CN112152816B - Credible mechanism of Internet of things security chip - Google Patents
Credible mechanism of Internet of things security chip Download PDFInfo
- Publication number
- CN112152816B CN112152816B CN202011014771.8A CN202011014771A CN112152816B CN 112152816 B CN112152816 B CN 112152816B CN 202011014771 A CN202011014771 A CN 202011014771A CN 112152816 B CN112152816 B CN 112152816B
- Authority
- CN
- China
- Prior art keywords
- information
- internet
- verification node
- entropy
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000007246 mechanism Effects 0.000 title claims abstract description 27
- 230000006854 communication Effects 0.000 claims abstract description 22
- 238000004891 communication Methods 0.000 claims abstract description 18
- 230000004044 response Effects 0.000 claims abstract description 15
- 230000005284 excitation Effects 0.000 claims abstract description 11
- 238000012795 verification Methods 0.000 claims description 61
- 238000000605 extraction Methods 0.000 claims description 8
- 238000012545 processing Methods 0.000 claims description 7
- 238000011084 recovery Methods 0.000 claims description 6
- 230000001172 regenerating effect Effects 0.000 claims description 2
- 238000004519 manufacturing process Methods 0.000 abstract description 8
- 238000000034 method Methods 0.000 description 15
- 230000006870 function Effects 0.000 description 10
- 230000008569 process Effects 0.000 description 5
- 238000012549 training Methods 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 230000001934 delay Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000010801 machine learning Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 238000003860 storage Methods 0.000 description 2
- 238000013475 authorization Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000007613 environmental effect Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000010355 oscillation Effects 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 238000011946 reduction process Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3278—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a credible mechanism of a security chip of the Internet of things, which relates to the technical field of the security of the Internet of things and comprises the following steps: acquiring a physical unclonable function of a chip, and extracting a plurality of corresponding pairs of excitations from the physical unclonable function; extracting a response part of the corresponding pair of the excitation as a first entropy value, and adding the first entropy value into an entropy pool; extracting communication protocol information in the communication process as a second entropy value by the Internet of things equipment, and adding the second entropy value into the entropy pool; combining the first entropy value and the second entropy value in the entropy pool to obtain physical characteristic information; inputting the physical characteristic information into a fuzzy extractor, outputting auxiliary data P and a uniform random value R by the fuzzy extractor, and taking the auxiliary data P and the uniform random value R as registration information registration identities; the invention uses the random characteristic 'physical fingerprint' as identity registration information in the chip production and manufacturing process, and uses the block chain as an identity generation and registration platform, thereby having high safety.
Description
Technical Field
The invention relates to the technical field of Internet of things security, in particular to a credible mechanism of an Internet of things security chip.
Background
The unique identification of the internet of things device is a basic function, and can have a plurality of application scenarios, such as software authorization (how to ensure that your software can be used on a specific machine after authorization), software License, device identification and the like. The current common modes have many problems:
(1) MAC address of network card
MAC addresses are probably the most common identification methods, but this method is now largely unreliable: a computer may have multiple network cards and multiple MAC addresses, for example, a typical notebook may have multiple MAC addresses such as wired, wireless, and bluetooth, and the MAC addresses may change each time with the change of different connection modes. Also, the MAC address is more when the virtual machine is installed. Another more fatal weakness of MAC addresses is that MAC addresses are easily changed manually. Therefore, the MAC address is not basically recommended to be used as the device unique ID.
(2)CPU ID
The CPU ID can be viewed in the Windows system by running the "wmic CPU get process" through the command line.
At present, the CPU ID can not uniquely identify the equipment, and Intel can not provide unique ID any more because the CPU IDs of the same batch are the same. And through practical testing, the CPU IDs of the newly purchased PCs of the same batch are likely to be the same. This can be problematic as a unique identification of the device.
The identity authentication of the internet of things equipment refers to that when the internet of things equipment is accessed into an internet of things system, the identity of the equipment needs to be identified so as to confirm the validity of the equipment. The equipment authentication is the first step of the safety of the whole Internet of things, for legal equipment, the identity authentication mechanism allows the legal equipment to be accessed into the Internet of things to perform data communication and information exchange with other equipment, and for illegal equipment, the identity authentication mechanism limits the access of the illegal equipment into the Internet of things, so that potential safety hazards caused by the illegal equipment are avoided.
Disclosure of Invention
The invention provides a credible mechanism of an Internet of things security chip, which solves the technical problems in the related technology.
According to one aspect of the invention, a trusted mechanism of an internet of things security chip is provided, which comprises the following steps:
s100, acquiring a physical unclonable function of a chip, and extracting a plurality of corresponding pairs of excitations from the physical unclonable function;
s200, extracting a response part of the corresponding pair of the excitations as a first entropy value, and adding the first entropy value into an entropy pool;
extracting communication protocol information in the communication process as a second entropy value by the Internet of things equipment, and adding the second entropy value into the entropy pool;
s300, combining the first entropy value and the second entropy value in the entropy pool to obtain physical characteristic information;
s400, inputting the physical characteristic information Wm into a fuzzy extractor, outputting auxiliary data Pm and a uniform random value Rm by the fuzzy extractor, and taking the auxiliary data Pm and the uniform random value Rm as registration information registration identities;
s500, in an authentication stage, a uniform random value Rm 'is generated again through physical characteristic information Wm' of the Internet of things equipment to be authenticated and output auxiliary data Pm ', whether | Rm' -Rm | is smaller than a preset threshold value or not is verified, if yes, authentication is successful, and if not, authentication fails.
Further, the regenerating of the uniform random value Rm 'through the physical characteristic information Wm' and the output auxiliary data Pm 'of the internet of things device to be authenticated is calculated through a recovery algorithm of a fuzzy extraction technology by using the physical characteristic information and the output auxiliary data Pm'.
Further, the communication protocol information is a system frame number of the MIB in the LTE standard.
Further, the communication protocol information is obtained by rearranging the character string of the system frame number according to a predetermined rule.
Further, the physical characteristic information obtained by combining the first entropy value and the second entropy value is the addition of the first entropy value and the second entropy value or the direct combination, wherein the direct combination is that the binary word of the first entropy value and the second entropy value is coincident, and the binary word of the second entropy value is arranged after the binary word of the first entropy value.
Further, registering the helper data P and the uniform random value R as the registration information includes:
generating a user name IDm, a password PWm, auxiliary data Pm (public) and a uniform random value Rm (obtained by a fuzzy extraction algorithm through physical characteristic information Wm) by using the Internet of things equipment Um, and sending the user name IDm, the password PWm, the auxiliary data Pm (public) and the uniform random value Rm to a non-verification node NVP of a block chain;
the non-verification node NVP inquires whether the user name IDm is registered to the registration block chain or not through the registration block chain;
if so, registered information is sent to the Internet of things equipment Um, otherwise unregistered information is sent to the Internet of things equipment Um;
after the Internet of things equipment Um receives the unregistered information, the Internet of things equipment Um sends the registered information to the non-verification node NVP;
the Internet of things equipment Um performs Hash processing on the password PWm to obtain a fixed-length password Hm;
encrypting the uniform random value Rm by using a public key PUBnvp of the non-verification node NVP to obtain Envp (Rm), combining to obtain intermediate information IDm, Envp (Rm), Pm and Hm, and sending to the non-verification node NVP;
in the step, after the intermediate information is sent to the non-verification node NVP, the Internet of things equipment Um does not store the auxiliary data Pm and the uniform random value Rm;
the non-verification node NVP executes a block chain intelligent contract to initiate the registration transaction, and a private key PRA of the non-verification node NVP is used for signing intermediate information IDm, Envp (Rm), Pm, Hm and IDnvp to generate SIGNVp, wherein IDnvp is ID information of the non-verification node NVP;
the non-verification node NVP broadcasts the registration transaction information to the verification node VP; the registered transaction information comprises IDm, Envp (Rm), Hm, IDnvp and SIGNNvp;
the verification node VP verifies the registration transaction initiated by the non-verification node NVP, and writes a plurality of registration transaction generation blocks into the registration block chain through a consensus mechanism in one period.
Further, the authentication phase includes:
the Internet of things equipment Um 'is provided with a user name IDm' and a password PWm 'and generates physical characteristic information Wm' and initiates a verification request to a non-verification node NVP;
the non-verification node NVP executes a block chain intelligent contract to verify whether the IDm' is a registered user;
if yes, executing the next step, otherwise, failing to authenticate;
the NVP carries out Hash processing on the password PWm 'through the IDm' to obtain a fixed-length password Hm ', and verifies whether Hm' is the same as Hm or not;
if yes, executing the next step, otherwise, failing to authenticate;
the non-verification node NVP queries the auxiliary data Pm through IDm ', and recovers to obtain a uniform random value Rm ' through a recovery algorithm of a fuzzy extraction technology based on the auxiliary data Pm and the physical characteristic information Wm ';
the NVP judges whether the absolute value of the difference value alpha ' between Rm ' and Rm exceeds a preset threshold alpha or not, if alpha ' is less than alpha, the authentication is successful, and the next step is executed;
if the alpha' is more than or equal to the alpha, finishing the authentication and failing the authentication;
and the non-verification node NVP generates and endorses the information of the current authentication transaction, broadcasts the information to the verification node VP, and packs a plurality of authentication transactions into blocks through a consensus mechanism within a certain time and writes the blocks into an authentication chain.
Further, the non-verification node NVP generating and endorsing the authentication transaction information includes the following steps:
the non-verification node NVP initiates the authentication transaction, and signs IDm ', Rm', Hm 'and IDnvp to generate SIGNNvp';
the authentication transaction information includes IDm ', Rm', Hm ', IDnvp, SIGNnvp'.
The invention has the beneficial effects that: according to the invention, the random characteristic physical fingerprint in the chip production and manufacturing process is used as the identity registration information, when the equipment is inactive, the equipment cannot be opened or all memory contents cannot be read, the equipment has non-replicability and variability, and the identity generation mechanism based on the equipment can greatly improve the security of the Internet of things;
according to the method, the final physical characteristic information is obtained by combining the two types of sources of entropy values into the entropy pool, so that the sources of the physical characteristic information of the equipment of the Internet of things are enriched, and the establishment of a physical fingerprint model through machine learning hard solution is avoided;
the identity generation and registration platform based on the block chain has the advantages that through the irreparable modification and decentralization characteristics of the block chain, the possibility of modifying the registration information after the server is broken can be avoided, and the safety is further improved.
Drawings
Fig. 1 is a schematic flow diagram of a trusted mechanism of an internet of things security chip according to an embodiment of the present invention;
fig. 2 is a table of CPRs for a plurality of stimulus Corresponding Pairs (CPRs) according to an embodiment of the present invention.
Detailed Description
The subject matter described herein will now be discussed with reference to example embodiments. It should be understood that these embodiments are discussed only to enable those skilled in the art to better understand the subject matter described herein and are not intended to limit the scope, applicability, or examples set forth in the claims. Changes may be made in the function and arrangement of elements discussed without departing from the scope of the disclosure. Various examples may omit, substitute, or add various procedures or components as needed. For example, the described methods may be performed in an order different from that described, and various steps may be added, omitted, or combined. In addition, features described with respect to some examples may also be combined in other examples.
The term "entropy" is originally a thermodynamic concept, and is used as a factor for increasing randomness in cryptography, and sometimes environmental "noise" is used to refer to the factor for increasing entropy, and the noise herein does not refer to sound, but may be a randomness factor in environments such as images, magnetic fields, light rays, motion tracks and the like.
The "entropy pool" refers to a data structure designed at a system or application level, and is used for collecting "noise" in an environment, and when a random number is needed, the collected "noise" is selected from the entropy pool to serve as the random number.
The "fingerprint" referred to in the present invention is not a biometric fingerprint, but refers to a physical characteristic unique to a device;
in this embodiment, an internet of things security chip trusted mechanism is provided, as shown in fig. 1, a schematic flow diagram of the internet of things security chip trusted mechanism according to the present invention is shown in fig. 1, and the internet of things security chip trusted mechanism includes the following steps:
s100, acquiring a Physical Unclonable Function (PUF) of a chip, and extracting a plurality of excitation Corresponding Pairs (CPRs) from the Physical Unclonable Function (PUF);
the "physical fingerprint" of a chip is a random feature in the production and manufacturing process of the chip, and the physical fingerprint has uniqueness and non-reproducible characteristics, such as time delay, frequency, voltage and the like. The physical unclonable function is a function of functional units for differential identification of "physical fingerprints" built inside the chip. The most important operating characteristics of a PUF are its uniqueness and irreproducibility, with each input stimulus corresponding to an output response, and the outputs of the various circuits being unpredictable, i.e. "stimulus-response pairs" CPRs. CPRs are only generated in the case of stimulus inputs, and response outputs are not present in the case of stimulus failures. And the PUF has the natural characteristic of resisting the split-bark attack, once the chip is split, the physical characteristic of the chip is changed, the CPRs are also changed, and a plurality of generated PUFs with randomness and uniqueness are output as the key of the cryptographic algorithm by utilizing the random deviation of the chip in the manufacturing process, so that the cryptographic algorithm has the advantage of being safe.
Digital circuit PUFs currently have two main implementations:
1) is generated by using the propagation delay of the digital signal. When a digital signal is transmitted among various components, propagation delays exist, and the delays are related to parameters of the components, such as the length and width of a MOSFET channel, the threshold voltage, the thickness of an oxide layer and the like. Therefore, the propagation delay of the digital signal has randomness, which is the embodiment of the physical unclonable function. Common types of PUFs based on propagation delay are arbierPUFs and ring oscillator PUFs. The arbierpup realizes two symmetrical digital circuits on an IC, selects a specific path for signal propagation by external excitation, and finally sets an arbiter at the end point of the two paths to judge the arrival sequence of electrical signals on the two paths to output response. The ring oscillator PUF outputs a response by measuring the number of oscillations per unit time of the electrical signals on the two paths.
2) Generated using the steady state of the memory cell circuit. Generally, digital storage is accomplished by bistable logic cells. Specifically, a bistable logic cell is implemented by two cross-coupled gates, such as inverters, and then a register selectively stores one of the states to store a binary digit. However, if the bistable ballast unit enters an unstable state, it will oscillate between unstable states until it reaches a stable state, and will obviously be biased towards either state. This bias is generally caused by process variations in the manufacturing process, which are also a manifestation of the physically unclonable function. SRAMPUFl9 outputs a response through the steady state of a static random access cell or flip-flop. Butterfly PUFs output a response by destroying the steady state of a cell.
S200, extracting a response part of corresponding pairs of excitation (CPRs) as a first entropy value, and adding the first entropy value into an entropy pool;
extracting communication protocol information in the communication process as a second entropy value by the Internet of things equipment, and adding the second entropy value into the entropy pool;
s300, combining the first entropy value and the second entropy value in the entropy pool to obtain physical characteristic information;
s400, inputting the physical characteristic information Wm into a Fuzzy Extractor (FE), outputting auxiliary data Pm (public) and a uniform random value Rm by the Fuzzy Extractor (FE), and taking the auxiliary data Pm and the uniform random value Rm as registration information registration identities;
s500, in the authentication stage, a uniform random value Rm 'is regenerated through physical characteristic information Wm' of the Internet of things equipment to be authenticated and output auxiliary data Pm ', whether | Rm' -Rm | is smaller than a preset threshold value is verified, if yes, authentication is successful, and if not, authentication fails.
The uniform random value Rm 'is regenerated through the physical characteristic information Wm' of the Internet of things equipment to be authenticated and the output auxiliary data Pm 'and is obtained through calculation through a recovery algorithm of a fuzzy extraction technology by the physical characteristic information and the output auxiliary data Pm'.
In the above-described trusted mechanism, although physical characteristic information has irreproducibility and complete randomness, SRAMPUF and ring oscillator PUFs are typically weak PUFs. Strong PUFs can be based on their high entropy content
Providing a large number of CRPs, a feature that makes it possible to support very well the lightweight class of CRPs in networking security
And (5) identity authentication. Arbierpufs are the most typical strong PUFs. The current strong PUF is easily attacked by machine learning, and has great potential safety hazard. An attacker can simulate (clone) the entire PUF instance by collecting the very small number of CRPs exchanged over the communication channel, and the cloned PUF parametric model can exhibit almost the same stimulus-response behavior as a hardware PUF. For example, for a 64x64 Arbiter PUF, the prediction accuracy of the training model may exceed 95% when using about 650 pairs of CRPs (training time on a common PC is about 0.01s) for modeling attacks; when 18050 pairs of CRPs (training time on ordinary PC is about 0.6s) are used, the prediction accuracy is up to 99.9% 11.
Although this embodiment overcomes this problem to some extent, the internet of things device needs to register to the server, which means that the physical characteristic information needs to be stored in the server, once the server is broken, an illegal access person can directly authenticate by modifying the registration information, which means that illegal access will become easy, and to solve this problem, this embodiment provides a trusted mechanism combining a block chain, storing the registration information in the block chain, and avoiding the registration information from being modified based on the unchangeable characteristic and the decentralized characteristic of the block chain, including:
generating a user name IDm, a password PWm, auxiliary data Pm (public) and a uniform random value Rm (obtained by a fuzzy extraction algorithm through physical characteristic information Wm) by using the Internet of things equipment Um, and sending the user name IDm, the password PWm, the auxiliary data Pm (public) and the uniform random value Rm to a non-verification Node (NVP) of a block chain;
a non-verification Node (NVP) inquires whether the user name IDm is registered to a registration block chain or not through the registration block chain;
if so, registered information is sent to the Internet of things equipment Um, otherwise unregistered information is sent to the Internet of things equipment Um;
after the Internet of things device Um receives the unregistered information, the Internet of things device Um sends the registered information to a non-verification Node (NVP);
the Internet of things equipment Um carries out Hash processing on the password PWm to obtain a fixed-length password Hm;
encrypting a uniform random value Rm by using a public key PUBnvp of a non-verification Node (NVP) to obtain Envp (Rm), combining to obtain intermediate information IDm, Envp (Rm), Pm and Hm, and sending to the non-verification Node (NVP);
in the step, after the intermediate information is sent to a non-verification Node (NVP), the Internet of things equipment Um does not store auxiliary data Pm and a uniform random value Rm;
the non-verification Node (NVP) executes a block chain intelligent contract to initiate the registration transaction, and a self private key PRA is used for signing intermediate information IDm, Envp (Rm), Pm, Hm and IDnvp to generate SIGNVp, wherein IDnvp is ID information of the non-verification Node (NVP);
broadcasting, by a non-verification Node (NVP), registration transaction information to a verification node (VP); the registered transaction information comprises IDm, Envp (Rm), Hm, IDnvp and SIGNNvp;
the verification node (VP) verifies the registration transaction initiated by the non-verification Node (NVP), and writes a plurality of registration transaction generation blocks into the registration block chain through a consensus mechanism in one period.
In addition, the present embodiment provides an example of authentication:
the Internet of things equipment Um 'has a user name IDm' and a password PWm 'and generates physical characteristic information Wm' and initiates an authentication request to a non-authentication Node (NVP);
the non-verification Node (NVP) executes a block chain intelligent contract to verify whether the IDm' is a registered user;
if yes, executing the next step, otherwise, failing to authenticate;
the non-verification Node (NVP) performs Hash processing on the password PWm 'through the IDm' fixed-length password Hm to obtain a fixed-length password Hm ', and verifies whether the Hm' is the same as the Hm or not;
if yes, executing the next step, otherwise, failing to authenticate;
a non-verification Node (NVP) queries auxiliary data Pm through IDm ', and recovers to obtain a uniform random value Rm ' through a recovery algorithm of a fuzzy extraction technology based on the auxiliary data Pm and physical characteristic information Wm ';
judging whether the absolute value of the difference value alpha ' between Rm ' and Rm exceeds a preset threshold alpha by a non-verification Node (NVP), if alpha ' is less than alpha, successfully authenticating, and executing the next step;
if alpha' is more than or equal to alpha, the authentication is ended and the authentication fails.
And the non-verification Node (NVP) generates and endorses the information of the current authentication transaction, broadcasts the information to the verification node (VP), and packs a plurality of authentication transactions into blocks through a consensus mechanism within a certain time and writes the blocks into an authentication chain.
The non-verification Node (NVP) generates the authentication transaction information and endorses the authentication transaction information comprises the following steps:
the non-verification Node (NVP) initiates the authentication transaction, and signs IDm ', Rm', Hm 'and IDnvp to generate SIGNNvp';
the authentication transaction information comprises IDm ', Rm', Hm ', IDnvp and SIGNVp';
in the embodiment, the registration information is stored based on the blockchain, so that the registration information is prevented from being tampered, and the safety of identity generation and authentication of the internet of things is improved by using the irreparable property and the decentralization property of the blockchain.
The communication protocol information may be wired communication protocol information or wireless communication protocol information in this embodiment;
the wireless communication protocol information may be selected from, but not limited to: frequency domain information, channel information, time synchronization information, physical configuration information.
The present embodiment provides a specific embodiment: the Internet of things equipment carries out communication based on a communication protocol of an LTE standard;
extracting a system frame number of an MIB in an LTE standard as communication protocol information, wherein the range of the frame number in the LTE standard is 0-1023, and 1024 data can be completely coded by 10 bits, so that the system frame number in the LED standard is a binary string with a fixed length, and the binary string is used as wireless communication protocol information, namely a second entropy;
further, in order to reduce the size of the entropy pool, that is, the difference range of the physical characteristic information, the embodiment performs a reduction process on the system frame number information, including:
rearranging character strings of the system frame number according to the following preset rules:
the 0 characters are all located before the 1 characters;
carrying out reduction processing on the system frame number information in the above way, and reducing the fluctuation range of the second entropy;
in this embodiment, a combination of the first entropy and the second entropy is explained by combining the second entropy, and the first entropy is a response part of the excitation Corresponding Pairs (CPRs) extracted as the first entropy, specifically:
the table of the CPRs of the plurality of excitation Corresponding Pairs (CPRs) as shown in fig. 2 should be as shown, the response part, i.e. the right half part of the table, after extracting the binary characters of all the response parts, the first entropy value is obtained by combination;
the combination can be selected from but not limited to: sorting and combining;
for the combination of the first entropy value and the second entropy value, it may be the addition of the first entropy value and the second entropy value or a direct combination, the direct combination being the coincidence of the binary word of the first entropy value and the second entropy value and the binary word of the second entropy value being arranged after the binary word of the first entropy value.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.
Claims (6)
1. An internet of things security chip credibility mechanism is characterized by comprising the following steps:
s100, acquiring a physical unclonable function of a chip, and extracting a plurality of corresponding pairs of excitations from the physical unclonable function;
s200, extracting a response part of the corresponding pair of the excitations as a first entropy value, and adding the first entropy value into an entropy pool;
extracting communication protocol information in the communication process as a second entropy value by the Internet of things equipment, and adding the second entropy value into the entropy pool;
s300, combining the first entropy and the second entropy in the entropy pool to obtain physical characteristic information;
s400, inputting the physical characteristic information Wm into a fuzzy extractor, outputting auxiliary data Pm and a uniform random value Rm by the fuzzy extractor, and using the auxiliary data Pm and the uniform random value Rm as registration information registration identities;
s500, in the authentication stage, a uniform random value Rm ' is regenerated through physical characteristic information Wm ' of the Internet of things equipment to be authenticated and output auxiliary data Pm, whether | Rm ' -Rm | is smaller than a preset threshold value is verified, if yes, authentication is successful, and if not, authentication fails;
the physical characteristic information obtained by combining the first entropy value and the second entropy value is the addition or direct combination of the first entropy value and the second entropy value, the direct combination is the coincidence of the binary characters of the first entropy value and the second entropy value, and the binary character of the second entropy value is arranged behind the binary character of the first entropy value;
generating a user name IDm, a password PWm, auxiliary data Pm and a uniform random value Rm by the Internet of things equipment Um, and sending the user name IDm, the password PWm, the auxiliary data Pm and the uniform random value Rm to a non-verification node NVP of a block chain;
the non-verification node NVP inquires whether the user name IDm is registered to the registration block chain or not through the registration block chain;
if so, registered information is sent to the Internet of things equipment Um, otherwise unregistered information is sent to the Internet of things equipment Um;
after the Internet of things device Um receives the unregistered information, the Internet of things device Um sends the registered information to the non-verification node NVP;
the Internet of things equipment Um performs Hash processing on the password PWm to obtain a fixed-length password Hm;
encrypting the uniform random value Rm by using a public key PUBnvp of the non-verification node NVP to obtain Envp (Rm), combining to obtain intermediate information IDm, Envp (Rm), Pm and Hm, and sending to the non-verification node NVP;
in the step, after the intermediate information is sent to the non-verification node NVP, the Internet of things equipment Um does not store the auxiliary data Pm and the uniform random value Rm;
the non-verification node NVP executes a block chain intelligent contract to initiate the registration transaction, and a private key PRA of the non-verification node NVP is used for signing intermediate information IDm, Envp (Rm), Pm, Hm and IDnvp to generate SIGNVp, wherein IDnvp is ID information of the non-verification node NVP;
the non-verification node NVP broadcasts the registration transaction information to the verification node VP; the registered transaction information comprises IDm, Envp (Rm), Hm, IDnvp and SIGNNvp;
the verification node VP verifies the registration transaction initiated by the non-verification node NVP, and writes a plurality of registration transaction generation blocks into the registration block chain through a consensus mechanism in one period.
2. The internet of things security chip trusted mechanism of claim 1, wherein the regenerating of the uniform random value Rm 'by the physical feature information Wm' and the output auxiliary data Pm of the internet of things device to be authenticated is calculated by a recovery algorithm of a fuzzy extraction technology using the physical feature information and the output auxiliary data Pm.
3. The internet of things security chip trust mechanism of claim 1, wherein the communication protocol information is a system frame number of the MIB in the LTE standard.
4. The internet-of-things security chip trusted mechanism as claimed in claim 1, wherein the communication protocol information is obtained by rearranging strings of system frame numbers according to a predetermined rule.
5. The internet-of-things security chip trust mechanism of claim 1, wherein the authentication phase comprises:
the Internet of things equipment Um 'is provided with a user name IDm' and a password PWm 'and generates physical characteristic information Wm' and initiates an authentication request to a non-authentication node NVP;
the NVP executes a block chain intelligent contract to verify whether the IDm' is a registered user;
if yes, executing the next step, otherwise, failing to authenticate;
the non-verification node NVP carries out Hash processing on the password PWm ' through the IDm ' fixed-length password Hm ' to obtain a fixed-length password Hm ', and verifies whether the Hm ' is the same as the Hm or not;
if yes, executing the next step, otherwise, failing to authenticate;
the non-verification node NVP queries the auxiliary data Pm through IDm ', and recovers through a recovery algorithm of a fuzzy extraction technology based on the auxiliary data Pm and the physical characteristic information Wm ' to obtain a uniform random value Rm ';
the non-verification node NVP judges whether the absolute value of the difference value alpha ' between Rm ' and Rm exceeds a preset threshold value alpha, if alpha ' is less than alpha, the authentication is successful, and the next step is executed;
if the alpha' is more than or equal to the alpha, finishing the authentication and failing the authentication;
the non-verification node NVP generates and endorses the information of the authentication transaction, broadcasts the information to the verification node VP, and packs a plurality of authentication transactions into blocks through a consensus mechanism within a certain time and writes the blocks into an authentication chain.
6. The internet of things security chip trusted mechanism as claimed in claim 5, wherein said non-verification node NVP generating and endorsing the authentication transaction information comprises the following steps:
the non-verification node NVP initiates the authentication transaction, and signs IDm ', Rm', Hm 'and IDnvp to generate SIGNNvp';
the authentication transaction information includes IDm ', Rm', Hm ', IDnvp, SIGNnvp'.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011014771.8A CN112152816B (en) | 2020-09-24 | 2020-09-24 | Credible mechanism of Internet of things security chip |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011014771.8A CN112152816B (en) | 2020-09-24 | 2020-09-24 | Credible mechanism of Internet of things security chip |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112152816A CN112152816A (en) | 2020-12-29 |
| CN112152816B true CN112152816B (en) | 2022-07-26 |
Family
ID=73896619
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011014771.8A Active CN112152816B (en) | 2020-09-24 | 2020-09-24 | Credible mechanism of Internet of things security chip |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112152816B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112822011B (en) * | 2021-02-24 | 2022-08-05 | 南京航灵信息科技有限公司 | Internet of things authentication method based on chip features and block chains |
| CN113055183B (en) * | 2021-03-18 | 2022-04-12 | 电子科技大学 | Identity authentication and encryption transmission system based on hardware fingerprint |
| CN113259135B (en) * | 2021-07-06 | 2022-01-21 | 常州市建筑科学研究院集团股份有限公司 | Lightweight blockchain communication authentication device and method for detecting data tamper |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108768660A (en) * | 2018-05-28 | 2018-11-06 | 北京航空航天大学 | Internet of things equipment identity identifying method based on physics unclonable function |
| CN111565110A (en) * | 2020-05-09 | 2020-08-21 | 西安电子科技大学 | Unified identity authentication system and method based on RO PUF multi-core system |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2191410B1 (en) * | 2007-08-22 | 2014-10-08 | Intrinsic ID B.V. | Identification of devices using physically unclonable functions |
| US20120183135A1 (en) * | 2011-01-19 | 2012-07-19 | Verayo, Inc. | Reliable puf value generation by pattern matching |
-
2020
- 2020-09-24 CN CN202011014771.8A patent/CN112152816B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108768660A (en) * | 2018-05-28 | 2018-11-06 | 北京航空航天大学 | Internet of things equipment identity identifying method based on physics unclonable function |
| CN111565110A (en) * | 2020-05-09 | 2020-08-21 | 西安电子科技大学 | Unified identity authentication system and method based on RO PUF multi-core system |
Non-Patent Citations (1)
| Title |
|---|
| 一种基于PUF的PBE系统;咸凛等;《通信技术》;20190510(第05期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112152816A (en) | 2020-12-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112152816B (en) | Credible mechanism of Internet of things security chip | |
| Liang et al. | A mutual security authentication method for RFID-PUF circuit based on deep learning | |
| CN108768660B (en) | Internet of things equipment identity authentication method based on physical unclonable function | |
| US10382965B2 (en) | Identity verification using computer-implemented decentralized ledger | |
| Farha et al. | SRAM-PUF-based entities authentication scheme for resource-constrained IoT devices | |
| Gao et al. | Obfuscated challenge-response: A secure lightweight authentication mechanism for PUF-based pervasive devices | |
| EP2360615B1 (en) | Biometric authentication system and method therefor | |
| KR100340936B1 (en) | Method of Eeffecting Mutual Authentication | |
| CN109005040A (en) | Dynamic multi-secrets key obscures PUF structure and its authentication method | |
| CN109756893A (en) | A kind of intelligent perception Internet of Things anonymous authentication method based on chaotic maps | |
| CN111385103B (en) | Authority processing method, system and device and electronic equipment | |
| Zheng et al. | UDhashing: Physical unclonable function-based user-device hash for endpoint authentication | |
| US11831778B2 (en) | zkMFA: zero-knowledge based multi-factor authentication system | |
| US8984599B2 (en) | Real time password generation apparatus and method | |
| CN114365134A (en) | Secure identity card using unclonable functions | |
| Țiplea et al. | Privacy and reader-first authentication in Vaudenay’s RFID model with temporary state disclosure | |
| CN114499859A (en) | Password verification method, device, equipment and storage medium | |
| Wu et al. | A new authenticated key agreement scheme based on smart cards providing user anonymity with formal proof | |
| US10972286B2 (en) | Token-based authentication with signed message | |
| Rahmani et al. | AMAPG: Advanced mobile authentication protocol for GLOMONET | |
| Zerrouki et al. | A low-cost authentication protocol using Arbiter-PUF | |
| CN101510875A (en) | Identification authentication method based on N-dimension sphere | |
| CN115913577B (en) | Anti-physical clone equipment authentication system and method based on lightweight SPONGENT hash algorithm | |
| Wu et al. | A Blockchain‐Based Hierarchical Authentication Scheme for Multiserver Architecture | |
| CN113630255A (en) | Lightweight bidirectional authentication method and system based on SRAM PUF |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: A Trusted Mechanism for IoT Security Chips Granted publication date: 20220726 Pledgee: Nanjing Bank Co.,Ltd. Nanjing Financial City Branch Pledgor: Nanjing hangling Information Technology Co.,Ltd. Registration number: Y2024980016628 |