CN110971415A - Space-ground integrated space information network anonymous access authentication method and system - Google Patents

Space-ground integrated space information network anonymous access authentication method and system Download PDF

Info

Publication number
CN110971415A
CN110971415A CN201911283127.8A CN201911283127A CN110971415A CN 110971415 A CN110971415 A CN 110971415A CN 201911283127 A CN201911283127 A CN 201911283127A CN 110971415 A CN110971415 A CN 110971415A
Authority
CN
China
Prior art keywords
message
key
satellite
access authentication
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911283127.8A
Other languages
Chinese (zh)
Other versions
CN110971415B (en
Inventor
徐川
刘子琦
赵国锋
孙南彬
韩珍珍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University of Post and Telecommunications
Original Assignee
Chongqing University of Post and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University of Post and Telecommunications filed Critical Chongqing University of Post and Telecommunications
Priority to CN201911283127.8A priority Critical patent/CN110971415B/en
Publication of CN110971415A publication Critical patent/CN110971415A/en
Application granted granted Critical
Publication of CN110971415B publication Critical patent/CN110971415B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0847Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a space-ground integrated space information network anonymous access authentication method and a system, wherein terminal equipment and a satellite register with a ground management center respectively, the terminal equipment sends a first access authentication request to the satellite, the satellite forwards the access authentication request and an identity authentication message of the terminal equipment, the ground management center replies a first response of the first access authentication of the satellite, the terminal equipment receives and verifies a second response of the first access authentication sent by the satellite, the first access authentication process is completed, the terminal equipment sends a second access authentication request to the satellite, receives the second access authentication response of the satellite, and the second access authentication process is completed.

Description

Space-ground integrated space information network anonymous access authentication method and system
Technical Field
The invention relates to the field of information network security, in particular to a space-ground integrated space information network anonymous access authentication method.
Background
With the rapid development of space-ground integrated spatial information network technology. Meanwhile, with the continuous enhancement of the requirements of national security, aerospace, disaster early warning and the like and the continuous development of various strategic information tasks in different dimensions such as land, sea, air, sky and the like, the original mutually independent networks are enabled to share information as required, cross-region and cross-airspace communication and the cooperative work of each node of the network are realized, so that the spatial information network is further developed, the access authentication is used as a first defense line of network security protection, the access authentication can be used for identity identification among each node in the network per se, and malicious and illegal terminal equipment is prevented from occupying network resources, so that the security access authentication scheme is very important for the space-ground integrated spatial information network.
Due to the characteristics of limited resources, large time delay, dynamic change of network topology, high exposure and vulnerability of a channel and more types of access terminal equipment in the space-ground integrated spatial information network, the terminal with different security level requirements faces the problem of frequent access authentication when accessing the satellite. However, the traditional space-ground integrated space information network anonymous access authentication method is based on a public key cryptosystem, has high calculation overhead and high key updating overhead, can only realize one-way authentication of a satellite on terminal equipment, cannot prevent replay attack, and cannot select a proper access authentication mode for the terminal equipment with different security requirements. Therefore, it becomes more difficult to provide services for the terminal device in the space-ground integrated spatial information network with limited resources, and the service experience of the terminal device is greatly influenced.
Therefore, the invention provides a space-ground integrated space information network anonymous access authentication method and system, which can reduce the number of access authentication interaction, reduce the access authentication delay and the calculation overhead and ensure the security of the access authentication process of the terminal equipment.
Disclosure of Invention
The invention aims to solve the problems in the prior art and provides a method and a system for anonymous access authentication of a space-ground integrated space information network, which can reduce the interaction times of access authentication, reduce the access authentication delay and the calculation overhead and ensure the security of the access authentication process of terminal equipment.
According to one aspect of the invention, a method for anonymous access authentication of a space-ground integrated space information network is provided, and the method comprises the following steps:
step 1, the terminal equipment and the satellite respectively send information carrying inherent identity to a ground management center for registration, and the ground management center sends information containing real identity ID of the terminal equipment to the terminal equipmentuA registration response of the first secret key K and the first random number r, and the ground management center sends a registration response containing the true identity ID of the satellite equipment to the satellitesA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
step 2, the terminal equipment sends a first access authentication request message to the satellite, wherein the first access authentication request message comprises: a third random number calculated using an exclusive-or operation and a hash function
Figure BDA0002317301940000021
Terminal equipment pseudo identity obtained by utilizing third random number H to calculate
Figure BDA0002317301940000022
First message authentication code MACu=h(IDu||Ru| T) and a fourth random number
Figure BDA0002317301940000023
Wherein R isuA fifth random number generated when the terminal transmits the authentication request, T being a first time stamp,
Figure BDA0002317301940000024
the operation symbol represents exclusive-or operation, | the operation symbol represents splicing operation, and the h () function is a hash function;
step 3, the satellite receives the first access authentication request message, judges whether the current terminal equipment is accessed for the first time through a legal access user verification table maintained on the satellite, and forwards the access authentication of the terminal equipment if the current terminal equipment is accessed for the first timeThe identity authentication method comprises the following steps of sending an identity authentication message of a satellite and a certificate request message to a ground management center, wherein the identity authentication message of the satellite comprises: the satellite calculates a sixth random number by using an exclusive-or operation and a hash function
Figure BDA0002317301940000031
Figure BDA0002317301940000032
Satellite pseudo-identity calculated by using sixth random number H
Figure BDA0002317301940000033
Second message authentication code MACs=h(IDs||Rs| T') and a seventh random number
Figure BDA0002317301940000034
Where T' is a second time stamp, RsAn eighth random number generated when the identity authentication message is sent for the satellite;
step 4, the ground management center receives and verifies the first access authentication request message of the terminal equipment and the identity authentication message of the satellite, and if the authentication fails, the ground management center replies an authentication failure message; if the verification is successful, replying a first response message of the satellite first access authentication, wherein the first response message of the satellite first access authentication comprises: message S, negotiation key generation algorithm, ID of true identity of terminal equipment by using first session key sk negotiated between satellite and grounduA message obtained by encrypting with the first key K, a third message verification code MAC obtained by signing the message S by using the first message verification code key MAC _ key and a third timestamp TNCCInformation;
step 5, the satellite receives a first response message of the first access authentication, and a public key P of the ground management center is usedNCCIf the verification is successful, the verification message S calculates a first session key sk ═ h (h (K | | R' | | R) for key update according to a key generation algorithm negotiated with the ground management centers) K '), and a first message authentication code key MAC _ key ═ h (K ' | | | h (K | | R ' | | | R)s)||rs) Verifying the third messageCode MAC, and whether the timestamp information is in the allowed time range is judged, and the true identity ID of the successfully authenticated terminal equipment is obtaineduAnd a corresponding first key K, establishing a corresponding relation table, and calculating an element H of a second session key SK for generating data secure transmission between the satellite and the terminalsat=h(K’||r’||r||Ts'), satellite message authentication code key MACSAT_key=h(IDu||K||ru) And an identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts') wherein T iss' is a fourth timestamp;
step 6, the satellite sends a first access authentication second response message to the terminal device, wherein the first access authentication second response message comprises: element H of second session key SK using first key KsatAnd a message obtained by encrypting a first identification message session _ id uniquely specifying the terminal device, using a satellite message authentication code key MACSATA signature message of the key to the second response message and a fourth timestamp Ts';
step 7, the terminal equipment receives and verifies the first access authentication second response message, and calculates the satellite message verification code key MACSAT_key=h(IDu||K||ru) Verifying the signature message, and if the verification is successful, decrypting by using the first secret key K of the signature message to obtain an element H of the second session secret key SKsatAnd a first identification message session _ id, storing the first identification message session _ id, and calculating a second session key SK ═ h (h (K '| | r' | r) | | K) and a terminal message authentication code key MACUS_key=h(IDu||Hsat) Completing the first access authentication process of the terminal equipment;
step 8, when the terminal device needs to perform access authentication again, calculating a second message verification code key MAC _ key ═ h (K | | | ID)u||Ru'), sending a re-access authentication request message to the satellite, the re-access authentication request message comprising: first identification information session _ ID stored in the process of first access authentication, and real identity ID of terminal equipment by using first secret key KuA second session key SK and a second message authentication codeMessage encrypted by Key MAC _ Key, ninth random number Ru' and fifth time stamp Tu', using a second message verification code key MAC _ key to sign the message of the re-access authentication request message;
step 9, the satellite receives and verifies the re-access authentication request message, if the verification is successful, negotiates with the terminal device for a third session key SK 'and a third message verification code key MAC _ key', calculates a second identification message session _ id, deletes the session key information stored before, and replies a re-access authentication response message to the terminal device, wherein the re-access authentication response message includes: second identification message session _ id, signature message signed by using first key K of terminal, tenth random number Rs' and sixth time stamp Ts”;
And step 10, the terminal equipment receives the re-access authentication response message, calculates a third session key SK 'and a third message verification code key MAC _ key' for data security transmission, and completes the re-access authentication process.
According to another aspect of the present invention, a system for anonymous access authentication of a space-ground integrated spatial information network is provided, where the system includes at least 1 satellite, a plurality of terminal devices, and 1 trusted ground management center, and the system specifically includes:
a terminal device for:
sending information carrying inherent identity to a ground management center for registration, and receiving ID containing real identity of terminal equipment sent by the ground management centeruA registration response of the first key K and the first random number r;
sending a first access authentication request message to a satellite, wherein the first access authentication request message comprises: a third random number calculated using an exclusive-or operation and a hash function
Figure BDA0002317301940000051
Terminal pseudo identity calculated by using third random number H
Figure BDA0002317301940000052
First disappearInformation verification code MACu=h(IDu||Ru| T) and a fourth random number
Figure BDA0002317301940000053
Wherein R isuA fifth random number generated when the terminal transmits the authentication request, T being a first time stamp,
Figure BDA0002317301940000054
the operation symbol represents exclusive-or operation, | the operation symbol represents splicing operation, and the h () function is a hash function;
receiving and verifying a first access authentication second response message sent by a satellite, and calculating a satellite message verification code key MACSAT_key=h(IDu||K||ru) Verifying the signature message, and if the verification is successful, decrypting by using the first secret key K of the signature message to obtain an element H of the second session secret key SKsatAnd a first identification message session _ id, storing the first identification message session _ id, and calculating a second session key SK ═ h (h (K '| | r' | r) | | K) and a terminal message authentication code key MACUS_key=h(IDu||Hsat) Completing the first access authentication process of the terminal equipment;
when access authentication needs to be performed again, a second message verification code key MAC _ key h (K | | | ID) is calculatedu||Ru'), sending a re-access authentication request message to the satellite, the re-access authentication request message comprising: first identification information session _ ID stored in the process of first access authentication, and real identity ID of terminal equipment by using first secret key KuA message encrypted by the second session Key SK and the second message authentication code Key MAC _ Key, and a ninth random number Ru' and fifth time stamp Tu', using a second message verification code key MAC _ key to sign the message of the re-access authentication request message;
receiving a re-access authentication response message sent by the satellite, and calculating a third session key SK 'and a third message verification code key MAC _ key' for data security transmission to complete a re-access authentication process;
a satellite for:
sending information carrying inherent identity to a ground management center for registration, and receiving ID containing true identity of satellite equipment sent by the ground management centersA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
receiving a first access authentication request message sent by a terminal, judging whether the current terminal equipment is accessed for the first time through a legal access user verification table maintained on a satellite, if the current terminal equipment is accessed for the first time, forwarding the access authentication request message of the terminal equipment and an identity authentication message of the satellite to a ground management center, wherein the identity authentication message of the satellite comprises: the satellite calculates a sixth random number by using an exclusive-or operation and a hash function
Figure BDA0002317301940000061
Figure BDA0002317301940000062
Satellite pseudo-identity calculated by using sixth random number H
Figure BDA0002317301940000063
Second message authentication code MACs=h(IDs||Rs| T') and a seventh random number
Figure BDA0002317301940000064
Where T' is a second time stamp, RsAn eighth random number generated when the identity authentication message is sent for the satellite;
receiving first response message of first access authentication sent by ground control center, using public key P of ground management centerNCCIf the verification is successful, the verification message S calculates a first session key sk ═ h (h (K | | R' | | R) for key update according to a key generation algorithm negotiated with the ground management centers) K '), and a first message authentication code key MAC _ key ═ h (K ' | | | h (K | | R ' | | | R)s)||rs) Verifying the third message verification code MAC and judging whether the time stamp information is in the allowed time range,solving the true identity ID of the successfully authenticated terminal equipmentuAnd a corresponding first key K, establishing a corresponding relation table, and calculating an element H of a second session key SK for generating data secure transmission between the satellite and the terminalsat=h(K’||r’||r||Ts'), satellite message authentication code key MACSAT_key=h(IDu||K||ru) And a first identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts') wherein T iss' is a fourth timestamp;
sending a first access authentication second response message to the terminal equipment, wherein the first access authentication second response message comprises: element H of second session key SK using first key KsatAnd a message obtained by encrypting a first identification message session _ id uniquely specifying the terminal device, using a satellite message authentication code key MACSATA signature message of the key to the second response message and a fourth timestamp Ts';
receiving and verifying a re-access authentication request message sent by the terminal equipment, negotiating a third session key SK 'and a third message verification code key MAC _ key' with the terminal equipment if the verification is successful, calculating a second identification message session _ id, deleting the session key information stored before, and replying a re-access authentication response message of the terminal equipment, wherein the re-access authentication response message comprises: a second identification message session _ id, a signature message signed using a first key K of the terminal, a tenth random number Rs' and sixth time stamp Ts”;
A ground management center for:
receiving registration information which is respectively sent by terminal equipment and a satellite and carries inherent identity, and sending ID containing real identity of the terminal equipment to the terminal equipmentuA registration response containing the first secret key K and the first random number r sends a real identity ID containing the satellite equipment to the satellitesA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
receiving and verifying first access authentication request message of terminal equipment and identity authentication of satelliteThe authentication information, if the verification fails, the authentication failure information is replied; if the verification is successful, replying a first response message of the satellite first access authentication, wherein the first response message of the satellite first access authentication comprises: message S, negotiation key generation algorithm, ID of true identity of terminal equipment by using first session key sk negotiated between satellite and grounduA message encrypted by the key K, a third message verification code MAC obtained by signing the message S by using the first message verification code key MAC _ key and a third timestamp TNCCAnd (4) information.
The invention has the beneficial effects that the invention provides the space-ground integrated space information network anonymous access authentication method and system, which can effectively judge the legality of the terminal equipment and avoid the illegal access of illegal malicious users to network resources. When the terminal equipment sends an access authentication request to the satellite for the first time, the satellite forwards the authentication request and identity information carrying the satellite to a ground management center for verification, if the verification is successful, the ground management center sends an access authentication response message and the encrypted real identity information of the terminal equipment to the satellite, and meanwhile the satellite stores the real identity information of the terminal equipment passing the current authentication, so that the access authentication request of the terminal equipment can be directly verified when the terminal equipment is accessed to the authentication again, meanwhile, the anonymous authentication of the terminal equipment is realized by using the identity of the pseudo terminal equipment, the privacy of the terminal equipment is protected, and the real identity of a malicious user can be tracked through the pseudo identity and the responsibility can be traced to the malicious user. When the terminal equipment requests to access authentication again, the invention transfers the authentication function to the satellite, and authenticates the terminal equipment by using a symmetric encryption mode, thereby greatly reducing the complexity of access authentication, reducing the access authentication delay and the calculation cost, providing various access authentication security level options for users with different security requirements, and simultaneously effectively ensuring the security of the system.
Drawings
FIG. 1 is a flowchart of the overall operation of a space-ground integrated space information network anonymous access authentication method provided by the present invention;
FIG. 2 is a schematic flow chart of another method for authenticating space-ground integrated space information network anonymous access provided by the present invention;
fig. 3 is a flowchart of authentication for a terminal device to access a satellite for the first time according to the present invention;
fig. 4 is a flowchart of the authentication process for re-accessing the terminal device to the satellite according to the present invention;
fig. 5 is an overall architecture diagram of a space-ground integrated space information network anonymous access authentication system provided by the invention.
Detailed Description
The following description will be made for the purpose of further explaining the starting point and the corresponding technical solutions of the present invention.
Fig. 1 shows a flow chart of an anonymous access authentication method for a space-ground integrated space information network, which mainly includes the following three stages: system initialization phase, registration phase and authentication phase. These three phases are described in detail below.
Firstly, a system initialization stage: establishing system parameters, wherein the established system parameters mainly comprise: two prime numbers p and q, and an Euler formula phi (n) modular operation; public and private key pairs of the ground management center NCC; a public and private key pair of a satellite; a one-way hash function h.
II, a registration stage: the terminal device registers and registers with the ground management center to obtain the relevant terminal device information, and meanwhile, when the terminal device is completely registered, the satellite registers and registers with the ground management center to obtain the relevant satellite information and the public key information of the ground management center.
Thirdly, authentication stage: the terminal equipment generates authentication related parameter information by utilizing the terminal equipment information and sends the authentication related parameter information to an access satellite, the satellite firstly judges whether the terminal equipment is firstly accessed for authentication, if not, the terminal equipment access authentication request information and the identity authentication information of the satellite are forwarded to a ground management center for verification, meanwhile, the ground management center sends the real identity information of the terminal equipment passing the verification and the corresponding key information to the satellite, the satellite replies an authentication response message to the terminal equipment, and meanwhile, the two parties negotiate out a session key and a message verification code for later key updating, and the first access authentication is completed. If the terminal equipment initiates the authentication request again, the access satellite judges the authentication request message, if the authentication is passed, the session key of the terminal equipment which is accessed to the authentication negotiation for the first time is used for generating new session key information and a message authentication code, and the re-access authentication is completed.
Fig. 2 is a schematic flow chart of another method for anonymous access authentication of space-ground integrated spatial information network provided by the present invention, the method includes the following steps:
step 201, the terminal device carries inherent identity information to register with a ground management center, the satellite terminal carries satellite inherent device information to register with the ground management center, and the ground management center sends registration response to the terminal device and the satellite and stores the registration information of the terminal device and the satellite. Completing the registration of the terminal equipment and the satellite, specifically: the inherent identity information comprises 18-bit identity card numbers or equipment production numbers, if the inherent identity information is less than 18 bits, the information is filled by random numbers, and the ground management center calculates the real identity ID of the terminal equipment after acquiring the inherent identity information of the terminal equipmentuGenerating a secret key K corresponding to 256 bits in a symmetric encryption mode (SHA 1 (identity card number or equipment production number | | | 18-byte random number), simultaneously generating a random number r of the 256 bits and sending the random number r to a registered terminal equipment, and sending the ID to the terminal equipmentuK and r are stored; the function SHA1() is a hash function of the secure hash algorithm 1, SHA1 (random number of 18 bytes of identity card number or equipment production number) operation represents, and the identity card number or the equipment production number is spliced with the random number of 18 bytes and then one-way hash calculation is performed.
The inherent equipment information of the satellite comprises 18-bit satellite production numbers, if the number is less than 18, the number is filled with random numbers, and the ground management center calculates the true identity ID of the satellite after acquiring the inherent identity information of the satellite equipmentsGenerating a secret key K 'corresponding to 256 bits in a symmetric encryption mode, generating a random number r' of 256 bits at the same time, generating a public and private key pair by a ground management center in an asymmetric encryption algorithm mode, sending the public and private key pair to a registered satellite, and sending the ID to the registered satellite by the satellite, wherein the SHA1 (random number of 18 bytes in the satellite production number | |)sPublic keys P of K ', r' and NCCNCCStoring the data;
step 202, the terminal device sends an access authentication request message to the satellite, including a random number calculated using an exclusive-or operation and a hash function
Figure BDA0002317301940000111
Further calculating the pseudo-identity
Figure BDA0002317301940000112
H, message authentication code MACu=h(IDu||RuT) and random numbers
Figure BDA0002317301940000113
Where T is a time stamp, RuRandom numbers generated by the terminal when the terminal sends an authentication request are all used for ensuring the freshness of the message; r isuIs a random number R generated by the terminaluThe random number r is obtained by common calculation with the random number r obtained by previous registration;
Figure BDA0002317301940000114
the operation sign represents an exclusive or operation,
Figure BDA0002317301940000115
represents K and RuAnd performing Hash calculation after splicing, and then performing XOR operation with r to obtain H.
Preferably, the terminal device sends the access authentication request message to the satellite, and the access authentication method of the security level selected by the terminal device is also included, the access authentication method of the security level is forwarded to the ground management center through the satellite, and the ground management center selects the corresponding calculation method for authentication. The terminal equipment can select access authentication modes with different security levels to comprise a hash Algorithm option, a random number length option and a symmetric Encryption Algorithm option, wherein the hash Algorithm option comprises a secure hash Algorithm SHA1, a secure hash Algorithm SHA128 and a secure hash Algorithm SHA256, the random number length option comprises 32bit, 64bit and 128bit, and the symmetric Encryption Algorithm option comprises AES (advanced Encryption Standard), DES (Data Encryption Standard) and 3DES (Triple Data Encryption Standard).
Step 203, the satellite receives the access authentication request message of the terminal device, and judges whether the current terminal device is accessed for the first time through a legal access user verification table maintained on the satellite, for example, whether the terminal device carries session _ id information or whether the carried session _ id information is in the legal access user verification table to judge whether the terminal device is accessed for the first time. If the terminal equipment is the first access authentication, the access authentication request message of the terminal equipment and the identity authentication message of the satellite are forwarded to the ground management center, so that the legality of the terminal equipment is inquired from the ground.
The identity authentication message of the satellite specifically includes: satellite obtains random number by using XOR operation and Hash function calculation
Figure BDA0002317301940000121
Further calculating to obtain a pseudo identity
Figure BDA0002317301940000122
Message authentication code MACs=h(IDs||Rs| T') and random numbers
Figure BDA0002317301940000123
Where T' is a time stamp, RsA random number generated by the satellite itself when sending the authentication request.
204, the ground management center receives and verifies the access authentication request message of the terminal equipment and the identity authentication message of the satellite, and solves the true identity IDs of the terminal equipment and the satellite by using the XOR operationuAnd IDsThe ground management center finds out the secret keys K and K ' of the terminal equipment and the satellite by looking up the registry, further calculates random numbers R and R ' by using inverse exclusive-or operation, calculates h (K ' | R ') by using the random numbers R and R ' through a hash function, and further calculates the random number R for generating the message authentication code MAC by using the inverse exclusive-or operationuAnd RsCalculate MACuAnd MACsMAC transmitted with terminal equipment and satelliteuAnd MACsComparing, judging whether the time stamp is in the allowed time range, if the verification fails, replying an authentication failure message, and if the verification succeeds, calculating a master key h (K | | R' | R) for updating the keys) Signing the message S by using a private key of the NCC, simultaneously replying a satellite access authentication response message, wherein the message S comprises a negotiation key generation algorithm and an ID pair by using a session key skuK, signing the message S by using the message verification code key MAC _ key to obtain the message verification code MAC and the time stamp TNCCInformation;
step 205, the satellite receives the access authentication response message, verifies the message S using the public key of the NCC, and if the verification is successful, calculates a session key sk ═ h (h (K | | R' | R |) for key update according to a key generation algorithm negotiated with the ground management centers) K '), sk is a session key negotiated between the satellite and the ground, and MAC _ key ═ h (K ' | | h (K | | | R ' | | | R)s)||rs) Verifying the message verification code MAC, judging whether the timestamp information is in the allowed time range, and resolving the true identity ID of the successfully authenticated terminal equipmentuAnd a corresponding secret key K, establishing a corresponding relation table, storing the corresponding relation table on the satellite, and calculating an element H of the secret key SK for generating data secure transmissionsat=h(K’||r’||r||Ts'), message authentication code MACSAT_key=h(IDu||K||ru) And an identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts') wherein T iss' is a time stamp.
In step 206, the satellite sends an access authentication response message to the terminal device, including using the terminal device registration key K to HsatAnd session _ id encrypted messages, using MACSATSigning the message by the key to obtain a message verification code and a time stamp Ts’;
Step 207, after receiving the access authentication response message, the terminal device verifies the message, specifically: terminal device computing MACSAT_key=h(IDu||K||ru) Verifying the signature if the verification is successfulDecrypting with its own key K to obtain HsatAnd a session _ id, storing the session _ id, and further calculating a key SK h (h (K' | r) | K) for data secure transmission, wherein the SK is a session key generated by negotiation between the terminal and the satellite, and a message authentication code MACUS_key=h(IDu||Hsat) And finishing the first access authentication process of the terminal equipment.
Step 208, when the terminal device needs to perform access authentication again (for example, when the terminal device needs to re-access the network after being disconnected), the message authentication code key MAC _ key is calculated as h (K | | ID)u||Ru') sending a re-access authentication request message including session _ ID of first access authentication and real identity ID of terminal equipment using secret key KuMessage encrypted by session Key SK and message authentication code Key MAC _ Key, and random number Ru' sum time stamp Tu', and sign the message using the MAC _ key;
step 209, the satellite receives the re-access authentication request message, and verifies the access authentication request message, specifically: finding out the key K of the terminal equipment uniquely appointed by the user according to the received session _ ID, and further decrypting the key K to obtain the IDu', SK and MACUSA key, and simultaneously searching the real identity ID of the terminal equipment corresponding to the key K through the corresponding relation tableuComparison of IDuAnd IDuIf the signature message is consistent with the signature message, the signature message is verified, and the verification is successful, otherwise, an authentication failure message is replied. After the verification is successful, negotiating a new session key SK 'and a message verification code MAC _ key' with the terminal equipment, calculating a new session _ id, deleting the previously stored session key information, and replying a re-access authentication response message;
step 210, the terminal device receives the re-access authentication response message, including the new session _ id, signature using the terminal key K, and the random number Rs' sum time stamp TsCalculating a new session key SK and a message verification code MAC _ key for data secure transmission, and completing the re-access authentication process.
To explain the present invention in detail, the process of the terminal device performing access authentication for the first time is shown in fig. 3, and the specific steps are as follows:
step 301: terminal equipment generates random number RuAnd a time stamp T, the terminal equipment sends an access authentication request message to the satellite, wherein the access authentication request message comprises a random number obtained by using exclusive-or operation and hash function calculation
Figure BDA0002317301940000141
Further calculating the pseudo-identity
Figure BDA0002317301940000142
Message authentication code MACu=h(IDu||RuT) and random numbers
Figure BDA0002317301940000143
Step 302: the method comprises the following steps that a satellite receives an access authentication request message of terminal equipment, whether the current terminal equipment is accessed for the first time or not is judged through a legal access user verification table maintained on the satellite, if the current terminal equipment is accessed for the first time, the satellite forwards the access authentication request message of the terminal equipment and an identity authentication message of the satellite to a ground management center, and the method specifically comprises the following steps: satellite generated random number RsAnd a timestamp T', the satellite calculates a random number by using an exclusive OR operation and a Hash function
Figure BDA0002317301940000144
Further calculating to obtain a pseudo identity
Figure BDA0002317301940000145
Message authentication code MACs=h(IDs||Rs| T') and random numbers
Figure BDA0002317301940000146
Step 303: the ground management center receives and verifies the access authentication request message of the terminal equipment and the identity authentication message of the satellite, and solves the real identity IDs of the terminal equipment and the satellite by using the XOR operationuAnd IDsGround managementThe center finds out the secret keys K and K ' of the terminal equipment and the satellite by looking up the registry, further calculates random numbers R and R ' by using an exclusive-or operation, calculates h (K ' | R ') by using the random numbers R and R ' through a hash function, and further calculates the random number R for generating the message authentication code MAC by using the exclusive-or operationuAnd RsCalculate MACuAnd MACsMAC transmitted with terminal equipment and satelliteuAnd MACsComparing and judging whether the time stamp is in the allowed time range, if the verification fails, disconnecting the connection, and if the verification succeeds, generating the time stamp TNCCAnd calculates the master key h (K | | R' | | R) for updating the keys) Signing the message S by using a private key of the NCC, simultaneously replying a satellite access authentication response message, wherein the message S comprises a negotiation key generation algorithm and an ID pair by using a session key skuAnd K encrypted message Esk{IDuK, signature MAC of message using MAC _ key, and timestamp TNCCAnd (4) information.
Step 304: the satellite receives the access authentication response message, verifies the message S by using the public key of the NCC, and if the verification is successful, calculates a session key sk (h (K | | R' | R |) for updating the key according to a key generation algorithm negotiated with the ground management centers) K ') and MAC _ key ═ h (K ' | | h (K | | | R ' | | R)s)||rs) Verifying the signature MAC, judging whether the timestamp information is in the allowed time range, and solving the true identity ID of the successfully authenticated terminal equipmentuAnd a corresponding secret key K, establishing a corresponding relation table, storing the corresponding relation table on the satellite, and calculating an element H of the secret key SK for generating data secure transmissionsat=h(K’||r’||r||Ts'), message authentication code MACSAT_key=h(IDu||K||ru) And an identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts’)。
Step 305: after receiving the access authentication response message, the terminal device verifies the message, specifically: terminal device computing MACSAT_key=h(IDu||K||ru) Verifying the signature, and if the verification is successful, decrypting by using the own secret key KTo HsatAnd a session _ id, storing the session _ id, and further calculating a key SK h (h (K' | r) | K) for data security transmission and a message authentication code MACUS_key=h(IDu||Hsat) And finishing the first access authentication process of the terminal equipment.
When the terminal device is disconnected, the access authentication needs to be performed again, and the access authentication again is as shown in fig. 4, and the specific steps are as follows:
step 401: generating a random number Ru' sum time stamp Tu', calculate MAC _ key ═ h (K | | | ID)u||Ru') sends a re-access authentication request message including a session _ ID for first access authentication, a pair of IDs using a secret key KusessionKey (i.e., SK) and MAC _ Key encrypted message EK{ IDu, sessionKey, MAC _ Key }, random number Ru' sum time stamp Tu', and signs the message using the MAC _ key.
Step 402: the satellite receives the re-access authentication request message, and verifies the access authentication request message, specifically: finding out the key K of the terminal equipment uniquely appointed by the user according to the received session _ ID, and further decrypting the key K to obtain the IDu', SK and MACUSA key, and simultaneously searching the real identity ID of the terminal equipment corresponding to the key K through the corresponding relation tableuComparison of IDuAnd IDuIf yes, the signature message is verified, and the verification is successful, otherwise, the connection is disconnected. After the verification is successful, a random number R is generateds' sum time stamp Ts' negotiate a new session key SK ' and a message verification code MAC _ key ' with the terminal device, calculate a new session _ id, delete the previously saved session key information, and reply with a re-access authentication response message.
Step 403: the terminal equipment receives the re-access authentication response message which comprises a new session _ id, a signature by using a terminal key K and a random number Rs' sum time stamp TsCalculating a new session key SK and a message verification code MAC _ key for data secure transmission, and completing the re-access authentication process.
Fig. 5 is an overall architecture diagram of an anonymous access authentication system for a space-ground integrated space information network provided by the present invention, where the system includes a plurality of terminal devices 501, at least 1 satellite 502, and 1 trusted ground management center 503, and the system specifically includes:
a terminal device 501, configured to:
sending information carrying inherent identity to the ground management center 503 for registration, and receiving the information containing the real identity ID of the terminal device sent by the ground management center 503uA registration response of the key K and the random number r;
sending a first access authentication request message to the satellite 502, the first access authentication request message comprising: random number computed using an exclusive-or operation and a hash function
Figure BDA0002317301940000161
Pseudo-identity calculated using a random number H
Figure BDA0002317301940000162
Message authentication code MACu=h(IDu||RuT) and random numbers
Figure BDA0002317301940000163
Figure BDA0002317301940000164
Wherein R isuA random number generated when the terminal transmits an authentication request, T is a time stamp,
Figure BDA0002317301940000165
the operation symbol represents exclusive-or operation, | the operation symbol represents splicing operation, and the h () function is a hash function;
receiving and verifying the first access authentication second response message sent by the satellite 502, and calculating a satellite message verification code key MACSAT_key=h(IDu||K||ru) Verifying the signature message, and if the verification is successful, decrypting by using the own secret key K to obtain an element H of a second session secret key SKsatAnd a first identification message session _ id for identifying the first labelThe session id is stored and calculated for the second session key SK ═ h (h (K' | r) | K), and the terminal message authentication code key MACUS_key=h(IDu||Hsat) The first access authentication process of the terminal device 501 is completed;
when access authentication needs to be performed again, a second message verification code key MAC _ key h (K | | | ID) is calculatedu||Ru'), transmit a re-access authentication request message to the satellite 502, the re-access authentication request message comprising: first identification information session _ ID stored in the process of first access authentication and real identity ID of terminal equipment by using secret key KuA message encrypted by the second session Key SK and the second message authentication code Key MAC _ Key, and a random number Ru' sum time stamp Tu', using a second message verification code key MAC _ key to sign the message of the re-access authentication request message;
receiving a re-access authentication response message sent by the satellite 502, and calculating a third session key SK 'and a third message verification code key MAC _ key' for data security transmission to complete a re-access authentication process;
a satellite 502 for:
sending information carrying inherent identity to the ground management center 503 for registration, and receiving the information containing the satellite equipment true identity ID sent by the ground management center 503sSecret key K', random number r and public key P of ground management centerNCCThe registration response of (1);
receiving a first access authentication request message sent by the terminal device 501, determining whether the current terminal device 501 is first accessed for authentication through a legal access user verification table maintained on the satellite 502, and if the current terminal device 501 is first accessed for authentication, forwarding the access authentication request message of the terminal device 501 and an identity authentication message of the satellite 502 to the ground management center 503, wherein the identity authentication message of the satellite 502 includes: satellite 502 computes a random number using an XOR operation and a hash function
Figure BDA0002317301940000171
Calculated pseudo-random number HIdentity
Figure BDA0002317301940000181
Message authentication code MACs=h(IDs||Rs| T') and random numbers
Figure BDA0002317301940000182
Figure BDA0002317301940000183
Where T' is a time stamp, RsA random number generated when the satellite 502 sends the identity authentication message;
receiving a first response message of first access authentication sent by the ground control center 503, using the public key P of the ground management center 503NCCIf the verification is successful, the verification message S calculates a first session key sk-h (h (K | | R' | R) for key update according to a key generation algorithm negotiated with the ground management center 503s) K '), and a first message authentication code key MAC _ key ═ h (K ' | | | h (K | | R ' | | | R)s)||rs) Verifying the message verification code MAC, judging whether the timestamp information is in the allowed time range, and resolving the true identity ID of the successfully authenticated terminal equipmentuAnd the corresponding key K, establishing a corresponding relation table, and calculating an element H of a second session key SK for generating data secure transmission between the satellite 502 and the terminal 501sat=h(K’||r’||r||Ts'), satellite message authentication code key MACSAT_key=h(IDu||K||ru) And an identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts') wherein T iss' is a timestamp;
sending a first access authentication second response message to the terminal device 501, where the first access authentication second response message includes: element H of the registration key K for the second session key SK using the terminal device 501satAnd a message obtained by encrypting a first identification message session _ id uniquely specifying the terminal device, using a satellite message authentication code key MACSATA signature message of the key to the second response message and a timestamp Ts';
receiving and verifying the re-access authentication request message sent by the terminal device 501, if the verification is successful, negotiating a third session key SK 'and a third message verification code key MAC _ key' with the terminal device, calculating a second identification message session _ id, deleting the session key information stored before, and replying a re-access authentication response message for the terminal device, where the re-access authentication response message includes: second identification message session _ id, signed message signed by using terminal key K, and random number Rs' sum time stamp Ts”;
A ground management center 503 for:
receiving registration information with inherent identity respectively sent by a terminal device 501 and a satellite 502, and sending a registration message containing a terminal device real identity ID to the terminal device 501uThe registration response, key K and random number r, sends a registration response containing the satellite device true identity ID to the satellite 502sSecret key K ', random number r' and public key P of ground management centerNCCThe registration response of (1);
receiving and verifying a first access authentication request message of the terminal device 501 and an identity authentication message of the satellite 502, and if the authentication fails, replying an authentication failure message; if the verification is successful, replying to the satellite 502 to access the first authentication response message for the first time, wherein the first authentication response message for the first time comprises: message S, negotiated key generation algorithm, true ID of terminal device using first session key sk negotiated by satellite 502 and ground management center 503uA message encrypted with the key K, a message authentication code MAC obtained by signing the message S with the first message authentication code key MAC _ key, and a third timestamp TNCCAnd (4) information.
Preferably, the first access authentication request message sent by the terminal device 501 to the satellite 502 further includes: the access authentication mode of the security level selected by the terminal device 501;
the access authentication mode of the security level is forwarded to a ground management center 503 through a satellite 502, and the ground management center 503 selects a corresponding authentication mode for authentication according to the access authentication mode of the security level;
the access authentication mode of the security level comprises a Hash algorithm option, a random number length option and a symmetric encryption algorithm option, wherein the Hash algorithm option at least comprises a secure Hash algorithm SHA1, a secure Hash algorithm SHA128 and a secure Hash algorithm SHA256, the random number length option at least comprises 32 bits, 64 bits and 128 bits, and the symmetric encryption algorithm option at least comprises an Advanced Encryption Standard (AES), a Data Encryption Standard (DES) and a triple data encryption standard (3 DES).
Preferably, the verifying, by the ground management center 503, the access authentication request message of the terminal device 501 and the identity authentication message of the satellite 502 includes:
the ground management center 503 uses the xor operation to solve the true identity IDs of the terminal device 501 and the satellite 502uAnd IDsKeys K and K' of the terminal device 501 and the satellite 502 are found by looking up the registry; further calculating random numbers r and r 'by using an inverse exclusive-or operation, and calculating h (K' | | r ') by using the random numbers r and r' through a hash function; further using an exclusive-OR operation to calculate a random number R for generating a message authentication code MACuAnd RsCalculating message authentication code MACuAnd MACsMessage authentication code MAC transmitted with terminal device 501 and satellite 502uAnd MACsComparing; if the time stamps are consistent and the time stamps are within the allowed time range, the verification is successful, and a master key h (K | | R' | | R) for updating the key is calculateds) Signing the message by using a private key of a ground management 503 center to obtain a message S; otherwise, the verification fails, and an authentication failure message is replied.
Preferably, the satellite 502 receives and verifies the re-access authentication request message, including:
the satellite 502 finds the key K of the uniquely specified terminal device 501 according to the received first identification message session _ id; further using the secret key K for decryption to obtain the true identity ID of the terminal equipment for verificationu', second session key SK and terminal message authentication code key MACUSA key, and simultaneously searching the real identity ID of the terminal equipment corresponding to the key K through the corresponding relation tableuComparison of IDuAnd IDu'; if the signature message is consistent with the signature message, the signature message is verified successfully; otherwise, the verification fails, and an authentication failure message is replied.
The above examples are to be construed as merely illustrative and not limitative of the remainder of the disclosure. After reading the description of the invention, the skilled person can make various changes or modifications to the invention, and these equivalent changes and modifications also fall into the scope of the invention defined by the claims.

Claims (8)

1. A method for anonymous access authentication of a space-ground integrated space information network is characterized by comprising the following steps:
step 1, the terminal equipment and the satellite respectively send information carrying inherent identity to a ground management center for registration, and the ground management center sends information containing real identity ID of the terminal equipment to the terminal equipmentuA registration response of the first secret key K and the first random number r, and the ground management center sends a registration response containing the true identity ID of the satellite equipment to the satellitesA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
step 2, the terminal equipment sends a first access authentication request message to the satellite, wherein the first access authentication request message comprises a third random number H-R ⊕ H (K-R) calculated by using exclusive-or operation and a hash functionu) And the terminal equipment pseudo-identity PID obtained by utilizing the third random number H for calculationu=IDu⊕ H, first message authentication code MACu=h(IDu||Ru| T) and a fourth random number ru=Ru⊕ h (K | | R), wherein RuGenerating a fifth random number when the authentication request is sent to the terminal, wherein T is a first timestamp, ⊕ operation symbols represent exclusive-or operation, | | the operation symbols represent splicing operation, and h () function is a hash function;
step 3, the satellite receives the first access authentication request message, judges whether the current terminal equipment is accessed for the first time through a legal access user verification table maintained on the satellite, and forwards the access authentication request message of the terminal equipment if the current terminal equipment is accessed for the first timeAnd sending the satellite identity authentication message to a ground management center, wherein the satellite identity authentication message comprises a sixth random number H ' ═ R ' ⊕ H (K ' | | R) calculated by the satellite by using exclusive-or operation and a hash functions) Satellite pseudo-identity PID calculated by utilizing sixth random number HsIDs ⊕ H', second message authentication code MACs=h(IDs||Rs| T') and a seventh random number rs=Rs⊕ h (K ' | R '), where T ' is the second timestamp, RsAn eighth random number generated when the identity authentication message is sent for the satellite;
step 4, the ground management center receives and verifies the first access authentication request message of the terminal equipment and the identity authentication message of the satellite, and if the authentication fails, the ground management center replies an authentication failure message; if the verification is successful, replying a first response message of the satellite first access authentication, wherein the first response message of the satellite first access authentication comprises: message S, negotiation key generation algorithm, ID of true identity of terminal equipment by using first session key sk negotiated between satellite and grounduA message obtained by encrypting with the first key K, a third message verification code MAC obtained by signing the message S by using the first message verification code key MAC _ key and a third timestamp TNCCInformation;
step 5, the satellite receives a first response message of the first access authentication, and a public key P of the ground management center is usedNCCIf the verification is successful, the verification message S calculates a first session key sk ═ h (h (K | | R' | | R) for key update according to a key generation algorithm negotiated with the ground management centers) K '), and a first message authentication code key MAC _ key ═ h (K ' | | | h (K | | R ' | | | R)s)||rs) Verifying the third message verification code MAC, judging whether the timestamp information is in the allowed time range, and resolving the successful authentication terminal equipment real identity IDuAnd a corresponding first key K, establishing a corresponding relation table, and calculating an element H of a second session key SK for generating data secure transmission between the satellite and the terminalsat=h(K’||r’||r||Ts'), satellite message authentication code key MACSAT_key=h(IDu||K||ru) And a unique fingerIdentification message session _ ID ═ h (ID) for a given terminal deviceu||Ts') wherein T iss' is a fourth timestamp;
step 6, the satellite sends a first access authentication second response message to the terminal device, wherein the first access authentication second response message comprises: element H of second session key SK using first key KsatAnd a message obtained by encrypting a first identification message session _ id uniquely specifying the terminal device, using a satellite message authentication code key MACSATA signature message of the key to the second response message and a fourth timestamp Ts';
step 7, the terminal equipment receives and verifies the first access authentication second response message, and calculates the satellite message verification code key MACSAT_key=h(IDu||K||ru) Verifying the signature message, and if the verification is successful, decrypting by using the first secret key K of the signature message to obtain an element H of the second session secret key SKsatAnd a first identification message session _ id, storing the first identification message session _ id, and calculating a second session key SK ═ h (h (K '| | r' | r) | | K) and a terminal message authentication code key MACUS_key=h(IDu||Hsat) Completing the first access authentication process of the terminal equipment;
step 8, when the terminal device needs to perform access authentication again, calculating a second message verification code key MAC _ key ═ h (K | | | ID)u||Ru'), sending a re-access authentication request message to the satellite, the re-access authentication request message comprising: first identification information session _ ID stored in the process of first access authentication, and real identity ID of terminal equipment by using first secret key KuA message encrypted by the second session Key SK and the second message authentication code Key MAC _ Key, and a ninth random number Ru' and fifth time stamp Tu', using a second message verification code key MAC _ key to sign the message of the re-access authentication request message;
step 9, the satellite receives and verifies the re-access authentication request message, if the verification is successful, the satellite negotiates a third session key SK 'and a third message verification code key MAC _ key' with the terminal equipment, and calculates a second identification message sesAnd (2) deleting the session key information stored before, and replying a re-access authentication response message of the terminal equipment, wherein the re-access authentication response message comprises: second identification message session _ id, signature message signed by using first key K of terminal, tenth random number Rs' and sixth time stamp Ts”;
And step 10, the terminal equipment receives the re-access authentication response message, calculates a third session key SK 'and a third message verification code key MAC _ key' for data security transmission, and completes the re-access authentication process.
2. The method of claim 1, wherein the step 2 of the terminal device sending the first access authentication request message to the satellite further comprises: the access authentication mode of the security level selected by the terminal equipment;
the access authentication mode of the security level is forwarded by the satellite to reach a ground management center, and the ground management center selects a corresponding authentication mode for authentication according to the access authentication mode of the security level;
the access authentication mode of the security level comprises a Hash algorithm option, a random number length option and a symmetric encryption algorithm option, wherein the Hash algorithm option at least comprises a secure Hash algorithm SHA1, a secure Hash algorithm SHA128 and a secure Hash algorithm SHA256, the random number length option at least comprises 32 bits, 64 bits and 128 bits, and the symmetric encryption algorithm option at least comprises an Advanced Encryption Standard (AES), a Data Encryption Standard (DES) and a triple data encryption standard (3 DES).
3. The method according to claim 1, wherein the step 4 of verifying the access authentication request message of the terminal device and the identity authentication message of the satellite by the ground management center comprises:
the ground management center uses the inverse XOR operation to solve the real identity ID of the terminal equipmentuAnd true identity ID of the satellitesFinding a first key K and a second key K' of the terminal equipment and the satellite by looking up a registry; further calculated using an inverse exclusive OR operationA first random number r and a second random number r ', and calculating h (K' | | r ') by a hash function using the first random number r and the second random number r'; further using an inverse exclusive-or operation, a fifth random number R for generating a third message authentication code MAC is calculateduAnd an eighth random number RsCalculating a first message authentication code MACuAnd a second message authentication code MACsMAC, first message authentication code transmitted with terminal equipment and satelliteuAnd a second message authentication code MACsComparing; if the time stamps are consistent and the time stamps are within the allowed time range, the verification is successful, and a master key h (K | | R' | | R) for updating the key is calculateds) Signing the message by using a private key of a ground management center to obtain a message S; otherwise, the verification fails, and an authentication failure message is replied.
4. The method of claim 1, wherein the step 9 of the satellite receiving and verifying the re-access authentication request message comprises:
the satellite searches a first secret key K of the uniquely-assigned terminal equipment according to the received first identification message session _ id; further using the first secret key K to decrypt and obtain the true identity ID of the terminal equipment for verificationu', second session key SK and terminal message authentication code key MACUSLooking up the real identity ID of the terminal equipment corresponding to the first key K through the corresponding relation tableuComparison of IDuAnd IDu'; if the signature message is consistent with the signature message, the signature message is verified successfully; otherwise, the verification fails, and an authentication failure message is replied.
5. A space-ground integrated space information network anonymous access authentication system comprises at least 1 satellite, a plurality of terminal devices and 1 credible ground management center, and is characterized by specifically comprising:
a terminal device for:
sending information carrying inherent identity to a ground management center for registration, and receiving ID containing real identity of terminal equipment sent by the ground management centeruFirst key K and second keyA registration response of a random number r;
sending a first access authentication request message to the satellite, wherein the first access authentication request message comprises a third random number H-R ⊕ H (K | | | R) calculated by using exclusive-or operation and a hash functionu) And the terminal equipment pseudo-identity PID obtained by utilizing the third random number H for calculationu=IDu⊕ H, first message authentication code MACu=h(IDu||Ru| T) and a fourth random number ru=Ru⊕ h (K | | R), wherein RuGenerating a fifth random number when the authentication request is sent to the terminal, wherein T is a first timestamp, ⊕ operation symbols represent exclusive-or operation, | | the operation symbols represent splicing operation, and h () function is a hash function;
receiving and verifying a first access authentication second response message sent by a satellite, and calculating a satellite message verification code key MACSAT_key=h(IDu||K||ru) Verifying the signature message, and if the verification is successful, decrypting by using the first secret key K of the signature message to obtain an element H of the second session secret key SKsatAnd a first identification message session _ id, storing the first identification message session _ id, and calculating a second session key SK ═ h (h (K '| | r' | r) | | K) and a terminal message authentication code key MACUS_key=h(IDu||Hsat) Completing the first access authentication process of the terminal equipment;
when access authentication needs to be performed again, a second message verification code key MAC _ key h (K | | | ID) is calculatedu||Ru'), sending a re-access authentication request message to the satellite, the re-access authentication request message comprising: first identification information session _ ID stored in the process of first access authentication and real identity ID of terminal equipment by using secret key KuA message encrypted by the second session Key SK and the second message authentication code Key MAC _ Key, and a ninth random number Ru' and fifth time stamp Tu', using a second message verification code key MAC _ key to sign the message of the re-access authentication request message;
receiving a re-access authentication response message sent by the satellite, and calculating a third session key SK 'and a third message verification code key MAC _ key' for data security transmission to complete a re-access authentication process;
a satellite for:
sending information carrying inherent identity to a ground management center for registration, and receiving ID containing true identity of satellite equipment sent by the ground management centersA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
receiving a first access authentication request message sent by a terminal, judging whether the current terminal equipment is firstly accessed for authentication through a legal access user verification table maintained on a satellite, if so, forwarding the access authentication request message of the terminal equipment and an identity authentication message of the satellite to a ground management center, wherein the identity authentication message of the satellite comprises a sixth random number H ' ═ R ' ⊕ H (K ' | R) calculated by the satellite by using exclusive or operation and a hash functions) Satellite pseudo-identity PID calculated by utilizing sixth random number Hs=IDs⊕ H', second message authentication code MACs=h(IDs||Rs| T') and a seventh random number rs=Rs⊕ h (K ' | R '), where T ' is the second timestamp, RsAn eighth random number generated when the identity authentication message is sent for the satellite;
receiving first response message of first access authentication sent by ground control center, using public key P of ground management centerNCCIf the verification is successful, the verification message S calculates a first session key sk ═ h (h (K | | R' | | R) for key update according to a key generation algorithm negotiated with the ground management centers) K '), and a first message authentication code key MAC _ key ═ h (K ' | | | h (K | | R ' | | | R)s)||rs) Verifying the third message verification code MAC, judging whether the timestamp information is in the allowed time range, and resolving the successful authentication terminal equipment real identity IDuAnd a corresponding first key K, establishing a corresponding relation table, and calculating an element H of a second session key SK for generating data secure transmission between the satellite and the terminalsat=h(K’||r’||r||Ts'), satellite message authenticationCode key MACSAT_key=h(IDu||K||ru) And a first identification message session _ ID ═ h (ID) uniquely specifying the terminal deviceu||Ts') wherein T iss' is a fourth timestamp;
sending a first access authentication second response message to the terminal equipment, wherein the first access authentication second response message comprises: element H of second session key SK using first key KsatAnd a message obtained by encrypting a first identification message session _ id uniquely specifying the terminal device, using a satellite message authentication code key MACSATA signature message of the key to the second response message and a fourth timestamp Ts';
receiving and verifying a re-access authentication request message sent by the terminal equipment, negotiating a third session key SK 'and a third message verification code key MAC _ key' with the terminal equipment if the verification is successful, calculating a second identification message session _ id, deleting the session key information stored before, and replying a re-access authentication response message of the terminal equipment, wherein the re-access authentication response message comprises: a second identification message session _ id, a signature message signed using a first key K of the terminal, a tenth random number Rs' and sixth time stamp Ts”;
A ground management center for:
receiving registration information which is respectively sent by terminal equipment and a satellite and carries inherent identity, and sending ID containing real identity of the terminal equipment to the terminal equipmentuA registration response containing the first secret key K and the first random number r sends a real identity ID containing the satellite equipment to the satellitesA second secret key K ', a second random number r' and a public key P of a ground management centerNCCThe registration response of (1);
receiving and verifying a first access authentication request message of the terminal equipment and an identity authentication message of the satellite, and if the authentication fails, replying an authentication failure message; if the verification is successful, replying a first response message of the satellite first access authentication, wherein the first response message of the satellite first access authentication comprises: message S, negotiation key generation algorithm, and setting of terminal using first session key sk negotiated between satellite and groundBackup real identity IDuA message obtained by encrypting with the first key K, a third message verification code MAC obtained by signing the message S by using the first message verification code key MAC _ key and a third timestamp TNCCAnd (4) information.
6. The system of claim 5, wherein the first access authentication request message sent by the terminal device to the satellite further comprises: the access authentication mode of the security level selected by the terminal equipment;
the access authentication mode of the security level is forwarded by the satellite to reach a ground management center, and the ground management center selects a corresponding authentication mode for authentication according to the access authentication mode of the security level;
the access authentication mode of the security level comprises a Hash algorithm option, a random number length option and a symmetric encryption algorithm option, wherein the Hash algorithm option at least comprises a secure Hash algorithm SHA1, a secure Hash algorithm SHA128 and a secure Hash algorithm SHA256, the random number length option at least comprises 32 bits, 64 bits and 128 bits, and the symmetric encryption algorithm option at least comprises an Advanced Encryption Standard (AES), a Data Encryption Standard (DES) and a triple data encryption standard (3 DES).
7. The system of claim 5, wherein the ground management center verifies the access authentication request message of the terminal device and the identity authentication message of the satellite, comprising:
the ground management center uses the inverse XOR operation to solve the true identity IDs of the terminal equipment and the satelliteuAnd IDsFinding a first secret key K of the terminal equipment and a second secret key K' of the satellite by looking up a registry; further calculating a first random number r and a second random number r 'by using an inverse exclusive-or operation, and calculating h (K' | r ') by using the first random number r and the second random number r' through a hash function; further using an inverse exclusive-or operation, a fifth random number R for generating a third message authentication code MAC is calculateduAnd an eighth random number RsCalculating a first message authentication code MACuAnd a second message authentication code MACsMAC, first message authentication code transmitted with terminal equipment and satelliteuAnd a second message authentication code MACsComparing; if the time stamps are consistent and the time stamps are within the allowed time range, the verification is successful, and a master key h (K | | R' | | R) for updating the key is calculateds) Signing the message by using a private key of a ground management center to obtain a message S; otherwise, the verification fails, and an authentication failure message is replied.
8. The system of claim 5, wherein the satellite receives and verifies the re-access authentication request message, comprising:
the satellite searches a first secret key K of the uniquely-assigned terminal equipment according to the received first identification message session _ id; further using the first secret key K to decrypt and obtain the true identity ID of the terminal equipment for verificationu', second session key SK and terminal message authentication code key MACUSLooking up the real identity ID of the terminal equipment corresponding to the first key K through the corresponding relation tableuComparison of IDuAnd IDu'; if the signature message is consistent with the signature message, the signature message is verified successfully; otherwise, the verification fails, and an authentication failure message is replied.
CN201911283127.8A 2019-12-13 2019-12-13 Space-ground integrated space information network anonymous access authentication method and system Active CN110971415B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911283127.8A CN110971415B (en) 2019-12-13 2019-12-13 Space-ground integrated space information network anonymous access authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911283127.8A CN110971415B (en) 2019-12-13 2019-12-13 Space-ground integrated space information network anonymous access authentication method and system

Publications (2)

Publication Number Publication Date
CN110971415A true CN110971415A (en) 2020-04-07
CN110971415B CN110971415B (en) 2022-05-10

Family

ID=70034341

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911283127.8A Active CN110971415B (en) 2019-12-13 2019-12-13 Space-ground integrated space information network anonymous access authentication method and system

Country Status (1)

Country Link
CN (1) CN110971415B (en)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111711955A (en) * 2020-06-15 2020-09-25 华中师范大学 Wearable computing autonomous security authentication system and security authentication method
CN111885604A (en) * 2020-06-28 2020-11-03 北京交通大学 Authentication method, device and system based on heaven and earth integrated network
CN112087750A (en) * 2020-08-05 2020-12-15 西安电子科技大学 Access and switching authentication method and system under satellite network intermittent communication scene
CN112235792A (en) * 2020-09-15 2021-01-15 西安电子科技大学 Multi-type terminal access and switching authentication method, system, equipment and application
CN112332900A (en) * 2020-09-27 2021-02-05 贵州航天计量测试技术研究所 Low-earth-orbit satellite communication network rapid switching authentication method
CN112564775A (en) * 2020-12-18 2021-03-26 江苏省未来网络创新研究院 Spatial information network access control system and authentication method based on block chain
CN112615721A (en) * 2020-12-18 2021-04-06 江苏省未来网络创新研究院 Access authentication and authority management control flow method of spatial information network based on block chain
CN112867004A (en) * 2020-12-31 2021-05-28 北京芯安微电子技术有限公司 Remote configuration system and user data replacement method
CN112953726A (en) * 2021-03-01 2021-06-11 西安电子科技大学 Method, system and application for fusing dual-layer satellite network satellite-ground and inter-satellite networking authentication
CN113068187A (en) * 2021-02-20 2021-07-02 西安电子科技大学 Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application
CN113079016A (en) * 2021-03-23 2021-07-06 中国人民解放军国防科技大学 Identity-based authentication method facing space-based network
CN113660026A (en) * 2021-07-26 2021-11-16 长光卫星技术有限公司 Satellite security management method based on multi-user autonomous access control
WO2022002175A1 (en) * 2020-07-01 2022-01-06 大唐移动通信设备有限公司 Dynamic authentication method and apparatus, and device and readable storage medium
CN114051241A (en) * 2022-01-13 2022-02-15 中移(上海)信息通信科技有限公司 Communication processing method and device
CN114172669A (en) * 2022-02-15 2022-03-11 之江实验室 Two-stage security access authentication method fusing space-time characteristics in satellite-ground communication
CN114339735A (en) * 2021-12-10 2022-04-12 重庆邮电大学 NTRU-based (network to equipment) heaven and earth integrated network anonymous access authentication method
CN114363034A (en) * 2021-12-29 2022-04-15 上海众源网络有限公司 Verification code generation and verification method and device, electronic equipment and storage medium
CN114584975A (en) * 2022-02-23 2022-06-03 重庆邮电大学 Anti-quantum satellite network access authentication method based on SDN
CN114827998A (en) * 2022-03-17 2022-07-29 北京航天科工世纪卫星科技有限公司 Satellite terminal network access authentication device based on encryption chip
CN115022879A (en) * 2022-05-11 2022-09-06 西安电子科技大学 Enhanced Beidou user terminal access authentication method and system based on position key
CN116938321A (en) * 2023-09-14 2023-10-24 成都本原星通科技有限公司 Satellite communication method based on anti-quantum access authentication of position key low orbit satellite
CN117376917A (en) * 2023-12-05 2024-01-09 成都本原星通科技有限公司 Satellite communication method for satellite terminal authentication based on lattice proxy signcryption algorithm

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070105600A1 (en) * 2005-11-08 2007-05-10 Shantidev Mohanty Techniques to communicate information between foreign agents and paging controllers
CN105491076A (en) * 2016-01-28 2016-04-13 西安电子科技大学 Heterogeneous network end-to-end authentication secret key exchange method based on space-sky information network
CN108282778A (en) * 2018-01-23 2018-07-13 中国科学技术大学 Anonymous quick roaming access authentication method in a kind of space networks
CN108282779A (en) * 2018-01-24 2018-07-13 中国科学技术大学 Incorporate Information Network low time delay anonymous access authentication method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070105600A1 (en) * 2005-11-08 2007-05-10 Shantidev Mohanty Techniques to communicate information between foreign agents and paging controllers
CN105491076A (en) * 2016-01-28 2016-04-13 西安电子科技大学 Heterogeneous network end-to-end authentication secret key exchange method based on space-sky information network
CN108282778A (en) * 2018-01-23 2018-07-13 中国科学技术大学 Anonymous quick roaming access authentication method in a kind of space networks
CN108282779A (en) * 2018-01-24 2018-07-13 中国科学技术大学 Incorporate Information Network low time delay anonymous access authentication method

Cited By (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111711955A (en) * 2020-06-15 2020-09-25 华中师范大学 Wearable computing autonomous security authentication system and security authentication method
CN111711955B (en) * 2020-06-15 2022-04-29 华中师范大学 Wearable computing autonomous security authentication system and security authentication method
CN111885604A (en) * 2020-06-28 2020-11-03 北京交通大学 Authentication method, device and system based on heaven and earth integrated network
CN111885604B (en) * 2020-06-28 2021-08-27 北京交通大学 Authentication method, device and system based on heaven and earth integrated network
WO2022002175A1 (en) * 2020-07-01 2022-01-06 大唐移动通信设备有限公司 Dynamic authentication method and apparatus, and device and readable storage medium
CN112087750A (en) * 2020-08-05 2020-12-15 西安电子科技大学 Access and switching authentication method and system under satellite network intermittent communication scene
CN112235792A (en) * 2020-09-15 2021-01-15 西安电子科技大学 Multi-type terminal access and switching authentication method, system, equipment and application
CN112235792B (en) * 2020-09-15 2022-03-11 西安电子科技大学 Multi-type terminal access and switching authentication method, system, equipment and application
CN112332900B (en) * 2020-09-27 2023-03-10 贵州航天计量测试技术研究所 Low-orbit satellite communication network rapid switching authentication method
CN112332900A (en) * 2020-09-27 2021-02-05 贵州航天计量测试技术研究所 Low-earth-orbit satellite communication network rapid switching authentication method
CN112615721A (en) * 2020-12-18 2021-04-06 江苏省未来网络创新研究院 Access authentication and authority management control flow method of spatial information network based on block chain
CN112564775A (en) * 2020-12-18 2021-03-26 江苏省未来网络创新研究院 Spatial information network access control system and authentication method based on block chain
CN112867004A (en) * 2020-12-31 2021-05-28 北京芯安微电子技术有限公司 Remote configuration system and user data replacement method
CN112867004B (en) * 2020-12-31 2022-10-14 北京芯安微电子技术有限公司 Remote configuration system and user data replacement method
CN113068187A (en) * 2021-02-20 2021-07-02 西安电子科技大学 Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application
CN113068187B (en) * 2021-02-20 2022-03-11 西安电子科技大学 Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application
CN112953726A (en) * 2021-03-01 2021-06-11 西安电子科技大学 Method, system and application for fusing dual-layer satellite network satellite-ground and inter-satellite networking authentication
CN112953726B (en) * 2021-03-01 2022-09-06 西安电子科技大学 Satellite-ground and inter-satellite networking authentication method, system and application for fusing double-layer satellite network
CN113079016A (en) * 2021-03-23 2021-07-06 中国人民解放军国防科技大学 Identity-based authentication method facing space-based network
CN113660026A (en) * 2021-07-26 2021-11-16 长光卫星技术有限公司 Satellite security management method based on multi-user autonomous access control
CN114339735A (en) * 2021-12-10 2022-04-12 重庆邮电大学 NTRU-based (network to equipment) heaven and earth integrated network anonymous access authentication method
CN114339735B (en) * 2021-12-10 2023-09-08 重庆邮电大学 Method for authenticating anonymous access of world integrated network based on NTRU
CN114363034A (en) * 2021-12-29 2022-04-15 上海众源网络有限公司 Verification code generation and verification method and device, electronic equipment and storage medium
CN114363034B (en) * 2021-12-29 2024-02-02 上海众源网络有限公司 Verification code generation and verification method and device, electronic equipment and storage medium
CN114051241B (en) * 2022-01-13 2022-05-03 中移(上海)信息通信科技有限公司 Communication processing method and device
CN114051241A (en) * 2022-01-13 2022-02-15 中移(上海)信息通信科技有限公司 Communication processing method and device
WO2023134281A1 (en) * 2022-01-13 2023-07-20 中移(上海)信息通信科技有限公司 Communication processing method and apparatus, terminal, storage medium, and computer program product
CN114172669A (en) * 2022-02-15 2022-03-11 之江实验室 Two-stage security access authentication method fusing space-time characteristics in satellite-ground communication
WO2023077706A1 (en) * 2022-02-15 2023-05-11 之江实验室 Spatial-temporal characteristic fused dual-stage secure access authentication method in satellite-ground communication
CN114172669B (en) * 2022-02-15 2022-05-03 之江实验室 Two-stage security access authentication method fusing space-time characteristics in satellite-ground communication
CN114584975A (en) * 2022-02-23 2022-06-03 重庆邮电大学 Anti-quantum satellite network access authentication method based on SDN
CN114584975B (en) * 2022-02-23 2023-09-15 重庆邮电大学 SDN-based anti-quantum satellite network access authentication method
CN114827998A (en) * 2022-03-17 2022-07-29 北京航天科工世纪卫星科技有限公司 Satellite terminal network access authentication device based on encryption chip
CN114827998B (en) * 2022-03-17 2023-11-17 北京航天科工世纪卫星科技有限公司 Satellite terminal network access authentication device based on encryption chip
CN115022879B (en) * 2022-05-11 2023-11-21 西安电子科技大学 Enhanced Beidou user terminal access authentication method and system based on position key
CN115022879A (en) * 2022-05-11 2022-09-06 西安电子科技大学 Enhanced Beidou user terminal access authentication method and system based on position key
CN116938321A (en) * 2023-09-14 2023-10-24 成都本原星通科技有限公司 Satellite communication method based on anti-quantum access authentication of position key low orbit satellite
CN116938321B (en) * 2023-09-14 2023-11-24 成都本原星通科技有限公司 Satellite communication method based on anti-quantum access authentication of position key low orbit satellite
CN117376917A (en) * 2023-12-05 2024-01-09 成都本原星通科技有限公司 Satellite communication method for satellite terminal authentication based on lattice proxy signcryption algorithm
CN117376917B (en) * 2023-12-05 2024-03-26 成都本原星通科技有限公司 Satellite communication method for satellite terminal authentication based on lattice proxy signcryption algorithm

Also Published As

Publication number Publication date
CN110971415B (en) 2022-05-10

Similar Documents

Publication Publication Date Title
CN110971415B (en) Space-ground integrated space information network anonymous access authentication method and system
CN111314056B (en) Heaven and earth integrated network anonymous access authentication method based on identity encryption system
He et al. A strong user authentication scheme with smart cards for wireless communications
KR101490214B1 (en) Systems and methods for encoding exchanges with a set of shared ephemeral key data
CN106788989B (en) Method and equipment for establishing secure encrypted channel
CN112332900B (en) Low-orbit satellite communication network rapid switching authentication method
KR101982237B1 (en) Method and system for data sharing using attribute-based encryption in cloud computing
CN101116284A (en) Clone resistant mutual authentication in a radio communication network
US20200195446A1 (en) System and method for ensuring forward & backward secrecy using physically unclonable functions
CN112351037B (en) Information processing method and device for secure communication
CN110881177A (en) Anti-quantum computing distributed Internet of vehicles method and system based on identity secret sharing
CN108353279A (en) A kind of authentication method and Verification System
CN105491076A (en) Heterogeneous network end-to-end authentication secret key exchange method based on space-sky information network
He et al. An accountable, privacy-preserving, and efficient authentication framework for wireless access networks
Noh et al. Secure authentication and four-way handshake scheme for protected individual communication in public wi-fi networks
CN116056080A (en) Satellite switching authentication method for low-orbit satellite network
Alzahrani et al. A Resource‐Friendly Authentication Protocol for UAV‐Based Massive Crowd Management Systems
Indushree et al. Mobile-Chain: Secure blockchain based decentralized authentication system for global roaming in mobility networks
CN114760046A (en) Identity authentication method and device
CN110417722B (en) Business data communication method, communication equipment and storage medium
CN111245611A (en) Anti-quantum computing identity authentication method and system based on secret sharing and wearable equipment
CN111836260A (en) Authentication information processing method, terminal and network equipment
US11570008B2 (en) Pseudonym credential configuration method and apparatus
CN111404667B (en) Key generation method, terminal equipment and network equipment
CN114760043A (en) Identity authentication method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant