CN114007219B - Invisible identification access authentication method for low-orbit satellite communication - Google Patents


Info

Publication number
CN114007219B
Authority
CN
China
Prior art keywords
mac
satellite
access authentication
gid
uid
Legal status
Active
Application number
CN202111238889.3A
Other languages
Chinese (zh)
Other versions
CN114007219A (en)
Inventor
王施人
葛春鹏
任艳慧
王浩
马建鹏
Current Assignee
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications

Classifications

    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04B7/18593 Arrangements for preventing unauthorised access or for providing user protection (satellite systems for providing broadband data service to individual earth stations)
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/08 Access security
    • H04W12/69 Identity-dependent (context-dependent security)
    • H04W4/08 User group management

Abstract

The invention relates to a stealth (hidden-identity) access authentication method for low-orbit satellite communication and belongs to the field of satellite communication. The method has an initialization phase and an access authentication phase. In the initialization phase, before access authentication starts, hidden identity identifiers and pre-made keys are pre-distributed to all communication nodes. In the access authentication phase, a first access authentication is performed: using the pre-assigned hidden identifiers, the pre-made keys and the parameter information the parties exchange, together with the self-authenticating property of the hidden identity, it completes access authentication between nodes and negotiates a master session key and a temporary session key. This ensures that the access node is trustworthy, and the negotiated keys can be used to build a secure communication channel that protects the confidentiality of the session. The method meets the security requirements of a communication environment with dynamic network topology, limited node resources and large communication delay.

Description

Invisible identification access authentication method for low-orbit satellite communication
Technical Field
The invention belongs to the field of satellite communication, and particularly relates to a stealth access authentication method for low-orbit satellite communication.
Background
With the construction of low-orbit satellite constellations, the satellite Internet is a new kind of network that can provide communication services such as broadband access for ground and airborne terminals. Compared with the traditional terrestrial wired network, it has wide coverage, high delay and dynamic topology. At present, the satellite Internet and terrestrial communication systems complement each other and are developing toward integration, and the satellite Internet is entering the broadband Internet era.
Satellite Internet applications bring great convenience for information interconnection, but because the nodes are highly mobile and cover a wide area, the satellite Internet is highly complex, dynamic and open, and communication between nodes is easily threatened by attackers through information interception, information tampering and the like. To ensure communication security, a secure and efficient access authentication mechanism is needed so that every node accessing the network is a legitimate user, and unauthorized users are prevented from joining the network and launching attacks that could cause serious consequences such as theft of sensitive information, damage to the satellite platform or loss of control of mobile nodes.
The communication characteristics of the satellite Internet and the limited resources of access nodes mean that the traditional terrestrial network security access mechanism cannot be adopted directly: first, its communication cost is too high for a resource-limited environment; second, it requires many interaction rounds and a long authentication time, which severely reduces execution efficiency and the authentication success rate in an environment where links are easily interrupted and change frequently; third, nodes have different security and confidentiality levels, so a flexible access authentication method must be designed that balances security and confidentiality against resource usage.
To solve the above problems, an access authentication method suitable for the satellite Internet needs to be designed that supports secure first access authentication and has low resource consumption, a lightweight protocol, security and provability.
Disclosure of Invention
(I) The technical problem to be solved
The technical problems the invention aims to solve are the too high communication cost, the many interaction rounds, the long authentication time and the differing security and confidentiality levels of nodes in existing satellite communication.
(II) Technical scheme
To solve the above technical problems, the invention provides a stealth access authentication method for low-orbit satellite communication, whose parties are a ground management center, a mobile user and a satellite, denoted M, G_u and S_A respectively; the first mobile user to communicate with the satellite has hidden identity uid_i, and the hidden identity of satellite S_A is SID_A.
The method comprises an initialization stage and an access authentication stage;
initialization stage:
M shares a long-term key (GK, uk_i) with each group member, where GK is the group key and uk_i is the key of group member i;
the group is composed of a plurality of members, and the identity of each member is determined by the group identifier GID and the member's identity identifier UID;
the identity of the ground management center M is MID, and the long-term key it shares with satellite S_A is MSA; the related information collected by M is denoted GP, GP = {MID, GID, UID};
after the initialization phase is completed, the ground management center M holds the identity UID of each group member, the group identity GID and the key pair (GK, uk_i) of each member;
First access authentication and master key generation:
S11, the mobile user generates a random number r_g and then sends Message1 to satellite S_A, where Message1 = (r_g, GID, uid_i);
S12, after receiving Message1, satellite S_A sends Message2 to the ground management center M, where Message2 = (r_g, GID, uid_i, SID_A);
S13, after receiving Message2, the ground management center M generates a random number r_m and then generates GMK and umk_i in turn; M computes MAC_1 and sends Message3 to satellite S_A, where Message3 = (r_m, MID, GID, uid_i, SID_A, MAC_1);
GMK = PRF(GK || r_m || MID || r_g || GID || SID_A) ......(1-1)
umk_i = PRF(GMK || uid_i || uk_i || r_g || r_m || SID_A || MID || GID) ......(1-2)
MAC_1 = HASH(umk_i, r_m || MID || r_g || GID || SID_A || uid_i) ......(1-5)
S14, satellite S_A receives Message3 and forwards it to the mobile user;
S15, after receiving Message3, the mobile user generates GMK and umk_i in turn, computes MAC_1 and checks whether it equals the MAC_1 received from satellite S_A, thereby verifying the correctness of the umk_i generated by the ground management center M; it then computes MAC_2 and sends Message4 to satellite S_A, where Message4 = (r_g, MID, GID, uid_i, SID_A, MAC_2);
MAC_2 = HASH(umk_i, r_m || MID || r_g || GID || uid_i || SID_A) ......(1-6)
S16, satellite S_A receives Message4 and forwards it to the ground management center M;
S17, after receiving Message4, the ground management center M computes MAC_2 and compares it with the received MAC_2 to authenticate that the mobile user generated umk_i; it then sends Message5 to satellite S_A, where Message5 = E_MSA(GMK, umk_i, GP);
S18, satellite S_A receives Message5, decrypts it and stores the result.
Further, each group member has a pair of keys (GK, UK), GK being the group key and UK being the member key.
Further, in the initialization stage, the ground management center M collects and stores each member's identity identifier and key information through a secure channel.
Further, satellite S_A is a low-orbit satellite.
Further, in the authentication method, each party is pre-allocated a unique hidden identifier and key information.
Further, for the user group, the hidden information is composed of GID and UID: GID is the group identity information, which members of the same group share, and UID is the identity of the group member, which is unique to each member.
Further, the master session key is generated with a pseudo-random function.
The invention also provides a temporary key generation method, which comprises the following steps:
S21, satellite S_A generates a random number, computes MAC_3 and sends Message6 to the mobile user;
S22, the mobile user receives Message6, first verifies the correctness of MAC_3, then generates a random number r'_g, generates usk_i and GSK, computes MAC_4 and MAC_5 and sends Message7 to satellite S_A, where Message7 = (r'_g, GID, uid_i, SID_A, MAC_4, MAC_5);
S23, satellite S_A receives Message7 and, after generating usk_i and GSK, computes MAC_4 and MAC_5 and compares them with the received MAC_4 and MAC_5 to verify that the mobile user generated usk_i and GSK correctly; after computing MAC_6 and MAC_7 it sends Message8 to the mobile user;
S24, the mobile user receives Message8, computes MAC_6 and MAC_7 and compares them with the MAC_6 and MAC_7 just received to verify that satellite S_A generated usk_i and GSK correctly, which completes the temporary key generation phase.
Further, after the master key generation stage and the temporary key generation stage are completed, the mobile user and satellite S_A have finished access authentication.
Further, MAC_1 to MAC_7 use either the MD5 or the SHA algorithm.
(III) Beneficial effects
The invention provides a stealth access authentication method for low-orbit satellite communication. In the initialization stage, before access authentication starts, hidden identity identifiers and pre-made keys are pre-distributed to all communication nodes. In the access authentication stage, the first access authentication is performed: using the pre-assigned hidden identifiers, the pre-made keys and the parameter information the parties exchange, together with the self-authenticating property of the hidden identity, it completes access authentication between nodes and negotiates a master session key and a temporary session key; this ensures that the access nodes are trustworthy, and the negotiated keys can be used to build a secure communication channel that protects the confidentiality of the session. The authentication method not only performs identity confirmation for the communication nodes in the space information network, generates a shared secret and establishes a secure channel, with the security of the protocol proved under a security model, but also uses the logic-based composable security model PCL to prove the security of the authentication method; it thereby meets the security requirements of a communication environment with dynamic network topology, limited node resources and large communication delay.
Detailed Description
To make the objects, contents and advantages of the present invention more apparent, the following detailed description of the present invention will be given with reference to examples.
The invention relates to the field of satellite Internet, in particular to satellite Internet access authentication. It develops access authentication for nodes in different security domains of the satellite Internet on the basis of implicit (hidden) identities, and provides a stealth access authentication protocol for low-orbit satellite communication. The protocol comprises an initialization stage and an access authentication stage; the first access authentication of a node is completed through pre-allocation of implicit identity information, master key negotiation and temporary key negotiation.
The stealth access authentication protocol for low-orbit satellite communication comprises an initialization stage and an access authentication stage. In the initialization stage, before access authentication starts, hidden identity identifiers and pre-made keys are pre-distributed to all communication nodes. In the access authentication stage, the first access authentication is executed: using the pre-allocated hidden identifiers, the pre-made keys and the parameter information exchanged between the parties, together with the self-authenticating property of the hidden identity, access authentication between nodes and negotiation of a master session key and a temporary session key are completed, so that the access nodes are trustworthy; at the same time, a secure communication channel can be built with the negotiated keys to protect the confidentiality of the session.
The stealth access authentication method for low-orbit satellite communication adopts a cross-domain authentication approach based on a shared secret, hidden identities and a symmetric key mechanism; an access authentication method supporting first access and secure access authentication is designed for the space information network, achieving secure and efficient access during low-orbit satellite handover. The method comprises an initialization phase and an access authentication phase. In the initialization phase, before access authentication starts, hidden identity identifiers and pre-made keys are pre-distributed to all communication nodes. In the access authentication phase, the first access authentication is executed: using the pre-allocated hidden identifiers, the pre-made keys and the exchanged parameter information, together with the self-authenticating property of the hidden identity, access authentication between nodes and negotiation of a master session key and a temporary session key are completed, so that the access nodes are trustworthy; authentication and key negotiation are combined to improve communication efficiency, and a secure communication channel is built with the negotiated keys to protect the confidentiality of the session.
The authentication method not only performs identity confirmation for the communication nodes in the space information network, generates a shared secret and establishes a secure channel, with the security of the protocol proved under a security model, but also uses the logic-based composable security model PCL to prove the security of the authentication method; it thereby meets the security requirements of a communication environment with dynamic network topology, limited node resources and large communication delay.
The parties involved in the authentication method are a ground management center, a mobile user and satellites, denoted M, G_u (the first mobile user to communicate with the satellite has hidden identity uid_i), S_A and S_B respectively. Two satellites are involved, S_A and S_B, whose hidden identities are SID_A and SID_B respectively. The mobile user group GU is initially connected to low-orbit satellite S_A; subsequently the user group GU is no longer within the beam coverage of low-orbit satellite S_A and is switched to the beam range of low-orbit satellite S_B.
Each party in the communication is pre-allocated a unique hidden identifier and key information. For a user group, the hidden identifier consists of GID and UID: GID is the group identity information, shared by all members of the same group, and UID is the identity of the individual group member, unique to each member.
The protocol comprises two phases. The first is the initialization phase, which completes the sharing of secret information among all communication nodes and provides the basis for subsequent access authentication. The second is the access authentication phase, which contains the access authentication process and defines the formulas for information exchange and key negotiation; these are built on an existing security model and are proved secure under composition.
1. Initialization phase
The ground management center M collects and stores information such as each member's identity identifier and key through a secure channel. M shares a long-term key (GK, uk_i) with each group member, where GK is the group key and uk_i is the key of group member i. A group consists of several members, each with a key pair (GK, UK), GK being the group key and UK the member key, and the identity of each member is determined by the GID and UID. The identity of the ground management center M is MID, and the long-term keys it shares with the satellites are MSA and MSB. The related information collected by M is denoted GP = {MID, GID, UID}.
After the initialization phase is completed, the ground management center M holds the identity UID of each group member, the group identity GID and the key pair (GK, UK) of each member.
2. Access authentication phase
1.1. First access authentication
The mobile user performs access authentication for the first time and, at the same time, generates a master session key and a temporary session key to secure subsequent sessions. The master session key generation phase produces GMK and umk_i; the temporary session key generation phase produces GSK and usk_i. Key generation mainly uses a pseudo-random function, with the formulas below, where r_g and r'_g are random numbers generated by the mobile user, r_m is a random number generated by the management center, and satellites S_A and S_B each generate a random number of their own.
GMK = PRF(GK || r_m || MID || r_g || GID || SID_A) ......(1-1)
umk_i = PRF(GMK || uid_i || uk_i || r_g || r_m || SID_A || MID || GID) ......(1-2)
To ensure message integrity during transmission, MAC_1 to MAC_7 are computed with a hash algorithm such as MD5 or SHA; the calculation formulas are shown in Table 2.
MAC_1 = HASH(umk_i, r_m || MID || r_g || GID || SID_A || uid_i) ......(1-5)
MAC_2 = HASH(umk_i, r_m || MID || r_g || GID || uid_i || SID_A) ......(1-6)
1.1.1. First authentication and master key generation
The method comprises the following steps:
S11, the mobile user generates a random number r_g and then sends Message1 to satellite S_A, where Message1 = (r_g, GID, uid_i).
S12, after receiving Message1, satellite S_A sends Message2 to the ground management center M, where Message2 = (r_g, GID, uid_i, SID_A).
S13, after receiving Message2, the ground management center M generates a random number r_m and then generates GMK and umk_i in turn. M computes MAC_1 and sends Message3 to satellite S_A, where Message3 = (r_m, MID, GID, uid_i, SID_A, MAC_1).
S14, satellite S_A receives Message3 and forwards it to the mobile user.
S15, after receiving Message3, the mobile user generates GMK and umk_i in turn, computes MAC_1 and checks whether it equals the MAC_1 received from satellite S_A, thereby verifying the correctness of the umk_i generated by the ground management center M. It then computes MAC_2 and sends Message4 to satellite S_A, where Message4 = (r_g, MID, GID, uid_i, SID_A, MAC_2).
S16, satellite S_A receives Message4 and forwards it to the ground management center M.
S17, after receiving Message4, the ground management center M computes MAC_2 and compares it with the received MAC_2 to authenticate that the mobile user generated umk_i. It then sends Message5 to satellite S_A, where Message5 = E_MSA(GMK, umk_i, GP).
S18, satellite S_A receives Message5, decrypts it and stores the result.
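The S11 to S18 exchange above, as an added Python simulation that is not code from the patent: all three parties are modelled, formulas (1-1), (1-2), (1-5) and (1-6) are implemented with HMAC-SHA256 standing in for both PRF and the keyed HASH, E_MSA is replaced by an encrypt-then-MAC stand-in, and the identities and keys are constructed sample values. Fields are length-prefixed before concatenation so that the || in the formulas cannot be ambiguous, and the driver also shows a run in which MAC_1 is altered in transit.

```python
import hashlib
import hmac
import os
# Constructed simulation of S11-S18. HMAC-SHA256 stands in for the page's PRF and keyed
# HASH, and E()/D() are an encrypt-then-MAC stand-in for E_MSA; none of it is the patent's code.

def enc(*fields):
    """a || b || c with a 2-byte length prefix per field, so no two field orders collide."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def PRF(key, *fields):           # also serves as the keyed HASH(umk_i, data) of (1-5)/(1-6)
    return hmac.new(key, enc(*fields), hashlib.sha256).digest()

def GMK_of(GK, r_m, MID, r_g, GID, SID_A):                 # formula (1-1)
    return PRF(GK, r_m, MID, r_g, GID, SID_A)

def umk_of(GMK, uid_i, uk_i, r_g, r_m, SID_A, MID, GID):   # formula (1-2)
    return PRF(GMK, uid_i, uk_i, r_g, r_m, SID_A, MID, GID)

def MAC1(umk_i, r_m, MID, r_g, GID, SID_A, uid_i):         # formula (1-5)
    return PRF(umk_i, r_m, MID, r_g, GID, SID_A, uid_i)

def MAC2(umk_i, r_m, MID, r_g, GID, uid_i, SID_A):         # formula (1-6): last two fields swapped
    return PRF(umk_i, r_m, MID, r_g, GID, uid_i, SID_A)

def _keystream(key, nonce, n):   # HMAC in counter mode, enough 32-byte blocks to cover n bytes
    return b"".join(PRF(key, b"enc", nonce, bytes([i])) for i in range(-(-n // 32)))[:n]

def E(key, pt):                  # E_MSA(...): encrypt-then-MAC under the M / S_A long-term key
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + PRF(key, b"tag", nonce, ct)

def D(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, PRF(key, b"tag", nonce, ct)):
        raise ValueError("Message5 tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class MobileUser:
    def __init__(self, GID, uid_i, GK, uk_i):               # hidden identity and keys from initialization
        self.GID, self.uid_i, self.GK, self.uk_i = GID, uid_i, GK, uk_i
    def message1(self):                                     # S11
        self.r_g = os.urandom(16)
        return (self.r_g, self.GID, self.uid_i)
    def on_message3(self, m3):                              # S15
        r_m, MID, GID, uid_i, SID_A, mac1 = m3
        GMK = GMK_of(self.GK, r_m, MID, self.r_g, GID, SID_A)
        umk = umk_of(GMK, uid_i, self.uk_i, self.r_g, r_m, SID_A, MID, GID)
        if not hmac.compare_digest(mac1, MAC1(umk, r_m, MID, self.r_g, GID, SID_A, uid_i)):
            raise ValueError("MAC_1 mismatch: umk_i from M does not verify")
        self.GMK, self.umk = GMK, umk
        return (self.r_g, MID, GID, uid_i, SID_A, MAC2(umk, r_m, MID, self.r_g, GID, uid_i, SID_A))

class Satellite:
    def __init__(self, SID, MSA):
        self.SID, self.MSA, self.keys = SID, MSA, None
    def on_message1(self, m1):                              # S12 (S14 and S16 are plain forwarding)
        return m1 + (self.SID,)
    def on_message5(self, m5):                              # S18: decrypt and store GMK, umk_i, GP
        pt = D(self.MSA, m5)
        self.keys = (pt[:32], pt[32:64], pt[64:])

class GroundCenter:
    def __init__(self, MID, GK, members, sat_keys):
        self.MID, self.GK, self.pending = MID, GK, {}
        self.members, self.sat_keys = members, sat_keys     # {(GID, uid_i): uk_i}, {SID_A: MSA}
    def on_message2(self, m2):                              # S13
        r_g, GID, uid_i, SID_A = m2
        uk_i = self.members[(GID, uid_i)]      # unknown hidden identity: KeyError, no Message3
        r_m = os.urandom(16)
        GMK = GMK_of(self.GK, r_m, self.MID, r_g, GID, SID_A)
        umk = umk_of(GMK, uid_i, uk_i, r_g, r_m, SID_A, self.MID, GID)
        self.pending[(GID, uid_i)] = (r_g, r_m, SID_A, GMK, umk)
        return (r_m, self.MID, GID, uid_i, SID_A, MAC1(umk, r_m, self.MID, r_g, GID, SID_A, uid_i))
    def on_message4(self, m4):                              # S17
        r_g, MID, GID, uid_i, SID_A, mac2 = m4
        r_g0, r_m, SID0, GMK, umk = self.pending.pop((GID, uid_i))
        if (r_g, MID, SID_A) != (r_g0, self.MID, SID0):
            raise ValueError("Message4 does not belong to the pending run")
        if not hmac.compare_digest(mac2, MAC2(umk, r_m, MID, r_g, GID, uid_i, SID_A)):
            raise ValueError("MAC_2 mismatch: member not authenticated")
        GP = enc(self.MID, GID, uid_i)
        return E(self.sat_keys[SID_A], GMK + umk + GP)      # Message5 = E_MSA(GMK, umk_i, GP)

def make_parties():              # initialization phase with constructed identities and keys
    GK, uk_1, MSA = os.urandom(32), os.urandom(32), os.urandom(32)
    center = GroundCenter(b"MID", GK, {(b"GID-07", b"uid-1"): uk_1}, {b"SID_A": MSA})
    return MobileUser(b"GID-07", b"uid-1", GK, uk_1), Satellite(b"SID_A", MSA), center

def run_first_access(user, sat, center, tamper=False):
    """Drive S11-S18; True when both ends share GMK/umk_i. tamper=True flips a bit of MAC_1 so S15 must raise."""
    m3 = center.on_message2(sat.on_message1(user.message1()))
    if tamper:
        m3 = m3[:5] + (bytes([m3[5][0] ^ 1]) + m3[5][1:],)
    sat.on_message5(center.on_message4(user.on_message3(m3)))
    return (user.GMK, user.umk) == sat.keys[:2]
```

HASH(umk_i, data) is deliberately treated as a proper keyed MAC (HMAC) rather than a bare MD5 or SHA digest of key and data, since a plain Merkle-Damgard hash of the concatenation would be open to length extension and would not give the integrity guarantee the text relies on.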
1.1.2. Temporary key generation
The method comprises the following steps:
S21, satellite S_A generates a random number, computes MAC_3 and sends Message6 to the mobile user.
S22, the mobile user receives Message6, first verifies the correctness of MAC_3, then generates a random number r'_g, generates usk_i and GSK, computes MAC_4 and MAC_5 and sends Message7 to satellite S_A, where Message7 = (r'_g, GID, uid_i, SID_A, MAC_4, MAC_5).
S23, satellite S_A receives Message7 and, after generating usk_i and GSK, computes MAC_4 and MAC_5 and compares them with the received MAC_4 and MAC_5 to verify that the mobile user generated usk_i and GSK correctly. After computing MAC_6 and MAC_7 it sends Message8 to the mobile user.
S24, the mobile user receives Message8, computes MAC_6 and MAC_7 and compares them with the MAC_6 and MAC_7 just received to verify that satellite S_A generated usk_i and GSK correctly. After the master key generation phase and the temporary key generation phase are finished, the mobile user and satellite S_A have completed access authentication.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.

Claims (8)

1. A stealth access authentication method for low-orbit satellite communication is characterized in that a main body related to the authentication method comprises a ground management center, a mobile user and a satellite, which are respectively M, G u 、S A Representing that the mobile user first communicating with the satellite isIts hidden information is uid i The method comprises the steps of carrying out a first treatment on the surface of the Satellite S A Is SID (service identifier) A
The method comprises an initialization stage and an access authentication stage;
an initialization stage:
m shares a long-term key (GK, uk) with group members i ) Where GK is the group key, uk i For members of a groupIs a key to a key (a);
the group is composed of a plurality of members, and the identity of each member is determined by a group identification GID and an identity identification UID of the group member;
the identity of the ground management center M is MID and is connected with the satellite S A The shared long-term key is MSA; the related information collected by M is expressed by GP, GP= { MID, GID, UID };
after the initialization phase is completed, the ground management center M has the identity UID of each group member in the group, the group identity GID and the pair key (GK, uk) of each member i );
First access authentication and master key generation:
s11, mobile userGenerating random number r g After that, message1 is sent to satellite S A Wherein Message 1= (r g ,GID,uid i );
S12, satellite S A After receiving Message1, message2 is sent to the ground management center M, where Message 2= (r) g ,GID,uid i ,SID A );
S13, after receiving Message2, the ground management center M generates a random number r m Sequentially generating GMK, umk i The method comprises the steps of carrying out a first treatment on the surface of the Ground management center M calculates MAC 1 And transmits Message3 to satellite S A Wherein Message 3= (r m ,MID,GID,uid i ,SID A ,MAC 1 );
GMK=PRF(GK||r m ||MID||r g ||GID||SID A )……(1-1)
umk i =PRF(GMK||uid i ||uk i ||r g ||r m ||SID A ||MID||GID)……(1-2)
MAC 1 =HASH(umk i ,r m ||MID||r g ||GID||SID A ||uid i )……(1-5)
S14, satellite S_A receives Message3 and forwards it to the mobile user;
S15, after receiving Message3, the mobile user generates GMK and umk_i in turn, calculates MAC_1 and checks whether it equals the MAC_1 received from satellite S_A, so as to verify the correctness of the umk_i generated by the ground management center M; it then calculates MAC_2 and sends Message4 to satellite S_A, where Message4 = (r_g, MID, GID, uid_i, SID_A, MAC_2);
MAC_2 = HASH(umk_i, r_m || MID || r_g || GID || uid_i || SID_A) ……(1-6)
S16, satellite S_A receives Message4 and forwards it to the ground management center M;
S17, after receiving Message4, the ground management center M calculates MAC_2 and compares it with the received MAC_2 to verify the umk_i generated by the mobile user, then sends Message5 to satellite S_A, where Message5 = E_MSA(GMK, umk_i, GP);
S18, satellite S_A receives Message5, decrypts it and stores the result;
wherein,
each entity in the communication is pre-assigned unique stealth identification and key information; for a user group, the stealth identification information consists of GID and UID, where GID is the group identity information, members of the same group share the same group identity information, and UID is the identification of an individual group member, which is unique to each member.
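As an added example (not code from the patent), the first access authentication of claim 1 (steps S11 to S17) simulated in Python with the three parties' roles made explicit. Assumptions: PRF and the keyed HASH are both instantiated as HMAC-SHA256, "||" is length-prefixed concatenation, the satellite only relays, the E_MSA encryption of Message5 is omitted, and all identifiers and keys are constructed sample values.

```python
import hmac, hashlib, os

def concat(*parts: bytes) -> bytes:
    """The claims' '||': length-prefixed concatenation so field boundaries are unambiguous."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def prf(key: bytes, *data: bytes) -> bytes:
    """PRF(key || data) and HASH(key, data), both instantiated as HMAC-SHA256 (assumption)."""
    return hmac.new(key, concat(*data), hashlib.sha256).digest()

def derive_keys(gk, uk_i, r_m, mid, r_g, gid, sid_a, uid_i):
    """Equations (1-1) and (1-2): group master key GMK and member master key umk_i."""
    gmk = prf(gk, r_m, mid, r_g, gid, sid_a)
    umk_i = prf(gmk, uid_i, uk_i, r_g, r_m, sid_a, mid, gid)
    return gmk, umk_i

def mac1(umk_i, r_m, mid, r_g, gid, sid_a, uid_i):  # equation (1-5)
    return prf(umk_i, r_m, mid, r_g, gid, sid_a, uid_i)

def mac2(umk_i, r_m, mid, r_g, gid, uid_i, sid_a):  # equation (1-6)
    return prf(umk_i, r_m, mid, r_g, gid, uid_i, sid_a)

def run_first_access(center_keys, user_keys, gid, uid_i, mid, sid_a, r_g=None, r_m=None):
    """Simulates S11-S17 (Message5 encryption omitted). center_keys and user_keys are
    each party's own copy of (GK, uk_i); they agree only if the user is a real member.
    Returns (user_accepts, center_accepts, umk_i as held by M)."""
    r_g = r_g or os.urandom(16)                # S11: user nonce r_g travels in Message1
    r_m = r_m or os.urandom(16)                # S13: center nonce r_m travels in Message3
    # S12 adds SID_A; S13: M derives keys from its registered (GK, uk_i) and computes MAC_1
    gmk_m, umk_m = derive_keys(*center_keys, r_m, mid, r_g, gid, sid_a, uid_i)
    msg3_mac1 = mac1(umk_m, r_m, mid, r_g, gid, sid_a, uid_i)
    # S14/S15: the user derives keys from its own (GK, uk_i) and checks MAC_1 in
    # constant time; a mismatch means the two sides do not share umk_i
    gmk_u, umk_u = derive_keys(*user_keys, r_m, mid, r_g, gid, sid_a, uid_i)
    user_accepts = hmac.compare_digest(msg3_mac1, mac1(umk_u, r_m, mid, r_g, gid, sid_a, uid_i))
    if not user_accepts:
        return False, False, None              # user aborts; Message4 is never sent
    msg4_mac2 = mac2(umk_u, r_m, mid, r_g, gid, uid_i, sid_a)
    # S16/S17: M recomputes MAC_2 over its own umk_i to authenticate the user
    center_accepts = hmac.compare_digest(msg4_mac2, mac2(umk_m, r_m, mid, r_g, gid, uid_i, sid_a))
    return user_accepts, center_accepts, umk_m

if __name__ == "__main__":
    keys = (b"group-key-GK", b"member-key-uk_1")      # constructed sample keys
    ok_u, ok_m, _ = run_first_access(keys, keys, b"GID01", b"uid_1", b"MID", b"SID_A")
    print("user accepts:", ok_u, "center accepts:", ok_m)
```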
2. The low-orbit satellite communication oriented stealth access authentication method of claim 1, wherein each group member has a pair of keys (GK, UK), GK being a group key and UK being a member key.
3. The stealth access authentication method for low-orbit satellite communication according to claim 1, wherein in the initialization stage the ground management center M collects and stores the identification and key information of each member through a secure channel.
4. The stealth access authentication method for low-orbit satellite communication according to claim 1, wherein the satellite S_A is a low-orbit satellite.
5. The stealth access authentication method for low-orbit satellite communication according to claim 1, wherein the generation of the master session key uses a pseudo-random function.
6. A temporary key generation method based on the access authentication method according to any one of claims 1 to 5, characterized in that the method comprises the steps of:
S21, satellite S_A generates a random number, calculates MAC_3 and sends Message6 to the mobile user, where
S22, the mobile user receives Message6, first verifies the correctness of MAC_3, then generates a random number r'_g and generates usk_i and GSK, calculates MAC_4 and MAC_5, and sends Message7 to satellite S_A, where Message7 = (r'_g, GID, uid_i, SID_A, MAC_4, MAC_5);
S23, satellite S_A receives Message7 and, after generating usk_i and GSK, calculates MAC_4 and MAC_5 and compares them with the received MAC_4 and MAC_5 to verify the correctness of the usk_i and GSK generated by the mobile user; after calculating MAC_6 and MAC_7, it sends Message8 to the mobile user, where
S24, the mobile user receives Message8, calculates MAC_6 and MAC_7 and compares them with the just-received MAC_6 and MAC_7 to verify the correctness of the usk_i and GSK generated by satellite S_A, whereupon the temporary key generation stage is completed.
7. The temporary key generation method of claim 6, wherein after the master key generation stage and the temporary key generation stage are completed, the mobile user and satellite S_A have finished access authentication.
8. The temporary key generation method of claim 6, wherein MAC_1 to MAC_7 use either MD5 or SHA algorithms.
CN202111238889.3A 2021-10-25 2021-10-25 Invisible identification access authentication method for low-orbit satellite communication Active CN114007219B (en)


Publications (2)

Publication Number Publication Date
CN114007219A CN114007219A (en) 2022-02-01
CN114007219B true CN114007219B (en) 2024-03-26

Family

ID=79923714





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant