CN113068187B - Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application - Google Patents


Info

Publication number
CN113068187B
Authority
CN
China
Prior art keywords
authentication
unmanned aerial
aerial vehicle
terminal
control center
Prior art date
Legal status
Active
Application number
CN202110190970.2A
Other languages
Chinese (zh)
Other versions
CN113068187A (en)
Inventor
曹进
关键
李晖
马如慧
赵兴文
Current Assignee
Xidian University
Original Assignee
Xidian University
Priority date
Filing date
Publication date
Application filed by Xidian University
Priority to CN202110190970.2A
Publication of CN113068187A
Application granted
Publication of CN113068187B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L 9/3278 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]

Abstract

The invention belongs to the technical field of communication network security and discloses an unmanned aerial vehicle (UAV)-assisted terminal access authentication method, system, equipment and application. The method comprises the following steps: the terminal and the UAV each complete registration with the network control center over a secure channel; after registration, the UAV performs access authentication; once the UAV has been authenticated, the terminal performs access authentication with the UAV's assistance; and when the UAV leaves its designated airspace through force majeure and authentication is interrupted, several UAVs cooperate quickly so that the terminal can continue and finish access authentication. The method authenticates the identities of the different entities efficiently and in real time with UAV assistance, quickly establishes a stable and reliable mobile communication network, and provides technical support for scenarios such as UAV emergency communication, military operations and fire rescue; it provides anonymity while avoiding the complex certificate management of a public-key system, and achieves stronger security.

Description

Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application
Technical Field
The invention belongs to the technical field of communication network security and in particular relates to an unmanned aerial vehicle (UAV)-assisted terminal access authentication method, system, equipment and application.
Background
At present, with the spread of 5G communication technology and the rapid growth in the number of Internet of Things devices, demand for mobile communication services keeps rising. Satellite communication networks cover regions such as mountains and oceans and, combined with cooperating UAVs, can provide strong technical support to fields such as the military, electric power and rescue. Building an integrated space-air-ground information network pushes mobile equipment towards full-scenario cooperation and highly reliable interconnection, and favours the deep interconnection and efficient fusion of a global information network. The Starlink project of the American company SpaceX plans to build a network of about 12,000 satellites between 2019 and 2024, of which 1,584 are to be deployed in low Earth orbit at 550 km and operate from 2020. Notably, in terms of transmission delay, the round-trip delay of low Earth orbit satellites such as Starlink is expected to be kept within 30 ms, which meets users' basic requirements on network latency. In the same period, China's Hongyun project is launching 156 networked satellites operating in orbit 1,000 km above the ground, to build a satellite-borne broadband global mobile Internet. Meanwhile, helped by the rapid development of wireless communication networks, UAVs are beginning to be widely used in industry, in military affairs and in everyday life.
They are widely used in fields such as UAV command and combat, UAV fixed-point surveying and mapping, electric power inspection and forest fire prevention. The Wing Loong medium- and low-altitude UAV for military and civilian use, developed independently in China, can carry out tasks such as surveillance, communication reconnaissance, ground attack and anti-terrorism patrol, and is also widely used in disaster monitoring, pesticide spraying, forest fire prevention and the like.
Therefore, within the integrated information network, a three-in-one communication network of satellites, UAVs and terminal equipment can be built to support more application scenarios. In emergency communication, for example, a Wing Loong general-purpose platform carrying a wireless communication base station, circling continuously at an altitude of 3 to 5 km with a radius of more than 3,000 m, has achieved long-term stable mobile signal coverage of more than 50 square kilometres, and has shown that it can provide emergency communication and relay for base station equipment and satellite communication equipment. A single aircraft can stay airborne for 35 hours, which addresses damaged infrastructure and all-weather communication and data transmission in remote mountainous areas, special terrain and harsh conditions, and can be used in large-scale natural disasters such as earthquakes, floods and fires. In UAV operations, during the 2020 military conflict between Azerbaijan and Armenia, Azerbaijani TB-2 UAVs pursued Armenian troops in the field; when the enemy scattered and hid, a TB-2 that could not strike precisely immediately transmitted the soldiers' position data to the rear artillery, whose BM-21 rocket launchers then covered the scattered infantry with fire until they were wiped out. Building an integrated space-air-ground information network is therefore of great strategic significance.
However, whether the device is a satellite or a UAV, the open communication link and the dynamically changing network topology expose it to channel eavesdropping, message tampering, replay and similar attacks during communication. In addition, because the computing resources of satellites and UAVs are limited, complex data processing should be avoided as far as possible.
The above analysis shows the following problems and defects in the prior art:
(1) In UAV operations the communication network is on the critical path: when the enemy scatters and hides, a TB-2 UAV that cannot strike precisely must immediately pass the soldiers' position data to the rear artillery unit over the existing communication network so that its BM-21 rocket launchers can cover the scattered infantry.
(2) Whether the device is a satellite or a UAV, the open communication link and the dynamically changing network topology expose it to channel eavesdropping, message tampering, replay and similar attacks during communication.
(3) Because the computing resources of satellites and UAVs are limited, complex data processing should be avoided as far as possible.
The difficulties in solving these problems and defects are:
(1) Satellites and UAVs both communicate over open links; any network entity can monitor, tamper with or forge the communication content, or even pose as a legitimate user to gain unauthorised access and steal information.
(2) Because on-board resources are limited on both the satellite and the aircraft, a lightweight authentication protocol is needed so that ground terminals can complete access authentication efficiently and in real time even under large-scale access by massive numbers of terminals, establish a communication link, and keep signalling overhead as low as possible.
(3) A UAV is highly manoeuvrable but has limited endurance. When a ground terminal authenticates through a UAV and the UAV leaves its designated coverage area, the terminal has to repeat the authentication process, which adds signalling and computation overhead and lowers authentication efficiency.
(4) Both ground terminals and UAVs may be physically attacked: an adversary who captures a device can read the secret information stored in its memory chip, forge its identity to take part in authentication, and illegally obtain secret information and permissions of every kind.
Solving these problems and defects has the following significance. Authentication between the different entity identities can be completed efficiently and in real time with UAV assistance, a stable and reliable mobile communication network can be established quickly, and technical support is provided for UAV emergency communication, military operations, fire rescue and similar scenarios. Specifically: first, if an attacker can obtain the identity or other authentication information of the entity being authenticated by monitoring the open link, that entity's security is threatened and the communication content is disclosed. Second, if a lightweight authentication process cannot be achieved, a large number of authentication requests overloads the UAV and the satellite, they fail to respond, and the protocol cannot proceed. Third, if the terminal can be prevented from re-initiating authentication when the UAV leaves the designated area, the computation overhead at the network control center and at the terminal falls greatly, the communication overhead of the whole network is reduced, and network resources are used effectively. Fourth, if the scheme resists physical attack, the robustness of the protocol improves greatly: even if a terminal or a UAV is maliciously captured, the adversary cannot attack the scheme, which protects the security of the network.
Disclosure of Invention
In view of the problems in the prior art, the invention provides a UAV-assisted terminal access authentication method, system, equipment and application.
The invention is realized as follows. A UAV-assisted terminal access authentication method comprises the following steps:
Step one: the UAV and the terminal each carry out an entity registration process with the network control center over a secure channel; once the secret information has been provisioned, entity registration is complete. This step provides the security basis for the subsequent authentication process and is the foundation on which the whole scheme executes securely.
Step two: the UAV interacts with the network control center through the satellite network to complete UAV access authentication. This step supports the terminal's later access authentication: once the UAV has been authenticated, the network control center can vouch for the UAV's identity, and when the terminal authenticates, the UAV and the network control center are authenticated to it at the same time.
Step three: after the UAV has completed access authentication, the terminal completes access authentication in the integrated space-air-ground information network with the UAV's assistance. This step is the full process of terminal access authentication under UAV assistance and is the core of the scheme.
Step four: when the UAV leaves its designated airspace through force majeure and authentication is interrupted, several UAVs cooperate quickly and assist the terminal to continue and finish access authentication. This step is a supplementary optimisation that covers a special situation which may occur in practice; it is analysed and described for that specific case so that the method can be improved.
Further, in step one, before registration in the integrated space-air-ground information network, the satellite and the network control center complete networking authentication. The UAV and the terminal each carry out the entity registration process with the network control center over a secure channel; once the secret information has been provisioned, entity registration is complete. The process comprises the following steps:
(1) UAV registration
1) The UAV sends its identity identifier ID_u to the network control center over the secure channel and at the same time selects a random PUF challenge
Figure GDA0003370367430000031
which it also sends to the network control center;
2) The network control center computes the response to that challenge with the PUF built into its own memory,
Figure GDA0003370367430000032
and at the same time generates a set of random challenges
Figure GDA0003370367430000033
and a set of pseudo-IDs PID_N = {pid_1, pid_2, …, pid_n}; it sends
Figure GDA0003370367430000034
to the UAV over the secure channel;
3) The UAV computes the response to each random challenge with the PUF embedded in its memory,
Figure GDA0003370367430000035
and returns the set of challenge-response pairs
Figure GDA0003370367430000036
to the network control center;
4) The network control center must store
Figure GDA0003370367430000037
whereas the UAV only needs to store
Figure GDA0003370367430000038
(2) Terminal registration
1) In the registration phase the user terminal interacts with the network control center: it sends its real identity identifier over the secure channel and generates the random challenge for the network control center's built-in PUF to be used in the i-th authentication,
Figure GDA0003370367430000039
it sends the identity ID_d together with
Figure GDA00033703674300000310
to the network control center;
2) On receiving them, the network control center computes the response with the PUF in its memory,
Figure GDA00033703674300000311
and at the same time generates its own random challenge for the terminal's built-in PUF,
Figure GDA00033703674300000312
and the pseudo-identity identifier the user terminal will use in its next authentication,
Figure GDA00033703674300000313
and sends the message M to the user terminal over the secure channel:
Figure GDA00033703674300000314
3) On receiving M, the user terminal computes the response with the PUF built into its memory,
Figure GDA00033703674300000315
and sends it to the network control center for storage;
4) Finally, the terminal must additionally store
Figure GDA00033703674300000316
and the network control center stores
Figure GDA00033703674300000317
Further, in step two, the UAV interacts with the network control center through the satellite network to complete UAV access authentication, as follows:
(1) The UAV may choose any pseudo-identity identifier pid_i from the pseudo-identity set PID_N = {pid_1, pid_2, …, pid_n} in preparation for initiating authentication;
(2) The UAV picks a pseudo-identity identifier pid_i at random and uses it as its identity for this round of authentication, so that its real identity is protected. At the same time it generates a random number N_u with its random number generator and reads the preset secret message stored internally,
Figure GDA00033703674300000318
and sends the authentication request
Figure GDA0003370367430000041
to the satellite in its airspace. If the request receives no reply because of environmental factors, or a DDoS attack is encountered, a new (i+1)-th pseudo-identity identifier is chosen and authentication is attempted again;
(3) On receiving the authentication request, the satellite in the airspace where the UAV is located attaches its constellation identity to the request
Figure GDA0003370367430000042
and forwards it to the network control center, which can determine the airspace the request belongs to from that identity identifier;
(4) The network control center checks whether the pseudo-identity identifier pid_i lies within its legitimate range and selects any pair (c_i, r_i) at random for this round of authentication; it computes the response to the challenge carried in the authentication request,
Figure GDA0003370367430000043
and from that response
Figure GDA0003370367430000044
and the UAV's response r_i computes a message authentication code:
Figure GDA0003370367430000045
It generates the random number N_s for this round of authentication and supplies the UAV with a new pseudo-ID pid_{n+1}; in addition, the network control center must compute the next challenge-response pair for authentication with the UAV:
Figure GDA0003370367430000046
Figure GDA0003370367430000047
and protects the sensitive information:
Figure GDA0003370367430000048
It then sends the authentication response
Figure GDA0003370367430000049
to the UAV that initiated the request, via the same satellite;
(5) On receiving the authentication response, the UAV first uses the PUF built into its memory to compute
Figure GDA00033703674300000410
and, with the challenge-response pair in its local memory,
Figure GDA00033703674300000411
verifies whether the received XRES equals
Figure GDA00033703674300000412
Once this check passes, it computes and obtains the pseudo-identity identifier for subsequent authentication and the challenge-response pair of the network control center:
Figure GDA00033703674300000413
Figure GDA00033703674300000414
At the same time the UAV must generate the challenge-response pair for the next round of authentication and protect it: c_{n+1} = h(c_i || r_i || ID_u),
Figure GDA00033703674300000415
In addition, the UAV must generate the session key S_k needed for subsequent communication and the authentication confirmation code RES:
Figure GDA00033703674300000416
RES = h(r_i || S_k). The UAV then sends the authentication response message
Figure GDA00033703674300000417
to the network control center via the satellite and waits for verification;
(6) On receiving the authentication response message, the network control center computes:
Figure GDA00033703674300000418
c_{n+1} = h(c_i || r_i || ID_u),
Figure GDA00033703674300000419
and verifies RES against the result; if the verification passes, UAV authentication is complete. At this point both sides delete the used pseudo-ID and the corresponding challenge-response pair
Figure GDA00033703674300000420
and each stores the new pseudo-ID and challenge-response pair supplied during this authentication for subsequent authentication, together with the session key S_k securely negotiated by both parties, which protects the subsequent wireless communication.
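The registration of step one and the UAV access authentication of step two, worked through as an added example; this is not code from the patent. Assumptions, also marked in the code: each PUF is simulated as an HMAC under a per-device secret (a real PUF derives its response from silicon variation and stores nothing); h() is SHA-256 and || is byte concatenation; because the formula images are not reproduced on this page, the inputs of the message authentication code XRES, the one-time masking of the new pseudo-ID and of the network control center's next challenge-response pair, and the session key derivation are chosen here, while c_{n+1} = h(c_i || r_i || ID_u) and RES = h(r_i || S_k) are the relations stated above; the satellite, which only relays, is left out. The example shows the pseudo-ID pool being consumed and refilled, why a replayed authentication request is rejected, and that the UAV holds only challenges for the network control center's PUF plus one of its responses, never its own responses:

```python
import hashlib
import hmac
import os
import secrets

def h(*parts: bytes) -> bytes:  # h() is assumed to be SHA-256 over the concatenation (||) of its inputs
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(*seed: bytes) -> bytes:  # 64-byte one-time mask for pid_{n+1} || c'_N || R'_N (assumed wrapping)
    return h(b"m1", *seed) + h(b"m2", *seed)

class SimPUF:
    """HMAC stand-in for an on-chip PUF (assumption); a real PUF stores no secret, so a memory dump yields nothing."""
    def __init__(self) -> None:
        self._k = os.urandom(32)
    def __call__(self, challenge: bytes) -> bytes:
        return hmac.new(self._k, challenge, hashlib.sha256).digest()

class NCC:
    """Network control center: per UAV, the pseudo-ID pool and the UAV's challenge-response pairs."""
    def __init__(self) -> None:
        self.puf = SimPUF()
        self.by_pid = {}                                       # pseudo-ID -> UAV record

    def register_uav(self, id_u: bytes, c_n: bytes, respond, n: int = 4):
        """Step one, secure channel: n pseudo-IDs, n challenges answered by the UAV (`respond`), and R_N = PUF_N(c_N)."""
        pids, cs = [os.urandom(16) for _ in range(n)], [os.urandom(16) for _ in range(n)]
        rec = {"id_u": id_u, "crps": [(c, respond(c)) for c in cs]}
        for pid in pids:
            self.by_pid[pid] = rec
        return pids, self.puf(c_n)

    def handle_request(self, req: dict):
        """Step two (4). A pseudo-ID not in the pool (unknown, or consumed by an earlier round) is rejected."""
        rec = self.by_pid.get(req["pid"])
        if rec is None:
            return None
        c_i, r_i = secrets.choice(rec["crps"])
        r_n, n_s = self.puf(req["c_n"]), os.urandom(16)
        xres = h(b"mac", r_n, r_i, req["n_u"], n_s)            # assumed MAC inputs
        pid_new, c_new = os.urandom(16), os.urandom(16)
        blob = xor(pid_new + c_new + self.puf(c_new), keystream(r_n, r_i, req["n_u"], n_s))
        rec["pending"] = (req["pid"], c_i, r_i, r_n, req["n_u"], n_s, pid_new)
        return {"c_i": c_i, "n_s": n_s, "xres": xres, "blob": blob}

    def handle_response(self, resp: dict) -> bool:
        """Step two (6): verify RES, then roll the pseudo-ID and the challenge-response pair forward."""
        rec = self.by_pid[resp["pid"]]
        pid, c_i, r_i, r_n, n_u, n_s, pid_new = rec.pop("pending")
        sk = h(b"key", r_n, r_i, n_u, n_s)                     # assumed key derivation
        if not hmac.compare_digest(resp["res"], h(r_i, sk)):   # RES = h(r_i || S_k), as in the text
            return False
        rec["crps"].remove((c_i, r_i))
        rec["crps"].append((h(c_i, r_i, rec["id_u"]),           # c_{n+1} = h(c_i || r_i || ID_u)
                            xor(resp["wrapped_r_next"], h(b"next", r_i, n_s))))
        del self.by_pid[pid]                                   # the used pseudo-ID is discarded
        self.by_pid[pid_new], rec["sk"] = rec, sk
        return True

class UAV:
    """Holds only the pseudo-ID pool and one CRP of the NCC's PUF; its own responses are never stored."""
    def __init__(self, id_u: bytes, ncc: NCC) -> None:
        self.id_u, self.puf, self.sk = id_u, SimPUF(), None
        c_n = os.urandom(16)                                   # challenge for the NCC's PUF
        self.pids, r_n = ncc.register_uav(id_u, c_n, self.puf)
        self.ncc_crp = (c_n, r_n)

    def auth_request(self) -> dict:
        """Step two (1)-(2): a pseudo-ID, a fresh nonce N_u and the stored NCC challenge."""
        self.pid, self.n_u = self.pids.pop(0), os.urandom(16)
        return {"pid": self.pid, "n_u": self.n_u, "c_n": self.ncc_crp[0]}

    def auth_response(self, resp: dict) -> dict:
        """Step two (5): check XRES, unwrap the next-round state, answer with RES."""
        c_n, r_n = self.ncc_crp
        r_i, n_s = self.puf(resp["c_i"]), resp["n_s"]
        if not hmac.compare_digest(resp["xres"], h(b"mac", r_n, r_i, self.n_u, n_s)):
            raise ValueError("NCC failed authentication")
        plain = xor(resp["blob"], keystream(r_n, r_i, self.n_u, n_s))
        self.pids.append(plain[:16])                           # pid_{n+1}
        self.ncc_crp = (plain[16:32], plain[32:])              # (c'_N, R'_N)
        self.sk = h(b"key", r_n, r_i, self.n_u, n_s)
        r_next = self.puf(h(resp["c_i"], r_i, self.id_u))      # r_{n+1} = PUF_U(c_{n+1})
        return {"pid": self.pid, "res": h(r_i, self.sk),
                "wrapped_r_next": xor(r_next, h(b"next", r_i, n_s))}

def demo() -> dict:
    ncc = NCC()
    uav = UAV(b"UAV-0001", ncc)                                # registration happens here
    req = uav.auth_request()
    ok1 = ncc.handle_response(uav.auth_response(ncc.handle_request(req)))
    keys_match = uav.sk == next(iter(ncc.by_pid.values()))["sk"]
    replay_rejected = ncc.handle_request(req) is None          # same pseudo-ID a second time
    ok2 = ncc.handle_response(uav.auth_response(ncc.handle_request(uav.auth_request())))
    return {"round1": ok1, "keys_match": keys_match, "replay_rejected": replay_rejected, "round2": ok2}
```

`demo()` runs two rounds and a replay: both rounds succeed, the two sides hold the same S_k, and the replayed first request is refused because its pseudo-ID was deleted together with the used challenge-response pair. The masks and derivations carry distinct labels ("mac", "key", "next", "m1"/"m2") so that no two values derived from the same PUF responses and nonces coincide; the patent's own formulas may use a different construction.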
Further, in step three, after the UAV has completed access authentication, the terminal completes access authentication in the integrated space-air-ground information network with the UAV's assistance, as follows:
(1) The user terminal initiates an authentication request to the UAV that provides network service, and mutual authentication and key agreement are completed through the satellite and the network control center. Because the UAV has already authenticated with the network control center in the UAV access authentication phase, it can assist the terminals within its communication coverage in the subsequent authentication process. The terminal first generates the random number N_d for this round of authentication and, together with its own pseudo-identity identifier and the challenge for the network control center's PUF that was provisioned in the registration phase,
Figure GDA00033703674300000421
sends them as the authentication request to the UAV in its airspace;
(2) On receiving the authentication request, the UAV attaches its identity identifier ID_UAV to it and forwards it through the satellite to the network control center to assist in completing authentication; after the UAV access authentication phase this identity identifier is securely stored at the network control center;
(3) On receiving the authentication request, the network control center first checks the validity of the pseudo-identity identifier and generates the random number N_s for this round; at the same time it uses the PUF preset in its memory to compute, for the challenge in the request,
Figure GDA0003370367430000051
the response
Figure GDA0003370367430000052
reads the terminal's challenge-response pair preset at the network control center during registration,
Figure GDA0003370367430000053
and computes two message authentication codes:
Figure GDA0003370367430000054
Figure GDA0003370367430000055
Meanwhile, the network control center must compute the pseudo-identity identifier needed for the next round of authentication,
Figure GDA0003370367430000056
and the next challenge-response pair, and protect them:
Figure GDA0003370367430000057
Figure GDA0003370367430000058
When this is done, the network control center forwards to the satellite
Figure GDA0003370367430000059
as the authentication response;
(4) On receiving the authentication response from the network control center, the satellite extracts the message authentication code XRES and the random numbers N_s and N_d generated by the network control center and the terminal, and computes HXRES = h(N_d || N_s || XRES) for the later authentication of the terminal device; the satellite then stores XRES and sends the authentication response
Figure GDA00033703674300000510
to the UAV for the subsequent authentication process;
(5) On receiving the satellite's authentication response, the UAV reads and stores HXRES, and at the same time merges its identity identifier ID_UAV into a new authentication response
Figure GDA00033703674300000511
which it sends to the terminal;
(6) On receiving the authentication response, the terminal first takes the challenge sent by the network control center,
Figure GDA00033703674300000512
feeds it into the PUF in its memory and computes the response
Figure GDA00033703674300000513
then, using the challenge-response pair stored in its memory
Figure GDA00033703674300000514
and the content of the authentication response, it computes the message authentication code
Figure GDA00033703674300000515
and checks the MAC value. The terminal also has to compute the input challenge for the PUF on the network control center side that is needed in the next round of authentication:
Figure GDA00033703674300000516
At the same time the terminal reads the content of the received authentication response and recovers the corresponding response
Figure GDA00033703674300000517
and the new pseudo-ID generated for it by the network control center
Figure GDA00033703674300000518
Figure GDA00033703674300000519
The terminal computes
Figure GDA00033703674300000520
and protects the PUF challenge-response pair it has computed for the next round of authentication:
Figure GDA00033703674300000521
At this point the terminal can send the authentication response message to the UAV
Figure GDA00033703674300000522
and compute the session key negotiated with the network control center once this round of authentication is complete:
Figure GDA00033703674300000523
(7) On receiving the authentication response message from the terminal, the UAV extracts the value of RES from it and computes HRES = h(N_d || N_s || RES); it then authenticates the terminal by checking that HRES is consistent with the HXRES stored in step (5). If the check passes, it forwards the authentication response message on to the satellite;
(8) When the satellite receives the authentication response message
Figure GDA00033703674300000524
it reads the XRES value stored in step (4) and checks the correctness of RES; if the two are consistent, it sends the authentication confirmation message
Figure GDA00033703674300000525
to the network control center, which extracts the secret message;
(9) On receiving the authentication confirmation message from the satellite, the network control center computes the PUF challenge-response pair needed for the terminal's next authentication and the session key for subsequent communication:
Figure GDA0003370367430000061
Figure GDA0003370367430000062
After steps (1) to (9), the terminal side must store
Figure GDA0003370367430000063
for the next round of authentication and the subsequent wireless communication; the network control center side must store
Figure GDA0003370367430000064
for subsequent authentication and communication.
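The terminal round of step three, with the satellite and UAV checks of sub-steps (4), (5), (7) and (8), as an added example that is not code from the patent. HXRES = h(N_d || N_s || XRES) and HRES = h(N_d || N_s || RES) are taken from the text; the PUF simulation, the MAC and XRES inputs and the session key derivation are assumptions and are marked as such in the code, and the pseudo-ID and challenge-response rollover (the same mechanism as in the UAV example) is left out so that the relay logic stays in view. The example runs one honest round and one in which the terminal's RES is replaced by a guess, and records where each is stopped:

```python
import hashlib
import hmac
import os

def h(*parts: bytes) -> bytes:  # h() is assumed to be SHA-256 over the concatenation (||) of its inputs
    return hashlib.sha256(b"".join(parts)).digest()

class SimPUF:
    """HMAC stand-in for an on-chip PUF (assumption); the secret never leaves the object."""
    def __init__(self) -> None:
        self._k = os.urandom(32)
    def __call__(self, challenge: bytes) -> bytes:
        return hmac.new(self._k, challenge, hashlib.sha256).digest()

class NCC:
    def __init__(self, puf: SimPUF, term_crp: tuple) -> None:
        self.puf, self.term_crp, self.sk = puf, term_crp, None  # (c_d, r_d) kept since registration

    def auth_response(self, req: dict) -> dict:
        """Step three (3): MAC proves the NCC to the terminal, XRES is the answer the NCC expects back."""
        c_d, r_d = self.term_crp
        r_n, n_s = self.puf(req["c_n"]), os.urandom(16)
        self.ctx = (r_n, r_d, req["n_d"], n_s)
        return {"pid": req["pid"], "n_d": req["n_d"], "n_s": n_s, "c_d": c_d,
                "mac": h(b"mac", r_n, r_d, req["n_d"], n_s),      # assumed MAC construction
                "xres": h(b"res", r_d, r_n, req["n_d"], n_s)}     # assumed XRES construction

    def confirm(self, msg: dict) -> bool:
        """Step three (9): the satellite has already matched RES against XRES; derive S_k."""
        self.sk = h(b"key", *self.ctx)                            # assumed key derivation
        return True

class Satellite:
    """Keeps XRES, passes HXRES = h(N_d || N_s || XRES) down, checks RES on the way up."""
    def __init__(self) -> None:
        self.xres, self.forwarded_up = None, 0

    def down(self, resp: dict) -> dict:
        self.xres = resp.pop("xres")                              # XRES itself never goes further down
        return dict(resp, hxres=h(resp["n_d"], resp["n_s"], self.xres))

    def up(self, msg: dict):
        """Step three (8): RES must equal the stored XRES before the NCC is informed."""
        if not hmac.compare_digest(msg["res"], self.xres):
            return None
        self.forwarded_up += 1
        return msg

class UAV:
    """Keeps only HXRES, so it can screen the terminal's answer without ever holding XRES."""
    def __init__(self, id_uav: bytes) -> None:
        self.id_uav, self.hxres, self.dropped = id_uav, None, 0

    def down(self, resp: dict) -> dict:
        self.hxres, self.n_d, self.n_s = resp.pop("hxres"), resp["n_d"], resp["n_s"]
        return dict(resp, id_uav=self.id_uav)                     # ID_UAV is merged in for the terminal

    def up(self, msg: dict):
        """Step three (7): HRES = h(N_d || N_s || RES) is compared with the stored HXRES."""
        if not hmac.compare_digest(h(self.n_d, self.n_s, msg["res"]), self.hxres):
            self.dropped += 1
            return None
        return msg

class Terminal:
    def __init__(self, pid: bytes, ncc_crp: tuple) -> None:
        self.pid, self.puf, self.ncc_crp, self.sk = pid, SimPUF(), ncc_crp, None  # (c_N, R_N) from registration

    def auth_request(self) -> dict:
        self.n_d = os.urandom(16)
        return {"pid": self.pid, "n_d": self.n_d, "c_n": self.ncc_crp[0]}

    def auth_response(self, resp: dict) -> dict:
        """Step three (6): check the NCC's MAC with the stored R_N, answer with RES, derive S_k."""
        r_d, r_n = self.puf(resp["c_d"]), self.ncc_crp[1]
        if not hmac.compare_digest(resp["mac"], h(b"mac", r_n, r_d, self.n_d, resp["n_s"])):
            raise ValueError("NCC failed authentication")
        self.sk = h(b"key", r_n, r_d, self.n_d, resp["n_s"])
        return {"pid": self.pid, "res": h(b"res", r_d, r_n, self.n_d, resp["n_s"])}

def run(forge_res: bool = False) -> dict:
    """One terminal round NCC -> satellite -> UAV -> terminal and back; registration is set up inline."""
    ncc_puf, c_n, c_d = SimPUF(), os.urandom(16), os.urandom(16)
    term = Terminal(b"pid-d-0001", (c_n, ncc_puf(c_n)))       # registration: terminal keeps (c_N, R_N)
    ncc = NCC(ncc_puf, (c_d, term.puf(c_d)))                    # registration: NCC keeps (c_d, r_d)
    sat, uav = Satellite(), UAV(b"UAV-0002")
    answer = term.auth_response(uav.down(sat.down(ncc.auth_response(term.auth_request()))))
    if forge_res:
        answer["res"] = os.urandom(32)                          # attacker without the terminal's PUF
    up = uav.up(answer)
    up = sat.up(up) if up else None
    ok = ncc.confirm(up) if up else False
    return {"ok": ok, "keys_match": ok and term.sk == ncc.sk,
            "dropped_at_uav": uav.dropped, "reached_satellite": sat.forwarded_up}
```

The hash chain lets each hop verify with only what it needs: the satellite keeps XRES and never passes it down, the UAV keeps HXRES, from which XRES cannot be recovered, and still drops a wrong RES locally before it costs a satellite round trip; a forged RES therefore never reaches the satellite or the network control center.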
Further, in step four, when the authentication is interrupted due to the deviation of the inefficacy force of the unmanned aerial vehicle from the designated airspace, the multiple unmanned aerial vehicles cooperate quickly, and the auxiliary terminal continues to complete the access authentication, including:
when unmanned aerial vehicle (A) deviates from the original airspace due to factors such as insufficient electric quantity and environment and causes the terminal equipment in the original coverage area to lose connection, according to the difference of the authentication process execution stage when unmanned aerial vehicle (A) deviates, the following conditions are divided for discussion:
(1) The original unmanned aerial vehicle deviates before step (2) of step three is completed
When the unmanned aerial vehicle A deviates from the designated airspace, if the ground terminal equipment to be authenticated has finished sending the authentication request of step (1) to the original unmanned aerial vehicle, but the unmanned aerial vehicle A has not received the authentication request of step (1), or has received it but has not successfully sent the message content of step (2), then when the network control center again dispatches an unmanned aerial vehicle in good condition into the designated airspace to assist, the terminal equipment needs to execute step (1) again to re-initiate the authentication flow to the unmanned aerial vehicle B.
(2) The original unmanned aerial vehicle deviates after step (2) is finished and before step (4) is finished
1) When the original unmanned aerial vehicle A deviates from its coverage range after step (2) is finished and before step (4) is finished, the unmanned aerial vehicle B, assigned by the system and in good condition, enters the designated airspace to assist in completing the authentication; the network control center needs to calculate, according to the identity identifier ID_UAVb of the unmanned aerial vehicle B participating in the assistance, a switching identification authentication code TMAC = h(MAC||ID_UAVa||ID_UAVb) for it;
2) If the network control center has not yet executed step (3) to send the authentication response to the satellite at this time, it needs to send the switching identification authentication code TMAC, the identity identifier ID_UAVb of the unmanned aerial vehicle B and the authentication response of step (3)
Figure GDA0003370367430000065
synchronously to the terminal equipment through the satellite and the unmanned aerial vehicle B;
3) If the network control center has already executed step (3), the unmanned aerial vehicle B receives the authentication response
Figure GDA0003370367430000066
and continues to wait; after calculating the switching identification authentication code TMAC, the network control center sends the assisting authentication message {TMAC, ID_UAVa, ID_UAVb} to the unmanned aerial vehicle B; after receiving the assisting authentication message, the unmanned aerial vehicle B synchronously sends the authentication response and the assisting authentication message to the terminal and continues to execute the subsequent authentication process;
4) after the terminal receives the authentication response and the assistant authentication message, firstly, the terminal calculates through a self-preset PUF:
Figure GDA0003370367430000067
and calculates, using the secret message preset in the registration stage:
Figure GDA0003370367430000068
THMAC = h(HMAC||ID_UAVa||ID_UAVb); the MAC and the TMAC in the received message are verified respectively against the computed HMAC and THMAC, and if verification fails, the authentication process ends; otherwise, the unmanned aerial vehicle B is considered a legitimate unmanned aerial vehicle and the authentication can continue through it; the terminal calculates the PUF input excitation required for the next round of authentication and decrypts the excitation response contained in the authentication response
Figure GDA0003370367430000069
And a new terminal pseudo-identity identifier
Figure GDA00033703674300000610
Figure GDA00033703674300000611
Figure GDA0003370367430000071
After the above-mentioned procedure is finished, the terminal calculates and generates its own message authentication code:
Figure GDA0003370367430000072
furthermore, the terminal needs to compute and securely store the PUF excitation response pair required for the next round of authentication:
Figure GDA0003370367430000073
at this time, the terminal may send an authentication response message to the drone
Figure GDA0003370367430000074
And calculating the session key negotiated with the network control center after the authentication of the current round is completed:
Figure GDA0003370367430000075
5) after receiving the data, the unmanned aerial vehicle extracts the RES value and calculates HRES = h(N_d||N_s||RES); after the calculation is completed, the unmanned aerial vehicle can complete the authentication of the terminal by checking the consistency of HRES with the HXRES stored in step (5); if the authentication passes, it continues to forward the authentication response message to the satellite;
6) after the satellite receives the authentication response message
Figure GDA0003370367430000076
it checks the value of XRES against RES for correctness; if they are consistent, it sends an authentication confirmation message to the network control center
Figure GDA0003370367430000077
and the network control center extracts the secret message;
7) after receiving the authentication confirmation message sent by the satellite, the network control center needs to calculate the PUF excitation response pair required for the next round of authentication of the terminal and the session key for subsequent communication:
Figure GDA0003370367430000078
Figure GDA0003370367430000079
8) after the authentication is completed, the terminal side needs to store
Figure GDA00033703674300000710
and the network control center side needs to store
Figure GDA00033703674300000711
for subsequent authentication and communication.
(3) The original unmanned aerial vehicle deviates after step (5) is finished
1) In this case, the terminal device has already finished authenticating the network control center and has already calculated the authentication response message, that is, step (6) is about to be executed; if the terminal device finds that the original unmanned aerial vehicle A is out of communication range, it waits silently;
2) after the network control center calculates the switching identification authentication code TMAC = h(MAC||ID_UAVa||ID_UAVb), it sends the assisting authentication message {TMAC, ID_UAVb, N_d, N_s} to the satellite;
3) the satellite adds the message authentication code HXRES and forwards it to the unmanned aerial vehicle B; the unmanned aerial vehicle B in charge of assisting authentication forwards the assisting authentication message {TMAC, ID_UAVb} to the terminal equipment and stores the remaining information;
4) after receiving the assisting authentication message, the terminal first calculates THMAC = h(HMAC||ID_UAVa||ID_UAVb), then checks the value of TMAC; if the check is inconsistent, the authentication ends; otherwise it continues to execute step (6) and sends the authentication response message to the unmanned aerial vehicle B
Figure GDA00033703674300000712
5) After receiving the authentication response message, the unmanned aerial vehicle B in charge of assisting authentication extracts the value of RES from it and calculates HRES = h(N_d||N_s||RES); after the calculation is completed, the unmanned aerial vehicle B can complete the authentication of the terminal by checking the consistency between HRES and its locally stored HXRES; if the authentication passes, it continues to forward the authentication response message to the satellite to execute the subsequent authentication process;
6) after the satellite receives the authentication response message
Figure GDA00033703674300000713
it checks the value of XRES against RES for correctness; if they are consistent, it sends an authentication confirmation message to the network control center
Figure GDA00033703674300000714
and the network control center extracts the secret message; in addition, the network control center needs to calculate the PUF excitation response pair required for the next round of authentication of the terminal and the session key for subsequent communication:
Figure GDA0003370367430000081
Figure GDA0003370367430000082
7) after the authentication is completed, the terminal side needs to store
Figure GDA0003370367430000083
and the network control center side needs to store
Figure GDA0003370367430000084
for subsequent authentication and communication.
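As an added example (not the patent's own code), the switching identification authentication code of cases (2) and (3) above in Python: the network control center binds the replacement drone's identifier into TMAC = h(MAC||ID_UAVa||ID_UAVb), and the terminal recomputes THMAC = h(HMAC||ID_UAVa||ID_UAVb) from its own HMAC. The MAC value and the identifiers are constructed sample values, and the hash is assumed to be SHA-256; the two verification modes correspond to whether the terminal had already verified MAC before the handover.

```python
import hashlib
import hmac
from typing import Optional

def h(*parts: bytes) -> bytes:
    """h(a||b||c): SHA-256 over the concatenated fields (hash choice is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def ncc_issue_tmac(mac: bytes, id_uav_a: bytes, id_uav_b: bytes) -> bytes:
    """Network control center: TMAC = h(MAC||ID_UAVa||ID_UAVb) binds the replacement
    drone B to the MAC already issued for this authentication round."""
    return h(mac, id_uav_a, id_uav_b)

def terminal_verify_handover(hmac_local: bytes, tmac: bytes, id_uav_a: bytes,
                             id_uav_b: bytes, mac_received: Optional[bytes] = None) -> bool:
    """Terminal: hmac_local is its own recomputation of MAC (the page's HMAC).
    Case (2): MAC has not been verified yet, so pass mac_received and both MAC and TMAC
    are checked. Case (3): MAC was verified before the handover, so only TMAC is checked."""
    if mac_received is not None and not hmac.compare_digest(mac_received, hmac_local):
        return False
    thmac = h(hmac_local, id_uav_a, id_uav_b)   # THMAC = h(HMAC||ID_UAVa||ID_UAVb)
    return hmac.compare_digest(thmac, tmac)

# Constructed sample values; in the protocol MAC comes from the interrupted round.
MAC = h(b"constructed-terminal-response", b"N_d", b"N_s")
ID_A, ID_B, ID_ROGUE = b"UAV-A", b"UAV-B", b"UAV-Z"

def demo() -> dict:
    tmac = ncc_issue_tmac(MAC, ID_A, ID_B)
    return {
        "case2_ok": terminal_verify_handover(MAC, tmac, ID_A, ID_B, mac_received=MAC),
        "case3_ok": terminal_verify_handover(MAC, tmac, ID_A, ID_B),
        # a drone announcing an identifier the NCC did not bind into TMAC is rejected
        "rogue_id_rejected": not terminal_verify_handover(MAC, tmac, ID_A, ID_ROGUE),
        # a TMAC produced without knowledge of MAC is rejected
        "forged_tmac_rejected": not terminal_verify_handover(
            MAC, h(b"guess", ID_A, ID_B), ID_A, ID_B),
    }
```

The point of deriving TMAC from MAC rather than issuing a fresh code is that the terminal can check it with material it already holds, so the handover costs no extra round trip to the network control center.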
Another object of the present invention is to provide an unmanned aerial vehicle-assisted terminal access authentication system using the unmanned aerial vehicle-assisted terminal access authentication method, the unmanned aerial vehicle-assisted terminal access authentication system comprising:
the identity registration module is used for enabling the unmanned aerial vehicle and the terminal to interactively execute an entity registration process with a network control center through a secure channel, and finishing entity registration after secret information is preset;
the unmanned aerial vehicle access authentication module is used for enabling the unmanned aerial vehicle to interact with a network control center through a satellite network so as to finish the access authentication of the unmanned aerial vehicle;
the unmanned aerial vehicle-assisted terminal access authentication module is used for enabling the terminal, after the unmanned aerial vehicle completes the access authentication, to complete access authentication in the space-ground integrated information network with the assistance of the unmanned aerial vehicle;
and the terminal access authentication module assisted by multiple unmanned aerial vehicles is used for, when an unmanned aerial vehicle deviates from the designated airspace due to force majeure and interrupts the authentication, making multiple unmanned aerial vehicles cooperate rapidly to assist the terminal in continuing and completing the access authentication.
Another object of the present invention is to provide a terminal device suitable for a satellite network, wherein the terminal device suitable for a satellite network is equipped with the unmanned aerial vehicle assisted terminal access authentication system.
The invention also aims to provide an application of the unmanned aerial vehicle-assisted terminal access authentication system in the 'trinity' cooperative access authentication of a ground terminal, an unmanned aerial vehicle and a satellite.
It is another object of the present invention to provide a computer program product stored on a computer readable medium, comprising a computer readable program for providing a user input interface to implement the drone assisted terminal access authentication method when executed on an electronic device.
Another object of the present invention is to provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the drone-assisted terminal access authentication method.
By combining all the technical schemes, the invention has the following advantages and positive effects: the unmanned aerial vehicle-assisted terminal access authentication method provided by the invention can solve the problem of terminal access authentication during unmanned aerial vehicle-assisted authentication in scenes such as emergency communication, military operations and post-disaster rescue. Aiming at the security risks that may be encountered in the authentication process, the authentication mode based on the Physical Unclonable Function (PUF) provided by the invention ensures that the terminal and the unmanned aerial vehicle can effectively resist physical attacks during access authentication. Even if the registration information in the database of the network control center is stolen, the authentication process can still be executed safely and efficiently, and leakage of user privacy data caused by the theft of registration information is avoided. For the terminal access authentication protocol assisted by multiple unmanned aerial vehicles, when the unmanned aerial vehicle assisting the terminal authentication deviates and the terminal authentication is forcibly interrupted, the network control center can dispatch a new unmanned aerial vehicle to resume the authentication process, preventing the extra computation and communication overhead that a large number of repeated authentications would generate.
The invention provides an access authentication method suitable for 'trinity' cooperative authentication of a ground terminal, an unmanned aerial vehicle and a satellite in a space-ground integrated information network. The method can complete authentication among different entity identities in real time and efficiently with the assistance of the unmanned aerial vehicle, quickly establish a stable and reliable mobile communication network, and provide technical support for scenes such as unmanned aerial vehicle emergency communication, military operations and fire rescue. By designing an access authentication protocol integrated with the communication flow, the secure construction of the space-ground integrated information network is guaranteed. The scheme fully considers the various forms of attack to which the unmanned aerial vehicle may be subjected in various scenes, and by adopting a Physical Unclonable Function (PUF) the protocol is able to resist physical attacks and database theft attacks. Compared with existing schemes that adopt symmetric or public-key cryptosystems, the scheme avoids the complex certificate management of public-key systems while achieving anonymity, and at the same time achieves stronger security.
The unmanned aerial vehicle-assisted terminal access authentication method provided by the invention can achieve anonymity, unlinkability, and complete forward and backward security on the premise of guaranteeing bidirectional authentication, and can resist various attacks such as replay and man-in-the-middle. In addition, the scheme fully considers the various forms of attack to which the unmanned aerial vehicle may be subjected in various scenes, and by adopting a Physical Unclonable Function (PUF) the protocol is able to resist physical attacks and database theft attacks. Compared with existing schemes that adopt symmetric or public-key cryptosystems, the scheme avoids the complex certificate management of public-key systems while achieving anonymity, and at the same time achieves stronger security.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments of the present invention will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for authenticating terminal access assisted by an unmanned aerial vehicle according to an embodiment of the present invention.
Fig. 2 is a flowchart of a registration phase according to an embodiment of the present invention.
Fig. 3 is a flowchart of the authentication phase of the drone according to an embodiment of the present invention.
Fig. 4 is a flowchart of a terminal access authentication phase assisted by a drone according to an embodiment of the present invention.
Fig. 5 is a flowchart of a first state of the multi-drone assisted terminal access authentication phase according to an embodiment of the present invention.
Fig. 6 is a flowchart of a second state of the multi-drone assisted terminal access authentication phase according to an embodiment of the present invention.
Fig. 7 is a block diagram of a structure of a terminal access authentication system assisted by an unmanned aerial vehicle according to an embodiment of the present invention;
in the figure: 1. identity registration module; 2. unmanned aerial vehicle access authentication module; 3. unmanned aerial vehicle-assisted terminal access authentication module; 4. terminal access authentication module assisted by multiple unmanned aerial vehicles.
Fig. 8 is a schematic diagram showing a specific comparison of total computation overhead of various schemes provided by the embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides an unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application, and relates in particular to emergency communication: when natural disasters in mountainous or other remote areas damage the communication infrastructure, terrain limitations prevent it from being quickly repaired or rebuilt. With the unmanned aerial vehicle-assisted terminal access authentication method, terminal equipment in the disaster area can be safely and quickly connected to the satellite communication network with the assistance of the unmanned aerial vehicle, and communication is restored. Relying on the global coverage of the satellite network and the high mobility of the unmanned aerial vehicle, an emergency communication network can be quickly established for disaster areas to support rescue. In field inspection of high-voltage cables, using unmanned aerial vehicles for inspection can markedly improve both inspection efficiency and inspection safety. After the inspection personnel arrive at the designated area, the unmanned aerial vehicle flies from a nearby supply point to the designated airspace and then identifies and authenticates the inspection personnel's control terminal in that area. With this method, the ground terminal can complete bidirectional authentication with the network control center with the assistance of the unmanned aerial vehicle, and bidirectional authentication between the unmanned aerial vehicle and the ground equipment is achieved at the same time, providing a higher security guarantee for the establishment of the communication link.
The present invention will be described in detail below with reference to the accompanying drawings.
As shown in fig. 1, the method for authenticating terminal access assisted by an unmanned aerial vehicle according to the embodiment of the present invention includes the following steps:
s101, an unmanned aerial vehicle and a terminal interactively execute an entity registration process with a network control center through a secure channel, and entity registration is completed after secret information is preset;
s102, the unmanned aerial vehicle interacts with a network control center through a satellite network to complete the access authentication of the unmanned aerial vehicle;
s103, after the unmanned aerial vehicle completes access authentication, the terminal completes access authentication in the space-ground integrated information network with the assistance of the unmanned aerial vehicle;
and S104, when the unmanned aerial vehicle deviates from the designated airspace due to force majeure and interrupts the authentication, multiple unmanned aerial vehicles cooperate rapidly to assist the terminal in continuing and completing the access authentication.
A person skilled in the art can also implement the unmanned aerial vehicle-assisted terminal access authentication method provided by the present invention with other steps; the unmanned aerial vehicle-assisted terminal access authentication method of fig. 1 is only one specific embodiment.
As shown in fig. 7, the terminal access authentication system assisted by an unmanned aerial vehicle according to an embodiment of the present invention includes:
the identity registration module 1 is used for enabling the unmanned aerial vehicle and the terminal to interactively execute an entity registration process with a network control center through a secure channel, and finishing entity registration after secret information is preset;
the unmanned aerial vehicle access authentication module 2 is used for enabling the unmanned aerial vehicle to interact with a network control center through a satellite network so as to finish the access authentication of the unmanned aerial vehicle;
the unmanned aerial vehicle-assisted terminal access authentication module 3 is used for enabling the terminal, after the unmanned aerial vehicle completes the access authentication, to complete access authentication in the space-ground integrated information network with the assistance of the unmanned aerial vehicle;
and the terminal access authentication module 4 assisted by multiple unmanned aerial vehicles is used for, when an unmanned aerial vehicle deviates from the designated airspace due to force majeure and interrupts the authentication, making multiple unmanned aerial vehicles cooperate rapidly to assist the terminal in continuing and completing the access authentication.
The technical solution of the present invention will be further described with reference to the following examples.
Example 1
Aiming at the problems in the prior art, the invention provides an unmanned aerial vehicle-assisted terminal access authentication method and application in a space-ground integrated information network.
The invention is realized in such a way, and the unmanned aerial vehicle-assisted terminal access authentication method in the space-ground integrated information network comprises the following steps:
firstly, after a hardware-based Physical Unclonable Function (PUF) is added to the memories of the unmanned aerial vehicle, the terminal and the network control center, the unmanned aerial vehicle and the terminal complete registration with the network control center interactively through a secure channel;
secondly, after the unmanned aerial vehicle and the terminal complete registration, the unmanned aerial vehicle executes access authentication;
thirdly, after the unmanned aerial vehicle access authentication is completed, the terminal executes the access authentication under the assistance of the unmanned aerial vehicle;
and fourthly, when the unmanned aerial vehicle deviates from the designated airspace due to force majeure and interrupts the authentication, multiple unmanned aerial vehicles cooperate quickly to assist the terminal in continuing and completing the access authentication.
Further, the registration process of the unmanned aerial vehicle and the terminal device in the method specifically includes:
1) unmanned aerial vehicle registration
(1) The unmanned aerial vehicle sends its identity identifier ID_u to the network control center through the secure channel, and at the same time selects a random PUF excitation
Figure GDA0003370367430000101
and sends it to the network control center.
(2) The network control center calculates the excitation response through the built-in PUF in the memory of the network control center
Figure GDA0003370367430000102
At the same time, the network control center generates a set of random excitations
Figure GDA0003370367430000111
and a set of pseudo-IDs PID_N = {pid_1, pid_2, …, pid_n}, and sends the above
Figure GDA0003370367430000112
to the unmanned aerial vehicle through a secure channel.
(3) The unmanned aerial vehicle generates the corresponding excitation response for each random excitation through the PUF embedded in its memory
Figure GDA0003370367430000113
and then returns the set of excitation responses
Figure GDA0003370367430000114
to the network control center.
(4) The network control center needs to store
Figure GDA0003370367430000115
while the unmanned aerial vehicle only needs to store {ID_u, PID_N, (C_i^y, R_i^y)}.
2) Terminal registration
(1) In the registration phase, the user terminal first interacts with the network control center: it sends its real identity identifier through a secure channel and at the same time generates a random excitation for the built-in PUF of the network control center for the i-th authentication
Figure GDA0003370367430000116
and sends the identity ID_d together with
Figure GDA0003370367430000117
to the network control center.
(2) After receiving it, the network control center generates an excitation response through the PUF in its memory
Figure GDA0003370367430000118
At the same time, the network control center generates random excitation of the network control center to the built-in PUF of the terminal
Figure GDA0003370367430000119
And pseudo identity identifier for next authentication of user terminal
Figure GDA00033703674300001110
Sending a message M to the user terminal through the secure channel:
Figure GDA00033703674300001111
(3) after receiving the message M, the user terminal generates an excitation response by a PUF (physical unclonable function) built in a memory of the user terminal
Figure GDA00033703674300001112
And sending the data to a network control center for storage.
(4) Finally, the terminal needs to additionally save
Figure GDA00033703674300001113
and the network control center saves
Figure GDA00033703674300001114
Further, the unmanned aerial vehicle access authentication process specifically includes:
(1) The unmanned aerial vehicle can arbitrarily choose the i-th pseudo-identity identifier pid_i from the pseudo-identity set PID_N = {pid_1, pid_2, …, pid_n} and prepare to initiate authentication.
(2) The unmanned aerial vehicle randomly selects a pseudo-identity identifier pid_i as its identity information for this round of authentication, so as to protect its real identity. At the same time, it generates a random number N_u with its random number generator, reads the internally stored preset secret message
Figure GDA00033703674300001115
and sends the authentication request
Figure GDA00033703674300001116
to the satellite in the airspace where it is located. If the authentication request receives no response because of environmental factors, or a DDoS attack is encountered, a new (i+1)-th pseudo-identity identifier is reselected for authentication.
(3) After receiving the authentication request, the satellite in the airspace where the unmanned aerial vehicle is located adds its own constellation identity to the authentication request
Figure GDA00033703674300001117
and forwards it to the network control center, which can determine the airspace to which the unmanned aerial vehicle belongs according to the satellite's identity identifier.
(4) The network control center checks whether the pseudo-identity identifier pid_i is within its legal range, and randomly selects a pair (c_i, r_i) for this round of authentication. It computes the corresponding response using the excitation in the authentication request
Figure GDA00033703674300001118
and, according to the response
Figure GDA00033703674300001119
and the unmanned aerial vehicle's r_i, calculates a message authentication code:
Figure GDA00033703674300001120
it generates the random number N_s for this round of authentication and supplements the unmanned aerial vehicle with a new pseudo-identity pid_{n+1}; in addition, the network control center needs to calculate the next excitation response pair for authentication with the unmanned aerial vehicle:
Figure GDA00033703674300001121
Figure GDA00033703674300001122
and performs security processing on the sensitive information:
Figure GDA00033703674300001123
and sends the authentication response
Figure GDA0003370367430000121
to the unmanned aerial vehicle that initiated the authentication request, through the original satellite.
(5) After receiving the authentication response, the unmanned aerial vehicle firstly utilizes the built-in PUF in the memory of the unmanned aerial vehicle to calculate
Figure GDA0003370367430000122
And using the stimulus response in local memory
Figure GDA0003370367430000123
And verifying whether the received data XRES is equal to
Figure GDA0003370367430000124
After the authentication is finished, calculating and acquiring a pseudo identity identifier of the subsequent authentication and an excitation response pair of the network control center:
Figure GDA0003370367430000125
Figure GDA0003370367430000126
meanwhile, the unmanned aerial vehicle needs to generate the excitation response pair for the next round of authentication and perform confidentiality processing: c_{n+1} = h(c_i||r_i||ID_u),
Figure GDA0003370367430000127
In addition, the unmanned aerial vehicle also needs to generate the session key S_k required for subsequent communication and an authentication message confirmation code RES:
Figure GDA0003370367430000128
RES = h(r_i||S_k). The unmanned aerial vehicle sends the authentication response message
Figure GDA0003370367430000129
to the network control center through the satellite and waits for verification.
(6) After receiving the authentication response message, the network control center calculates:
Figure GDA00033703674300001210
c_{n+1} = h(c_i||r_i||ID_u),
Figure GDA00033703674300001211
and verifies RES using the calculation result; if RES passes verification, the authentication of the unmanned aerial vehicle is completed. At this point, both parties delete the used pseudo-ID and the corresponding excitation response pair
Figure GDA00033703674300001212
and each stores the new pseudo-ID and excitation response pair supplemented during the authentication process for subsequent authentication; the session key S_k securely negotiated by both parties during the authentication is stored by each side to secure the subsequent wireless communication process.
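The registration and unmanned aerial vehicle access authentication steps above, as an added Python simulation that is not the patent's own code. Each party holds a software stand-in for its PUF (a keyed hash over a random per-device secret). The page gives c_{n+1} = h(c_i||r_i||ID_u) and RES = h(r_i||S_k); the XRES, session key and masking derivations are assumptions because the page's formulas survive only as images, and the refresh of the network control center's own excitation response pair (C^y, R^y) is omitted, so the drone reuses C^y across rounds. The run shows the pseudo-identity being consumed on both sides and the stored excitation response pair being replaced so that the next round still verifies.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List

def h(*parts: bytes) -> bytes:
    """h(a||b||c): SHA-256 over the concatenated fields (hash choice is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def make_puf() -> Callable[[bytes], bytes]:
    """Software stand-in for a hardware PUF (constructed): unique per device, not computable without it."""
    silicon = os.urandom(32)
    return lambda c: hmac.new(silicon, c, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class NCC:
    """Network control center: its own PUF plus one record per registered drone."""
    def __init__(self) -> None:
        self.puf = make_puf()
        self.drones: Dict[bytes, dict] = {}   # ID_u -> {"pids": PID_N, "crp": (c_i, r_i)}

    def register(self, id_u: bytes, drone_puf: Callable[[bytes], bytes], c_y: bytes) -> dict:
        # Registration 1): issue PID_N, learn one response of the drone's PUF over the secure
        # channel (modelled by calling drone_puf), and answer the drone's C^y with own PUF.
        c_i = os.urandom(16)
        pids = [os.urandom(8) for _ in range(3)]
        self.drones[id_u] = {"pids": list(pids), "crp": (c_i, drone_puf(c_i))}
        return {"pids": pids, "r_y": self.puf(c_y)}

    def respond(self, pid: bytes, n_u: bytes, c_y: bytes) -> dict:
        # Step (4): the pseudo-ID must be one the NCC issued; XRES proves the NCC's PUF.
        for id_u, rec in self.drones.items():
            if pid in rec["pids"]:
                break
        else:
            raise ValueError("pseudo-identity not in legal range")
        c_i, r_i = rec["crp"]
        n_s, r_y, pid_next = os.urandom(16), self.puf(c_y), os.urandom(8)
        xres = h(r_y, n_u, n_s)                            # assumed derivation
        masked_pid = xor(pid_next, h(r_y, r_i, n_s)[:8])   # assumed confidentiality processing
        self._pending = (id_u, pid, n_u, n_s, r_y, pid_next)
        return {"n_s": n_s, "xres": xres, "c_i": c_i, "masked_pid": masked_pid}

    def verify(self, msg: dict) -> bool:
        # Step (6): check RES, then rotate to the supplemented pseudo-ID and CRP.
        id_u, pid, n_u, n_s, r_y, pid_next = self._pending
        rec = self.drones[id_u]
        c_i, r_i = rec["crp"]
        self.s_k = h(r_i, r_y, n_u, n_s)                   # assumed session-key derivation
        if not hmac.compare_digest(msg["res"], h(r_i, self.s_k)):
            return False
        c_next = h(c_i, r_i, id_u)                         # c_{n+1} = h(c_i||r_i||ID_u)
        r_next = xor(msg["masked_r_next"], h(self.s_k, b"mask"))
        rec["pids"].remove(pid); rec["pids"].append(pid_next)
        rec["crp"] = (c_next, r_next)                      # used pair deleted, new pair kept
        return True

class Drone:
    def __init__(self, id_u: bytes) -> None:
        self.id_u, self.puf = id_u, make_puf()
        self.c_y, self.pids = os.urandom(16), []          # C^y for the NCC's PUF; PID_N
        self.r_y = b""                                    # R^y, filled in at registration

    def request(self) -> dict:
        # Steps (1)-(2): take an unused pseudo-ID, a fresh N_u, and the stored C^y.
        self.pid_cur, self.n_u = self.pids[0], os.urandom(16)
        return {"pid": self.pid_cur, "n_u": self.n_u, "c_y": self.c_y}

    def answer(self, resp: dict) -> dict:
        # Step (5): authenticate the NCC, then derive RES and the next-round material.
        if not hmac.compare_digest(resp["xres"], h(self.r_y, self.n_u, resp["n_s"])):
            raise ValueError("network control center failed authentication")
        c_i = resp["c_i"]
        r_i = self.puf(c_i)
        c_next = h(c_i, r_i, self.id_u)                    # c_{n+1} = h(c_i||r_i||ID_u)
        self.s_k = h(r_i, self.r_y, self.n_u, resp["n_s"])
        res = h(r_i, self.s_k)                             # RES = h(r_i||S_k)
        pid_next = xor(resp["masked_pid"], h(self.r_y, r_i, resp["n_s"])[:8])
        self.pids.remove(self.pid_cur); self.pids.append(pid_next)
        return {"res": res, "masked_r_next": xor(self.puf(c_next), h(self.s_k, b"mask"))}

def run_rounds(rounds: int = 2) -> dict:
    """Register one drone, run several authentication rounds, report the end state."""
    ncc, drone = NCC(), Drone(b"UAV-001")
    reg = ncc.register(drone.id_u, drone.puf, drone.c_y)
    drone.pids, drone.r_y = reg["pids"], reg["r_y"]
    first_pid = drone.pids[0]
    for _ in range(rounds):
        if not ncc.verify(drone.answer(ncc.respond(**drone.request()))):
            return {"ok": False}
    rec = ncc.drones[drone.id_u]
    return {"ok": True,
            "keys_match": drone.s_k == ncc.s_k,
            "pid_consumed": first_pid not in drone.pids and first_pid not in rec["pids"],
            "pids_in_sync": sorted(drone.pids) == sorted(rec["pids"]),
            "crp_in_sync": rec["crp"][1] == drone.puf(rec["crp"][0])}
```

Note that the network control center never stores a secret that reproduces the drone's PUF: it only holds responses to challenges it has already issued, and the challenge for the next round is derived from material both sides already share, which is what lets a stolen record lose value as soon as the pair has been used.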
Further, the method for terminal access authentication assisted by the unmanned aerial vehicle specifically comprises the following steps:
(1) The user terminal initiates an authentication request to the unmanned aerial vehicle providing the network service, and completes mutual authentication and key agreement through the interaction of the satellite and the network control center. Because the unmanned aerial vehicle has already completed authentication with the network control center in the unmanned aerial vehicle access authentication phase, it can assist the terminal equipment within its communication coverage in the subsequent authentication process. The terminal equipment generates a random number N_d for this round of authentication and, together with its own pseudo-identity identifier and the excitation for the PUF on the network control center side preset in the registration phase,
Figure GDA00033703674300001213
sends the authentication request to the unmanned aerial vehicle in the airspace.
(2) After receiving the authentication request, the unmanned aerial vehicle attaches its identity identifier ID_UAV to it and forwards it through the satellite to the network control center to assist in completing the authentication. This identity identifier was securely stored in the network control center after the unmanned aerial vehicle access authentication phase was completed.
(3) After receiving the authentication request, the network control center firstly checks the validity of the pseudo-identity identifier and generates a random number N for the authentication of the current roundsSimultaneously, the PUF preset in the memory of the PUF is utilized to calculate the excitation in the request
Figure GDA00033703674300001214
the corresponding response
Figure GDA00033703674300001215
It then reads the excitation response pair of the terminal preset in the network control center during the registration phase
Figure GDA00033703674300001216
and computes the message authentication codes respectively:
Figure GDA00033703674300001217
Figure GDA00033703674300001218
Meanwhile, the network control center needs to compute the pseudo identity identifier needed for the next round of authentication
Figure GDA00033703674300001219
and the excitation response pair, and performs confidentiality processing on them:
Figure GDA00033703674300001220
Figure GDA00033703674300001221
after the calculation is completed, the network control center forwards the data to the satellite
Figure GDA00033703674300001222
As an authentication response.
(4) After receiving the authentication response from the network control center, the satellite extracts the message authentication code XRES and the random numbers N_s and N_d generated by the network control center and the terminal, and computes HXRES = h(N_d || N_s || XRES) for the subsequent authentication of the terminal device. After the computation is completed, the satellite stores XRES and sends the authentication response
Figure GDA0003370367430000131
to the unmanned aerial vehicle to carry out the subsequent authentication flow.
(5) After receiving the authentication response from the satellite, the unmanned aerial vehicle reads and stores HXRES and, at the same time, merges its own identity identifier ID_UAV into a new authentication response
Figure GDA0003370367430000132
And then transmitted to the terminal together.
(6) After receiving the authentication response, the terminal first inputs the excitation C_i^x sent by the network control center into the PUF in its memory and computes the excitation response
Figure GDA0003370367430000133
Then, combining the excitation response pair stored in its memory
Figure GDA0003370367430000134
with the content of the authentication response, it computes the message authentication code
Figure GDA0003370367430000135
and checks the MAC value. In addition, the terminal needs to compute the input excitation of the PUF on the network control center side required for the next round of authentication:
Figure GDA0003370367430000136
Meanwhile, the terminal needs to read the content of the received authentication response and parse out the corresponding excitation response
Figure GDA0003370367430000137
And a new pseudo-ID generated by the network control center for the terminal
Figure GDA0003370367430000138
Figure GDA0003370367430000139
After the above process is completed, the terminal needs to calculate
Figure GDA00033703674300001310
and performs confidentiality processing on the PUF excitation response pair required for the next round of authentication:
Figure GDA00033703674300001311
at this time, the terminal may send an authentication response message to the drone
Figure GDA00033703674300001312
And calculating the session key negotiated with the network control center after the authentication of the current round is completed:
Figure GDA00033703674300001313
(7) After receiving the authentication response message sent by the terminal, the unmanned aerial vehicle extracts the value of RES from it and computes HRES = h(N_d || N_s || RES). After the computation is completed, the unmanned aerial vehicle completes authentication of the terminal by checking that HRES is consistent with the HXRES stored in step 5. If the authentication passes, it continues to forward the authentication response message to the satellite.
(8) After the satellite receives the authentication response message
Figure GDA00033703674300001314
it reads the XRES value stored in step 2 and checks the correctness of RES; if the verification is consistent, it sends an authentication confirmation message to the network control center
Figure GDA00033703674300001315
The secret message is extracted by the network control center.
(9) After receiving the authentication confirmation message sent by the satellite, the network control center calculates and obtains a PUF excitation response pair required by the next authentication of the terminal and a session key of subsequent communication:
Figure GDA00033703674300001316
Figure GDA00033703674300001317
after the above-mentioned process is completed, the terminal side needs to store
Figure GDA00033703674300001318
for the next round of authentication and the subsequent wireless network communication procedure. The network control center side needs to store
Figure GDA00033703674300001319
For subsequent authentication and communication.
Further, the multi-unmanned aerial vehicle assisted terminal access authentication method specifically comprises the following steps:
When unmanned aerial vehicle A leaves its original airspace due to factors such as insufficient battery or the environment, and the terminal equipment in the original coverage area of unmanned aerial vehicle A loses connection, the following situations are discussed according to the stage of the authentication process that had been reached when unmanned aerial vehicle A left.
1) The original unmanned aerial vehicle leaves before completing step 2 as described in claim 3
When unmanned aerial vehicle A leaves the designated airspace, if the ground terminal equipment to be authenticated has already sent the authentication request of step 1 to the original unmanned aerial vehicle, and unmanned aerial vehicle A either did not receive the authentication request of step 1 or did not successfully send the message content of step 2 after receiving it, then when the network control center again dispatches an unmanned aerial vehicle in good condition into the designated airspace to assist, the terminal equipment needs to execute step 1 again to re-initiate the authentication flow to unmanned aerial vehicle B.
2) The original unmanned aerial vehicle leaves between step 2 and step 4
(1) When the original unmanned aerial vehicle A leaves its coverage range after step 2 is finished and before step 4 is finished, unmanned aerial vehicle B, assigned by the system and in good condition, enters the designated airspace to assist in completing the authentication. The network control center needs to compute, from the identity identifier ID_UAVb of the assisting unmanned aerial vehicle B, the handover identification authentication code TMAC = h(MAC || ID_UAVa || ID_UAVb) for unmanned aerial vehicle B.
(2) If the network control center has not yet executed step 3 (sending the authentication response to the satellite) at this time, the network control center needs to send the handover identification authentication code TMAC, the identity identifier ID_UAVb of unmanned aerial vehicle B, and the authentication response of step 3
Figure GDA0003370367430000141
together to the terminal equipment through the satellite and unmanned aerial vehicle B.
(3) If the network control center has already executed step 3 at this time, unmanned aerial vehicle B receives the authentication response
Figure GDA0003370367430000142
and then continues to wait. After computing the handover identification authentication code TMAC, the network control center sends the assisting authentication message {TMAC, ID_UAVa, ID_UAVb} to unmanned aerial vehicle B. After receiving the assisting authentication message, unmanned aerial vehicle B sends the authentication response and the assisting authentication message together to the terminal, and the subsequent authentication process continues.
(4) After the terminal receives the authentication response and the assisting authentication message, it first computes, using its own preset PUF:
Figure GDA0003370367430000143
and computes, using the secret message preset in the registration stage:
Figure GDA0003370367430000144
THMAC = h(HMAC || ID_UAVa || ID_UAVb). It checks the MAC and TMAC in the received message against the computed HMAC and THMAC respectively, and ends the authentication process if a check fails. Otherwise, unmanned aerial vehicle B is considered a legitimate unmanned aerial vehicle, and authentication can continue through it. The terminal computes the PUF input excitation required for the next round of authentication and decrypts the excitation response contained in the authentication response
Figure GDA0003370367430000145
And a new terminal pseudo-identity identifier
Figure GDA0003370367430000146
Figure GDA0003370367430000147
Figure GDA0003370367430000148
After the above-mentioned procedure is finished, the terminal calculates and generates its own message authentication code:
Figure GDA0003370367430000149
furthermore, the terminal needs to compute and secure the PUF excitation response pair required for the next round of authentication:
Figure GDA00033703674300001410
at this time, the terminal may send an authentication response message to the drone
Figure GDA00033703674300001411
And calculating the session key negotiated with the network control center after the authentication of the current round is completed:
Figure GDA00033703674300001412
(5) After receiving the data, the unmanned aerial vehicle extracts the RES value and computes HRES = h(N_d || N_s || RES). After the computation is completed, the unmanned aerial vehicle completes authentication of the terminal by checking that HRES is consistent with the HXRES it stored in step 5. If the authentication passes, it continues to forward the authentication response message to the satellite.
(6) After the satellite receives the authentication response message
Figure GDA00033703674300001413
it checks the correctness of RES against the stored XRES value; if they are consistent, it sends an authentication confirmation message to the network control center
Figure GDA00033703674300001414
The secret message is extracted by the network control center.
(7) After receiving the authentication confirmation message sent by the satellite, the network control center needs to calculate the PUF excitation response pair and the subsequent communication session key required by the next round of authentication of the terminal:
Figure GDA0003370367430000151
Figure GDA0003370367430000152
(8) After the authentication is completed, the terminal side needs to store
Figure GDA0003370367430000153
and the network control center side needs to store
Figure GDA0003370367430000154
For subsequent authentication and communication.
3) The original unmanned aerial vehicle leaves after step 5
(1) In this case, the terminal device has already completed authentication of the network control center and has already computed the authentication response message, that is, step 6 is about to be executed; if it finds that the original unmanned aerial vehicle A is out of its communication range, it waits silently.
(2) After the network control center computes the handover identification authentication code TMAC = h(MAC || ID_UAVa || ID_UAVb), it sends the assisting authentication message {TMAC, ID_UAVb, N_d, N_s} to the satellite.
(3) After adding the message authentication code HXRES to the message, the satellite forwards it to unmanned aerial vehicle B. Unmanned aerial vehicle B, in charge of assisting authentication, forwards the assisting authentication message {TMAC, ID_UAVb} to the terminal equipment and stores the remaining information locally.
(4) After receiving the assisting authentication message, the terminal first computes THMAC = h(HMAC || ID_UAVa || ID_UAVb) and then checks the value of TMAC; if the check is not consistent, authentication ends. Otherwise, it continues to execute step 6 and sends the authentication response message to unmanned aerial vehicle B
Figure GDA0003370367430000155
(5) After receiving the authentication response message, unmanned aerial vehicle B, in charge of assisting authentication, extracts the value of RES from it and computes HRES = h(N_d || N_s || RES). After the computation is completed, unmanned aerial vehicle B completes authentication of the terminal by checking the consistency between HRES and its locally stored HXRES. If the authentication passes, it continues to forward the authentication response message to the satellite to execute the subsequent authentication process.
(6) After the satellite receives the authentication response message
Figure GDA0003370367430000156
it checks the correctness of RES against the stored XRES value; if they are consistent, it sends an authentication confirmation message to the network control center
Figure GDA0003370367430000157
from which the network control center extracts the secret message. In addition, the network control center needs to compute the PUF excitation response pair required for the next round of authentication of the terminal and the session key for subsequent communication:
Figure GDA0003370367430000158
Figure GDA0003370367430000159
(7) After the authentication is completed, the terminal side needs to store
Figure GDA00033703674300001510
and the network control center side needs to store
Figure GDA00033703674300001511
For subsequent authentication and communication.
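The verification chain of steps 4, 7 and 8 of the single-UAV flow and the handover check of the multi-UAV case, written as an added Python example that is not the patent's code: the satellite keeps XRES and hands the UAV only HXRES = h(N_d || N_s || XRES), the UAV checks HRES = h(N_d || N_s || RES) against it, the satellite then checks RES against XRES, and the terminal checks TMAC with THMAC = h(HMAC || ID_UAVa || ID_UAVb). Using SHA-256 as h, length-prefixed concatenation for ||, and all identifiers and values are constructed assumptions; how XRES, RES, MAC and HMAC are derived from the PUF responses is not shown here.

```python
import hashlib
import hmac
import os


def h(*fields: bytes) -> bytes:
    """Stand-in for the patent's hash h(a || b || c). Assumption not made by the
    patent: fields are length-prefixed so a||b cannot be re-split ambiguously."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(2, "big"))
        digest.update(field)
    return digest.digest()


class Satellite:
    """Holds XRES (step 4) and is the party that checks RES directly (step 8)."""

    def __init__(self):
        self.n_d = self.n_s = self.xres = None

    def relay_response(self, n_d: bytes, n_s: bytes, xres: bytes) -> bytes:
        """Step 4: store XRES and derive HXRES = h(N_d || N_s || XRES) for the UAV."""
        self.n_d, self.n_s, self.xres = n_d, n_s, xres
        return h(n_d, n_s, xres)

    def verify_res(self, res: bytes) -> bool:
        """Step 8: RES from the terminal must equal the stored XRES."""
        return self.xres is not None and hmac.compare_digest(res, self.xres)


class Drone:
    """Only ever learns HXRES, so it can verify the terminal without holding XRES."""

    def __init__(self, drone_id: bytes):
        self.drone_id = drone_id
        self.n_d = self.n_s = self.hxres = None

    def store_response(self, n_d: bytes, n_s: bytes, hxres: bytes) -> None:
        """Step 5: keep HXRES and the two nonces for the later check."""
        self.n_d, self.n_s, self.hxres = n_d, n_s, hxres

    def verify_res(self, res: bytes) -> bool:
        """Step 7: HRES = h(N_d || N_s || RES) must match the stored HXRES."""
        if self.hxres is None:
            return False
        return hmac.compare_digest(h(self.n_d, self.n_s, res), self.hxres)


def handover_tmac(mac: bytes, id_uav_a: bytes, id_uav_b: bytes) -> bytes:
    """Multi-UAV case: the NCC computes TMAC = h(MAC || ID_UAVa || ID_UAVb)."""
    return h(mac, id_uav_a, id_uav_b)


def terminal_accepts_handover(hmac_local: bytes, id_uav_a: bytes,
                              id_uav_b: bytes, tmac: bytes) -> bool:
    """Terminal side: THMAC = h(HMAC || ID_UAVa || ID_UAVb) is compared with TMAC.
    hmac_local is the MAC the terminal recomputed itself from its PUF response."""
    return hmac.compare_digest(h(hmac_local, id_uav_a, id_uav_b), tmac)


def run_round(xres: bytes, res: bytes, n_d: bytes, n_s: bytes) -> dict:
    """Steps 4, 5, 7 and 8 of the single-UAV flow on constructed inputs:
    XRES comes from the NCC, RES from the terminal (equal iff it is genuine)."""
    sat, uav = Satellite(), Drone(b"UAV-A")
    uav.store_response(n_d, n_s, sat.relay_response(n_d, n_s, xres))
    uav_ok = uav.verify_res(res)                 # step 7, before forwarding
    sat_ok = uav_ok and sat.verify_res(res)      # step 8, only if the UAV forwarded
    return {"uav_accepts": uav_ok, "satellite_accepts": sat_ok}


if __name__ == "__main__":
    n_d, n_s, xres = os.urandom(16), os.urandom(16), os.urandom(32)
    print(run_round(xres, xres, n_d, n_s))             # genuine terminal: both True
    print(run_round(xres, os.urandom(32), n_d, n_s))   # wrong RES: both False
```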
The invention provides an access authentication method suitable for three-party cooperative authentication of a ground terminal, an unmanned aerial vehicle and a satellite in a space-ground integrated information network. The method can complete authentication among different entity identities in real time and efficiently with the assistance of the unmanned aerial vehicle, quickly establish a stable and reliable mobile communication network, and provide technical support for scenarios such as unmanned aerial vehicle emergency communication, military operations and fire rescue. By designing an access authentication protocol integrated with the communication flow, the secure construction of the space-ground integrated information network is guaranteed. The scheme fully considers the various forms of attack an unmanned aerial vehicle may be subjected to in various scenarios, and by adopting a Physical Unclonable Function (PUF) the protocol is able to resist physical attacks and database theft attacks. Compared with prior schemes adopting a symmetric encryption system or a public key encryption system, the scheme achieves anonymity while avoiding the complex certificate management of a public key system, and at the same time achieves stronger security.
The unmanned aerial vehicle-assisted terminal access authentication method provided by the invention achieves anonymity, unlinkability, and perfect forward and backward secrecy on the premise of ensuring mutual authentication, and can resist attack modes such as replay and man-in-the-middle attacks. In addition, the scheme fully considers the various forms of attack an unmanned aerial vehicle may suffer in various scenarios, and by adopting a Physical Unclonable Function (PUF) the protocol is able to resist physical attacks and database theft attacks. Compared with prior schemes adopting a symmetric encryption system or a public key encryption system, the scheme achieves anonymity while avoiding the complex certificate management of a public key system, and at the same time achieves stronger security.
Example 2
Aiming at the problems in the prior art, the invention provides an unmanned aerial vehicle-assisted terminal access authentication method suitable for a space-ground integrated information network and its application, which is described in detail below with reference to the accompanying drawings. First, a supplementary explanation of Physically Unclonable Functions (PUFs):
A PUF is a physical stimulus response function whose inputs, called stimuli (excitations), are denoted x ∈ X, and whose response to each stimulus is denoted y ∈ Y. In general, a stimulus together with its corresponding response is called an excitation response pair (CRP) and may be written CRP(x, y). The relationship between the physical unclonable function and the response to a particular stimulus is described by the mapping PUF: X → Y, PUF(x) = y. When queried with a stimulus x, the PUF generates a response
Figure GDA0003370367430000161
which depends on x and on the internal physical (sub-)microstructure of the device. Due to variations in environmental and operational factors (e.g., ambient temperature and terminal voltage), the PUF output may vary slightly when the same stimulus is applied multiple times. However, a fuzzy extractor can remove these variations (noise) and turn the PUF into a deterministic function.
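As an added example (not from the patent), the following Python simulation shows what the fuzzy extractor does for a noisy PUF: Gen derives public helper data from the enrollment-time response, and Rep recovers the same key from a later response that differs in a few bits, while a response with too many flipped bits no longer does. The simulated PUF, the bit-flip noise model, the repetition-code parameters and all values are constructed assumptions; a deployed fuzzy extractor would use a stronger error-correcting code than the repetition code used here for clarity.

```python
import hashlib
import random

# Constructed parameters (not from the patent): a 64-bit key is hidden in a
# 320-bit PUF response using a repetition code of length 5 per key bit.
KEY_BITS = 64
REP = 5                      # repetition-code length; tolerates 2 flips per block
RESP_BITS = KEY_BITS * REP   # PUF response bits consumed per challenge


def clean_response(device_secret: bytes, challenge: bytes) -> list:
    """Noise-free response of a simulated PUF (a stand-in for real silicon):
    deterministic in (device, challenge), unpredictable without device_secret."""
    bits = []
    counter = 0
    while len(bits) < RESP_BITS:
        block = hashlib.sha256(device_secret + challenge + counter.to_bytes(4, "big")).digest()
        bits.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return bits[:RESP_BITS]


def noisy_response(clean: list, flip_stride: int) -> list:
    """Constructed noise model: flip every flip_stride-th bit (stride 0 = no noise),
    standing in for the temperature/voltage induced bit errors of a real PUF."""
    return [b ^ 1 if flip_stride and i % flip_stride == 0 else b
            for i, b in enumerate(clean)]


def encode(key_bits: list) -> list:
    """Repetition-code encoder: each key bit becomes REP identical code bits."""
    return [b for b in key_bits for _ in range(REP)]


def decode(codeword: list) -> list:
    """Majority decoder: a block decodes correctly while it has < REP/2 flips."""
    return [1 if 2 * sum(codeword[i * REP:(i + 1) * REP]) > REP else 0
            for i in range(KEY_BITS)]


def gen(response: list, rng: random.Random):
    """Fuzzy-extractor Gen (code-offset construction): draw a random key k and
    publish helper data P = w XOR C(k), stored alongside the CRP at enrollment."""
    key = [rng.randrange(2) for _ in range(KEY_BITS)]
    helper = [w ^ c for w, c in zip(response, encode(key))]
    return key, helper


def rep(response: list, helper: list) -> list:
    """Fuzzy-extractor Rep: w' XOR P = C(k) XOR noise, then majority-decode."""
    return decode([w ^ p for w, p in zip(response, helper)])


def extract_key(response: list, helper: list) -> str:
    """Deterministic secret from a noisy response: Rep, then hash the key bits."""
    key_int = int("".join(map(str, rep(response, helper))), 2)
    return hashlib.sha256(key_int.to_bytes(KEY_BITS // 8, "big")).hexdigest()


if __name__ == "__main__":
    secret = b"constructed-device-secret"     # models the device's physical structure
    challenge = b"\x5a" * 16                   # constructed stimulus x
    w = clean_response(secret, challenge)
    k, P = gen(w, random.Random(7))
    print("<= 2 flips per block recovered:", rep(noisy_response(w, 3), P) == k)  # True
    print("3 flips in a block recovered:", rep(noisy_response(w, 2), P) == k)    # False
```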
As shown in fig. 1, the method for authenticating terminal access assisted by an unmanned aerial vehicle applicable to a space-ground integrated information network provided by the embodiment of the present invention includes the following steps:
(1) the terminal and the unmanned aerial vehicle interact with a network control center through a safety channel to complete registration;
(2) after the unmanned aerial vehicle and the terminal complete registration, the unmanned aerial vehicle executes access authentication;
(3) after the unmanned aerial vehicle access authentication is completed, the terminal executes the access authentication under the assistance of the unmanned aerial vehicle;
(4) when an unmanned aerial vehicle is forced by force majeure to leave the designated airspace, interrupting authentication, multiple unmanned aerial vehicles cooperate rapidly to assist the terminal in continuing to complete access authentication.
As shown in fig. 2, the system architecture provided by the present invention is composed of a network control center, a satellite, an unmanned aerial vehicle, and a terminal device, and in the registration stage, the specific steps are as follows:
1) unmanned aerial vehicle registration
(1) The unmanned aerial vehicle sends its identity identifier ID_u to the network control center through the secure channel and, at the same time, selects a random PUF excitation
Figure GDA0003370367430000162
And sent to the network control center.
(2) The network control center calculates the excitation response through the built-in PUF in the memory of the network control center
Figure GDA0003370367430000163
At the same time, the network control center generates a set of random stimuli
Figure GDA0003370367430000164
and the pseudo identity set PID_N = {pid_1, pid_2, …, pid_n}, and sends the above
Figure GDA0003370367430000165
And sending the data to the unmanned aerial vehicle through a safety channel.
(3) The unmanned aerial vehicle generates corresponding excitation response for each random excitation through PUF embedded in memory of the unmanned aerial vehicle
Figure GDA0003370367430000166
Then responding the set of stimuli
Figure GDA0003370367430000167
And returning to the network control center.
(4) The network control center needs to store
Figure GDA0003370367430000171
while the unmanned aerial vehicle only needs to store {ID_u, PID_N, (C_i^y, R_i^y)}.
2) Terminal registration
(1) In the registration stage, the user terminal interacts with the network control center: through the secure channel it sends its real identity identifier and generates the random excitation for the PUF built into the network control center for the i-th authentication
Figure GDA0003370367430000172
ID_d,
Figure GDA0003370367430000173
And sent to the network control center.
(2) After receiving these, the network control center generates the excitation response through the PUF in its memory
Figure GDA0003370367430000174
At the same time, the network control center generates its random excitation for the PUF built into the terminal
Figure GDA0003370367430000175
And pseudo identity identifier for next authentication of user terminal
Figure GDA0003370367430000176
Sending a message M to the user terminal through the secure channel:
Figure GDA0003370367430000177
(3) after receiving the message M, the user terminal generates an excitation response by a PUF (physical unclonable function) built in a memory of the user terminal
Figure GDA0003370367430000178
And sending the data to a network control center for storage.
(4) Finally, the terminal additionally needs to store
Figure GDA0003370367430000179
and the network control center stores
Figure GDA00033703674300001710
As shown in fig. 3, which mainly illustrates the unmanned aerial vehicle access authentication process, the process specifically includes:
(1) The unmanned aerial vehicle can arbitrarily choose the i-th pseudo identity identifier pid_i from the pseudo identity set PID_N = {pid_1, pid_2, …, pid_n} in preparation for initiating authentication.
(2) The unmanned aerial vehicle randomly selects any pseudo identity identifier pid_i as the identity information for this round of authentication, so as to protect its real identity. At the same time, it generates a random number N_u and reads the preset secret message stored internally
Figure GDA00033703674300001711
and sends the authentication request
Figure GDA00033703674300001712
to the satellite in the airspace where it is located. If the authentication request receives no response due to environmental factors, or a DDoS attack is encountered, a new (i+1)-th pseudo identity identifier is reselected for authentication.
(3) After receiving the authentication request, the satellite in the airspace where the unmanned aerial vehicle is located adds its constellation identity to the authentication request
Figure GDA00033703674300001713
and forwards it to the network control center, which can determine the corresponding airspace according to that identity identifier.
(4) The network control center checks whether the pseudo identity identifier pid_i is within its legal range, and randomly selects any pair (c_i, r_i) for the current round of authentication. It computes the corresponding response using the excitation in the authentication request
Figure GDA00033703674300001714
and, according to that response
Figure GDA00033703674300001715
and the unmanned aerial vehicle's r_i, computes a message authentication code:
Figure GDA00033703674300001716
It generates the random number N_s for the current round of authentication and supplements a new pseudo identity identifier pid_{n+1} for the unmanned aerial vehicle. In addition, the network control center needs to compute the next excitation response pair for authentication with the unmanned aerial vehicle:
Figure GDA00033703674300001717
Figure GDA00033703674300001718
and carrying out security processing on the sensitive information:
Figure GDA00033703674300001719
and sends the authentication response
Figure GDA00033703674300001720
to the unmanned aerial vehicle that initiated the authentication request, through the original satellite.
(5) After receiving the authentication response, the unmanned aerial vehicle firstly utilizes the built-in PUF in the memory of the unmanned aerial vehicle to calculate
Figure GDA0003370367430000181
And using the stimulus response in local memory
Figure GDA0003370367430000182
And verifying whether the received data XRES is equal to
Figure GDA0003370367430000183
After the authentication is finished, calculating and acquiring a pseudo identity identifier of the subsequent authentication and an excitation response pair of the network control center:
Figure GDA0003370367430000184
Figure GDA0003370367430000185
Meanwhile, the unmanned aerial vehicle needs to generate an excitation response pair for the next round of authentication and perform confidentiality processing: c_{n+1} = h(c_i || r_i || ID_u),
Figure GDA0003370367430000186
In addition, the unmanned aerial vehicle also needs to generate the session key S_k required for subsequent communication and the authentication message confirmation code RES:
Figure GDA0003370367430000187
RES = h(r_i || S_k). The unmanned aerial vehicle then sends the authentication response message
Figure GDA0003370367430000188
And sending the data to a network control center through a satellite to wait for verification.
(6) After receiving the authentication response message, the network control center calculates:
Figure GDA0003370367430000189
c_{n+1} = h(c_i || r_i || ID_u),
Figure GDA00033703674300001810
and verifies RES using the computed results; if RES passes the verification, authentication of the unmanned aerial vehicle is complete. At this point, both parties delete the used pseudo identity and the corresponding excitation response pair
Figure GDA00033703674300001811
The new pseudo identity and excitation response pair supplemented during the authentication process must each be stored for subsequent authentication, and the session key S_k securely negotiated by the two parties during the authentication process is stored by each party to protect the subsequent wireless communication.
As shown in fig. 4, it specifically shows an unmanned aerial vehicle-assisted terminal access authentication procedure, which specifically includes:
(1) The user terminal initiates an authentication request to the unmanned aerial vehicle providing the network service, and completes mutual authentication and key agreement through the interaction of the satellite and the network control center. Because the unmanned aerial vehicle has already completed authentication with the network control center during the unmanned aerial vehicle access authentication stage, in the subsequent authentication procedure it can assist the terminal equipment within its communication coverage to authenticate. The terminal device first generates a random number N_d for the authentication process and, together with its own pseudo identity identifier and the excitation preset in the registration phase for the PUF on the network control center side
Figure GDA00033703674300001812
sends them together as an authentication request to the unmanned aerial vehicle in the airspace.
(2) After receiving the authentication request, the unmanned aerial vehicle attaches its identity identifier ID_UAV to the authentication request and forwards it through the satellite to the network control center to assist in completing authentication. After the unmanned aerial vehicle's access authentication phase is completed, this identity identifier is securely stored in the network control center.
(3) After receiving the authentication request, the network control center first checks the validity of the pseudo identity identifier and generates a random number N_s for the current round of authentication. At the same time, it uses the PUF preset in its memory to compute, for the excitation in the request
Figure GDA00033703674300001813
the corresponding response
Figure GDA00033703674300001814
It then reads the excitation response pair of the terminal preset in the network control center during the registration phase
Figure GDA00033703674300001815
and computes the message authentication codes respectively:
Figure GDA00033703674300001816
Figure GDA00033703674300001817
Meanwhile, the network control center needs to compute the pseudo identity identifier needed for the next round of authentication
Figure GDA00033703674300001818
and the excitation response pair, and performs confidentiality processing on them:
Figure GDA00033703674300001819
Figure GDA00033703674300001820
after the calculation is completed, the network control center forwards the data to the satellite
Figure GDA00033703674300001821
As an authentication response.
(4) After receiving the authentication response from the network control center, the satellite extracts the message authentication code XRES and the random numbers N_s and N_d generated by the network control center and the terminal, and computes HXRES = h(N_d || N_s || XRES) for the subsequent authentication of the terminal device. After the computation is completed, the satellite stores XRES and sends the authentication response
Figure GDA0003370367430000191
to the unmanned aerial vehicle to carry out the subsequent authentication flow.
(5) After receiving the authentication response from the satellite, the unmanned aerial vehicle reads and stores HXRES and, at the same time, merges its own identity identifier ID_UAV into a new authentication response
Figure GDA0003370367430000192
And then transmitted to the terminal together.
(6) After receiving the authentication response, the terminal first takes the excitation sent by the network control center
Figure GDA0003370367430000193
inputs it into the PUF in its memory, and computes the excitation response
Figure GDA0003370367430000194
Then, combining the excitation response pair stored in its memory
Figure GDA0003370367430000195
with the content of the authentication response, it computes the message authentication code
Figure GDA0003370367430000196
And checking the MAC value. Furthermore, the terminal needs to compute the input stimuli of the PUF on the network control center side required for the next round of authentication:
Figure GDA0003370367430000197
Meanwhile, the terminal needs to read the content of the received authentication response and parse out the corresponding excitation response
Figure GDA0003370367430000198
And a new pseudo-ID generated by the network control center for the terminal
Figure GDA0003370367430000199
Figure GDA00033703674300001910
After the above process is completed, the terminal needs to calculate
Figure GDA00033703674300001911
and performs confidentiality processing on the PUF excitation response pair required for the next round of authentication:
Figure GDA00033703674300001912
at this time, the terminal may send an authentication response message to the drone
Figure GDA00033703674300001913
And calculating the session key negotiated with the network control center after the authentication of the current round is completed:
Figure GDA00033703674300001914
(7) After receiving the authentication response message sent by the terminal, the unmanned aerial vehicle extracts the value of RES from it and computes HRES = h(N_d || N_s || RES). After the computation is completed, the unmanned aerial vehicle completes authentication of the terminal by checking that HRES is consistent with the HXRES stored in step 5. If the authentication passes, it continues to forward the authentication response message to the satellite.
(8) After the satellite receives the authentication response message
Figure GDA00033703674300001915
it reads the XRES value stored in step 2 and checks the correctness of RES; if the verification is consistent, it sends an authentication confirmation message to the network control center
Figure GDA00033703674300001916
The secret message is extracted by the network control center.
(9) After receiving the authentication confirmation message sent by the satellite, the network control center calculates and obtains a PUF excitation response pair required by the next authentication of the terminal and a session key of subsequent communication:
Figure GDA00033703674300001917
Figure GDA00033703674300001918
after the above-mentioned process is completed, the terminal side needs to store
Figure GDA00033703674300001919
for the next round of authentication and the subsequent wireless network communication procedure. The network control center side needs to store
Figure GDA00033703674300001920
For subsequent authentication and communication.
When the unmanned aerial vehicle (A) leaves its original airspace due to factors such as insufficient battery charge or environmental conditions, and the terminal equipment in its original coverage area loses connection, the following situations are discussed according to the stage of the authentication process at which the unmanned aerial vehicle (A) deviates.
1) The original drone deviates before completing step 2 as described in claim 3
The assisting process is shown in fig. 4:
When the unmanned aerial vehicle (A) deviates from the designated airspace after the ground terminal equipment to be authenticated has already sent the step 1 authentication request to it, and the unmanned aerial vehicle (A) either did not receive the step 1 authentication request or did not successfully send the step 2 message content after receiving it, then once the network control center dispatches another unmanned aerial vehicle in good condition into the designated airspace to assist, the terminal equipment needs to execute step 1 again to re-initiate the authentication flow to the unmanned aerial vehicle B.
2) The original unmanned aerial vehicle deviates between step 2 and step 4
Fig. 5 mainly shows a flow chart of one state of the terminal access authentication phase assisted by multiple drones; the specific flow is as follows:
(1) When the original unmanned aerial vehicle A leaves its original coverage range after step 2 is finished and before step 4 is finished, the system dispatches an unmanned aerial vehicle B in good condition into the designated airspace to assist in completing the authentication. From the identity identifier ID_UAVb of the assisting unmanned aerial vehicle B, the network control center needs to calculate a switching identification authentication code TMAC = h(MAC || ID_UAVa || ID_UAVb) for the unmanned aerial vehicle B participating in assistance.
(2) If the network control center has not yet executed step 3 (sending the authentication response to the satellite) at this time, it needs to combine the switching identification authentication code TMAC, the identity identifier ID_UAVb of unmanned aerial vehicle B and the authentication response of step 3
Figure GDA0003370367430000201
and send them synchronously to the terminal equipment through the satellite and unmanned aerial vehicle B.
(3) If the network control center has already executed step 3 at this time, the unmanned aerial vehicle B receives the authentication response
Figure GDA0003370367430000202
and then continues to wait. After calculating the switching identification authentication code TMAC, the network control center sends the assisting authentication message {TMAC, ID_UAVa, ID_UAVb} to drone B. After receiving the assisting authentication message, the unmanned aerial vehicle B synchronously sends the authentication response and the assisting authentication message to the terminal, and the subsequent authentication process continues.
(4) After the terminal receives the authentication response and the assisting authentication message, it first calculates, through its own preset PUF:
Figure GDA0003370367430000203
and calculating by using a secret message preset in the registration stage:
Figure GDA0003370367430000204
THMAC = h(HMAC || ID_UAVa || ID_UAVb). The MAC and the TMAC in the received message are then checked against the calculated HMAC and THMAC respectively, and the authentication process ends if either check fails. Otherwise, the unmanned aerial vehicle B is considered a legal unmanned aerial vehicle, and the authentication can continue through it. The terminal then calculates the PUF input excitation required for the next round of authentication and decrypts the excitation response contained in the authentication response
Figure GDA0003370367430000205
And a new terminal pseudo-identity identifier
Figure GDA0003370367430000206
Figure GDA0003370367430000207
Figure GDA0003370367430000208
After the above-mentioned procedure is finished, the terminal calculates and generates its own message authentication code:
Figure GDA0003370367430000209
furthermore, the terminal needs to compute and secure the PUF excitation response pair required for the next round of authentication:
Figure GDA00033703674300002010
at this time, the terminal may send an authentication response message to the drone
Figure GDA00033703674300002011
And calculating the session key negotiated with the network control center after the authentication of the current round is completed:
Figure GDA0003370367430000211
(5) After receiving the authentication response message, the unmanned aerial vehicle extracts the value of RES from it and calculates HRES = h(N_d || N_s || RES). After the calculation is completed, the unmanned aerial vehicle completes the authentication of the terminal by checking the consistency of HRES with the HXRES stored in step 5. If the authentication passes, it continues to forward the authentication response message to the satellite.
(6) After the satellite receives the authentication response message
Figure GDA0003370367430000212
it checks the correctness of RES against the stored XRES value; if they are consistent, it sends an authentication confirmation message to the network control center
Figure GDA0003370367430000213
The secret message is extracted by the network control center.
(7) After receiving the authentication confirmation message sent by the satellite, the network control center needs to calculate the PUF excitation response pair and the subsequent communication session key required by the next round of authentication of the terminal:
Figure GDA0003370367430000214
Figure GDA0003370367430000215
(8) after the authentication is completed, the terminal side needs to store
Figure GDA0003370367430000216
Network control center side needs storage
Figure GDA0003370367430000217
For subsequent authentication and communication.
3) The original unmanned plane deviates after step 5
Fig. 6 mainly shows a flow chart of the second state of the terminal access authentication phase assisted by multiple drones; the specific flow is as follows:
(1) In this case, the terminal device has already completed the authentication of the network control center and has already calculated the authentication response message, that is, it is about to execute step 6; if it finds that the original unmanned aerial vehicle A is out of its communication range, it waits silently.
(2) After the network control center calculates the switching identification authentication code TMAC = h(MAC || ID_UAVa || ID_UAVb), it sends the assisting authentication message {TMAC, ID_UAVb, N_d, N_s} to the satellite.
(3) After adding the message authentication code HXRES, the satellite forwards the message to the unmanned aerial vehicle B. Unmanned aerial vehicle B, in charge of assisting authentication, forwards the assisting authentication message {TMAC, ID_UAVb} to the terminal equipment and stores the remaining information locally.
(4) After receiving the assisting authentication message, the terminal first calculates THMAC = h(HMAC || ID_UAVa || ID_UAVb) and checks it against the value of TMAC; if they are not consistent, the authentication ends. Otherwise, it continues to execute step 6 and sends the authentication response message to the unmanned aerial vehicle B
Figure GDA0003370367430000218
(5) After receiving the authentication response message, the unmanned aerial vehicle B in charge of assisting authentication extracts the value of RES from it and calculates HRES = h(N_d || N_s || RES). After the calculation is completed, the unmanned aerial vehicle B completes the authentication of the terminal by checking the consistency of HRES with its locally stored HXRES. If the authentication passes, it continues to forward the authentication response message to the satellite to execute the subsequent authentication process.
(6) After the satellite receives the authentication response message
Figure GDA0003370367430000219
it checks the correctness of RES against the stored XRES value; if they are consistent, it sends an authentication confirmation message to the network control center
Figure GDA00033703674300002110
The secret message is extracted by the network control center. In addition, the network control center needs to calculate the PUF excitation response pair required for the next round of authentication of the terminal and the session key for subsequent communication:
Figure GDA00033703674300002111
Figure GDA0003370367430000221
(7) after the authentication is completed, the terminal side needs to store
Figure GDA0003370367430000222
Network control center side needs storage
Figure GDA0003370367430000223
For subsequent authentication and communication.
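The following Python program is an added worked example, not code from the patent, that walks the verification chain described in steps (4) to (8) above: the satellite derives HXRES = h(N_d || N_s || XRES) and keeps XRES for itself, the assisting drone checks HRES = h(N_d || N_s || RES) against HXRES, the satellite checks RES against XRES, and the terminal checks the handover code TMAC = h(MAC || ID_UAVa || ID_UAVb) through THMAC before accepting drone B. What the page leaves to its figures is filled in with labelled assumptions: h() is SHA-256 over length-prefixed fields, RES and XRES are both derived from a PUF response the terminal regenerates and the network control center stored at registration, and the terminal's HMAC equals MAC once its check of the center has passed. All identifiers, nonces and responses are constructed sample values.

```python
"""Added example, not from the patent: the verification chain of the assisted
terminal authentication response (steps (4)-(8)), modelled with SHA-256.

Assumptions not on the page: h() is SHA-256 over length-prefixed fields; RES
on the terminal and XRES on the network control center are both derived as
h(N_d || N_s || R) from a PUF response R that the terminal regenerates and
the center stored at registration (the page's own derivation is in figures
only); the terminal's HMAC equals MAC once its check of the center passed.
All identifiers, nonces and responses are constructed sample values.
"""
import hashlib
import hmac
import os


def h(*fields):
    """h(a || b || ...) as SHA-256 over length-prefixed fields."""
    m = hashlib.sha256()
    for f in fields:
        m.update(len(f).to_bytes(2, "big"))
        m.update(f)
    return m.digest()


# Network control center (NCC)
def ncc_expected_response(stored_r, n_d, n_s):
    """XRES, the response the NCC expects from the terminal (assumed form)."""
    return h(n_d, n_s, stored_r)


def ncc_handover_code(mac, id_uav_a, id_uav_b):
    """TMAC = h(MAC || ID_UAVa || ID_UAVb), issued for the assisting drone B."""
    return h(mac, id_uav_a, id_uav_b)


# Satellite: keeps XRES for its own check and hands the drone only HXRES
def satellite_hxres(n_d, n_s, xres):
    """HXRES = h(N_d || N_s || XRES), bound to this round's nonces."""
    return h(n_d, n_s, xres)


def satellite_check_res(stored_xres, res):
    return hmac.compare_digest(stored_xres, res)


# Drone: checks the terminal's RES with nothing but HXRES and the nonces
def drone_check_res(stored_hxres, n_d, n_s, res):
    """HRES = h(N_d || N_s || RES) must equal the HXRES stored from the satellite."""
    return hmac.compare_digest(stored_hxres, h(n_d, n_s, res))


# Terminal
def terminal_response(puf_r, n_d, n_s):
    """RES regenerated from the terminal's own PUF response (assumed form)."""
    return h(n_d, n_s, puf_r)


def terminal_check_handover(hmac_value, id_uav_a, id_claimed, tmac):
    """THMAC = h(HMAC || ID_UAVa || ID_UAVb); accept the new drone only on a match."""
    return hmac.compare_digest(h(hmac_value, id_uav_a, id_claimed), tmac)


def run_round(terminal_r, ncc_r, id_a, id_b, id_claimed, mac):
    """One assisted round. Returns (drone_ok, satellite_ok, handover_ok).

    terminal_r / ncc_r: the PUF response as regenerated by the terminal and as
    stored by the NCC (equal for a genuine device). id_claimed: the identifier
    the assisting drone presents to the terminal."""
    n_d, n_s = os.urandom(16), os.urandom(16)          # fresh nonces per round
    xres = ncc_expected_response(ncc_r, n_d, n_s)
    hxres = satellite_hxres(n_d, n_s, xres)            # satellite -> drone
    tmac = ncc_handover_code(mac, id_a, id_b)          # NCC -> terminal via drone B
    handover_ok = terminal_check_handover(mac, id_a, id_claimed, tmac)
    res = terminal_response(terminal_r, n_d, n_s)      # terminal -> drone
    drone_ok = drone_check_res(hxres, n_d, n_s, res)   # drone's HRES check
    satellite_ok = satellite_check_res(xres, res)      # satellite's XRES check
    return drone_ok, satellite_ok, handover_ok


if __name__ == "__main__":
    r = os.urandom(32)                                 # constructed PUF response
    mac = os.urandom(32)                               # constructed MAC from the NCC
    print("genuine:", run_round(r, r, b"UAV-A", b"UAV-B", b"UAV-B", mac))
    print("tampered PUF:", run_round(r, os.urandom(32), b"UAV-A", b"UAV-B", b"UAV-B", mac))
    print("unassigned drone:", run_round(r, r, b"UAV-A", b"UAV-B", b"UAV-C", mac))
```

Running the module shows three outcomes: a genuine terminal passes both the drone's HRES check and the satellite's XRES check; a terminal whose PUF response differs from the registered one fails both, which is the property the security analysis relies on for physical-attack resistance; and a drone presenting an identifier the network control center did not bind into TMAC is rejected by the terminal's THMAC check. Comparisons use hmac.compare_digest so that a failed check takes the same time whichever byte differs.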
The technical solution of the present invention is further described below in conjunction with a security analysis.
(1) Bidirectional authentication: in the scheme, the terminal equipment can firstly verify the message authentication code generated by the network control center
Figure GDA0003370367430000224
to determine the validity of the network control center, because among the values therein,
Figure GDA0003370367430000225
is written in through the secure channel during the registration phase, and
Figure GDA0003370367430000226
is the excitation response calculated by its built-in PUF, so neither can be obtained by an adversary through illegal means. For the network control center,
Figure GDA0003370367430000227
is the stimulus response it generates with its built-in PUF during the authentication phase, whose corresponding stimulus was sent by the terminal at the start of the authentication, so there is no risk of leakage, and
Figure GDA0003370367430000228
is obtained by interacting with the terminal equipment in the registration phase. Meanwhile, the one-way property of the hash function ensures that an adversary cannot deduce the hashed input from the hash result. The terminal can thus complete authentication with the network control center. Similarly, the authentication of the terminal by the network control center follows from the satellite's check that RES is consistent with XRES; because the satellite and the network control center have completed authentication with each other, when the message verification codes of the two parties are equal, i.e.
Figure GDA0003370367430000229
the satellite can determine the legality of the terminal and send an authentication confirmation message to the network control center. In particular, when multiple unmanned aerial vehicles cooperate in assistance, the identity validity of the unmanned aerial vehicle that keeps its connection can be recognised by the network control center, so the network control center only needs to calculate TMAC = h(MAC || ID_UAVa || ID_UAVb) for the unmanned aerial vehicle dispatched to assist according to geographical position, as the identification code for assisting authentication. When the terminal device completes the check of the MAC, it has completed the check of the identity validity of the network control center; after computing THMAC = h(HMAC || ID_UAVa || ID_UAVb), it can complete the verification of TMAC. Again because of the one-way security property of the hash function, this means that the identity legitimacy of drones A and B participating in the assisted authentication is certified by the network control center. In addition, when the unmanned aerial vehicle completes the check of HRES against HXRES, it has also completed the authentication of the terminal equipment. In the above authentication process, the adversary cannot obtain, by monitoring the channel, any of
Figure GDA00033703674300002210
And
Figure GDA00033703674300002211
so it cannot impersonate any entity to mount an attack. In conclusion, the protocol of the invention can realise bidirectional authentication between the terminal and the network control center and between the unmanned aerial vehicle and the terminal, and at the same time can prevent identity forgery attacks by an adversary.
(2) Anonymity: when the terminal equipment performs access authentication, the identity identifiers used in each round of authentication are pseudo identity identifiers; the pseudo-ID for the first round of authentication is distributed by the network control center in the registration stage, and in the subsequent authentication process the new pseudo-ID
Figure GDA00033703674300002212
can also be continuously updated, and is protected by the network control center as
Figure GDA00033703674300002213
before being sent to the terminal equipment. An adversary who knows only PID* cannot infer the value of the new pseudo identity identifier allocated to the terminal equipment by the network control center, so the scheme of the invention better achieves anonymity protection for the terminal to be authenticated.
(3) Unlinkability: in the scheme, the content of each round of authentication information can be updated in time, and the terminal equipment cannot send the same content in each round of authentication. The pseudo-identity identifier for identifying the terminal is updated and sent secretly in each round of authentication, so that even if an adversary performs eavesdropping attack on a channel, the association existing between different authentication messages cannot be observed, and the association between the authentication messages and the terminal equipment to be authenticated cannot be inferred. The solution of the invention thus achieves unlinkability.
(4) Resisting physical attack and database stealing attack: in the invention, PUFs are embedded in the memories of both the terminal equipment and the network control center, and either party's entity stores only an excitation response pair of the other party's PUF. Therefore, even if an adversary acquires the secret message in the terminal device memory or the network control center database by means of physical attack, the adversary cannot obtain access to the encrypted data and cannot forge the message authentication code in the authentication process. If an adversary physically tampers with the hardware of the terminal or the network control center, or steals secret information and then mounts a fake identity attack, the adversary will be identified as an illegal user because the expected PUF excitation response cannot be generated, and unclonability also ensures that the adversary cannot make an identical PUF copy. Therefore, the scheme of the invention gives the terminal equipment and the network control center the capability of resisting physical attack and data stealing at the same time.
(5) Resisting replay attack: in each round of authentication message, random numbers are introduced to ensure the freshness of the authentication message, and both parties participating in authentication can prevent the message from being replayed by verifying the random numbers sent by the opposite entity, so that the scheme of the invention can resist replay attack.
(6) Resisting denial of service attacks: after receiving the authentication request, the network control center judges the validity of the terminal equipment pseudo-identity identifier at first, thereby effectively preventing the authentication request of an illegal user from consuming the computing resources of the network control center and ensuring that the scheme of the invention has the capability of resisting denial of service attack.
Specifically, the present invention mainly analyses the performance of the unmanned aerial vehicle-assisted terminal access authentication method in terms of computational overhead, and compares it with the scheme of Yunru Zhang et al. published in Computer Communications in 2020, "A lightweight authentication and key agreement scheme for Internet of Drones", and the scheme of Jangirala Srinivas et al. published in IEEE Transactions on Vehicular Technology in 2019, "TCALAS: Temporal Credential-Based Anonymous Lightweight Authentication Scheme for Internet of Drones Environment". In the experimental simulation, the computing power of the terminal and the unmanned aerial vehicle is simulated with a Samsung Galaxy S5 (quad-core 2.45 GHz, 2 GB memory, Android 4.4.2), and the satellite and the network control center with a computer (Intel i5-4460S 2.90 GHz, 4 GB memory, Windows 8 operating system). The computational overhead of each operation is shown in Table 1.
TABLE 1
Type                    Terminal/unmanned aerial vehicle (ms)    Satellite/network control center (ms)
Hash operation (t_h)    0.056 (t_h1)                             0.007 (t_h2)
It should be emphasized that, in the scheme of the unmanned aerial vehicle-assisted terminal access authentication provided by the present invention, after the unmanned aerial vehicle completes authentication, the terminal is assisted to perform access authentication, and when the terminal access authentication is completed, the bidirectional authentication of the network control center and the unmanned aerial vehicle is simultaneously realized. In the schemes proposed by Zhang et al and Srinivas et al, when any terminal needs to be authenticated with the unmanned aerial vehicle, a complete protocol flow needs to be executed, so as to realize bidirectional authentication of the terminal, the unmanned aerial vehicle, and the network control center/ground station. When each drone receives authentication requests of m terminals at the same time, the calculation overhead of each scheme is as shown in table 2 below.
TABLE 2
Figure GDA0003370367430000231
Figure GDA0003370367430000241
When the number m of terminals requesting access authentication takes different values, the total computation overhead of each scheme is specifically as shown in fig. 8. When the number m of terminals requesting access authentication is greater than 1, the scheme of the present invention has better performance in terms of computational overhead than other schemes.
In the above embodiments, the implementation may be realised wholly or partially by software, hardware, firmware, or any combination thereof. When software is used, in whole or in part, the implementation can take the form of a computer program product that includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the flows or functions according to the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server, or data center to another by wire (e.g., coaxial cable, optical fibre, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that includes one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (5)

1. An unmanned aerial vehicle-assisted terminal access authentication method is characterized by comprising the following steps:
the unmanned aerial vehicle and the terminal interactively execute an entity registration process with a network control center through a secure channel, and entity registration is completed after secret information is preset;
the unmanned aerial vehicle interacts with a network control center through a satellite network to complete the access authentication of the unmanned aerial vehicle;
after the unmanned aerial vehicle finishes the access authentication, the terminal finishes the access authentication in the integrated information network of heaven and earth with the assistance of the unmanned aerial vehicle;
when the unmanned aerial vehicle's assistance is interrupted because force majeure makes it deviate from the designated airspace, the unmanned aerial vehicles cooperate rapidly to assist the terminal in continuing to complete access authentication;
before the heaven and earth integrated information network is registered, the satellite and a network control center complete networking authentication; the unmanned aerial vehicle and the terminal interactively execute an entity registration process with a network control center through a secure channel, and after secret information is preset, entity registration is completed, and the method comprises the following steps:
s1 unmanned aerial vehicle registration
S1.1 the drone sends its identity identifier ID_u to the network control center through the secure channel, and at the same time selects a random PUF excitation
Figure FDA0003476215400000011
Sending the data to a network control center;
S1.2 the network control center calculates the excitation response through the PUF built into its memory
Figure FDA0003476215400000012
At the same time, the network control center generates a set of random stimuli
Figure FDA0003476215400000013
and the pseudo-ID set PID_N = {pid_1, pid_2, …, pid_n}, and sends the above
Figure FDA0003476215400000014
to the unmanned aerial vehicle through a secure channel;
s1.3 the unmanned aerial vehicle generates corresponding excitation response for each random excitation through PUF embedded in the memory of the unmanned aerial vehicle
Figure FDA0003476215400000015
The set of stimuli is then responded to
Figure FDA0003476215400000016
Returning to the network control center;
S1.4 the network control center needs to store
Figure FDA0003476215400000017
and the drone only needs to store {ID_u, PID_N, (C_i^y, R_i^y)};
S2 terminal registration
S2.1 in the registration stage, the user terminal interacts with the network control center, sending its real identity identifier through a secure channel, and generates a random excitation for the built-in PUF of the network control center for the i-th authentication
Figure FDA0003476215400000021
ID_d,
Figure FDA0003476215400000022
are sent to the network control center;
S2.2 after receiving them, the network control center generates an excitation response through the PUF in its memory
Figure FDA0003476215400000023
At the same time, the network control center generates random excitation of the network control center to the built-in PUF of the terminal
Figure FDA0003476215400000024
And pseudo identity identifier for next authentication of user terminal
Figure FDA0003476215400000025
Sending a message M to the user terminal through the secure channel:
Figure FDA0003476215400000026
S2.3 after the user terminal receives the message M, the PUF built into its memory generates an excitation response
Figure FDA0003476215400000027
And sending to a network control center for storage;
S2.4 finally, the terminal additionally needs to save
Figure FDA0003476215400000028
and the network control center saves
Figure FDA0003476215400000029
The unmanned aerial vehicle completing its access authentication through interaction with the satellite network and the network control center includes:
S3.1 the unmanned aerial vehicle can arbitrarily choose the i-th pseudo-identity identifier pid_i from its own pseudo-identity set PID_N = {pid_1, pid_2, …, pid_n} in preparation for initiating authentication;
S3.2 the unmanned aerial vehicle randomly selects any pseudo-identity identifier pid_i as its identity information for the current round of authentication, so as to protect its real identity; at the same time, its random number generator generates the random number N_u, and it reads the internally stored preset secret message
Figure FDA00034762154000000210
and sends the authentication request
Figure FDA00034762154000000211
to the satellite in the airspace; if the authentication request is not answered because of environmental factors or a DDoS attack is encountered, a new (i+1)-th pseudo-identity identifier is reselected for authentication;
S3.3 after the satellite in the airspace where the unmanned aerial vehicle is located receives the authentication request, it adds its own constellation identity identifier to the authentication request
Figure FDA00034762154000000212
and forwards it to the network control center, which can determine the airspace to which the mobile terminal belongs according to its identity identifier;
S3.4 the network control center checks whether the pseudo-identity identifier pid_i is within its legal range, and randomly selects any pair (c_i, r_i) for the current round of authentication; it computes the corresponding response using the stimulus in the authentication request
Figure FDA00034762154000000213
According to the response
Figure FDA00034762154000000214
and the excitation response r_i of the unmanned aerial vehicle, calculates a message authentication code:
Figure FDA00034762154000000215
generates the random number N_s for the current round of authentication, and replenishes the unmanned aerial vehicle with a new pseudo-ID pid_{n+1}; in addition, the network control center needs to calculate the next excitation response pair for authentication with the drone:
Figure FDA0003476215400000031
Figure FDA0003476215400000032
and carrying out security processing on the sensitive information:
Figure FDA0003476215400000033
Figure FDA0003476215400000034
and sends the authentication response
Figure FDA0003476215400000035
to the unmanned aerial vehicle that initiated the authentication request, through the original satellite;
S3.4 after receiving the authentication response, the unmanned aerial vehicle first uses the PUF built into its memory to calculate
Figure FDA0003476215400000036
And using the stimulus response in local memory
Figure FDA0003476215400000037
And verifying whether the received data XRES is equal to
Figure FDA0003476215400000038
After the authentication is finished, calculating and acquiring a pseudo identity identifier of the subsequent authentication and an excitation response pair of the network control center:
Figure FDA0003476215400000039
Figure FDA00034762154000000310
meanwhile, the unmanned aerial vehicle needs to generate an excitation and response pair for the next round of authentication and perform confidentiality processing: c_{n+1} = h(c_i || r_i || ID_u),
Figure FDA00034762154000000311
in addition, the drone also needs to generate the session key S_k required for subsequent communication and an authentication message confirmation code RES:
Figure FDA00034762154000000312
RES = h(r_i || S_k); the drone then sends the authentication response message
Figure FDA00034762154000000313
to the network control center through the satellite and waits for verification;
S3.5 after the network control center receives the authentication response message, it calculates:
Figure FDA00034762154000000314
c_{n+1} = h(c_i || r_i || ID_u),
Figure FDA00034762154000000315
the RES is verified using the calculation result, and if it passes the verification, the authentication of the unmanned aerial vehicle is complete; at this point, both parties delete the used pseudo-ID and the corresponding stimulus response pair
Figure FDA00034762154000000316
the new pseudo-ID and excitation response pair supplemented during the authentication process are stored by each party for subsequent authentication, and the session key S_k securely negotiated by the two parties in the authentication process is stored by each party to ensure the security of the subsequent wireless communication process;
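The drone access authentication of steps S3.1 to S3.5 above, as an added Python example (not the patent's own code): the drone consumes one pseudo-identity pid_i per round, the network control center checks that pid_i is legal before doing any other work, both sides authenticate through challenge-response pairs of each other's PUF, RES = h(r_i || S_k) is verified, and the used pseudo-ID and pair are replaced by pid_{n+1} and c_{n+1} = h(c_i || r_i || ID_u). Where the page shows only figures, the example fills in labelled assumptions: the PUFs are stood in for by HMAC-SHA256 keyed with a per-device secret, h() is SHA-256 over length-prefixed fields, MAC = h(R || N_u || N_s), S_k = h(N_u || N_s || r_i), and pid_{n+1} and r_{n+1} are masked with a one-time key; the drone's copy of the center-side challenge-response pair is not rotated. Identifiers, secrets and nonces are constructed values.

```python
"""Added example, not from the patent: one round of drone access authentication
(claim steps S3.1-S3.5). Assumptions not on the page: PUFs are stood in for by
HMAC-SHA256 keyed with a per-device secret (software, not a real PUF); h() is
SHA-256 over length-prefixed fields; MAC = h(R || N_u || N_s), S_k = h(N_u ||
N_s || r_i) and the one-time masking of pid_{n+1} and r_{n+1} fill in what the
page shows only as figures; the drone's copy of the center-side pair is not
rotated. All identifiers, secrets and nonces are constructed values."""
import hashlib
import hmac
import os


def h(*fields):
    """h(a || b || ...) as SHA-256 over length-prefixed fields."""
    m = hashlib.sha256()
    for f in fields:
        m.update(len(f).to_bytes(2, "big"))
        m.update(f)
    return m.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedPUF:
    """Stand-in for a physical PUF: per device, a fixed challenge -> response map."""
    def __init__(self, device_secret):
        self._key = device_secret
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Drone:
    def __init__(self, id_u, puf, pids, ncc_crp):
        self.id_u, self.puf, self.session_key = id_u, puf, None
        self.pids = list(pids)      # PID_N issued at registration (S1.2)
        self.ncc_crp = ncc_crp      # (C, R) of the center's PUF, preset at registration
    def request(self):
        # S3.1/S3.2: next unused pseudo-ID, fresh N_u, preset challenge C for the center's PUF
        self._n_u = os.urandom(16)
        return {"pid": self.pids[0], "n_u": self._n_u, "c_ncc": self.ncc_crp[0]}
    def on_response(self, resp):
        # S3.4 (drone side): the center proves itself via the response R held since registration
        r_ncc, n_s = self.ncc_crp[1], resp["n_s"]
        if not hmac.compare_digest(resp["mac"], h(r_ncc, self._n_u, n_s)):
            return None
        k_m = h(r_ncc, self._n_u, n_s, b"mask")              # one-time masking key (assumed)
        r_i = self.puf.respond(resp["c_i"])                   # regenerate r_i from own PUF
        s_k = h(self._n_u, n_s, r_i)                          # assumed S_k derivation
        c_next = h(resp["c_i"], r_i, self.id_u)               # c_{n+1} = h(c_i || r_i || ID_u)
        used = self.pids.pop(0)                               # delete the used pseudo-ID ...
        self.pids.append(xor(resp["pid_next_masked"], k_m))   # ... and keep pid_{n+1}
        self.session_key = s_k
        return {"pid": used, "res": h(r_i, s_k),              # RES = h(r_i || S_k)
                "r_next_masked": xor(self.puf.respond(c_next), k_m)}


class NetworkControlCenter:
    def __init__(self, puf):
        self.puf, self.table, self.pending, self.session_key = puf, {}, {}, None
    def register(self, id_u, pids, crps):
        for pid, (c, r) in zip(pids, crps):                   # S1.4: pid -> (ID_u, c_i, r_i)
            self.table[pid] = (id_u, c, r)
    def on_request(self, req):
        # S3.4: legality of pid_i is checked before any other work (DoS resistance, point (6))
        if req["pid"] not in self.table:
            return None
        n_s, pid_next = os.urandom(16), os.urandom(16)
        r_ncc = self.puf.respond(req["c_ncc"])               # own PUF answers the drone's C
        k_m = h(r_ncc, req["n_u"], n_s, b"mask")
        self.pending[req["pid"]] = (req["n_u"], n_s, k_m, pid_next)
        return {"c_i": self.table[req["pid"]][1], "n_s": n_s,
                "mac": h(r_ncc, req["n_u"], n_s), "pid_next_masked": xor(pid_next, k_m)}
    def on_auth_response(self, msg):
        # S3.5: verify RES, then rotate the pseudo-ID and the challenge-response pair
        if msg["pid"] not in self.pending:
            return False
        n_u, n_s, k_m, pid_next = self.pending.pop(msg["pid"])
        id_u, c_i, r_i = self.table[msg["pid"]]
        s_k = h(n_u, n_s, r_i)
        if not hmac.compare_digest(msg["res"], h(r_i, s_k)):
            return False
        del self.table[msg["pid"]]
        self.table[pid_next] = (id_u, h(c_i, r_i, id_u), xor(msg["r_next_masked"], k_m))
        self.session_key = s_k
        return True


def setup(drone_secret=b"drone-secret-A"):
    """Constructed registration state (S1) for one drone and the center."""
    drone_puf, ncc_puf = SimulatedPUF(drone_secret), SimulatedPUF(b"ncc-secret")
    pids = [os.urandom(16) for _ in range(3)]
    crps = [(c, drone_puf.respond(c)) for c in (os.urandom(16) for _ in range(3))]
    c_ncc = os.urandom(16)
    ncc = NetworkControlCenter(ncc_puf)
    ncc.register(b"UAV-A", pids, crps)
    return Drone(b"UAV-A", drone_puf, pids, (c_ncc, ncc_puf.respond(c_ncc))), ncc


def run_round(drone, ncc):
    """True when both sides accept and end up holding the same S_k."""
    resp = ncc.on_request(drone.request())
    msg = drone.on_response(resp) if resp else None
    return bool(msg) and ncc.on_auth_response(msg) and drone.session_key == ncc.session_key
```

A device with a different PUF stand-in but the same stored secrets (the database-theft case of the security analysis) passes the center's MAC check yet fails the RES check, because r_i cannot be regenerated; a replayed request carrying an already used pseudo-ID is rejected at the legality check before any PUF or hash work, which is the denial-of-service point the description makes.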
After the unmanned aerial vehicle completes access authentication, the terminal completing access authentication in the heaven-earth integrated information network with the assistance of the unmanned aerial vehicle includes:
S4.1 the user terminal initiates an authentication request to the unmanned aerial vehicle providing network service, and completes mutual authentication and key agreement through interaction with the satellite and the network control center; because the unmanned aerial vehicle has already completed authentication with the network control center in the unmanned aerial vehicle access authentication stage, in the subsequent authentication procedure it can assist the terminal equipment within its communication coverage to authenticate; the terminal equipment first generates the random number N_d for this round of authentication, and at the same time uses its own pseudo identity identifier and the excitation, preset in the registration phase, for the PUF on the network control center side
Figure FDA0003476215400000041
As an authentication request, sending the authentication request to the unmanned aerial vehicle in the airspace;
S4.2 after the unmanned aerial vehicle receives the authentication request, it adds its identity identifier ID_UAV to the request and forwards it to the network control center through the satellite to assist in completing authentication; after the unmanned aerial vehicle access authentication phase is completed, this identity identifier is securely stored in the network control center;
S4.3 after receiving the authentication request, the network control center first checks the validity of the pseudo identity identifier, generates the random number N_s for this round of authentication, and at the same time uses the PUF preset in its memory to calculate, for the excitation in the request
Figure FDA0003476215400000042
the response
Figure FDA0003476215400000043
Reading the preset excitation response pair of the terminal in the network control center during the registration phase
Figure FDA0003476215400000044
And respectively calculating a message authentication code:
Figure FDA0003476215400000045
Figure FDA0003476215400000046
meanwhile, the network control center needs to calculate the pseudo identity identifier needed by the next round of authentication
Figure FDA0003476215400000047
and the excitation response pair, and carries out security processing on them:
Figure FDA0003476215400000048
Figure FDA0003476215400000049
after the calculation is completed, the network control center forwards the data to the satellite
Figure FDA00034762154000000410
As an authentication response;
s4.4 after receiving the authentication response of the network control center, the satellite extracts the message authentication code XRES and the random numbers Nd and Ns generated by the terminal and the network control center, and calculates HXRES = h(Nd||Ns||XRES) for subsequent authentication of the terminal device; after the calculation is completed, the satellite stores XRES and sends an authentication response
Figure FDA00034762154000000411
to the unmanned aerial vehicle for the subsequent authentication process;
s4.5 after the unmanned aerial vehicle receives the authentication response of the satellite, it reads and stores HXRES, and simultaneously merges its identity identifier IDUAV into a new authentication response
Figure FDA00034762154000000412
which is then sent to the terminal;
s4.6 after receiving the authentication response, the terminal first inputs the excitation received from the network control center
Figure FDA00034762154000000413
into the PUF in its memory and calculates the excitation response
Figure FDA00034762154000000414
then, combining the excitation response pair stored in its own memory
Figure FDA00034762154000000415
with the content of the authentication response, it calculates the message authentication code
Figure FDA00034762154000000416
and checks the MAC value; furthermore, the terminal needs to compute the input excitation of the PUF on the network control center side required for the next round of authentication:
Figure FDA0003476215400000051
meanwhile, the terminal needs to read the content of the received authentication response and parse out the corresponding excitation response
Figure FDA0003476215400000052
And a new pseudo-ID generated by the network control center for the terminal
Figure FDA0003476215400000053
Figure FDA0003476215400000054
Figure FDA0003476215400000055
The terminal computes
Figure FDA0003476215400000056
and carries out confidentiality processing on the PUF excitation response pair required for the next round of authentication:
Figure FDA0003476215400000057
Figure FDA0003476215400000058
at this time, the terminal may send an authentication response message to the drone
Figure FDA0003476215400000059
And calculating the session key negotiated with the network control center after the authentication of the current round is completed:
Figure FDA00034762154000000510
s4.7, after receiving the authentication response message sent by the terminal, the unmanned aerial vehicle extracts the RES value and calculates HRES = h(Nd||Ns||RES); after the calculation is completed, the unmanned aerial vehicle can complete the authentication of the terminal by checking the consistency of HRES with the HXRES stored in step 5; if the authentication passes, it continues to forward the authentication response message to the satellite;
s4.8 satellite receiving authentication response message
Figure FDA00034762154000000511
then reads the XRES value stored in step (2) and checks the correctness of RES; if the XRES value is consistent with the RES value, it sends an authentication confirmation message to the network control center
Figure FDA00034762154000000512
for the network control center to extract the secret message;
s4.9 after receiving the authentication confirmation message sent by the satellite, the network control center calculates and obtains a PUF excitation response pair required by the next round of authentication of the terminal and a session key of subsequent communication:
Figure FDA00034762154000000513
Figure FDA00034762154000000514
after the flow of step S4.1-step S4.9 is completed, the terminal side needs to store
Figure FDA00034762154000000515
for the next round of authentication and subsequent wireless network communication processes; the network control center side needs to store
Figure FDA00034762154000000516
For subsequent authentication and communication;
when the unmanned aerial vehicle causes an authentication interruption by deviating from the designated airspace due to force majeure, multiple unmanned aerial vehicles cooperate rapidly to continue assisting the terminal in completing access authentication, and the method comprises the following steps:
when unmanned aerial vehicle A deviates from its original airspace because of insufficient battery, the environment or other factors, and the terminal equipment in its original coverage range loses connection, the following cases are distinguished according to the stage of the authentication flow at which unmanned aerial vehicle A deviates:
(1) the original drone deviates before step S4.2 is completed
When unmanned aerial vehicle A deviates from the designated airspace, if the ground terminal equipment to be authenticated has already sent the authentication request of step S4.1 to the original unmanned aerial vehicle, but unmanned aerial vehicle A has not received the authentication request of step S4.1 or has not successfully sent the message of step S4.2 after receiving it, then when the network control center dispatches another unmanned aerial vehicle in good condition into the designated airspace to assist, the terminal equipment needs to execute step S4.1 again to initiate the authentication flow anew towards unmanned aerial vehicle B;
(2) the original unmanned aerial vehicle deviates after step S4.2 is finished and before step S4.4 is finished
1) When the original unmanned aerial vehicle A deviates from its coverage range after step S4.2 is finished and before step S4.4 is finished, the system assigns unmanned aerial vehicle B, in good condition, to enter the designated airspace and assist in continuing to finish authentication; the network control center needs to calculate a switching identification authentication code TMAC = h(MAC||IDUAVa||IDUAVb) for the assisting unmanned aerial vehicle B according to its identity identifier IDUAVb;
2) If the network control center has not yet executed step S4.3 to send an authentication response to the satellite, it needs to send the switching identification authentication code TMAC, the identity identifier IDUAVb of drone B, and the authentication response {AUTN, C_i^x, XRES} of step S4.3 synchronously to the terminal equipment through the satellite and drone B;
3) if the network control center has already executed step S4.3 at this time, drone B receives the authentication response {AUTN, C_i^x, XRES} and then continues waiting; after calculating the switching identification authentication code TMAC, the network control center sends the assistant authentication message {TMAC, IDUAVa, IDUAVb} to drone B; after receiving the assistant authentication message, drone B synchronously sends the authentication response and the assistant authentication message to the terminal and continues to execute the subsequent authentication process;
4) after the terminal receives the authentication response and the assistant authentication message, firstly, the terminal calculates through a self-preset PUF:
Figure FDA0003476215400000061
and calculating by using a secret message preset in the registration stage:
Figure FDA0003476215400000062
THMAC = h(HMAC||IDUAVa||IDUAVb); the calculated HMAC and THMAC are used to verify the MAC and TMAC in the received message respectively; if verification fails, the authentication process ends; otherwise, drone B is considered a legitimate drone and authentication can continue through it; the terminal calculates the PUF input excitation required for the next round of authentication and decrypts the excitation response contained in the authentication response
Figure FDA0003476215400000063
And a new terminal pseudo-identity identifier
Figure FDA0003476215400000064
Figure FDA0003476215400000065
Figure FDA0003476215400000071
After the above-mentioned procedure is finished, the terminal calculates and generates its own message authentication code:
Figure FDA0003476215400000072
furthermore, the terminal needs to compute and secure the PUF excitation response pair required for the next round of authentication:
Figure FDA0003476215400000073
at this time, the terminal may send an authentication response message to the drone
Figure FDA0003476215400000074
And calculating the session key negotiated with the network control center after the authentication of the current round is completed:
Figure FDA0003476215400000075
5) after receiving the data, the unmanned aerial vehicle extracts the RES value and calculates HRES = h(Nd||Ns||RES); after the calculation is completed, the unmanned aerial vehicle can complete the authentication of the terminal by checking the consistency between HRES and the HXRES stored in step S4.5; if the authentication passes, it continues to forward the authentication response message to the satellite;
6) satellite received authentication response message
Figure FDA0003476215400000076
then reads the stored XRES value and checks the correctness of RES; if they are consistent, it sends an authentication confirmation message to the network control center
Figure FDA0003476215400000077
for the network control center to extract the secret message;
7) after receiving the authentication confirmation message sent by the satellite, the network control center needs to calculate the PUF excitation response pair and the subsequent communication session key required by the next round of authentication of the terminal:
Figure FDA0003476215400000078
Figure FDA0003476215400000079
8) after the authentication is completed, the terminal side needs to store
Figure FDA00034762154000000710
and the network control center side needs to store
Figure FDA00034762154000000711
For subsequent authentication and communication;
(3) the original unmanned plane deviates after step S4.5
1) At this point the terminal device has already finished authenticating the network control center and has already calculated the authentication response message; when executing step S4.6, if it finds that the original unmanned aerial vehicle A is out of its communication range, it waits silently;
2) after the network control center calculates the switching identification authentication code TMAC = h(MAC||IDUAVa||IDUAVb), it sends the assisting authentication message {TMAC, IDUAVb, Nd, Ns} to the satellite;
3) after the satellite adds the message authentication code HXRES, it forwards the message to unmanned aerial vehicle B; unmanned aerial vehicle B, in charge of assisting authentication, forwards the assisting authentication message {TMAC, IDUAVb} to the terminal equipment and stores the remaining information;
4) after receiving the assisting authentication message, the terminal first calculates THMAC = h(HMAC||IDUAVa||IDUAVb), then checks the value of TMAC; if the check is inconsistent, authentication ends; otherwise, it continues to execute step S4.6 and sends an authentication response message to unmanned aerial vehicle B
Figure FDA0003476215400000081
5) After receiving the authentication response message, unmanned aerial vehicle B, in charge of assisting authentication, extracts the RES value from it and calculates HRES = h(Nd||Ns||RES); after the calculation is completed, unmanned aerial vehicle B can complete the authentication of the terminal by checking the consistency between HRES and its locally stored HXRES; if the authentication passes, it continues to forward the authentication response message to the satellite to execute the subsequent authentication process;
6) satellite receiving authentication response message
Figure FDA0003476215400000082
then reads the stored XRES value and checks the correctness of RES; if they are consistent, it sends an authentication confirmation message to the network control center
Figure FDA0003476215400000083
for the network control center to extract the secret message; in addition, the network control center needs to calculate the PUF excitation response pair required for the next round of authentication of the terminal and the session key for subsequent communication:
Figure FDA0003476215400000084
Figure FDA0003476215400000085
7) after the authentication is completed, the terminal side needs to store
Figure FDA0003476215400000086
and the network control center side needs to store
Figure FDA0003476215400000087
For subsequent authentication and communication.
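The verification chain of steps S4.4 to S4.8 (satellite keeps XRES, drone keeps only HXRES = h(Nd||Ns||XRES)) and the handover check TMAC = h(MAC||IDUAVa||IDUAVb) / THMAC = h(HMAC||IDUAVa||IDUAVb) of the deviation cases, as an added Python example that is not part of the patent. The MAC and XRES derivations, the simulated PUF and the field layout are assumptions, because the claim's own formulas are only present as images; h(.) is instantiated as SHA-256.

```python
import hashlib
import hmac
import secrets

def h(*parts: bytes) -> bytes:
    """h(.) of the claims, instantiated as SHA-256 over the concatenation.
    Every field used here has a fixed length (16-byte nonces, 32-byte
    digests, 5-byte drone IDs), so plain concatenation stays unambiguous."""
    return hashlib.sha256(b"".join(parts)).digest()

def simulated_puf(device_secret: bytes, challenge: bytes) -> bytes:
    """Constructed stand-in for the PUF (a real PUF is a physical circuit):
    it only reproduces the property 'same challenge -> same response'."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()

def ncc_authentication_response(puf_secret: bytes, challenge: bytes, n_d: bytes) -> dict:
    """Network control center, step S4.3: derive the response to the terminal's
    excitation, pick N_s, build MAC and XRES. The claim's MAC/XRES formulas
    are images, so the derivations below are assumed, not the patent's."""
    n_s = secrets.token_bytes(16)
    response = simulated_puf(puf_secret, challenge)
    mac = h(b"MAC", response, n_d, n_s)    # assumed derivation
    xres = h(b"RES", response, n_d, n_s)   # assumed derivation
    return {"MAC": mac, "XRES": xres, "Nd": n_d, "Ns": n_s}

def satellite_hxres(auth_resp: dict) -> bytes:
    """Satellite, step S4.4: keep XRES itself and hand the drone only
    HXRES = h(Nd||Ns||XRES), so the drone can check RES without holding it."""
    return h(auth_resp["Nd"], auth_resp["Ns"], auth_resp["XRES"])

def terminal_res(puf_secret: bytes, challenge: bytes, mac: bytes, n_d: bytes, n_s: bytes):
    """Terminal, step S4.6: recompute the MAC from its own PUF response and,
    only if it matches, answer with RES. Returns (HMAC, RES) or None."""
    response = simulated_puf(puf_secret, challenge)
    hmac_value = h(b"MAC", response, n_d, n_s)
    if not hmac.compare_digest(hmac_value, mac):
        return None
    return hmac_value, h(b"RES", response, n_d, n_s)

def drone_checks_terminal(hxres: bytes, n_d: bytes, n_s: bytes, res: bytes) -> bool:
    """Drone, step S4.7: HRES = h(Nd||Ns||RES) must equal the stored HXRES."""
    return hmac.compare_digest(h(n_d, n_s, res), hxres)

def satellite_checks_terminal(xres: bytes, res: bytes) -> bool:
    """Satellite, step S4.8: RES must equal the stored XRES."""
    return hmac.compare_digest(xres, res)

def ncc_handover_tmac(mac: bytes, id_uav_a: bytes, id_uav_b: bytes) -> bytes:
    """Handover: the NCC computes TMAC = h(MAC||ID_UAVa||ID_UAVb) for drone B."""
    return h(mac, id_uav_a, id_uav_b)

def terminal_checks_handover(hmac_value: bytes, id_uav_a: bytes, id_uav_b: bytes, tmac: bytes) -> bool:
    """Handover: THMAC = h(HMAC||ID_UAVa||ID_UAVb); drone B is accepted only
    if THMAC equals the received TMAC."""
    return hmac.compare_digest(h(hmac_value, id_uav_a, id_uav_b), tmac)

def run_round(puf_secret: bytes, challenge: bytes, terminal_secret: bytes = None,
              id_a: bytes = b"UAV-A", id_b: bytes = b"UAV-B") -> dict:
    """One authentication round followed by a drone handover; returns the
    outcome of every check. terminal_secret != puf_secret models a device
    whose PUF does not match the response pair enrolled at registration."""
    terminal_secret = puf_secret if terminal_secret is None else terminal_secret
    n_d = secrets.token_bytes(16)                       # terminal nonce, step S4.1
    resp = ncc_authentication_response(puf_secret, challenge, n_d)
    hxres = satellite_hxres(resp)
    t = terminal_res(terminal_secret, challenge, resp["MAC"], n_d, resp["Ns"])
    if t is None:                                       # terminal rejects the NCC's MAC
        return dict.fromkeys(["terminal_ok", "drone_ok", "satellite_ok", "handover_ok"], False)
    hmac_value, res = t
    tmac = ncc_handover_tmac(resp["MAC"], id_a, id_b)
    return {"terminal_ok": True,
            "drone_ok": drone_checks_terminal(hxres, n_d, resp["Ns"], res),
            "satellite_ok": satellite_checks_terminal(resp["XRES"], res),
            "handover_ok": terminal_checks_handover(hmac_value, id_a, id_b, tmac)}
```

The split between XRES (satellite) and HXRES (drone) is what lets a relay drone authenticate the terminal without ever holding the expected response itself.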
2. A drone-assisted terminal access authentication system implementing the drone-assisted terminal access authentication method of claim 1, the drone-assisted terminal access authentication system comprising:
the identity registration module is used for enabling the unmanned aerial vehicle and the terminal to interactively execute an entity registration process with a network control center through a secure channel, and finishing entity registration after secret information is preset;
the unmanned aerial vehicle access authentication module is used for enabling the unmanned aerial vehicle to interact with a network control center through a satellite network so as to finish the access authentication of the unmanned aerial vehicle;
the unmanned aerial vehicle-assisted terminal access authentication module is used for completing the terminal's access authentication in the space-ground integrated information network with the assistance of the unmanned aerial vehicle, after the unmanned aerial vehicle has completed its own access authentication;
and the multi-unmanned-aerial-vehicle-assisted terminal access authentication module is used for rapidly coordinating multiple unmanned aerial vehicles to continue assisting the terminal in completing access authentication when an unmanned aerial vehicle causes an authentication interruption by deviating from the designated airspace due to force majeure.
3. A terminal device adapted for a satellite network, the terminal device adapted for a satellite network being installed with the drone-assisted terminal access authentication system of claim 2.
4. Use of the drone-assisted terminal access authentication system of claim 2 in access authentication for ground terminal, drone, satellite "trinity" collaborative authentication.
5. A computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the drone-assisted terminal access authentication method of claim 1.
CN202110190970.2A 2021-02-20 2021-02-20 Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application Active CN113068187B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110190970.2A CN113068187B (en) 2021-02-20 2021-02-20 Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application

Publications (2)

Publication Number Publication Date
CN113068187A CN113068187A (en) 2021-07-02
CN113068187B true CN113068187B (en) 2022-03-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant