CN112953726B - Satellite-ground and inter-satellite networking authentication method, system and application for fusing double-layer satellite network - Google Patents


Info

Publication number
CN112953726B
Authority
CN
China
Prior art keywords
satellite
authentication
orbit
ground
orbit satellite
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110225496.2A
Other languages
Chinese (zh)
Other versions
CN112953726A (en)
Inventor
曹进
石小平
李晖
马如慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University
Priority to CN202110225496.2A
Publication of CN112953726A
Application granted
Publication of CN112953726B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3271: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L 9/3273: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04B: TRANSMISSION
    • H04B 7/00: Radio transmission systems, i.e. using radiation field
    • H04B 7/14: Relay systems
    • H04B 7/15: Active relay systems
    • H04B 7/185: Space-based or airborne stations; Stations for satellite systems
    • H04B 7/18521: Systems of inter linked satellites, i.e. inter satellite service
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00: Reducing energy consumption in communication networks
    • Y02D 30/70: Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention belongs to the technical field of satellite communication information security and discloses a satellite-ground and inter-satellite networking authentication method, system and application for a fused double-layer satellite network. A ground control center, high-orbit satellites and a low-orbit satellite network adopt a hierarchical control mode: the ground control center controls and completes authentication with the high-orbit satellites, and the high-orbit satellites authenticate and control their low-orbit satellite groups. Authentication is divided into three types according to the entities involved: 1) satellite-to-ground and inter-satellite authentication of high-orbit satellites, 2) inter-layer authentication and authentication between low-orbit satellites in the same orbit, and 3) authentication between low-orbit satellites in adjacent orbits. The ground control center stores the shared master keys of all high-orbit satellites, and each high-orbit satellite stores the shared master keys of the low-orbit satellites under its jurisdiction. The invention realizes two-way security authentication between high-orbit satellites and the ground control center, between high-orbit satellites, between layers, and between low-orbit satellites in the same and adjacent orbits, and meets the satellite-ground and inter-satellite networking security authentication requirements of the satellite network with a smaller authentication overhead.

Description

Method, system and application for fusing dual-layer satellite network satellite-ground and inter-satellite networking authentication
Technical Field
The invention belongs to the technical field of satellite communication information security, and particularly relates to a satellite-ground and inter-satellite networking authentication method, system and application of a fusion double-layer satellite network.
Background
At present: modern communication is developing day by day, and satellite communication plays an indispensable role. With the rapid development of 5G communication in 2020, the 5G mobile communication system in the future will integrate radio access technologies including satellite components, and develop giant constellations to extend terrestrial services. The satellite communication has the characteristics of large coverage area, high flexibility and high reliability, and can be used as a supplementary scheme for emergency and disaster recovery. The satellite network can also support machine type communication, paves a road for development of novel applications such as intelligent agriculture, environmental protection, transportation, animal tracking and the like, provides a high-efficiency and convenient communication basis for navigation and aviation industries, and supplements the service of a ground communication system.
The network structure of satellite constellations is becoming more complex, the number of deployed satellites keeps increasing, and the service types are more diversified. For example, GPS (the American global positioning system) uses 6 orbital planes with 55° inclination, with 4 satellites allocated to each orbit to form the constellation; China's Beidou system adopts a typical space network architecture and makes satellite management more flexible through layering, with the Beidou-3 system expected to deploy 30 satellites in medium Earth orbit, geostationary orbit and inclined geosynchronous orbit; the Hongyun ("rainbow cloud") project builds a space-based internet system, a satellite-borne broadband global mobile internet, from 156 satellites; the Hongyan ("swan goose") global satellite constellation communication system comprises 300 low-orbit small satellites; and SpaceX's Starlink ("star chain") project, launched 7 times since May 2019, has put 420 satellites into low Earth orbit (LEO).
However, the satellite communication process is exposed to many security attacks: the highly open wireless link is easily jammed, information is easily intercepted, and the process is threatened by denial of service (DoS) attacks, data forgery or tampering, entity impersonation and the like; because on-board resources are limited, the authentication overhead must be reduced. At the same time, satellite communication distances are long, and the communication link has long delay and is unstable. To ensure secure and reliable transmission of communication information and meet the security requirements of authenticating the identity of a communication entity and negotiating a session key, a trusted networking identity authentication mechanism needs to be designed for the satellite communication network.
Among authentication schemes based on public-key cryptosystems, Gao Jing et al. proposed an improved ElGamal digital signature bidirectional security authentication method that prevents the theft of satellite resources; the identity-based key exchange protocol proposed by Zhong Yantao et al. improves authentication efficiency and enhances the security of satellite communication; for a layered satellite network model, Ren et al. describe in detail a public-key infrastructure based on a hybrid certificate model, improving security and the ability to cope with a complex topology. However, these schemes involve more public-key cryptographic algorithms and have higher computational overhead.
Based on symmetric cryptosystems, Zhang Zijian et al. proposed a satellite-ground and inter-satellite authentication scheme that relies on low-orbit satellites; the process is simple, but it increases the authentication load on the ground station, and the security of the inter-satellite authentication protocol still needs consideration; to reduce the on-board computation load and extend the satellite trust-maintenance time, protocols for networking authentication and trust maintenance of high-orbit satellites have been proposed; the satellite network authentication and trust maintenance protocol (DISA) designed by Huang et al. realizes bidirectional authentication between satellites and reliable maintenance of communication links. Compared with traditional public-key schemes, symmetric cryptosystems require less computation, but each of these schemes is designed for a single scenario, which limits its applicability, and its advantages cannot be fully exploited in some scenarios.
Through the above analysis, the problems and defects of the prior art are as follows:
(1) the satellite-to-ground or inter-satellite identity authentication has high calculation overhead. At present, the number of satellites tends to be large, and the authentication time delay is increased due to large calculation cost, so that the authentication cost needs to be reduced, and the authentication efficiency needs to be improved.
(2) Most existing satellite-ground and inter-satellite networking authentication protocols target a single scenario and have difficulty bringing their advantages to bear when applied across multiple scenarios. Moreover, inter-satellite authentication of low-orbit satellites depends too heavily on the ground station, which increases the ground station's load in processing authentication requests.
(3) The existing satellite networking authentication scheme has some defects in the security of satellite identity privacy protection.
The difficulty of solving these problems and defects is as follows: massive satellite constellations place stricter performance requirements on the authentication scheme, and the scenarios are more complex. However, current solutions have various security and performance drawbacks, and their design lacks a systematic analysis of scenarios. Therefore, the existing scenarios need to be analysed, and a unified and efficient satellite networking authentication scheme provided that, under a unified framework and on the premise of guaranteed security, reduces computation and communication overhead as far as possible and protects satellite identity information.
The significance of solving these problems and defects is as follows: a secure authentication scheme needs to provide mutual authentication, resistance to replay attacks, resistance to DDoS attacks, key uniqueness, satellite identity anonymity and the like, while reducing computation and bandwidth costs so as to improve authentication efficiency, adapt to massive satellite constellations with more complex structures and guarantee the security of satellite communication.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a satellite-ground and inter-satellite networking authentication method, system and application of a fusion double-layer satellite network.
The invention is realized as follows. A satellite-ground and inter-satellite networking authentication method for a fused double-layer satellite network comprises the following: the system consists of a ground control center, high-orbit satellites and a low-orbit satellite network, in a hierarchical control mode in which the ground control center controls and completes authentication with the high-orbit satellites, and the high-orbit satellites authenticate and control their low-orbit satellite groups; authentication is divided into three categories according to the entities involved: 1) satellite-to-ground and inter-satellite authentication of high-orbit satellites, 2) inter-layer authentication and authentication between low-orbit satellites in the same orbit, and 3) authentication between low-orbit satellites in adjacent orbits;
the ground control center stores the shared master keys of all high-orbit satellites centrally, and each high-orbit satellite stores the shared master keys of the low-orbit satellites under its jurisdiction.
Further, in 1), the ground control center completes the authentication of high-orbit satellite B by verifying that its locally generated XMAC equals the MAC generated by high-orbit satellite B; high-orbit satellite B completes the authentication of the ground control center by verifying that its locally generated XRES equals the received RES; high-orbit satellite B decrypts with the inter-satellite session key to obtain RES, verifies RES = XRES, and thereby completes the authentication of high-orbit satellite A; high-orbit satellite A completes the authentication of high-orbit satellite B by verifying that its locally generated XRES2 equals the received RES2;
in 2), low-orbit satellite Li completes the authentication of high-orbit satellite A by verifying locally generated XMAC = MAC; high-orbit satellite A completes the authentication of low-orbit satellite Li by verifying local XRES = RES; low-orbit satellite Li verifies and decrypts to obtain MAC = XMAC, completing the authentication of low-orbit satellite Lj; low-orbit satellite Lj completes the authentication of low-orbit satellite Li by verifying HRES, which it derives from the received RES (the expected value HXRES is supplied by the high-orbit satellite in step three);
in 3), low-orbit satellite Li authenticates satellite Lk by verifying locally generated XMAC = MAC, and low-orbit satellite Lk completes the authentication of low-orbit satellite Li by verifying XRES = RES.
Further, the satellite-ground and inter-satellite networking authentication method for the fused double-layer satellite network specifically comprises the following steps:
step one, satellite registration: before a satellite is launched, the ground control center needs to distribute identity identification information, a preset long-term key and orbit parameters to the satellite;
step two, because the positions of the high-orbit satellites relative to the ground control center are static, communication between some high-orbit satellites and the ground control center requires other satellites to forward messages; the first high-orbit satellite completes satellite-ground authentication with the ground control center on the basis of the long-term pre-shared key, and the remaining high-orbit satellites complete the satellite-ground and inter-satellite authentication of high-orbit satellites with the participation of the ground control center;
step three, authentication between layers and between low-orbit satellites in the same orbit is completed;
step four, authentication between low-orbit satellites in adjacent orbits is completed.
Further, the first step comprises:
(1) the satellite applies to the registration domain for identity registration;
(2) the ground registration domain generates a satellite identity ID from information such as the batch, then obtains a timestamp T_s and generates the pre-shared key MainKey from the private key m of the registration domain. Between the ground control center and a high-orbit satellite the key is generated as MainKey_secA = KDF_m(ID_A, T_s); between a high-orbit satellite and a low-orbit satellite it is generated as MainKey_Ai = KDF_m(ID_A, ID_i, T_s);
(3) the registration domain writes (ID_A, MainKey_secA, MsgKey_g0) and (ID_i, MainKey_Ai, MsgKey_gl) into the corresponding high-orbit or low-orbit satellite respectively, and the ground control center stores (ID_A, MainKey_secA, MsgKey_g0) and (ID_i, MainKey_Ai) for identity authentication; MsgKey_g0 denotes the group key between the ground control center and the high-orbit satellite group, and MsgKey_gl denotes the group key shared within high-orbit satellite group l and low-orbit satellite group l;
where the subscript sec denotes the ground control center, capital-letter subscripts denote high-orbit satellites, and lowercase-letter subscripts denote low-orbit satellites.
Further, the second step includes:
(1) after the first high-orbit satellite has been launched successfully, it completes satellite-ground authentication with the ground control center on the basis of the pre-shared key MainKey_secSAT, specifically:
(1.1) the high-orbit satellite generates the authentication material and sends an authentication request;
the high-orbit satellite generates a random number r, obtains a timestamp T_mac, and generates a message authentication code MAC, an expected authentication response XRES and a satellite-ground session key K_secSAT from the preset long-term shared key; it then stores the authentication vector AV = XRES || K_secSAT || Token, where Token = r || MAC;
finally it adds a timestamp T_msg and sends the request to the ground control center:
[formula image BDA0002957210030000051 (the authentication request) not reproduced on the page]
(1.2) the ground control center completes identity verification:
the authentication center module verifies message freshness through T_msg;
the data center verifies the identity of the high-orbit satellite: according to ID_SAT it requests identity authentication from the registration domain and derives the long-term shared key MainKey_secSAT; if no record is found, the satellite is judged illegal and authentication is terminated. With the derived key MainKey_secSAT and the r' and T_mac' extracted from the received message, it calculates XMAC and verifies
[formula image BDA0002957210030000052 (the XMAC comparison) not reproduced on the page]
if they are equal, it calculates the response value RES and the satellite-ground session key K_secSAT;
thirdly, the ground authentication center sends RES to the high-orbit satellite;
(1.3) the high-orbit satellite verifies RES = XRES; if they are equal, mutual authentication and session key negotiation between the high-orbit satellite and the ground control center are complete;
(2) all high-orbit satellites other than the first must complete the satellite-ground and inter-satellite authentication stage of high-orbit satellites. This stage involves the ground control center, a high-orbit satellite A that already has a secure satellite-ground link, and a high-orbit satellite B to be authenticated, specifically:
(2.1) the high-orbit satellite to be authenticated generates the authentication material and sends an authentication request;
from the preset satellite-ground long-term key MainKey_secB, a random number r and a timestamp T_mac, high-orbit satellite B generates a message authentication code MAC, an expected response value XRES, and the satellite-ground and inter-satellite session keys K_secB and K_AB; the local database then stores the authentication vector AV = XRES || K_secB || K_AB || Token, where Token = r || MAC;
high-orbit satellite B obtains a timestamp T_msg and sends the authentication request
[formula image BDA0002957210030000061 (the authentication request) not reproduced on the page]
to the ground control center, where SSID_A is the broadcast identifier of high-orbit satellite A;
(2.2) the ground control center verifies the identity of the high-orbit satellite;
the authentication center decrypts the received message with MsgKey_g0, determines whether ID_B and SSID_A are valid, and checks that T_msg satisfies T_msg - T_0 ≤ ΔT_msg; if these conditions hold, it passes the remaining parameters to the ground data center;
the ground data center requests identity information from the registration domain according to ID_B and, if the satellite has completed registration, derives the key MainKey_secB; otherwise authentication is terminated. After deriving MainKey_secB, the data center generates the message authentication code XMAC and compares
[formula image BDA0002957210030000062 (the XMAC comparison) not reproduced on the page]
if they are equal, it calculates the response value RES and the satellite-ground session key K_secB, and transmits RES to the ground authentication center;
the ground authentication center finds the identity ID_A of the target satellite and the satellite-ground session key K_secA according to SSID_A, calculates the inter-satellite session key K_AB, adds timestamps and merges them into a new authentication vector
[formula image BDA0002957210030000063 (the authentication vector AV') not reproduced on the page]
the ground authentication center sends AV' to high-orbit satellite A;
(2.3) high-orbit satellite A generates the inter-satellite message authentication code:
first, high-orbit satellite A decrypts with K_secA to obtain T_hxres and verifies message freshness; then it encrypts the newly generated random number R together with RES under K_AB to obtain a new message authentication code C_MAC, and sends C_MAC to high-orbit satellite B;
(2.4) high-orbit satellite B verifies the identities of the ground control center and of high-orbit satellite A:
high-orbit satellite B decrypts the message with the K_AB it generated in advance and verifies
[formula image BDA0002957210030000064 (the RES comparison) not reproduced on the page]
if the two are equal, the identity of the ground control center is verified and the high-orbit satellites are confirmed to share the key K_AB, which verifies the identity of the high-orbit satellite;
second, it generates RES2 in response to the authentication message of high-orbit satellite A and sends it to high-orbit satellite A;
(2.5) after receiving the message, high-orbit satellite A computes XRES2; if XRES2 = RES2, the authentication succeeds.
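The registration of step one and the satellite-ground exchange (1.1) to (1.3) of step two, as an added example that is not part of the patent. The patent does not fix the primitives or message formats, so the following are assumptions: HMAC-SHA256 serves as KDF_m and as the derivation of MAC, XRES/RES and K_secSAT, the labels "MAC", "RES" and "K" separate the three derived values, the freshness window ΔT is 60 s, and a Python dict stands in for the request whose formula image is missing from the page.

```python
"""Added example, not the patent's own code: satellite registration (step one)
and mutual authentication between a high-orbit satellite and the ground control
center (step two, (1.1)-(1.3)).  Assumed: HMAC-SHA256 as KDF_m and as the
MAC/RES/K derivation, the labels "MAC", "RES", "K", a 60 s freshness window."""
import hashlib
import hmac
import secrets

WINDOW = 60  # seconds; assumed value of the freshness window delta-T_msg


def kdf(key, *parts):
    """KDF_key(parts): HMAC-SHA256 over length-prefixed fields (assumption)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()


class RegistrationDomain:
    """Owns the private key m; derives MainKey_secA = KDF_m(ID_A, T_s)."""
    def __init__(self, m):
        self.m = m
        self.registered = {}              # ID_A -> registration timestamp T_s

    def register(self, sat_id, t_s):
        self.registered[sat_id] = t_s
        return kdf(self.m, sat_id, t_s)   # written into the satellite before launch

    def derive(self, sat_id):
        """Re-derive the long-term key on request; None for an unknown ID."""
        if sat_id not in self.registered:
            return None
        return kdf(self.m, sat_id, self.registered[sat_id])


class HighOrbitSatellite:
    def __init__(self, sat_id, main_key):
        self.id, self.main_key, self.av = sat_id, main_key, None

    def build_request(self, now):
        """(1.1): r, T_mac -> MAC, XRES, K_secSAT; keep AV, send Token + T_msg."""
        r, t_mac = secrets.token_bytes(16), now
        mac = kdf(self.main_key, "MAC", r, t_mac)
        xres = kdf(self.main_key, "RES", r, t_mac)
        k = kdf(self.main_key, "K", r, t_mac)
        self.av = (xres, k)               # AV = XRES || K_secSAT || Token
        return {"id": self.id, "r": r, "t_mac": t_mac, "mac": mac, "t_msg": now}

    def verify_response(self, res):
        """(1.3): RES == XRES authenticates the ground; returns K_secSAT."""
        xres, k = self.av
        return k if hmac.compare_digest(res, xres) else None


class GroundControlCenter:
    def __init__(self, domain):
        self.domain = domain

    def handle_request(self, req, now):
        """(1.2): freshness, registration lookup, XMAC == MAC, then RES and K."""
        if abs(now - req["t_msg"]) > WINDOW:
            return None                   # stale or replayed request
        main_key = self.domain.derive(req["id"])
        if main_key is None:
            return None                   # unregistered: illegal satellite
        xmac = kdf(main_key, "MAC", req["r"], req["t_mac"])
        if not hmac.compare_digest(xmac, req["mac"]):
            return None                   # forged or tampered request
        res = kdf(main_key, "RES", req["r"], req["t_mac"])
        return res, kdf(main_key, "K", req["r"], req["t_mac"])


def satellite_ground_auth(sat, gcc, now, delay=0, tamper=False):
    """Run (1.1)-(1.3); returns the agreed session key, or None on failure."""
    req = sat.build_request(now)
    if tamper:                            # simulate a bit flip of the MAC in transit
        req["mac"] = bytes([req["mac"][0] ^ 1]) + req["mac"][1:]
    reply = gcc.handle_request(req, now + delay)
    if reply is None:
        return None
    res, k_ground = reply
    k_sat = sat.verify_response(res)
    return k_sat if k_sat is not None and k_sat == k_ground else None


if __name__ == "__main__":
    domain = RegistrationDomain(b"registration-domain-private-key-m")  # constructed
    key_a = domain.register("HEO-A", 1_700_000_000)
    gcc = GroundControlCenter(domain)
    sat_a = HighOrbitSatellite("HEO-A", key_a)
    print("fresh request:", satellite_ground_auth(sat_a, gcc, now=1_700_000_100) is not None)
    print("delivered 300 s late:", satellite_ground_auth(sat_a, gcc, now=1_700_000_100, delay=300))
```

The ground side never stores MainKey_secSAT; it re-derives it from the registration domain's private key and the recorded T_s, which is the lookup the text describes when the data center "requests identity authentication from the registration domain". The driver exercises the three rejection paths of (1.2): a request delivered outside the window, a request whose MAC was altered in transit, and a satellite ID the registration domain does not know.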
Further, the third step includes:
(1) after the high-orbit satellite has completed the authentication process of step two, the ground registration domain transfers the inter-layer long-term shared keys to the high-orbit satellite over the satellite-ground link, protected by the session key negotiated during satellite-ground authentication, and they are stored in the data center of the high-orbit satellite;
(2) low-orbit satellite Li encrypts an authentication request, which contains a timestamp and the broadcast identifier of low-orbit satellite Lj, with MsgKey_gl and sends it to the high-orbit satellite that controls it;
(3) after receiving the request, the high-orbit satellite uses MsgKey_gl to obtain the identity information and timestamp, and checks the legality of the identity and the freshness of the message;
(4) the high-orbit satellite generates the inter-layer authentication material;
first, the authentication material AV is generated in the high-orbit satellite's data center; it comprises a random number r, a message authentication code MAC, an expected response value XRES and the inter-layer shared key K_Ai, and AV is sent to the authentication center;
second, the high-orbit satellite's authentication center extracts the authentication Token from AV and sends it to low-orbit satellite Li;
(5) low-orbit satellite Li completes inter-layer authentication;
low-orbit satellite Li extracts the timestamp parameter to verify message freshness, generates XMAC as in (4), and verifies that MAC and XMAC are equal, completing the authentication of the high-orbit satellite;
second, after successful verification, it generates the response value RES and the inter-layer shared key K_Ai as in (4) and sends the response value RES to the high-orbit satellite;
(6) the high-orbit satellite verifies that the response value RES = XRES and authorizes the identity of the low-orbit satellite;
(7) after successful verification, the high-orbit satellite generates the low-orbit inter-satellite authentication material;
according to the low-orbit satellite broadcast identifier in the authentication request of step (2), the high-orbit satellite looks up the corresponding identity information and communication encryption key K_Aj and generates the expected authentication response HXRES for low-orbit satellite Lj from the XRES of (4); it generates the inter-satellite shared key K_ij from the inter-layer shared key of step (5), merges the inter-satellite shared key, HXRES, a timestamp and the MAC into the authentication material AV', and sends AV' to low-orbit satellite Lj;
(8) low-orbit satellite Lj extracts the timestamp to verify message freshness, stores the inter-satellite shared key, generates the inter-satellite message authentication code C_MAC by encrypting the MAC, and sends it to low-orbit satellite Li;
(9) low-orbit satellite Li decrypts C_MAC and completes the inter-satellite identity authentication; it then generates an encrypted RES with the inter-satellite encryption key and sends it to low-orbit satellite Lj;
(10) low-orbit satellite Lj verifies the identity of satellite Li.
Further, the fourth step includes:
(1) low-orbit satellite Li encrypts an authentication request, which contains a timestamp and the broadcast identifier of low-orbit satellite Lk, with MsgKey_gl and sends it to the high-orbit satellite A that controls it;
(2) after receiving the request, the high-orbit satellite uses MsgKey_gl to obtain the identity information and timestamp, checks the validity of the identity and the freshness of the message, generates an inter-satellite shared key, and sends the inter-satellite shared key and the timestamp parameter to low-orbit satellite Lk over a secure channel;
(3) low-orbit satellite Lk generates authentication material from the inter-satellite shared key, comprising a random number r, a message authentication code MAC and an expected response value XRES, and sends r and the MAC to low-orbit satellite Li;
(4) low-orbit satellite Li verifies the identity of low-orbit satellite Lk and then sends an authentication response to Lk, completing mutual authentication.
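The high-orbit-satellite-assisted pattern shared by steps three and four, as an added example that is not part of the patent, shown for step four with Li and Lk. Assumed details (the page fixes none of them): HMAC-SHA256 as MAC and KDF, a constructed HMAC-keystream encrypt-then-MAC cipher standing in for the group-key encryption under MsgKey_gl and for the "secure channel" to Lk, JSON message encoding, a 60 s freshness window, K_ik derived from the two inter-layer keys K_Ai and K_Ak plus the request timestamp, and delivery of K_ik to both Li and Lk over their inter-layer channels (the text states the delivery to Lk only).

```python
"""Added example, not the patent's own code: high-orbit-satellite-assisted
authentication between two low-orbit satellites Li and Lk (step four).
Assumed: HMAC-SHA256 as MAC/KDF, a toy encrypt-then-MAC cipher for the
group-key encryption and the secure channel, JSON encoding, 60 s window."""
import hashlib
import hmac
import json
import secrets

WINDOW = 60  # seconds; assumed freshness window


def prf(key, *parts):
    """HMAC-SHA256 over the fields (toy field separator, assumption)."""
    data = b"\x00".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    return b"".join(prf(key, nonce, i) for i in range((n + 31) // 32))[:n]


def seal(key, obj):
    """Encrypt-then-MAC with sub-keys split from `key` (constructed toy cipher)."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(prf(key, "enc"), nonce, len(pt))))
    return nonce + ct + prf(prf(key, "mac"), nonce, ct)


def unseal(key, blob):
    """Returns the decoded object, or None when the tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(key, "mac"), nonce, ct)):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(prf(key, "enc"), nonce, len(ct))))
    return json.loads(pt)


class HighOrbitSatellite:
    """Holds MsgKey_gl and the inter-layer keys K_Ai of the LEOs it governs."""
    def __init__(self, group_key, layer_keys, ssid_to_id):
        self.group_key = group_key
        self.layer_keys = layer_keys      # ID -> inter-layer key K_Ai
        self.ssid_to_id = ssid_to_id      # broadcast identifier -> ID

    def handle_request(self, blob, now):
        """Step four (2): decrypt, check identity and freshness, derive K_ik."""
        req = unseal(self.group_key, blob)
        if req is None or req["id"] not in self.layer_keys:
            return None                   # not a member of this group
        target = self.ssid_to_id.get(req["ssid"])
        if target is None or abs(now - req["t"]) > WINDOW:
            return None                   # unknown peer, or stale request
        k_ik = prf(self.layer_keys[req["id"]], self.layer_keys[target], req["t"])
        to_k = seal(self.layer_keys[target], {"peer": req["id"], "k": k_ik.hex(), "t": now})
        to_i = seal(self.layer_keys[req["id"]], {"peer": target, "k": k_ik.hex(), "t": now})
        return to_k, to_i


class LowOrbitSatellite:
    def __init__(self, sat_id, ssid, group_key, layer_key):
        self.id, self.ssid, self.group_key, self.layer_key = sat_id, ssid, group_key, layer_key
        self.k_inter, self.xres = None, None

    def request(self, peer_ssid, now):
        """Step four (1): request encrypted under MsgKey_gl."""
        return seal(self.group_key, {"id": self.id, "ssid": peer_ssid, "t": now})

    def install_key(self, blob, now):
        m = unseal(self.layer_key, blob)
        if m is None or abs(now - m["t"]) > WINDOW:
            return False
        self.k_inter = bytes.fromhex(m["k"])
        return True

    def challenge(self, now):
        """Step four (3): send r and MAC, keep XRES locally."""
        r = secrets.token_bytes(16)
        self.xres = prf(self.k_inter, "RES", r, now)
        return r, now, prf(self.k_inter, "MAC", r, now)

    def respond(self, r, t, mac, now):
        """Step four (4), Li side: XMAC == MAC, then answer with RES."""
        if self.k_inter is None or abs(now - t) > WINDOW:
            return None
        if not hmac.compare_digest(mac, prf(self.k_inter, "MAC", r, t)):
            return None
        return prf(self.k_inter, "RES", r, t)

    def verify_response(self, res):
        """Step four (4), Lk side: RES == XRES completes mutual authentication."""
        return self.xres is not None and hmac.compare_digest(res, self.xres)


def adjacent_orbit_auth(heo, li, lk, now, delay=0):
    """Runs step four end to end; True only when both directions succeed."""
    dist = heo.handle_request(li.request(lk.ssid, now), now + delay)
    if dist is None:
        return False
    to_k, to_i = dist
    if not (lk.install_key(to_k, now + delay) and li.install_key(to_i, now + delay)):
        return False
    r, t, mac = lk.challenge(now + delay)
    res = li.respond(r, t, mac, now + delay)
    return res is not None and lk.verify_response(res)
```

The high-orbit satellite acts only as the trusted key distributor: it checks the group-key encryption, the membership of the requester, the peer identifier and the timestamp, then hands both low-orbit satellites the same K_ik, after which the challenge-response between Lk and Li runs without the ground station. A request from a satellite outside the group fails at `unseal`, a group member the high-orbit satellite does not govern fails the membership check, and a request delivered after the window is dropped before any key is derived.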
Another object of the present invention is to provide a system implementing the satellite-ground and inter-satellite networking authentication method for the double-layer satellite network, the system comprising:
a satellite registration module, by which the ground control center distributes identity identification information, a preset long-term key and orbit parameters to a satellite before launch;
a message forwarding module, which provides the forwarding by other satellites that communication between some high-orbit satellites and the ground control center requires;
a first inter-satellite authentication module, which completes authentication between layers and between low-orbit satellites in the same orbit;
and a second inter-satellite authentication module, which completes authentication between low-orbit satellites in adjacent orbits.
Further, the satellite-ground and inter-satellite networking authentication system for the fused double-layer satellite network further comprises:
the ground control center, which comprises a data center and an authentication center; the data center stores the identities, pre-shared keys and orbit parameters required for high-orbit satellite authentication, verifies the message authentication code MAC from a satellite, and generates the response value RES and the satellite-ground session key that are sent to the high-orbit satellite; the authentication center exchanges information with the high-orbit satellite and the data center and generates the inter-satellite session key;
the high-orbit satellite, which is divided into an authentication center and a data center; the authentication center verifies the message authentication code, generates the satellite-ground session key and verifies the inter-layer authentication response value; the data center stores the identities, pre-shared keys and orbit parameters required for low-orbit satellite authentication and generates the inter-layer session key;
and the low-orbit satellite, which generates the inter-satellite session key and verifies the message authentication code or the authentication response value according to the specific scenario.
The invention also aims to provide a satellite communication information security control terminal which is used for realizing the method for authenticating the converged double-layer satellite network satellite-ground and inter-satellite networking.
Taking all the technical schemes together, the invention has the following advantages and positive effects: to reduce the load on the ground station, reduce authentication overhead, ensure secure and reliable transmission of communication information, meet the security requirements of authenticating the identity of a communication entity and negotiating a session key, and avoid a mismatch between the authentication scheme and the satellite networking scenario, the invention provides a set of schemes suited to a satellite-ground and inter-satellite networking authentication mechanism.
The ground station participates only in the authentication of a few high-orbit satellites, and a mesh networking mode is adopted so that satellites have a certain on-board processing and forwarding capability; low-orbit satellites governed by the same high-orbit satellite complete authentication with the assistance of that high-orbit satellite, and low-orbit satellites belonging to different high-orbit satellites complete authentication with the assistance of inter-satellite links and on-board routing.
Compared with the prior art, the invention has the following advantages:
(1) Bidirectional authentication. Taking the satellite-ground/inter-satellite authentication of the high orbit satellite as an example, the two-way identity verification between high orbit satellite B and the ground authentication center is completed by XMAC, XRES and RES respectively; because only the holder of the long-term shared key MainKey_secB can generate this material, bidirectional identity authentication is completed only when both the timestamp and the random number are correct, so forgery and tampering attacks are resisted. High orbit satellite A decrypts MAC_2 to obtain RES and XRES encrypted with the inter-satellite session key and thereby verifies the identity of high orbit satellite B; only a holder of [formula image BDA0002957210030000091] can generate and obtain C_MAC; high earth orbit satellite B verifies RES_2 = XRES_2, confirming that both parties of the communication hold the same secret key K_AB, and bidirectional identity authentication is completed.
(2) Resistance to replay attack. A timestamp is attached to each message to resist message replay attacks. Taking the satellite-ground/inter-satellite authentication of the high earth orbit satellite as an example, high earth orbit satellite B adds T_msg to the authentication request, so that high orbit satellite A and the ground control center can screen out fresh requests and respond to them. Satellites A and B use the time parameters T_hxres and T_mac added via the ground control center to check whether a message is within its validity period.
(3) Resistance to denial of service (DoS) attack. Because satellite computing resources are limited, a satellite receiving an authentication request message must be able to quickly discriminate a legitimate authentication request, in order to prevent an attacker from forging an authentication request or replaying a completed, authentic and valid one. T_msg is added when the authentication request is sent to ensure message freshness, and the identity of the satellite requesting authentication is encrypted with the secret key MsgKey_gi so that the true satellite identity can only be obtained by satellites in the network; through these two points the authenticating satellite can quickly screen out legal and reasonable authentication requests and so resist DoS attacks.
(4) Key uniqueness. Taking the satellite-ground/inter-satellite authentication of the high earth orbit satellite as an example, the key [formula image BDA0002957210030000101] of the ground authentication center and high earth orbit satellite B is derived from the shared master key and other parameters, respectively, based on T_mac, which guarantees that the key is fresh and unpredictable. The shared secret key [formula image BDA0002957210030000102] of high orbit satellite A and high orbit satellite B is obtained by A through transmission over the secure channel of the ground control center and generated by B from K_secB; because the secret keys K_secB and K_AB are updated synchronously, each update generates a different key.
(5) Low computation cost. Only the main authentication computations are counted in the computation cost of the authentication protocol. Here H denotes an authentication response value or hash calculation, M a message verification code operation, Enc a symmetric block encryption or decryption operation, and AK an operation of the key generation function. In the invention, the computation overhead of the satellite-ground and inter-satellite authentication of the high orbit satellite is 2M + 2H + 2Enc and 2H + 2Enc respectively, that of the inter-layer and same-orbit low orbit satellite authentication is 2M + 2H + 2AK and 2H + 2Enc respectively, and that of the adjacent-orbit low orbit satellite authentication is 2M + 2H.
(6) Low bandwidth overhead. The bandwidth required by each message transmission is listed separately, and the existing schemes are compared by calculating the total bandwidth overhead. Under a security level equivalent to AES-128, the hash algorithm and the MAC algorithm are generated with HMAC-SM3 with an output length of 256 bits, the encryption algorithm is SM4 with an output data length of 128 bits, the length of a random number is fixed at 128 bits, and the lengths of a timestamp, a sequence number and an AMF identifier are 48 bits. In the invention, the authentication bandwidth overhead of the satellite-ground/inter-satellite authentication of the high orbit satellite, of the authentication between the high orbit satellite layer and the low orbit satellite layer, of the same-orbit low orbit satellite authentication and of the adjacent-orbit low orbit satellite authentication is 240 bytes, 134 bytes, 144 bytes and 176 bytes respectively.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments of the present application will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained from the drawings without creative efforts.
Fig. 1 is a flowchart of a method for authenticating a satellite-ground and inter-satellite network of a converged two-layer satellite network according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a satellite-ground and inter-satellite networking authentication system incorporating a two-layer satellite network according to an embodiment of the present invention;
in fig. 2: 1. a satellite registration module; 2. a message forwarding module; 3. a first inter-satellite authentication module; 4. a second inter-satellite authentication module.
Fig. 3 is a flowchart of implementation of protocols for satellite-to-ground and inter-satellite authentication in a two-layer satellite network according to an embodiment of the present invention.
Fig. 4 is a flowchart of a satellite node registration process according to an embodiment of the present invention.
Fig. 5 is a flowchart of satellite-ground authentication of a high orbit satellite according to an embodiment of the present invention.
Fig. 6 is a flowchart of the satellite-ground authentication phase of the high earth orbit satellite according to an embodiment of the present invention.
Fig. 7 is a flowchart of authentication between inter-layer and co-orbital low-earth satellites according to an embodiment of the invention.
Fig. 8 is a flowchart of authentication between adjacent orbiting low earth orbit satellites according to an embodiment of the present invention.
Fig. 9 is a diagram of a model of a two-layer satellite network according to an embodiment of the present invention.
Fig. 10 is a scene diagram of satellite-to-ground and inter-satellite authentication of a high orbit satellite according to an embodiment of the present invention.
Fig. 11 is a diagram of an authentication scenario between inter-layer and co-orbital low-earth satellites according to an embodiment of the invention.
Fig. 12 is a diagram of an authentication scenario between adjacent orbiting low earth orbit satellites according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Aiming at the problems in the prior art, the invention provides a method, a system and an application for fusing dual-layer satellite network satellite-ground and inter-satellite networking authentication, and the invention is described in detail below with reference to the accompanying drawings.
As shown in fig. 1, the authentication method for a converged two-layer satellite network satellite-ground and inter-satellite networking provided by the invention comprises the following steps:
s101: and (4) satellite registration, wherein before the satellite is launched, the ground control center needs to distribute identification information, a preset long-term key and orbit parameters to the satellite.
S102: because the high orbit satellite and the ground control center are relatively static, the communication between part of the high orbit satellite and the ground control center needs other satellites to transmit messages. The first high-orbit satellite and the ground control center finish the satellite-ground authentication based on the long-term pre-shared key, and the rest high-orbit satellites finish the satellite-ground and inter-satellite authentication of the high-orbit satellite under the participation of the ground control center.
S103: and finishing the authentication between the layers and the same-orbit low-orbit satellite.
S104: and finishing the authentication between the adjacent orbit low orbit satellites.
Those skilled in the art of the authentication method for fusing two-layer satellite network satellite-ground and inter-satellite networking provided by the present invention may also use other steps to implement, and the authentication method for fusing two-layer satellite network satellite-ground and inter-satellite networking provided by the present invention in fig. 1 is only a specific embodiment.
As shown in fig. 2, the satellite-ground and inter-satellite networking authentication system of the converged dual-layer satellite network provided by the invention comprises:
the satellite registration module 1, used by the ground control center to distribute identification information, preset long-term keys and orbit parameters to the satellite before the satellite is launched;
the message forwarding module 2, used to relay messages through other satellites where communication between some high orbit satellites and the ground control center requires it;
the first inter-satellite authentication module 3, used to complete authentication between layers and between low-orbit satellites in the same orbit;
the second inter-satellite authentication module 4, used to complete authentication between adjacent-orbit low orbit satellites.
The technical scheme of the invention is further described in the following with reference to the attached drawings.
The invention assumes that three high orbit satellites are deployed and respectively positioned above the equator, and a ground control center (TCC) uniformly stores master keys of all the high orbit satellites; the low-orbit satellites are uniformly distributed on three polar ground orbit surfaces with the same height, each orbit surface comprises six satellites, the low-orbit satellites of each orbit are respectively managed by one high-orbit satellite, and the high-orbit satellite stores the shared master key of the low-orbit satellite under the jurisdiction. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Aiming at a double-layer satellite network formed by high-orbit satellites and low-orbit satellites, the invention provides an authentication scheme from the following three scenes, which are respectively as follows: 1) satellite-to-ground/inter-satellite authentication of high orbit satellites, 2) inter-layer and same-orbit low orbit satellite authentication, and 3) inter-adjacent-orbit low orbit satellite authentication.
The satellite network includes the following entities, a ground control center, high orbit satellites, and low orbit satellites, as described below.
The ground control center comprises a data center and an authentication center. The data center stores the identity, the pre-shared key, the orbit parameter and other information required by the high orbit satellite authentication, completes the verification of the satellite authentication response MAC and generates a message response RES and a satellite-ground session key which are sent to the high orbit satellite; the authentication center interacts information from the high orbit satellite and the data center, checks the message freshness and generates an inter-satellite session key.
The high orbit satellite is divided into an authentication center and a data center. The authentication module completes the verification of the message verification code, generates a satellite-to-ground and inter-satellite session key, and verifies the ground authentication center and the inter-layer authentication response value; the data center stores information such as identity, pre-shared key, orbit parameter and the like required by low orbit satellite authentication, and generates an interlayer session key.
And the low orbit satellite generates an inter-satellite session key, and completes the verification of the message verification code or the authentication response value according to a specific scene.
Example 1
The embodiment of the invention describes a high-orbit satellite registration process.
(1.1) High earth orbit satellite A initiates a registration request to the ground registration domain.
(1.2) In the ground registration domain, high orbit satellite A generates a satellite identity ID_A according to information such as the batch, obtains the timestamp T_s, and then generates the long-term key MainKey_secA = KDF_m(ID_A, T_s) from the private key m of the registration domain.
(1.3) Before the satellite is launched, the registration domain writes the registration information (ID_A, MainKey_secA, MsgKey_g0) into the high orbit satellite, and the ground control center stores (ID_A, MainKey_secA, MsgKey_g0) for identity authentication.
Example 2
The embodiments of the present invention describe satellite-to-ground authentication of a high orbit satellite, wherein the high orbit satellite a has completed satellite registration.
(2.1) The high orbit satellite generates a random number r and obtains the timestamp T_mac, then generates from the preset long-term shared key the message verification code MAC [formula image BDA0002957210030000141], the expected authentication response value XRES [formula image BDA0002957210030000142] and the satellite-ground session key K_secA [formula image BDA0002957210030000143]. The authentication vector AV = XRES || K_secA || Token is then stored, where Token = r || MAC. Finally, a timestamp T_msg is added and the request [formula image BDA0002957210030000144] is sent to the ground control center.
And (2.2) the ground control center checks the message freshness and verifies the identity of the high-orbit satellite.
① The authentication center of the ground control center decrypts the received request, obtains the identity information and the timestamp, and checks whether ID_A conforms to the naming rules and whether T_msg is valid, i.e. T_msg - T_0 ≤ ΔT_msg. If the condition is met, the information is passed to the data center.
② The data center of the ground control center requests identity authentication from the registration domain according to ID_A and derives the long-term shared key MainKey_secA. With the derived key MainKey_secA and r', T_mac' extracted from the received message, it calculates the message authentication code [formula image BDA0002957210030000145] and verifies [formula image BDA0002957210030000146]; if equal, it obtains XRES and K_secA as above and calculates the response value RES and the satellite-ground session key K_secA respectively.
③ The ground authentication center sends RES to the high orbit satellite.
(2.3) The high orbit satellite verifies RES = XRES. If the two are equal, mutual authentication and session key negotiation between the high orbit satellite and the ground control center are completed.
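The exchange of Example 2 worked through in code, as an added illustration that is not part of the patent: HMAC-SHA256 stands in for HMAC-SM3, the derivation formulas that are only images on this page are replaced by labelled HMAC derivations, and the "HEO-" naming rule, the 5-second freshness window and the replayed-token filter are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

DELTA_T_MSG = 5          # freshness window in seconds; assumed, the patent gives no value
HASH = hashlib.sha256    # stand-in for the HMAC-SM3 named on the page (SM3 is not in the stdlib)


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed PRF standing in for the page's M (MAC), H (response) and AK (key) operations.
    The label separates the three purposes; parts are length-prefixed so r and T cannot be re-split."""
    h = hmac.new(key, label, HASH)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def derive_av(main_key: bytes, sat_id: bytes, r: bytes, t_mac: int):
    """Step (2.1) materials from MainKey, r and T_mac (48-bit timestamp, as on the page):
    MAC, expected response XRES and satellite-ground key K_sec. The GCC runs the same
    function to obtain XMAC, RES and its copy of K_sec."""
    t = t_mac.to_bytes(6, "big")
    return (prf(main_key, b"MAC", sat_id, r, t),
            prf(main_key, b"RES", sat_id, r, t),
            prf(main_key, b"KEY", sat_id, r, t))


@dataclass
class AuthRequest:
    sat_id: bytes   # ID_A
    t_msg: int      # T_msg, added last before sending
    t_mac: int      # T_mac, bound into the MAC
    token: bytes    # Token = r || MAC (16-byte r, 32-byte MAC)


class HighOrbitSatellite:
    def __init__(self, sat_id: bytes, main_key: bytes):
        self.sat_id, self.main_key = sat_id, main_key
        self.av = None            # AV = XRES || K_sec || Token, kept until RES arrives
        self.session_key = None

    def build_request(self, now: int) -> AuthRequest:
        r = os.urandom(16)        # 128-bit random number, the length stated on the page
        mac, xres, k_sec = derive_av(self.main_key, self.sat_id, r, now)
        self.av = (xres, k_sec, r + mac)
        return AuthRequest(self.sat_id, now, now, r + mac)

    def verify_res(self, res: bytes) -> bool:
        """Step (2.3): RES must equal the stored XRES before K_sec is adopted."""
        xres, k_sec, _ = self.av
        if not hmac.compare_digest(res, xres):
            return False
        self.session_key = k_sec
        return True


class GroundControlCenter:
    def __init__(self, registry: dict):
        self.registry = dict(registry)   # data center store: ID -> MainKey of registered satellites
        self.session_keys = {}
        self.seen_tokens = set()         # replay filter added in this example; the page uses T_msg alone

    def handle(self, req: AuthRequest, now: int):
        """Step (2.2); returns (RES, status), RES being None on any rejection."""
        # authentication center: naming rule (assumed prefix) and freshness T_msg - T_0 <= dT_msg
        if not req.sat_id.startswith(b"HEO-"):
            return None, "bad identity"
        if abs(now - req.t_msg) > DELTA_T_MSG:
            return None, "stale request"
        if req.token in self.seen_tokens:
            return None, "replayed token"
        # data center: derive MainKey; an unregistered ID is treated as an illegal satellite
        main_key = self.registry.get(req.sat_id)
        if main_key is None:
            return None, "unregistered satellite"
        r, mac = req.token[:16], req.token[16:]
        xmac, res, k_sec = derive_av(main_key, req.sat_id, r, req.t_mac)
        if not hmac.compare_digest(mac, xmac):
            return None, "MAC mismatch"
        self.seen_tokens.add(req.token)
        self.session_keys[req.sat_id] = k_sec
        return res, "ok"


def run_satellite_ground_auth(now: int, delay: int = 0, wrong_key: bool = False):
    """Constructed end-to-end run; returns (authenticated, status, both sides hold the same K_sec)."""
    main_key = hashlib.sha256(b"constructed MainKey_secA").digest()
    gcc = GroundControlCenter({b"HEO-A": main_key})
    sat_key = hashlib.sha256(b"constructed wrong key").digest() if wrong_key else main_key
    sat = HighOrbitSatellite(b"HEO-A", sat_key)
    req = sat.build_request(now)
    res, status = gcc.handle(req, now + delay)
    if res is None:
        return False, status, False
    ok = sat.verify_res(res)
    return ok, status, ok and sat.session_key == gcc.session_keys[b"HEO-A"]


def run_replay(now: int):
    """The same request delivered twice inside the window: the second copy must be refused."""
    main_key = hashlib.sha256(b"constructed MainKey_secA").digest()
    gcc = GroundControlCenter({b"HEO-A": main_key})
    req = HighOrbitSatellite(b"HEO-A", main_key).build_request(now)
    first, _ = gcc.handle(req, now)
    _, status = gcc.handle(req, now + 1)
    return first is not None, status
```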
Example 3
The embodiment of the invention describes the satellite-ground and inter-satellite authentication stage of the high orbit satellite, where high orbit satellite A has completed satellite-ground authentication and key agreement and high orbit satellite B is to be authenticated.
(3.1) The high orbit satellite generates the authentication message verification code and sends an authentication request.
① High orbit satellite B generates, from the secret key MainKey_secB, the random number r and the timestamp T_mac, the message authentication code [formula image BDA0002957210030000151], the expected response value [formula image BDA0002957210030000152] and the satellite-ground and inter-satellite session keys [formula image BDA0002957210030000153], and stores the authentication vector AV = XRES || K_secB || K_AB || Token, where Token = r || MAC.
② High orbit satellite B obtains the timestamp T_msg and sends the authentication request [formula image BDA0002957210030000154] to the ground control center; SSID_A is the broadcast identifier of high earth orbit satellite A.
And (3.2) the ground control center verifies the identity of the high orbit satellite B.
① The authentication center of the ground control center decrypts the received message with MsgKey_g0 and checks whether ID_B and SSID_A are valid; T_msg must satisfy T_msg - T_0 ≤ ΔT_msg. If the parameters are satisfied, the remaining parameters are passed to the ground data center.
② The ground data center requests identity information from the registration domain according to ID_B. If the satellite has completed registration, the key MainKey_secB is derived; otherwise, authentication terminates. After deriving the key MainKey_secB, the data center generates the message authentication code [formula image BDA0002957210030000155], compares [formula image BDA0002957210030000156], and when the two are equal calculates the response value [formula image BDA0002957210030000157] and the satellite-ground session key [formula image BDA0002957210030000158] respectively. The ground data center passes RES to the ground authentication center.
③ The ground authentication center finds the identity ID_A of the target satellite and the satellite-ground session key K_secA according to SSID_A, calculates the session key between the high orbit satellites [formula image BDA0002957210030000159], adds timestamps and merges them into a new authentication vector [formula image BDA00029572100300001510].
④ The ground authentication center sends AV' to high orbit satellite A.
(3.3) High earth orbit satellite A decrypts with K_secA to obtain T_hxres and judges whether T_hxres - T_0 ≤ ΔT_hxres holds. High orbit satellite A generates a new random number R, calculates [formula image BDA0002957210030000161] and sends C_MAC to high earth satellite B.
(3.4) High earth orbit satellite B decrypts with K_AB to obtain R and RES, and verifies [formula image BDA0002957210030000162]. If the two are equal, the identity of the ground control center is verified and it is confirmed that the high orbit satellites share the secret key K_AB, thereby verifying the identity of the high orbit satellite. It then generates [formula image BDA0002957210030000163] and sends it to high earth orbit satellite A.
(3.5) After receiving the message, A calculates [formula image BDA0002957210030000164]; if XRES_2 = RES_2, the authentication succeeds.
Example 4
The embodiment of the invention describes the authentication stage between inter-layer and same-orbit low orbit satellites: high orbit satellite A governs low orbit satellites including Lj, and it is assumed that satellites Lj and A have completed inter-layer authentication.
(4.1) After high orbit satellite A completes the satellite-ground/inter-satellite authentication process of the high orbit satellite, the ground registration domain securely transfers, using the session key negotiated in satellite-ground authentication, the long-term shared key MainKey_Ai between high orbit satellite A and the low orbit satellite Li it governs, and it is stored in the data center of the high earth orbit satellite.
(4.2) Low earth orbit satellite Li encrypts the authentication request [formula image BDA0002957210030000165] with MsgKey_g1, which contains a timestamp and the broadcast identifier of low orbit satellite Lj, and sends it to the governing high orbit satellite A.
(4.3) After receiving the request, high orbit satellite A uses MsgKey_g1 to obtain the identity information and the timestamp, and checks the identity ID_i, SSID_j and the message freshness, i.e. T_msg satisfies T_msg - T_0 ≤ ΔT_msg.
(4.4) The high orbit satellite generates the inter-layer authentication material.
① In the data center of the high orbit satellite, the authentication material AV = XRES || K_Ai || Token is generated, comprising the random number r and the message verification code [formula image BDA0002957210030000166], the expected response value [formula image BDA0002957210030000167], and the inter-layer shared key [formula image BDA0002957210030000168] [formula image BDA0002957210030000169], where [formula image BDA00029572100300001610]. The AV is then sent to the authentication center.
② The authentication center of high orbit satellite A extracts the authentication Token from the AV and sends it to low orbit satellite Li.
(4.5) Low earth satellite Li completes inter-layer authentication.
① Using MainKey_Ai, low earth orbit satellite Li calculates AK in the same manner from r extracted from the Token, extracts T_mac and verifies message freshness, i.e. T_mac - T_0 ≤ ΔT_mac. It generates XMAC according to the MAC generation method of this example and verifies that MAC and XMAC are equal to complete authentication of the high orbit satellite.
② After successful verification, it generates the response value RES and the inter-layer shared key K_Ai according to the XRES generation method, and then sends the response value RES to the high orbit satellite.
(4.6) High orbit satellite A verifies the response value RES = XRES, authenticating the identity of low orbit satellite Li.
(4.7) After successful verification, high orbit satellite A generates the authentication material between low orbit satellites Li and Lj.
According to the broadcast identifier of low orbit satellite Lj in the (4.2) authentication request, high orbit satellite A looks up the corresponding identity information and the communication encryption key K_Aj in its authentication center, generates the expected authentication response [formula image BDA0002957210030000171] for low orbit satellite Lj based on XRES of this example, generates the shared key between the low orbit satellites [formula image BDA0002957210030000172] using the inter-layer shared key negotiated in (4.4), obtains the timestamp, encrypts the authentication material with the session key between high orbit satellite A and low orbit satellite Lj, and sends the generated [formula image BDA0002957210030000173] to low earth orbit satellite Lj.
(4.8) Low orbit satellite Lj extracts the timestamp T_hxres and verifies message freshness T_hxres - T_0 ≤ ΔT_hxres. It stores the inter-satellite shared secret key K_ij, generates the inter-satellite message authentication code from the MAC encryption [formula image BDA0002957210030000174], and sends it to low earth satellite Li.
(4.9) After receiving C_MAC, low earth satellite Li generates the shared secret key K_ij between the low orbit satellites, decrypts C_MAC to complete inter-satellite identity authentication, and then sends [formula image BDA0002957210030000175] to low earth orbit satellite Lj.
(4.10) Low orbit satellite Lj decrypts to obtain RES, calculates [formula image BDA0002957210030000176], and compares HXRES = HRES to verify the identity of satellite Li.
Example 5
The embodiment of the invention introduces the authentication process of adjacent-orbit low orbit satellites, and assumes that low orbit satellites Li and Lk belong to high orbit satellites A and B respectively and have completed inter-layer authentication and key agreement.
(5.1) Low earth satellite Li sends the encrypted authentication request [formula image BDA0002957210030000181] to high earth satellite A, containing a timestamp and the broadcast identifier SSID_k of low earth orbit satellite Lk.
(5.2) After receiving the request, high orbit satellite A uses MsgKey_g1 to obtain the identity information and the timestamp, and checks the legitimacy of the identity ID_i and SSID_k and the message freshness T_msg - T_0 ≤ ΔT_msg. Then high orbit satellite A finds the shared secret key K_Ai in its authentication center according to ID_i, looks up the corresponding identity ID_k according to SSID_k, generates the shared secret key between the low orbit satellites [formula image BDA0002957210030000182], obtains the timestamp T_msg', and securely sends [formula image BDA0002957210030000183] to high earth satellite B using the session key K_AB between high earth orbit satellites A and B. After decrypting, high orbit satellite B obtains the timestamp T_msg'' and then sends [formula image BDA0002957210030000184] to low earth orbit satellite Lk using the negotiated inter-layer session key K_Bk.
(5.3) Low earth orbit satellite Lk judges message freshness, i.e. T_msg'' - T_0 ≤ ΔT_msg''. It finds the corresponding ID_i according to SSID_i, generates a random number r, generates the authentication material [formula image BDA0002957210030000185] [formula image BDA0002957210030000186], combines them into Token = r || MAC, and sends the Token to low orbit satellite Li.
(5.4) Low orbit satellite Li verifies the identity of low orbit satellite Lk.
Low earth orbit satellite Li calculates the key shared by Li and Lk [formula image BDA0002957210030000187], calculates [formula image BDA0002957210030000188] from this key and r extracted from the Token, and compares XMAC = MAC to verify the identity of low orbit satellite Lk. After success, it calculates the response value [formula image BDA0002957210030000189] and finally sends the authentication response to satellite Lk to complete bidirectional authentication.
(5.5) Low orbit satellite Lk verifies RES = XRES, confirming the legal identity of satellite Li.
It should be noted that the embodiments of the present invention can be realized by hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or specially designed hardware. It will be appreciated by those skilled in the art that the apparatus and methods described above may be implemented using computer executable instructions and/or embodied in processor control code, for example such code provided on a carrier medium such as a diskette, CD-or DVD-ROM, a programmable memory such as read-only memory (firmware) or a data carrier such as an optical or electronic signal carrier. The apparatus and its modules of the present invention may be implemented by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., or by software executed by various types of processors, or by a combination of hardware circuits and software, e.g., firmware.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (7)

1. A method for authenticating a converged double-layer satellite network satellite-ground and inter-satellite networking, characterized in that: the system comprises a ground control center, a high orbit satellite and a low orbit satellite network, wherein the ground control center controls and completes authentication with the high orbit satellite, and the high orbit satellite authenticates and controls a low orbit satellite group in a hierarchical control mode; authentication is divided into three types according to the authenticating entities: 1) satellite-ground/inter-satellite authentication of high orbit satellites, 2) inter-layer and same-orbit low orbit satellite authentication, and 3) adjacent-orbit low orbit satellite authentication;
the ground control center stores the shared master key of all high orbit satellites in a unified way, and the high orbit satellites store the shared master key of the low orbit satellites managed by the high orbit satellites;
the satellite-ground and inter-satellite networking authentication method for the converged double-layer satellite network specifically comprises the following steps:
step one, satellite registration, wherein before the satellite is launched, the ground control center needs to distribute identity identification information, a preset shared master key and orbit parameters to the satellite;
step two, because the high orbit satellite and the ground control center are relatively static, the communication between part of the high orbit satellite and the ground control center needs other satellites to transmit messages; the first high-orbit satellite and the ground control center finish the satellite-ground authentication based on the shared master key, and the rest high-orbit satellites finish the satellite-ground and inter-satellite authentication of the high-orbit satellite under the participation of the ground control center;
step three, authentication between the layers and the same-orbit low-orbit satellite is completed;
step four, finishing authentication between adjacent orbit low orbit satellites;
the second step comprises the following steps:
(1) after the first high orbit satellite successfully transmits, the MainKey is based on the shared master key with the ground control center secSAT The satellite-ground authentication of the high orbit satellite is completed, and the method specifically comprises the following steps:
(1.1) generating an authentication material by the high orbit satellite, and sending an authentication request;
generating random number r by high orbit satellite to obtain time stamp T mac Generating a message verification code MAC, an expected authentication response value XRES and a satellite-to-ground session key K according to a preset shared master key secSAT (ii) a The authentication vector AV ═ XRES | | | K is then stored secSAT Token, wherein Token ═ r | | | MAC;
adding a timestamp T at last msg Sending a request to a ground control center
Figure FDA0003747192610000021
(1.2) the ground control center completes identity verification:
passing through T by the authentication center module msg Verifying the message freshness;
the data center verifies the identity of the high orbit satellite, and the data center of the ground control center verifies the identity of the high orbit satellite according to the ID SAT Requesting identity authentication from the registration domain, and deriving the shared master key MainKey secSAT (ii) a If the information is not found, judging the satellite to be an illegal satellite, and terminating authentication; derived key MainKey secSAT And extracts r', T from the received message mac ', calculate XMAC, verify
Figure FDA0003747192610000022
if they are equal, it calculates the response value RES and the satellite-ground session key K_secSAT;
thirdly, the ground authentication center sends RES to the high-orbit satellite;
(1.3) the high-orbit satellite verifies whether RES equals XRES; if they are equal, mutual authentication and session key agreement between the high-orbit satellite and the ground control center are complete;
(2) high-orbit satellites other than the first must complete the high-orbit satellite-ground and inter-satellite authentication stage, which involves the ground control center, a high-orbit satellite A that has already established a secure satellite-ground link, and a high-orbit satellite B to be authenticated, specifically as follows:
(2.1) the high-orbit satellite to be authenticated generates authentication material and sends an authentication request;
the high-orbit satellite to be authenticated generates a message authentication code MAC, an expected response value XRES, a satellite-ground session key K_secB and an inter-satellite session key K_AB from the shared master key MainKey_secB preset between satellite and ground, a random number r and a timestamp T_mac; its local database then stores the authentication vector AV = XRES || K_secB || K_AB || Token, where Token = r || MAC;
the high-orbit satellite B obtains a timestamp T_msg and sends the authentication request
Figure FDA0003747192610000023
to the ground control center, where SSID_A is the broadcast identifier of the high-orbit satellite A;
(2.2) the ground control center verifies the identity of the high-orbit satellite;
the authentication center decrypts the received message with MsgKey_g0 and checks whether ID_B and SSID_A are valid; T_msg must satisfy T_msg - T_0 ≤ ΔT_msg; if these checks pass, the remaining parameters are passed to the ground data center;
the ground data center requests identity information from the registration domain according to ID_B and, if the satellite has completed registration, derives the key MainKey_secB; otherwise authentication is terminated; after MainKey_secB is derived, the data center generates a message authentication code XMAC and compares
Figure FDA0003747192610000031
if they are equal, it calculates the response value RES and the satellite-ground session key K_secB, and the ground data center passes RES to the ground authentication center;
the ground authentication center finds the identity ID_A of the target satellite and its satellite-ground session key K_secA according to SSID_A, calculates the inter-satellite session key K_AB between the high-orbit satellites, adds a timestamp, and merges them into a new authentication vector
Figure FDA0003747192610000032
the ground authentication center sends AV' to the high-orbit satellite A;
(2.3) the high-orbit satellite A generates the message authentication code between the high-orbit satellites:
first, the high-orbit satellite A decrypts with K_secA to obtain T_hxres and verifies message freshness; then it encrypts a newly generated random number R together with RES using K_AB to obtain a new message authentication code C_MAC, and sends C_MAC to the high-orbit satellite B;
(2.4) the high-orbit satellite B verifies the identities of the ground control center and the high-orbit satellite A:
the high-orbit satellite B decrypts the message with its pre-generated K_AB and verifies
Figure FDA0003747192610000033
if the two are equal, the identity of the ground control center is verified and the high-orbit satellites are confirmed to share the key K_AB, which verifies the identity of the high-orbit satellite A;
second, it generates RES_2 in response to the authentication message of the high-orbit satellite A and sends it to the high-orbit satellite A;
(2.5) after receiving the message, the high-orbit satellite A calculates XRES_2; if XRES_2 = RES_2, authentication succeeds.
2. The method for satellite-to-ground and inter-satellite networking authentication of a converged two-tier satellite network according to claim 1, wherein the first step comprises:
(1) the satellite applies for identity registration from a registration domain;
(2) the ground registration domain generates a satellite identity ID according to batch information, then obtains a timestamp T_s and generates a shared master key MainKey from the private key m of the registration domain, where the key between the ground control center and a high-orbit satellite is generated as MainKey_secA = KDF_m(ID_A, T_s) and the key between a high-orbit satellite and a low-orbit satellite as MainKey_Ai = KDF_m(ID_A, ID_i, T_s);
(3) the registration domain writes (ID_A, MainKey_secA, MsgKey_g0) and (ID_i, MainKey_Ai, MsgKey_gl) into the corresponding high-orbit and low-orbit satellites respectively, and stores (ID_A, MainKey_secA, MsgKey_g0) and (ID_i, MainKey_Ai) in the ground control center for identity authentication; MsgKey_g0 denotes the group key between the ground control center and the high-orbit satellite group, and MsgKey_gl denotes the group key shared within high-orbit satellite group l and low-orbit satellite group l;
where the subscript sec represents the ground control center, capital letters represent high orbit satellites, and lowercase letters represent low orbit satellites.
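The registration-time key derivation of claim 2 and the direct satellite-ground mutual authentication of step two (1) in claim 1, as an added worked example that is not the patent's own code. The claims name neither the MAC nor the KDF, so HMAC-SHA256 stands in for both; the "MAC"/"RES"/"KEY" domain-separation labels, integer-second timestamps, the 30-second freshness window and the names RegistrationDomain, satellite_request, ground_verify and satellite_ground_auth are all assumptions of this example. It keeps the claims' notation (MainKey_secA, T_s, r, T_mac, T_msg, XMAC, RES, K_secSAT) in the comments.

```python
# Added example (not the patent's code): claim 2 key derivation plus step two (1)
# satellite-ground mutual authentication. HMAC-SHA256 stands in for the unnamed
# MAC/KDF; labels, window and timestamp format are constructed assumptions.
import hashlib
import hmac
import secrets

DELTA_T = 30  # constructed freshness window in seconds (assumption)


def kdf(key, *parts):
    """KDF_key(parts): HMAC-SHA256 over length-prefixed parts (assumed construction)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def ts(t):
    """8-byte big-endian encoding of an integer timestamp."""
    return t.to_bytes(8, "big")


class RegistrationDomain:
    """Ground registration domain holding the private key m (claim 2)."""

    def __init__(self, m):
        self.m = m
        self.records = {}  # ID_A -> T_s: the registry the data center queries in (1.2)

    def register_high_orbit(self, id_a, t_s):
        # MainKey_secA = KDF_m(ID_A, T_s), written into the satellite before launch
        self.records[id_a] = t_s
        return kdf(self.m, id_a, ts(t_s))

    def register_low_orbit(self, id_a, id_i, t_s):
        # MainKey_Ai = KDF_m(ID_A, ID_i, T_s), shared by high-orbit A and low-orbit i
        return kdf(self.m, id_a, id_i, ts(t_s))

    def derive_main_key(self, id_a):
        # (1.2): an unknown ID is an illegal satellite; None terminates authentication
        t_s = self.records.get(id_a)
        return None if t_s is None else kdf(self.m, id_a, ts(t_s))


def satellite_request(id_sat, main_key, now):
    """(1.1): from r and T_mac derive MAC, XRES, K_secSAT; AV = XRES||K_secSAT||Token stays on board."""
    r, t_mac = secrets.token_bytes(16), now
    mac = kdf(main_key, b"MAC", id_sat, r, ts(t_mac))
    av = {"XRES": kdf(main_key, b"RES", r, ts(t_mac)),
          "K_secSAT": kdf(main_key, b"KEY", r, ts(t_mac)),
          "Token": r + mac}
    msg = {"ID": id_sat, "r": r, "T_mac": t_mac, "MAC": mac, "T_msg": now}
    return av, msg


def ground_verify(domain, msg, now):
    """(1.2): T_msg freshness, registry lookup, XMAC == MAC; returns (RES, K_secSAT) or None."""
    if not 0 <= now - msg["T_msg"] <= DELTA_T:
        return None
    main_key = domain.derive_main_key(msg["ID"])
    if main_key is None:
        return None
    xmac = kdf(main_key, b"MAC", msg["ID"], msg["r"], ts(msg["T_mac"]))
    if not hmac.compare_digest(xmac, msg["MAC"]):  # constant-time comparison
        return None
    res = kdf(main_key, b"RES", msg["r"], ts(msg["T_mac"]))
    k_sec = kdf(main_key, b"KEY", msg["r"], ts(msg["T_mac"]))
    return res, k_sec


def satellite_ground_auth(domain, id_sat, main_key, now, ground_now=None):
    """Whole exchange; returns (ok, K_secSAT at the satellite, K_secSAT on the ground)."""
    av, msg = satellite_request(id_sat, main_key, now)
    reply = ground_verify(domain, msg, now if ground_now is None else ground_now)
    if reply is None:
        return False, None, None
    res, k_ground = reply
    # (1.3): the satellite checks RES == XRES; both sides then hold the same session key
    if not hmac.compare_digest(res, av["XRES"]):
        return False, None, None
    return True, av["K_secSAT"], k_ground
```

The ground side never receives XRES or K_secSAT: both are recomputed from the master key it derives for ID_SAT, so an unregistered ID, a wrong master key, or a request outside the ΔT window all fail before any session key exists.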
3. The method for authenticating a converged two-tier satellite network satellite-to-ground and inter-satellite networking according to claim 1, wherein the third step comprises:
(1) after the high-orbit satellite completes the authentication of step two, the ground registration domain transfers the inter-layer shared master key to the high-orbit satellite over the satellite-ground link, protected by the session key negotiated during satellite-ground authentication, and the key is stored in the data center of the high-orbit satellite;
(2) the low-orbit satellite Li encrypts with MsgKey_gl an authentication request containing a timestamp and the broadcast identifier of the low-orbit satellite Lj, and sends the encrypted request to its controlling high-orbit satellite;
(3) after the high-orbit satellite receives the request, it uses MsgKey_gl to obtain the identity information and timestamp, and checks the legality of the identity and the freshness of the message;
(4) the high-orbit satellite generates inter-layer authentication material;
firstly, authentication material AV is generated in the high-orbit satellite data center, comprising a random number r, a message authentication code MAC, an expected response value XRES and an inter-layer shared key K_Ai, and AV is sent to the authentication center;
secondly, the high-orbit satellite authentication center extracts the authentication Token from AV and sends it to the low-orbit satellite Li;
(5) the low-orbit satellite Li completes inter-layer authentication;
firstly, the low-orbit satellite Li extracts the timestamp parameter to verify message freshness; it generates XMAC by the method in (4) and verifies that MAC and XMAC are equal, completing authentication of the high-orbit satellite;
secondly, after successful verification, it generates a response value RES and the inter-layer shared key K_Ai by the method in step (4), and sends the response value RES to the high-orbit satellite;
(6) the high-orbit satellite verifies that the response value RES equals XRES and authorizes the low-orbit satellite identity;
(7) after successful verification, the high-orbit satellite generates low-orbit inter-satellite authentication material;
according to the low-orbit satellite broadcast identifier in the authentication request of step (2), the high-orbit satellite looks up the corresponding identity information and communication encryption key K_Aj, generates an expected authentication response HXRES for the low-orbit satellite Lj based on the XRES of (4), generates the shared key K_ij between the low-orbit satellites using the inter-layer shared key of (5), merges these into authentication material AV' comprising the inter-satellite shared key, HXRES, a timestamp and MAC, and sends AV' to the low-orbit satellite Lj;
(8) the low-orbit satellite Lj extracts the timestamp to verify message freshness, stores the inter-satellite shared key, generates the inter-satellite message authentication code C_MAC by encrypting according to MAC, and sends it to the low-orbit satellite Li;
(9) the low-orbit satellite Li decrypts C_MAC to complete inter-satellite identity authentication, then generates an encrypted RES with the inter-satellite encryption key and sends it to the low-orbit satellite Lj;
(10) the low-orbit satellite Lj verifies the identity of the satellite Li.
4. The method for authenticating the converged two-layer satellite network satellite-ground and inter-satellite networking according to claim 1, wherein the fourth step comprises:
(1) the low-orbit satellite Li encrypts with MsgKey_gl an authentication request containing a timestamp and the broadcast identifier of the low-orbit satellite Lk, and sends the encrypted request to its controlling high-orbit satellite A;
(2) after the high-orbit satellite receives the request, it uses MsgKey_gl to obtain the identity information and timestamp, checks the legality of the identity and the freshness of the message, generates an inter-satellite shared key, and sends the inter-satellite shared key and the timestamp parameter to the low-orbit satellite Lk over a secure channel;
(3) the low-orbit satellite Lk generates authentication material comprising a random number r, a message authentication code MAC and an expected response value XRES from the inter-satellite shared key, and sends r and the MAC to the low-orbit satellite Li;
(4) the low-orbit satellite Li verifies the identity of the low-orbit satellite Lk and then sends an authentication response to Lk to complete mutual authentication.
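The relayed three-party authentication of claim 1, steps (2.1) to (2.5), in which the ground control center vouches for a high-orbit satellite B to a high-orbit satellite A that already holds a satellite-ground session key, as an added worked example that is not the patent's own code. The same pattern (an already-trusted node derives a pairwise key and a response value on behalf of two peers, one of which proves possession with an encrypted RES) is what claims 3 and 4 reuse between a high-orbit satellite and its low-orbit satellites. Assumptions of this example: HMAC-SHA256 replaces the unnamed MAC/KDF; the claims do not name a cipher, so seal()/open_() is an encrypt-then-MAC stand-in built from an HMAC counter-mode keystream; the derivation of K_AB from MainKey_secB and of RES_2 from R, the fixed 8-byte IDs and SSIDs, message layouts, the 30-second window, and the names sample_setup and relay_auth are all constructed here.

```python
# Added example (not the patent's code): claim 1 steps (2.1)-(2.5), ground-relayed
# authentication of high-orbit satellite B to high-orbit satellite A. Cipher, KDF,
# K_AB and RES_2 derivations and all message layouts are constructed assumptions.
import hashlib
import hmac
import secrets

DELTA_T = 30  # constructed freshness window in seconds (assumption)


def kdf(key, *parts):
    """KDF_key(parts): HMAC-SHA256 over length-prefixed parts (assumed construction)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def ts(t):
    """8-byte big-endian encoding of an integer timestamp."""
    return t.to_bytes(8, "big")


def _keystream(ek, nonce, n):
    blocks = (hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, pt):
    """Stand-in cipher (assumption): encrypt-then-MAC with separate enc/mac subkeys."""
    ek, mk, nonce = kdf(key, b"enc"), kdf(key, b"mac"), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def open_(key, blob):
    """Inverse of seal(); None on a bad tag, i.e. wrong key or tampering."""
    ek, mk = kdf(key, b"enc"), kdf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


def sample_setup():
    """Constructed parties: 8-byte IDs/SSIDs, 32-byte keys (all values made up)."""
    msgkey_g0, mainkey_b, k_sec_a = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
    ground = {"MsgKey_g0": msgkey_g0,
              "registered": {b"HEO-000B": mainkey_b},              # registry: ID -> MainKey_sec
              "links": {b"SSID-00A": (b"HEO-000A", k_sec_a)}}      # A already has a secure link
    sat_a = {"ID": b"HEO-000A", "SSID": b"SSID-00A", "K_sec": k_sec_a}
    sat_b = {"ID": b"HEO-000B", "MainKey_sec": mainkey_b, "MsgKey_g0": msgkey_g0}
    return ground, sat_a, sat_b


def relay_auth(ground, sat_a, sat_b, now):
    """Steps (2.1)-(2.5); returns (ok, K_AB held by A, K_AB held by B)."""
    fail = (False, None, None)
    # (2.1) B derives MAC, XRES and K_AB from MainKey_secB, r, T_mac; AV stays on B
    r, t_mac, mkb = secrets.token_bytes(16), now, sat_b["MainKey_sec"]
    mac = kdf(mkb, b"MAC", sat_b["ID"], r, ts(t_mac))
    xres = kdf(mkb, b"RES", r, ts(t_mac))
    k_ab_b = kdf(mkb, b"AB", sat_b["ID"], sat_a["SSID"], r, ts(t_mac))  # assumed K_AB rule
    req = seal(sat_b["MsgKey_g0"], sat_b["ID"] + sat_a["SSID"] + ts(now) + r + ts(t_mac) + mac)

    # (2.2) ground: group-key decrypt, check ID_B, SSID_A and T_msg - T_0 <= dT, then XMAC == MAC
    pt = open_(ground["MsgKey_g0"], req)
    if pt is None:
        return fail
    id_b, ssid_a, t_msg = pt[:8], pt[8:16], int.from_bytes(pt[16:24], "big")
    r_g, t_mac_g, mac_g = pt[24:40], int.from_bytes(pt[40:48], "big"), pt[48:80]
    if (not 0 <= now - t_msg <= DELTA_T or id_b not in ground["registered"]
            or ssid_a not in ground["links"]):
        return fail
    mkb_g = ground["registered"][id_b]  # MainKey_secB as re-derived from the registry
    if not hmac.compare_digest(kdf(mkb_g, b"MAC", id_b, r_g, ts(t_mac_g)), mac_g):
        return fail
    res = kdf(mkb_g, b"RES", r_g, ts(t_mac_g))
    id_a, k_sec_a = ground["links"][ssid_a]
    k_ab_g = kdf(mkb_g, b"AB", id_b, ssid_a, r_g, ts(t_mac_g))
    av_prime = seal(k_sec_a, ts(now) + id_b + k_ab_g + res)  # AV' = Enc_K_secA(T_hxres||ID_B||K_AB||RES)

    # (2.3) A: decrypt AV' with K_secA, check T_hxres, send C_MAC = Enc_K_AB(R || RES) to B
    pt = open_(sat_a["K_sec"], av_prime)
    if pt is None or not 0 <= now - int.from_bytes(pt[:8], "big") <= DELTA_T:
        return fail
    k_ab_a, res_at_a = pt[16:48], pt[48:80]
    big_r = secrets.token_bytes(16)
    c_mac = seal(k_ab_a, big_r + res_at_a)

    # (2.4) B: decrypt with its own K_AB; RES == XRES authenticates ground and A; answer RES_2
    pt = open_(k_ab_b, c_mac)
    if pt is None or not hmac.compare_digest(pt[16:48], xres):
        return fail
    res_2 = kdf(k_ab_b, b"RES2", pt[:16])  # assumed RES_2 = KDF_K_AB(R)

    # (2.5) A computes XRES_2 from its own R; equality completes mutual authentication
    if not hmac.compare_digest(kdf(k_ab_a, b"RES2", big_r), res_2):
        return fail
    return True, k_ab_a, k_ab_b
```

Two properties worth noticing when reading the flow: B never sends K_AB or XRES over the air, so an attacker who lacks MainKey_secB cannot produce a MAC the ground will accept, and A only learns K_AB from material sealed under its own K_secA, so a bad group key, an unregistered master key, or a stale T_msg each make relay_auth() return (False, None, None) before any party holds a session key.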
5. A satellite-ground and inter-satellite networking authentication system for a converged two-layer satellite network, for implementing the satellite-ground and inter-satellite networking authentication method of the converged two-layer satellite network according to any one of claims 1 to 4, wherein the system comprises:
the satellite registration module, used by the ground control center to assign identity information and preset the shared master key and orbit parameters to the satellite before the satellite is launched;
the message forwarding module, used to relay messages through other satellites for those high-orbit satellites whose communication with the ground control center requires forwarding;
the first inter-satellite authentication module, used to complete inter-layer authentication and authentication between low-orbit satellites in the same orbit;
and the second inter-satellite authentication module, used to complete authentication between low-orbit satellites in adjacent orbits.
6. The converged two-layer satellite network satellite-ground and inter-satellite networking authentication system of claim 5, wherein the converged two-layer satellite network satellite-ground and inter-satellite networking authentication system further comprises:
the ground control center comprises a data center and an authentication center; the data center stores the identity, shared master key and orbit parameter information required for high-orbit satellite authentication, verifies the message authentication code MAC from the satellite, and generates the message authentication code RES and the satellite-ground session key sent to the high-orbit satellite; the authentication center exchanges information with the high-orbit satellite and the data center to generate the inter-satellite session key;
the high-orbit satellite is divided into an authentication center and a data center; the authentication center verifies the message authentication code, generates the satellite-ground session key, and verifies the inter-layer authentication response value; the data center stores the identity, shared master key and orbit parameter information required for low-orbit satellite authentication, and generates the inter-layer session key;
and the low-orbit satellite generates the inter-satellite session key and completes verification of the message authentication code or the authentication response value according to the specific scenario.
7. A satellite communication information security control terminal, characterized in that it is used to implement the satellite-ground and inter-satellite networking authentication method of the converged two-layer satellite network according to any one of claims 1 to 4.
CN202110225496.2A 2021-03-01 2021-03-01 Satellite-ground and inter-satellite networking authentication method, system and application for fusing double-layer satellite network Active CN112953726B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110225496.2A CN112953726B (en) 2021-03-01 2021-03-01 Satellite-ground and inter-satellite networking authentication method, system and application for fusing double-layer satellite network

Publications (2)

Publication Number Publication Date
CN112953726A CN112953726A (en) 2021-06-11
CN112953726B true CN112953726B (en) 2022-09-06

Family

ID=76246936

Country Status (1)

Country Link
CN (1) CN112953726B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114007219B (en) * 2021-10-25 2024-03-26 北京计算机技术及应用研究所 Invisible identification access authentication method for low-orbit satellite communication
CN113904876B (en) * 2021-12-07 2022-02-25 北京航天驭星科技有限公司 Security protection method and device, electronic equipment and computer readable medium
CN114466359B (en) * 2022-01-07 2024-03-01 中国电子科技集团公司电子科学研究院 Distributed user authentication system and authentication method suitable for low orbit satellite network
CN114828005A (en) * 2022-05-24 2022-07-29 西安电子科技大学 Enhanced inter-satellite networking authentication method based on location key
CN115102608B (en) * 2022-06-22 2023-10-20 西安电子科技大学 Cooperative multicast method based on high-low orbit double-layer satellite network
CN116132108B (en) * 2022-12-19 2024-04-12 湖北工业大学 Universal lightweight group key authentication distribution method and device based on pre-shared pairwise key
CN117156433B (en) * 2023-10-31 2024-02-06 航天宏图信息技术股份有限公司 Satellite internet key management distribution method, device and deployment architecture

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5982323A (en) * 1997-05-24 1999-11-09 Oerlikon Contraves Ag Satellite navigation system
CN109698744A (en) * 2018-12-24 2019-04-30 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) A kind of machinery of consultation of Satellite Networking session key and device
CN110971415A (en) * 2019-12-13 2020-04-07 重庆邮电大学 Space-ground integrated space information network anonymous access authentication method and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107390233B (en) * 2017-07-18 2020-04-17 武汉大学 Low-earth-orbit satellite navigation enhanced ionosphere delay correction parameter method
CN107979408B (en) * 2017-12-08 2020-06-05 北京理工大学 Networking authentication and credibility keeping method for high-orbit satellite
CN108566240B (en) * 2018-03-28 2020-10-27 西安电子科技大学 Inter-satellite networking authentication system and method suitable for double-layer satellite network
CN111224707B (en) * 2018-11-26 2021-12-28 华为技术有限公司 Satellite, terminal device, satellite communication system, and satellite communication method
CN112243235B (en) * 2020-09-15 2021-12-28 西安电子科技大学 Group access authentication and switching authentication method suitable for world integration and application
CN112261650B (en) * 2020-09-24 2022-05-03 北京邮电大学 Network access switching method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant