CN110971415A - Space-ground integrated space information network anonymous access authentication method and system - Google Patents
Space-ground integrated space information network anonymous access authentication method and system Download PDFInfo
- Publication number
- CN110971415A CN110971415A CN201911283127.8A CN201911283127A CN110971415A CN 110971415 A CN110971415 A CN 110971415A CN 201911283127 A CN201911283127 A CN 201911283127A CN 110971415 A CN110971415 A CN 110971415A
- Authority
- CN
- China
- Prior art keywords
- message
- key
- satellite
- access authentication
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0847—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a space-ground integrated space information network anonymous access authentication method and a system, wherein terminal equipment and a satellite register with a ground management center respectively, the terminal equipment sends a first access authentication request to the satellite, the satellite forwards the access authentication request and an identity authentication message of the terminal equipment, the ground management center replies a first response of the first access authentication of the satellite, the terminal equipment receives and verifies a second response of the first access authentication sent by the satellite, the first access authentication process is completed, the terminal equipment sends a second access authentication request to the satellite, receives the second access authentication response of the satellite, and the second access authentication process is completed.
Description
Technical Field
The invention relates to the field of information network security, in particular to a space-ground integrated space information network anonymous access authentication method.
Background
With the rapid development of space-ground integrated spatial information network technology. Meanwhile, with the continuous enhancement of the requirements of national security, aerospace, disaster early warning and the like and the continuous development of various strategic information tasks in different dimensions such as land, sea, air, sky and the like, the original mutually independent networks are enabled to share information as required, cross-region and cross-airspace communication and the cooperative work of each node of the network are realized, so that the spatial information network is further developed, the access authentication is used as a first defense line of network security protection, the access authentication can be used for identity identification among each node in the network per se, and malicious and illegal terminal equipment is prevented from occupying network resources, so that the security access authentication scheme is very important for the space-ground integrated spatial information network.
Due to the characteristics of limited resources, large time delay, dynamic change of network topology, high exposure and vulnerability of a channel and more types of access terminal equipment in the space-ground integrated spatial information network, the terminal with different security level requirements faces the problem of frequent access authentication when accessing the satellite. However, the traditional space-ground integrated space information network anonymous access authentication method is based on a public key cryptosystem, has high calculation overhead and high key updating overhead, can only realize one-way authentication of a satellite on terminal equipment, cannot prevent replay attack, and cannot select a proper access authentication mode for the terminal equipment with different security requirements. Therefore, it becomes more difficult to provide services for the terminal device in the space-ground integrated spatial information network with limited resources, and the service experience of the terminal device is greatly influenced.
Therefore, the invention provides a space-ground integrated space information network anonymous access authentication method and system, which can reduce the number of access authentication interaction, reduce the access authentication delay and the calculation overhead and ensure the security of the access authentication process of the terminal equipment.
Disclosure of Invention
The invention aims to solve the problems in the prior art and provides a method and a system for anonymous access authentication of a space-ground integrated space information network, which can reduce the interaction times of access authentication, reduce the access authentication delay and the calculation overhead and ensure the security of the access authentication process of terminal equipment.
According to one aspect of the invention, a method for anonymous access authentication of a space-ground integrated space information network is provided, and the method comprises the following steps:
step 1, the terminal equipment and the satellite respectively send information carrying inherent identity to a ground management center for registration, and the ground management center sends information containing real identity ID of the terminal equipment to the terminal equipmentuA registration response of the first secret key K and the first random number r, and the ground management center sends a registration response containing the true identity ID of the satellite equipment to the satellitesA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
step 2, the terminal equipment sends a first access authentication request message to the satellite, wherein the first access authentication request message comprises: a third random number calculated using an exclusive-or operation and a hash functionTerminal equipment pseudo identity obtained by utilizing third random number H to calculateFirst message authentication code MACu=h(IDu||Ru| T) and a fourth random numberWherein R isuA fifth random number generated when the terminal transmits the authentication request, T being a first time stamp,the operation symbol represents exclusive-or operation, | the operation symbol represents splicing operation, and the h () function is a hash function;
step 3, the satellite receives the first access authentication request message, judges whether the current terminal equipment is accessed for the first time through a legal access user verification table maintained on the satellite, and forwards the access authentication of the terminal equipment if the current terminal equipment is accessed for the first timeThe identity authentication method comprises the following steps of sending an identity authentication message of a satellite and a certificate request message to a ground management center, wherein the identity authentication message of the satellite comprises: the satellite calculates a sixth random number by using an exclusive-or operation and a hash function Satellite pseudo-identity calculated by using sixth random number HSecond message authentication code MACs=h(IDs||Rs| T') and a seventh random numberWhere T' is a second time stamp, RsAn eighth random number generated when the identity authentication message is sent for the satellite;
step 4, the ground management center receives and verifies the first access authentication request message of the terminal equipment and the identity authentication message of the satellite, and if the authentication fails, the ground management center replies an authentication failure message; if the verification is successful, replying a first response message of the satellite first access authentication, wherein the first response message of the satellite first access authentication comprises: message S, negotiation key generation algorithm, ID of true identity of terminal equipment by using first session key sk negotiated between satellite and grounduA message obtained by encrypting with the first key K, a third message verification code MAC obtained by signing the message S by using the first message verification code key MAC _ key and a third timestamp TNCCInformation;
step 5, the satellite receives a first response message of the first access authentication, and a public key P of the ground management center is usedNCCIf the verification is successful, the verification message S calculates a first session key sk ═ h (h (K | | R' | | R) for key update according to a key generation algorithm negotiated with the ground management centers) K '), and a first message authentication code key MAC _ key ═ h (K ' | | | h (K | | R ' | | | R)s)||rs) Verifying the third messageCode MAC, and whether the timestamp information is in the allowed time range is judged, and the true identity ID of the successfully authenticated terminal equipment is obtaineduAnd a corresponding first key K, establishing a corresponding relation table, and calculating an element H of a second session key SK for generating data secure transmission between the satellite and the terminalsat=h(K’||r’||r||Ts'), satellite message authentication code key MACSAT_key=h(IDu||K||ru) And an identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts') wherein T iss' is a fourth timestamp;
step 6, the satellite sends a first access authentication second response message to the terminal device, wherein the first access authentication second response message comprises: element H of second session key SK using first key KsatAnd a message obtained by encrypting a first identification message session _ id uniquely specifying the terminal device, using a satellite message authentication code key MACSATA signature message of the key to the second response message and a fourth timestamp Ts';
step 7, the terminal equipment receives and verifies the first access authentication second response message, and calculates the satellite message verification code key MACSAT_key=h(IDu||K||ru) Verifying the signature message, and if the verification is successful, decrypting by using the first secret key K of the signature message to obtain an element H of the second session secret key SKsatAnd a first identification message session _ id, storing the first identification message session _ id, and calculating a second session key SK ═ h (h (K '| | r' | r) | | K) and a terminal message authentication code key MACUS_key=h(IDu||Hsat) Completing the first access authentication process of the terminal equipment;
step 8, when the terminal device needs to perform access authentication again, calculating a second message verification code key MAC _ key ═ h (K | | | ID)u||Ru'), sending a re-access authentication request message to the satellite, the re-access authentication request message comprising: first identification information session _ ID stored in the process of first access authentication, and real identity ID of terminal equipment by using first secret key KuA second session key SK and a second message authentication codeMessage encrypted by Key MAC _ Key, ninth random number Ru' and fifth time stamp Tu', using a second message verification code key MAC _ key to sign the message of the re-access authentication request message;
step 9, the satellite receives and verifies the re-access authentication request message, if the verification is successful, negotiates with the terminal device for a third session key SK 'and a third message verification code key MAC _ key', calculates a second identification message session _ id, deletes the session key information stored before, and replies a re-access authentication response message to the terminal device, wherein the re-access authentication response message includes: second identification message session _ id, signature message signed by using first key K of terminal, tenth random number Rs' and sixth time stamp Ts”;
And step 10, the terminal equipment receives the re-access authentication response message, calculates a third session key SK 'and a third message verification code key MAC _ key' for data security transmission, and completes the re-access authentication process.
According to another aspect of the present invention, a system for anonymous access authentication of a space-ground integrated spatial information network is provided, where the system includes at least 1 satellite, a plurality of terminal devices, and 1 trusted ground management center, and the system specifically includes:
a terminal device for:
sending information carrying inherent identity to a ground management center for registration, and receiving ID containing real identity of terminal equipment sent by the ground management centeruA registration response of the first key K and the first random number r;
sending a first access authentication request message to a satellite, wherein the first access authentication request message comprises: a third random number calculated using an exclusive-or operation and a hash functionTerminal pseudo identity calculated by using third random number HFirst disappearInformation verification code MACu=h(IDu||Ru| T) and a fourth random numberWherein R isuA fifth random number generated when the terminal transmits the authentication request, T being a first time stamp,the operation symbol represents exclusive-or operation, | the operation symbol represents splicing operation, and the h () function is a hash function;
receiving and verifying a first access authentication second response message sent by a satellite, and calculating a satellite message verification code key MACSAT_key=h(IDu||K||ru) Verifying the signature message, and if the verification is successful, decrypting by using the first secret key K of the signature message to obtain an element H of the second session secret key SKsatAnd a first identification message session _ id, storing the first identification message session _ id, and calculating a second session key SK ═ h (h (K '| | r' | r) | | K) and a terminal message authentication code key MACUS_key=h(IDu||Hsat) Completing the first access authentication process of the terminal equipment;
when access authentication needs to be performed again, a second message verification code key MAC _ key h (K | | | ID) is calculatedu||Ru'), sending a re-access authentication request message to the satellite, the re-access authentication request message comprising: first identification information session _ ID stored in the process of first access authentication, and real identity ID of terminal equipment by using first secret key KuA message encrypted by the second session Key SK and the second message authentication code Key MAC _ Key, and a ninth random number Ru' and fifth time stamp Tu', using a second message verification code key MAC _ key to sign the message of the re-access authentication request message;
receiving a re-access authentication response message sent by the satellite, and calculating a third session key SK 'and a third message verification code key MAC _ key' for data security transmission to complete a re-access authentication process;
a satellite for:
sending information carrying inherent identity to a ground management center for registration, and receiving ID containing true identity of satellite equipment sent by the ground management centersA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
receiving a first access authentication request message sent by a terminal, judging whether the current terminal equipment is accessed for the first time through a legal access user verification table maintained on a satellite, if the current terminal equipment is accessed for the first time, forwarding the access authentication request message of the terminal equipment and an identity authentication message of the satellite to a ground management center, wherein the identity authentication message of the satellite comprises: the satellite calculates a sixth random number by using an exclusive-or operation and a hash function Satellite pseudo-identity calculated by using sixth random number HSecond message authentication code MACs=h(IDs||Rs| T') and a seventh random numberWhere T' is a second time stamp, RsAn eighth random number generated when the identity authentication message is sent for the satellite;
receiving first response message of first access authentication sent by ground control center, using public key P of ground management centerNCCIf the verification is successful, the verification message S calculates a first session key sk ═ h (h (K | | R' | | R) for key update according to a key generation algorithm negotiated with the ground management centers) K '), and a first message authentication code key MAC _ key ═ h (K ' | | | h (K | | R ' | | | R)s)||rs) Verifying the third message verification code MAC and judging whether the time stamp information is in the allowed time range,solving the true identity ID of the successfully authenticated terminal equipmentuAnd a corresponding first key K, establishing a corresponding relation table, and calculating an element H of a second session key SK for generating data secure transmission between the satellite and the terminalsat=h(K’||r’||r||Ts'), satellite message authentication code key MACSAT_key=h(IDu||K||ru) And a first identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts') wherein T iss' is a fourth timestamp;
sending a first access authentication second response message to the terminal equipment, wherein the first access authentication second response message comprises: element H of second session key SK using first key KsatAnd a message obtained by encrypting a first identification message session _ id uniquely specifying the terminal device, using a satellite message authentication code key MACSATA signature message of the key to the second response message and a fourth timestamp Ts';
receiving and verifying a re-access authentication request message sent by the terminal equipment, negotiating a third session key SK 'and a third message verification code key MAC _ key' with the terminal equipment if the verification is successful, calculating a second identification message session _ id, deleting the session key information stored before, and replying a re-access authentication response message of the terminal equipment, wherein the re-access authentication response message comprises: a second identification message session _ id, a signature message signed using a first key K of the terminal, a tenth random number Rs' and sixth time stamp Ts”;
A ground management center for:
receiving registration information which is respectively sent by terminal equipment and a satellite and carries inherent identity, and sending ID containing real identity of the terminal equipment to the terminal equipmentuA registration response containing the first secret key K and the first random number r sends a real identity ID containing the satellite equipment to the satellitesA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
receiving and verifying first access authentication request message of terminal equipment and identity authentication of satelliteThe authentication information, if the verification fails, the authentication failure information is replied; if the verification is successful, replying a first response message of the satellite first access authentication, wherein the first response message of the satellite first access authentication comprises: message S, negotiation key generation algorithm, ID of true identity of terminal equipment by using first session key sk negotiated between satellite and grounduA message encrypted by the key K, a third message verification code MAC obtained by signing the message S by using the first message verification code key MAC _ key and a third timestamp TNCCAnd (4) information.
The invention has the beneficial effects that the invention provides the space-ground integrated space information network anonymous access authentication method and system, which can effectively judge the legality of the terminal equipment and avoid the illegal access of illegal malicious users to network resources. When the terminal equipment sends an access authentication request to the satellite for the first time, the satellite forwards the authentication request and identity information carrying the satellite to a ground management center for verification, if the verification is successful, the ground management center sends an access authentication response message and the encrypted real identity information of the terminal equipment to the satellite, and meanwhile the satellite stores the real identity information of the terminal equipment passing the current authentication, so that the access authentication request of the terminal equipment can be directly verified when the terminal equipment is accessed to the authentication again, meanwhile, the anonymous authentication of the terminal equipment is realized by using the identity of the pseudo terminal equipment, the privacy of the terminal equipment is protected, and the real identity of a malicious user can be tracked through the pseudo identity and the responsibility can be traced to the malicious user. When the terminal equipment requests to access authentication again, the invention transfers the authentication function to the satellite, and authenticates the terminal equipment by using a symmetric encryption mode, thereby greatly reducing the complexity of access authentication, reducing the access authentication delay and the calculation cost, providing various access authentication security level options for users with different security requirements, and simultaneously effectively ensuring the security of the system.
Drawings
FIG. 1 is a flowchart of the overall operation of a space-ground integrated space information network anonymous access authentication method provided by the present invention;
FIG. 2 is a schematic flow chart of another method for authenticating space-ground integrated space information network anonymous access provided by the present invention;
fig. 3 is a flowchart of authentication for a terminal device to access a satellite for the first time according to the present invention;
fig. 4 is a flowchart of the authentication process for re-accessing the terminal device to the satellite according to the present invention;
fig. 5 is an overall architecture diagram of a space-ground integrated space information network anonymous access authentication system provided by the invention.
Detailed Description
The following description will be made for the purpose of further explaining the starting point and the corresponding technical solutions of the present invention.
Fig. 1 shows a flow chart of an anonymous access authentication method for a space-ground integrated space information network, which mainly includes the following three stages: system initialization phase, registration phase and authentication phase. These three phases are described in detail below.
Firstly, a system initialization stage: establishing system parameters, wherein the established system parameters mainly comprise: two prime numbers p and q, and an Euler formula phi (n) modular operation; public and private key pairs of the ground management center NCC; a public and private key pair of a satellite; a one-way hash function h.
II, a registration stage: the terminal device registers and registers with the ground management center to obtain the relevant terminal device information, and meanwhile, when the terminal device is completely registered, the satellite registers and registers with the ground management center to obtain the relevant satellite information and the public key information of the ground management center.
Thirdly, authentication stage: the terminal equipment generates authentication related parameter information by utilizing the terminal equipment information and sends the authentication related parameter information to an access satellite, the satellite firstly judges whether the terminal equipment is firstly accessed for authentication, if not, the terminal equipment access authentication request information and the identity authentication information of the satellite are forwarded to a ground management center for verification, meanwhile, the ground management center sends the real identity information of the terminal equipment passing the verification and the corresponding key information to the satellite, the satellite replies an authentication response message to the terminal equipment, and meanwhile, the two parties negotiate out a session key and a message verification code for later key updating, and the first access authentication is completed. If the terminal equipment initiates the authentication request again, the access satellite judges the authentication request message, if the authentication is passed, the session key of the terminal equipment which is accessed to the authentication negotiation for the first time is used for generating new session key information and a message authentication code, and the re-access authentication is completed.
Fig. 2 is a schematic flow chart of another method for anonymous access authentication of space-ground integrated spatial information network provided by the present invention, the method includes the following steps:
step 201, the terminal device carries inherent identity information to register with a ground management center, the satellite terminal carries satellite inherent device information to register with the ground management center, and the ground management center sends registration response to the terminal device and the satellite and stores the registration information of the terminal device and the satellite. Completing the registration of the terminal equipment and the satellite, specifically: the inherent identity information comprises 18-bit identity card numbers or equipment production numbers, if the inherent identity information is less than 18 bits, the information is filled by random numbers, and the ground management center calculates the real identity ID of the terminal equipment after acquiring the inherent identity information of the terminal equipmentuGenerating a secret key K corresponding to 256 bits in a symmetric encryption mode (SHA 1 (identity card number or equipment production number | | | 18-byte random number), simultaneously generating a random number r of the 256 bits and sending the random number r to a registered terminal equipment, and sending the ID to the terminal equipmentuK and r are stored; the function SHA1() is a hash function of the secure hash algorithm 1, SHA1 (random number of 18 bytes of identity card number or equipment production number) operation represents, and the identity card number or the equipment production number is spliced with the random number of 18 bytes and then one-way hash calculation is performed.
The inherent equipment information of the satellite comprises 18-bit satellite production numbers, if the number is less than 18, the number is filled with random numbers, and the ground management center calculates the true identity ID of the satellite after acquiring the inherent identity information of the satellite equipmentsGenerating a secret key K 'corresponding to 256 bits in a symmetric encryption mode, generating a random number r' of 256 bits at the same time, generating a public and private key pair by a ground management center in an asymmetric encryption algorithm mode, sending the public and private key pair to a registered satellite, and sending the ID to the registered satellite by the satellite, wherein the SHA1 (random number of 18 bytes in the satellite production number | |)sPublic keys P of K ', r' and NCCNCCStoring the data;
step 202, the terminal device sends an access authentication request message to the satellite, including a random number calculated using an exclusive-or operation and a hash functionFurther calculating the pseudo-identityH, message authentication code MACu=h(IDu||RuT) and random numbersWhere T is a time stamp, RuRandom numbers generated by the terminal when the terminal sends an authentication request are all used for ensuring the freshness of the message; r isuIs a random number R generated by the terminaluThe random number r is obtained by common calculation with the random number r obtained by previous registration;the operation sign represents an exclusive or operation,represents K and RuAnd performing Hash calculation after splicing, and then performing XOR operation with r to obtain H.
Preferably, the terminal device sends the access authentication request message to the satellite, and the access authentication method of the security level selected by the terminal device is also included, the access authentication method of the security level is forwarded to the ground management center through the satellite, and the ground management center selects the corresponding calculation method for authentication. The terminal equipment can select access authentication modes with different security levels to comprise a hash Algorithm option, a random number length option and a symmetric Encryption Algorithm option, wherein the hash Algorithm option comprises a secure hash Algorithm SHA1, a secure hash Algorithm SHA128 and a secure hash Algorithm SHA256, the random number length option comprises 32bit, 64bit and 128bit, and the symmetric Encryption Algorithm option comprises AES (advanced Encryption Standard), DES (Data Encryption Standard) and 3DES (Triple Data Encryption Standard).
Step 203, the satellite receives the access authentication request message of the terminal device, and judges whether the current terminal device is accessed for the first time through a legal access user verification table maintained on the satellite, for example, whether the terminal device carries session _ id information or whether the carried session _ id information is in the legal access user verification table to judge whether the terminal device is accessed for the first time. If the terminal equipment is the first access authentication, the access authentication request message of the terminal equipment and the identity authentication message of the satellite are forwarded to the ground management center, so that the legality of the terminal equipment is inquired from the ground.
The identity authentication message of the satellite specifically includes: satellite obtains random number by using XOR operation and Hash function calculationFurther calculating to obtain a pseudo identityMessage authentication code MACs=h(IDs||Rs| T') and random numbersWhere T' is a time stamp, RsA random number generated by the satellite itself when sending the authentication request.
204, the ground management center receives and verifies the access authentication request message of the terminal equipment and the identity authentication message of the satellite, and solves the true identity IDs of the terminal equipment and the satellite by using the XOR operationuAnd IDsThe ground management center finds out the secret keys K and K ' of the terminal equipment and the satellite by looking up the registry, further calculates random numbers R and R ' by using inverse exclusive-or operation, calculates h (K ' | R ') by using the random numbers R and R ' through a hash function, and further calculates the random number R for generating the message authentication code MAC by using the inverse exclusive-or operationuAnd RsCalculate MACuAnd MACsMAC transmitted with terminal equipment and satelliteuAnd MACsComparing, judging whether the time stamp is in the allowed time range, if the verification fails, replying an authentication failure message, and if the verification succeeds, calculating a master key h (K | | R' | R) for updating the keys) Signing the message S by using a private key of the NCC, simultaneously replying a satellite access authentication response message, wherein the message S comprises a negotiation key generation algorithm and an ID pair by using a session key skuK, signing the message S by using the message verification code key MAC _ key to obtain the message verification code MAC and the time stamp TNCCInformation;
step 205, the satellite receives the access authentication response message, verifies the message S using the public key of the NCC, and if the verification is successful, calculates a session key sk ═ h (h (K | | R' | R |) for key update according to a key generation algorithm negotiated with the ground management centers) K '), sk is a session key negotiated between the satellite and the ground, and MAC _ key ═ h (K ' | | h (K | | | R ' | | | R)s)||rs) Verifying the message verification code MAC, judging whether the timestamp information is in the allowed time range, and resolving the true identity ID of the successfully authenticated terminal equipmentuAnd a corresponding secret key K, establishing a corresponding relation table, storing the corresponding relation table on the satellite, and calculating an element H of the secret key SK for generating data secure transmissionsat=h(K’||r’||r||Ts'), message authentication code MACSAT_key=h(IDu||K||ru) And an identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts') wherein T iss' is a time stamp.
In step 206, the satellite sends an access authentication response message to the terminal device, including using the terminal device registration key K to HsatAnd session _ id encrypted messages, using MACSATSigning the message by the key to obtain a message verification code and a time stamp Ts’;
Step 207, after receiving the access authentication response message, the terminal device verifies the message, specifically: terminal device computing MACSAT_key=h(IDu||K||ru) Verifying the signature if the verification is successfulDecrypting with its own key K to obtain HsatAnd a session _ id, storing the session _ id, and further calculating a key SK h (h (K' | r) | K) for data secure transmission, wherein the SK is a session key generated by negotiation between the terminal and the satellite, and a message authentication code MACUS_key=h(IDu||Hsat) And finishing the first access authentication process of the terminal equipment.
Step 208, when the terminal device needs to perform access authentication again (for example, when the terminal device needs to re-access the network after being disconnected), the message authentication code key MAC _ key is calculated as h (K | | ID)u||Ru') sending a re-access authentication request message including session _ ID of first access authentication and real identity ID of terminal equipment using secret key KuMessage encrypted by session Key SK and message authentication code Key MAC _ Key, and random number Ru' sum time stamp Tu', and sign the message using the MAC _ key;
step 209, the satellite receives the re-access authentication request message, and verifies the access authentication request message, specifically: finding out the key K of the terminal equipment uniquely appointed by the user according to the received session _ ID, and further decrypting the key K to obtain the IDu', SK and MACUSA key, and simultaneously searching the real identity ID of the terminal equipment corresponding to the key K through the corresponding relation tableuComparison of IDuAnd IDuIf the signature message is consistent with the signature message, the signature message is verified, and the verification is successful, otherwise, an authentication failure message is replied. After the verification is successful, negotiating a new session key SK 'and a message verification code MAC _ key' with the terminal equipment, calculating a new session _ id, deleting the previously stored session key information, and replying a re-access authentication response message;
step 210, the terminal device receives the re-access authentication response message, including the new session _ id, signature using the terminal key K, and the random number Rs' sum time stamp TsCalculating a new session key SK and a message verification code MAC _ key for data secure transmission, and completing the re-access authentication process.
To explain the present invention in detail, the process of the terminal device performing access authentication for the first time is shown in fig. 3, and the specific steps are as follows:
step 301: terminal equipment generates random number RuAnd a time stamp T, the terminal equipment sends an access authentication request message to the satellite, wherein the access authentication request message comprises a random number obtained by using exclusive-or operation and hash function calculationFurther calculating the pseudo-identityMessage authentication code MACu=h(IDu||RuT) and random numbers
Step 302: the method comprises the following steps that a satellite receives an access authentication request message of terminal equipment, whether the current terminal equipment is accessed for the first time or not is judged through a legal access user verification table maintained on the satellite, if the current terminal equipment is accessed for the first time, the satellite forwards the access authentication request message of the terminal equipment and an identity authentication message of the satellite to a ground management center, and the method specifically comprises the following steps: satellite generated random number RsAnd a timestamp T', the satellite calculates a random number by using an exclusive OR operation and a Hash functionFurther calculating to obtain a pseudo identityMessage authentication code MACs=h(IDs||Rs| T') and random numbers
Step 303: the ground management center receives and verifies the access authentication request message of the terminal equipment and the identity authentication message of the satellite, and solves the real identity IDs of the terminal equipment and the satellite by using the XOR operationuAnd IDsGround managementThe center finds out the secret keys K and K ' of the terminal equipment and the satellite by looking up the registry, further calculates random numbers R and R ' by using an exclusive-or operation, calculates h (K ' | R ') by using the random numbers R and R ' through a hash function, and further calculates the random number R for generating the message authentication code MAC by using the exclusive-or operationuAnd RsCalculate MACuAnd MACsMAC transmitted with terminal equipment and satelliteuAnd MACsComparing and judging whether the time stamp is in the allowed time range, if the verification fails, disconnecting the connection, and if the verification succeeds, generating the time stamp TNCCAnd calculates the master key h (K | | R' | | R) for updating the keys) Signing the message S by using a private key of the NCC, simultaneously replying a satellite access authentication response message, wherein the message S comprises a negotiation key generation algorithm and an ID pair by using a session key skuAnd K encrypted message Esk{IDuK, signature MAC of message using MAC _ key, and timestamp TNCCAnd (4) information.
Step 304: the satellite receives the access authentication response message, verifies the message S by using the public key of the NCC, and if the verification is successful, calculates a session key sk (h (K | | R' | R |) for updating the key according to a key generation algorithm negotiated with the ground management centers) K ') and MAC _ key ═ h (K ' | | h (K | | | R ' | | R)s)||rs) Verifying the signature MAC, judging whether the timestamp information is in the allowed time range, and solving the true identity ID of the successfully authenticated terminal equipmentuAnd a corresponding secret key K, establishing a corresponding relation table, storing the corresponding relation table on the satellite, and calculating an element H of the secret key SK for generating data secure transmissionsat=h(K’||r’||r||Ts'), message authentication code MACSAT_key=h(IDu||K||ru) And an identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts’)。
Step 305: after receiving the access authentication response message, the terminal device verifies the message, specifically: terminal device computing MACSAT_key=h(IDu||K||ru) Verifying the signature, and if the verification is successful, decrypting by using the own secret key KTo HsatAnd a session _ id, storing the session _ id, and further calculating a key SK h (h (K' | r) | K) for data security transmission and a message authentication code MACUS_key=h(IDu||Hsat) And finishing the first access authentication process of the terminal equipment.
When the terminal device is disconnected, the access authentication needs to be performed again, and the access authentication again is as shown in fig. 4, and the specific steps are as follows:
step 401: generating a random number Ru' sum time stamp Tu', calculate MAC _ key ═ h (K | | | ID)u||Ru') sends a re-access authentication request message including a session _ ID for first access authentication, a pair of IDs using a secret key KusessionKey (i.e., SK) and MAC _ Key encrypted message EK{ IDu, sessionKey, MAC _ Key }, random number Ru' sum time stamp Tu', and signs the message using the MAC _ key.
Step 402: the satellite receives the re-access authentication request message, and verifies the access authentication request message, specifically: finding out the key K of the terminal equipment uniquely appointed by the user according to the received session _ ID, and further decrypting the key K to obtain the IDu', SK and MACUSA key, and simultaneously searching the real identity ID of the terminal equipment corresponding to the key K through the corresponding relation tableuComparison of IDuAnd IDuIf yes, the signature message is verified, and the verification is successful, otherwise, the connection is disconnected. After the verification is successful, a random number R is generateds' sum time stamp Ts' negotiate a new session key SK ' and a message verification code MAC _ key ' with the terminal device, calculate a new session _ id, delete the previously saved session key information, and reply with a re-access authentication response message.
Step 403: the terminal equipment receives the re-access authentication response message which comprises a new session _ id, a signature by using a terminal key K and a random number Rs' sum time stamp TsCalculating a new session key SK and a message verification code MAC _ key for data secure transmission, and completing the re-access authentication process.
Fig. 5 is an overall architecture diagram of an anonymous access authentication system for a space-ground integrated space information network provided by the present invention, where the system includes a plurality of terminal devices 501, at least 1 satellite 502, and 1 trusted ground management center 503, and the system specifically includes:
a terminal device 501, configured to:
sending information carrying inherent identity to the ground management center 503 for registration, and receiving the information containing the real identity ID of the terminal device sent by the ground management center 503uA registration response of the key K and the random number r;
sending a first access authentication request message to the satellite 502, the first access authentication request message comprising: random number computed using an exclusive-or operation and a hash functionPseudo-identity calculated using a random number HMessage authentication code MACu=h(IDu||RuT) and random numbers Wherein R isuA random number generated when the terminal transmits an authentication request, T is a time stamp,the operation symbol represents exclusive-or operation, | the operation symbol represents splicing operation, and the h () function is a hash function;
receiving and verifying the first access authentication second response message sent by the satellite 502, and calculating a satellite message verification code key MACSAT_key=h(IDu||K||ru) Verifying the signature message, and if the verification is successful, decrypting by using the own secret key K to obtain an element H of a second session secret key SKsatAnd a first identification message session _ id for identifying the first labelThe session id is stored and calculated for the second session key SK ═ h (h (K' | r) | K), and the terminal message authentication code key MACUS_key=h(IDu||Hsat) The first access authentication process of the terminal device 501 is completed;
when access authentication needs to be performed again, a second message verification code key MAC _ key h (K | | | ID) is calculatedu||Ru'), transmit a re-access authentication request message to the satellite 502, the re-access authentication request message comprising: first identification information session _ ID stored in the process of first access authentication and real identity ID of terminal equipment by using secret key KuA message encrypted by the second session Key SK and the second message authentication code Key MAC _ Key, and a random number Ru' sum time stamp Tu', using a second message verification code key MAC _ key to sign the message of the re-access authentication request message;
receiving a re-access authentication response message sent by the satellite 502, and calculating a third session key SK 'and a third message verification code key MAC _ key' for data security transmission to complete a re-access authentication process;
a satellite 502 for:
sending information carrying inherent identity to the ground management center 503 for registration, and receiving the information containing the satellite equipment true identity ID sent by the ground management center 503sSecret key K', random number r and public key P of ground management centerNCCThe registration response of (1);
receiving a first access authentication request message sent by the terminal device 501, determining whether the current terminal device 501 is first accessed for authentication through a legal access user verification table maintained on the satellite 502, and if the current terminal device 501 is first accessed for authentication, forwarding the access authentication request message of the terminal device 501 and an identity authentication message of the satellite 502 to the ground management center 503, wherein the identity authentication message of the satellite 502 includes: satellite 502 computes a random number using an XOR operation and a hash functionCalculated pseudo-random number HIdentityMessage authentication code MACs=h(IDs||Rs| T') and random numbers Where T' is a time stamp, RsA random number generated when the satellite 502 sends the identity authentication message;
receiving a first response message of first access authentication sent by the ground control center 503, using the public key P of the ground management center 503NCCIf the verification is successful, the verification message S calculates a first session key sk-h (h (K | | R' | R) for key update according to a key generation algorithm negotiated with the ground management center 503s) K '), and a first message authentication code key MAC _ key ═ h (K ' | | | h (K | | R ' | | | R)s)||rs) Verifying the message verification code MAC, judging whether the timestamp information is in the allowed time range, and resolving the true identity ID of the successfully authenticated terminal equipmentuAnd the corresponding key K, establishing a corresponding relation table, and calculating an element H of a second session key SK for generating data secure transmission between the satellite 502 and the terminal 501sat=h(K’||r’||r||Ts'), satellite message authentication code key MACSAT_key=h(IDu||K||ru) And an identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts') wherein T iss' is a timestamp;
sending a first access authentication second response message to the terminal device 501, where the first access authentication second response message includes: element H of the registration key K for the second session key SK using the terminal device 501satAnd a message obtained by encrypting a first identification message session _ id uniquely specifying the terminal device, using a satellite message authentication code key MACSATA signature message of the key to the second response message and a timestamp Ts';
receiving and verifying the re-access authentication request message sent by the terminal device 501, if the verification is successful, negotiating a third session key SK 'and a third message verification code key MAC _ key' with the terminal device, calculating a second identification message session _ id, deleting the session key information stored before, and replying a re-access authentication response message for the terminal device, where the re-access authentication response message includes: second identification message session _ id, signed message signed by using terminal key K, and random number Rs' sum time stamp Ts”;
A ground management center 503 for:
receiving registration information with inherent identity respectively sent by a terminal device 501 and a satellite 502, and sending a registration message containing a terminal device real identity ID to the terminal device 501uThe registration response, key K and random number r, sends a registration response containing the satellite device true identity ID to the satellite 502sSecret key K ', random number r' and public key P of ground management centerNCCThe registration response of (1);
receiving and verifying a first access authentication request message of the terminal device 501 and an identity authentication message of the satellite 502, and if the authentication fails, replying an authentication failure message; if the verification is successful, replying to the satellite 502 to access the first authentication response message for the first time, wherein the first authentication response message for the first time comprises: message S, negotiated key generation algorithm, true ID of terminal device using first session key sk negotiated by satellite 502 and ground management center 503uA message encrypted with the key K, a message authentication code MAC obtained by signing the message S with the first message authentication code key MAC _ key, and a third timestamp TNCCAnd (4) information.
Preferably, the first access authentication request message sent by the terminal device 501 to the satellite 502 further includes: the access authentication mode of the security level selected by the terminal device 501;
the access authentication mode of the security level is forwarded to a ground management center 503 through a satellite 502, and the ground management center 503 selects a corresponding authentication mode for authentication according to the access authentication mode of the security level;
the access authentication mode of the security level comprises a Hash algorithm option, a random number length option and a symmetric encryption algorithm option, wherein the Hash algorithm option at least comprises a secure Hash algorithm SHA1, a secure Hash algorithm SHA128 and a secure Hash algorithm SHA256, the random number length option at least comprises 32 bits, 64 bits and 128 bits, and the symmetric encryption algorithm option at least comprises an Advanced Encryption Standard (AES), a Data Encryption Standard (DES) and a triple data encryption standard (3 DES).
Preferably, the verifying, by the ground management center 503, the access authentication request message of the terminal device 501 and the identity authentication message of the satellite 502 includes:
the ground management center 503 uses the xor operation to solve the true identity IDs of the terminal device 501 and the satellite 502uAnd IDsKeys K and K' of the terminal device 501 and the satellite 502 are found by looking up the registry; further calculating random numbers r and r 'by using an inverse exclusive-or operation, and calculating h (K' | | r ') by using the random numbers r and r' through a hash function; further using an exclusive-OR operation to calculate a random number R for generating a message authentication code MACuAnd RsCalculating message authentication code MACuAnd MACsMessage authentication code MAC transmitted with terminal device 501 and satellite 502uAnd MACsComparing; if the time stamps are consistent and the time stamps are within the allowed time range, the verification is successful, and a master key h (K | | R' | | R) for updating the key is calculateds) Signing the message by using a private key of a ground management 503 center to obtain a message S; otherwise, the verification fails, and an authentication failure message is replied.
Preferably, the satellite 502 receives and verifies the re-access authentication request message, including:
the satellite 502 finds the key K of the uniquely specified terminal device 501 according to the received first identification message session _ id; further using the secret key K for decryption to obtain the true identity ID of the terminal equipment for verificationu', second session key SK and terminal message authentication code key MACUSA key, and simultaneously searching the real identity ID of the terminal equipment corresponding to the key K through the corresponding relation tableuComparison of IDuAnd IDu'; if the signature message is consistent with the signature message, the signature message is verified successfully; otherwise, the verification fails, and an authentication failure message is replied.
The above examples are to be construed as merely illustrative and not limitative of the remainder of the disclosure. After reading the description of the invention, the skilled person can make various changes or modifications to the invention, and these equivalent changes and modifications also fall into the scope of the invention defined by the claims.
Claims (8)
1. A method for anonymous access authentication of a space-ground integrated space information network is characterized by comprising the following steps:
step 1, the terminal equipment and the satellite respectively send information carrying inherent identity to a ground management center for registration, and the ground management center sends information containing real identity ID of the terminal equipment to the terminal equipmentuA registration response of the first secret key K and the first random number r, and the ground management center sends a registration response containing the true identity ID of the satellite equipment to the satellitesA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
step 2, the terminal equipment sends a first access authentication request message to the satellite, wherein the first access authentication request message comprises a third random number H-R ⊕ H (K-R) calculated by using exclusive-or operation and a hash functionu) And the terminal equipment pseudo-identity PID obtained by utilizing the third random number H for calculationu=IDu⊕ H, first message authentication code MACu=h(IDu||Ru| T) and a fourth random number ru=Ru⊕ h (K | | R), wherein RuGenerating a fifth random number when the authentication request is sent to the terminal, wherein T is a first timestamp, ⊕ operation symbols represent exclusive-or operation, | | the operation symbols represent splicing operation, and h () function is a hash function;
step 3, the satellite receives the first access authentication request message, judges whether the current terminal equipment is accessed for the first time through a legal access user verification table maintained on the satellite, and forwards the access authentication request message of the terminal equipment if the current terminal equipment is accessed for the first timeAnd sending the satellite identity authentication message to a ground management center, wherein the satellite identity authentication message comprises a sixth random number H ' ═ R ' ⊕ H (K ' | | R) calculated by the satellite by using exclusive-or operation and a hash functions) Satellite pseudo-identity PID calculated by utilizing sixth random number HsIDs ⊕ H', second message authentication code MACs=h(IDs||Rs| T') and a seventh random number rs=Rs⊕ h (K ' | R '), where T ' is the second timestamp, RsAn eighth random number generated when the identity authentication message is sent for the satellite;
step 4, the ground management center receives and verifies the first access authentication request message of the terminal equipment and the identity authentication message of the satellite, and if the authentication fails, the ground management center replies an authentication failure message; if the verification is successful, replying a first response message of the satellite first access authentication, wherein the first response message of the satellite first access authentication comprises: message S, negotiation key generation algorithm, ID of true identity of terminal equipment by using first session key sk negotiated between satellite and grounduA message obtained by encrypting with the first key K, a third message verification code MAC obtained by signing the message S by using the first message verification code key MAC _ key and a third timestamp TNCCInformation;
step 5, the satellite receives a first response message of the first access authentication, and a public key P of the ground management center is usedNCCIf the verification is successful, the verification message S calculates a first session key sk ═ h (h (K | | R' | | R) for key update according to a key generation algorithm negotiated with the ground management centers) K '), and a first message authentication code key MAC _ key ═ h (K ' | | | h (K | | R ' | | | R)s)||rs) Verifying the third message verification code MAC, judging whether the timestamp information is in the allowed time range, and resolving the successful authentication terminal equipment real identity IDuAnd a corresponding first key K, establishing a corresponding relation table, and calculating an element H of a second session key SK for generating data secure transmission between the satellite and the terminalsat=h(K’||r’||r||Ts'), satellite message authentication code key MACSAT_key=h(IDu||K||ru) And a unique fingerIdentification message session _ ID ═ h (ID) for a given terminal deviceu||Ts') wherein T iss' is a fourth timestamp;
step 6, the satellite sends a first access authentication second response message to the terminal device, wherein the first access authentication second response message comprises: element H of second session key SK using first key KsatAnd a message obtained by encrypting a first identification message session _ id uniquely specifying the terminal device, using a satellite message authentication code key MACSATA signature message of the key to the second response message and a fourth timestamp Ts';
step 7, the terminal equipment receives and verifies the first access authentication second response message, and calculates the satellite message verification code key MACSAT_key=h(IDu||K||ru) Verifying the signature message, and if the verification is successful, decrypting by using the first secret key K of the signature message to obtain an element H of the second session secret key SKsatAnd a first identification message session _ id, storing the first identification message session _ id, and calculating a second session key SK ═ h (h (K '| | r' | r) | | K) and a terminal message authentication code key MACUS_key=h(IDu||Hsat) Completing the first access authentication process of the terminal equipment;
step 8, when the terminal device needs to perform access authentication again, calculating a second message verification code key MAC _ key ═ h (K | | | ID)u||Ru'), sending a re-access authentication request message to the satellite, the re-access authentication request message comprising: first identification information session _ ID stored in the process of first access authentication, and real identity ID of terminal equipment by using first secret key KuA message encrypted by the second session Key SK and the second message authentication code Key MAC _ Key, and a ninth random number Ru' and fifth time stamp Tu', using a second message verification code key MAC _ key to sign the message of the re-access authentication request message;
step 9, the satellite receives and verifies the re-access authentication request message, if the verification is successful, the satellite negotiates a third session key SK 'and a third message verification code key MAC _ key' with the terminal equipment, and calculates a second identification message sesAnd (2) deleting the session key information stored before, and replying a re-access authentication response message of the terminal equipment, wherein the re-access authentication response message comprises: second identification message session _ id, signature message signed by using first key K of terminal, tenth random number Rs' and sixth time stamp Ts”;
And step 10, the terminal equipment receives the re-access authentication response message, calculates a third session key SK 'and a third message verification code key MAC _ key' for data security transmission, and completes the re-access authentication process.
2. The method of claim 1, wherein the step 2 of the terminal device sending the first access authentication request message to the satellite further comprises: the access authentication mode of the security level selected by the terminal equipment;
the access authentication mode of the security level is forwarded by the satellite to reach a ground management center, and the ground management center selects a corresponding authentication mode for authentication according to the access authentication mode of the security level;
the access authentication mode of the security level comprises a Hash algorithm option, a random number length option and a symmetric encryption algorithm option, wherein the Hash algorithm option at least comprises a secure Hash algorithm SHA1, a secure Hash algorithm SHA128 and a secure Hash algorithm SHA256, the random number length option at least comprises 32 bits, 64 bits and 128 bits, and the symmetric encryption algorithm option at least comprises an Advanced Encryption Standard (AES), a Data Encryption Standard (DES) and a triple data encryption standard (3 DES).
3. The method according to claim 1, wherein the step 4 of verifying the access authentication request message of the terminal device and the identity authentication message of the satellite by the ground management center comprises:
the ground management center uses the inverse XOR operation to solve the real identity ID of the terminal equipmentuAnd true identity ID of the satellitesFinding a first key K and a second key K' of the terminal equipment and the satellite by looking up a registry; further calculated using an inverse exclusive OR operationA first random number r and a second random number r ', and calculating h (K' | | r ') by a hash function using the first random number r and the second random number r'; further using an inverse exclusive-or operation, a fifth random number R for generating a third message authentication code MAC is calculateduAnd an eighth random number RsCalculating a first message authentication code MACuAnd a second message authentication code MACsMAC, first message authentication code transmitted with terminal equipment and satelliteuAnd a second message authentication code MACsComparing; if the time stamps are consistent and the time stamps are within the allowed time range, the verification is successful, and a master key h (K | | R' | | R) for updating the key is calculateds) Signing the message by using a private key of a ground management center to obtain a message S; otherwise, the verification fails, and an authentication failure message is replied.
4. The method of claim 1, wherein the step 9 of the satellite receiving and verifying the re-access authentication request message comprises:
the satellite searches a first secret key K of the uniquely-assigned terminal equipment according to the received first identification message session _ id; further using the first secret key K to decrypt and obtain the true identity ID of the terminal equipment for verificationu', second session key SK and terminal message authentication code key MACUSLooking up the real identity ID of the terminal equipment corresponding to the first key K through the corresponding relation tableuComparison of IDuAnd IDu'; if the signature message is consistent with the signature message, the signature message is verified successfully; otherwise, the verification fails, and an authentication failure message is replied.
5. A space-ground integrated space information network anonymous access authentication system comprises at least 1 satellite, a plurality of terminal devices and 1 credible ground management center, and is characterized by specifically comprising:
a terminal device for:
sending information carrying inherent identity to a ground management center for registration, and receiving ID containing real identity of terminal equipment sent by the ground management centeruFirst key K and second keyA registration response of a random number r;
sending a first access authentication request message to the satellite, wherein the first access authentication request message comprises a third random number H-R ⊕ H (K | | | R) calculated by using exclusive-or operation and a hash functionu) And the terminal equipment pseudo-identity PID obtained by utilizing the third random number H for calculationu=IDu⊕ H, first message authentication code MACu=h(IDu||Ru| T) and a fourth random number ru=Ru⊕ h (K | | R), wherein RuGenerating a fifth random number when the authentication request is sent to the terminal, wherein T is a first timestamp, ⊕ operation symbols represent exclusive-or operation, | | the operation symbols represent splicing operation, and h () function is a hash function;
receiving and verifying a first access authentication second response message sent by a satellite, and calculating a satellite message verification code key MACSAT_key=h(IDu||K||ru) Verifying the signature message, and if the verification is successful, decrypting by using the first secret key K of the signature message to obtain an element H of the second session secret key SKsatAnd a first identification message session _ id, storing the first identification message session _ id, and calculating a second session key SK ═ h (h (K '| | r' | r) | | K) and a terminal message authentication code key MACUS_key=h(IDu||Hsat) Completing the first access authentication process of the terminal equipment;
when access authentication needs to be performed again, a second message verification code key MAC _ key h (K | | | ID) is calculatedu||Ru'), sending a re-access authentication request message to the satellite, the re-access authentication request message comprising: first identification information session _ ID stored in the process of first access authentication and real identity ID of terminal equipment by using secret key KuA message encrypted by the second session Key SK and the second message authentication code Key MAC _ Key, and a ninth random number Ru' and fifth time stamp Tu', using a second message verification code key MAC _ key to sign the message of the re-access authentication request message;
receiving a re-access authentication response message sent by the satellite, and calculating a third session key SK 'and a third message verification code key MAC _ key' for data security transmission to complete a re-access authentication process;
a satellite for:
sending information carrying inherent identity to a ground management center for registration, and receiving ID containing true identity of satellite equipment sent by the ground management centersA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
receiving a first access authentication request message sent by a terminal, judging whether the current terminal equipment is firstly accessed for authentication through a legal access user verification table maintained on a satellite, if so, forwarding the access authentication request message of the terminal equipment and an identity authentication message of the satellite to a ground management center, wherein the identity authentication message of the satellite comprises a sixth random number H ' ═ R ' ⊕ H (K ' | R) calculated by the satellite by using exclusive or operation and a hash functions) Satellite pseudo-identity PID calculated by utilizing sixth random number Hs=IDs⊕ H', second message authentication code MACs=h(IDs||Rs| T') and a seventh random number rs=Rs⊕ h (K ' | R '), where T ' is the second timestamp, RsAn eighth random number generated when the identity authentication message is sent for the satellite;
receiving first response message of first access authentication sent by ground control center, using public key P of ground management centerNCCIf the verification is successful, the verification message S calculates a first session key sk ═ h (h (K | | R' | | R) for key update according to a key generation algorithm negotiated with the ground management centers) K '), and a first message authentication code key MAC _ key ═ h (K ' | | | h (K | | R ' | | | R)s)||rs) Verifying the third message verification code MAC, judging whether the timestamp information is in the allowed time range, and resolving the successful authentication terminal equipment real identity IDuAnd a corresponding first key K, establishing a corresponding relation table, and calculating an element H of a second session key SK for generating data secure transmission between the satellite and the terminalsat=h(K’||r’||r||Ts'), satellite message authenticationCode key MACSAT_key=h(IDu||K||ru) And a first identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts') wherein T iss' is a fourth timestamp;
sending a first access authentication second response message to the terminal equipment, wherein the first access authentication second response message comprises: element H of second session key SK using first key KsatAnd a message obtained by encrypting a first identification message session _ id uniquely specifying the terminal device, using a satellite message authentication code key MACSATA signature message of the key to the second response message and a fourth timestamp Ts';
receiving and verifying a re-access authentication request message sent by the terminal equipment, negotiating a third session key SK 'and a third message verification code key MAC _ key' with the terminal equipment if the verification is successful, calculating a second identification message session _ id, deleting the session key information stored before, and replying a re-access authentication response message of the terminal equipment, wherein the re-access authentication response message comprises: a second identification message session _ id, a signature message signed using a first key K of the terminal, a tenth random number Rs' and sixth time stamp Ts”;
A ground management center for:
receiving registration information which is respectively sent by terminal equipment and a satellite and carries inherent identity, and sending ID containing real identity of the terminal equipment to the terminal equipmentuA registration response containing the first secret key K and the first random number r sends a real identity ID containing the satellite equipment to the satellitesA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
receiving and verifying a first access authentication request message of the terminal equipment and an identity authentication message of the satellite, and if the authentication fails, replying an authentication failure message; if the verification is successful, replying a first response message of the satellite first access authentication, wherein the first response message of the satellite first access authentication comprises: message S, negotiation key generation algorithm, and setting of terminal using first session key sk negotiated between satellite and groundBackup real identity IDuA message obtained by encrypting with the first key K, a third message verification code MAC obtained by signing the message S by using the first message verification code key MAC _ key and a third timestamp TNCCAnd (4) information.
6. The system of claim 5, wherein the first access authentication request message sent by the terminal device to the satellite further comprises: the access authentication mode of the security level selected by the terminal equipment;
the access authentication mode of the security level is forwarded by the satellite to reach a ground management center, and the ground management center selects a corresponding authentication mode for authentication according to the access authentication mode of the security level;
the access authentication mode of the security level comprises a Hash algorithm option, a random number length option and a symmetric encryption algorithm option, wherein the Hash algorithm option at least comprises a secure Hash algorithm SHA1, a secure Hash algorithm SHA128 and a secure Hash algorithm SHA256, the random number length option at least comprises 32 bits, 64 bits and 128 bits, and the symmetric encryption algorithm option at least comprises an Advanced Encryption Standard (AES), a Data Encryption Standard (DES) and a triple data encryption standard (3 DES).
7. The system of claim 5, wherein the ground management center verifies the access authentication request message of the terminal device and the identity authentication message of the satellite, comprising:
the ground management center uses the inverse XOR operation to solve the true identity IDs of the terminal equipment and the satelliteuAnd IDsFinding a first secret key K of the terminal equipment and a second secret key K' of the satellite by looking up a registry; further calculating a first random number r and a second random number r 'by using an inverse exclusive-or operation, and calculating h (K' | r ') by using the first random number r and the second random number r' through a hash function; further using an inverse exclusive-or operation, a fifth random number R for generating a third message authentication code MAC is calculateduAnd an eighth random number RsCalculating a first message authentication code MACuAnd a second message authentication code MACsMAC, first message authentication code transmitted with terminal equipment and satelliteuAnd a second message authentication code MACsComparing; if the time stamps are consistent and the time stamps are within the allowed time range, the verification is successful, and a master key h (K | | R' | | R) for updating the key is calculateds) Signing the message by using a private key of a ground management center to obtain a message S; otherwise, the verification fails, and an authentication failure message is replied.
8. The system of claim 5, wherein the satellite receives and verifies the re-access authentication request message, comprising:
the satellite searches a first secret key K of the uniquely-assigned terminal equipment according to the received first identification message session _ id; further using the first secret key K to decrypt and obtain the true identity ID of the terminal equipment for verificationu', second session key SK and terminal message authentication code key MACUSLooking up the real identity ID of the terminal equipment corresponding to the first key K through the corresponding relation tableuComparison of IDuAnd IDu'; if the signature message is consistent with the signature message, the signature message is verified successfully; otherwise, the verification fails, and an authentication failure message is replied.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911283127.8A CN110971415B (en) | 2019-12-13 | 2019-12-13 | Space-ground integrated space information network anonymous access authentication method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911283127.8A CN110971415B (en) | 2019-12-13 | 2019-12-13 | Space-ground integrated space information network anonymous access authentication method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110971415A true CN110971415A (en) | 2020-04-07 |
CN110971415B CN110971415B (en) | 2022-05-10 |
Family
ID=70034341
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911283127.8A Active CN110971415B (en) | 2019-12-13 | 2019-12-13 | Space-ground integrated space information network anonymous access authentication method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110971415B (en) |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111711955A (en) * | 2020-06-15 | 2020-09-25 | 华中师范大学 | Wearable computing autonomous security authentication system and security authentication method |
CN111885604A (en) * | 2020-06-28 | 2020-11-03 | 北京交通大学 | Authentication method, device and system based on heaven and earth integrated network |
CN112087750A (en) * | 2020-08-05 | 2020-12-15 | 西安电子科技大学 | Access and switching authentication method and system under satellite network intermittent communication scene |
CN112235792A (en) * | 2020-09-15 | 2021-01-15 | 西安电子科技大学 | Multi-type terminal access and switching authentication method, system, equipment and application |
CN112332900A (en) * | 2020-09-27 | 2021-02-05 | 贵州航天计量测试技术研究所 | Low-earth-orbit satellite communication network rapid switching authentication method |
CN112564775A (en) * | 2020-12-18 | 2021-03-26 | 江苏省未来网络创新研究院 | Spatial information network access control system and authentication method based on block chain |
CN112615721A (en) * | 2020-12-18 | 2021-04-06 | 江苏省未来网络创新研究院 | Access authentication and authority management control flow method of spatial information network based on block chain |
CN112867004A (en) * | 2020-12-31 | 2021-05-28 | 北京芯安微电子技术有限公司 | Remote configuration system and user data replacement method |
CN112953726A (en) * | 2021-03-01 | 2021-06-11 | 西安电子科技大学 | Method, system and application for fusing dual-layer satellite network satellite-ground and inter-satellite networking authentication |
CN113068187A (en) * | 2021-02-20 | 2021-07-02 | 西安电子科技大学 | Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application |
CN113079016A (en) * | 2021-03-23 | 2021-07-06 | 中国人民解放军国防科技大学 | Identity-based authentication method facing space-based network |
CN113660026A (en) * | 2021-07-26 | 2021-11-16 | 长光卫星技术有限公司 | Satellite security management method based on multi-user autonomous access control |
WO2022002175A1 (en) * | 2020-07-01 | 2022-01-06 | 大唐移动通信设备有限公司 | Dynamic authentication method and apparatus, and device and readable storage medium |
CN114051241A (en) * | 2022-01-13 | 2022-02-15 | 中移(上海)信息通信科技有限公司 | Communication processing method and device |
CN114172669A (en) * | 2022-02-15 | 2022-03-11 | 之江实验室 | Two-stage security access authentication method fusing space-time characteristics in satellite-ground communication |
CN114339735A (en) * | 2021-12-10 | 2022-04-12 | 重庆邮电大学 | NTRU-based (network to equipment) heaven and earth integrated network anonymous access authentication method |
CN114363034A (en) * | 2021-12-29 | 2022-04-15 | 上海众源网络有限公司 | Verification code generation and verification method and device, electronic equipment and storage medium |
CN114584975A (en) * | 2022-02-23 | 2022-06-03 | 重庆邮电大学 | Anti-quantum satellite network access authentication method based on SDN |
CN114827998A (en) * | 2022-03-17 | 2022-07-29 | 北京航天科工世纪卫星科技有限公司 | Satellite terminal network access authentication device based on encryption chip |
CN115022879A (en) * | 2022-05-11 | 2022-09-06 | 西安电子科技大学 | Enhanced Beidou user terminal access authentication method and system based on position key |
CN116938321A (en) * | 2023-09-14 | 2023-10-24 | 成都本原星通科技有限公司 | Satellite communication method based on anti-quantum access authentication of position key low orbit satellite |
CN117376917A (en) * | 2023-12-05 | 2024-01-09 | 成都本原星通科技有限公司 | Satellite communication method for satellite terminal authentication based on lattice proxy signcryption algorithm |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070105600A1 (en) * | 2005-11-08 | 2007-05-10 | Shantidev Mohanty | Techniques to communicate information between foreign agents and paging controllers |
CN105491076A (en) * | 2016-01-28 | 2016-04-13 | 西安电子科技大学 | Heterogeneous network end-to-end authentication secret key exchange method based on space-sky information network |
CN108282778A (en) * | 2018-01-23 | 2018-07-13 | 中国科学技术大学 | Anonymous quick roaming access authentication method in a kind of space networks |
CN108282779A (en) * | 2018-01-24 | 2018-07-13 | 中国科学技术大学 | Incorporate Information Network low time delay anonymous access authentication method |
-
2019
- 2019-12-13 CN CN201911283127.8A patent/CN110971415B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070105600A1 (en) * | 2005-11-08 | 2007-05-10 | Shantidev Mohanty | Techniques to communicate information between foreign agents and paging controllers |
CN105491076A (en) * | 2016-01-28 | 2016-04-13 | 西安电子科技大学 | Heterogeneous network end-to-end authentication secret key exchange method based on space-sky information network |
CN108282778A (en) * | 2018-01-23 | 2018-07-13 | 中国科学技术大学 | Anonymous quick roaming access authentication method in a kind of space networks |
CN108282779A (en) * | 2018-01-24 | 2018-07-13 | 中国科学技术大学 | Incorporate Information Network low time delay anonymous access authentication method |
Cited By (40)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111711955A (en) * | 2020-06-15 | 2020-09-25 | 华中师范大学 | Wearable computing autonomous security authentication system and security authentication method |
CN111711955B (en) * | 2020-06-15 | 2022-04-29 | 华中师范大学 | Wearable computing autonomous security authentication system and security authentication method |
CN111885604A (en) * | 2020-06-28 | 2020-11-03 | 北京交通大学 | Authentication method, device and system based on heaven and earth integrated network |
CN111885604B (en) * | 2020-06-28 | 2021-08-27 | 北京交通大学 | Authentication method, device and system based on heaven and earth integrated network |
WO2022002175A1 (en) * | 2020-07-01 | 2022-01-06 | 大唐移动通信设备有限公司 | Dynamic authentication method and apparatus, and device and readable storage medium |
CN112087750A (en) * | 2020-08-05 | 2020-12-15 | 西安电子科技大学 | Access and switching authentication method and system under satellite network intermittent communication scene |
CN112235792A (en) * | 2020-09-15 | 2021-01-15 | 西安电子科技大学 | Multi-type terminal access and switching authentication method, system, equipment and application |
CN112235792B (en) * | 2020-09-15 | 2022-03-11 | 西安电子科技大学 | Multi-type terminal access and switching authentication method, system, equipment and application |
CN112332900B (en) * | 2020-09-27 | 2023-03-10 | 贵州航天计量测试技术研究所 | Low-orbit satellite communication network rapid switching authentication method |
CN112332900A (en) * | 2020-09-27 | 2021-02-05 | 贵州航天计量测试技术研究所 | Low-earth-orbit satellite communication network rapid switching authentication method |
CN112615721A (en) * | 2020-12-18 | 2021-04-06 | 江苏省未来网络创新研究院 | Access authentication and authority management control flow method of spatial information network based on block chain |
CN112564775A (en) * | 2020-12-18 | 2021-03-26 | 江苏省未来网络创新研究院 | Spatial information network access control system and authentication method based on block chain |
CN112867004A (en) * | 2020-12-31 | 2021-05-28 | 北京芯安微电子技术有限公司 | Remote configuration system and user data replacement method |
CN112867004B (en) * | 2020-12-31 | 2022-10-14 | 北京芯安微电子技术有限公司 | Remote configuration system and user data replacement method |
CN113068187A (en) * | 2021-02-20 | 2021-07-02 | 西安电子科技大学 | Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application |
CN113068187B (en) * | 2021-02-20 | 2022-03-11 | 西安电子科技大学 | Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application |
CN112953726A (en) * | 2021-03-01 | 2021-06-11 | 西安电子科技大学 | Method, system and application for fusing dual-layer satellite network satellite-ground and inter-satellite networking authentication |
CN112953726B (en) * | 2021-03-01 | 2022-09-06 | 西安电子科技大学 | Satellite-ground and inter-satellite networking authentication method, system and application for fusing double-layer satellite network |
CN113079016A (en) * | 2021-03-23 | 2021-07-06 | 中国人民解放军国防科技大学 | Identity-based authentication method facing space-based network |
CN113660026A (en) * | 2021-07-26 | 2021-11-16 | 长光卫星技术有限公司 | Satellite security management method based on multi-user autonomous access control |
CN114339735A (en) * | 2021-12-10 | 2022-04-12 | 重庆邮电大学 | NTRU-based (network to equipment) heaven and earth integrated network anonymous access authentication method |
CN114339735B (en) * | 2021-12-10 | 2023-09-08 | 重庆邮电大学 | Method for authenticating anonymous access of world integrated network based on NTRU |
CN114363034A (en) * | 2021-12-29 | 2022-04-15 | 上海众源网络有限公司 | Verification code generation and verification method and device, electronic equipment and storage medium |
CN114363034B (en) * | 2021-12-29 | 2024-02-02 | 上海众源网络有限公司 | Verification code generation and verification method and device, electronic equipment and storage medium |
CN114051241B (en) * | 2022-01-13 | 2022-05-03 | 中移(上海)信息通信科技有限公司 | Communication processing method and device |
CN114051241A (en) * | 2022-01-13 | 2022-02-15 | 中移(上海)信息通信科技有限公司 | Communication processing method and device |
WO2023134281A1 (en) * | 2022-01-13 | 2023-07-20 | 中移(上海)信息通信科技有限公司 | Communication processing method and apparatus, terminal, storage medium, and computer program product |
CN114172669A (en) * | 2022-02-15 | 2022-03-11 | 之江实验室 | Two-stage security access authentication method fusing space-time characteristics in satellite-ground communication |
WO2023077706A1 (en) * | 2022-02-15 | 2023-05-11 | 之江实验室 | Spatial-temporal characteristic fused dual-stage secure access authentication method in satellite-ground communication |
CN114172669B (en) * | 2022-02-15 | 2022-05-03 | 之江实验室 | Two-stage security access authentication method fusing space-time characteristics in satellite-ground communication |
CN114584975A (en) * | 2022-02-23 | 2022-06-03 | 重庆邮电大学 | Anti-quantum satellite network access authentication method based on SDN |
CN114584975B (en) * | 2022-02-23 | 2023-09-15 | 重庆邮电大学 | SDN-based anti-quantum satellite network access authentication method |
CN114827998A (en) * | 2022-03-17 | 2022-07-29 | 北京航天科工世纪卫星科技有限公司 | Satellite terminal network access authentication device based on encryption chip |
CN114827998B (en) * | 2022-03-17 | 2023-11-17 | 北京航天科工世纪卫星科技有限公司 | Satellite terminal network access authentication device based on encryption chip |
CN115022879B (en) * | 2022-05-11 | 2023-11-21 | 西安电子科技大学 | Enhanced Beidou user terminal access authentication method and system based on position key |
CN115022879A (en) * | 2022-05-11 | 2022-09-06 | 西安电子科技大学 | Enhanced Beidou user terminal access authentication method and system based on position key |
CN116938321A (en) * | 2023-09-14 | 2023-10-24 | 成都本原星通科技有限公司 | Satellite communication method based on anti-quantum access authentication of position key low orbit satellite |
CN116938321B (en) * | 2023-09-14 | 2023-11-24 | 成都本原星通科技有限公司 | Satellite communication method based on anti-quantum access authentication of position key low orbit satellite |
CN117376917A (en) * | 2023-12-05 | 2024-01-09 | 成都本原星通科技有限公司 | Satellite communication method for satellite terminal authentication based on lattice proxy signcryption algorithm |
CN117376917B (en) * | 2023-12-05 | 2024-03-26 | 成都本原星通科技有限公司 | Satellite communication method for satellite terminal authentication based on lattice proxy signcryption algorithm |
Also Published As
Publication number | Publication date |
---|---|
CN110971415B (en) | 2022-05-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110971415B (en) | Space-ground integrated space information network anonymous access authentication method and system | |
CN111314056B (en) | Heaven and earth integrated network anonymous access authentication method based on identity encryption system | |
He et al. | A strong user authentication scheme with smart cards for wireless communications | |
KR101490214B1 (en) | Systems and methods for encoding exchanges with a set of shared ephemeral key data | |
CN106788989B (en) | Method and equipment for establishing secure encrypted channel | |
CN112332900B (en) | Low-orbit satellite communication network rapid switching authentication method | |
KR101982237B1 (en) | Method and system for data sharing using attribute-based encryption in cloud computing | |
CN101116284A (en) | Clone resistant mutual authentication in a radio communication network | |
US20200195446A1 (en) | System and method for ensuring forward & backward secrecy using physically unclonable functions | |
CN112351037B (en) | Information processing method and device for secure communication | |
CN110881177A (en) | Anti-quantum computing distributed Internet of vehicles method and system based on identity secret sharing | |
CN108353279A (en) | A kind of authentication method and Verification System | |
CN105491076A (en) | Heterogeneous network end-to-end authentication secret key exchange method based on space-sky information network | |
He et al. | An accountable, privacy-preserving, and efficient authentication framework for wireless access networks | |
Noh et al. | Secure authentication and four-way handshake scheme for protected individual communication in public wi-fi networks | |
CN116056080A (en) | Satellite switching authentication method for low-orbit satellite network | |
Alzahrani et al. | A Resource‐Friendly Authentication Protocol for UAV‐Based Massive Crowd Management Systems | |
Indushree et al. | Mobile-Chain: Secure blockchain based decentralized authentication system for global roaming in mobility networks | |
CN114760046A (en) | Identity authentication method and device | |
CN110417722B (en) | Business data communication method, communication equipment and storage medium | |
CN111245611A (en) | Anti-quantum computing identity authentication method and system based on secret sharing and wearable equipment | |
CN111836260A (en) | Authentication information processing method, terminal and network equipment | |
US11570008B2 (en) | Pseudonym credential configuration method and apparatus | |
CN111404667B (en) | Key generation method, terminal equipment and network equipment | |
CN114760043A (en) | Identity authentication method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |