CN114513781A - Identity authentication method and data encryption and decryption method for air traffic control intelligent station - Google Patents


Info

Publication number
CN114513781A
Authority
CN (China)
Prior art keywords
intelligent station, data, background server, equation, ciphertext
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted; currently Active
Application number
CN202210129639.4A
Other languages
Chinese (zh)
Other versions
CN114513781B (en)
Inventors
张颖, 王岩磊, 刘亮, 邹斌斌, 张建杰, 任航, 潘旋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
EASTERN CHINA AIR TRAFFIC MANAGEMENT BUREAU CAAC; Qingdao Civil Aviation Atc Industry Development Co ltd
Original Assignee
EASTERN CHINA AIR TRAFFIC MANAGEMENT BUREAU CAAC; Qingdao Civil Aviation Atc Industry Development Co ltd
Events
Application filed by EASTERN CHINA AIR TRAFFIC MANAGEMENT BUREAU CAAC and Qingdao Civil Aviation Atc Industry Development Co ltd
Priority to CN202210129639.4A
Publication of CN114513781A
Application granted
Publication of CN114513781B

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/03 Protecting confidentiality, e.g. by encryption
            • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
              • H04W12/041 Key generation or derivation
              • H04W12/043 Key management using a trusted network node as an anchor
                • H04W12/0431 Key distribution or pre-distribution; Key agreement
            • H04W12/06 Authentication
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                  • H04L9/083 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
                • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
              • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0869 Generation of secret information involving random numbers or seeds
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
        • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
          • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
            • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of data encryption, and discloses an identity authentication method and a data encryption and decryption method for an air traffic control intelligent station. The method comprises the steps of carrying out application level source encryption on related real-time data of the air management equipment at a source, realizing end-to-end confidentiality protection of the related real-time data on a full link, completing session key distribution and identity authentication on an unsafe channel, and enabling communication data to exist in a ciphertext mode in the whole transmission process through session encryption. The identity authentication method comprises an intelligent station side acquisition device, an intelligent station background server and a KDC secret key distribution center; before each communication between the intelligent station side acquisition equipment and the intelligent station background server, the two communication parties carry out identity verification and key distribution through a KDC secret key distribution center. The data encryption and decryption method comprises the steps that data messages from an intelligent station side acquisition device to an intelligent station background server are encrypted and decrypted; and encrypting and decrypting data messages from the background server of the intelligent station to the acquisition equipment at the end side of the intelligent station.

Description

Identity authentication method and data encryption and decryption method for air traffic control intelligent station
Technical Field
The invention belongs to the technical field of data encryption, and particularly relates to an identity authentication method and a data encryption and decryption method for an air traffic control intelligent station.
Background
The introduction of new applications, new technologies and new air interfaces in 5G networks brings openness and flexibility, but it also enlarges the network's attack surface. Information integrity requires the communication system to guarantee that information is neither tampered with nor replaced in transit. A man-in-the-middle (MITM) attack is a common attack on integrity: the attacker covertly takes control of the communication path between two legitimate parties and intercepts, modifies or replaces their messages. Wireless links are especially exposed to MITM attacks because of their broadcast nature. Separation of the user plane from the control plane is a key characteristic of the 5G core network; it makes the user plane more flexible and lays the foundation for low latency and edge computing. The relay nodes and edge nodes this adds, however, pose a significant challenge to integrity, because every such node is a potential MITM position. In the core network an attacker can exploit a network vulnerability to manipulate network configuration data and so affect the integrity of the information; at an edge node an attacker can deploy its own gateway as a forged Mobile Edge Computing (MEC) gateway, with the same effect as a man-in-the-middle attack.
The strong and flexible capabilities of a 5G network can relieve the transmission pressure of the intelligent station's high-volume services, but the 5G network's existing security protections are link-level encryption technologies such as IPsec and TLS. Attacks on these link-level encryption modes have been published repeatedly in recent years, and the security problems of link-level protection keep emerging. Data encryption in the 5G network is confidentiality protection at the link level and can only provide point-to-point protection: each protected segment ends at an intermediate node. If the communication link is attacked by a man-in-the-middle who intercepts the key negotiation and authentication packets, the attacker can steal or tamper with the communication data.
The air traffic control intelligent station is professional software for the civil aviation ATC industry that provides remote real-time monitoring, intelligent troubleshooting, operation and maintenance, and visual analysis of remote stations, shelters and equipment rooms. Using technologies such as the Internet, it lets operation and maintenance staff see the on-site situation immediately, realising intelligent O&M, improving ATC maintenance efficiency and strengthening intelligent O&M management. The intelligent station system uses a distributed architecture: data acquisition devices at the remote station side transmit data such as power and environment monitoring and ATC equipment status to a central background server for centralised processing.
Because the confidentiality requirement for ATC intelligent station data is high, most existing deployments use leased or self-built point-to-point private lines or dark fibre. This transmission mode has many problems: the private link to a remote station is expensive, there is only a single link type with no effective wireless backup, a dedicated communication line is at high risk of damage, and recovery takes a long time.
Disclosure of Invention
To address the shortcomings of the prior art, the invention applies application-level source encryption to the real-time data of ATC equipment at its origin, achieving end-to-end confidentiality protection over the full link; session key distribution and identity authentication are completed over an insecure channel, and through session encryption the communication data exists only as ciphertext throughout transmission.
The application provides an identity authentication method for an air traffic control intelligent station.
The system comprises the intelligent station end-side acquisition device, the intelligent station background server and a KDC (key distribution center).
Before each communication between the acquisition device and the background server, the two parties perform identity verification and key distribution through the KDC.
The identity authentication method of the air traffic control intelligent station comprises the following steps:
S100, the intelligent station end-side acquisition device sends its own unique serial number and the unique serial number of the intelligent station background server to the KDC;
S110, after receiving the request, the KDC randomly generates a session key $K_{S,C}$, generates the tickets $T_C$ and $T_S$, and finally sends the ticket $T_S$ to the acquisition device;
the ticket $T_C$ is generated according to equation 1:
$T_C = E(K_C, (ID_S, K_{S,C}))$ (equation 1);
the ticket $T_S$ is generated according to equation 2:
$T_S = E(K_S, (ID_C, K_{S,C}, T_C))$ (equation 2);
S120, after receiving the ticket $T_S$, the acquisition device decrypts it with $K_S$ to obtain the session key $K_{S,C}$ and $T_C$, then encrypts the current timestamp $TS$ and the data checksum $ChS$ with the session key to produce the authentication factor $A$, and sends $A$ and $T_C$ to the background server;
the authentication factor $A$ is generated according to equation 3:
$A = E(K_{S,C}, (TS, ChS))$ (equation 3);
S130, after receiving the ticket $T_C$ and the authentication factor $A$, the background server decrypts $T_C$ with $K_C$ to obtain the session key $K_{S,C}$, then decrypts $A$ with $K_{S,C}$ to obtain the timestamp $TS$ and the checksum $ChS$; if $TS$ lies within 3 minutes of the current time (on either side) and is seen for the first time, it checks whether $ChS$ is correct, and if so proceeds to the next step;
S140, the background server increments the received timestamp $TS$ by 1, encrypts it with the session key $K_{S,C}$ and sends it to the acquisition device, completing bidirectional authentication.
In the above identity authentication method:
$ID_X$: the unique name of the intelligent station end-side acquisition device ($ID_S$) or of the intelligent station background server ($ID_C$);
$K_S$: the key pre-shared between the KDC and the acquisition device;
$K_C$: the key pre-shared between the KDC and the background server;
$T_S$: the ticket encrypted by the KDC under the key $K_S$;
$T_C$: the ticket encrypted by the KDC under the key $K_C$;
$K_{S,C}$: the session key for communication between the acquisition device and the background server.
In the above identity authentication method, the acquisition device performs identity verification and key distribution by the following steps:
S200, check whether the KDC address and the background server address in the configuration set by the administrator are reachable; if a socket connection cannot be established, report a configuration error and end the whole flow; if the connection succeeds, continue;
S210, connect to the KDC and send it two items: the unique serial-number identifier of the acquisition device, and the server identifier consisting of the background server's IP address and connection port number;
S220, receive the data returned by the KDC and check whether it is ticket information; if not, the KDC failed while generating the tickets, so report the error and end the whole flow; if it is ticket information, continue;
S230, decrypt this device's ticket in the received data with the pre-shared key to obtain the session key and the identification information; if the identification information does not match the current network device, report an error and return to step S210 to request a ticket from the KDC again; if it is correct, continue;
S240, encrypt the current timestamp and a random check value with the session key to obtain the authentication factor, then connect to the background server and send it the other ticket together with the authentication factor;
S250, check the data returned by the background server: if it is an error message, return to step S210; otherwise decrypt the ciphertext from the server with the session key; if the plaintext equals the timestamp sent in step S240 incremented by 1, bidirectional identity authentication is complete; if the check fails, return to step S210 and perform identity authentication and key distribution again.
In the above identity authentication method, the background server performs identity authentication and key distribution by the following steps:
S300, start the ticket-receiving service and listen on a specific socket port;
S310, accept a connection request from the network device and receive the ticket information and the authentication factor;
S320, decrypt the ticket with the pre-shared key to obtain the session key and the network device identification; if the identification does not match the network device that the current encryption agent is serving, send an error message to the acquisition device and prepare to receive a ticket again; if it is correct, continue;
S330, decrypt the authentication factor with the session key to obtain the timestamp and the random number; if the timestamp lies within 3 minutes of the current time and is seen for the first time, check whether the check value has the correct format; if it fails, send an error message to the acquisition device and return to step S310 to receive a ticket again; if it passes, continue;
S340, increment the validated timestamp by 1, encrypt it separately with the session key, and send it to the acquisition device to complete bidirectional identity authentication.
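The exchange of steps S100 to S140, together with the collector-side flow S200 to S250 and the server-side flow S300 to S340, as an added example in Python that is not part of the patent and not the applicants' code. The patent leaves the cipher behind $E(K, m)$ and $D(K, c)$ unspecified; the HMAC-SHA256 counter-mode keystream with an HMAC tag used below is a stand-in assumption chosen so the example runs on the standard library alone, and the device names DEV-0001 and SRV-0001, the pre-shared keys and the replay cache are constructed for the demonstration. It shows both parties' messages, the 3-minute window, the "seen for the first time" replay check and the $TS + 1$ reply of S140.

```python
import hashlib
import hmac
import json
import os
import time

WINDOW_SECONDS = 180   # "within 3 minutes of the current time" (S130 / S330)


# Stand-in for the patent's unspecified E(K, m) / D(K, c): an HMAC-SHA256
# counter-mode keystream plus an HMAC tag. Assumption for this example; toy only.
def _keystream_xor(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def E(key, obj):
    """Encrypt a JSON-serialisable structure: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def D(key, blob):
    """Verify the tag first, then decrypt; raises ValueError on any modification."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(_keystream_xor(key, nonce, ct))


class KDC:
    def __init__(self, pre_shared):          # {device id: K_S or K_C}
        self.psk = pre_shared

    def issue(self, id_s, id_c):             # S100 / S110
        k_sc = os.urandom(32).hex()          # fresh session key K_{S,C}
        t_c = E(self.psk[id_c], {"ID_S": id_s, "K_SC": k_sc})                      # eq. 1
        return E(self.psk[id_s], {"ID_C": id_c, "K_SC": k_sc, "T_C": t_c.hex()})  # eq. 2


class Collector:
    """Intelligent station end-side acquisition device."""
    def __init__(self, id_s, k_s):
        self.id_s, self.k_s = id_s, k_s

    def request(self, kdc, id_c):            # S210 to S240
        body = D(self.k_s, kdc.issue(self.id_s, id_c))
        if body["ID_C"] != id_c:             # S230: the ticket must name the server we asked for
            raise ValueError("ticket names a different server")
        self.k_sc = bytes.fromhex(body["K_SC"])
        self.ts = int(time.time())
        a = E(self.k_sc, {"TS": self.ts, "ChS": os.urandom(8).hex()})               # eq. 3
        return bytes.fromhex(body["T_C"]), a  # T_C and A go to the background server

    def finish(self, reply):                 # S250: the server must return TS + 1 under K_{S,C}
        return D(self.k_sc, reply)["TS"] == self.ts + 1


class BackgroundServer:
    """Intelligent station background server; `clock` is injectable for tests."""
    def __init__(self, k_c, clock=time.time):
        self.k_c, self.clock = k_c, clock
        self.seen = {}                       # (ID_S, TS) -> time accepted: the replay cache

    def authenticate(self, claimed_id_s, t_c, a):   # S320 to S340
        body = D(self.k_c, t_c)
        if body["ID_S"] != claimed_id_s:
            raise ValueError("ticket was issued for another device")
        k_sc = bytes.fromhex(body["K_SC"])
        auth = D(k_sc, a)
        now = int(self.clock())
        if abs(auth["TS"] - now) > WINDOW_SECONDS:
            raise ValueError("timestamp outside the 3-minute window")
        # "seen for the first time": keep accepted (ID_S, TS) pairs for twice the
        # window, because an accepted TS may lie up to WINDOW_SECONDS in the future.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= 2 * WINDOW_SECONDS}
        if (claimed_id_s, auth["TS"]) in self.seen:
            raise ValueError("replayed authentication factor")
        if len(auth["ChS"]) != 16:           # check-value format check (S330)
            raise ValueError("malformed check value")
        self.seen[(claimed_id_s, auth["TS"])] = now
        return E(k_sc, {"TS": auth["TS"] + 1})   # S340


def run_handshake():
    """One full exchange, then a replay of the same (T_C, A); returns (auth_ok, replay_rejected)."""
    k_s, k_c = os.urandom(32), os.urandom(32)   # constructed pre-shared keys
    kdc = KDC({"DEV-0001": k_s, "SRV-0001": k_c})
    dev, srv = Collector("DEV-0001", k_s), BackgroundServer(k_c)
    t_c, a = dev.request(kdc, "SRV-0001")
    auth_ok = dev.finish(srv.authenticate("DEV-0001", t_c, a))
    try:
        srv.authenticate("DEV-0001", t_c, a)
        return auth_ok, False
    except ValueError:
        return auth_ok, True
```

The replay cache is what makes "seen for the first time" in S130 enforceable: the server has to remember the timestamps it has accepted for at least as long as the window, otherwise an authentication factor captured inside those 3 minutes can be presented again. The tickets are also authenticated here (the tag is checked before decryption), so a bit-flipped $T_C$ or $A$ is rejected rather than decrypted into garbage and compared.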
The application also provides a data encryption and decryption method for encrypted communication once the identity authentication method above has completed identity authentication and key distribution. The data encryption and decryption method comprises:
encryption and decryption of data messages from the intelligent station end-side acquisition device to the intelligent station background server; and
encryption and decryption of data messages from the intelligent station background server to the intelligent station end-side acquisition device.
In the above data encryption and decryption method,
the encryption and decryption of data messages from the acquisition device to the background server comprises the following steps:
S400, the source-encryption program on the acquisition device applies source encryption to the application-layer original data $SM_0$, computes the HMAC authentication code over the ciphertext and appends it, forming the ciphertext $SM_{e1}$;
the ciphertext $SM_{e1}$ is generated according to equation 4:
$SM_{e1} = E(EK_{s,c}, SM_0) \,\|\, \mathrm{HMAC}(MK_{s,c}, E(EK_{s,c}, SM_0))$ (equation 4);
S410, $SM_{e1}$ is then encrypted at the transport layer by TLS, and the resulting ciphertext $SM_{e2}$ is sent to the intermediate device;
the ciphertext $SM_{e2}$ is generated according to equation 5:
$SM_{e2} = E(EK_{s,md}, SM_{e1})$ (equation 5);
S420, after receiving $SM_{e2}$, the intermediate device decrypts it to $SM_{e1}$ with the TLS key $EK_{s,md}$ it negotiated with the acquisition device, then encrypts $SM_{e1}$ with the TLS key $EK_{c,md}$ it negotiated with the background server and sends the result to the background server (the page's symbol for this re-encrypted ciphertext was an image that did not survive extraction; it is written $SM'_{e2}$ here);
$SM_{e1}$ is recovered according to equation 6:
$SM_{e1} = D(EK_{s,md}, SM_{e2})$ (equation 6);
the re-encrypted ciphertext is generated according to equation 7:
$SM'_{e2} = E(EK_{c,md}, SM_{e1})$ (equation 7);
S430, after receiving $SM'_{e2}$, the encryption/decryption agent on the background server decrypts it to $SM_{e1}$ with its TLS key; if $SM_{e1}$ passes verification of the HMAC message authentication code, it is decrypted to the plaintext $SM_0$ with the source-encryption key; if verification fails, the message is discarded;
$SM_{e1}$ is recovered according to equation 8:
$SM_{e1} = D(EK_{c,md}, SM'_{e2})$ (equation 8);
the plaintext $SM_0$ is recovered according to equation 9:
$SM_0 = D(EK_{s,c}, SM_{e1})$ (equation 9).
In the data encryption and decryption method, the encryption and decryption of data messages from the background server to the acquisition device comprises the following steps:
S500, the encryption/decryption program on the background server applies source encryption to the application-layer original data $RM_0$, computes the HMAC authentication code over the ciphertext and appends it at the tail, forming the ciphertext $RM_{e1}$;
the ciphertext $RM_{e1}$ is generated according to equation 9 (the page numbers this equation 9 as well):
$RM_{e1} = E(EK_{s,c}, RM_0) \,\|\, \mathrm{HMAC}(MK_{s,c}, E(EK_{s,c}, RM_0))$ (equation 9);
S510, $RM_{e1}$ is then encrypted at the transport layer by TLS, and the resulting ciphertext $RM_{e2}$ is sent to the intermediate device; $RM_{e2}$ is generated according to equation 10:
$RM_{e2} = E(EK_{c,md}, RM_{e1})$ (equation 10);
S520, after receiving $RM_{e2}$, the intermediate device decrypts it to $RM_{e1}$ with the TLS key $EK_{c,md}$ it negotiated with the background server, then encrypts $RM_{e1}$ with the TLS key $EK_{s,md}$ it negotiated with the acquisition device and sends the result to the acquisition device (again the page's symbol was an image; it is written $RM'_{e2}$ here);
$RM_{e1}$ is recovered according to equation 11:
$RM_{e1} = D(EK_{c,md}, RM_{e2})$ (equation 11);
the re-encrypted ciphertext is generated according to equation 12:
$RM'_{e2} = E(EK_{s,md}, RM_{e1})$ (equation 12);
S530, after receiving $RM'_{e2}$, the encryption/decryption program on the acquisition device decrypts it to $RM_{e1}$ with its TLS key, verifies the HMAC as in S430, and then decrypts it to the plaintext $RM_0$ with the source-encryption key;
$RM_{e1}$ is recovered according to equation 13:
$RM_{e1} = D(EK_{s,md}, RM'_{e2})$ (equation 13);
$RM_0$ is recovered according to equation 14:
$RM_0 = D(EK_{s,c}, RM_{e1})$ (equation 14).
In the above data encryption and decryption method:
$MK_{x,y}$: the key between x and y used to compute the message authentication code;
$EK_{x,y}$: the symmetric encryption key between x and y;
$SM_0$: the original message (plaintext) sent by the station-side acquisition device;
$SM_{e1}$: $SM_0$ after source encryption (ciphertext);
$SM_{e2}$: $SM_{e1}$ after TLS encryption (ciphertext);
$RM_0$: the original message (plaintext) from the background server;
$RM_{e1}$: $RM_0$ after source encryption (ciphertext);
$RM_{e2}$: $RM_{e1}$ after TLS encryption (ciphertext).
In the above-mentioned data encryption and decryption method,
the intermediate device may be any one of gateway related devices in a 5G wireless open network, transmission devices of a user plane in a 5G core network, or an attacker initiating a man-in-the-middle attack.
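The two-layer scheme of equations 4 to 14 in the direction from the acquisition device to the background server, as an added example in Python that is not the patent's code (the return direction is the same with the roles swapped). The TLS hop is emulated with a toy HMAC-SHA256 counter-mode keystream under the per-hop keys $EK_{s,md}$ and $EK_{c,md}$, which is an assumption; a real deployment would use genuine TLS sessions. The telemetry sample is constructed, and the `tamper` flag makes the intermediate device behave as the man-in-the-middle the preceding paragraph allows for. It shows that the intermediate device, which holds both hop keys, recovers $SM_{e1}$ but never $SM_0$, and that a modified $SM_{e1}$ is discarded at S430 because the HMAC is checked before any decryption.

```python
import hashlib
import hmac
import os

TAG_LEN = 32
SM0 = b'{"station":"ZSQD-R01","ups_voltage":227.4,"room_temp_c":24.1}'  # constructed telemetry


# Stand-in for the patent's unspecified E(EK, m) / D(EK, c): an HMAC-SHA256 keystream
# in counter mode. Assumption for this example; toy only. It gives confidentiality
# without integrity, which is exactly why equation 4 appends a separate HMAC.
def _keystream_xor(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def enc(ek, m):                      # E(EK, m) -> nonce || (keystream XOR m)
    nonce = os.urandom(16)
    return nonce + _keystream_xor(ek, nonce, m)


def dec(ek, c):                      # D(EK, c)
    return _keystream_xor(ek, c[:16], c[16:])


def source_encrypt(ek_sc, mk_sc, sm0):                 # S400, equation 4 (encrypt-then-MAC)
    c = enc(ek_sc, sm0)
    return c + hmac.new(mk_sc, c, hashlib.sha256).digest()


def source_decrypt(ek_sc, mk_sc, sm_e1):               # S430, equation 9
    c, tag = sm_e1[:-TAG_LEN], sm_e1[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mk_sc, c, hashlib.sha256).digest()):
        return None                                    # HMAC failed: discard the message
    return dec(ek_sc, c)


# The TLS hop is emulated with the same toy cipher under the per-hop keys
# EK_{s,md} and EK_{c,md}; a real deployment would use genuine TLS sessions.
def intermediate(ek_s_md, ek_c_md, sm_e2, tamper=False):   # S420
    sm_e1 = dec(ek_s_md, sm_e2)                        # equation 6: the hop key exposes SM_e1
    if tamper:                                         # a MITM flipping one source-ciphertext bit
        buf = bytearray(sm_e1)
        buf[16] ^= 0x01
        sm_e1 = bytes(buf)
    return enc(ek_c_md, sm_e1), sm_e1                  # equation 7: re-wrapped for the next hop


def run(tamper=False):
    """Returns (message delivered to the server or None, whether the intermediate saw SM0)."""
    ek_sc, mk_sc = os.urandom(32), os.urandom(32)      # source keys EK_{s,c}, MK_{s,c}
    ek_s_md, ek_c_md = os.urandom(32), os.urandom(32)  # hop keys EK_{s,md}, EK_{c,md}
    sm_e1 = source_encrypt(ek_sc, mk_sc, SM0)          # equation 4
    sm_e2 = enc(ek_s_md, sm_e1)                        # equation 5
    sm_e2_next, seen_by_mid = intermediate(ek_s_md, ek_c_md, sm_e2, tamper)
    delivered = source_decrypt(ek_sc, mk_sc, dec(ek_c_md, sm_e2_next))   # equations 8 and 9
    return delivered, SM0 in seen_by_mid
```

The tamper case flips a bit in the source-layer ciphertext after the hop key has stripped the TLS layer, which is precisely the position an intermediate device occupies. One caveat a practitioner should note: equations 4 to 14 carry no per-message counter or timestamp, so any replay detection for the data channel has to come from the application payload $SM_0$ or $RM_0$ itself; the example does not add one.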
The invention aims to let the air traffic control intelligent station system operate over a high-speed, open 5G transmission link. The real-time data of the ATC equipment is encrypted at the application level at its source, giving it end-to-end confidentiality protection over the full link. Using cryptographic algorithms, the method also performs integrity verification and replay protection on the transmitted data, so that tampering or replay can be actively detected. Session key distribution and identity authentication are completed over an insecure channel, and with session encryption the communication data remains ciphertext throughout transmission and is not decrypted to plaintext until it reaches the destination application; after decryption, the result of the authentication mechanism shows whether the data was tampered with or replayed. This effectively improves the transmission security of ATC equipment data in the 5G network.
Drawings
Fig. 1 is a schematic diagram of authentication flow of a KDC key distribution center according to the present invention;
FIG. 2 is a schematic diagram illustrating a process of performing authentication and key distribution by an intelligent station side acquisition device according to the present invention;
FIG. 3 is a schematic diagram illustrating a process of identity authentication and key distribution by a background server of an intelligent station according to the present invention;
fig. 4 is a schematic diagram illustrating a data message encryption and decryption process between an intelligent station side acquisition device and an intelligent station background server according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
An identity authentication method of an air traffic control intelligent station is disclosed, as shown in FIG. 1.
The system comprises an intelligent station end-side acquisition device 1, an intelligent station background server 2 and a KDC key distribution center 3; before each communication between the acquisition device 1 and the background server 2, the two parties perform identity verification and key distribution through the KDC 3, and then carry out encrypted communication with the distributed key.
The identity authentication method uses a Key Distribution Center (KDC) to perform identity authentication and session key distribution for both communicating parties. The following symbols are used to describe the authentication process:
$ID_X$: the unique name of the intelligent station end-side acquisition device ($ID_S$) or of the intelligent station background server ($ID_C$);
$K_S$: the key pre-shared between the KDC and the acquisition device;
$K_C$: the key pre-shared between the KDC and the background server;
$T_S$: the ticket encrypted by the KDC under the key $K_S$;
$T_C$: the ticket encrypted by the KDC under the key $K_C$;
$K_{S,C}$: the session key for communication between the acquisition device and the background server.
Further, as shown in FIG. 1, the identity authentication method of the air traffic control intelligent station includes the following steps:
S100, the acquisition device sends its own unique serial number and the unique serial number of the background server to the KDC;
S110, after receiving the request, the KDC randomly generates a session key $K_{S,C}$, generates the tickets $T_C$ and $T_S$, and finally sends the ticket $T_S$ to the acquisition device;
the ticket $T_C$ is generated according to equation 1:
$T_C = E(K_C, (ID_S, K_{S,C}))$ (equation 1);
the ticket $T_S$ is generated according to equation 2:
$T_S = E(K_S, (ID_C, K_{S,C}, T_C))$ (equation 2);
S120, after receiving the ticket $T_S$, the acquisition device decrypts it with $K_S$ to obtain the session key $K_{S,C}$ and $T_C$, then encrypts the current timestamp $TS$ and the data checksum $ChS$ with the session key to produce the authentication factor $A$, and sends $A$ and $T_C$ together to the background server;
the authentication factor $A$ is generated according to equation 3:
$A = E(K_{S,C}, (TS, ChS))$ (equation 3);
S130, after receiving the ticket $T_C$ and the authentication factor $A$, the background server decrypts $T_C$ with $K_C$ to obtain the session key $K_{S,C}$, then decrypts $A$ with $K_{S,C}$ to obtain the timestamp $TS$ and the checksum $ChS$; if $TS$ lies within 3 minutes of the current time and is seen for the first time, it checks whether $ChS$ is correct, and if it passes proceeds to the next step;
S140, the background server increments the received timestamp $TS$ by 1, encrypts it with the session key $K_{S,C}$ and sends it to the acquisition device, completing bidirectional authentication.
In this identity authentication method, every packet exchanged during identity authentication and key distribution is encrypted with a pre-shared key held only by authorised network devices, so an unauthorised user cannot learn the communication content even if it captures all traffic of the process. The timestamp $TS$ is carried in the authentication factor $A$ that the acquisition device 1 sends to the background server 2; the background server 2 compares it with the current time when verifying, and the timestamp passes only when it appears for the first time, so an attacker cannot impersonate the acquisition device by replaying the authentication factor. After the background server 2 receives $A$, it first decrypts the timestamp $TS$ with the session key $K_{S,C}$, then separately encrypts the incremented $TS$ under $K_{S,C}$ and sends it back to the acquisition device 1, completing bidirectional authentication.
Further, as shown in fig. 2, in the identity authentication method of the air management intelligent station, the intelligent station end-side acquisition equipment performs identity verification and key distribution through the following steps:
S200, checking whether the KDC key distribution center address and the intelligent station background server address in the configuration information set by the administrator can be connected to; if a socket connection cannot be established, prompting that the configuration information is wrong and ending the overall flow, and if a normal connection can be made, continuing with the next step;
S210, connecting to the KDC key distribution center and sending it two pieces of content: the unique serial number identifier of the intelligent station end-side acquisition equipment, and the server serial number identifier consisting of the IP address and connection port number of the intelligent station background server;
S220, receiving the data sent by the KDC key distribution center and checking whether it is ticket information; if not, this indicates that the KDC key distribution center made an error when generating the tickets, so an error message is shown and the overall flow ends, and if the data is judged to be ticket information, performing the next step;
S230, decrypting the ticket for the current device in the received data with the pre-shared key to obtain the session key and identification information; if the identification information is inconsistent with the current network device, showing an error message and returning to step S210 to apply to the KDC for a ticket again, and if the identification information is correct, continuing with the next step;
S240, encrypting the current timestamp and a random check value with the session key to obtain the authentication factor, then connecting to the smart station background server and sending it the other ticket and the authentication factor;
and S250, checking the data returned by the intelligent station background server: returning to step S210 if it is an error message, otherwise decrypting the ciphertext data sent by the server with the session key; bidirectional identity authentication is complete if the plaintext is the timestamp value transmitted in step S230 incremented by 1, and if the authentication fails, returning to step S210 to perform identity authentication and key distribution again.
Further, as shown in fig. 3, in the identity authentication method of the air traffic control smart station, the smart station background server performs identity verification and key distribution through the following steps:
S300, starting the ticket receiving service and listening on a specific socket port;
S310, receiving a connection request from the network equipment, and receiving the ticket information and the authentication factor;
S320, decrypting the ticket information with the pre-shared key to obtain the session key and the network equipment identification information; if the identification information is inconsistent with the network equipment on which the current encryption agent runs, sending an error message to the switch end and preparing to receive a ticket again, and if the identification information is correct, continuing with the next step;
S330, decrypting the authentication factor with the session key to obtain the timestamp and the random number; if the timestamp is within 3 minutes either side of the current time and appears for the first time, checking whether the check value format is correct; if the timestamp does not pass, sending an error message to the SDN switch end, returning to step S310 and preparing to receive a ticket again, and if the timestamp passes, entering the next step;
and S340, separately encrypting the correct timestamp incremented by 1 with the session key, and sending the encrypted timestamp to the intelligent station end-side acquisition equipment to complete bidirectional identity authentication.
A data encryption and decryption method, as shown in fig. 4, for carrying out encrypted communication after identity authentication and key distribution according to the identity authentication method of the air management intelligent station, the data encryption and decryption method comprising:
encryption and decryption of data messages from the intelligent station end-side acquisition equipment to the intelligent station background server;
and encryption and decryption of data messages from the intelligent station background server to the intelligent station end-side acquisition equipment.
The method encrypts the communication data at its source, ensures that the data exists in ciphertext form during the whole communication process, and provides end-to-end data protection for both communication parties. Taking a 5G network with the TLS secure transmission mode enabled as an example, the symbols used to describe the encryption and decryption process are defined as follows:
MK_{x,y}: the key between x and y used to calculate the message authentication code;
EK_{x,y}: the symmetric encryption key between x and y;
SM_0: the original message (plaintext) sent by the station-side acquisition equipment;
SM_e1: the source-encrypted message (ciphertext) of SM_0;
SM_e2: the TLS-encrypted message (ciphertext) of SM_e1;
RM_0: the original message (plaintext) from the background server;
RM_e1: the source-encrypted message (ciphertext) of RM_0;
RM_e2: the TLS-encrypted message (ciphertext) of RM_e1.
Further, as shown in fig. 4, in the data encryption and decryption method, the encryption and decryption of data messages from the intelligent station end-side acquisition equipment to the intelligent station background server comprises the following steps:
S400, the source encryption program on the intelligent station end-side acquisition equipment source-encrypts the application layer original data SM_0 and appends the HMAC authentication code calculated over the ciphertext to form the ciphertext SM_e1;
generating the ciphertext SM_e1 according to equation 4:
SM_e1 = E(EK_{s,c}, SM_0) || HMAC(MK_{s,c}, E(EK_{s,c}, SM_0))    (equation 4);
S410, the ciphertext SM_e1 is then encrypted at the transport layer by TLS, and the resulting encrypted message SM_e2 is sent to the intermediate device;
generating the ciphertext SM_e2 according to equation 5:
SM_e2 = E(EK_{s,md}, SM_e1)    (equation 5);
S420, after receiving the ciphertext SM_e2, the intermediate device decrypts it to SM_e1 with the TLS key EK_{s,md} it negotiated with the smart station end-side acquisition device, then encrypts it with the TLS key EK_{c,md} it negotiated with the intelligent station background server into
[equation image not reproduced]
and sends the data to the intelligent station background server;
generating the ciphertext SM_e1 according to equation 6:
SM_e1 = D(EK_{s,md}, SM_e2)    (equation 6);
generating the ciphertext according to equation 7:
[equation image not reproduced]
S430, after the encryption and decryption agent receives the ciphertext
[equation image not reproduced]
it decrypts it into SM_e1 with its TLS key; if the message SM_e1 verifies successfully with the HMAC message authentication code, it is decrypted into the plaintext SM_0 with the source encryption key, and if the verification fails, the message is discarded;
generating the ciphertext SM_e1 according to equation 8:
[equation image not reproduced]
generating the plaintext SM_0 according to equation 9:
SM_0 = D(EK_{s,c}, SM_e1)    (equation 9).
Further, as shown in fig. 4, in the data encryption and decryption method, the encryption and decryption of data messages from the smart station background server to the smart station end-side acquisition device comprises the following steps:
S500, the encryption and decryption program on the intelligent station background server source-encrypts the application layer original data RM_0 and appends the HMAC authentication code calculated over the ciphertext to the tail to form the ciphertext RM_e1;
generating the ciphertext RM_e1 according to equation 9:
RM_e1 = E(EK_{s,c}, RM_0) || HMAC(MK_{s,c}, E(EK_{s,c}, RM_0))    (equation 9);
S510, RM_e1 is then TLS-encrypted at the transport layer, and finally the encrypted data RM_e2 is sent to the intermediate device;
generating the ciphertext RM_e2 according to equation 10:
RM_e2 = E(EK_{c,md}, RM_e1)    (equation 10);
S520, after receiving the ciphertext RM_e2, the intermediate device decrypts it to RM_e1 with the TLS key EK_{c,md} negotiated with the smart station background server, then encrypts RM_e1 with the TLS key EK_{s,md} negotiated with the smart station end-side acquisition device into
[equation image not reproduced]
and sends the data to the intelligent station end-side acquisition device;
generating the ciphertext RM_e1 according to equation 11:
RM_e1 = D(EK_{c,md}, RM_e2)    (equation 11);
generating the ciphertext according to equation 12:
[equation image not reproduced]
S530, after the encryption and decryption program on the intelligent station end-side acquisition equipment receives the ciphertext
[equation image not reproduced]
it decrypts it into RM_e1 with its TLS key, then decrypts that into the plaintext RM_0 with the source encryption key;
generating RM_e1 according to equation 13:
[equation image not reproduced]
generating RM_0 according to equation 14:
RM_0 = D(EK_{s,c}, RM_e1)    (equation 14).
Further, as shown in fig. 4, the intermediate device in the dashed box is a gateway related device in a 5G wireless open network or a transmission device of a user plane in a 5G core network or an attacker who initiates a man-in-the-middle attack.
As shown in fig. 4, because the messages SM_0 and RM_0 sent by the intelligent station end-side acquisition device or the intelligent station background server are source-encrypted before TLS encryption, they exist in ciphertext form throughout the communication between the intelligent station end-side acquisition device and the intelligent station background server. Even if an intermediate device or a man-in-the-middle attack is present, the intermediate device can only obtain the source-encrypted ciphertexts SM_e1 and RM_e1; because only the smart station end-side acquisition device and the smart station background server hold the encryption key EK_{s,c}, the intermediate device cannot recover the plaintext. And if an intermediate third party tampers with a communication message, the receiving end cannot pass the message authentication code verification when the message arrives, so it can detect the security problem on the link.
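The ticket exchange of steps S100 to S140 (random K_{S,C}, tickets T_C and T_S, the timestamp-bound authentication factor with its 3-minute window and first-occurrence check, the TS+1 reply) together with the encrypt-then-MAC source encryption of equations 4 and 9 and the HMAC check of step S430, as an added Python example that is not part of the patent. The cipher E()/D(), the JSON ticket layout, the identifiers and keys, the 32-hex-digit ChS format and the derivation of EK_{s,c} and MK_{s,c} from K_{S,C} are all assumptions made so the example runs offline.

```python
import hashlib
import hmac
import json
import os
import struct

# Toy cipher standing in for the patent's unspecified E()/D(): SHA-256 counter keystream
# XORed with the data under a fresh random nonce (assumption; a deployment would use AES).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
                    for i in range((n + 31) // 32))[:n]

def E(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def D(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def pack(obj) -> bytes:
    return json.dumps(obj).encode()
def unpack(data: bytes):
    return json.loads(data.decode())

# Constructed sample identifiers and pre-shared keys (ID_S, ID_C, K_S, K_C of the patent).
ID_S = "ACQ-DEV-0001"      # unique serial number of the acquisition device
ID_C = "10.0.0.5:9443"     # server identifier built from IP address and port
K_S = hashlib.sha256(b"psk-acq-dev-0001").digest()
K_C = hashlib.sha256(b"psk-bg-server-0001").digest()
WINDOW = 180               # seconds: TS must lie within 3 minutes of the server clock

def kdc_issue_tickets(psk: dict, id_s: str, id_c: str) -> bytes:
    """S110: T_C = E(K_C,(ID_S,K_{S,C})) (eq. 1); T_S = E(K_S,(ID_C,K_{S,C},T_C)) (eq. 2)."""
    k_sc = os.urandom(32).hex()
    t_c = E(psk[id_c], pack({"ID_S": id_s, "K_SC": k_sc}))
    return E(psk[id_s], pack({"ID_C": id_c, "K_SC": k_sc, "T_C": t_c.hex()}))

def device_open_ticket(t_s: bytes, now: int):
    """S120/S230/S240: open T_S with K_S, check ID_C, build A = E(K_{S,C},(TS,ChS)) (formula 3)."""
    tick = unpack(D(K_S, t_s))
    if tick["ID_C"] != ID_C:
        raise ValueError("ticket was issued for a different server")
    k_sc = bytes.fromhex(tick["K_SC"])
    chs = os.urandom(16).hex()                # random check value (modelling assumption)
    a = E(k_sc, pack({"TS": now, "ChS": chs}))
    return k_sc, bytes.fromhex(tick["T_C"]), a

def server_verify(seen: set, t_c: bytes, a: bytes, now: int):
    """S130/S140; `seen` is the replay cache implied by 'appears for the first time'."""
    try:
        k_sc = bytes.fromhex(unpack(D(K_C, t_c))["K_SC"])
        fac = unpack(D(k_sc, a))
        ts, chs = fac["TS"], fac["ChS"]
    except (ValueError, UnicodeDecodeError, KeyError, TypeError):
        return None                           # not encrypted under K_C / K_{S,C}
    if not isinstance(ts, int) or abs(now - ts) > WINDOW or ts in seen:
        return None                           # stale or replayed authentication factor
    if not (isinstance(chs, str) and len(chs) == 32):
        return None                           # S330: check value format (assumption)
    seen.add(ts)
    return k_sc, E(k_sc, pack(ts + 1))        # S140: TS + 1 under the session key

def device_confirm(k_sc: bytes, reply: bytes, sent_ts: int) -> bool:
    """S250: the reply must decrypt to the timestamp the device sent, plus 1."""
    return unpack(D(k_sc, reply)) == sent_ts + 1

def derive_source_keys(k_sc: bytes):
    """EK_{s,c}, MK_{s,c}: the patent does not tie them to K_{S,C}; this split is an assumption."""
    return (hmac.new(k_sc, b"EK", hashlib.sha256).digest(),
            hmac.new(k_sc, b"MK", hashlib.sha256).digest())

def source_encrypt(ek: bytes, mk: bytes, m0: bytes) -> bytes:
    """Equations 4/9: E(EK, M_0) || HMAC(MK, E(EK, M_0)), i.e. encrypt-then-MAC."""
    c = E(ek, m0)
    return c + hmac.new(mk, c, hashlib.sha256).digest()

def source_decrypt(ek: bytes, mk: bytes, m_e1: bytes):
    """S430: verify the HMAC before decrypting; on failure the message is discarded."""
    c, tag = m_e1[:-32], m_e1[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, c, hashlib.sha256).digest()):
        return None
    return D(ek, c)

def run_demo(now: int = 1_700_000_000) -> dict:
    """Ticket issue, mutual authentication, a replayed factor, one message, a tampered copy."""
    seen = set()
    t_s = kdc_issue_tickets({ID_S: K_S, ID_C: K_C}, ID_S, ID_C)
    k_sc, t_c, a = device_open_ticket(t_s, now)
    k_sc_srv, reply = server_verify(seen, t_c, a, now + 5)
    ek, mk = derive_source_keys(k_sc)
    sm_e1 = source_encrypt(ek, mk, b"ATC sensor reading 42")
    tampered = sm_e1[:20] + bytes([sm_e1[20] ^ 0x01]) + sm_e1[21:]   # one bit flipped in transit
    return {
        "mutual_ok": device_confirm(k_sc, reply, now) and k_sc_srv == k_sc,
        "replay_rejected": server_verify(seen, t_c, a, now + 10) is None,
        "plaintext": source_decrypt(ek, mk, sm_e1),
        "tampered_dropped": source_decrypt(ek, mk, tampered) is None,
    }
```

Note that the intermediate device of step S420 never appears in the code: it only sees SM_e1, which it cannot open without EK_{s,c}, and any change it makes is caught by the HMAC check in `source_decrypt`.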
The present invention is described above by way of example with reference to the accompanying drawings, and it is to be understood that the specific implementations of the present invention are not limited to the above-described embodiments. Those skilled in the art can make various modifications or alterations to the present invention without departing from the technical idea of the present invention, and such modifications or alterations also fall within the protective scope of the present invention.

Claims (10)

1. An identity authentication method of an air traffic control intelligent station is characterized in that:
the intelligent station comprises an intelligent station end side acquisition device (1), an intelligent station background server (2) and a KDC secret key distribution center (3);
before each communication between the intelligent station side acquisition equipment (1) and the intelligent station background server (2), both communication parties carry out identity authentication and key distribution through a KDC key distribution center (3).
2. The identity authentication method of the air management intelligent station as claimed in claim 1, wherein: the method comprises the following steps:
s100, the intelligent station side acquisition equipment sends the unique serial number of the equipment and the unique serial number of an intelligent station background server to a KDC secret key distribution center;
S110, after receiving the request, the KDC key distribution center randomly generates a session key K_{S,C}, then generates the tickets T_C and T_S respectively, and finally sends the ticket T_S to the intelligent station side acquisition equipment;
generating the ticket T_C according to equation 1:
T_C = E(K_C, (ID_S, K_{S,C}))    (equation 1);
generating the ticket T_S according to equation 2:
T_S = E(K_S, (ID_C, K_{S,C}, T_C))    (equation 2);
S120, after receiving the ticket T_S, the intelligent station side collecting equipment decrypts it with K_S to obtain the session key K_{S,C} and T_C, then encrypts the current time stamp TS and the data checksum ChS with the session key to generate the authentication factor A, and sends the authentication factor A and T_C to the intelligent station background server;
generating the authentication factor A according to formula 3:
A = E(K_{S,C}, (TS, ChS))    (formula 3);
S130, after receiving the ticket T_C and the authentication factor A, the intelligent station background server decrypts T_C with K_C to obtain the session key K_{S,C}, then decrypts the authentication factor A with K_{S,C} to obtain the time stamp TS and the data checksum ChS; if the time stamp TS is within 3 minutes of the current time and is the first occurrence, it checks whether the data checksum ChS is correct, and if so, enters the next step;
S140, the smart station background server increases the received time stamp TS by 1, encrypts it with the session key K_{S,C}, and sends it to the intelligent station side acquisition equipment to complete bidirectional authentication.
3. The identity authentication method of the air management intelligent station according to claim 2, wherein:
ID_X: the unique name of the intelligent station side acquisition equipment or of the intelligent station background server, respectively;
K_S: the key pre-shared between the KDC key distribution center and the intelligent station end-side acquisition equipment;
K_C: the key pre-shared between the KDC key distribution center and the intelligent station background server;
T_S: the ticket information encrypted by the KDC key distribution center with the key K_S;
T_C: the ticket information encrypted by the KDC key distribution center with the key K_C;
K_{S,C}: the session key for communication between the intelligent station end-side acquisition equipment and the intelligent station background server.
4. The identity authentication method of the air-management intelligent station as claimed in claim 3, wherein:
the intelligent station end-side acquisition equipment performs identity verification and key distribution, and comprises the following steps:
S200, checking whether the KDC key distribution center address and the intelligent station background server address in the configuration information set by the administrator can be connected to; if a socket connection cannot be established, prompting that the configuration information is wrong and ending the overall flow, and if a normal connection can be made, continuing with the next step;
S210, connecting to the KDC key distribution center and sending it two pieces of content: the unique serial number identifier of the intelligent station end-side acquisition equipment, and the server serial number identifier consisting of the IP address and connection port number of the intelligent station background server;
S220, receiving the data sent by the KDC key distribution center and checking whether it is ticket information; if not, this indicates that an error occurred when the KDC key distribution center generated the ticket, so an error message is shown and the overall flow ends, and if the data is judged to be ticket information, performing the next step;
S230, decrypting the ticket for the current device in the received data with the pre-shared key to obtain the session key and identification information; if the identification information is inconsistent with the current network device, showing an error message and returning to step S210 to apply to the KDC for a ticket again, and if the identification information is correct, continuing with the next step;
S240, encrypting the current timestamp and a random check value with the session key to obtain the authentication factor, then connecting to the smart station background server and sending it the other ticket and the authentication factor;
and S250, checking the data returned by the intelligent station background server: returning to step S210 if it is an error message, otherwise decrypting the ciphertext data sent by the server with the session key; bidirectional identity authentication is complete if the plaintext is the timestamp value transmitted in step S230 incremented by 1, and if the authentication fails, returning to step S210 to perform identity authentication and key distribution again.
5. The identity authentication method of the air management intelligent station as claimed in claim 4, wherein:
the intelligent station background server performs identity authentication and key distribution, and comprises the following steps:
S300, starting the ticket receiving service and listening on a specific socket port;
S310, receiving a connection request from the network equipment, and receiving the ticket information and the authentication factor;
S320, decrypting the ticket information with the pre-shared key to obtain the session key and the network equipment identification information; if the identification information is inconsistent with the network equipment on which the current encryption agent runs, sending an error message to the switch end and preparing to receive a ticket again, and if the identification information is correct, continuing with the next step;
S330, decrypting the authentication factor with the session key to obtain the timestamp and the random number; if the timestamp is within 3 minutes of the current time and appears for the first time, checking whether the check value format is correct; if the timestamp does not pass, sending an error message to the SDN switch end, returning to step S310 and preparing to receive a ticket again, and if the timestamp passes, entering the next step;
and S340, separately encrypting the correct timestamp incremented by 1 with the session key, and sending the encrypted timestamp to the intelligent station end-side acquisition equipment to complete bidirectional identity authentication.
6. A data encryption and decryption method, characterized in that: the data encryption and decryption method is used for carrying out encrypted communication after identity authentication and key distribution according to the identity authentication method of the air management intelligent station as claimed in any one of claims 1 to 5, and comprises:
encryption and decryption of data messages from the intelligent station end-side acquisition equipment to the intelligent station background server;
and encryption and decryption of data messages from the intelligent station background server to the intelligent station end-side acquisition equipment.
7. The data encryption and decryption method according to claim 6, wherein:
the data message encryption and decryption from the intelligent station end side acquisition equipment to the intelligent station background server comprises the following steps:
S400, the source encryption program on the intelligent station end-side acquisition equipment source-encrypts the application layer original data SM_0 and appends the HMAC authentication code calculated over the ciphertext to form the ciphertext SM_e1;
generating the ciphertext SM_e1 according to equation 4:
SM_e1 = E(EK_{s,c}, SM_0) || HMAC(MK_{s,c}, E(EK_{s,c}, SM_0))    (equation 4);
S410, the ciphertext SM_e1 is then encrypted at the transport layer by TLS, and the resulting ciphertext SM_e2 is sent to the intermediate device;
generating the ciphertext SM_e2 according to equation 5:
SM_e2 = E(EK_{s,md}, SM_e1)    (equation 5);
S420, after receiving the ciphertext SM_e2, the intermediate device decrypts it to SM_e1 with the TLS key EK_{s,md} it negotiated with the smart station end-side acquisition device, then encrypts it with the TLS key EK_{c,md} it negotiated with the intelligent station background server into
[equation image not reproduced]
and sends the data to the intelligent station background server;
generating the ciphertext SM_e1 according to equation 6:
SM_e1 = D(EK_{s,md}, SM_e2)    (equation 6);
generating the ciphertext according to equation 7:
[equation image not reproduced]
S430, after the encryption and decryption agent receives the ciphertext
[equation image not reproduced]
it decrypts it into SM_e1 with its TLS key; if the message SM_e1 verifies successfully with the HMAC message authentication code, it is decrypted into the plaintext SM_0 with the source encryption key, and if the verification fails, the message is discarded;
generating the ciphertext SM_e1 according to equation 8:
[equation image not reproduced]
generating the plaintext SM_0 according to equation 9:
SM_0 = D(EK_{s,c}, SM_e1)    (equation 9).
8. The data encryption and decryption method according to claim 7, wherein:
the data message encryption and decryption from the smart station background server to the smart station end-side acquisition device comprises the following steps:
S500, the encryption and decryption program on the intelligent station background server source-encrypts the application layer original data RM_0 and appends the HMAC authentication code calculated over the ciphertext to the tail to form the ciphertext RM_e1;
generating the ciphertext RM_e1 according to equation 9:
RM_e1 = E(EK_{s,c}, RM_0) || HMAC(MK_{s,c}, E(EK_{s,c}, RM_0))    (equation 9);
S510, RM_e1 is then TLS-encrypted at the transport layer, and finally the encrypted data RM_e2 is sent to the intermediate device;
generating the ciphertext RM_e2 according to equation 10:
RM_e2 = E(EK_{c,md}, RM_e1)    (equation 10);
S520, after receiving the ciphertext RM_e2, the intermediate device decrypts it to RM_e1 with the TLS key EK_{c,md} negotiated with the smart station background server, then encrypts RM_e1 with the TLS key EK_{s,md} negotiated with the smart station end-side acquisition device into
[equation image not reproduced]
and sends the data to the intelligent station end-side acquisition device;
generating the ciphertext RM_e1 according to equation 11:
RM_e1 = D(EK_{c,md}, RM_e2)    (equation 11);
generating the ciphertext according to equation 12:
[equation image not reproduced]
S530, after the encryption and decryption program on the intelligent station end-side acquisition equipment receives the ciphertext
[equation image not reproduced]
it decrypts it into RM_e1 with its TLS key, then decrypts that into the plaintext RM_0 with the source encryption key;
generating RM_e1 according to equation 13:
[equation image not reproduced]
generating RM_0 according to equation 14:
RM_0 = D(EK_{s,c}, RM_e1)    (equation 14).
9. The data encryption and decryption method according to claim 8, wherein:
MK_{x,y}: the key between x and y used to calculate the message authentication code;
EK_{x,y}: the symmetric encryption key between x and y;
SM_0: the original message (plaintext) sent by the station-side acquisition equipment;
SM_e1: the source-encrypted message (ciphertext) of SM_0;
SM_e2: the TLS-encrypted message (ciphertext) of SM_e1;
RM_0: the original message (plaintext) from the background server;
RM_e1: the source-encrypted message (ciphertext) of RM_0;
RM_e2: the TLS-encrypted message (ciphertext) of RM_e1.
10. The data encryption and decryption method according to claim 9, wherein:
the intermediate device may be any one of gateway related devices in a 5G wireless open network, transmission devices of a user plane in a 5G core network, or an attacker initiating a man-in-the-middle attack.
CN202210129639.4A 2022-02-11 2022-02-11 Identity authentication method and data encryption and decryption method for air traffic control intelligent station Active CN114513781B (en)

Publications (2)

Publication Number Publication Date
CN114513781A true CN114513781A (en) 2022-05-17
CN114513781B CN114513781B (en) 2024-08-06

Family

ID=81552510

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210129639.4A Active CN114513781B (en) 2022-02-11 2022-02-11 Identity authentication method and data encryption and decryption method for air traffic control intelligent station

Country Status (1)

Country Link
CN (1) CN114513781B (en)

Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040162980A1 (en) * 2001-05-23 2004-08-19 Laurent Lesenne Security devices and processes for protecting and identifying messages
US6978021B1 (en) * 2000-09-18 2005-12-20 Navteq North America, Llc Encryption method for distribution of data
CN101005359A (en) * 2006-01-18 2007-07-25 华为技术有限公司 Method and device for realizing safety communication between terminal devices
US20080072303A1 (en) * 2006-09-14 2008-03-20 Schlumberger Technology Corporation Method and system for one time password based authentication and integrated remote access
CN101420687A (en) * 2007-10-24 2009-04-29 中兴通讯股份有限公司 Identity verification method based on mobile terminal payment
US20110246765A1 (en) * 2010-04-02 2011-10-06 Suridx, Inc Efficient, Secure, Cloud-Based Identity Services
US20120177198A1 (en) * 2010-04-12 2012-07-12 Flight Focus Pte. Ltd Secure aircraft data channel communication for aircraft operations
CN103780618A (en) * 2014-01-22 2014-05-07 西南交通大学 Method for cross-isomerism domain identity authentication and session key negotiation based on access authorization ticket
US20170026676A1 (en) * 2015-07-23 2017-01-26 Panasonic Avionics Corporation Transfer of consumable data to vehicles
CN107317674A (en) * 2016-04-27 2017-11-03 华为技术有限公司 Key distribution, authentication method, apparatus and system
CN109728901A (en) * 2017-10-31 2019-05-07 中国电信股份有限公司 Digital signature authentication method, device and system
CN109787761A (en) * 2019-02-20 2019-05-21 金陵科技学院 A kind of equipment certification and key distribution system and method based on physics unclonable function
CN109842442A (en) * 2017-11-26 2019-06-04 成都零光量子科技有限公司 It is a kind of using airport as the quantum key service network and method of regional center
CN110690959A (en) * 2019-08-26 2020-01-14 西安电子科技大学 Unmanned aerial vehicle safety certifiable information communication processing method based on cloud platform
CN110808829A (en) * 2019-09-27 2020-02-18 国电南瑞科技股份有限公司 SSH authentication method based on key distribution center
CN111738480A (en) * 2019-03-21 2020-10-02 塔莱斯公司 Distributed ledger for managing the lifecycle of data over the air
CN113037477A (en) * 2021-03-08 2021-06-25 北京工业大学 Kerberos security enhancement method based on Intel SGX
CN113612600A (en) * 2021-06-30 2021-11-05 中国航空工业集团公司西安航空计算技术研究所 High-efficiency airborne electronic publishing method
CN113727296A (en) * 2021-07-29 2021-11-30 杭州师范大学 Anonymous privacy protection authentication protocol method based on wireless sensor system in intelligent medical treatment
US20220030473A1 (en) * 2020-07-27 2022-01-27 Southwest Jiaotong University Method for batch handover authentication and key agreement oriented to heterogeneous network

Patent Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6978021B1 (en) * 2000-09-18 2005-12-20 Navteq North America, Llc Encryption method for distribution of data
US20040162980A1 (en) * 2001-05-23 2004-08-19 Laurent Lesenne Security devices and processes for protecting and identifying messages
CN101005359A (en) * 2006-01-18 2007-07-25 华为技术有限公司 Method and device for realizing safety communication between terminal devices
US20080072303A1 (en) * 2006-09-14 2008-03-20 Schlumberger Technology Corporation Method and system for one time password based authentication and integrated remote access
CN101420687A (en) * 2007-10-24 2009-04-29 中兴通讯股份有限公司 Identity verification method based on mobile terminal payment
US20110246765A1 (en) * 2010-04-02 2011-10-06 Suridx, Inc Efficient, Secure, Cloud-Based Identity Services
US20120177198A1 (en) * 2010-04-12 2012-07-12 Flight Focus Pte. Ltd Secure aircraft data channel communication for aircraft operations
CN103780618A (en) * 2014-01-22 2014-05-07 西南交通大学 Method for cross-isomerism domain identity authentication and session key negotiation based on access authorization ticket
US20170026676A1 (en) * 2015-07-23 2017-01-26 Panasonic Avionics Corporation Transfer of consumable data to vehicles
CN107317674A (en) * 2016-04-27 2017-11-03 华为技术有限公司 Key distribution, authentication method, apparatus and system
CN109728901A (en) * 2017-10-31 2019-05-07 中国电信股份有限公司 Digital signature authentication method, device and system
CN109842442A (en) * 2017-11-26 2019-06-04 成都零光量子科技有限公司 It is a kind of using airport as the quantum key service network and method of regional center
CN109787761A (en) * 2019-02-20 2019-05-21 金陵科技学院 A kind of equipment certification and key distribution system and method based on physics unclonable function
CN111738480A (en) * 2019-03-21 2020-10-02 塔莱斯公司 Distributed ledger for managing the lifecycle of data over the air
CN110690959A (en) * 2019-08-26 2020-01-14 西安电子科技大学 Unmanned aerial vehicle safety certifiable information communication processing method based on cloud platform
CN110808829A (en) * 2019-09-27 2020-02-18 国电南瑞科技股份有限公司 SSH authentication method based on key distribution center
US20220030473A1 (en) * 2020-07-27 2022-01-27 Southwest Jiaotong University Method for batch handover authentication and key agreement oriented to heterogeneous network
CN113037477A (en) * 2021-03-08 2021-06-25 北京工业大学 Kerberos security enhancement method based on Intel SGX
CN113612600A (en) * 2021-06-30 2021-11-05 中国航空工业集团公司西安航空计算技术研究所 High-efficiency airborne electronic publishing method
CN113727296A (en) * 2021-07-29 2021-11-30 杭州师范大学 Anonymous privacy protection authentication protocol method based on wireless sensor system in intelligent medical treatment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
刘嘉勇, 周安民, 方勇: "一种基于智能卡的会话密钥交换和认证方案", 电讯技术, no. 01, 28 February 2003 (2003-02-28), pages 121 - 124 *
杨力;马建峰;: "可信的智能卡口令双向认证方案", 电子科技大学学报, no. 01, 30 January 2011 (2011-01-30), pages 130 - 13 *
王超;刘黎明;: "基于ECC点乘的多因子远程身份验证协议", 计算机工程与设计, no. 11, 16 November 2018 (2018-11-16), pages 76 - 81 *

Also Published As

Publication number Publication date
CN114513781B (en) 2024-08-06

Similar Documents

Publication Publication Date Title
CN110069918B (en) Efficient double-factor cross-domain authentication method based on block chain technology
CN110996318A (en) Safety communication access system of intelligent inspection robot of transformer substation
EP2437531B1 (en) Security service control method and wireless local area network terminal
CN110999223A (en) Secure encrypted heartbeat protocol
CN113824705B (en) Safety reinforcement method for Modbus TCP (transmission control protocol)
CN111988328A (en) Safety guarantee method and system for acquiring terminal data of power generation unit of new energy plant station
CN110022320A (en) A communication partner method and communication device
CN105323754A (en) Distributed authentication method based on pre-shared key
CN115051813B (en) New energy platform control instruction protection method and system
CN110430571A (en) A face recognition device and implementation method based on a 5G framework
CN111147257A (en) Identity authentication and information confidentiality method, monitoring center and remote terminal unit
CN111416712B (en) Quantum secret communication identity authentication system and method based on multiple mobile devices
CN114422205A (en) Method for establishing data tunnel of network layer of CPU chip special for electric power
CN101527708B (en) Method and device for restoring connection
KR102190618B1 (en) Apparatus and method for securing train control message
Bansal et al. Lightweight authentication protocol for inter base station communication in heterogeneous networks
CN115835194B (en) NB-IOT terminal safety access system and access method
CN103986716A (en) Establishing method for SSL connection and communication method and device based on SSL connection
CN114513781B (en) Identity authentication method and data encryption and decryption method for air traffic control intelligent station
CN114928503A (en) Method for realizing secure channel and data transmission method
CN109474667A (en) A UAV communication method based on TCP and UDP
CN114386020A (en) Quick secondary identity authentication method and system based on quantum security
CN113347004A (en) Encryption method for power industry
CN102143174A (en) Method and system for implementing remote control between Intranet and Internet host computers
CN115801248B (en) Safety reinforcement method for secondary system of intelligent substation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant