CN114760060A - Service scheduling method for edge computing - Google Patents


Info

Publication number: CN114760060A
Authority: CN (China)
Prior art keywords: service, user equipment, edge, service node, authority
Legal status: Granted (active)
Application number: CN202210670997.6A
Other languages: Chinese (zh)
Other versions: CN114760060B (en)
Inventors: 张文昊, 聂世元, 叶颖哲, 张康崇, 鲍其炜, 张福明, 王海燕, 黄飞奕
Current assignee: Hangzhou Tian Ship Information Technology Ltd By Share Ltd
Original assignee: Hangzhou Tian Ship Information Technology Ltd By Share Ltd

Classifications

    • H04L9/3066 Public key cryptography (encryption algorithm computationally infeasible to invert, or user's encryption keys not requiring secrecy) involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L63/0869 Network architectures or network communication protocols for network security, for authentication of entities, for achieving mutual authentication
    • H04L63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L67/10 Network arrangements or protocols for supporting network services or applications: protocols in which an application is distributed across nodes in the network
    • H04L9/3247 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Algebra (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A service scheduling method for edge computing belongs to the technical field of data transmission and comprises the following steps: step S1, initial stage: the authentication server sets and discloses an elliptic curve, a base point, an order, a first public key and a hash function; the edge service node establishes a service sequence and a service scheduling sequence; step S2, registration phase; step S3, verification stage: the user equipment and the edge service node associated with the service mutually verify whether they are legal identities and establish a public shared key; step S4, service scheduling: the user equipment applies for service from the edge service node, obtains the service sequence and the service scheduling sequence, calculates and encrypts a service authority value and a service scheduling authority value according to its requirements, and transmits them to the edge service node for use of the service; after decryption, the edge service node provides service according to the service authority and the service scheduling authority. In this scheme the user equipment has the right to schedule services according to its requirements, so the scope of authority in use can be changed and the elasticity of service use is effectively increased.

Description

Service scheduling method for edge computing
Technical Field
The invention belongs to the technical field of data transmission, and particularly relates to a service scheduling method for edge computing.
Background
Edge computing is a basic concept for delivering software as a service; its common spirit is to serve the computing needs of user devices through a network service. For example, a provider of edge computing services may offer general business applications online, which are accessed via a web browser while the software and data are stored on a server. Generally, the architecture of edge computing includes services delivered through data centers built on computers and virtualized storage technologies. Any client with computing requirements can log in once over the network and then use the service from any corner of the world.
On the one hand, edge computing has elasticity requirements for service scheduling. Since most edge computing service schedules are managed by the service provider, when a service needs to be scheduled, for example when a service or a right is changed, the user equipment still needs to re-apply or re-authenticate.
On the other hand, edge computing has security requirements for service scheduling. Because of the edge computing architecture, a hacker can directly intrude into a back-end server or database by controlling a remote zombie computer, steal data and authority for illegal purposes, or use blocking-type services to interrupt the service directly.
Chinese patent publication No. CN109508552A discloses a privacy protection method for a distributed cloud storage system, which combines distributed storage technology with blockchain technology: while implementing safe and effective distributed cloud storage, the file ownership handling process is treated as a blockchain transaction, which further implements privacy protection in distributed storage. That scheme is suited to file storage; if its encryption method were applied to services in edge computing, on the one hand it lacks dynamic adjustability, so the user equipment cannot easily schedule and adjust services, and on the other hand its encryption process is too complex, which reduces the execution efficiency of the system.
Disclosure of Invention
In view of the foregoing shortcomings of the prior art, an object of the present invention is to provide a service scheduling method for edge computing.
In order to achieve the above object, the present invention adopts the following technical solutions.
A service scheduling method for edge computing comprises the following steps:
step S1, initial stage: the authentication server sets and discloses an elliptic curve $E(F_q)$, a base point $G$, an order $n$, a first public key $PK_{AS}$ and a hash function $h()$; the edge service node establishes a service sequence $A$ and a service scheduling sequence $B$;
step S2, registration phase: the edge service node registers with the authentication server and obtains the edge service node second public key $PK_S$ and the edge service node signature $W_S$; the user equipment registers with the authentication server and obtains the user equipment second public key $PK_A$ and the user equipment signature $W_A$;
step S3, verification stage: the user equipment and the edge service node associated with the service mutually verify whether they are legal identities and establish a public shared key;
step S4, service scheduling: the user equipment applies for service from the edge service node, obtains the service sequence $A$ and the service scheduling sequence $B$, calculates and encrypts a service authority value $A'f$ and a service scheduling authority value $A't$ according to its requirements, and transmits them to the edge service node for use of the service; after decryption, the edge service node provides the service according to the service authority $t_{UA}$ and the service scheduling authority $t_{UA}^*$.
Further, step S1 includes:
step S111, the authentication server selects an elliptic curve $E(F_q)$ over the finite field $F_q$, where $q$ is a large prime of 160 bits or more, and selects on $E(F_q)$ a base point $G$ of order $n$, so that $nG = O$, where $O$ is the point at infinity of the elliptic curve;
step S112, the authentication server selects a one-way collision-free hash function $h()$ and a first private key $sk_{AS}$, and calculates the first public key $PK_{AS}$, i.e. $PK_{AS} = sk_{AS}\, G$.
Further, in step S1, the edge service node establishes the service sequence $A$ and the service scheduling sequence $B$ by the following steps:
step S121, randomly select an $n$-dimensional vector $U = (u_1, u_2, \ldots, u_i, \ldots, u_n)$, where all $u_i$ are positive integers, $i = 1, \ldots, n$;
calculate the vector $V = (v_1, v_2, \ldots, v_i, \ldots, v_n)$, where $v_i = u_i - 2^{n-i}$, $i = 1, \ldots, n$;
randomly select two primes $g_n$ and $f_n$ with $q > 4 g_n f_n + 1$ and satisfying:
[formula images not reproduced on the page; the detailed description states the conditions as $g_n$ greater than the sum of the entries of $U$ and $f_n$ greater than twice the maximum absolute value of the entries of $V$]
solve the service sequence with the Chinese remainder theorem: $A = (a_1, a_2, \ldots, a_i, \ldots, a_n)$, $0 \le a_i \le g_n f_n - 1$; $a_i \equiv u_i \pmod{g_n}$, $a_i \equiv v_i \pmod{f_n}$, $i = 1, \ldots, n$; $a_i$ is the sequence value of the $i$-th service;
service authority: $t_A = (t_1, t_2, \ldots, t_i, \ldots, t_n)$, $t_i \in \{0, 1\}$, $i = 1, \ldots, n$; 0 indicates that the user equipment is not allowed to use the service, and 1 indicates that it is allowed to use the service;
calculate the service authority value:
[formula image not reproduced on the page]
step S122, randomly select an $m$-dimensional vector $U^* = (u_1^*, u_2^*, \ldots, u_i^*, \ldots, u_m^*)$, where all $u_i^*$ are positive integers, $i = 1, \ldots, m$;
calculate the vector $V^* = (v_1^*, v_2^*, \ldots, v_i^*, \ldots, v_m^*)$, where $v_i^* = u_i^* - 2^{m-i}$, $i = 1, \ldots, m$;
randomly select two primes $g_m$ and $f_m$ with $q > 4 g_m f_m + 1$ and satisfying:
[formula images not reproduced on the page; the detailed description states the conditions as $g_m$ greater than the sum of the entries of $U^*$ and $f_m$ greater than twice the maximum absolute value of the entries of $V^*$]
compute the service scheduling sequence with the Chinese remainder theorem: $B = (b_1, b_2, \ldots, b_i, \ldots, b_m)$, $0 \le b_i \le g_m f_m - 1$; $b_i \equiv u_i^* \pmod{g_m}$, $b_i \equiv v_i^* \pmod{f_m}$, $i = 1, \ldots, m$;
service scheduling authority: $t_B = (t_1, t_2, \ldots, t_i, \ldots, t_m)$, $t_i \in \{0, 1\}$, $i = 1, \ldots, m$; 0 indicates that the user equipment is not allowed to use the service scheduling, and 1 indicates that it is allowed to use the service scheduling;
calculate the service scheduling authority value:
[formula image not reproduced on the page]
Further, step S2 includes:
step S211, the edge service node uses its own edge service node identity $ID_S$ and edge service node random parameter $d_S$ to calculate the edge service node signature file $V_S$, i.e. $V_S = h(d_S \| ID_S)\, G$, and transmits the edge service node identity $ID_S$ and the edge service node signature file $V_S$ to the authentication server, where $d_S \in [2, n-2]$ and $n$ is the number of edge service nodes;
step S212, the authentication server selects a random parameter $k_S \in [2, n-2]$, computes the edge service node second public key $PK_S$ and the edge service node signature $W_S$, and transmits them to the edge service node, where $n$ is the number of edge service nodes;
$PK_S = V_S + (k_S - h(ID_S))\, G = (q_{sx}, q_{sy})$; where $q_{sx}$ is the first factor of $PK_S$ and $q_{sy}$ is the second factor of $PK_S$;
$W_S = k_S + sk_{AS}\,(q_{sx} + h(ID_S))$;
step S213, the edge service node calculates the edge service node second private key $sk_S$, namely $sk_S = [W_S + h(d_S \| ID_S)]$; it verifies the edge service node second public key $PK_S$ with the edge service node signature $W_S$, and calculates the edge service node first verification value $S_S$, i.e. $S_S = sk_S\, G$.
Further, step S2 includes: step S221, the user equipment uses its own user equipment identity $ID_A$ and user equipment random parameter $d_A$ to calculate the user equipment signature file $V_A$, i.e. $V_A = h(d_A \| ID_A)\, G$, and transmits the user equipment identity $ID_A$ and the user equipment signature file $V_A$ to the authentication server, where $d_A \in [2, n-2]$ and $n$ is the number of user equipments;
step S222, the authentication server selects a random parameter $k_A \in [2, n-2]$, computes the user equipment second public key $PK_A$ and the user equipment signature $W_A$, and transmits them to the user equipment:
$PK_A = V_A + (k_A - h(ID_A))\, G = (q_{ax}, q_{ay})$; where $q_{ax}$ is the first factor of the user equipment second public key $PK_A$ and $q_{ay}$ is the second factor of the user equipment second public key $PK_A$;
$W_A = k_A + sk_{AS}\,(q_{ax} + h(ID_A))$;
step S223, the user equipment, from the user equipment second public key $PK_A$ and the user equipment signature $W_A$ returned by the authentication server, computes the user equipment second private key $sk_A$, namely $sk_A = [W_A + h(d_A \| ID_A)]$; it verifies the user equipment second public key $PK_A$ with the user equipment signature $W_A$, and calculates the user equipment first verification value $S_A$, i.e. $S_A = sk_A\, G$.
Further, step S3 includes: step S31, the user equipment transmits to the edge service node the user equipment identity $ID_A$, the user equipment second public key $PK_A$ and the user equipment first verification value $S_A$;
step S32, the edge service node calculates the user equipment second verification value $S_A'$:
$S_A' = PK_A + h(ID_A)\, G + [(q_{ax} + h(ID_A))]\, PK_{AS}$;
and judges whether the user equipment second verification value equals the user equipment first verification value, namely
$S_A' \stackrel{?}{=} S_A$:
if they are the same, the user equipment passes verification as a legal user equipment, and the edge service node establishes the shared key $K_{(A,S)} = sk_S \times S_A$ between the legal user equipment and the edge service node; otherwise the operation is terminated;
step S33, the edge service node transmits to the user equipment the edge service node identity $ID_S$, the edge service node second public key $PK_S$ and the edge service node first verification value $S_S$;
step S34, the user equipment calculates the edge service node second verification value $S_S'$:
$S_S' = PK_S + h(ID_S)\, G + [(q_{sx} + h(ID_S))]\, PK_{AS}$;
and judges whether the edge service node second verification value equals the edge service node first verification value, namely
$S_S' \stackrel{?}{=} S_S$:
if they are the same, the edge service node passes verification as a legal edge service node, and the user equipment establishes the shared key $K_{(A,S)} = sk_A \times S_S$; otherwise the operation is terminated.
Further, step S4 includes: step S41, the user equipment applies to the edge service node for service, and the edge service node transmits the service sequence $A$ and the service scheduling sequence $B$ to the user equipment;
step S42, the user equipment calculates the service authority value $A'f$ and the service scheduling authority value $A't$;
it establishes the service authority $t_{UA}$ according to its use requirement and calculates the service authority value $A'f$ with the service sequence $A$:
$A = (a_1, a_2, \ldots, a_i, \ldots, a_n)$, $0 \le a_i \le g_n f_n - 1$;
$t_{UA} = (t_1, t_2, \ldots, t_i, \ldots, t_n)$, $t_i \in \{0, 1\}$, $i = 1, \ldots, n$;
[formula image not reproduced on the page]
it establishes the service scheduling authority $t_{UA}^*$ according to its use requirement and calculates the service scheduling authority value $A't$ with the service scheduling sequence $B$:
$B = (b_1, b_2, \ldots, b_i, \ldots, b_m)$, $0 \le b_i \le g_m f_m - 1$;
$t_{UA}^* = (t_1, t_2, \ldots, t_i, \ldots, t_m)$, $t_i \in \{0, 1\}$, $i = 1, \ldots, m$;
[formula image not reproduced on the page]
step S43, the user equipment randomly selects a parameter $k_A'$, forms the user equipment authority plaintext $M$ from the service authority value $A'f$ and the service scheduling authority value $A't$, and then encrypts the authority plaintext $M$ to form the user equipment authority ciphertext $C_{A0}$:
$M = ((A'f, A't) + K_{(A,S)}) = (m_1, m_2)$, where $m_1$ is the first factor of the user equipment authority plaintext $M$ and $m_2$ is the second factor of the user equipment authority plaintext $M$,
$C_{A1} = k_A' \times G$,
$Y_A = (y_{A1}, y_{A2}) = k_A' \times S_S$, where $Y_A$ is a verification parameter, $y_{A1}$ is the first factor of the verification parameter and $y_{A2}$ is the second factor of the verification parameter;
$C_{A2} = (C_{21}, C_{22}) = (y_{A1} \times m_1 \bmod q,\ y_{A2} \times m_2 \bmod q)$,
$C_{A0} = (C_{A1}, C_{A2})$; where $C_{A1}$ is the first factor of the user equipment authority ciphertext $C_{A0}$, $C_{A2}$ is the second factor of $C_{A0}$, $C_{21}$ is the first factor of the second factor of $C_{A0}$, and $C_{22}$ is the second factor of the second factor of $C_{A0}$;
step S44, the user equipment transmits the authority ciphertext $C_{A0}$ to the edge service node.
Further, step S4 further includes: step S45, after the edge service node receives the authority ciphertext $C_{A0}$ transmitted by the user equipment, it decrypts the content of $C_{A0}$;
the edge service node calculates the value $Z$ with its private key $sk_S$:
$Z = sk_S \times C_{A1} = (Z_1, Z_2)$, where $Z_1$ is the first factor of the value $Z$ and $Z_2$ is the second factor of the value $Z$;
the edge service node then uses the shared key $K_{(A,S)}$ to obtain the service authority value $A'f$ and the service scheduling authority value $A't$:
$M = (C_{21} \times Z_1^{-1} \bmod q,\ C_{22} \times Z_2^{-1} \bmod q) = (m_1, m_2)$;
$(A'f, A't) = (m_1, m_2) - K_{(A,S)}$;
from the service authority value $A'f$ and the service scheduling authority value $A't$ it then computes the service authority $t_{UA}$ and the service scheduling authority $t_{UA}^*$:
$c_{gn} = A'f \bmod g_n$, $0 \le c_{gn} \le g_n - 1$;
$c_{fn} = A'f \bmod f_n$, taken as the centered residue $-f_n/2 < c_{fn} \le f_n/2$;
$(c_{gn} - c_{fn})_2 = t_{UA} = (t_1, t_2, \ldots, t_i, \ldots, t_n)$, $t_i \in \{0, 1\}$, $i = 1, \ldots, n$ (the binary representation of $c_{gn} - c_{fn}$, read as a bit vector, is the service authority);
$c_{gm} = A't \bmod g_m$, $0 \le c_{gm} \le g_m - 1$;
$c_{fm} = A't \bmod f_m$, taken as the centered residue $-f_m/2 < c_{fm} \le f_m/2$;
$(c_{gm} - c_{fm})_2 = t_{UA}^* = (t_1, t_2, \ldots, t_i, \ldots, t_m)$, $t_i \in \{0, 1\}$, $i = 1, \ldots, m$;
where $c_{gn}$, $c_{fn}$, $c_{gm}$, $c_{fm}$ are all intermediate values;
step S46, the edge service node determines the user equipment's right to use the service according to the service authority $t_{UA}$, and determines the type of scheduling authority the user equipment has over the authorized services according to the service scheduling authority $t_{UA}^*$.
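The sequence construction of step S121 and the authority round trip of steps S42 and S45, as an added worked example in Python (not the patent's own code). It assumes the authority value omitted from the page's formula images is the knapsack sum $A'f = \sum_i t_i a_i$, which the decoding in step S45 implies, and it chooses $f_n$ above $2\sum_i |v_i|$, a stricter bound than the page's $2\max_i |v_i|$, so that the centered residue recovers $\sum_i t_i v_i$ uniquely for every authority vector.

```python
"""Service sequence construction (step S121) and the service authority
round trip (steps S42 and S45). Added example, not the patent's code.
Assumed: the authority value is the knapsack sum A'f = sum(t_i * a_i),
which the page's formula images omit but its step S45 decoding implies."""
import secrets

def is_prime(x):
    """Trial division; sufficient for the small parameters of this example."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True

def next_prime(x):
    """Smallest prime >= x."""
    while not is_prime(x):
        x += 1
    return x

def crt2(r1, m1, r2, m2):
    """Chinese remainder theorem for two coprime moduli: the unique a in
    [0, m1*m2 - 1] with a = r1 (mod m1) and a = r2 (mod m2)."""
    t = (r2 - r1) * pow(m1, -1, m2) % m2
    return (r1 + m1 * t) % (m1 * m2)

def build_sequence(u):
    """Step S121: from the positive vector U derive V, the primes g_n, f_n
    and the service sequence A with a_i = u_i (mod g_n), a_i = v_i (mod f_n).
    Returns (A, g_n, f_n)."""
    n = len(u)
    v = [u[i] - 2 ** (n - 1 - i) for i in range(n)]     # v_i = u_i - 2^(n-i), i = 1..n
    g = next_prime(sum(u) + 1)                          # g_n > sum of U
    # f_n > 2 * sum|v_i| is stricter than the page's 2 * max|v_i|; it guarantees
    # that the centered residue in recover_authority is unique for every t.
    f = next_prime(2 * sum(abs(x) for x in v) + 1)
    while f == g:                                       # moduli must be coprime
        f = next_prime(f + 1)
    a = [crt2(u[i] % g, g, v[i] % f, f) for i in range(n)]
    return a, g, f

def authority_value(a, t):
    """Step S42 (assumed form): A'f = sum of the a_i whose authority bit t_i is 1."""
    return sum(ti * ai for ti, ai in zip(t, a))

def recover_authority(value, g, f, n):
    """Step S45: c_gn = A'f mod g_n, c_fn = centered A'f mod f_n, and the
    binary digits of c_gn - c_fn are the bits t_1..t_n (t_1 most significant)."""
    c_g = value % g                     # equals sum t_i*u_i since g_n > sum(U)
    c_f = value % f
    if c_f > f // 2:                    # map into (-f_n/2, f_n/2]
        c_f -= f                        # equals sum t_i*v_i
    d = c_g - c_f                       # = sum t_i * 2^(n-i)
    return [(d >> (n - i)) & 1 for i in range(1, n + 1)]

def round_trip(n=8):
    """Random U and random authority vector t; returns (t, recovered t)."""
    u = [secrets.randbelow(40) + 1 for _ in range(n)]   # constructed sample U
    a, g, f = build_sequence(u)
    t = [secrets.randbelow(2) for _ in range(n)]
    return t, recover_authority(authority_value(a, t), g, f, n)

if __name__ == "__main__":
    print(build_sequence([3, 5, 2]))   # constructed sample U
    print(round_trip())
```

For the constructed $U = (3, 5, 2)$ the block yields $A = (25, 16, 79)$ with $g_n = 11$, $f_n = 13$; the same functions serve the scheduling sequence $B$ of step S122 with $U^*$ and $m$ in place of $U$ and $n$.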
This scheme adopts an elliptic curve cryptosystem, so encryption and decryption are fast, and it adopts knapsack sequences, which give service scheduling the characteristic of dynamic access and reduce the burden that centralized management of user equipment authority places on the back-end server and database.
Collusion attack is avoided: in this scheme, the user equipment can adjust services and authority according to its requirements within the authorized range, and the user equipment participates in the configuration of the key, which avoids collusion attacks and gives service scheduling both elasticity and security.
Service authority control: in this scheme, the user equipment obtains an authorized range of service authority, and within that range it has the right to schedule services according to its requirements, so the range of authority in use changes; when a temporary service need arises, the related service can be started and joined immediately, which effectively increases the elasticity of service use and saves rental cost for the user. In conventional schemes, the user equipment must re-apply or re-authenticate to change a service or a service right.
Security of cloud storage: the method is suitable for edge computing; the encrypted authorized service types and service use range are stored in the edge cloud, which avoids the risk of leakage that comes with centralized authority management. Meanwhile, even if an attacker obtains the relevant sequences, the attacker cannot learn the types of authorized services or the information about their use range, so the security of the use environment is ensured.
Identity authentication: in this scheme, the authentication server is designed as a fair third-party authentication center; after the user equipment and the edge server complete registration with the authentication server, information is transmitted between the user equipment and the edge server, and verification can be completed using their identity information and verification data, so that each is judged to be a legal user. Neither the guarantee and coordination of the third-party authentication server nor its constant online presence is required.
Concealment of data: the user equipment participates in the configuration of the key, which avoids the huge losses caused by self-theft by insiders of a third party entrusted with the keys, and in the service authorization process a shared key is established and used to encrypt the authority ciphertext, which avoids the risk that the ciphertext is cracked because a third-party key is obtained. Meanwhile, even if an attacker intercepts the sequence, the attacker cannot learn the selectable service and authority types, nor guess the possible identity and service orientation of the user equipment, which prevents the attacker from mounting a blocking attack directly against the server.
Drawings
FIG. 1 is a block flow diagram of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
Elliptic curve cryptography (ECC) is a public key technology based on elliptic curve theory; it realizes encryption, decryption and digital signatures using the hardness of the discrete logarithm problem in the abelian group formed by the points of an elliptic curve over a finite field, and a corresponding elliptic-curve cryptosystem can be established by mapping the addition operation on the elliptic curve to the modular multiplication operation of discrete-logarithm systems. An elliptic curve is a plane curve $E$ determined by the following Weierstrass equation: $y^2 z + a_1 xyz + a_3 y z^2 = x^3 + a_2 x^2 z + a_4 x z^2 + a_6 z^3$.
The elliptic curve encryption method has the advantages of short key length, high security and low total time consumption of the digital signature. In a network it also ensures the real-time performance of cooperative work: data of higher sensitivity (such as a secret key) encrypted with the elliptic curve method can meet the demands of large data volumes in speed while remaining highly secure, so the security of the system is well ensured.
A service scheduling method of edge computing is shown in figure 1 and comprises an initial stage, a registration stage, a verification stage and a service scheduling stage.
Step S1, initial stage:
S11, the authentication server sets and discloses the elliptic curve $E(F_q)$, the base point $G$, the order $n$, the first public key $PK_{AS}$ and the hash function $h()$; the specific steps are as follows:
step S111, the authentication server selects a safe elliptic curve $E(F_q)$ over the finite field $F_q$, where $q$ is a large prime of 160 bits or more, and selects on $E(F_q)$ a base point $G$ of order $n$ such that $nG = O$, where $O$ is the point at infinity of the elliptic curve.
step S112, the authentication server selects a one-way collision-free hash function $h()$ and a first private key $sk_{AS}$, and calculates the first public key $PK_{AS}$: $PK_{AS} = sk_{AS}\, G$.
step S113, the authentication server discloses the elliptic curve $E(F_q)$, the base point $G$, the order $n$, the first public key $PK_{AS}$ and the hash function $h()$.
S12, the edge service node establishes the service sequence $A$ and the service scheduling sequence $B$; the specific steps are as follows:
step S121, the edge service node establishes the service sequence $A$ according to the service types and quantity.
Randomly select an $n$-dimensional vector $U = (u_1, u_2, \ldots, u_i, \ldots, u_n)$, where all $u_i$ are positive integers, $i = 1, \ldots, n$.
Calculate the vector $V = (v_1, v_2, \ldots, v_i, \ldots, v_n)$, where $v_i = u_i - 2^{n-i}$, $i = 1, \ldots, n$.
Randomly select two primes $g_n$ and $f_n$ with $q > 4 g_n f_n + 1$, such that $g_n$ is greater than the sum of the entries of $U$ and $f_n$ is greater than twice the maximum absolute value of the entries of $V$, namely:
$g_n > \sum_{i=1}^{n} u_i$,
$f_n > 2 \max_{1 \le i \le n} |v_i|$;
solve the service sequence with the Chinese remainder theorem: $A = (a_1, a_2, \ldots, a_i, \ldots, a_n)$, $0 \le a_i \le g_n f_n - 1$;
$a_i \equiv u_i \pmod{g_n}$, $a_i \equiv v_i \pmod{f_n}$, $i = 1, \ldots, n$; $a_i$ represents the sequence value of the $i$-th service.
Service authority: $t_A = (t_1, t_2, \ldots, t_i, \ldots, t_n)$, $t_i \in \{0, 1\}$, $i = 1, \ldots, n$; 0 indicates that the user equipment is not allowed to use the service, and 1 indicates that it is allowed to use the service.
Calculate the service authority value:
[formula image not reproduced on the page]
step S122, the edge service node establishes the service scheduling sequence $B$ according to the service scheduling types and quantity.
Randomly select an $m$-dimensional vector $U^* = (u_1^*, u_2^*, \ldots, u_i^*, \ldots, u_m^*)$, where all $u_i^*$ are positive integers, $i = 1, \ldots, m$.
Calculate the vector $V^* = (v_1^*, v_2^*, \ldots, v_i^*, \ldots, v_m^*)$, where $v_i^* = u_i^* - 2^{m-i}$, $i = 1, \ldots, m$.
Randomly select two primes $g_m$ and $f_m$ with $q > 4 g_m f_m + 1$, such that $g_m$ is greater than the sum of the entries of $U^*$ and $f_m$ is greater than twice the maximum absolute value of the entries of $V^*$, namely:
$g_m > \sum_{i=1}^{m} u_i^*$,
$f_m > 2 \max_{1 \le i \le m} |v_i^*|$;
compute the service scheduling sequence with the Chinese remainder theorem: $B = (b_1, b_2, \ldots, b_i, \ldots, b_m)$, $0 \le b_i \le g_m f_m - 1$;
$b_i \equiv u_i^* \pmod{g_m}$, $b_i \equiv v_i^* \pmod{f_m}$, $i = 1, \ldots, m$.
Service scheduling authority: $t_B = (t_1, t_2, \ldots, t_i, \ldots, t_m)$, $t_i \in \{0, 1\}$, $i = 1, \ldots, m$; 0 indicates that the user equipment is not allowed to use the service scheduling, and 1 indicates that it is allowed to use the service scheduling.
Calculate the service scheduling authority value:
[formula image not reproduced on the page]
S13, the edge service node transmits the service sequence $A$ and the service scheduling sequence $B$ to the authentication server for the user equipment to query.
Step S2, registration phase:
step S21, the edge service node registers with the authentication server and participates in setting the key;
step S211, the edge service node uses its own edge service node identity $ID_S$ and edge service node random parameter $d_S$ to generate the edge service node signature file $V_S$ through the one-way collision-free hash function $h$, i.e. $V_S = h(d_S \| ID_S)\, G$, and transmits the edge service node identity $ID_S$ and the edge service node signature file $V_S$ to the authentication server, where $d_S \in [2, n-2]$ and $n$ is the number of edge service nodes.
step S212, the authentication server selects a random parameter $k_S \in [2, n-2]$, computes the edge service node second public key $PK_S$ and the edge service node signature $W_S$, and transmits them to the edge service node, where $n$ is the number of edge service nodes. The calculation formulas are as follows:
$PK_S = V_S + (k_S - h(ID_S))\, G = (q_{sx}, q_{sy})$; where $q_{sx}$ is the first factor of the edge service node second public key $PK_S$ and $q_{sy}$ is the second factor of the edge service node second public key $PK_S$;
$W_S = k_S + sk_{AS}\,(q_{sx} + h(ID_S))$.
step S213, the edge service node, from the edge service node second public key $PK_S$ and the edge service node signature $W_S$ transmitted by the authentication server, computes the edge service node second private key $sk_S$, verifies the edge service node second public key $PK_S$ with the edge service node signature $W_S$, and calculates the edge service node first verification value $S_S$.
The calculation formula of the edge service node second private key $sk_S$ is:
$sk_S = [W_S + h(d_S \| ID_S)]$.
The calculation formula of the edge service node first verification value $S_S$ is:
$S_S = sk_S\, G$.
The edge service nodes register with the authentication server; once each edge service node has completed registration with the authentication server and obtained the edge service node second public key $PK_S$ and the edge service node signature $W_S$, the authentication server no longer needs to perform identity authentication of the edge service node in the system, and mutual identity authentication can be performed with the identity $ID_S$ issued by the authentication server, the edge service node second public key $PK_S$ and the self-computed edge service node second private key $sk_S$.
Step S22, the user equipment registers with the authentication server and participates in setting the key;
step S221, the user equipment uses its own user equipment identity $ID_A$ and user equipment random parameter $d_A$ to generate the user equipment signature file $V_A$ through the one-way collision-free hash function $h$, i.e. $V_A = h(d_A \| ID_A)\, G$, and transmits the user equipment identity $ID_A$ and the user equipment signature file $V_A$ to the authentication server, where $d_A \in [2, n-2]$ and $n$ is the number of user equipments.
step S222, the authentication server selects a random parameter $k_A \in [2, n-2]$, computes the user equipment second public key $PK_A$ and the user equipment signature $W_A$, and transmits them to the user equipment; the calculation formulas are as follows:
$PK_A = V_A + (k_A - h(ID_A))\, G = (q_{ax}, q_{ay})$; where $q_{ax}$ is the first factor of the user equipment second public key $PK_A$ and $q_{ay}$ is the second factor of the user equipment second public key $PK_A$;
$W_A = k_A + sk_{AS}\,(q_{ax} + h(ID_A))$.
step S223, the user equipment, from the user equipment second public key $PK_A$ and the user equipment signature $W_A$ transmitted by the authentication server, calculates the user equipment second private key $sk_A$, verifies the user equipment second public key $PK_A$ with the user equipment signature $W_A$, and calculates the user equipment first verification value $S_A$.
The calculation formula of the user equipment second private key $sk_A$ is:
$sk_A = [W_A + h(d_A \| ID_A)]$.
The calculation formula of the user equipment first verification value $S_A$ is:
$S_A = sk_A\, G$.
The user equipments register with the authentication server; once each user equipment has completed registration with the authentication server and obtained the user equipment second public key $PK_A$ and the user equipment signature $W_A$, the authentication server no longer needs to perform identity authentication of the user equipment in the system, and mutual identity authentication can be performed with the user equipment identity $ID_A$ issued by the authentication server, the user equipment second public key $PK_A$ and the self-computed user equipment second private key $sk_A$.
Step S3, verification stage: the user equipment and the edge service node associated through the service mutually verify that the other holds a legal identity and establish a shared key.
Step S31, the user equipment transmits the user equipment identity ID_A, the user equipment second public key PK_A and the user equipment first verification value S_A to the edge service node.
Step S32, the edge service node computes the user equipment second verification value S_A':
S_A' = PK_A + h(ID_A) G + (q_ax + h(ID_A)) PK_AS
and judges whether the user equipment second verification value equals the user equipment first verification value, i.e. whether S_A' = S_A. If they are equal, the user equipment passes verification as legal user equipment and the edge service node establishes the shared secret key K_(A,S) = sk_S × S_A; otherwise the operation is terminated.
Step S33, the edge service node transmits the edge service node identity ID_S, the edge service node second public key PK_S and the edge service node first verification value S_S to the user equipment.
Step S34, the user equipment computes the edge service node second verification value S_S':
S_S' = PK_S + h(ID_S) G + (q_sx + h(ID_S)) PK_AS
and judges whether the edge service node second verification value equals the edge service node first verification value, i.e. whether S_S' = S_S. If they are equal, the edge service node passes verification as a legal edge service node and the user equipment establishes the shared secret key K_(A,S) = sk_A × S_S; otherwise the operation is terminated.
In this step the edge service node must confirm (ID_A, S_A, PK_A) and the user equipment must confirm (ID_S, S_S, PK_S); only after both checks succeed is the shared secret key K_(A,S) established. The verification check equation for the user equipment is:
S_A' = PK_A + h(ID_A) G + (q_ax + h(ID_A)) PK_AS =? S_A.
It holds because, substituting PK_A = (h(d_A || ID_A) + k_A - h(ID_A)) G and PK_AS = sk_AS G,
S_A' = (h(d_A || ID_A) + k_A + sk_AS (q_ax + h(ID_A))) G = (W_A + h(d_A || ID_A)) G = sk_A G = S_A.
Similarly the user equipment verifies S_S' =? S_S. After the two parties have mutually verified each other as legal user equipment and legal edge service node, the shared secret key K_(A,S) = sk_S × S_A = sk_A × S_S = sk_A sk_S G is established.
Step S4, service scheduling: the user equipment applies to use a service, obtains the service sequence A and the service scheduling sequence B, computes and encrypts the service authority value A'f and the service scheduling authority value A't according to its requirements and transmits them to the edge service node; the edge service node decrypts them, recovers the service authority t_UA and the service scheduling authority t_UA*, and provides the service accordingly.
Step S41, the user equipment applies for service from the edge service node, and the edge service node transmits the service sequence A and the service scheduling sequence B to the user equipment.
Step S42, when the user equipment receives the service sequence A and the service scheduling sequence B, it computes the service authority value A'f and the service scheduling authority value A't:
it establishes the service authority t_UA according to its usage requirement and computes the service authority value A'f from the service sequence A:
A = (a_1, a_2, ..., a_i, ..., a_n), 0 ≤ a_i ≤ g_n f_n - 1;
t_UA = (t_1, t_2, ..., t_i, ..., t_n), t_i ∈ {0, 1}, i = 1, ..., n;
A'f = Σ_{i=1}^{n} a_i t_i.
It establishes the service scheduling authority t_UA* according to its usage requirement and computes the service scheduling authority value A't from the service scheduling sequence B:
B = (b_1, b_2, ..., b_i, ..., b_m), 0 ≤ b_i ≤ g_m f_m - 1;
t_UA* = (t_1, t_2, ..., t_i, ..., t_m), t_i ∈ {0, 1}, i = 1, ..., m;
A't = Σ_{i=1}^{m} b_i t_i.
Step S43, the user equipment randomly selects a parameter k_A', forms the user equipment authority plaintext M from the service authority value A'f and the service scheduling authority value A't as a point, and then computes from the authority plaintext M the user equipment authority ciphertext C_A0:
M = (A'f, A't) + K_(A,S) = (m_1, m_2), where the addition is the point addition of the elliptic curve (the pair (A'f, A't) is treated as a point, as the worked example in step S43 below shows), m_1 is the first coordinate of the user equipment authority plaintext M and m_2 is its second coordinate;
C_A1 = k_A' × G;
Y_A = (y_A1, y_A2) = k_A' × S_S, where Y_A is the verification parameter, y_A1 its first coordinate and y_A2 its second coordinate;
C_A2 = (C_21, C_22) = (y_A1 × m_1 mod q, y_A2 × m_2 mod q);
C_A0 = (C_A1, C_A2); where C_A1 is the first component of the user equipment authority ciphertext C_A0, C_A2 is its second component, and C_21 and C_22 are the first and second coordinates of C_A2.
Step S44, the user equipment transmits the authority ciphertext C_A0 to the edge service node.
Step S45, after the edge service node receives the authority ciphertext C_A0 transmitted by the user equipment, it unpacks the contents of C_A0.
The edge service node computes the value Z with its private key sk_S:
Z = sk_S × C_A1 = (Z_1, Z_2), where Z_1 is the first coordinate of Z and Z_2 its second coordinate. Since C_A1 = k_A' G and S_S = sk_S G, Z = k_A' sk_S G = Y_A, so the edge service node obtains the same verification parameter the user equipment used without learning k_A'.
The edge service node then recovers the service authority value A'f and the service scheduling authority value A't using the shared secret key K_(A,S):
M = (C_21 × Z_1^(-1) mod q, C_22 × Z_2^(-1) mod q) = (m_1, m_2);
(A'f, A't) = (m_1, m_2) - K_(A,S).
The service authority t_UA and the service scheduling authority t_UA* are recovered from the service authority value A'f and the service scheduling authority value A't:
c_gn = A'f mod g_n, 0 ≤ c_gn ≤ g_n - 1;
c_fn = A'f mod f_n, taken as the centered residue -f_n/2 < c_fn ≤ f_n/2;
(c_gn - c_fn)_2 = t_UA = (t_1, t_2, ..., t_i, ..., t_n), t_i ∈ {0, 1}, i = 1, ..., n, i.e. the n-bit binary expansion of c_gn - c_fn is the service authority vector;
c_gm = A't mod g_m, 0 ≤ c_gm ≤ g_m - 1;
c_fm = A't mod f_m, taken as the centered residue -f_m/2 < c_fm ≤ f_m/2;
(c_gm - c_fm)_2 = t_UA* = (t_1, t_2, ..., t_i, ..., t_m), t_i ∈ {0, 1}, i = 1, ..., m;
where c_gn, c_fn, c_gm and c_fm are intermediate values. This works because each a_i ≡ u_i (mod g_n) and a_i ≡ v_i (mod f_n) with u_i - v_i = 2^(n-i), so c_gn - c_fn = Σ_i (u_i - v_i) t_i = Σ_i 2^(n-i) t_i whenever Σ_i u_i t_i stays below g_n and Σ_i v_i t_i stays within (-f_n/2, f_n/2].
Step S46, the edge service node determines from the service authority t_UA which services the user equipment has the right to use, and from the service scheduling authority t_UA* which scheduling authority types the user equipment has for the authorized services.
When the service scheduling changes, the user equipment may encounter the following two situations:
Situation 1, the changed service scheduling lies within the service scope managed by the edge service node:
the edge service node has established the sequences of the services and service schedules it manages, and the user equipment, once authenticated, can use the services according to its needs, so a scheduling change only requires recomputing the authority ciphertext.
Situation 2, the changed service scheduling lies outside the service scope managed by the edge service node:
in an edge computing system the services are provided by the edge cloud, and the user equipment has more choices and comparisons than when applying to a single service integration center; inevitably the required service is sometimes not in the list of services provided. In that case the original edge service node relays the request to another edge service node under the same authentication server:
Step 1, when the user equipment reports to the edge service node that the service it needs is not in the service sequence A, the edge service node asks the authentication server whether a related service exists and obtains the service sequence A and service scheduling sequence B of the other edge service nodes.
Step 2, the edge service node transmits the service sequence A and service scheduling sequence B of the other edge service nodes to the user equipment, achieving service relay.
Step 3, service scheduling then proceeds as in the service scheduling stage (step S4).
The service scheduling is now simulated with simple data to verify the correctness of the scheme and its application to a concrete object.
Step S1, initial stage.
Step S11, the authentication server sets and discloses the elliptic curve E(F_q), the base point G, the order n, the first public key PK_AS and the hash function h(). Specifically:
Step S111, the authentication server selects a secure elliptic curve E(F_q) over the finite field F_q:
y^2 ≡ x^3 + 2x + 6 (mod q), with prime q = 9013. On the elliptic curve E(F_q) a base point G = (1, 3) of order n = 8908 is selected, so that 8908 G = O, where O is the point at infinity of the elliptic curve. (G lies on the curve since 3^2 = 9 = 1 + 2 + 6.)
Step S112, the authentication server selects a one-way collision-free hash function h() and the first private key sk_AS = 9, and computes the first public key PK_AS:
PK_AS = sk_AS G = 9 (1, 3) = (2074, 6035).
Step S113, the authentication server discloses the elliptic curve E(F_q): y^2 ≡ x^3 + 2x + 6 (mod q), the base point G = (1, 3), the order n = 8908, the first public key PK_AS = (2074, 6035) and the hash function h().
Step S12, the edge service node establishes a service sequence and a service scheduling sequence, as follows:
assume that the edge service node manages 3 classes of service in total, and that the schedules of these 3 classes of service total 6 types, as shown in Table 1.
Table 1 lists the services and service schedules managed by the edge service node. (The table is provided as an image on the original page.)
Step S121, the edge service node establishes the service sequence A according to the service types and quantity.
Randomly choose a 3-dimensional vector U = (9, 11, 6).
Compute the vector V = (5, 9, 5) (v_i = u_i - 2^(3-i)).
Randomly select two primes g_n = 29 and f_n = 43 satisfying q > 4 g_n f_n + 1 (4 × 29 × 43 + 1 = 4989 < 9013).
The service sequence is obtained with the Chinese remainder theorem (a_i ≡ u_i (mod g_n), a_i ≡ v_i (mod f_n), 0 ≤ a_i ≤ g_n f_n - 1): A = (908, 1084, 1166).
Step S122, the edge service node establishes the service scheduling sequence B according to the service scheduling types and quantity.
Randomly select a 6-dimensional vector U* = (16, 8, 7, 5, 2, 1).
Compute the vector V* = (-16, -8, -1, 1, 0, 0) (v_i* = u_i* - 2^(6-i)).
Randomly select two primes g_m = 37 and f_m = 53 satisfying q > 4 g_m f_m + 1 (4 × 37 × 53 + 1 = 7845 < 9013).
The service scheduling sequence is computed with the Chinese remainder theorem: B = (90, 45, 1006, 1485, 742, 371).
Step S13, the edge service node transmits the service sequence A = (908, 1084, 1166) and the service scheduling sequence B = (90, 45, 1006, 1485, 742, 371) to the authentication server for the user equipment to query. The content received by the user equipment is shown in Table 2.
Table 2 lists the services and service schedules provided by the edge service node. (The table is provided as an image on the original page.)
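The sequence construction of steps S121/S122 and the decoding the edge service node performs in step S45 can be checked end to end. The following Python is an added example written for this page, not code from the patent or its assignee. It reproduces the page's worked numbers (U, V, g_n, f_n, A, U*, V*, g_m, f_m, B); the function names, the centered-residue helper and the `decodes_exactly` check are this example's own.

```python
# Added example (not code from the patent): the CRT/"knapsack" encoding of the
# service sequence A and scheduling sequence B (steps S121/S122), the authority
# values A'f / A't (step S42) and the edge node's decoding (step S45). Numbers in
# the demo are the page's; function names and the exactness check are this example's own.


def build_sequence(u, g, f):
    """v_i = u_i - 2^(n-i) (1-based i); a_i is the unique value in [0, g f) with
    a_i = u_i (mod g) and a_i = v_i (mod f), solved with Garner's form of the CRT."""
    n = len(u)
    v = [ui - 2 ** (n - 1 - i) for i, ui in enumerate(u)]
    g_inv = pow(g, -1, f)                       # g and f are distinct primes
    seq = [(ui + g * (((vi - ui) * g_inv) % f)) % (g * f) for ui, vi in zip(u, v)]
    return v, seq


def rights_value(seq, t):
    """A'f = sum_i a_i t_i for a 0/1 authority vector t (A't is the same with B)."""
    return sum(a * b for a, b in zip(seq, t))


def centered_mod(x, f):
    """Representative of x mod f in (-f/2, f/2], the range the page uses for c_fn, c_fm."""
    r = x % f
    return r - f if r > f // 2 else r


def decode_rights(value, g, f, n):
    """c_g = value mod g, c_f = centered value mod f; c_g - c_f = sum_i 2^(n-i) t_i,
    so its n-bit binary expansion is the authority vector."""
    d = value % g - centered_mod(value, f)
    if not 0 <= d < 2 ** n:
        raise ValueError("value does not decode to an n-bit authority vector")
    return tuple((d >> (n - 1 - i)) & 1 for i in range(n))


def decodes_exactly(u, v, g, f):
    """Decoding is exact for every t only if no subset sum of u reaches g and no
    subset sum of v leaves (-f/2, f/2]. The page's q > 4 g f + 1 alone does not
    guarantee this; the check is this example's addition."""
    pos = sum(x for x in v if x > 0)
    neg = -sum(x for x in v if x < 0)
    return sum(u) < g and max(pos, neg) <= f // 2


if __name__ == "__main__":
    v, a = build_sequence((9, 11, 6), 29, 43)            # page: V = (5, 9, 5), A = (908, 1084, 1166)
    print(a, decode_rights(rights_value(a, (1, 1, 1)), 29, 43, 3))
    v_star, b = build_sequence((16, 8, 7, 5, 2, 1), 37, 53)
    print(b, decode_rights(rights_value(b, (1, 1, 1, 0, 1, 0)), 37, 53, 6))
    # 16 + 8 + 7 + 5 + 2 + 1 = 39 >= 37, so the all-ones scheduling authority would not round-trip
    print(decodes_exactly((16, 8, 7, 5, 2, 1), v_star, 37, 53))
```

Two things the run makes visible that the prose does not: the page's own U* = (16, 8, 7, 5, 2, 1) sums to 39 ≥ g_m = 37, so the scheduling authority (1, 1, 1, 1, 1, 1) would decode to (0, 1, 1, 0, 1, 0) and a deployment must check the subset-sum bounds, not only q > 4gf + 1; and the rule v_i* = u_i* - 2^(m-i) applied to the 8-dimensional U* of the service-relay example gives -56 as the second entry, where the page prints -52.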
Step S2, registration stage:
in the scheme a service request can only be executed after a legal identity has been confirmed through registration with a public third party, so both the edge service node and the user equipment must complete registration.
Step S21, the edge service node registers with the authentication server and takes part in setting up its key:
Step S211, the edge service node uses its own edge service node identity ID_S = 123 and edge service node random parameter d_S = 432; with the one-way collision-free hash function, h(ID_S) = 15 and h(d_S || ID_S) = 21 (toy values chosen for the simulation), it generates the edge service node signature file V_S, i.e. V_S = h(d_S || ID_S) G = h(432 || 123) G = 21 (1, 3) = (6070, 7155), and transmits the edge service node identity ID_S and the edge service node signature file V_S to the authentication server.
Step S212, the authentication server selects the random parameter k_S = 31, computes the edge service node second public key PK_S and the edge service node signature W_S, and transmits them to the edge service node. The formulas are:
PK_S = V_S + (k_S - h(ID_S)) G = (6070, 7155) + 16 (1, 3) = (4072, 6525) = (q_sx, q_sy);
W_S = k_S + sk_AS (q_sx + h(ID_S)) = 31 + 9 (4072 + 15) = 36814.
Step S213, the edge service node, using the edge service node second public key PK_S and the edge service node signature W_S transmitted by the authentication server, computes the edge service node second private key sk_S, verifies the edge service node second public key PK_S with the edge service node signature W_S, and computes the edge service node first verification value S_S.
The edge service node second private key sk_S is computed as:
sk_S = W_S + h(d_S || ID_S) = 36814 + 21 = 36835.
The edge service node first verification value S_S is computed as:
S_S = sk_S G = 36835 G = 1203 G = (8224, 7690), since 36835 ≡ 1203 (mod 8908) and 8908 G = O.
The user equipment computes the edge service node second verification value S_S':
S_S' = PK_S + h(ID_S) G + (q_sx + h(ID_S)) PK_AS
= (4072, 6525) + 15 (1, 3) + (4072 + 15) (2074, 6035)
= (4072, 6525) + (6316, 4684) + 4087 (2074, 6035)
= (5628, 5821) + 4087 (2074, 6035)
= (5628, 5821) + (6040, 2038)
= (8224, 7690).
It then judges whether the computed edge service node second verification value S_S' equals the edge service node first verification value S_S, i.e. whether S_S' = S_S: (8224, 7690) = (8224, 7690), so the check holds.
Step S22, the user equipment registers with the authentication server and takes part in setting up its key:
Step S221, the user equipment uses its user equipment identity ID_A = 219 and user equipment random parameter d_A = 424; with the one-way collision-free hash function, h(ID_A) = 13 and h(d_A || ID_A) = 17 (toy values chosen for the simulation), it generates the user equipment signature file V_A, i.e. V_A = h(d_A || ID_A) G = h(424 || 219) G = 17 (1, 3) = (6290, 3233), and transmits the user equipment identity ID_A and the user equipment signature file V_A to the authentication server.
Step S222, the authentication server selects the random parameter k_A = 20, computes the user equipment second public key PK_A and the user equipment signature W_A, and transmits them to the user equipment. The formulas are:
PK_A = V_A + (k_A - h(ID_A)) G
= (6290, 3233) + 7 (1, 3)
= (6290, 3233) + (8036, 5437)
= (7085, 3042) = (q_ax, q_ay);
W_A = k_A + sk_AS (q_ax + h(ID_A)) = 20 + 9 (7085 + 13) = 63902.
Step S223, the user equipment, using the user equipment second public key PK_A and the user equipment signature W_A transmitted by the authentication server, computes the user equipment second private key sk_A, verifies the user equipment second public key PK_A with the user equipment signature W_A, and computes the user equipment first verification value S_A.
The user equipment second private key sk_A is computed as:
sk_A = W_A + h(d_A || ID_A) = 63902 + 17 = 63919.
The user equipment first verification value S_A is computed as:
S_A = sk_A G = 63919 G = 1563 G = (3560, 6434), since 63919 ≡ 1563 (mod 8908).
The edge service node computes the user equipment second verification value S_A':
S_A' = PK_A + h(ID_A) G + (q_ax + h(ID_A)) PK_AS
= (7085, 3042) + 13 (1, 3) + (7085 + 13) (2074, 6035)
= (7085, 3042) + (6262, 3818) + 7098 (2074, 6035)
= (4072, 6525) + 7098 (2074, 6035)
= (4072, 6525) + (8897, 4526)
= (3560, 6434).
It then judges whether the user equipment second verification value equals the user equipment first verification value, i.e. whether S_A' = S_A: (3560, 6434) = (3560, 6434), so the check holds. (As a consistency check on the simulation, the intermediate point (4072, 6525) = PK_A + 13 G = (17 + 20) G = 37 G coincides with PK_S = (21 + 16) G = 37 G.)
The user equipment and the edge service node are both registered with the authentication server. Once a member has completed registration and obtained its own second public key and signature, the authentication server is no longer required for identity authentication within the system: mutual identity authentication uses the identity issued by the authentication server, the second public key, and the verification value the member computes itself.
Step S3, verification stage: the user equipment and the edge service node associated through the service mutually verify that the other holds a legal identity and establish a shared key.
Step S31, the user equipment transmits to the edge service node the user equipment identity ID_A = 219, the user equipment second public key PK_A = (7085, 3042) and the user equipment first verification value S_A = (3560, 6434); the edge service node transmits to the user equipment the edge service node identity ID_S = 123, the edge service node second public key PK_S = (4072, 6525) and the edge service node first verification value S_S = (8224, 7690).
Step S32, the edge service node computes the user equipment second verification value S_A':
S_A' = PK_A + h(ID_A) G + (q_ax + h(ID_A)) PK_AS
and judges whether the user equipment second verification value equals the user equipment first verification value, i.e. whether S_A' = S_A. If they are equal, the user equipment passes verification as legal user equipment; otherwise the operation is terminated.
The edge service node establishes the shared secret key K_(A,S) = sk_S × S_A.
Step S33, the user equipment computes the edge service node second verification value S_S':
S_S' = PK_S + h(ID_S) G + (q_sx + h(ID_S)) PK_AS
and judges whether the edge service node second verification value equals the edge service node first verification value, i.e. whether S_S' = S_S. If they are equal, the edge service node passes verification as a legal edge service node; otherwise the operation is terminated.
The user equipment establishes the shared secret key K_(A,S) = sk_A × S_S.
In this scheme the shared secret key of the two parties is K_(A,S) = sk_S × S_A = sk_A × S_S
= 36835 × (3560, 6434) = 63919 × (8224, 7690)
= 1203 × (3560, 6434) = 1563 × (8224, 7690)
= (678, 3945).
Step S4, service scheduling.
Step S41, the user equipment applies for service from the edge service node, and the edge service node transmits the service sequence A and the service scheduling sequence B to the user equipment.
Step S42, when the user equipment receives the service sequence A and the service scheduling sequence B, it computes the service authority value A'f and the service scheduling authority value A't:
it establishes the service authority t_UA according to its usage requirement and computes the service authority value A'f from the service sequence A:
A = (908, 1084, 1166);
t_UA = (1, 1, 1);
A'f = (908 × 1) + (1084 × 1) + (1166 × 1) = 3158.
It establishes the service scheduling authority t_UA* according to its usage requirement and computes the service scheduling authority value A't from the service scheduling sequence B:
B = (90, 45, 1006, 1485, 742, 371);
t_UA* = (1, 1, 1, 0, 1, 0);
A't = (90 × 1) + (45 × 1) + (1006 × 1) + (1485 × 0) + (742 × 1) + (371 × 0) = 1883.
Step S43, the user equipment randomly selects the parameter k_A' = 502, forms the user equipment authority plaintext M from the service authority value A'f and the service scheduling authority value A't as a point, and then computes from the authority plaintext M the user equipment authority ciphertext C_A0:
M = (A'f, A't) + K_(A,S) = (m_1, m_2)
= (3158, 1883) + (678, 3945) = (5513, 3673) (elliptic-curve point addition);
C_A1 = k_A' × G = 502 (1, 3) = (3493, 719);
Y_A = (y_A1, y_A2) = k_A' × S_S = 502 × (8224, 7690) = (3423, 443) (the original prints the x-coordinate as 3424 here, but Z = sk_S × C_A1 in step S45 is the same point and 3423 × 5513 mod 9013 = 6790 below, so 3423 is the correct value);
C_A2 = (C_21, C_22)
= (y_A1 × m_1 mod q, y_A2 × m_2 mod q)
= (3423 × 5513 mod 9013, 443 × 3673 mod 9013)
= (6790, 4799);
C_A0 = (C_A1, C_A2) = ((3493, 719), (6790, 4799)).
Step S44, the user equipment transmits the authority ciphertext C_A0 = ((3493, 719), (6790, 4799)) to the edge service node.
Step S45, after the edge service node receives the authority ciphertext C_A0 transmitted by the user equipment, it unpacks the contents of C_A0.
The edge service node computes the value Z with its private key sk_S = 36835:
Z = sk_S × C_A1 = 36835 × (3493, 719) = 1203 × (3493, 719) = (3423, 443) = (Z_1, Z_2).
The edge service node then recovers the service authority value A'f and the service scheduling authority value A't using the shared secret key K_(A,S) = (678, 3945):
M = (C_21 × Z_1^(-1) mod q, C_22 × Z_2^(-1) mod q)
= (6790 × 3423^(-1) mod 9013, 4799 × 443^(-1) mod 9013)
= (6790 × 1672 mod 9013, 4799 × 5066 mod 9013)
= (5513, 3673)
= (m_1, m_2).
(The original prints the inverse of 3423 as 1762; 3423 × 1672 = 5723256 = 635 × 9013 + 1, so the inverse is 1672, and 6790 × 1672 mod 9013 = 5513 as required.)
(A'f, A't) = (m_1, m_2) - K_(A,S)
= (5513, 3673) - (678, 3945)
= (5513, 3673) + (678, -3945) (point negation: the y-coordinate is negated mod q)
= (5513, 3673) + (678, 5068)
= (3158, 1883).
The service authority t_UA and the service scheduling authority t_UA* are recovered from the service authority value A'f and the service scheduling authority value A't:
c_gn = A'f mod g_n = 3158 mod 29 = 26;
c_fn = A'f mod f_n = 3158 mod 43 = 19 (centered residue, within (-21.5, 21.5]);
(c_gn - c_fn)_2 = (26 - 19)_2 = 7_2 = (1, 1, 1) = t_UA;
c_gm = A't mod g_m = 1883 mod 37 = 33;
c_fm = A't mod f_m = 1883 mod 53 = 28 ≡ -25 (centered residue, within (-26.5, 26.5]);
(c_gm - c_fm)_2 = (33 - (-25))_2 = 58_2 = (1, 1, 1, 0, 1, 0) = t_UA*.
Step S46, from the service authority t_UA = (1, 1, 1) the edge service node determines that the user equipment has the right to use all three services, and from the service scheduling authority t_UA* = (1, 1, 1, 0, 1, 0) it determines which scheduling authority types the user equipment has for the authorized services.
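The registration, verification, shared-key and authority-ciphertext steps (S21 through S45, in both the general description and the worked example above) can be exercised together over the page's toy curve. The following Python is an added example written for this page, not code from the patent or its assignee. The curve, base point, identities, random parameters, A'f, A't and k_A' are the page's; the hash h() is an assumption (SHA-256 reduced into [0, n) in place of the page's toy constants h(ID_S) = 15 and so on), so the intermediate points differ from the page's numbers while the identities the code checks hold regardless of the hash.

```python
# Added example (not code from the patent): steps S21-S45 over the page's toy curve
# y^2 = x^3 + 2x + 6 over F_9013, G = (1, 3), stated order n = 8908. The hash h() is an
# assumption (SHA-256 reduced into [0, n) instead of the page's toy constants), so the
# intermediate points differ from the page's; the identities checked hold regardless.
import hashlib

Q, A_COEF = 9013, 2        # field prime and curve coefficient a (b = 6 is not needed for the arithmetic)
G, N = (1, 3), 8908        # 3^2 = 1 + 2 + 6, so G is on the curve; N only bounds the hash output here
INF = None                 # point at infinity O


def ec_add(p, r):
    """Chord-and-tangent addition mod Q. Step S43 applies the same formula to the
    non-curve point (A'f, A't); the formal identity (P + K) + (-K) = P still holds,
    which is what lets step S45 unmask it."""
    if p is INF:
        return r
    if r is INF:
        return p
    (x1, y1), (x2, y2) = p, r
    if x1 == x2:
        if (y1 + y2) % Q == 0:
            return INF
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)


def ec_neg(p):
    return INF if p is INF else (p[0], (-p[1]) % Q)


def ec_mul(k, p):
    """Double-and-add; a negative scalar multiplies the negated point, so the page's
    unreduced scalars such as k_S - h(ID_S) need no reduction mod N."""
    if k < 0:
        k, p = -k, ec_neg(p)
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p, k = ec_add(p, p), k >> 1
    return acc


def h(*parts):
    """Assumed hash: SHA-256 of the '||'-joined inputs, reduced into [0, N)."""
    digest = hashlib.sha256("||".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % N


def register(ident, d, k, sk_as):
    """Steps S211-S213 / S221-S223 for one member: d is the member's random parameter,
    k the server's. Returns (PK, W, sk, S) following the page's formulas."""
    v = ec_mul(h(d, ident), G)                  # V = h(d||ID) G          (member -> server)
    pk = ec_add(v, ec_mul(k - h(ident), G))     # PK = V + (k - h(ID)) G  (server)
    w = k + sk_as * (pk[0] + h(ident))          # W = k + sk_AS (q_x + h(ID))
    sk = w + h(d, ident)                        # sk = W + h(d||ID)       (member)
    return pk, w, sk, ec_mul(sk, G)             # S = sk G, the first verification value


def verify(ident, pk, s, pk_as):
    """Steps S32/S34: S' = PK + h(ID) G + (q_x + h(ID)) PK_AS must equal S. All inputs
    are public, so a pass binds S to PK and the server key; possession of sk is only
    demonstrated later, by being able to use K(A,S)."""
    s_prime = ec_add(ec_add(pk, ec_mul(h(ident), G)), ec_mul(pk[0] + h(ident), pk_as))
    return s_prime == s


def encrypt_rights(af, at, k_shared, k_prime, s_peer):
    """Step S43: M = (A'f, A't) + K(A,S) by point addition; C1 = k' G; Y = k' S_peer;
    C2 = (y1 m1 mod q, y2 m2 mod q). A zero y1 or y2 would be undecryptable, so k'
    must be resampled in that case (a check the page does not mention)."""
    m1, m2 = ec_add((af, at), k_shared)
    y1, y2 = ec_mul(k_prime, s_peer)
    if y1 == 0 or y2 == 0:
        raise ValueError("resample k'")
    return ec_mul(k_prime, G), ((y1 * m1) % Q, (y2 * m2) % Q)


def decrypt_rights(c, sk_self, k_shared):
    """Step S45: Z = sk C1 equals Y (both are k' sk G); m_i = C2_i Z_i^-1 mod q;
    then subtract K(A,S) by adding its negation."""
    c1, (c21, c22) = c
    z1, z2 = ec_mul(sk_self, c1)
    m = ((c21 * pow(z1, -1, Q)) % Q, (c22 * pow(z2, -1, Q)) % Q)
    return ec_add(m, ec_neg(k_shared))


def run_demo():
    """Whole flow with the page's parameters: sk_AS = 9; ID_S = 123, d_S = 432, k_S = 31;
    ID_A = 219, d_A = 424, k_A = 20; A'f = 3158, A't = 1883, k_A' = 502."""
    pk_as = ec_mul(9, G)
    pk_s, _, sk_s, s_s = register(123, 432, 31, 9)
    pk_a, _, sk_a, s_a = register(219, 424, 20, 9)
    if not (verify(219, pk_a, s_a, pk_as) and verify(123, pk_s, s_s, pk_as)):
        raise SystemExit("verification failed")
    k_node, k_user = ec_mul(sk_s, s_a), ec_mul(sk_a, s_s)      # K(A,S) on each side
    c = encrypt_rights(3158, 1883, k_user, 502, s_s)           # user equipment side
    return k_node == k_user, decrypt_rights(c, sk_s, k_node)   # edge node recovers (A'f, A't)


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the two facts a reviewer of this scheme should keep in mind: `ec_mul(sk_s, c1)` and `ec_mul(502, s_s)` are the same point (so Y_A and Z in the worked example must agree), and `verify()` consumes only values that travel in the clear in step S31, so a replayed (ID_A, PK_A, S_A) passes step S32 and is stopped only because the replaying party cannot compute K_(A,S) without sk_A.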
When the service scheduling changes, the user equipment may encounter the following two situations:
Situation 1, the changed service scheduling lies within the service scope controlled and managed by the edge service node:
the edge service node has established the sequences of the services and service schedules it manages, and the user equipment, once authenticated, can use the services according to its needs, so a scheduling change only requires recomputing the authority ciphertext.
Situation 2, the changed service scheduling lies outside the service scope controlled and managed by the edge service node:
in an edge computing system the services are provided by the edge cloud, and the user equipment has more choices and comparisons than when applying to a single service integration center; inevitably the required service is sometimes not in the list of services provided. In that case the original edge service node relays the request to another edge service node under the same authentication server.
Step 1, when the user equipment reports to the edge service node that the service it needs is not in the service sequence A, the edge service node asks the authentication server whether a related service exists (for example a network space storage service) and obtains the service sequence A and service scheduling sequence B of the other edge service nodes.
Table 3 lists the services and service schedules managed by the other edge service nodes. (The table is provided as an image on the original page.)
Step 2, the edge service node transmits the service sequence A and service scheduling sequence B of the other edge service nodes to the user equipment, achieving service relay.
Adding the sequence values of the "network space storage service" and its service schedules gives the vectors U = (9, 11, 6, 3) and U* = (16, 8, 7, 5, 2, 1, 10, 4).
The computed vectors are V = (1, 7, 4, 2) and V* = (-112, -52, -25, -11, -6, -3, 8, 3). (By the rule v_i* = u_i* - 2^(m-i) the second entry should be 8 - 64 = -56; the original uses -52, and the scheduling sequence below was computed from -52.)
Two new pairs of primes are selected, g_n = 31, f_n = 41 and g_m = 97, f_m = 491 (temporarily disregarding the condition q > 4 g f + 1).
With the Chinese remainder theorem the service sequence A* = (288, 786, 1029, 1150) and the service scheduling sequence B = (42114, 4858, 34345, 17174, 32400, 16200, 31923, 39774) are obtained.
Step 3, service scheduling, corresponding to step S4.
The edge service node transmits the service sequence A* = (288, 786, 1029, 1150) and the service scheduling sequence B = (42114, 4858, 34345, 17174, 32400, 16200, 31923, 39774) to the user equipment; the user equipment selects services according to its needs, and the purpose of service relay is achieved.
The scheme has the following features:
first, the user equipment takes part in configuring its key, which prevents collusion attacks;
second, the scheme provides an identity authentication mechanism that can operate off-line, which avoids service interruption;
third, authorized services are encoded as a knapsack sequence, so an attacker cannot learn the content of the service authority, which improves confidentiality;
fourth, the user equipment can change the types and ranges of services at any time within its authorized range, which increases the elasticity of service use;
fifth, the edge cloud stores only the types and ranges of the authorized services, which reduces the risk of authority management;
sixth, the ciphertext of the service is produced by an elliptic curve cryptosystem, which gives higher security;
seventh, the authority ciphertext is encrypted with the shared secret key, which avoids the leakage risk of centralized key management.
It should be understood that equivalents and modifications of the technical solution and inventive concept thereof may occur to those skilled in the art, and all such modifications and alterations should fall within the scope of the appended claims.

Claims (8)

1. A service scheduling method for edge computing, comprising the steps of:
step S1, initial stage: the authentication server sets and discloses an elliptic curve E(F_q), a base point G, an order n, a first public key PK_AS and a hash function h(); the edge service node establishes a service sequence A and a service scheduling sequence B;
step S2, registration stage: the edge service node registers with the authentication server and obtains an edge service node second public key PK_S and an edge service node signature W_S; the user equipment registers with the authentication server and obtains a user equipment second public key PK_A and a user equipment signature W_A;
step S3, verification stage: the user equipment and the edge service node associated through the service mutually verify that the other holds a legal identity and establish a public shared key;
step S4, service scheduling: the user equipment applies for service from the edge service node, obtains the service sequence A and the service scheduling sequence B, computes and encrypts a service authority value A'f and a service scheduling authority value A't according to its requirements and transmits them to the edge service node; the edge service node decrypts them, recovers a service authority t_UA and a service scheduling authority t_UA*, and provides the service.
2. The service scheduling method for edge computing according to claim 1, wherein step S1 comprises:
step S111, the authentication server selects an elliptic curve E(F_q) over the finite field F_q, where q is a large prime of 160 bits or more, and selects on the elliptic curve E(F_q) a base point G of order n, so that nG = O, where O is the point at infinity of the elliptic curve;
step S112, the authentication server selects a one-way collision-free hash function h() and a first private key sk_AS, and computes the first public key PK_AS, i.e. PK_AS = sk_AS G.
3. The service scheduling method for edge computing according to claim 2, wherein in step S1 the edge service node establishes the service sequence A and the service scheduling sequence B through the following steps:
step S121, randomly select an n-dimensional vector U = (u_1, u_2, ..., u_i, ..., u_n), where each u_i is a positive integer, i = 1, ..., n; compute the vector V = (v_1, v_2, ..., v_i, ..., v_n), where v_i = u_i - 2^(n-i), i = 1, ..., n; randomly select two primes g_n and f_n with q > 4 g_n f_n + 1 and satisfying:
(two further conditions on g_n and f_n, given as images in the original)
solve the service sequence with the Chinese remainder theorem: A = (a_1, a_2, ..., a_i, ..., a_n), 0 ≤ a_i ≤ g_n f_n - 1; a_i ≡ u_i (mod g_n), a_i ≡ v_i (mod f_n), i = 1, ..., n; a_i is the sequence value of the i-th service;
service authority: t_A = (t_1, t_2, ..., t_i, ..., t_n), t_i ∈ {0, 1}, i = 1, ..., n; 0 indicates that the user equipment is not allowed to use the service, and 1 indicates that the user equipment is allowed to use the service;
compute the service authority value:
A'f = Σ_{i=1}^{n} a_i t_i;
step S122, randomly select an m-dimensional vector U* = (u_1*, u_2*, ..., u_i*, ..., u_m*), where each u_i* is a positive integer, i = 1, ..., m; compute the vector V* = (v_1*, v_2*, ..., v_i*, ..., v_m*), where v_i* = u_i* - 2^(m-i), i = 1, ..., m; randomly select two primes g_m and f_m with q > 4 g_m f_m + 1 and satisfying:
(two further conditions on g_m and f_m, given as images in the original)
compute the service scheduling sequence with the Chinese remainder theorem: B = (b_1, b_2, ..., b_i, ..., b_m), 0 ≤ b_i ≤ g_m f_m - 1; b_i ≡ u_i* (mod g_m), b_i ≡ v_i* (mod f_m), i = 1, ..., m;
service scheduling authority: t_B = (t_1, t_2, ..., t_i, ..., t_m), t_i ∈ {0, 1}, i = 1, ..., m; 0 indicates that the user equipment is not allowed to use the service schedule, and 1 indicates that the user equipment is allowed to use the service schedule;
compute the service scheduling authority value:
A't = Σ_{i=1}^{m} b_i t_i.
4. The service scheduling method for edge computing according to claim 3, wherein step S2 comprises:
step S211, the edge service node uses its own edge service node identity ID_S and edge service node random parameter d_S to compute the edge service node signature file V_S, i.e. V_S = h(d_S || ID_S) G, and transmits the edge service node identity ID_S and the edge service node signature file V_S to the authentication server, where d_S ∈ [2, n-2] and n is the order of the base point G;
step S212, the authentication server selects a random parameter k_S ∈ [2, n-2], computes the edge service node second public key PK_S and the edge service node signature W_S, and transmits them to the edge service node:
PK_S = V_S + (k_S - h(ID_S)) G = (q_sx, q_sy); where q_sx is the first coordinate of PK_S and q_sy is its second coordinate;
W_S = k_S + sk_AS (q_sx + h(ID_S));
step S213, the edge service node computes the edge service node second private key sk_S, i.e. sk_S = W_S + h(d_S || ID_S); verifies the edge service node second public key PK_S with the edge service node signature W_S; and computes the edge service node first verification value S_S, i.e. S_S = sk_S G.
5. The service scheduling method for edge computing according to claim 4, wherein step S2 comprises: step S221, the user equipment uses its own user equipment identity ID_A and user equipment random parameter d_A to compute the user equipment signature file V_A, i.e. V_A = h(d_A || ID_A) G, and transmits the user equipment identity ID_A and the user equipment signature file V_A to the authentication server, where d_A ∈ [2, n-2] and n is the order of the base point G;
step S222, the authentication server selects a random parameter k_A ∈ [2, n-2], computes the user equipment second public key PK_A and the user equipment signature W_A, and transmits them to the user equipment:
PK_A = V_A + (k_A - h(ID_A)) G = (q_ax, q_ay); where q_ax is the first coordinate of the user equipment second public key PK_A and q_ay is its second coordinate;
W_A = k_A + sk_AS (q_ax + h(ID_A));
step S223, the user equipment, using the user equipment second public key PK_A and the user equipment signature W_A transmitted by the authentication server, computes the user equipment second private key sk_A, i.e. sk_A = W_A + h(d_A || ID_A); verifies the user equipment second public key PK_A with the user equipment signature W_A; and computes the user equipment first verification value S_A, i.e. S_A = sk_A G.
6. The method for scheduling services by edge computing according to claim 5, wherein the step S3 comprises:
step S31, the user equipment transmits the user equipment identity ID_A, the user equipment second public key PK_A and the user equipment first verification value S_A to the edge service node;
step S32, the edge service node calculates the user equipment second verification value S_A':
S_A' = PK_A + h(ID_A) G + [(q_ax + h(ID_A))] PK_AS;
and judges whether the user equipment second verification value is the same as the user equipment first verification value: if so, the user equipment passes the verification as a legal user equipment, and a shared secret key K(A,S) = sk_S × S_A is established for the user equipment and the edge service node; otherwise, the operation is terminated;
step S33, the edge service node transmits the edge service node identity ID_S, the edge service node second public key PK_S and the edge service node first verification value S_S to the user equipment;
step S34, the user equipment calculates the edge service node second verification value S_S':
S_S' = PK_S + h(ID_S) G + [(q_sx + h(ID_S))] PK_AS;
and judges whether the edge service node second verification value is the same as the edge service node first verification value: if the two are the same, the edge service node passes the verification and is a legal edge service node, and the user equipment establishes the shared secret key K(A,S) = sk_A × S_S; otherwise, the operation is terminated.
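The key issuance of claims 4 and 5 (steps S212/S222 and S213/S223) and the mutual verification with shared-key derivation of claim 6 (steps S32 and S34), as an added worked example that is not part of the patent. It assumes secp256k1 as the curve, SHA-256 reduced modulo n as h, a fixed byte encoding of the "||" concatenation, and constructed identities, all of which the claims leave unspecified.

```python
import hashlib, secrets
# secp256k1 parameters (assumed; the claims do not name a curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):                      # affine point addition; None = point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B: l = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else: l = (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P) % P
    x = (l * l - A[0] - B[0]) % P
    return (x, (l * (A[0] - x) - A[1]) % P)

def mul(k, Q):                      # double-and-add scalar multiplication
    R = None; k %= N
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def h(*parts):                      # h(x || y) mapped to a scalar (encoding assumed)
    return int.from_bytes(hashlib.sha256(b"||".join(parts)).digest(), "big") % N

def rnd(): return secrets.randbelow(N - 3) + 2          # random parameter in [2, n-2]

def issue(sk_AS, ID, V):            # authentication server, steps S212 / S222
    k = rnd()
    PK = add(V, mul(k - h(ID), G))                       # PK = V + (k - h(ID)) G
    return PK, (k + sk_AS * (PK[0] + h(ID))) % N         # W = k + sk_AS (q_x + h(ID))

def enrol(sk_AS, ID):               # one party's steps S211-S213 / S221-S223
    d = secrets.token_bytes(16)                          # party's random parameter d
    PK, W = issue(sk_AS, ID, mul(h(d, ID), G))           # V = h(d || ID) G
    sk = (W + h(d, ID)) % N                              # sk = W + h(d || ID)
    return PK, sk, mul(sk, G)                            # S = sk G

def verify(ID, PK, S, PK_AS):       # steps S32 / S34: S' = PK + h(ID) G + (q_x + h(ID)) PK_AS
    return add(add(PK, mul(h(ID), G)), mul(PK[0] + h(ID), PK_AS)) == S

def run():
    sk_AS = rnd(); PK_AS = mul(sk_AS, G)                 # authentication server key pair
    ID_S, ID_A = b"edge-node-01", b"ue-42"               # constructed identities
    PK_S, sk_S, S_S = enrol(sk_AS, ID_S)
    PK_A, sk_A, S_A = enrol(sk_AS, ID_A)
    ok = verify(ID_A, PK_A, S_A, PK_AS) and verify(ID_S, PK_S, S_S, PK_AS)
    bad = verify(b"ue-43", PK_A, S_A, PK_AS)             # a substituted identity must fail
    K_S, K_A = mul(sk_S, S_A), mul(sk_A, S_S)            # K(A,S) computed on each side
    return ok, bad, K_S == K_A
```

Note that verification binds ID, PK and S together through PK_AS only; the check says nothing about freshness, so a replayed (ID, PK, S) triple still passes step S32 unless a nonce or timestamp is added outside what the claims describe.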
7. The method for scheduling services by edge computing according to claim 6, wherein step S4 includes:
step S41, the user equipment applies for service to the edge service node, and the edge service node transmits the service sequence A and the service scheduling sequence B to the user equipment;
step S42, the user equipment calculates the service authority value A'f and the service scheduling authority value A't:
establishing the service authority t_UA according to the use requirement, and calculating the service authority value A'f with the service sequence A:
A = (a_1, a_2, ..., a_i, ..., a_n), 0 ≤ a_i ≤ g_n f_n − 1; t_UA = (t_1, t_2, ..., t_i, ..., t_n), t_i ∈ [0, 1], i = 1, ..., n;
[formula for A'f: given only as an image on the original page]
establishing the service scheduling authority t_UA* according to the use requirement, and calculating the service scheduling authority value A't with the service scheduling sequence B:
B = (b_1, b_2, ..., b_i, ..., b_m), 0 ≤ b_i ≤ g_m f_m − 1; t_UA* = (t_1, t_2, ..., t_i, ..., t_m), t_i ∈ [0, 1], i = 1, ..., m;
[formula for A't: given only as an image on the original page]
step S43, the user equipment randomly selects a parameter k_A', forms the user equipment authority plaintext M from the service authority value A'f and the service scheduling authority value A't as a point message, and then computes the user equipment authority ciphertext C_A0 from the authority plaintext M:
M = ((A'f, A't) + K(A,S)) = (m_1, m_2), where m_1 is the first factor of the user equipment authority plaintext M and m_2 is the second factor of the user equipment authority plaintext M,
C_A1 = k_A' × G,
Y_A = (y_A1, y_A2) = k_A' × S_S, where Y_A is the verification parameter, y_A1 is the first factor of the verification parameter and y_A2 is the second factor of the verification parameter;
C_A2 = (C_21, C_22) = (y_A1 × m_1 mod q, y_A2 × m_2 mod q),
C_A0 = (C_A1, C_A2); where C_A1 is the first factor of the user equipment authority ciphertext C_A0, C_A2 is the second factor of the user equipment authority ciphertext C_A0, C_21 is the first factor of the second factor of C_A0, and C_22 is the second factor of the second factor of C_A0,
step S44, the user equipment transmits the authority ciphertext C_A0 to the edge service node.
8. The method for service scheduling of edge computing according to claim 7, wherein the step S4 further comprises:
step S45, after receiving the authority ciphertext C_A0 transmitted by the user equipment, the edge service node decrypts the content of C_A0;
the edge service node uses its private key sk_S to calculate the Z value:
Z = sk_S × C_A1 = (Z_1, Z_2), where Z_1 is the first factor of the Z value and Z_2 is the second factor of the Z value,
the edge service node uses the shared secret key K(A,S) to calculate the service authority value A'f and the service scheduling authority value A't:
M = (C_21 × Z_1^−1 mod q, C_22 × Z_2^−1 mod q) = (m_1, m_2);
(A'f, A't) = (m_1, m_2) − K(A,S);
the service authority t_UA and the service scheduling authority t_UA* are calculated from the service authority value A'f and the service scheduling authority value A't:
c_gn = A'f mod g_n, 0 ≤ c_gn ≤ g_n − 1;
c_fn = A'f mod f_n, −c_fn/2 < c_fn ≤ c_fn/2;
(c_gn − c_fn)_2 = t_UA = (t_1, t_2, ..., t_i, ..., t_n), t_i ∈ [0, 1], i = 1, ..., n;
c_gm = A't mod g_m, 0 ≤ c_gm ≤ g_m − 1;
c_fm = A't mod f_m, −c_fm/2 < c_fm ≤ c_fm/2;
(c_gm − c_fm)_2 = t_UA* = (t_1, t_2, ..., t_i, ..., t_m), t_i ∈ [0, 1], i = 1, ..., m;
where c_gn, c_fn, c_gm and c_fm are all intermediate values;
step S46, the edge service node determines the user equipment's right to use the service according to the service authority t_UA, and determines the scheduling authority type of the user equipment for the authorized service according to the service scheduling authority t_UA*.
CN202210670997.6A 2022-06-15 2022-06-15 Service scheduling method for edge calculation Active CN114760060B (en)
Publications (2)

Publication Number Publication Date
CN114760060A true CN114760060A (en) 2022-07-15
CN114760060B CN114760060B (en) 2022-09-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A service scheduling method for edge computing

Granted publication date: 20220923

Pledgee: Hangzhou branch of Bank of Nanjing Co.,Ltd.

Pledgor: Hangzhou Tian ship information technology Limited by Share Ltd.

Registration number: Y2024980035594