CN114500085A - Remote certification protocol for multimedia edge cloud security - Google Patents

Remote certification protocol for multimedia edge cloud security Download PDF

Info

Publication number
CN114500085A
CN114500085A CN202210156151.0A CN202210156151A CN114500085A CN 114500085 A CN114500085 A CN 114500085A CN 202210156151 A CN202210156151 A CN 202210156151A CN 114500085 A CN114500085 A CN 114500085A
Authority
CN
China
Prior art keywords
terminal
mmec
multimedia
security
edge cloud
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210156151.0A
Other languages
Chinese (zh)
Other versions
CN114500085B (en
Inventor
张志勇
张丽丽
邵敬平
宋斌
邵东霞
牛丹梅
张孝国
李玉祥
赵长伟
向菲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Henan University of Science and Technology
Original Assignee
Henan University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Henan University of Science and Technology filed Critical Henan University of Science and Technology
Priority to CN202210156151.0A priority Critical patent/CN114500085B/en
Publication of CN114500085A publication Critical patent/CN114500085A/en
Application granted granted Critical
Publication of CN114500085B publication Critical patent/CN114500085B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Abstract

The invention discloses a remote certification protocol oriented to multimedia edge cloud security, which comprehensively guarantees data security, platform identity security and integrity state maintenance of multimedia edge cloud and terminal interaction by introducing platform identity authentication, integrity measurement and verification of a terminal and an MMEC (multimedia Measure and control) end and an MMEC end and a multimedia cloud communication party. The security analysis shows that the method of the invention is superior to the existing security scheme in the aspects of privacy protection capability, attack resistance capability and the like; the performance simulation result shows that the method effectively reduces the calculation overhead when the method is in a non-intensive multimedia resource request quantity state.

Description

Remote certification protocol for multimedia edge cloud security
Technical Field
The invention relates to the technical field of multimedia edge cloud security, in particular to a remote attestation protocol facing multimedia edge cloud security.
Background
In a Multimedia Edge cloud (MMEC) environment, unauthorized Multimedia devices and potentially untrusted devices frequently interact with each other in the number of insecure transmission layers, which makes the phenomena of device attack, data eavesdropping, tampering and deletion endless. Therefore, how to ensure that only the security device can perform multimedia data interaction with the trusted device under the multimedia edge cloud environment and ensure that data is transmitted in the security channel is a difficult problem to be solved urgently. Trusted computing is an effective authentication mechanism for solving the potential safety hazard of an equipment system, wherein Remote Attestation (RA) can realize identity authentication and integrity verification of platforms of both communication parties, and ideas and methods are provided for solving the problems.
Currently, binary-based remote attestation is a classic method of verifying platform integrity status. In the binary-based remote attestation process, a challenger measures the integrity of the configuration state of software and hardware components of a Platform through a Trusted Platform Module (TPM), a Platform integrity measurement value and an integrity measurement report are sent to a verifier, and the Trusted verifier judges whether the challenger is Trusted or not through the verification measurement value. In addition, the transmission layer is used as a key layer of MMEC data transmission, potential safety hazards existing in the transmission layer cannot be solved only by adopting remote certification based on binary system, and transmission safety can be ensured only by executing a safe transmission layer protocol. The TLS1.3 handshake protocol is one of the secure transport layer protocols, and key agreement, identity authentication and handshake integrity verification of the client and the server are realized through three-way handshake, so that the security of the transport layer is guaranteed, but the integrity state of the two communication devices cannot be comprehensively verified.
The remote attestation model and protocol combining the remote attestation of the second system and the TLS1.3 handshake protocol are an important means for solving the safety and privacy problems of the MMEC. And bidirectional identity authentication is carried out in the TLS1.3 handshake process, and integrity measurement and verification of both sides of communication between the terminal and the MMEC end and between the MMEC end and the multimedia cloud end are introduced, so that the interactive data security, platform identity security and integrity state maintenance of the multimedia edge cloud and the terminal are comprehensively ensured.
Disclosure of Invention
In order to achieve the purpose, the invention provides the following technical scheme:
a remote attestation protocol facing multimedia edge cloud security comprises the following steps:
s1, the terminal initiates a remote certification challenge to the MMEC terminal;
s2, after receiving the challenge message, the MMEC sends a response message to the terminal, and negotiates a first symmetric key pair between the terminal and the MMEC, namely a handshake stream key derived key pair;
s3, the terminal and the MMEC terminal mutually send and verify remote certification values, and negotiate out a second symmetric key pair, namely an application layer handshake flow key derivation key pair, so as to establish a credible security channel;
s4, the terminal transmits the multimedia resource request message encrypted by the second symmetric key to the MMEC terminal on the secure channel; the MMEC terminal analyzes and decides the multimedia resource request of the terminal, and if the MMEC terminal has sufficient resources, the MMEC terminal directly transfers the resources to the terminal; otherwise, the MMEC terminal sends a multimedia resource waiting message encrypted by the second symmetric key to the terminal, temporarily stores a multimedia resource request message sent by the terminal, and simultaneously requests the multimedia resource from the multimedia cloud.
Preferably, the steps S1 and S2 are that the terminal and the MMEC end mutually perform a key exchange phase, use a random number to defend against a replay attack, use a derived key to encrypt the name of the MMEC server to defend against behavior of the terminal accessing the MMEC end, and are tracked, and use a signature algorithm to defend against a tampering attack.
Preferably, in step S3, the terminal and the MMEC terminal perform a server parameter stage, a platform identity authentication stage, and an integrity check stage; the two communication parties carry out two-way anonymous identity authentication and two-way integrity measurement and verification, and finally a credible security channel is established.
Preferably, in step S4, the terminal sends an access accept and reject message to the MMEC terminal according to the access principle; if the access is allowed, the terminal sends a multimedia resource request message encrypted by the second symmetric key to the MMEC terminal; otherwise, the remote attestation process is terminated.
According to the remote certification protocol oriented to the multimedia edge cloud security, platform identity authentication, integrity measurement and verification of both sides of communication between the terminal and the MMEC end and between the MMEC end and the multimedia cloud end are introduced, so that the interactive data security, the platform identity security and the integrity state maintenance of the multimedia edge cloud and the terminal are comprehensively guaranteed. Compared with the existing security scheme, the protocol has superiority in the aspects of privacy protection capability, attack resistance capability and the like.
Drawings
FIG. 1 is a diagram of a remote attestation model oriented to multimedia edge cloud security in an embodiment of the present invention;
fig. 2 is a diagram illustrating a remote attestation process between a terminal and a multimedia edge cloud according to an embodiment of the present invention;
fig. 3 is a diagram of a remote attestation process of a multimedia edge cloud and a multimedia cloud in an embodiment of the invention.
Detailed Description
The technical scheme of the invention is further explained by combining the drawings and the embodiment.
In the RA model facing the MMEC security, the MMEC end server utilizes the analysis decision capability to divide the process of requesting multimedia resources from the MMEC end by a terminal into two conditions of non-intensive resource request quantity and intensive resource request quantity. Based on the RA model oriented to the MMEC security, the remote attestation protocol oriented to the multimedia edge cloud security is also divided into two cases, one is to execute only the RA procedure between the terminal and the MMEC end, and the other is to execute the RA procedure between the MMEC end and the multimedia cloud end in addition to the RA procedure. Because the two RA processes are similar, the invention only describes the RA protocol facing the MMEC safety under the non-intensive resource request quantity state, namely the RA process between the terminal and the MMEC terminal, and specifically comprises the following stages:
(1) and a key exchange stage: the terminal initiates a remote certification challenge to the MMEC terminal, such as: including a ClientHello message and a derived key KTMEncryptionClientHello extension message of MMEC end server name, ECDHE public key Y of terminalTAnd using terminal ECDHE private key DTFor YTAnd a random number NTSignature sig (Y)T||NT,DT) And the like. The MMEC server sends remote certification challenge response data to the terminal, such as ServerHello message, ECDHE public key Y of the MMEC serverMAnd ECDHE private key D using MMEC serverMFor YMRandom number NMAnd NTSignature sig (Y)M||NM||NT,DM) And the like. Finally, the terminal and the MMEC end negotiate out a derived symmetric key pair K of the handshake stream keytrafficTAnd KtrafficM
(2) A server parameter stage: the MMEC server sends the warp K to the terminal in sequencetrafficMEncrypted EncryptedExtensions message and CertificateRequest message containing a random string str1 to inform the terminal that the interaction message needs to be encrypted and that it needs to provide anonymous certificate credentials to prove identity.
(3) Platform identity authentication and integrity verification stage: and the MMEC server and the terminal mutually transmit the RA certificate and the RA report.
For example, the RA credentials of the MMEC server are: ECDSA private key SK of MMEC serverMFor sig (cert)M||str1||NT||NM) Signed anonymous certificate annoCertMPCR including platform integrity metric and previous handshake metricMUse of AIKpriMFor sig (PCR)M||TML||NT||NM) Sigma of the signatureM、finished_keyMEtc., wherein TML is a credibility measurement log, and the signature algorithm is ECDSA algorithm, finished _ keyMNamely hkdf _ expand _ label (K)trafficM"finished", "h.length), h.length is SHA1 length of 256 bits.
The RA credentials of the terminal are: ECDSA private key SK of terminalTFor sig (cert)T||str1||NM||NT) Signed anonymous certificate annoCertTPCR including platform integrity metric and previous handshake metricTUse of AIKpriTFor sig (PCR)T||TML||NT||NM) Sigma of the signatureT、finished_keyTEtc., wherein finished _ keyTNamely hkdf _ expand _ label (K)trafficT,"finished","",H.length)。
If the MMEC server and the terminal mutually prove that the identity of the other party is real and the integrity check value is correct, a credible security channel is established between the two communication parties and a symmetric key pair K derived from the handshake stream key of the application layer is negotiatedapp_trafficTAnd Kapp_trafficM. Then, both parties of communication use K respectivelyapp_trafficTAnd Kapp_trafficMThe RA report of the encrypted opposite platform is transmitted to the opposite party through a trusted secure channel. If the RA reports received by each other prove that the terminals are both credible, the terminal and the MMEC end continue the following operations through a credible secure channel.
(4) And an application layer stage: and the terminal sends access acceptance and rejection messages to the MMEC terminal according to the access principle. If the access is refused, the RA processes of the two parties are terminated; otherwise, the terminal sends warp Kapp_trafficTAnd sending the encrypted multimedia resource request message to the MMEC terminal. After receiving the multimedia resource request message, the MMEC end makes an analysis decision, and if the MMEC end is directly transferred, K is usedapp_trafficMThe encrypted multimedia resources are sent to the terminal, and the trusted interaction process of the multimedia resources between the terminal and the MMEC terminal is completed; otherwise, the MMEC end needs to send the warp K to the terminalapp_trafficMAnd the encrypted multimedia resource waiting message is used for temporarily storing the multimedia resource request message sent by the terminal, and on the other hand, the RA process between the MMEC end and the multimedia cloud end needs to be repeated in the four stages, so that the credible interaction process of the multimedia resources between the terminal, the MMEC end and the multimedia cloud end is finally realized.
The above is a specific embodiment of the present invention, but the scope of the present invention should not be limited thereto. Any changes or substitutions that can be easily made by those skilled in the art within the technical scope of the present invention are included in the protection scope of the present invention, and therefore, the protection scope of the present invention is subject to the protection scope defined by the appended claims.

Claims (4)

1. A remote attestation protocol for multimedia edge cloud security is characterized by comprising
S1, the terminal initiates a remote certification challenge to the MMEC terminal;
s2, after receiving the challenge message, the MMEC sends a response message to the terminal, and negotiates a first symmetric key pair between the terminal and the MMEC, namely a handshake stream key derived key pair;
s3, the terminal and the MMEC terminal mutually send and verify remote certification values, and negotiate out a second symmetric key pair, namely an application layer handshake flow key derivation key pair, so as to establish a credible security channel;
s4, the terminal transmits the multimedia resource request message encrypted by the second symmetric key to the MMEC terminal on the secure channel; the MMEC terminal analyzes and decides the multimedia resource request of the terminal, and if the MMEC terminal has sufficient resources, the MMEC terminal directly transfers the resources to the terminal; otherwise, the MMEC terminal sends a multimedia resource waiting message encrypted by the second symmetric key to the terminal, temporarily stores a multimedia resource request message sent by the terminal, and simultaneously requests the multimedia resource from the multimedia cloud.
2. The multimedia edge cloud security oriented remote attestation protocol of claim 1, wherein the steps S1 and S2 are that the terminal and the MMEC side mutually perform a key exchange phase, and use a random number to defend against replay attack, use a derived key to encrypt the name of the MMEC server to defend against the behavior of the terminal accessing the MMEC side, and are tracked, and use a signature algorithm to defend against tamper attack.
3. The multimedia edge cloud security-oriented remote attestation protocol according to claim 1, wherein in step S3, the terminal and the MMEC terminal perform a server parameter phase, a platform identity authentication phase, and an integrity check phase; the two communication parties carry out two-way anonymous identity authentication and two-way integrity measurement and verification, and finally a credible security channel is established.
4. The multimedia edge cloud security oriented remote attestation protocol of claim 1, wherein in step S4, the terminal sends access accept and reject messages to the MMEC terminal according to an access principle; if the access is allowed, the terminal sends a multimedia resource request message encrypted by the second symmetric key to the MMEC terminal; otherwise, the remote attestation process is terminated.
CN202210156151.0A 2022-02-21 2022-02-21 Remote certification method for multimedia edge cloud security Active CN114500085B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210156151.0A CN114500085B (en) 2022-02-21 2022-02-21 Remote certification method for multimedia edge cloud security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210156151.0A CN114500085B (en) 2022-02-21 2022-02-21 Remote certification method for multimedia edge cloud security

Publications (2)

Publication Number Publication Date
CN114500085A true CN114500085A (en) 2022-05-13
CN114500085B CN114500085B (en) 2023-03-07

Family

ID=81481619

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210156151.0A Active CN114500085B (en) 2022-02-21 2022-02-21 Remote certification method for multimedia edge cloud security

Country Status (1)

Country Link
CN (1) CN114500085B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610273A (en) * 2009-08-03 2009-12-23 西安西电捷通无线网络通信有限公司 A kind of secure remote certification method
CN101741842A (en) * 2009-12-07 2010-06-16 北京交通大学 Method for realizing dependable SSH based on dependable computing
CN102438044A (en) * 2011-12-04 2012-05-02 河南科技大学 Digital content trusted usage control method based on cloud computing
US20190065406A1 (en) * 2017-11-17 2019-02-28 Intel Corporation Technology For Establishing Trust During A Transport Layer Security Handshake
CN113746884A (en) * 2020-05-29 2021-12-03 北京金山云网络技术有限公司 Multimedia resource transmission method, device and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610273A (en) * 2009-08-03 2009-12-23 西安西电捷通无线网络通信有限公司 A kind of secure remote certification method
CN101741842A (en) * 2009-12-07 2010-06-16 北京交通大学 Method for realizing dependable SSH based on dependable computing
CN102438044A (en) * 2011-12-04 2012-05-02 河南科技大学 Digital content trusted usage control method based on cloud computing
US20190065406A1 (en) * 2017-11-17 2019-02-28 Intel Corporation Technology For Establishing Trust During A Transport Layer Security Handshake
CN113746884A (en) * 2020-05-29 2021-12-03 北京金山云网络技术有限公司 Multimedia resource transmission method, device and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
YUE YU等: "《A Trusted Remote Attestation Model Based on Trusted Computing》", 《IEEE XPLORE》 *
丰伟宁等: "面向多媒体数字版权保护的委托授权远程证明协议", 《计算机科学》 *
孟辰: "《基于PTM的可信终端交互系统的研究》", 《中国优秀硕士学位论文全文数据库》 *

Also Published As

Publication number Publication date
CN114500085B (en) 2023-03-07

Similar Documents

Publication Publication Date Title
CN109309565B (en) Security authentication method and device
US11303616B2 (en) System and method for a multi system trust chain
CN110069918B (en) Efficient double-factor cross-domain authentication method based on block chain technology
CN108965230A (en) A kind of safety communicating method, system and terminal device
EP1913728B1 (en) Total exchange session security
CN111756529B (en) Quantum session key distribution method and system
CN102811224A (en) Method, device and system for implementation of SSL (secure socket layer)/TLS (transport layer security) connection
CN112235235A (en) SDP authentication protocol implementation method based on state cryptographic algorithm
CN114143117B (en) Data processing method and device
CN105577377A (en) Identity-based authentication method and identity-based authentication system with secret key negotiation
CN108319857A (en) Trusted application adds unlocking method and system
CN115514474A (en) Industrial equipment trusted access method based on cloud-edge-end cooperation
US20210377239A1 (en) Method for distributed application segmentation through authorization
CN111641651B (en) Access verification method and device based on Hash chain
CN117336092A (en) Client login method and device, electronic equipment and storage medium
CN114500085B (en) Remote certification method for multimedia edge cloud security
CN102098397A (en) Realization method of VoIP (Voice-over-IP) media stream trusted transmission based on Zimmermann Real-Time Transport Protocol key exchange
CN113539523B (en) Internet of things equipment identity authentication method based on domestic commercial cryptographic algorithm
CN110035035A (en) A kind of secondary authentication method and system of single-sign-on
CN104935430A (en) Processing method and device for client business
WO2023151427A1 (en) Quantum key transmission method, device and system
CN113449343B (en) Trusted computing system based on quantum technology
CN112073410B (en) Cloud data secure transmission control method based on aging
CN114567439B (en) Identity authentication method and device
CN117201110A (en) Service data cross-network switching system under double-wiring network physical isolation environment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant