) for the requester, which is valid only within the lifetime of the Ticket Granting Ticket and is stored by the authentication server in the active connection information database.
The authentication server provides the requester with the Ticket Granting Ticket, the temporary identity and an instance of the key K_{U,TGS} (the session key between user U and the ticket granting server TGS), so that the user can communicate with the TGS. The authentication server encrypts the authentication reply message HID_AS_REP with ESK_{U,ACS} = E_U × e_ACS and transmits the encrypted reply through the blockchain network to the one-time blockchain address of the requester.
Step 4: Authorization stage
At the end of the previous stage user U holds a Ticket Granting Ticket and a temporary identity, and nobody in the whole process, including the authentication server of the access control server, has learned the user's real identity. As shown in Fig. 2, in this stage user U applies for a resource ticket by sending the authorization request message HID_TGS_REQ to the ticket granting server (TGS) of the access control server. To support the unlinkability of service accesses and controlled anonymity, two mechanisms modify the HID_TGS_REP message with which the TGS answers the requester: the self-renewing Ticket Granting Ticket mechanism and the fake ticket mechanism. With the former, a new Ticket Granting Ticket is generated for the requester and embedded in a new field type called PA-SR-TGT (supported by Kerberos v5), which is carried in the PA-PRIV field of the HID_TGS_REP message. With the latter, the original resource ticket field is filled with meaningless data and the real resource ticket is embedded in a new field called PA-TICKET, included in the PA-PRIV field. PA-PRIV provides integrity, confidentiality and protection against replay attacks, so an attacker cannot establish any link between subsequent message exchanges.
Step 5: Secure access and audit stage
After obtaining the resource ticket the user can issue service requests to the constrained device, sending the resource ticket to the device providing the service in message HID_U_R_REQ. If the device verifies that the resource ticket is valid, it concludes that the requester has passed authentication and authorization and answers with message HID_U_S_REP to establish a security association. For further service requests the device checks the policy instance against the requested action in order to match the appropriate rule, thereby enforcing local access control. In the subsequent service-provision process the device and the requester encrypt their transmissions with the session key Subkey carried in message HID_U_R_REQ, guaranteeing end-to-end communication security. In addition, every resource access request triggers message HID_S_IND, which sends an activity log to the access control server; on receipt, the server associates the log with the user's signature through the temporary identity in the message and stores the entry for tracking, record keeping and further audit. After receiving the acknowledgement message HID_S_ACK from the access control server, the device deletes the log buffer to prevent storage overflow.
Step 6: User revocation
When a user's life cycle ends, or the user is revoked because of improper activity, the access control server must update the group public parameters and the certificates of the unrevoked group members. Suppose that user m, holding the membership certificate UCert_m = (A_m, x_m), is to be revoked; the access control server performs the following revocation process:
1) Update the group public key;
2) Call the revocation function of the smart contract and send a revocation transaction containing x_r, which modifies the corresponding group public key on the chain. When an unrevoked user U observes the revocation transaction, it performs the following:
1) Obtain the updated group public key from the chain and update the locally cached group public key;
2) Update the identity certificate according to the updated group public key and the revocation parameter x_r in the revocation transaction;
3) Verify the validity of the updated certificate;
4) Sign the result with the private key usk and send the signed result to the access control server.
After the access control server receives the user's signed updated identity certificate, it:
1) computes the verification values;
2) updates C and A with the new values.
Step 7: Accountability and dispute settlement stage
If a user's behaviour violates the network access policy, the access control server and the law authority cooperate to revoke the anonymity of the group signature and, as shown in Fig. 3, disclose the identity of the signer through blockchain technology in an open and transparent manner.
When a user commits an illegal act, the system must open the user's real identity in order to assign responsibility. The accountability process is as follows:
1) The access control server computes V1 with its own partial opening key ξ1 (see step 3), computes the hash value h(V1), calls the accountability function of the smart contract and publishes h(V1) on the blockchain as a commitment. Likewise, the law authority computes V2 with its own partial opening key ξ2 (see step 3), computes the hash value h(V2), calls the accountability function of the smart contract and publishes h(V2) on the blockchain as a commitment.
2) Once the access control server and the law authority detect that both commitments have been submitted, each calls the smart contract to submit its value, V1 or V2 respectively. The access control server computes the group membership certificate of the signer, A_s = T3,n × V1 × V2 (A_s is the signer's group membership certificate; for T3,n see step 3).
3) The access control server looks up the real identity of the user corresponding to A_s in the user registration database and publishes A_s, the user identity and the user's signature on A_s, Sign_usk(A_s), on the blockchain.
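The commit-then-reveal opening of step 7, as an added example that is not the patent's code: the access control server and the law authority each derive a partial opening value from their half of the opening key, publish hash commitments first, reveal only once both commitments are on the ledger, and the signer's certificate is recovered as A_s = T3 × V1 × V2. Assumptions: the hidden certificate is modelled as a two-key ElGamal-style encryption (T1, T3) = (K^a, A·(H·G)^a) in Z_p^* with the Mersenne prime p = 2^521 − 1 (the patent's bilinear-group formulas for T1..T3 and V1, V2 are not reproduced), and the smart contract is replaced by an in-memory ledger object.

```python
"""Added example: the commit-then-reveal two-party opening of step 7. Not the
patent's code. The hidden certificate is a two-key ElGamal-style encryption
(T1, T3) = (K^a, A*(H*G)^a) over Z_P^* with P = 2^521 - 1, an assumption that
stands in for the patent's bilinear-group construction; the smart contract is
an in-memory Ledger object."""
import hashlib
import secrets

P = 2**521 - 1      # Mersenne prime M521: demo-only group Z_P^*
K = 5               # fixed base element, stands in for the public generator K


def rand_exp():
    return secrets.randbelow(P - 2) + 1


def commitment(value):
    """h(V): SHA-256 of the decimal encoding, the value each party publishes first."""
    return hashlib.sha256(str(value).encode()).hexdigest()


def keygen():
    """Step 1 split: ACS holds xi1 (public H = K^xi1), LA holds xi2 (public G = K^xi2)."""
    xi1, xi2 = rand_exp(), rand_exp()
    return xi1, xi2, pow(K, xi1, P), pow(K, xi2, P)


def hide_certificate(A, H, G):
    """Signer side: blind A under both arbiters' public keys.
    T1 = K^a, T3 = A * (H*G)^a, so that T3 * T1^(-xi1) * T1^(-xi2) = A."""
    a = rand_exp()
    return pow(K, a, P), A * pow(H * G % P, a, P) % P


def partial_open(T1, xi):
    """V_i = T1^(-xi): one arbiter's contribution, useless on its own."""
    return pow(T1, -xi, P)   # negative exponent: modular inverse (Python >= 3.8)


class Ledger:
    """Stand-in for the accountability smart contract: enforces commit before reveal."""

    def __init__(self):
        self.commits, self.reveals = {}, {}

    def commit(self, party, V):
        self.commits[party] = commitment(V)

    def reveal(self, party, V):
        if len(self.commits) < 2:
            raise RuntimeError("both commitments must be on chain before any reveal")
        if commitment(V) != self.commits.get(party):
            raise ValueError(f"{party}: reveal does not match its commitment")
        self.reveals[party] = V

    def open_signer(self, T3):
        """A_s = T3 * V1 * V2, computable by anyone once both reveals are on chain."""
        if len(self.reveals) < 2:
            raise RuntimeError("both partial openings are required")
        A_s = T3
        for V in self.reveals.values():
            A_s = A_s * V % P
        return A_s


def accountability_flow(A):
    """Run the step-7 exchange for a signer whose certificate value is A.
    Returns (recovered A_s == A, early reveal was refused, ACS alone could open)."""
    xi1, xi2, H, G = keygen()
    T1, T3 = hide_certificate(A, H, G)
    V1, V2 = partial_open(T1, xi1), partial_open(T1, xi2)
    ledger = Ledger()
    ledger.commit("ACS", V1)
    try:                                  # LA has not committed yet: the reveal must be refused
        ledger.reveal("ACS", V1)
        early_refused = False
    except RuntimeError:
        early_refused = True
    ledger.commit("LA", V2)
    ledger.reveal("ACS", V1)
    ledger.reveal("LA", V2)
    acs_alone = T3 * V1 % P == A          # one half of the opening key does not recover A
    return ledger.open_signer(T3) == A, early_refused, acs_alone


if __name__ == "__main__":
    print(accountability_flow(123456789))
```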
The above is a preferred embodiment of the present invention, but the scope of protection of the invention is not limited thereto; any change or substitution that can easily be conceived by those skilled in the art within the technical scope disclosed by the invention is covered by its scope of protection. The scope of protection of the invention is therefore defined by the claims.

Claims (5)

1. A privacy-preserving access control method in IP-enabled wireless sensor networks, characterized in that it is applied to IP-enabled wireless sensor networks and access control is based on the Hidra protocol, which guarantees feasibility in resource-constrained environments; group signature technology divides the users into different user groups according to their access rights, a group member produces a group signature for authentication, and anyone in the network can verify the correctness of the group signature without learning the identity of the signer; a fake ticket mechanism and a self-renewing ticket mechanism improve the authentication and authorization processes of the Hidra protocol and guarantee the unlinkability of protocol messages; blockchain technology manages the group public key, making key management and the user revocation process of the Hidra protocol more flexible; and blockchain technology improves the accountability mechanism, making the accountability process open and transparent and resolving possible accountability disputes.
2. the secret protection access control method of the wireless sensor network according to claim 1 supported in IP, special Sign is: the opening key in group ranking is divided into two parts, by two different arbitration organ's access control servers and Legal agency is generated and is saved;Either party arbitration organ can not individually open group ranking, only when there is user illegal row occur When to need to start accountability process, the arbitration organ's cooperation for holding opening key by two could open group ranking and disclose signer Identity.
3. the secret protection access control method of the wireless sensor network according to claim 1 supported in IP, special Sign is: improving Hidra agreement using self-renewing ticket mechanism, access control server encrypts user authorization request message In Ticket Granting Ticket and be sent to request user, user use the updated ticket as authorization requests next time with Card, to guarantee the unlinkability of licensing process twice;Hidra agreement, access control server are improved using false tickets card mechanism It is filled in former resource ticket field using invalid data, and really resource ticket uses a guarantee integrality secret Property newer field carry and transmit, ensure that licensing process and have secure access to the unlinkability of process.
4. the secret protection access control method of the wireless sensor network according to claim 1 supported in IP, special Sign is: managing group ranking public key using block chain, group's public key information of generation is published to block by access control server On chain;When thering is user to need to be revoked in group, without broadcasting revocation information and updated public key to unrepealed user, But it is traded comprising the revocation of revocation information to block chain network by access control server publication, and update the public affairs of the group on chain Key.
5. the secret protection access control method of the wireless sensor network according to claim 1 supported in IP, special Sign is: include following execution process:
1) system starts: legal agency and access control server are each user group generation group public key;
2) new user is added: new user's generation member's private key carries out registration at access control server and obtains group membership's identity card It is bright;
3) the authentication stage;User generates group ranking and carries out authentication, access control service at access control server Device is able to validate only whether user belongs to the group that it is stated, without can know that member in specifically group;
4) authorization stages: the request for credentials access control server that user is obtained using the authentication stage issues resource ticket;
5) secure access and audit phase: the resource ticket access target sensor that user uses authorization stages to obtain, sensor Stage generates log for each secure connection, and is sent to access control server and audits;
6) user cancels: after the life cycle of user or there is malfeasance in user, needs to cancel the group membership of user Qualification;Access control server update group public key, and the publication revocation transaction on block chain;
7) accountability and settling entanglements stage: when there is user the illegal act for violating access strategy occur, legal agency and access Control server is cooperated as arbitration organ by block platform chain, is opened using the key that partially opens respectively held The identity of signer.
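The self-renewing-ticket and fake-ticket mechanisms of claim 3, as an added example that is not the patent's or Hidra's own code. The page gives only the message-level idea: the resource ticket field carries invalid data, the real resource ticket travels in a new integrity- and confidentiality-protected field, and the authorization response carries a re-encrypted Ticket Granting Ticket that the user presents next time. Everything else is assumed: the user holds a 32-byte session key from the authentication stage, the access control server (ACS) shares a key with the sensor, an HMAC-SHA256 encrypt-then-MAC construction stands in for an AEAD such as AES-GCM so the example runs on the standard library alone, and each renewed TGT carries a fresh serial so the ACS can refuse a replayed old ticket (a caveat the page does not discuss).

```python
import hashlib
import hmac
import secrets
import struct


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, used as a cipher stand-in (assumption)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce | ciphertext | tag. A deployment would use an AEAD."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key + b"enc", nonce, len(plaintext))))
    tag = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key + b"enc", nonce, len(ct))))


class AccessControlServer:
    def __init__(self, sensor_key):
        self.sensor_key = sensor_key               # shared with the sensor (assumption)
        self.tgt_key = secrets.token_bytes(32)     # only the ACS can read TGTs
        self.spent = set()                         # serials of TGTs already renewed

    def issue_tgt(self, user_key, group):
        """TGT content: serial | group | user session key, readable by the ACS only."""
        return seal(self.tgt_key, secrets.token_bytes(8) + group + user_key)

    def authorize(self, tgt, resource):
        body = unseal(self.tgt_key, tgt)
        serial, group, user_key = body[:8], body[8:-32], body[-32:]
        if serial in self.spent:
            raise ValueError("TGT already renewed; replay rejected")
        self.spent.add(serial)
        resource_ticket = seal(self.sensor_key, group + b"|" + resource + b"|" + secrets.token_bytes(8))
        return {
            "ticket": secrets.token_bytes(len(resource_ticket)),          # fake ticket field: invalid data
            "protected_ticket": seal(user_key, resource_ticket),         # new field: the real ticket
            "next_tgt": seal(user_key, self.issue_tgt(user_key, group)), # self-renewing TGT
        }


class User:
    def __init__(self, acs, group):
        self.key = secrets.token_bytes(32)          # session key from the authentication stage (assumption)
        self.tgt = acs.issue_tgt(self.key, group)   # first TGT, issued after group-signature authentication

    def request(self, acs, resource):
        reply = acs.authorize(self.tgt, resource)
        self.tgt = unseal(self.key, reply["next_tgt"])   # credential for the next request
        return reply, unseal(self.key, reply["protected_ticket"])


def sensor_check(sensor_key, resource_ticket):
    """The sensor accepts only a ticket sealed under its key."""
    group, resource, _nonce = unseal(sensor_key, resource_ticket).split(b"|", 2)
    return group.decode(), resource.decode()


def demo():
    sensor_key = secrets.token_bytes(32)
    acs = AccessControlServer(sensor_key)
    user = User(acs, b"nurses")                 # constructed group and resource names
    replies, tickets = [], []
    for _ in range(2):                          # two authorizations for the same resource
        reply, ticket = user.request(acs, b"temperature")
        replies.append(reply)
        tickets.append(ticket)
    # Nothing an on-path observer sees repeats between the two authorizations.
    unlinkable = all(replies[0][f] != replies[1][f] for f in replies[0])
    # The fake ticket field does not verify at the sensor.
    try:
        unseal(sensor_key, replies[0]["ticket"])
        fake_rejected = False
    except ValueError:
        fake_rejected = True
    return unlinkable, fake_rejected, [sensor_check(sensor_key, t) for t in tickets]


def replay_is_rejected():
    acs = AccessControlServer(secrets.token_bytes(32))
    user = User(acs, b"nurses")
    old_tgt = user.tgt
    user.request(acs, b"temperature")          # renews the TGT, spending old_tgt
    try:
        acs.authorize(old_tgt, b"temperature")
        return False
    except ValueError:
        return True
```

Two things the page leaves implicit are made explicit here: unlinkability only holds if every field of every message is freshly randomized (a static ticket length or a reused nonce would re-link the sessions), and a renewed ticket must invalidate the one it replaces, otherwise an observer who captured an old TGT could replay it and obtain a second resource ticket.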

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910245853.4A CN109963282B (en) 2019-03-28 2019-03-28 Privacy protection access control method in IP-supported wireless sensor network

Publications (2)

Publication Number Publication Date
CN109963282A true CN109963282A (en) 2019-07-02
CN109963282B CN109963282B (en) 2022-07-26

Family

ID=67025293

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910245853.4A Active CN109963282B (en) 2019-03-28 2019-03-28 Privacy protection access control method in IP-supported wireless sensor network

Country Status (1)

Country Link
CN (1) CN109963282B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20090098933A (en) * 2008-03-15 2009-09-18 고려대학교 산학협력단 Method for protecting location privacy in wireless sensor network, and wireless sensor network system and recording medium using thereof
CN103428692A (en) * 2013-08-07 2013-12-04 华南理工大学 Wireless access network authentication method and wireless access network authentication system capable of holding accountability and protecting privacy
CN107749836A (en) * 2017-09-15 2018-03-02 江苏大学 User oriented secret protection and the mobility aware system and its mobile awareness method of data reliability

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
于斌斌、武欣雨、初剑峰、胡亮 (Yu Binbin, Wu Xinyu, Chu Jianfeng, Hu Liang): "A signature protocol for wireless sensor networks based on group key agreement", Journal of Jilin University (Engineering and Technology Edition) *
赵宝康 (Zhao Baokang): "Research on Key Technologies for Privacy Protection in Wireless Sensor Networks", China Doctoral Dissertations Full-text Database *

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110502931B (en) * 2019-08-15 2021-05-04 广东工业大学 Block chain-based internet arbitration and privacy protection method
CN110502931A (en) * 2019-08-15 2019-11-26 广东工业大学 Block chain-based internet arbitration and privacy protection method
CN110572268A (en) * 2019-09-12 2019-12-13 腾讯科技(深圳)有限公司 anonymous authentication method and device
CN110572268B (en) * 2019-09-12 2021-06-15 腾讯科技(深圳)有限公司 Anonymous authentication method and device
CN110784488B (en) * 2019-11-07 2021-10-19 深圳职业技术学院 Controllable anonymous block chain system
CN110784488A (en) * 2019-11-07 2020-02-11 深圳职业技术学院 Controllable anonymous block chain system
CN111324881A (en) * 2020-02-20 2020-06-23 铭数科技(青岛)有限公司 Data security sharing system and method fusing Kerberos authentication server and block chain
CN112003705A (en) * 2020-08-12 2020-11-27 北京天融信网络安全技术有限公司 Identity authentication method and device based on zero-knowledge proof
CN112003705B (en) * 2020-08-12 2021-06-08 北京天融信网络安全技术有限公司 Identity authentication method and device based on zero-knowledge proof
CN112307116A (en) * 2020-09-17 2021-02-02 北京沃东天骏信息技术有限公司 Data access control method, device and equipment based on block chain
CN112566106A (en) * 2020-12-11 2021-03-26 杭州叙简科技股份有限公司 Multi-network and multi-link equipment authentication method based on 5G
CN112887339A (en) * 2021-04-22 2021-06-01 杭州雅观科技有限公司 Distributed grouping management method of terminal equipment
CN112887339B (en) * 2021-04-22 2021-07-13 杭州雅观科技有限公司 Distributed grouping management method of terminal equipment
CN113127910A (en) * 2021-04-30 2021-07-16 复旦大学 Controllable anonymous voting system based on block chain and decentralization traceable attribute signature
CN113127910B (en) * 2021-04-30 2022-04-12 复旦大学 Controllable anonymous voting system based on block chain and decentralization traceable attribute signature
CN115941232A (en) * 2022-05-31 2023-04-07 福州大学 Efficient anonymous single sign-on system and method based on secret key verification certificate
CN117675412A (en) * 2024-01-31 2024-03-08 中国民用航空总局第二研究所 Data sharing method with strong privacy protection in industrial Internet of things scene

Also Published As

Publication number Publication date
CN109963282B (en) 2022-07-26

Similar Documents

Publication Publication Date Title
CN109963282A (en) Privacy-preserving access control method in an IP-supported wireless sensor network
Dwivedi et al. Privacy preserving authentication system based on non-interactive zero knowledge proof suitable for Internet of Things
JP4639084B2 (en) Encryption method and encryption apparatus for secure authentication
US7334255B2 (en) System and method for controlling access to multiple public networks and for controlling access to multiple private networks
US7840806B2 (en) System and method of non-centralized zero knowledge authentication for a computer network
CN112425136B (en) Internet of things security with multiparty computing (MPC)
CN107360571B (en) Method for anonymous mutual authentication and key agreement protocol in mobile network
Chattaraj et al. A new two-server authentication and key agreement protocol for accessing secure cloud services
CN106295393A (en) Electronic prescription operation method, apparatus and system
JPH06223041A (en) Large-area environment user authentication system
JP2007517303A (en) Privacy protection while using authorization certificate
ES2665887T3 (en) Secure data system
CN109347626A (en) Secure identity authentication method with anti-tracking property
WO2008020991A2 (en) Notarized federated identity management
CN112565294A (en) Identity authentication method based on block chain electronic signature
Hussain et al. An improved authentication scheme for digital rights management system
Aiash A formal analysis of authentication protocols for mobile devices in next generation networks
CN113545004A (en) Authentication system with reduced attack surface
Srinivas et al. An authentication framework for roaming service in global mobility networks
Kiennert et al. Authentication systems
Soni et al. Provably secure and biometric-based secure access of E-Governance services using mobile devices
Zhu Cryptanalysis and improvement of a mobile dynamic ID authenticated key agreement scheme based on chaotic maps
JP3983561B2 (en) Secret management key management system, verification center, communication terminal, verification center program, communication terminal program, and secret management key management method
Li et al. A biometric-based password authentication with key exchange scheme using mobile device for multi-server environment
CN114915494B (en) Anonymous authentication method, system, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant