CN112073379B - Lightweight Internet of things security key negotiation method based on edge calculation - Google Patents

Lightweight Internet of things security key negotiation method based on edge calculation Download PDF

Info

Publication number
CN112073379B
CN112073379B CN202010806877.5A CN202010806877A CN112073379B CN 112073379 B CN112073379 B CN 112073379B CN 202010806877 A CN202010806877 A CN 202010806877A CN 112073379 B CN112073379 B CN 112073379B
Authority
CN
China
Prior art keywords
edge gateway
authentication
equipment
terminal equipment
edge
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010806877.5A
Other languages
Chinese (zh)
Other versions
CN112073379A (en
Inventor
陈冰冰
刘强
周俊
夏伟栋
邹明翰
邵苏杰
辛辰
许洪华
李易
王徐延
吴冠儒
沙莉
张庆航
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
Beijing University of Posts and Telecommunications
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications, Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd filed Critical Beijing University of Posts and Telecommunications
Priority to CN202010806877.5A priority Critical patent/CN112073379B/en
Publication of CN112073379A publication Critical patent/CN112073379A/en
Application granted granted Critical
Publication of CN112073379B publication Critical patent/CN112073379B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these

Abstract

A lightweight Internet of things security key negotiation method based on edge calculation comprises the following steps: step 1, a cloud server performs bidirectional authentication on an edge gateway, authorizes the edge gateway, and the edge gateway obtains authentication key negotiation authority for terminal equipment; step 2, the edge gateway is responsible for the safety certification and management of the Internet of things equipment in the edge gateway local area network; step 3, the terminal equipment and the edge gateway perform bidirectional authentication and key agreement, the terminal equipment and the edge gateway construct a safety channel to perform encryption protection on subsequent transmission data, and the subsequent transmission data are transmitted to the edge gateway in a unified manner; step 4, the edge gateway can carry out primary processing on the data transmitted by the terminal equipment; and 5, in the subsequent process, the cloud server and the edge gateway server transmit and process the equipment data together. The invention realizes the lightweight and safe Internet of things authentication key agreement and ensures the security of Internet of things network data transmission.

Description

Lightweight Internet of things security key negotiation method based on edge calculation
Technical Field
The invention belongs to the technical field of internet security, and particularly relates to a lightweight internet of things security key negotiation method based on edge calculation.
Background
The Internet of Things (IoT-Internet of Things) technology has been integrated into aspects of life with the rapid development of information technology. The intelligent network formed by the internet of things and interconnecting people, things and things greatly promotes the intelligent development in various fields. But the access of a large number of devices and a large amount of information exchange at the same time also bring new security challenges. Due to the fact that the number of devices is large and the device resources are limited in the environment of the internet of things, the traditional security protocol is too complex, and the cost of resources such as calculation, storage and communication is large, so that the requirements cannot be met. Moreover, a centralized authentication key agreement mechanism taking cloud as a center brings huge burden to a server at present, and even network congestion is caused to influence the authentication and key agreement process of equipment. Therefore, how to design a safer and lighter authentication key agreement technology to ensure confidentiality and integrity of information exchange in the environment of the internet of things is an urgent need.
In order to solve the development situation of the prior art, the existing papers and patents are searched, compared and analyzed, and the following technical information with high relevance to the invention is screened out:
the technical scheme 1: a patent of "a method and a system for performing security management on internet of things equipment", with a patent number of CN108881304A, provides a method and a system for performing security management on internet of things equipment, and the method includes: the Internet of things safety management platform is registered in a recognized third-party safety mechanism platform, and the third-party safety mechanism platform signs an Internet of things safety management platform certificate after passing the authentication of the Internet of things safety management platform; the method comprises the steps that the Internet of things equipment is registered on an Internet of things safety management platform, and after the Internet of things safety management platform passes authentication of an Internet of things equipment user identity identification card, an Internet of things equipment user identity identification card certificate is signed to the user identity identification card; when the service data is transmitted between the service platform of the internet of things and the equipment of the internet of things, the safety management platform of the internet of things and the user identity identification card perform identity authentication, and after the authentication is passed, a service data transmission encryption working key is negotiated, so that the safety of data transmission of both parties is ensured. The invention can effectively protect the Internet of things equipment from illegal management and control and improve the overall anti-attack capability of the Internet of things system.
Technical scheme 1 adopts an thing networking platform management authentication mode based on identification card, its characterized in that: the Internet of things management platform needs to be registered in a third-party security mechanism, then the Internet of things equipment is registered in the Internet of things management platform, and after the identity identification card passes the authentication, a corresponding identity certificate is issued. The method can well protect the data transmission of the Internet of things equipment, so that the Internet of things equipment is not illegally controlled. However, such a management method is too centralized to satisfy the management of a large amount of devices. Meanwhile, registration, issuance and authentication are complicated, the equipment overhead is high, and the safety requirement of equipment with effective partial resources cannot be met.
The technical scheme 2 is as follows: a patent of Internet of things sensing node authentication method based on an edge gateway, with a patent number of CN110995432A, relates to an Internet of things sensing node authentication method based on an edge gateway. The method mainly comprises the following steps: the sensing node firstly reads the NodeID and the authentication Key Key stored in the self equipment, and randomly generates a random number Nonce1; if the authentication is the first authentication, randomly generating a Counter value at the same time, otherwise reading the locally stored Counter value; the sensing node calculates the node authentication credential and then sends an access request message to the edge gateway. The invention has the advantages that the invention provides an authentication implementation mode conforming to the idea of edge computing of decentralized and distributed type, the computing capacity of the system of the Internet of things is sunk to the edge gateway from the cloud end, and after the first authentication access, the edge gateway can independently complete the access authentication of the sensing node, so that the edge computing capacity of the Internet of things is enhanced, the computing pressure of the access authentication of the IoT cloud platform is greatly reduced, and the normal operation of the subordinate edge network can be ensured even if the edge gateway and the cloud end lose network connection.
The technical scheme 2 adopts a node authentication method based on an edge computing gateway, which is characterized in that: in the node authentication method based on the edge computing gateway, the edge gateway is responsible for sensing the access authentication of the node, the whole authentication method is based on the Counter value increasing sequence and fuses random numbers to equivalently practice the bidirectional authentication of the challenge/response idea, and the authentication is simple and light. Meanwhile, the computing power of the Internet of things system is sunk to the edge gateway from the cloud, so that the edge computing power of the Internet of things is enhanced, and the pressure of a cloud platform is reduced to some extent. However, in the authentication process, the edge gateway needs to query the IoT cloud platform for the H (key) to which the node id of the device node is associated. Therefore, when the number of the nodes is large and the number of the node authentication requests is large, the load of the cloud platform is still large, and effective decentralization is not realized. In addition, although the authentication protocol is lightweight, the most important security is low, and it is very vulnerable.
Disclosure of Invention
In order to solve the defects in the prior art, the invention aims to provide a dynamic password authentication key agreement method based on identity identification, and provides a cloud-edge-end cooperation authentication key agreement mechanism based on edge computing, and the authentication and key agreement task is put down on edge gateway-level equipment, so that the time delay can be greatly reduced, the huge burden of mass equipment on a cloud center can be relieved, and identity authentication and key agreement can be completed more safely and efficiently.
The invention adopts the following technical scheme. A lightweight Internet of things security key negotiation method based on edge calculation comprises the following steps:
step 1, performing bidirectional authentication on an edge gateway by a cloud server, authorizing the edge gateway after the authentication is passed, acquiring authentication key negotiation authority of terminal equipment by the edge gateway, storing identity information of the edge gateway into a cloud database, and releasing an authentication key negotiation task by the cloud server;
step 2, after the edge gateway obtains the authority through the cloud server authentication, receiving an authentication key negotiation task transferred by a corresponding cloud server, and starting to take charge of the safety authentication and management of the terminal equipment in the edge gateway local area network;
step 3, the terminal equipment accesses the Internet of things, the terminal equipment and the edge gateway perform bidirectional authentication and key agreement, after the authentication key agreement is passed, the terminal equipment and the edge gateway construct a safety channel to perform encryption protection on subsequent transmission data, and perform data transmission to the edge gateway;
step 4, the edge gateway performs primary processing on data transmitted by the terminal equipment, and partial data is coordinated with the cloud and transmitted to a cloud server;
and 5, the cloud server and the edge gateway process the data together, and the authentication key negotiation of the terminal equipment is uniformly managed by the edge gateway.
Preferably, step 2 includes registering the new network access terminal device, and the registration process includes:
step 2.1, at the terminal device, inputting the relevant device information andpresetting a password PW, generating a unique equipment identity ID by a registration system equipment end through equipment information, and generating a random number N i And calculating the password
Figure BDA0002629462960000031
Step 2.2, the terminal equipment saves ID, PW and C i ,C i And the ID is transmitted to a registration server through a secure channel for checking and storing;
step 2.3, at the edge gateway, the registration server inquires through the equipment identity ID, and if the equipment identity ID is registered, the registered information is returned; if the equipment ID is not registered, the server end stores C i And the equipment identity ID and returns registration success information.
Preferably, the device information includes: a device area number, a device type number, and a device number.
Preferably, the performing, by the terminal device, bidirectional authentication and key agreement with the edge gateway in step 3 specifically includes:
step 3.1, the terminal equipment and the edge gateway perform bidirectional authentication;
step 3.2, the terminal equipment and the edge gateway perform key negotiation exchange;
and 3.3, the terminal equipment and the edge gateway perform key negotiation verification.
Preferably, the step 3.1 of performing bidirectional authentication between the terminal device and the edge gateway specifically includes:
step 3.1.1, the equipment end initiates an identity authentication request to the edge gateway to generate a random challenge number CN i And a time stamp T i The equipment identity ID and the random challenge number CN i Sending the data to an edge gateway;
step 3.1.2, after receiving the information, the edge gateway judges the timestamp T i Whether the equipment is valid or not is verified according to the equipment identity ID if the equipment is valid, and failure information is sent if the equipment is not registered; if registered, according to the ID of the equipment ID, searching the corresponding C i And calculating a response value
Figure BDA0002629462960000041
Generating a random number CN i+1 R and CN i+1 Sending the data to the terminal equipment;
step 3.1.3, after receiving the information, the terminal equipment calculates
Figure BDA0002629462960000042
Comparison
Figure BDA0002629462960000043
If the authentication request is the same as the authentication request R, returning to the step 3.1.1 to resend the authentication request if the authentication request is different from the authentication request R, and if the authentication request is the same as the authentication request R, successfully authenticating the edge gateway; after the edge gateway is successfully authenticated, the terminal equipment generates a random number N i+1 And calculating to generate a new password
Figure BDA0002629462960000044
Calculating D i+1 =H(ID,C i+1 ) Calculating
Figure BDA0002629462960000045
Figure BDA0002629462960000046
Computing
Figure BDA0002629462960000047
Computing
Figure BDA0002629462960000048
And sending (a, b, ID) to the edge gateway;
step 3.1.4, after the edge gateway receives the information, calculating
Figure BDA0002629462960000049
Computing
Figure BDA00026294629600000410
Figure BDA00026294629600000411
Computing
Figure BDA00026294629600000412
Calculating out
Figure BDA00026294629600000416
Comparison of
Figure BDA00026294629600000413
And D i+1 If the identity is the same, the authentication fails, if the identity is the same, the authentication of the equipment end is successful, the edge gateway updates the registration information database information and uses C i+1 Replacement C i The password updating is completed, and the edge gateway calculates r = H (ID, D) i+1 ) And sending Success and r to the user to provide secondary authentication to the edge gateway;
step 3.1.5, after the terminal equipment receives r, calculating
Figure BDA00026294629600000414
Comparison
Figure BDA00026294629600000415
If the two-way authentication is the same as r, the key agreement is started, and ak = D i+1 As shared authentication material for the subsequent key agreement phase.
Preferably, step 3.2, the terminal device and the edge gateway perform key agreement exchange using the ECDH key exchange algorithm.
Preferably, the step 3.2 of the terminal device and the edge gateway performing key agreement exchange specifically includes:
step 3.2.1, the terminal equipment generates a random number KN i Generating a random integer n a Calculating the keying material KM i =n a G, G is an elliptic curve base point, and KN is sent to an edge gateway i And KM i
Step 3.2.2, the edge gateway generates a random number KN r Generating a random integer n b Calculating the keying material KM r =n b G, after receiving the key material data of the equipment end, sending KM to the terminal equipment r And KN r
Preferably, step 3.3, the key agreement verification between the terminal device and the edge gateway specifically includes:
step 3.3.1, the terminal device and the edge gateway calculate the shared secret key K = K i =n a ·KM r =k r =n b ·KM i Calculating a temporary session key
Figure BDA0002629462960000051
Step 3.3.2, the terminal device calculates the verification material
Figure BDA0002629462960000052
And sends the ID and the ID to the edge gateway for verification;
step 3.3.3, edge gateway computation
Figure BDA0002629462960000053
Comparison
Figure BDA0002629462960000054
And H i If the two are the same, the authentication fails, and negotiation is carried out again; if the two are the same, the verification is passed, and a random number N is generated id Calculating
Figure BDA0002629462960000055
Will N id And H r Sending the information to the terminal equipment, and enabling the edge gateway to enter a safe communication stage;
step 3.3.4, terminal device calculates
Figure BDA0002629462960000056
Comparison
Figure BDA0002629462960000057
And H r If the two are the same, the verification fails and the negotiation is carried out again; if the two types of the data are the same, the verification is passed, and the security communication stage is carried out after the verification is passed.
Compared with the prior art, the invention adopts a dynamic password authentication key agreement method based on the identity identification, provides a cloud-edge-end cooperative authentication key agreement mechanism based on edge computing, and puts down authentication and key agreement tasks on edge gateway-level equipment, so that the mechanism can greatly reduce time delay, relieve the huge burden of mass equipment on a cloud center, and complete identity authentication and key agreement more safely and efficiently. The method and the mechanism provided by the invention can effectively reduce the expenditure on equipment storage and computing resources, further improve the efficiency on the basis of ensuring the safety, and can meet the application requirements in the environment of the Internet of things.
The invention provides a dynamic password identity authentication protocol based on an identity label and a key agreement protocol taking an ECDH algorithm as a core, which can meet the communication safety requirements of resource-limited equipment with different types and provide communication safety guarantee. Meanwhile, the management problem caused by the large number of equipment in the environment of the Internet of things is solved, the pressure of the cloud center server can be relieved, the efficiency of authentication key agreement is improved, the time delay is reduced, and the safety is enhanced.
Drawings
Fig. 1 is a cloud-edge-end cooperative authentication key agreement mechanism architecture based on an edge gateway;
fig. 2 is a device registration flow diagram;
FIG. 3 is a dynamic password mutual authentication model based on identification;
fig. 4 is a key agreement protocol model.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following examples are only used to illustrate the technical solutions of the present invention more clearly, and the protection scope of the present application is not limited thereby.
As shown in fig. 1, the edge gateway-based cloud-edge-end collaborative authentication key agreement mechanism mainly includes three parts, namely, an internet of things device end, an edge gateway, and a cloud center. In this architecture, the edge gateway assumes the role of a bridge in the internet of things network. By designing the edge gateway, the equipment can be better managed, and the identity authentication and key agreement tasks of the cloud are put down to the edge gateway, so that the problems of information congestion, service congestion and time delay under high concurrency can be greatly relieved. In the whole framework, the edge gateway is directly connected with each Internet of things device downwards, and identity authentication and key agreement service, subsequent data security protection and data processing can be carried out on the devices in the region. And after passing through the authentication key negotiation of the edge gateway, each terminal device of the internet of things acquires data or provides corresponding service, and simultaneously transmits the data to the edge gateway safely. The edge gateway is accessed to the core network upwards and can cooperate with the cloud center. The cloud center authenticates the edge gateway equipment, authorizes and transfers an authentication key negotiation task of the terminal equipment to the edge gateway after authentication, processes data uploaded by the edge gateway, and completes authentication key negotiation and corresponding data processing of the equipment through the cloud-edge cooperative mode.
Each packet edge gateway server manages the corresponding internet of things equipment, and the edge gateway is accessed into the core network to cooperate with the cloud center. The cloud center manages corresponding edge gateway equipment, and therefore an edge gateway authentication mechanism is achieved based on a cloud-edge-end integrated mode.
Therefore, the invention provides a lightweight Internet of things security key negotiation method based on edge calculation, which comprises the following steps:
step 1, the cloud server performs bidirectional authentication on the edge gateway, after the authentication is passed, the edge gateway is authorized, the edge gateway obtains authentication key negotiation authority for the terminal equipment, meanwhile, identity information of the edge gateway is stored in a cloud database, and then an authentication key negotiation task is transferred by the cloud server.
And 2, after the edge gateway obtains the authority through the cloud server authentication, the edge gateway receives corresponding cloud server tasks and starts to be responsible for the safety authentication and management of the terminal equipment in the edge gateway local area network, such as but not limited to the management of registration, data acquisition, transmission and processing of the terminal equipment of the internet of things.
And 3, the terminal equipment accesses the Internet of things, the terminal equipment and the edge gateway perform bidirectional authentication and key agreement, after the authentication key agreement is passed, the terminal equipment and the edge gateway construct a safety channel to perform encryption protection on subsequent transmission data, and the subsequent transmission data are uniformly transmitted to the edge gateway.
And 4, the edge gateway performs preliminary processing on the data transmitted by the terminal device, for example, but not limited to, simple preprocessing and cleaning on the transmitted data, and partial important data, for example, but not limited to, data acquired by a terminal sensor, possibly user privacy protection data and the like cooperate with the cloud, and the data are transmitted to a cloud server, for example, but not limited to, the processed data are cooperatively processed by the cloud and the edge gateway, and a task is cooperatively completed.
And step 5, in the subsequent process, the cloud server and the edge gateway server process data together, and coordinate processing is performed at the cloud side to realize intelligent services, such as but not limited to environment monitoring, intelligent camera shooting and the like according to specific scenes and deployment, and authentication key negotiation of the terminal equipment is uniformly managed by the edge gateway.
By the method, massive Internet of things equipment can be efficiently managed, the edge gateway provides corresponding authentication key agreement, the safety of the equipment and data is guaranteed, in addition, cloud-edge cooperation can jointly process the data, intelligent service is provided, the interconnection of everything is really realized, and the development of the Internet of things is promoted.
The protocol designed by the invention mainly comprises a registration process and an authentication process, wherein the registration process is responsible for identity identification and information registration of each new network access device, and the authentication process is mutual identity authentication between the device and the edge gateway. Therefore, step 2 includes the registration of the new network-accessing terminal device, as shown in fig. 2, the registration process includes:
step 2.1, inputting relevant equipment information such as equipment area number, equipment type number and equipment number and a preset password PW at a terminal equipment, generating a unique equipment identity ID by a registration system equipment end running on the terminal equipment through the equipment information, and generating a random number N i And calculating the password
Figure BDA0002629462960000071
Figure BDA0002629462960000072
Step 2.2, the terminal equipment saves ID, PW and C i ,C i The ID is transmitted to a registration server for checking and storing through a secure channel, and the registration server is generally arranged at an edge gateway and is convenient for responding to information inquiry of the gateway;
step 2.3, at the edge gateway, the registration server inquires through the equipment identity ID, and if the equipment identity ID is registered, the registered information is returned; if the equipment ID is not registered, the server end stores C i And the equipment identity ID and returns registration success information.
The step 3 of performing bidirectional authentication and key agreement between the terminal device and the edge gateway specifically includes:
step 3.1, the terminal equipment and the edge gateway perform bidirectional authentication;
step 3.2, the terminal equipment and the edge gateway perform key negotiation exchange;
and 3.3, the terminal equipment and the edge gateway perform key negotiation verification.
The authentication process is realized based on the identity identification and by taking an improved one-time password authentication technology as a core. The whole authentication process of the protocol is operated based on the hash function and bidirectional identity authentication is provided, so that the occupation of equipment resources and communication is less, and the protocol is safer and more efficient. As shown in fig. 3, the step 3.1 of performing bidirectional authentication between the terminal device and the edge gateway specifically includes:
step 3.1.1, the equipment end initiates an identity authentication request to the edge gateway to generate a random challenge number CN i And a time stamp T i The equipment identity ID and the random challenge number CN i Sending to the edge gateway;
step 3.1.2, after receiving the information, the edge gateway judges the timestamp T i Whether the equipment is valid or not is verified according to the equipment identity ID if the equipment is valid, and failure information is sent if the equipment is not registered; if registered, according to the equipment IDFind the corresponding C i And calculating a response value
Figure BDA0002629462960000081
Generating a random number CN i+1 R and CN i+1 Sending the data to the terminal equipment;
step 3.1.3, after receiving the information, the terminal equipment calculates
Figure BDA0002629462960000082
Comparison of
Figure BDA0002629462960000083
If the authentication request is the same as the authentication request R, returning to the step 3.1.1 to resend the authentication request if the authentication request is different from the authentication request R, and if the authentication request is the same as the authentication request R, successfully authenticating the edge gateway; after the edge gateway is successfully authenticated, the terminal equipment generates a random number N i+1 And calculating to generate a new password
Figure BDA0002629462960000084
Calculating D i+1 =H(ID,C i+1 ) Calculating
Figure BDA0002629462960000085
Figure BDA0002629462960000086
Calculating out
Figure BDA0002629462960000087
Computing
Figure BDA0002629462960000088
And sending (a, b, ID) to the edge gateway;
step 3.1.4, after the edge gateway receives the information, calculating
Figure BDA0002629462960000089
Computing
Figure BDA00026294629600000810
Figure BDA00026294629600000811
Computing
Figure BDA00026294629600000812
Calculating out
Figure BDA00026294629600000813
Comparison of
Figure BDA00026294629600000814
And D i+1 If the two are the same, the authentication fails, if the two are the same, the authentication of the equipment end is successful, the edge gateway updates the information of the registration information database and uses C i+1 Replacement C i Password updating is completed, and the edge gateway calculates r = H (ID, D) i+1 ) And sending Success and r to the user to provide secondary authentication to the edge gateway;
step 3.1.5, after the terminal equipment receives r, calculating
Figure BDA0002629462960000091
Comparison
Figure BDA0002629462960000092
If the two-way authentication is the same as r, the key agreement is started, and ak = D i+1 As shared authentication material for the subsequent key agreement phase.
The whole key agreement protocol realizes the verification of the identities of both parties based on an authentication protocol, and then realizes the exchange of keys through an ECDH protocol, thereby generating a temporary session key. For the whole key agreement protocol, the core mainly consists of two stages of agreement exchange and agreement verification.
The key negotiation and exchange process is mainly realized based on an ECDH key exchange algorithm, namely a DH and an ECC are combined to form the ECDH algorithm to complete the key material exchange of the two parties on a public channel and generate a shared key. ECDH is more efficient than DH.
And a protocol verification stage, wherein the whole authentication negotiation is authenticated by combining the shared authentication material generated in the identity authentication stage and the shared key material generated in the key negotiation exchange stage, so that the reliability of the whole key negotiation data exchange is ensured, and man-in-the-middle attack can be effectively prevented. As shown in fig. 4, step 3.2 of the terminal device and the edge gateway performing key agreement exchange specifically includes:
step 3.2.1, the terminal equipment generates a random number KN i Generating a random integer n a Calculating the keying material KM i =n a G, G is an elliptic curve base point, and KN is sent to an edge gateway i And KM i
Step 3.2.2, the edge gateway generates a random number KN r Generating a random integer n b Calculating the keying material KM r = b · G, receiving keying material data of the device side, and sending KM to the terminal device r And KN r
Step 3.3, the key agreement verification of the terminal device and the edge gateway specifically includes:
step 3.3.1, the terminal device and the edge gateway calculate the shared secret key K = K i =a·KM r =k r =b·KM i Calculating a temporary session key
Figure BDA0002629462960000093
Step 3.3.2, the terminal device calculates the verification material
Figure BDA0002629462960000094
And sends the ID and the ID to the edge gateway for verification;
step 3.3.3, edge gateway computation
Figure BDA0002629462960000095
Comparison of
Figure BDA0002629462960000096
And H i If the two are the same, the verification fails and the negotiation is carried out again; if the two are the same, the verification is passed, and a random number N is generated id Calculating
Figure BDA0002629462960000097
Will N id And H r Sending the information to the terminal equipment, and enabling the edge gateway to enter a safety communication stage;
step 3.3.4, terminal device calculates
Figure BDA0002629462960000101
Comparison
Figure BDA0002629462960000102
And H r If the two are the same, the verification fails and the negotiation is carried out again; if the two types of the data are the same, the verification is passed, and the security communication stage is carried out after the verification is passed.
The beneficial effects of the invention at least comprise: 1. the cloud-edge-end cooperative authentication key agreement mechanism based on the edge gateway considers the huge pressure of massive Internet of things equipment on a cloud center, the problem of equipment management, the safety of authentication and key agreement, task delay, resource occupation and the like. The authentication key agreement mechanism can better perform efficient management and control on the Internet of things equipment and provide a safe and efficient authentication key agreement task.
2. In the protocol design, on the basis of ensuring the protocol security and providing the bidirectional identity authentication and key agreement function, the invention has smaller occupation cost for computing and storing resources and is lighter and more efficient compared with the related protocol.
3. The protocol designed by the invention does not need certificates and other management organizations, and is more convenient to apply. Compared with the related protocol, the method also has higher safety, excellent performance and low computing resource cost.
To more clearly describe the technical solution and the advantages of the present invention, an application example of the present invention is described below.
The method mainly tests two stages of identity authentication and key agreement. The system is started at the edge gateway server side first, and then the device client side is started. The device side initiates connection to the edge server side and starts identity authentication.
In the first stage, the client sends the ID and the challenge random number, in the second stage, the server calculates the Ahash and the random challenge book, and the client compares and verifies the received server information. And in the third stage, the client side sends the dynamically updated password related materials a and b to the server side, and the server side obtains a new password through calculation and simultaneously carries out verification. In the last stage, both parties verify rhash, and bidirectional identity authentication is completed.
And the key negotiation module is started after the identity authentication module passes, so that key negotiation between the equipment end and the edge gateway is realized. The key agreement mainly comprises two stages, wherein the first stage is to realize the exchange of key materials based on an ECDH algorithm, and the second stage is to mainly verify the agreement and then complete the whole key agreement process. And entering a key agreement module after the identity authentication is passed.
And after the identity authentication is passed, the key agreement is started, and the key agreement is completed in two stages. In the first stage, both parties generate random numbers randnum and key materials (random large integers), then both parties exchange data, in the first stage, each party calculates a Session ID (a key obtained by an ECDH algorithm), in the second stage, both parties calculate a hash value and verify the hash value, and the whole key negotiation module completes negotiation work.
The system can realize the identity authentication and key agreement function between the equipment end and the edge gateway server end according to the protocol designed by the invention. The two parties successfully obtain the session key for subsequent secure communication through authentication key negotiation, thereby providing guarantee for the security of data transmission of the equipment.
The protocol has good application effect and is lighter and safer than other protocols. The whole authentication and key agreement task has higher efficiency and performance, and can be well suitable for equipment with limited resources in the environment of the Internet of things. The performance is shown in table 1 below. Wherein, T PM : calculating the time, T, of an elliptic curve scalar multiplication PA : calculating the time, T, of an elliptic curve scalar addition operation HP : calculating the time, T, of a hash function mapped to a point H : calculating the time, T, of a one-way hash function I : calculating the time of one-time modular inverse operation; t is SE : time to symmetric encryption and decryption (AES) is calculated once.
TABLE 1 protocol Performance comparison
Figure BDA0002629462960000111
In summary, compared with other protocol algorithms, the lightweight security key agreement protocol based on the internet of things has better comprehensive performance, is suitable for device information transmission in the scene facing the internet of things, and can better provide communication security guarantee for resource-limited devices.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.

Claims (4)

1. A lightweight Internet of things security key negotiation method based on edge calculation is characterized by comprising the following steps:
step 1, the cloud server performs bidirectional authentication on an edge gateway, after the authentication is passed, the edge gateway is authorized, the edge gateway obtains authentication key negotiation authority for terminal equipment, meanwhile, identity information of the edge gateway is stored in a cloud database, and an authentication key negotiation task is transferred by the cloud server;
step 2, after the edge gateway obtains the authority through the cloud server authentication, receiving an authentication key negotiation task transferred by a corresponding cloud server, and starting to take charge of the safety authentication and management of the terminal equipment in the edge gateway local area network;
step 3, the terminal equipment accesses the Internet of things, the terminal equipment and the edge gateway perform bidirectional authentication and key agreement, after the authentication key agreement is passed, the terminal equipment and the edge gateway construct a safety channel to perform encryption protection on subsequent transmission data, and perform data transmission to the edge gateway; the method comprises the following steps:
step 3.1, the terminal equipment and the edge gateway perform bidirectional authentication, and the method specifically comprises the following steps:
step 3.1.1, the equipment end initiates an identity authentication request to the edge gateway to generate a random challenge number CN i And a time stamp T i The equipment identity ID and the random challenge number CN i Sending to the edge gateway;
step 3.1.2, after receiving the information, the edge gateway judges the timestamp T i Whether the equipment is valid or not is verified according to the equipment identity ID if the equipment is valid, and failure information is sent if the equipment is not registered; if registered, searching corresponding C according to the equipment identity ID i And calculating a response value R = H (ID, C) i ⊕CN i ) To generate a random number CN i+1 R and CN i+1 Sending the data to the terminal equipment;
step 3.1.3, after receiving the information, the terminal equipment calculates
Figure FDA0003825495270000011
Comparison
Figure FDA0003825495270000012
If the authentication request is the same as the authentication request R, returning to the step 3.1.1 to resend the authentication request if the authentication request is different from the authentication request R, and if the authentication request is the same as the authentication request R, successfully authenticating the edge gateway; after the edge gateway is successfully authenticated, the terminal equipment generates a random number N i+1 And calculating to generate a new password C i+1 =H(ID,PW⊕N i+1 ) Calculating D i+1 =H(ID,C i+1 ) Calculating D i =H(ID,C i ⊕CN i+1 ) Calculating a = C i+1 ⊕(D i+1 +D i ) Calculate b = C i ⊕D i+1 And sending (a, b, ID) to the edge gateway;
step 3.1.4, after the edge gateway receives the information, D is calculated i+1 =b⊕C i Calculating D i =H(ID,C i ⊕CN i+1 ) Calculating C i+1 =a⊕(D i+1 +D i ) Calculating
Figure FDA0003825495270000013
Comparison
Figure FDA0003825495270000014
And D i+1 If the two are the same, the authentication fails, if the two are the same, the authentication of the equipment end is successful, the edge gateway updates the information of the registration information database and uses C i+1 Replacement C i Password updating is completed, and the edge gateway calculates r = H (ID, D) i+1 ) And sending Success and r to the user to provide secondary authentication to the edge gateway;
step 3.1.5, after the terminal equipment receives r, calculating
Figure FDA0003825495270000021
Comparison of
Figure FDA0003825495270000022
If the two-way authentication is the same as r, the key agreement is started, and ak = D i+1 As shared authentication material in the subsequent key agreement stage;
step 3.2, the terminal device and the edge gateway perform key negotiation exchange, which specifically includes:
step 3.2.1, the terminal equipment generates a random number KN i Generating a random integer n a Calculating the keying material KM i =n a G, G is an elliptic curve base point, and KN is sent to an edge gateway i And KM i
Step 3.2.2, the edge gateway generates a random number KN r Generating a random integer n b Calculating the keying material KM r =n b G, after receiving the key material data of the equipment end, sending KM to the terminal equipment r And KN r
Step 3.3, the terminal device and the edge gateway perform key negotiation verification, which specifically includes:
step 3.3.1, the terminal device and the edge gateway calculate the shared secret key K = K i =n a ·KM r =k r =n b ·KM i Calculating a temporary session Key = H (ak, K ≦ KN) i ⊕KN r );
Step 3.3.2, the terminal device calculates the verification material H i H (= ID, ak ≧ Key), and send to the edge gateway with ID to verify;
step 3.3.3, edge gateway computation
Figure FDA0003825495270000023
Comparison of
Figure FDA0003825495270000024
And H i If the two are the same, the authentication fails, and negotiation is carried out again; if the two are the same, the verification is passed, and a random number N is generated id Calculating H r =H(N id Ak ≦ Key), N is set id And H r Sending the information to the terminal equipment, and enabling the edge gateway to enter a safe communication stage;
step 3.3.4, terminal device calculates
Figure FDA0003825495270000025
Comparison
Figure FDA0003825495270000026
And H r If the two are the same, the verification fails and the negotiation is carried out again; if the two types of the data are the same, the verification is passed, and the security communication stage is carried out after the verification is passed;
step 4, the edge gateway performs primary processing on data transmitted by the terminal equipment, and partial data and the cloud are coordinated and transmitted to a cloud server;
and 5, the cloud server and the edge gateway process the data together, and the authentication key negotiation of the terminal equipment is uniformly managed by the edge gateway.
2. The lightweight internet of things security key agreement method based on edge computing according to claim 1, characterized in that:
step 2 comprises the registration of the new network access terminal equipment, and the registration process comprises the following steps:
step 2.1, inputting relevant equipment information and a preset password PW at the terminal equipment, generating a unique equipment identity ID by the equipment registering system equipment end through the equipment information, and generating a random number N i And calculates the password C i =H(ID,PW⊕N i );
Step 2.2, the terminal equipment saves ID, PW and C i ,C i And the ID is transmitted to a registration server through a secure channel for checking and storing;
step 2.3, at the edge gateway, the registration server inquires through the equipment identity ID, and if the equipment identity ID is registered, the registered information is returned; if the equipment ID is not registered, the server end stores C i And the equipment identity ID and returns registration success information.
3. The lightweight internet of things security key agreement method based on edge computing according to claim 2, characterized in that:
the device information includes: a device area number, a device type number, and a device number.
4. The lightweight internet of things security key agreement method based on edge computing according to claim 1, characterized in that:
and 3.2, the terminal equipment and the edge gateway use an ECDH key exchange algorithm to carry out key negotiation exchange.
CN202010806877.5A 2020-08-12 2020-08-12 Lightweight Internet of things security key negotiation method based on edge calculation Active CN112073379B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010806877.5A CN112073379B (en) 2020-08-12 2020-08-12 Lightweight Internet of things security key negotiation method based on edge calculation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010806877.5A CN112073379B (en) 2020-08-12 2020-08-12 Lightweight Internet of things security key negotiation method based on edge calculation

Publications (2)

Publication Number Publication Date
CN112073379A CN112073379A (en) 2020-12-11
CN112073379B true CN112073379B (en) 2022-11-11

Family

ID=73661225

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010806877.5A Active CN112073379B (en) 2020-08-12 2020-08-12 Lightweight Internet of things security key negotiation method based on edge calculation

Country Status (1)

Country Link
CN (1) CN112073379B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112468983B (en) * 2020-12-18 2022-05-10 国网河北省电力有限公司电力科学研究院 Low-power-consumption access authentication method for intelligent equipment of power internet of things and auxiliary device thereof
CN114650156B (en) * 2020-12-18 2023-11-14 北京华弘集成电路设计有限责任公司 Real-time data transmission method and system for Internet of things
CN112702171B (en) * 2020-12-23 2021-10-15 北京航空航天大学 Distributed identity authentication method facing edge gateway
CN112596914B (en) * 2020-12-29 2024-03-15 贵州大学 IoT-oriented edge node system architecture, working method thereof and computing migration method
CN112822274B (en) * 2021-01-08 2022-06-21 苏州蓝赫朋勃智能科技有限公司 Safety verification method and device for household edge computing system
CN112751661B (en) * 2021-01-14 2022-05-06 重庆邮电大学 Industrial field device privacy data protection method based on homomorphic encryption
CN112511393B (en) * 2021-02-08 2022-04-15 腾讯科技(深圳)有限公司 Equipment linkage control method and device and storage medium
CN113507474B (en) * 2021-07-14 2022-04-12 同济大学 User data cloud, side end and terminal collaborative interaction encryption and decryption method
CN113783868B (en) * 2021-09-08 2023-09-01 广西东信数建信息科技有限公司 Method and system for protecting Internet of things safety of gate based on commercial password
CN113783893A (en) * 2021-09-29 2021-12-10 远景智能国际私人投资有限公司 Data transmission method, device and system
CN114095256B (en) * 2021-11-23 2023-09-26 广州市诺的电子有限公司 Terminal authentication method, system, equipment and storage medium based on edge calculation
CN114389838A (en) * 2021-12-08 2022-04-22 广东电网有限责任公司 Terminal security access control method for identifying abnormal service from multiple dimensions
CN114501440B (en) * 2022-01-04 2024-02-09 中国人民武装警察部队工程大学 Authentication key protocol for block chain application at edge of wireless sensor network
CN114398602A (en) * 2022-01-11 2022-04-26 国家计算机网络与信息安全管理中心 Internet of things terminal identity authentication method based on edge calculation
CN114221822B (en) * 2022-01-12 2023-10-27 杭州涂鸦信息技术有限公司 Distribution network method, gateway device and computer readable storage medium
CN114935630A (en) * 2022-05-17 2022-08-23 河南省保时安电子科技有限公司 Internet of things platform for intelligently analyzing data of industrial gas detector
CN115085943B (en) * 2022-08-18 2023-01-20 南方电网数字电网研究院有限公司 Edge computing method and platform for safe encryption of electric power Internet of things in north and south directions
CN117221010B (en) * 2023-11-07 2024-01-12 合肥工业大学 Cloud-based vehicle ECU identity authentication method, communication method and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107919956A (en) * 2018-01-04 2018-04-17 重庆邮电大学 End-to-end method for protecting under a kind of internet of things oriented cloud environment
CN110995432A (en) * 2020-03-05 2020-04-10 杭州字节物联安全技术有限公司 Internet of things sensing node authentication method based on edge gateway

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107919956A (en) * 2018-01-04 2018-04-17 重庆邮电大学 End-to-end method for protecting under a kind of internet of things oriented cloud environment
CN110995432A (en) * 2020-03-05 2020-04-10 杭州字节物联安全技术有限公司 Internet of things sensing node authentication method based on edge gateway

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
物联网终端可信认证与自动接入技术研究与实现;鲁阳;《中国优秀硕士学位论文全文数据库 信息科技辑》;20200215;第3-4章 *

Also Published As

Publication number Publication date
CN112073379A (en) 2020-12-11

Similar Documents

Publication Publication Date Title
CN112073379B (en) Lightweight Internet of things security key negotiation method based on edge calculation
CN113783836B (en) Internet of things data access control method and system based on block chain and IBE algorithm
CN111083131B (en) Lightweight identity authentication method for power Internet of things sensing terminal
CN112039872B (en) Cross-domain anonymous authentication method and system based on block chain
CN108737436B (en) Cross-domain server identity authentication method based on trust alliance block chain
CN112953727B (en) Internet of things-oriented equipment anonymous identity authentication method and system
CN109743172A (en) Based on alliance's block chain V2G network cross-domain authentication method, information data processing terminal
CN110708170A (en) Data processing method and device and computer readable storage medium
CN109347809A (en) A kind of application virtualization safety communicating method towards under autonomous controllable environment
CN110267270B (en) Identity authentication method for sensor terminal access edge gateway in transformer substation
CN110581854A (en) intelligent terminal safety communication method based on block chain
US20230089134A1 (en) Data communication method and apparatus, computer device, and storage medium
CN113746632B (en) Multi-level identity authentication method for Internet of things system
CN113301022B (en) Internet of things equipment identity security authentication method based on block chain and fog calculation
Jia et al. A Blockchain-Assisted Privacy-Aware Authentication scheme for internet of medical things
CN112910861A (en) Group authentication and segmented authentication-based authentication method for terminal equipment of power internet of things
WO2023236551A1 (en) Decentralized trusted access method for cellular base station
CN113055394A (en) Multi-service double-factor authentication method and system suitable for V2G network
CN101577620A (en) Authentication method of Ethernet passive optical network (EPON) system
CN115514474A (en) Industrial equipment trusted access method based on cloud-edge-end cooperation
CN114024698A (en) Power distribution Internet of things service safety interaction method and system based on state cryptographic algorithm
CN103781026A (en) Authentication method of general authentication mechanism
CN116599659B (en) Certificate-free identity authentication and key negotiation method and system
CN110430207B (en) Multi-point remote cross-network interaction collaborative authentication method for smart power grid
CN116388995A (en) Lightweight smart grid authentication method based on PUF

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant