CN113315762B - Distributed network authentication method for realizing secure communication by identity cryptography - Google Patents

Distributed network authentication method for realizing secure communication by identity cryptography Download PDF

Info

Publication number
CN113315762B
CN113315762B CN202110549584.8A CN202110549584A CN113315762B CN 113315762 B CN113315762 B CN 113315762B CN 202110549584 A CN202110549584 A CN 202110549584A CN 113315762 B CN113315762 B CN 113315762B
Authority
CN
China
Prior art keywords
node
authentication
request
identity
sub
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110549584.8A
Other languages
Chinese (zh)
Other versions
CN113315762A (en
Inventor
张立勇
刘惠
杜军朝
李文龙
李嘉慧
杜厚德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN202110549584.8A priority Critical patent/CN113315762B/en
Publication of CN113315762A publication Critical patent/CN113315762A/en
Application granted granted Critical
Publication of CN113315762B publication Critical patent/CN113315762B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

The invention discloses a distributed network authentication system and a method for realizing secure communication based on identity cryptography. The technical problem of high calculation amount is solved. The authentication system is provided with a sub-registration center RA in each distributed subnet, and the sub-registration centers are connected with a root registration center; and a ring-shaped backbone communication network is built between adjacent sub-networks by the sub-registration center nodes to carry out necessary data transmission. The security authentication method comprises the steps that a root registration center establishes a global public parameter; the sub-registration center registers and generates public parameters in the sub-network; registering common nodes in the subnet; identity authentication and session key negotiation of nodes within and between subnets. Each sub-network divided by the invention is provided with the sub-registration center, and the nodes are registered offline through the sub-registration centers, so that the nodes can join and leave without senses, the information security of the network is improved, and the method is applied to the identity authentication scene of the nodes with limited computing resources in the distributed network.

Description

Distributed network authentication method for realizing secure communication by identity cryptography
Technical Field
The invention belongs to the technical field of computer network communication, particularly relates to distributed network perception and authentication, and particularly relates to a distributed network authentication method for realizing secure communication by identity cryptography. The method is used for identity authentication and session key negotiation in a battlefield end environment.
Background
A large number of scattered and heterogeneous platforms exist in a battlefield, computational resources are difficult to distribute in a centralized mode, task decision factors are complex, and accordingly, information collection, transmission and processing of fighters are very difficult under the condition that the fighters cannot be connected with a remote center. With the development of a new mobile network computing network with distributed computing as a core, according to the change of task requirements, idle communication and computing resources are utilized at the edge of the network to transmit and compute data more and more conveniently, more and more data are generated and transmitted in the network, and the distributed computing network is facing a growing safety situation. A distributed computing network is a computing mode with multiple trust domains, a large number of unauthorized or malicious nodes exist in the network, the nodes are not trusted under the network environment, the nodes are easily attacked outside the trust domains during communication, data can be subjected to malicious access or modification of the storage nodes and risks of stealing and cracking by the malicious nodes during data storage in the network, and the difficulty of data sharing among the nodes is multiplied. In order to ensure the security of data transmission, the decentralized computing needs to provide an authentication mechanism to determine the identity of a node, thereby ensuring that data cannot be acquired by other nodes in the transmission process. The identity authentication mechanism in the traditional computing network can not effectively solve the identity authentication problem in the decentralized computing network.
A distributed computing network, namely a decentralized network, is a computing system with multiple trust domains coexisting in a staggered manner, and the problem of entity authentication in and between the trust domains needs to be solved simultaneously in the complex network. Most of the existing schemes for identity authentication in the trust domain adopt the unified security authentication of an authorization center to solve the problem, and the key point of the current research is to design an efficient identity authentication protocol capable of protecting the privacy of users. The research on entity authentication mechanisms crossing different trust domains in a distributed computing network does not form a uniform standard and system, the distributed computing network can be adapted on the basis of some cloud computing identity authentication mechanisms at present, for example, the authentication management mechanism of user identities among different cloud service providers on the market can be understood as cross-trust domain authentication in the distributed computing network, and some mature authentication schemes such as SAML, OpenID and single sign-on mechanisms are expected to solve the identity authentication problem of cross-trust domains in the distributed settlement network after some adaptations.
The existing decentralized computing network uses a traditional CA mechanism, nodes cannot be increased or decreased randomly in the network, the computing amount is large, and therefore deployment in an edge network is difficult.
After searching within a limited scope, no information or report closely related to the subject matter of the present invention is found.
Disclosure of Invention
The invention aims to provide a distributed network authentication method which can increase or decrease the identity cryptography of nodes at will under the condition of not informing other nodes and realize safe communication aiming at the defects and the requirements of the prior art.
The invention is a distributed network authentication system for realizing safe communication by identity cryptography, each node in the distributed network is connected with each other to form a criss-cross network structure, and data transmission is not required to be directly carried out between the nodes through a central node, so that the distributed network authentication system is a decentralized and highly dynamic network; the distributed network authentication system is provided with a unique root registration center RRA, the root registration center divides the network into a plurality of distributed sub-networks according to the geographical position of the nodes, the requirement of logical networking or other requirements, and the distributed sub-networks are provided with a plurality of distributed nodes; forming a decentralized network environment, characterized by: setting a real-time battlefield network environment as a distributed network environment, wherein each distributed subnet of the distributed network environment is provided with a sub-registration center RA, and all the sub-registration centers are respectively connected with a unique root registration center; an annular main communication network is built between adjacent distributed subnetworks through a sub registration center node, and necessary data are transmitted to form a distributed network authentication system; for a discrete node without an attached subnet in a tactical end environment, if the discrete node is added into a dispersed subnet, a network access request needs to be provided for an authentication center in a target subnet, a corresponding public and private key pair is obtained by calculating the name of the node to be added into the dispersed subnet on line, and then the node is added into a dispersed network authentication system on line again to complete the operation of adding the discrete node into the dispersed subnet; in a distributed network environment, a root registration center RRA is responsible for the registration of sub RA and the generation of private keys in other distributed subnets, sub RA nodes in the subnets are responsible for the generation of public parameters in the distributed subnets where the sub RA nodes are located and the registration of other nodes and the generation of private keys, besides, each distributed subnet is provided with a group of common computing nodes which are main operating places of identity registration and authentication protocols; the node identity is verified through a public and private key during session key negotiation; when performing cross-subnet session key negotiation, the registration centers of the two dispersed subnets perform public parameter exchange, then return the obtained public parameters, and the requesting node authenticates the identity of the target node by using the public parameters of the target subnet; in the whole distributed network authentication system, the distributed network calculates the way of storing resources of nodes, adopts the resource formalization processing and unifies the resource parameters, and keeps the form consistency of data transmission among the nodes.
The invention also relates to a distributed network authentication method for realizing safe communication by identity cryptography, which is characterized in that: operating on a decentralized network authentication system for secure communication with identity cryptography in a tactical end environment, comprising the steps of:
(1) the root registry establishes global public parameters: exposing a group of public parameters to all the sub-registries in the system, wherein the group of global public parameters are configured in a configuration file form and can also be generated by using a system initialization algorithm;
(2) the sub-registration center registers and generates public parameters in the scattered sub-networks: the sub-registry nodes are connected with the root registry through a main communication network, the root registry calculates a corresponding public and private key pair through the identity information of the sub-registry, and then returns the public and private key pair and the global public parameter to the sub-registry, and the sub-registry generates the public parameter in the distributed sub-registry by using a configuration file or a system initialization algorithm after receiving the return message;
(3) and (3) registering common nodes in the sub-network: the common node in the subnet is connected with a registration center in the subnet on line and sends identity information, the sub registration center calculates a corresponding public and private key pair through the identity information of the node and then returns the public and private key pair and public parameters in the subnet to the node, and the common node in the subnet locally stores the public and private key pair after receiving a return message of the sub registration center;
(4) node identity authentication and session key negotiation in the subnet: the method comprises the steps that a request authentication node sends an identity authentication request to a target authentication node, the target authentication node calculates a bilinear mapping value by using public parameters in a distributed subnet and identity information of the request authentication node, then the value is returned to the request authentication node, the request authentication node calculates the bilinear mapping value according to the identity information of the target authentication node and generates a session key at the same time, then the bilinear mapping value and the session key are returned to the target authentication node, and the target authentication node determines whether the identity authentication request and the session key of the request authentication node pass through or not by judging the consistency of the two bilinear mapping values;
(5) node identity authentication and session key negotiation between the dispersed subnets: the method comprises the steps that a request authentication node sends an identity authentication request to a target authentication node, the target authentication node judges that the authentication request is an authentication request between subnets and then requests an authentication center node in a subnet where the request authentication node is located to obtain public parameters in a distributed subnet where the request authentication node is located, after the authentication center node of the target authentication node and an authentication center of the request authentication node exchange respective public parameters, the public parameters in the distributed subnet are cached and returned to the target authentication node, the target authentication node replies a session key to the identity authentication request by using the parameters of the request authentication node, the request authentication node verifies the identity of the target authentication node, and then random number challenge is carried out, so that the identity and the session key of the target authentication node are determined.
The invention solves the technical problems that the nodes can be increased or reduced at will under the condition of not informing other nodes, the traditional CA mechanism has high calculation amount and the like.
Compared with the prior art, the invention has the following beneficial effects:
fast authentication and session key negotiation: the invention is based on a decentralized network; identity registration operation can be completed within 1 RTT, identity authentication and session key negotiation in the sub-network can be completed within 1.5 RTT, and the sub-network can be completed within 3 RTT.
Noninductive joining and leaving of nodes: because the mobility of the nodes in the decentralized network is strong, newly added nodes often appear in the network, and the registered nodes of the invention can not be influenced by the addition or the separation of other nodes and can always perform identity authentication and session key negotiation with any node.
Information security: the scheme provided by the invention can resist a series of common attack modes, and can guarantee the integrity and the safety of the information by adopting a series of means.
The invention arranges RA in each decentralized sub-network in decentralized network
Drawings
In order to illustrate the design of the method more clearly, the drawings that are necessary in the description of the method will be briefly described below, it being clear that the drawings in the description below are some schematic representations of the method.
FIG. 1 is a schematic diagram of a portion of the system of the present invention;
FIG. 2 is a timing diagram of sub-registry registration;
FIG. 3 is a timing diagram of a registry parameter exchange;
FIG. 4 is a timing diagram of node registration;
FIG. 5 is a timing diagram illustrating node authentication and session key agreement within a subnet;
FIG. 6 is a timing diagram illustrating node authentication and session key agreement between subnets;
fig. 7 is a flowchart illustrating a distributed network authentication method according to the present invention.
The invention is described in detail below with reference to the figures and examples.
Detailed Description
Example 1
In modern informatization war, the rapid and accurate acquisition of various information is the key to the success or failure of the war. Nowadays, with the development of national defense industry and the tamping foundation of communication technology in China, the development trend of network center battles is out of gear, and the problem of network communication safety enters the visual field of people.
The invention is a distributed network authentication system for realizing safe communication by identity cryptography, each node in the distributed network is connected with each other to form a criss-cross network structure, and data transmission is not required to be directly carried out between the nodes through a central node, so that the distributed network authentication system is a decentralized and highly dynamic network; the distributed network authentication system is provided with a unique root registration center RRA, the root registration center divides the network into a plurality of distributed sub-networks according to the geographical position of the nodes, the requirement of logical networking or other requirements, and the distributed sub-networks are provided with a plurality of distributed nodes; forming a decentralized network environment, referring to fig. 1, fig. 1 is a schematic diagram of a part of the system structure of the present invention; the real-time battlefield network environment is set as a distributed network environment, each distributed subnet of the distributed network environment is provided with a sub-registration center RA, and all the sub-registration centers are respectively connected with a unique root registration center; an annular main communication network is built between adjacent distributed subnetworks through the sub registration center nodes, necessary data are transmitted, and a distributed network authentication system is formed. Referring to fig. 2, fig. 2 is a registration timing diagram of the sub-registry, and after the sub-registry sends its own identity information to the root registry, a public and private key pair corresponding to the identity is obtained, and the registration operation of the sub-registry is completed. In actual operation, for a discrete node without an attached subnet in a tactical end environment, if a discrete subnet needs to be added, referring to fig. 4, fig. 4 is a node registration timing diagram, discrete nodes a and B need to make a network access request to an authentication center in a target subnet, obtain a corresponding public and private key pair by calculating the node names of a and B on line, then add the discrete node to a distributed network authentication system on line again, complete the operation of adding the discrete node to the discrete subnet, and implement node network access. In a distributed network environment, a root registration center RRA is responsible for the registration of sub RA and the generation of private keys in other distributed subnets, sub RA nodes in the subnets are responsible for the generation of public parameters in the distributed subnets where the sub RA nodes are located and the registration of other nodes and the generation of private keys, besides, each distributed subnet is provided with a group of common computing nodes, and the group of computing nodes are the main operating places of identity registration and authentication protocols. The nodes in the same subnet can quickly and accurately perform identity authentication and session key agreement, referring to fig. 5, fig. 5 is a sequence diagram of node authentication and session key agreement in the subnet, and the request authentication node a and the target authentication node B complete identity authentication with each other by exchanging identity information and calculating bilinear pairing values. The nodes between subnets can complete identity authentication and session key agreement between subnets with participation of the registration center, see fig. 6, fig. 6 is a sequence diagram of node authentication and session key agreement between subnets, when performing cross-subnet session key agreement, the registration centers of two dispersed subnets perform public parameter exchange, and then return the obtained public parameters, and the requesting node a can authenticate the identity of the target node B using the public parameters of the target subnet. In the whole distributed network authentication system, the distributed network calculates the way of storing resources of nodes, adopts the resource formalization processing and unifies the resource parameters, and keeps the form consistency of data transmission among the nodes.
The most mature and widely applied in the field of identity authentication is the Public Key Infrastructure (PKI), a public key in a PKI mechanism has no practical significance, a corresponding relation is established between the public key and an identity of a user through a Certificate Authority (CA) certificate, and the PKI has an authority to maintain, update and revoke the certificate. Due to the particularity of the nodes in the decentralized computing network, if the certificate is used in the authentication process, the calculation amount of the node authentication stage is undoubtedly increased, and the idea that the calculation capacity of the nodes in the network is limited is not met. In addition, the traditional PKI mechanism has a fatal disadvantage that there is no way to verify the identity of the node in an off-line state, once the CA center cannot effectively provide services, the node has no way to acquire or verify the validity of the CA certificate, and there is no way to verify the identity of other nodes, which is contrary to the design concept of unstable nodes in a decentralized computing network.
Although the public key cryptosystem based on the identity also needs a credible private key generator PKG, the PKG only participates in the registration and cross-domain authentication of the node and is more flexible than a PKI mechanism. The invention provides a distributed network authentication system for realizing secure communication by identity cryptography based on the idea of a distributed network. The system is provided with a unique root registration center and a plurality of sub-registration centers of the scattered subnets, and the scattered nodes are added into the network through the sub-registration centers on line without influencing other nodes. Authentication in the sub-network and between the sub-networks is completed through bilinear pairing and dynamic random number generation technologies, a session key can be generated efficiently and safely, and reliable communication between nodes is completed.
Aiming at future network battles, the invention provides an integral scheme of a distributed network authentication system for realizing safe communication by identity cryptography, aiming at achieving the purposes that in a real-time battlefield environment, the addition of a distributed network computing node can not influence other registered nodes, and the nodes can rapidly and safely complete identity authentication and session key negotiation. Meanwhile, the invention completes an anonymous identity authentication by using bilinear pairing and dynamic random number generation technology, the scheme can effectively hide the sensitive information of the user and complete mutual authentication and key exchange among nodes, and all processes can not be traced by malicious nodes. In the whole system, the distributed network calculates the way of node storage resources, adopts the resource formalization processing, unifies the resource parameters, and keeps the form consistency of data transmission among the nodes.
Because the mobility of the nodes in the decentralized network is strong, newly added nodes often appear in the network, and the registered nodes of the invention can not be influenced by the addition or the separation of other nodes and can always perform identity authentication and session key negotiation with any node.
Example 2
The overall structure of the distributed network authentication system for realizing the secure communication by the identity cryptography is the same as that of the embodiment 1, and the resource parameters in the invention comprise two parts: part of the parameters are registration center node parameters, including a pairing function, a preset elliptic curve function, a certain point on a curve, a master key, system public parameters, a plurality of hash functions mapped to the point and the like; the other part is common calculation node parameters, and the parameter part is obtained by sharing a registration center and comprises a pairing function, a selected elliptic curve, a public and private key pair, a session key negotiated with other nodes, system public parameters, a plurality of hash functions mapped to points and the like; when the distributed network computing node performs identity authentication, session key negotiation, updating, query and response transmission, the required equipment resource can be searched only through the resource parameter.
The invention perfects the parameter exchange protocol between the subnets. The method can resist certain attacks under the condition that one or more nodes are compromised or attacked, can still ensure certain safety even if all the nodes are damaged, and does not need any initialization or re-registration operation, thereby showing that the method can be better suitable for a decentralized computing network.
Example 3
The invention also relates to a distributed network authentication method for realizing the safe communication by the identity cryptography, which is operated on the distributed network authentication system for realizing the safe communication by the identity cryptography in the tactical end environment, the overall structure of the distributed network authentication system for realizing the safe communication by the identity cryptography is the same as that of the embodiment 1-2, and the invention refers to fig. 7, and fig. 7 is a flow chart of the distributed network authentication method. The method comprises the following steps:
(1) the root registry establishes global public parameters: a set of common parameters, which are configured in the form of a configuration file and which can also be generated using a system initialization algorithm, is exposed to all the child registries within the system. The root registry establishes global public parameters, which is also equivalent to completing the initialization of the root registry.
(2) The sub-registration center registers and generates public parameters in the scattered sub-networks: the sub-registration center nodes are connected with the root registration center through a main communication network, the root registration center calculates corresponding public and private key pairs through the identity information of the sub-registration centers, the public and private key pairs and global public parameters are returned to the sub-registration centers, and the sub-registration centers generate the public parameters in the distributed sub-networks by using configuration files or a system initialization algorithm after receiving the return information.
(3) And (3) common node registration in the decentralized sub-network: the common nodes in the decentralized sub-network are connected with the registration center in the sub-network on line and send identity information, the sub-registration center calculates corresponding public and private key pairs through the identity information of the nodes and then returns the public and private key pairs and public parameters in the sub-network to the nodes, and the common nodes in the sub-network can locally store the public and private key pairs after receiving the return information of the sub-registration center.
(4) Node identity authentication and session key negotiation in the decentralized subnet: the method comprises the steps that a request authentication node sends an identity authentication request to a target authentication node, the target authentication node calculates a bilinear mapping value by using public parameters in a distributed subnet and identity information of the request authentication node, then the value is returned to the request authentication node, the request authentication node calculates the bilinear mapping value according to the identity information of the target authentication node and generates a session key at the same time, then the bilinear mapping value and the session key are returned to the target authentication node, and the target authentication node determines whether the identity authentication request and the session key of the request authentication node pass through or not by judging the consistency of the two bilinear mapping values; the two bilinear mapping values are mapping values respectively calculated by the request authentication node and the target authentication node.
(5) Node identity authentication and session key negotiation between the dispersed subnets: the method comprises the steps that a request authentication node sends an identity authentication request to a target authentication node, the target authentication node judges that the authentication request is an authentication request between subnets and then requests an authentication center node in a subnet where the request authentication node is located to obtain public parameters in a distributed subnet where the request authentication node is located, after the authentication center node of the target authentication node and an authentication center of the request authentication node exchange respective public parameters, the public parameters in the distributed subnet are cached and returned to the target authentication node, the target authentication node replies a session key to the identity authentication request by using the parameters of the request authentication node, the request authentication node verifies the identity of the target authentication node, and then random number challenge is carried out, so that the identity and the session key of the target authentication node are determined.
The invention provides a distributed network authentication system for realizing safe communication by identity cryptography, and a distributed network authentication method for realizing safe communication by identity cryptography. In the invention, each subnet is provided with an RA, the RRA in the invention is responsible for RA registration and private key generation of each subnet, the RA is responsible for registration of all nodes in the subnet and private key generation, after one-time online registration operation, the node in any distributed network can perform mutual authentication in the subnet and across subnets with any other node, and meanwhile, the node in the network is not required to be added into any PKI system, so that the authentication and communication of the nodes in the distributed network can be safely and efficiently realized.
Example 4
The distributed network authentication system and method for realizing secure communication by identity cryptography, as in the embodiment 1-3, establishes global public parameters by the root registry in the step (1), and when established by using a system initialization algorithm, specifically comprises the steps of:
1.1 generating two groups G1 and G2 with prime number q and order q and a bilinear map e, and selecting a random generator P;
1.2 selecting a random number as a master key and setting a node public key;
1.3 construct two cryptographic hash functions H1 and H2 and expose global common parameters to child registries of decentralized subnets.
And establishing global public parameters by a system initialization method.
Besides the system initialization algorithm, the common parameters of the system can also use the current internationally universal parameters, and the parameters are stored in a configuration file and can be downloaded on an official website.
Example 5
The identity cryptography realizes the distributed network authentication system and method of secure communication, as with embodiments 1-4, the step (3) of ordinary node registration in the subnet, the process is as shown in fig. 4, and includes the following steps:
3.1 the registration node in the distributed subnet sends the identity information to the registration center in the distributed subnet, and the sub-registration center generates a pair of public and private keys for the registration node by using the acquired identity information and marks the validity period of the keys;
Figure BDA0003074895180000091
skA=G(skRA,pkA)=s·pkA
and 3.2, the sub registration center returns the related information of the public and private key pair and the public parameters in the distributed subnet to the registration node through a offline mode, and the common node registration in the distributed subnet is finished under the condition of not informing other nodes.
In the existing system and method, the join of the decentralized node needs to inform other nodes in the decentralized network, which undoubtedly increases the amount of computation and the complexity of the system. The invention can complete the network access operation of discrete nodes without informing other nodes, and reduces the calculation amount of a single node from the aspects of system structure and method, thereby realizing the rapid registration of the nodes.
Example 6
The distributed network authentication system and method for implementing secure communication by identity cryptography, as in embodiments 1-5, and the node identity authentication and session key agreement in the Subnet described in step (4), the process is as shown in fig. 5, fig. 5 is a sequence diagram of node authentication and session key agreement in the Subnet of the present invention, and when a node a in a same distributed Subnet M wishes to perform identity verification with a node B, the following steps are included:
4.1 node A sends VA1To node B, including node A's public key pkAAnd the identity, ID, of the RA in the subnet MRA-MAnd the public key pkRA-M
Figure BDA0003074895180000093
4.2 node B receives V sent by node AA1Then, the authentication is judged as the sub-network authentication, and then a bilinear pairing value K is calculatedBA,skBIs the private key of node B, pkAIs the public key of node A, e () is the bilinear map computation in BF-IBE, and then node B returns VB1For node A;
KBA=e(skB,pkA)
Figure BDA0003074895180000092
4.3 node A receives VB1Then, the pk is recovered by decryptionB、M、H(KBAMSG) post calculation KAB,H(KABMSG) by comparison with H (K)ABMSG) isNO and H (K)BAMSG) to confirm the identity of node B, after passing node B identity, node a returns VA2To the node B.
Figure BDA0003074895180000101
4.4 node B receives VA2And then decrypting the node A, carrying out integrity check on all the fields, and verifying the identity of the node A through a process similar to that in the fourth step. VBWhere N may be a session key or an integrity verification key,
Figure BDA0003074895180000102
is a signature over N.
A distributed computing network is a computing mode with multiple trust domains, a large number of unauthorized or malicious nodes exist in the network, the nodes are not trusted under the network environment, the nodes are easily attacked outside the trust domains during communication, data can be subjected to malicious access or modification of the storage nodes and risks of stealing and cracking by the malicious nodes during data storage in the network, and the difficulty of data sharing among the nodes is multiplied. Most of the existing identity authentication schemes are based on a public key infrastructure, a public key in a PKI mechanism has no practical significance, a corresponding relation is established between the public key and an identity of a user through a CA (certificate authority) certificate, and the certificate is maintained, updated and revoked by an authority in the PKI.
The invention improves the problem of the lack or the incompleteness of the identity authentication mechanism in the decentralized calculation model, combines the identity authentication mechanism and the characteristics of the decentralized network to improve on the basis of the existing solution that the encrypted storage data is difficult to share, adopts a bilinear pairing method for the identity authentication in the decentralized sub-network, realizes the authentication of the nodes safely and efficiently, and solves the problem of how to share the data in the decentralized network.
Example 7
The distributed network authentication system and method for implementing secure communication by identity cryptography, as in embodiments 1-6, the distributed inter-subnet node authentication and session key agreement described in step (5), see fig. 6, fig. 6 is a sequence diagram of the inter-subnet node authentication and session key agreement of the present invention, a node a of a distributed subnet M wants to authenticate with a node B of another subnet N, and needs to use an intermediate layer of an RA to perform mutual authentication, and after obtaining public parameters of the other network, the identity authentication and key agreement are performed, including the following steps:
5.1 sending identity authentication request: referring to fig. 6, a requesting authentication node a sends an identity authentication request to a target authentication node B, where the identity authentication request includes a public key of the requesting authentication node, identity information of a subnet where the requesting authentication node is located, and a public key; the specific operation is that the node A sends the tuple VA1To node B, including node A's public key pkAAnd node A identity ID of RA in subnet MRA-MAnd the public key pk of RARA-M
Node A tuple
Figure BDA0003074895180000103
Sending tuple VA1For node B, use public key pk of node BBAnd (4) encrypting.
5.2 the target authentication node acquires the public parameters in the subnet: the target authentication node receives the request and judges the request as the authentication between the subnets, and then requests the authentication center node in the subnet where the target authentication node is located to acquire the public parameter in the subnet where the request authentication node is located; operative to receive by node B V transmitted by node AAThen, judging that the authentication is cross-subnet authentication, the node B needs to apply for the public parameter of the subnet M to RA in the subnet N of the node B, and the node B sends a tuple VB1Giving RA-N;
node B tuple
Figure BDA0003074895180000111
In the formula, pkRA-NIs the public key, K, of the child registry of the subnet in which the node B is locatedBNIs a dynamic random number.
5.3 public parameter exchange between subnets: after the authentication center node of the target authentication node exchanges public parameters with the authentication requesting node, the public parameters are cached and returned to the target authentication node.
5.4 the target authentication node replies to the session key: the target authentication node replies a session key to the identity authentication request by using the parameters of the authentication request node, and the specific operation is that the node B receives VRA-NThen decryption is performed, the identity of RA-M is firstly authenticated, and then V is verifiedRA-NIntegrity of N in content, verification of public parameter Param of subnet M after validationMAnd a common parameter Param of the subnet NNThen generates the session key SK using the pseudo-random number generator PRNG, using pkA,ParamMTo VB2Encrypted and sent to the node A, wherein the public parameter Param of the subnet N is containedNAnd signing the public parameter, using the public key pk of node AA. Tuple of node B:
Figure BDA0003074895180000112
the public parameter Param of the inventionMTo VB2The encryption is performed to ensure that only node a in subnet M can pair VB2Decryption is carried out, and the safety of the authentication process is guaranteed.
5.5 request authentication node random number challenge: the identity of a target authentication node is verified by the request authentication node, then a random number is generated, the hash value of the session key encrypted random number is calculated and replied to the target authentication node, and the specific operation is that the node A receives VB2Then, the private key of the node A is used for carrying out decryption operation, integrity check is carried out on each field, and the node A is located in the subnet M, so that the node A can have the public key of RA in the subnet M, and the Param can be obtained by decryptionNAnd pkRA-NThen using the PRNG to generate a random number R1Sending VA2To the node B.
Figure BDA0003074895180000113
In the formula, H ({ R)1}SK) Representing the pair R with the session key SK1After encryption, a hash function is used to obtain a hash value, and the random number and the hash value are encrypted by the public key of the node B and the public parameter of the subnet in which the node B is positioned to obtain a tuple VA2
5.6 challenge of random number of target authentication node: specific operation receiving V as point BA2Then carrying out decryption operation to obtain R1And determines to use locally calculated H ({ R }1}SKWhether or not the result of (1) is equal to VA2After that, a random number R is generated2Transmitting VB3A node A;
Figure BDA0003074895180000121
the target authentication node acquires the random number generated by the request authentication node, whether the hash value after the session key encryption random number is calculated locally is the same as the received hash value, if so, the identity of the node A is confirmed, and then a new random number R is generated2Sending a request authentication node; otherwise, the identity of A is not safe, and the authentication process is stopped.
5.7 request authentication node to judge hash value: the specific operation is that the node A receives V from BB3Then, a decryption operation is performed, and H (V) is judged firstA2) Whether the message is the same as the message sent by the user or not is judged, and then R is obtained2. Then returns the tuple VA3To the node B.
Figure BDA0003074895180000122
Requesting the authentication node to locally calculate whether the hash value of the session key encrypted random number is the same as the received hash value, if so, confirming the identity of the node B, and then returning the hash value of the received message to the target authentication node; otherwise, the identity of the B is not safe, and the authentication process is stopped.
The safety certification among the sub networks is dispersed, the respective sub registration centers of the certification nodes exchange public parameters, then the communication safety of the certification nodes is ensured through a dynamic random number generation technology, and meanwhile, the invasion of external malicious nodes can be resisted.
The invention relates to a distributed network authentication method for realizing safe communication based on identity cryptography, which comprises the following steps: in a distributed network scene, a network is divided into a plurality of sub-networks (trust domains) according to the geographic position of nodes, the requirement of logical networking or other requirements, a root registration center RRA exists in the network and is responsible for the registration of sub-RA and the generation of private keys in other distributed sub-networks, the sub-RA nodes in the sub-networks are responsible for the generation of public parameters in the sub-networks where the sub-RA nodes are located and the registration of other nodes and the generation of private keys, besides, each sub-network is provided with a group of common computing nodes, and the computing nodes are the main operating places of identity authentication protocols. Before the common nodes join the distributed network, the common nodes can perform identity registration through a registration center RA in a corresponding sub-network to obtain a public key and a private key, and then the nodes in the network can perform identity authentication and session key negotiation through the public key and the private key pair, so that the service safety of the distributed network is improved.
The present invention is further illustrated by the following detailed example of a system and method fusion.
Example 8
The invention discloses a distributed network authentication system and a method for realizing safe communication by identity cryptography, which are the same as the embodiments 1-7, and the invention discloses the distributed network authentication system for realizing the safe communication by the identity cryptography, which is shown in figure 1.A unique root authentication center is arranged in the system, the network is divided into a plurality of sub-networks according to the geographic position of nodes, the requirement of logical networking or other requirements, and a sub-registration center and a common node are arranged in the sub-networks; and a ring-shaped backbone communication network is built between adjacent subnetworks through the registration center node to transmit necessary data. The sub-registries in each sub-network can perform registration operation through the main communication network, and referring to fig. 2, the sub-registries acquire public and private key pairs corresponding to identities after sending their own identity information to the root registry, thereby completing the registration operation. When processing the identity authentication operation between subnets, a step of parameter interchange is required for the authentication center node between subnets, referring to fig. 3, after the registration center 1 sends the public parameter of the corresponding subnet and the identity information of itself to the registration center 2, the registration center 2 verifies the identity of 1, and then returns the subnet public parameter and the identity information of the registration center 2. For a discrete node without a sub-network attached to a resource cluster in a tactical end environment, if the discrete node needs to be added to the sub-network, referring to fig. 4, identity information of the discrete node needs to be provided to a registry on line, and the registry generates a corresponding public and private key pair for the discrete node, and then the discrete node goes on line again. The nodes in the same subnet can quickly and accurately perform identity authentication and session key agreement, and referring to fig. 5, the request authentication node and the target authentication node complete identity authentication with each other by exchanging identity information and calculating a bilinear pairing value. The nodes between subnets can complete identity authentication and session key negotiation between subnets with participation of a registration center, referring to fig. 6, the authentication center acquires public parameters of the subnet of the opposite side through parameter exchange and returns the public parameters to the nodes, the target authentication node generates a verification message by using the public parameters of the network of the opposite side and sends the verification message to the authentication requesting node, the authentication requesting node verifies the message, random number challenge of the target authentication node is acquired, and identity authentication and session key negotiation is completed after reply is performed on the message.
Aiming at future network battles, the invention provides an integral scheme of a distributed network authentication system for realizing safe communication by identity cryptography, aiming at quickly and safely finishing identity authentication and session key negotiation among distributed network computing nodes in a real-time battlefield environment. In the whole system, the distributed network calculates the way of node storage resources, adopts the resource formalization processing, unifies the resource parameters, and keeps the form consistency of data transmission among the nodes.
Step (2) of the present invention, referring to fig. 2, the registration process of the sub-registry is shown, and fig. 2 is a registration timing chart of the sub-registry according to the present invention, which includes the following steps:
2.1 the sub-registry provides its own corresponding identity information to the root registry, and the root registry will use the information to generate a public and private key pair for the sub-registry.
Figure BDA0003074895180000131
skRA=G(s,pkRA)
=s·pkRA
And 2.2, the root registry returns the corresponding public and private key pairs and network public parameters to the sub-registries through the backbone network.
2.3 generating two groups G1 and G2 with prime number q and order q and a bilinear map e, and selecting a random generator P;
2.4 selecting a random number as a master key and setting a node public key;
2.5 two cryptographic hash functions H1 and H2 are constructed and expose the common parameters of the system into the network.
Referring to fig. 4, the registration process of the node in step (3) is shown in fig. 4, which is a timing diagram of node registration in the present invention, and includes the following steps:
3.1 the node A in the distributed subnet sends the identity information to the authentication node RA in the subnet, RA utilizes the obtained identity information to generate a pair of public and private keys for the node, and marks the validity period of the key;
Figure BDA0003074895180000141
skA=G(skRA,pkA)=s·pkA
and 3.2, the registration center node returns the related information of the public and private key pair and the public parameters of the sub-network to the registration node through a offline mode.
Step (4) the process of node identity authentication and session key agreement in the Subnet is shown in fig. 5, where fig. 5 is a sequence diagram of node authentication and session key agreement in the Subnet of the present invention, and when node a in the same distributed Subnet M wishes to perform identity verification with node B, the following steps are included:
4.1 node A sends VA1To node B, including node A's public key pkAAnd the identity, ID, of the RA in the subnet MRA-MAnd the public key pkRA-M
Figure BDA0003074895180000142
4.2 node B receives V sent by node AA1Then, the authentication is judged as the sub-network authentication, and then a bilinear pairing value K is calculatedBA,skBIs the private key of node B, pkAIs the public key of node A, e () is the bilinear map computation in BF-IBE, and then node B returns VB1For node A;
KBA=e(skB,pkA)
Figure BDA0003074895180000143
4.3 node A receives VB1Then, the pk is recovered by decryptionB、M、H(KABMSG) post calculation KAB,H(KABMSG) by comparison with H (K)ABWhether MSG) is associated with H (K)BAMSG) to confirm the identity of node B, after passing node B identity, node a returns VA2To the node B.
Figure BDA0003074895180000144
4.4 node B receives VA2And then decrypting the node A, carrying out integrity check on all the fields, and verifying the identity of the node A through a process similar to that in the third step. VBWhere N may be a session key or an integrity verification key,
Figure BDA0003074895180000154
is a signature over N.
Step (5) the process of the inter-subnet node identity authentication and session key agreement is shown in fig. 6, fig. 6 is a sequence diagram of the inter-subnet node authentication and session key agreement of the present invention, a node a of a distributed subnet M wants to authenticate with a node B of another subnet N, and needs to use an intermediate layer of RA to perform mutual authentication, and after obtaining the public parameters of the other subnet, the identity authentication and the key agreement are performed, which includes the following steps:
5.1 requesting the authentication node to send an identity authentication request to a target authentication node, wherein the identity authentication request comprises a public key of the authentication node, identity information of a subnet registry where the authentication node is located and the public key, and the specific operation is that the node A sends VA1To entity B, including node A's public key pkAAnd the identity, ID, of the RA in the subnet MRA-MAnd the public key pkRA-M
Figure BDA0003074895180000151
5.2 the target authentication node receives the request and judges the request as the authentication between the sub-networks, and then requests the authentication center node in the sub-network to obtain the public parameter of the sub-network of the authentication request node, specifically, the operation is that the node B receives the V sent by the node AAThen, judging as cross-subnet authentication, the node B needs to apply for the public parameter of the subnet M to RA in the subnet N of the node B, and the node B sends VB1Giving RA-N;
Figure BDA0003074895180000152
5.3 after the authentication center node of the target authentication node exchanges public parameters with the authentication center of the request authentication node, caching the public parameters and returning the public parameters to the target authentication node;
5.4 the target authentication node replies to the identity authentication request with the session key using the parameters of the requesting authentication node, specifically, the operation is that the node B receives VRA-NThen decryption is performed, the identity of RA-M is firstly authenticated, and then V is verifiedRA-NIntegrity of N in content, verification of Param after validationMAnd ParamNThen generates the session key SK using the PRNG, using pkA,ParamMTo VB2Encrypted and sent to the node A, wherein the public parameter Param of the subnet N is containedNAnd signature on common parameters, using pkA,ParamMTo VB2The encryption is performed to ensure that onlyNode A in subnet M can be paired with VB2Carrying out decryption;
Figure BDA0003074895180000153
5.5 the request authentication node verifies the identity of the target authentication node, then generates a random number and calculates the hash value of the session key after encrypting the random number and replies the hash value to the target authentication node, specifically, the operation is that the node A receives VB2Then, decryption operation is carried out, integrity check is carried out on each field, and as the node A is positioned in the subnet M, the node A can possess the public key of RA in the subnet M, so that Param can be obtained through decryptionNAnd pkRA-NThen using the PRNG to generate a random number R1And encrypted using SK, sends VA2To the node B;
Figure BDA0003074895180000161
5.6 the target authentication node obtains the random number generated by the request authentication node, calculates whether the hash value of the session key encrypted random number is the same as the received hash value or not locally, then generates a new random number to send the request authentication node, and the specific operation is that the point B receives VA2Then carrying out decryption operation to obtain R1And determines to use locally calculated H ({ R }1}SKWhether or not the result of (1) is equal to VA2After that, a random number R is generated2Transmitting VB3A node A;
Figure BDA0003074895180000162
5.7 requesting authentication node to calculate session key encrypted random number locally, whether the hash value is the same as the received hash value, then returning the hash value of the received message to target authentication node, specifically operating that node A receives V from BB3Then, a decryption operation is performed, and H (V) is judged firstA2) Whether the message is the same as the message sent by the user or not is obtainedR2The identity of the node B is determined by an operation similar to step seven. Then returns to VA3To the node B.
Figure BDA0003074895180000163
5.8 node B receives VA3Then, by comparison with VB3Can normally communicate with the node A and then return to VB4To node a.
VB4={"OK"}SK,H(VK,{"OK"}SK)
The invention improves the problem of the lack or the incompleteness of the identity authentication mechanism in the decentralized calculation model, improves the identity authentication mechanism and the characteristics of the decentralized network on the basis of the existing solution that the encrypted storage data is difficult to share, realizes the authentication of the nodes safely and efficiently by adopting a bilinear pairing method for the identity authentication in the decentralized sub-network, and solves the problem of how to share the data in the decentralized network.
In summary, the present invention provides a distributed network authentication system and method for implementing secure communication based on identity cryptography. The authentication system is formed in such a way that each distributed subnet of a distributed network environment is provided with a sub-registration center RA, and all the sub-registration centers are respectively connected with a unique root registration center; and annular backbone communication networks are built between adjacent distributed subnetworks through the sub registration center nodes to transmit necessary data. The security authentication method comprises the following steps that a root registration center establishes global public parameters, a sub-registration center registers and generates public parameters in a decentralized subnet, registration of common nodes in the subnet, identity authentication and session key negotiation of nodes in the subnet, and identity authentication and session key negotiation of nodes between subnets. The invention divides a plurality of sub-networks in a distributed network environment, each sub-network is provided with a sub-registration center, and the nodes register offline through the sub-registration centers, so that the nodes can be increased and decreased at will under the condition of not informing other nodes, and the technical problem of high calculation amount brought by the traditional CA mechanism is also solved. The invention has the advantages of realizing rapid identity verification and session key agreement of the nodes in the distributed network, realizing non-inductive joining and leaving of the nodes, improving the information security of the distributed network, and being applicable to identity authentication scenes of nodes with limited computing resources in the distributed network, such as identity authentication and session key agreement under the terminal environment of a battlefield.

Claims (7)

1. A distributed network authentication system for realizing safe communication by identity cryptography is characterized in that each node in a distributed network is connected with each other to form a crisscross network structure, and data transmission is not required to be directly carried out between the nodes through a central node, so that the distributed network authentication system is a decentralized and high-dynamic network; the distributed network authentication system is provided with a unique root registration center RRA, the root registration center divides the network into a plurality of distributed sub-networks according to the geographical position of the nodes, the requirement of logical networking or other requirements, and the distributed sub-networks are provided with a plurality of distributed nodes; forming a decentralized network environment, characterized by: setting a real-time battlefield network environment as a distributed network environment, wherein each distributed subnet of the distributed network environment is provided with a sub-registration center RA, and all the sub-registration centers are respectively connected with a unique root registration center; an annular main communication network is built between adjacent distributed subnetworks through a sub registration center node, and necessary data are transmitted to form a distributed network authentication system; for a discrete node without an attached subnet in a tactical end environment, if the discrete node is to be added into the discrete subnet, a network access request needs to be provided to a sub registry in a target subnet, a corresponding public and private key pair is obtained by calculating the name of the node to be added into the discrete subnet on line, and then the node is added into a distributed network authentication system on line again to complete the operation of adding the discrete node into the discrete subnet; in a distributed network environment, a root registration center RRA is responsible for the registration of sub RA and the generation of private keys in other distributed subnets, sub RA nodes in the subnets are responsible for the generation of public parameters in the distributed subnets where the sub RA nodes are located and the registration of other nodes and the generation of private keys, besides, each distributed subnet is provided with a group of common computing nodes which are main operating places of identity registration and authentication protocols; the node identity is verified through a public and private key during session key negotiation; node identity authentication and session key negotiation in the decentralized subnet: the method comprises the steps that a request authentication node sends an identity authentication request to a target authentication node, the target authentication node calculates a bilinear mapping value by using public parameters in a distributed subnet and identity information of the request authentication node, then the value is returned to the request authentication node, the request authentication node calculates the bilinear mapping value according to the identity information of the target authentication node and generates a session key at the same time, then the bilinear mapping value and the session key are returned to the target authentication node, and the target authentication node determines whether the identity authentication request and the session key of the request authentication node pass through or not by judging the consistency of the two bilinear mapping values; when performing cross-subnet session key negotiation, the registration centers of the two dispersed subnets exchange public parameters, then return the obtained public parameters, the request node authenticates the identity of the target node by using the public parameters of the target subnet, the target authentication node replies a session key to the identity authentication request by using the parameters of the request authentication node, the request authentication node verifies the identity of the target authentication node, and then challenge with a random number is performed, thereby determining the identity and the session key of the target authentication node; in the whole distributed network authentication system, the distributed network calculates the way of storing resources of nodes, adopts the resource formalization processing and unifies the resource parameters, and keeps the form consistency of data transmission among the nodes.
2. The decentralized network authentication system for identity cryptography enabling secure communication according to claim 1, wherein: the resource parameters include two parts: one part is a root registration center node parameter which comprises a pairing function, a preset elliptic curve function, a certain point on a curve, a master key, a system public parameter and a plurality of hash functions mapped to the point; the other part is common calculation node parameters, and the parameter part of the part is obtained by sharing a sub registration center and comprises a pairing function, a selected elliptic curve, a public and private key pair, a session key negotiated with other nodes, system public parameters and a plurality of hash functions mapped to points; when the distributed network computing node performs identity authentication, session key negotiation, updating, query and response transmission, the required equipment resource can be searched only through the resource parameter.
3. A distributed network authentication method for realizing secure communication by identity cryptography is characterized in that: operating on a decentralized network authentication system for secure communication with identity cryptography according to any one of claims 1-2, comprising the steps of:
(1) the root registry establishes global public parameters: exposing a group of public parameters to all the sub-registries in the system, wherein the group of global public parameters are configured in a configuration file form and can also be generated by using a system initialization algorithm;
(2) the sub-registration center registers and generates public parameters in the scattered sub-networks: the sub-registry nodes are connected with the root registry through a main communication network, the root registry calculates a corresponding public and private key pair through the identity information of the sub-registry, and then returns the public and private key pair and the global public parameter to the sub-registry, and the sub-registry generates the public parameter in the distributed sub-registry by using a configuration file or a system initialization algorithm after receiving the return message;
(3) and (3) registering common nodes in the sub-network: the common node in the subnet is connected with a registration center in the subnet on line and sends identity information, the sub registration center calculates a corresponding public and private key pair through the identity information of the node and then returns the public and private key pair and public parameters in the subnet to the node, and the common node in the subnet locally stores the public and private key pair after receiving a return message of the sub registration center;
(4) node identity authentication and session key negotiation in the subnet: the method comprises the steps that a request authentication node sends an identity authentication request to a target authentication node, the target authentication node calculates a bilinear mapping value by using public parameters in a distributed subnet and identity information of the request authentication node, then the value is returned to the request authentication node, the request authentication node calculates the bilinear mapping value according to the identity information of the target authentication node and generates a session key at the same time, then the bilinear mapping value and the session key are returned to the target authentication node, and the target authentication node determines whether the identity authentication request and the session key of the request authentication node pass through or not by judging the consistency of the two bilinear mapping values;
(5) node identity authentication and session key negotiation between the dispersed subnets: the method comprises the steps that a request authentication node sends an identity authentication request to a target authentication node, the target authentication node judges that the authentication request is an authentication request between subnets and then requests a sub-registration center node in a subnet where the request authentication node is located to acquire public parameters in a distributed subnet where the request authentication node is located, after the sub-registration center of the subnet where the target authentication node is located and the sub-registration center of the subnet where the request authentication node is located exchange respective public parameters, the public parameters in the distributed subnet are cached and returned to the target authentication node, the target authentication node replies a session key to the identity authentication request by using the parameters of the request authentication node, the request authentication node verifies the identity of the target authentication node, and then random number challenge is carried out, so that the identity and the session key of the target authentication node are determined.
4. The decentralized network authentication method for identity cryptography enabling secure communication according to claim 3, wherein: the root registration center in the step (1) establishes global public parameters, and when a system initialization algorithm is used for establishment, the specific steps comprise:
1.1 generating two groups G1 and G2 with prime number q and order q and a bilinear map e, and selecting a random generator P;
1.2 selecting a random number as a master key and setting a node public key;
1.3 construct two cryptographic hash functions H1 and H2 and expose global common parameters to child registries of decentralized subnets.
5. The decentralized network authentication method for identity cryptography enabling secure communication according to claim 3, wherein: the registration of the common node in the subnet in the step (3) specifically comprises the following steps:
3.1 the registration node in the distributed subnet sends the identity information to the registration center in the distributed subnet, and the sub-registration center generates a pair of public and private keys for the registration node by using the acquired identity information and marks the validity period of the keys;
and 3.2, the sub registration center returns the related information of the public and private key pair and the public parameters in the distributed subnet to the registration node through a offline mode, and the common node registration in the distributed subnet is finished under the condition of not informing other nodes.
6. The decentralized network authentication method for identity cryptography enabling secure communication according to claim 3, wherein: the node identity authentication and session key negotiation in the subnet in the step (4) specifically comprises the following steps:
4.1 request authentication node to send authentication request: the request authentication node sends an identity authentication request to a target authentication node, wherein the identity authentication request comprises a public key of the request authentication node, identity information of a subnet registration center where the request authentication node is located and the public key;
4.2 the target authentication node returns a message: the target authentication node receives the request and judges the request as the authentication in the distributed subnet, the public parameter in the distributed subnet and the identity information of the request authentication node are used for calculating a bilinear mapping value, and the hash value of the request message, the public key of the target authentication node, the session key, the signature of the session key and the hash value of the combination of the session key and the bilinear mapping value are returned to the request authentication node;
4.3 request authentication node to return message: the request authentication node calculates a bilinear mapping value by using the identity information of the target authentication node, judges that the hash value of the combination of the value and the session key is consistent with the median of the returned message of the target authentication node, and returns the hash value of the returned message, the signature of the session key and the hash value of the combination of the session key and the bilinear mapping value to the target authentication node if the hash value is consistent with the median of the returned message of the target authentication node; if not, returning the message information of authentication failure to the target authentication node.
7. The decentralized network authentication method for identity cryptography enabling secure communication according to claim 3, wherein: the identity authentication and session key negotiation of the nodes between the distributed subnets in the step (5) specifically comprises the following steps:
5.1 sending identity authentication request: the request authentication node sends an identity authentication request to a target authentication node, wherein the identity authentication request comprises a public key of the request authentication node, identity information of a subnet registration center where the request authentication node is located and the public key;
5.2 the target authentication node acquires the public parameters in the subnet: the target authentication node receives the request and judges the request as the authentication between the sub-networks, and then requests to a sub-registration center in the sub-network where the target authentication node is located to acquire the public parameter in the sub-network where the request authentication node is located;
5.3 public parameter exchange between subnets: after the sub-registration center of the sub-network where the target authentication node is located and the sub-registration center of the sub-network where the request authentication node is located exchange public parameters, caching the public parameters and returning the public parameters to the target authentication node;
5.4 the target authentication node replies to the session key: the target authentication node replies a session key to the identity authentication request by using the parameters of the authentication request node;
5.5 request authentication node random number challenge: the request authentication node verifies the identity of the target authentication node, then generates a random number and calculates a hash value of the session key after encrypting the random number and replies the hash value to the target authentication node;
5.6 challenge of random number of target authentication node: the target authentication node acquires the random number generated by the request authentication node, locally calculates whether the hash value of the session key encrypted random number is the same as the received hash value, and then generates a new random number to send the request authentication node;
5.7 request authentication node to judge hash value: requesting the authentication node to locally calculate whether the hash value of the session key encrypted random number is the same as the received hash value or not, and if so, returning the hash value of the received message to the target authentication node; and if the authentication is different, returning the message of the authentication failure to the target authentication node.
CN202110549584.8A 2021-05-20 2021-05-20 Distributed network authentication method for realizing secure communication by identity cryptography Active CN113315762B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110549584.8A CN113315762B (en) 2021-05-20 2021-05-20 Distributed network authentication method for realizing secure communication by identity cryptography

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110549584.8A CN113315762B (en) 2021-05-20 2021-05-20 Distributed network authentication method for realizing secure communication by identity cryptography

Publications (2)

Publication Number Publication Date
CN113315762A CN113315762A (en) 2021-08-27
CN113315762B true CN113315762B (en) 2022-04-19

Family

ID=77373805

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110549584.8A Active CN113315762B (en) 2021-05-20 2021-05-20 Distributed network authentication method for realizing secure communication by identity cryptography

Country Status (1)

Country Link
CN (1) CN113315762B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112564923A (en) * 2021-03-01 2021-03-26 南京信息工程大学 Certificateless-based secure network connection handshake method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9106644B2 (en) * 2013-05-30 2015-08-11 CertiVox Ltd. Authentication
CN108667616B (en) * 2018-05-03 2021-05-04 西安电子科技大学 Cross-cloud security authentication system and method based on identification
CN111371730B (en) * 2018-12-26 2021-11-30 中国科学院沈阳自动化研究所 Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene
CN111355745B (en) * 2020-03-12 2021-07-06 西安电子科技大学 Cross-domain identity authentication method based on edge computing network architecture
CN112532591B (en) * 2020-11-06 2022-03-11 西安电子科技大学 Cross-domain access control method, system, storage medium, computer equipment and terminal

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112564923A (en) * 2021-03-01 2021-03-26 南京信息工程大学 Certificateless-based secure network connection handshake method

Also Published As

Publication number Publication date
CN113315762A (en) 2021-08-27

Similar Documents

Publication Publication Date Title
CN112039872B (en) Cross-domain anonymous authentication method and system based on block chain
CN108667616B (en) Cross-cloud security authentication system and method based on identification
CN114615095B (en) Block chain cross-chain data processing method, relay chain, application chain and cross-chain network
Jiang et al. Integrated authentication and key agreement framework for vehicular cloud computing
CN110958229A (en) Credible identity authentication method based on block chain
Liu et al. Bua: A blockchain-based unlinkable authentication in vanets
US20090240941A1 (en) Method and apparatus for authenticating device in multi domain home network environment
CN109963282B (en) Privacy protection access control method in IP-supported wireless sensor network
JP2013502762A (en) Security access control method and system for wired LAN
CN108882238B (en) Lightweight round robin CA authentication method based on consensus algorithm for mobile ad hoc network
CN112039660B (en) Internet of things node group identity security authentication method
Xi et al. ZAMA: A ZKP-based anonymous mutual authentication scheme for the IoV
Tong et al. CCAP: A complete cross-domain authentication based on blockchain for Internet of things
CN115514474A (en) Industrial equipment trusted access method based on cloud-edge-end cooperation
CN114884698A (en) Kerberos and IBC security domain cross-domain authentication method based on alliance chain
Karim et al. BSDCE-IoV: blockchain-based secure data collection and exchange scheme for IoV in 5G environment
CN115002717A (en) Internet of vehicles cross-domain authentication privacy protection model based on block chain technology
CN114037457A (en) Industrial complex product terminal cross-domain access authentication method based on identity
CN114189380A (en) Zero-trust-based distributed authentication system and authorization method for Internet of things equipment
CN116599659B (en) Certificate-free identity authentication and key negotiation method and system
CN113411801A (en) Mobile terminal authentication method based on identity signcryption
CN110752934B (en) Method for network identity interactive authentication under topological structure
CN113315762B (en) Distributed network authentication method for realizing secure communication by identity cryptography
CN110891067A (en) Revocable multi-server privacy protection authentication method and revocable multi-server privacy protection authentication system
CN113747433B (en) Equipment authentication method based on block side chain structure in fog network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant