CN114760060A - Service scheduling method for edge computing - Google Patents
Service scheduling method for edge computing
- Publication number: CN114760060A (application CN202210670997.6A)
- Authority: CN (China)
- Prior art keywords: service, user equipment, edge, service node, authority
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L9/3066: cryptographic mechanisms for secret or secure communication using public keys, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H04L9/3247: cryptographic mechanisms including means for verifying the identity or authority of a user or for message authentication, involving digital signatures
- H04L63/0869: network security protocols for authentication of entities, achieving mutual authentication
- H04L63/10: network security protocols for controlling access to devices or network resources
- H04L63/20: managing network security; network security policies in general
- H04L67/10: protocols in which an application is distributed across nodes in the network
Abstract
A service scheduling method for edge computing belongs to the technical field of data transmission and comprises the following steps. Step S1, initial stage: the authentication server sets and publishes an elliptic curve, a base point, its order, a first public key and a hash function; the edge service node establishes a service sequence and a service scheduling sequence. Step S2, registration stage. Step S3, verification stage: the user equipment and the edge service node associated with a service mutually verify that the other holds a legitimate identity and establish a shared key. Step S4, service scheduling: the user equipment requests service from the edge service node, obtains the service sequence and the service scheduling sequence, computes a service authority value and a service scheduling authority value according to its needs, encrypts them and transmits them to the edge service node; after decryption, the edge service node provides the service according to the recovered service authority and service scheduling authority. In this scheme the user equipment has the right to schedule services according to its needs, so the scope of authority in use can be changed and the elasticity of service use is effectively increased.
Description
Technical Field
The invention belongs to the technical field of data transmission, and particularly relates to a service scheduling method for edge computing.
Background
Edge computing is a model for delivering software as a service: the computing needs of user devices are served through network services. For example, a provider of edge computing services may offer general business applications online, which users log in to through a web browser while the software and data reside on a server. The architecture of edge computing generally comprises services delivered through data centers built on computers and virtualized storage. Any client with a computing need can log in once over the network and then use the service from anywhere in the world.
On the one hand, edge computing has an elasticity requirement for service scheduling. Since most edge computing service schedules are managed by the service provider, when a service needs to be rescheduled, for example when a service or a right changes, the user equipment still has to re-apply or re-authenticate.
On the other hand, edge computing has a security requirement for service scheduling. Because of the edge computing architecture, an attacker can control a remote zombie computer to intrude directly into a back-end server or database, steal data and rights and engage in illegal behaviour, or can use blocking (denial-of-service) attacks to interrupt the service directly.
Chinese patent publication No. CN109508552A discloses a privacy protection method for a distributed cloud storage system that combines distributed storage with blockchain technology: while implementing safe and effective distributed cloud storage, file ownership processing is treated as a blockchain transaction, which provides privacy protection in distributed storage. That scheme is suited to file storage; if its encryption method were applied to services in edge computing, on the one hand it is not dynamically adjustable, so the user equipment would find it difficult to schedule and adjust services, and on the other hand its encryption process is too complex and would lower the execution efficiency of the system.
Disclosure of Invention
In view of the foregoing shortcomings of the prior art, an object of the present invention is to provide a service scheduling method for edge computing.
In order to achieve the above object, the present invention adopts the following technical solutions.
A service scheduling method for edge computing comprises the following steps:
Step S1, initial stage: the authentication server sets and publishes an elliptic curve $E(F_q)$, a base point $G$, its order $n$, a first public key $PK_{AS}$ and a hash function $h(\cdot)$; the edge service node establishes a service sequence $A$ and a service scheduling sequence $B$.
Step S2, registration stage: the edge service node registers with the authentication server and obtains its second public key $PK_S$ and edge service node signature $W_S$; the user equipment registers with the authentication server and obtains its second public key $PK_A$ and user equipment signature $W_A$.
Step S3, verification stage: the user equipment and the edge service node associated with a service mutually verify that the other holds a legitimate identity and establish a shared key.
Step S4, service scheduling: the user equipment requests service from the edge service node, obtains the service sequence $A$ and the service scheduling sequence $B$, computes a service authority value $A'_f$ and a service scheduling authority value $A'_t$ according to its needs, encrypts them and transmits them to the edge service node; after decryption the edge service node provides the service according to the recovered service authority $t_{UA}$ and service scheduling authority $t^*_{UA}$.
Further, step S1 comprises:
Step S111: the authentication server selects an elliptic curve $E(F_q)$ over the finite field $F_q$, where $q$ is a large prime of 160 bits or more, and on $E(F_q)$ selects a base point $G$ of order $n$, so that $nG = O$, where $O$ is the point at infinity of the elliptic curve.
Step S112: the authentication server selects a one-way collision-free hash function $h(\cdot)$ and a first private key $sk_{AS}$, and computes the first public key $PK_{AS} = sk_{AS}\, G$.
Further, in step S1 the edge service node establishes the service sequence $A$ and the service scheduling sequence $B$ as follows:
Step S121: randomly select an $n$-dimensional vector $U = (u_1, u_2, \dots, u_i, \dots, u_n)$ whose entries $u_i$ are all positive integers, $i = 1, \dots, n$ (this $n$ is the number of services and is distinct from the order of $G$);
compute the vector $V = (v_1, v_2, \dots, v_i, \dots, v_n)$ with $v_i = u_i - 2^{n-i}$, $i = 1, \dots, n$;
randomly select two primes $g_n$ and $f_n$ with $q > 4 g_n f_n + 1$, and
solve for the service sequence by the Chinese remainder theorem: $A = (a_1, a_2, \dots, a_i, \dots, a_n)$, $0 \le a_i \le g_n f_n - 1$, $a_i \equiv u_i \pmod{g_n}$, $a_i \equiv v_i \pmod{f_n}$, $i = 1, \dots, n$; $a_i$ is the sequence value of the $i$-th service.
Service authority: $t_A = (t_1, t_2, \dots, t_i, \dots, t_n)$, $t_i \in \{0, 1\}$, $i = 1, \dots, n$; $0$ means the user equipment is not allowed to use the service and $1$ means it is allowed.
Step S122: randomly select an $m$-dimensional vector $U^* = (u_1^*, u_2^*, \dots, u_i^*, \dots, u_m^*)$ whose entries $u_i^*$ are all positive integers, $i = 1, \dots, m$;
compute the vector $V^* = (v_1^*, v_2^*, \dots, v_i^*, \dots, v_m^*)$ with $v_i^* = u_i^* - 2^{m-i}$, $i = 1, \dots, m$;
randomly select two primes $g_m$ and $f_m$ with $q > 4 g_m f_m + 1$, and
compute the service scheduling sequence by the Chinese remainder theorem: $B = (b_1, b_2, \dots, b_i, \dots, b_m)$, $0 \le b_i \le g_m f_m - 1$, $b_i \equiv u_i^* \pmod{g_m}$, $b_i \equiv v_i^* \pmod{f_m}$, $i = 1, \dots, m$.
Service scheduling authority: $t_B = (t_1, t_2, \dots, t_i, \dots, t_m)$, $t_i \in \{0, 1\}$, $i = 1, \dots, m$; $0$ means the user equipment is not allowed to use the service scheduling and $1$ means it is allowed.
further, step S2 includes:
step S211, the edge service node uses its own edge service node ID SAnd edge service node random parameter dSCalculating edge service node signature file VSI.e. VS=h(dS||IDS) G, and identify ID of edge service nodeSAnd edge service node signature file VSTo an authentication server, where dS∈[2,n-2]N is the number of edge service nodes;
step S212, the authentication server selects a random parameter kS∈[2,n-2]Computing the edge service node second public key PKSAnd edge service node signature WSThen transmitting the data to the edge service nodes, wherein n is the number of the edge service nodes;
PKS=VS+(kS-h(IDS))G=(qsx,qsy) (ii) a Wherein q issxIs PKSFirst factor of qsxIs PKSA second factor of (d);
WS=kS+skAS(qsx+h(IDS));
step S213, the edge service node calculates a second private key sk of the edge service nodeSNamely skS=[WS+h(dS||IDS)](ii) a Signing W with edge service nodeSVerifying the edge service node second public key PKSAnd calculating a first verification value S of the edge service nodeSI.e. SS=skSG。
Further, step S2 includes: step S221, the user equipment identifies ID with own user equipment identityAAnd user equipment random parameter dACalculating the signature file V of the user equipmentAI.e. VA=h(dA||IDA) G, and identifying the user equipment identity IDAAnd user equipment signature file VATo an authentication server, where dA∈[2,n-2]N is the number of user equipment;
step S222, the authentication server selects a random parameter k A∈[2,n-2]Computing a second public key PK of the user deviceAAnd user equipment signature WAAnd then transmitting to the user equipment:
PKA=VA+(kA-h(IDA))G=(qax,qay) (ii) a Wherein q isaxSecond public key PK for user equipmentAFirst factor of (b), qaySecond public key PK for user equipmentAThe second factor of (a);
WA=kA+skAS(qax+h(IDA));
step S223, the user equipment sends back the second public key PK of the user equipment according to the authentication serverAAnd user equipment signature WAComputing a user device second private key skANamely skA=[WA+h(dA||IDA)](ii) a Signing W with user equipmentAVerifying the user device second public key PKAAnd calculates a first verification value S of the user equipmentAI.e. SA=skAG。
Further, step S3 comprises: Step S31: the user equipment transmits its identity $ID_A$, its second public key $PK_A$ and its first verification value $S_A$ to the edge service node.
Step S32: the edge service node computes the user equipment second verification value $S_A'$:
$S_A' = PK_A + h(ID_A)\, G + (q_{ax} + h(ID_A))\, PK_{AS}$;
and checks whether the second verification value equals the first, i.e. whether $S_A' = S_A$. If they are equal, the user equipment passes verification and the edge service node establishes the shared key $K_{(A,S)} = sk_S \cdot S_A$ between this legitimate user equipment and itself; otherwise the operation is terminated.
Step S33: the edge service node transmits its identity $ID_S$, its second public key $PK_S$ and its first verification value $S_S$ to the user equipment.
Step S34: the user equipment computes the edge service node second verification value $S_S'$:
$S_S' = PK_S + h(ID_S)\, G + (q_{sx} + h(ID_S))\, PK_{AS}$;
and checks whether $S_S' = S_S$. If they are equal, the edge service node passes verification as a legitimate edge service node and the user equipment establishes the shared key $K_{(A,S)} = sk_A \cdot S_S$; otherwise the operation is terminated.
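Why the equality in step S32 holds for a user equipment registered as in steps S221 to S223 (added derivation; the page states the check but not its justification):
\begin{align*}
S_A &= sk_A\, G = \bigl(W_A + h(d_A \| ID_A)\bigr) G \\
    &= k_A\, G + sk_{AS}\bigl(q_{ax} + h(ID_A)\bigr) G + h(d_A \| ID_A)\, G, \\
S_A' &= PK_A + h(ID_A)\, G + \bigl(q_{ax} + h(ID_A)\bigr) PK_{AS} \\
     &= V_A + \bigl(k_A - h(ID_A)\bigr) G + h(ID_A)\, G + \bigl(q_{ax} + h(ID_A)\bigr) sk_{AS}\, G \\
     &= h(d_A \| ID_A)\, G + k_A\, G + sk_{AS}\bigl(q_{ax} + h(ID_A)\bigr) G = S_A .
\end{align*}
The same substitution with the edge service node's values gives $S_S' = S_S$ in step S34. Note what the check establishes: that $(ID_A, PK_A, S_A)$ was issued under $sk_{AS}$, not by itself that the sender holds $sk_A$; only the holder of $sk_A$ can form the same $K_{(A,S)} = sk_A \cdot S_S = sk_S \cdot S_A$, so possession is demonstrated when the ciphertext of step S4 decrypts correctly in step S45.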
Further, step S4 comprises: Step S41: the user equipment requests service from the edge service node, and the edge service node transmits the service sequence $A$ and the service scheduling sequence $B$ to the user equipment.
Step S42: the user equipment computes the service authority value $A'_f$ and the service scheduling authority value $A'_t$:
it sets the service authority $t_{UA}$ according to its usage needs and computes the service authority value $A'_f$ from it and the service sequence $A$:
$A = (a_1, a_2, \dots, a_i, \dots, a_n)$, $0 \le a_i \le g_n f_n - 1$;
$t_{UA} = (t_1, t_2, \dots, t_i, \dots, t_n)$, $t_i \in \{0, 1\}$, $i = 1, \dots, n$;
it sets the service scheduling authority $t^*_{UA}$ according to its usage needs and computes the service scheduling authority value $A'_t$ from it and the service scheduling sequence $B$:
$B = (b_1, b_2, \dots, b_i, \dots, b_m)$, $0 \le b_i \le g_m f_m - 1$;
$t^*_{UA} = (t_1, t_2, \dots, t_i, \dots, t_m)$, $t_i \in \{0, 1\}$, $i = 1, \dots, m$.
Step S43: the user equipment randomly selects a parameter $k_A'$, forms the user equipment authority plaintext $M$ as a point from the service authority value $A'_f$ and the service scheduling authority value $A'_t$, and then computes from $M$ the user equipment authority ciphertext $C_{A0}$:
$M = (A'_f, A'_t) + K_{(A,S)} = (m_1, m_2)$, where $m_1$ is the first coordinate of the plaintext $M$ and $m_2$ its second coordinate;
$C_{A1} = k_A' \cdot G$;
$Y_A = (y_{A1}, y_{A2}) = k_A' \cdot S_S$, where $Y_A$ is a verification parameter with coordinates $y_{A1}$ and $y_{A2}$;
$C_{A2} = (C_{21}, C_{22}) = (y_{A1} \cdot m_1 \bmod q,\; y_{A2} \cdot m_2 \bmod q)$;
$C_{A0} = (C_{A1}, C_{A2})$, where $C_{A1}$ is the first component of the authority ciphertext $C_{A0}$, $C_{A2}$ its second component, and $C_{21}$, $C_{22}$ the two entries of $C_{A2}$.
Step S44: the user equipment transmits the authority ciphertext $C_{A0}$ to the edge service node.
Further, step S4 also comprises: Step S45: after receiving the authority ciphertext $C_{A0}$ from the user equipment, the edge service node unpacks the content of $C_{A0}$;
with its private key $sk_S$ the edge service node computes the value $Z$:
$Z = sk_S \cdot C_{A1} = (Z_1, Z_2)$, where $Z_1$ and $Z_2$ are the two coordinates of $Z$ (since $sk_S \cdot k_A' G = k_A' \cdot S_S$, $Z$ equals the masking point $Y_A$);
with the shared key $K_{(A,S)}$ the edge service node recovers the service authority value $A'_f$ and the service scheduling authority value $A'_t$:
$M = (C_{21} \cdot Z_1^{-1} \bmod q,\; C_{22} \cdot Z_2^{-1} \bmod q) = (m_1, m_2)$;
$(A'_f, A'_t) = (m_1, m_2) - K_{(A,S)}$;
from $A'_f$ and $A'_t$ it computes the service authority $t_{UA}$ and the service scheduling authority $t^*_{UA}$:
$c_{g_n} = A'_f \bmod g_n$, $0 \le c_{g_n} \le g_n - 1$;
$c_{f_n} = A'_f \bmod f_n$, taken in the centered range $-f_n/2 < c_{f_n} \le f_n/2$;
$(c_{g_n} - c_{f_n})_2 = t_{UA} = (t_1, t_2, \dots, t_i, \dots, t_n)$, $t_i \in \{0, 1\}$, $i = 1, \dots, n$, i.e. the binary digits of $c_{g_n} - c_{f_n}$ are the service authority bits;
$c_{g_m} = A'_t \bmod g_m$, $0 \le c_{g_m} \le g_m - 1$;
$c_{f_m} = A'_t \bmod f_m$, taken in the centered range $-f_m/2 < c_{f_m} \le f_m/2$;
$(c_{g_m} - c_{f_m})_2 = t^*_{UA} = (t_1, t_2, \dots, t_i, \dots, t_m)$, $t_i \in \{0, 1\}$, $i = 1, \dots, m$;
where $c_{g_n}$, $c_{f_n}$, $c_{g_m}$ and $c_{f_m}$ are all intermediate values.
Step S46: the edge service node determines from the service authority $t_{UA}$ which services the user equipment may use, and from the service scheduling authority $t^*_{UA}$ the type of scheduling authority the user equipment holds over the authorised services.
This scheme adopts an elliptic curve cryptosystem, so encryption and decryption are fast, and it adopts knapsack sequences, so service scheduling gains dynamic access characteristics and the burden on the back-end server and database of centrally managing user equipment rights is reduced.
Collusion attack avoided: in this scheme the user equipment may adjust services and rights according to its needs within the authorised range, and the user equipment takes part in configuring the key, so collusion attacks are avoided and service scheduling has both elasticity and security.
Service authority control: in this scheme the user equipment obtains an authorised range of service rights; within that range it has the right to schedule services according to its needs, changing the scope of rights in use, so that when a temporary service is needed the related services can be added immediately. This effectively increases the elasticity of service use and saves rental cost for the user. In conventional schemes the user equipment must re-apply or re-authenticate to change a service or a service right.
Security of cloud storage: the method is suited to edge computing; the encrypted authorised service types and service usage range are stored in the edge cloud, avoiding the leakage risk that comes with centralised rights management. Moreover, even if an attacker obtains the relevant sequence, the attacker cannot learn the authorised service types or the usage range, which secures the usage environment.
Identity authentication: the authentication server is designed as a fair third-party authentication centre. After the user equipment and the edge server complete registration with the authentication server, they exchange information directly and can complete verification using each other's identity information and verification data, deciding whether the other is a legitimate user, with no need for the third-party authentication server to guarantee or coordinate the exchange and no need for it to stay online constantly.
Concealment of data: the user equipment takes part in configuring the key, avoiding the heavy losses that could follow from theft by insiders of a third party holding the keys, and in the service authorisation process a shared key is established and used to encrypt the authority ciphertext, avoiding the risk that the ciphertext is broken because a third-party key is obtained. Moreover, even if an attacker intercepts the sequence, the attacker cannot learn the selectable service and authority types and cannot guess the possible identity and service profile of the user equipment, so the attacker is prevented from mounting a direct blocking attack on the server.
Drawings
FIG. 1 is a block flow diagram of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
Elliptic curve cryptography (ECC) is a public-key technique based on the theory of elliptic curves. It realises encryption, decryption and digital signatures using the hardness of the discrete logarithm problem in the abelian group formed by the points of an elliptic curve over a finite field; by mapping the addition operation on the elliptic curve to the modular multiplication of discrete-logarithm systems, a corresponding elliptic-curve cryptosystem can be built. An elliptic curve is the plane curve $E$ determined by the following Weierstrass equation:
$y^2 z + a_1 x y z + a_3 y z^2 = x^3 + a_2 x^2 z + a_4 x z^2 + a_6 z^3$.
Elliptic curve cryptography has the advantages of short key length, high security and low total time for a digital signature. In a network it also preserves the real-time performance of cooperative work: when data of higher sensitivity (such as a key) is encrypted with elliptic curve cryptography, the speed requirement for large data volumes can be met, security is high, and the security of the system is well guaranteed.
A service scheduling method for edge computing, shown in FIG. 1, comprises an initial stage, a registration stage, a verification stage and a service scheduling stage.
Step S1, initial stage:
S11: the authentication server sets and publishes the elliptic curve $E(F_q)$, the base point $G$, its order $n$, the first public key $PK_{AS}$ and the hash function $h(\cdot)$. The specific steps are:
Step S111: the authentication server selects a secure elliptic curve $E(F_q)$ over the finite field $F_q$, where $q$ is a large prime of 160 bits or more, and on $E(F_q)$ selects a base point $G$ of order $n$ such that $nG = O$, where $O$ is the point at infinity of the elliptic curve.
Step S112: the authentication server selects a one-way collision-free hash function $h(\cdot)$ and a first private key $sk_{AS}$, and computes the first public key $PK_{AS} = sk_{AS}\, G$.
Step S113: the authentication server publishes the elliptic curve $E(F_q)$, the base point $G$, the order $n$, the first public key $PK_{AS}$ and the hash function $h(\cdot)$.
S12: the edge service node establishes the service sequence $A$ and the service scheduling sequence $B$. The specific steps are:
Step S121: the edge service node establishes the service sequence $A$ according to the types and number of services.
Randomly select an $n$-dimensional vector $U = (u_1, u_2, \dots, u_i, \dots, u_n)$ whose entries $u_i$ are all positive integers, $i = 1, \dots, n$.
Compute the vector $V = (v_1, v_2, \dots, v_i, \dots, v_n)$ with $v_i = u_i - 2^{n-i}$, $i = 1, \dots, n$.
Randomly select two primes $g_n$ and $f_n$ with $q > 4 g_n f_n + 1$, such that $g_n$ is greater than the sum of the entries of $U$ and $f_n$ is greater than twice the sum of the absolute values of the entries of $V$ (so that every subset sum of $V$ lies within the centered residue range used in step S45); that is:
solve for the service sequence by the Chinese remainder theorem: $A = (a_1, a_2, \dots, a_i, \dots, a_n)$, $0 \le a_i \le g_n f_n - 1$,
$a_i \equiv u_i \pmod{g_n}$, $a_i \equiv v_i \pmod{f_n}$, $i = 1, \dots, n$; $a_i$ is the sequence value of the $i$-th service.
Service authority: $t_A = (t_1, t_2, \dots, t_i, \dots, t_n)$, $t_i \in \{0, 1\}$, $i = 1, \dots, n$; $0$ means the user equipment is not allowed to use the service and $1$ means it is allowed.
Step S122: the edge service node establishes the service scheduling sequence $B$ according to the types and number of service schedulings.
Randomly select an $m$-dimensional vector $U^* = (u_1^*, u_2^*, \dots, u_i^*, \dots, u_m^*)$ whose entries $u_i^*$ are all positive integers, $i = 1, \dots, m$.
Compute the vector $V^* = (v_1^*, v_2^*, \dots, v_i^*, \dots, v_m^*)$ with $v_i^* = u_i^* - 2^{m-i}$, $i = 1, \dots, m$.
Randomly select two primes $g_m$ and $f_m$ with $q > 4 g_m f_m + 1$, such that $g_m$ is greater than the sum of the entries of $U^*$ and $f_m$ is greater than twice the sum of the absolute values of the entries of $V^*$; that is:
compute the service scheduling sequence by the Chinese remainder theorem: $B = (b_1, b_2, \dots, b_i, \dots, b_m)$, $0 \le b_i \le g_m f_m - 1$,
$b_i \equiv u_i^* \pmod{g_m}$, $b_i \equiv v_i^* \pmod{f_m}$, $i = 1, \dots, m$.
Service scheduling authority: $t_B = (t_1, t_2, \dots, t_i, \dots, t_m)$, $t_i \in \{0, 1\}$, $i = 1, \dots, m$; $0$ means the user equipment is not allowed to use the service scheduling and $1$ means it is allowed.
S13: the edge service node transmits the service sequence $A$ and the service scheduling sequence $B$ to the authentication server for the user equipment to query.
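The sequence construction of steps S121/S122 and the recovery of the authority bits in step S45 of the disclosure, carried through end to end as an added Python example (not code from the patent). It uses small constructed parameters. The formula for the authority value is not printed on the page and is inferred from the decoding rule: with $A'_f = \sum_i t_i a_i$, the residue modulo $g_n$ is $\sum_i t_i u_i$, the centered residue modulo $f_n$ is $\sum_i t_i v_i$, and their difference is $\sum_i t_i 2^{n-i}$, whose binary digits are $t_{UA}$. The prime $f$ is chosen above twice the sum of $|v_i|$ so that every subset sum of $V$ lies in the centered range; the same function builds $B$ from $U^*$.

```python
# Service sequence construction (steps S121/S122) and authority-bit recovery
# (step S45). All numbers below are constructed for illustration; the page
# fixes no concrete parameters.


def is_prime(p: int) -> bool:
    if p < 2:
        return False
    if p % 2 == 0:
        return p == 2
    i = 3
    while i * i <= p:
        if p % i == 0:
            return False
        i += 2
    return True


def next_prime(x: int) -> int:
    """Smallest prime strictly greater than x (trial division; fine at this size)."""
    x += 1
    while not is_prime(x):
        x += 1
    return x


def crt(r1: int, m1: int, r2: int, m2: int) -> int:
    """Chinese remainder theorem for coprime m1, m2: x = r1 (mod m1), x = r2 (mod m2), 0 <= x < m1*m2."""
    k = (r2 - r1) * pow(m1, -1, m2) % m2
    return (r1 + k * m1) % (m1 * m2)


def build_sequence(u):
    """Steps S121/S122: from positive integers u_i build A (or B); returns (A, g, f)."""
    n = len(u)
    if any(x <= 0 for x in u):
        raise ValueError("u_i must be positive integers")
    v = [u[i] - 2 ** (n - 1 - i) for i in range(n)]       # v_i = u_i - 2^(n-i), 1-based i
    g = next_prime(sum(u))                                 # g > sum(U): subset sums of U stay below g
    f = next_prime(max(g, 2 * sum(abs(x) for x in v)))     # f > 2*sum|V| (and f != g): subset sums of V fit the centered range
    a = [crt(u[i] % g, g, v[i] % f, f) for i in range(n)]  # a_i = u_i (mod g), a_i = v_i (mod f)
    return a, g, f


def field_prime_ok(q: int, g: int, f: int) -> bool:
    """Side condition of step S121 on the curve's field prime: q > 4 g f + 1."""
    return q > 4 * g * f + 1


def authority_value(a, t):
    """A'_f (or A'_t). The page does not print the formula; the subset sum
    sum_i t_i a_i is what the decoding rule of step S45 inverts (assumption)."""
    return sum(ai for ai, ti in zip(a, t) if ti == 1)


def centered_mod(x: int, m: int) -> int:
    """Residue of x mod m in the range (-m/2, m/2]."""
    r = x % m
    return r - m if r > m // 2 else r


def decode_authority(value: int, g: int, f: int, n: int):
    """Step S45: c_g = value mod g, c_f = centered value mod f; bits of (c_g - c_f) are t."""
    c_g = value % g                   # = sum t_i u_i
    c_f = centered_mod(value, f)      # = sum t_i v_i
    d = c_g - c_f                     # = sum t_i 2^(n-i)
    return [(d >> (n - 1 - i)) & 1 for i in range(n)]


def demo() -> bool:
    """Round trip on constructed input: four services, the UE requests services 1, 3 and 4."""
    a, g, f = build_sequence([5, 9, 14, 3])
    t_ua = [1, 0, 1, 1]
    value = authority_value(a, t_ua)  # what the UE would encrypt in step S43
    return decode_authority(value, g, f, 4) == t_ua
```

Anyone who obtains $A$ alone learns nothing about which bits a given $A'_f$ encodes only as long as $g_n$ and $f_n$ stay with the edge service node; with the moduli, decoding is the two-line residue computation above, which is why the page keeps $A'_f$ inside the step S4 ciphertext.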
Step S2, registration stage:
Step S21: the edge service node registers with the authentication server and takes part in setting the key.
Step S211: the edge service node uses its identity $ID_S$ and a random parameter $d_S \in [2, n-2]$ ($n$ being the order of $G$) to generate, with the one-way collision-free hash function $h$, the edge service node signature file $V_S = h(d_S \| ID_S)\, G$, and transmits $ID_S$ and $V_S$ to the authentication server.
Step S212: the authentication server selects a random parameter $k_S \in [2, n-2]$, computes the edge service node second public key $PK_S$ and edge service node signature $W_S$, and transmits them to the edge service node. The formulas are:
$PK_S = V_S + (k_S - h(ID_S))\, G = (q_{sx}, q_{sy})$, where $q_{sx}$ is the first coordinate of $PK_S$ and $q_{sy}$ its second coordinate;
$W_S = k_S + sk_{AS}\,(q_{sx} + h(ID_S))$.
Step S213: from the second public key $PK_S$ and signature $W_S$ transmitted by the authentication server, the edge service node computes its second private key $sk_S$, uses the signature $W_S$ to verify the second public key $PK_S$, and computes the edge service node first verification value $S_S$.
The edge service node second private key is computed as
$sk_S = W_S + h(d_S \| ID_S)$.
The edge service node first verification value is computed as
$S_S = sk_S\, G$.
Once an edge service node has completed registration with the authentication server and obtained its second public key $PK_S$ and signature $W_S$, the authentication server no longer needs to perform identity authentication for that node within the system: the node performs mutual identity authentication using the identity $ID_S$ and second public key $PK_S$ issued by the authentication server together with the second private key $sk_S$ it computed itself.
Step S22: the user equipment registers with the authentication server and takes part in setting the key.
Step S221: the user equipment uses its identity $ID_A$ and a random parameter $d_A \in [2, n-2]$ to generate, with the one-way collision-free hash function $h$, the user equipment signature file $V_A = h(d_A \| ID_A)\, G$, and transmits $ID_A$ and $V_A$ to the authentication server.
Step S222: the authentication server selects a random parameter $k_A \in [2, n-2]$, computes the user equipment second public key $PK_A$ and user equipment signature $W_A$, and transmits them to the user equipment. The formulas are:
$PK_A = V_A + (k_A - h(ID_A))\, G = (q_{ax}, q_{ay})$, where $q_{ax}$ is the first coordinate of $PK_A$ and $q_{ay}$ its second coordinate;
$W_A = k_A + sk_{AS}\,(q_{ax} + h(ID_A))$.
Step S223: from the second public key $PK_A$ and signature $W_A$ transmitted by the authentication server, the user equipment computes its second private key $sk_A$, uses the signature $W_A$ to verify the second public key $PK_A$, and computes the user equipment first verification value $S_A$.
The user equipment second private key is computed as
$sk_A = W_A + h(d_A \| ID_A)$.
The user equipment first verification value is computed as
$S_A = sk_A\, G$.
Once a user equipment has completed registration with the authentication server and obtained its second public key $PK_A$ and signature $W_A$, the authentication server no longer needs to perform identity authentication for that user equipment within the system: the user equipment performs mutual identity authentication using the identity $ID_A$ and second public key $PK_A$ issued by the authentication server together with the second private key $sk_A$ it computed itself.
Step S3, verification stage: the user equipment and the edge service node associated through the service mutually verify whether the other party has a legal identity, and establish the shared key.
Step S31, the user equipment transmits the user equipment identity ID_A, the user equipment second public key PK_A and the user equipment first verification value S_A to the edge service node.
Step S32, the edge service node calculates the user equipment second verification value S_A':
S_A' = PK_A + h(ID_A) G + [(q_ax + h(ID_A))] PK_AS.
It then judges whether the user equipment second verification value is the same as the user equipment first verification value, i.e. whether S_A' = S_A. If they are the same, the user equipment passes verification as legal user equipment, and the edge service node establishes the shared secret key K_(A,S) = sk_S × S_A; otherwise the operation is terminated.
Step S33, the edge service node transmits the edge service node identity ID_S, the edge service node second public key PK_S and the edge service node first verification value S_S to the user equipment.
Step S34, the user equipment calculates the edge service node second verification value S_S':
S_S' = PK_S + h(ID_S) G + [(q_sx + h(ID_S))] PK_AS.
It then judges whether the edge service node second verification value is the same as the edge service node first verification value, i.e. whether S_S' = S_S: if they are the same, the edge service node passes verification as a legal edge service node,
and the user equipment establishes the shared secret key K_(A,S) = sk_A × S_S; otherwise the operation is terminated.
In this step, the edge service node and the user equipment need to confirm with each other that (ID_A, S_A, PK_A) and (ID_S, S_S, PK_S) are correct; only after verification can the shared secret key K_(A,S) be established. The verification check equation is as follows:
S_A' = PK_A + h(ID_A) G + [(q_ax + h(ID_A))] PK_AS;
similarly, the user equipment can verify S_S' = S_S. After the two parties have mutually verified each other as legal user equipment and legal edge service node, the shared secret key K_(A,S) can be established.
Step S4, service scheduling: the user equipment applies to use a service and obtains the service sequence A and the service scheduling sequence B; it calculates and encrypts the service authority value A'f and the service scheduling authority value A't according to its requirements and transmits them to the edge service node for service use; the edge service node decrypts the service authority value A'f and the service scheduling authority value A't and provides the service according to the service authority t_UA and the service scheduling authority t_UA*.
Step S41, the user equipment applies for service from the edge service node, and the edge service node transmits the service sequence A and the service scheduling sequence B to the user equipment.
Step S42, when the user equipment receives the service sequence A and the service scheduling sequence B, it calculates the service authority value A'f and the service scheduling authority value A't:
the service authority t_UA is established according to the usage requirement, and the service authority value A'f is calculated with the service sequence A:
A = (a_1, a_2, ..., a_i, ..., a_n), 0 ≤ a_i ≤ g_n f_n − 1.
t_UA = (t_1, t_2, ..., t_i, ..., t_n), t_i ∈ [0, 1], i = 1, ..., n.
The service scheduling authority t_UA* is established according to the usage requirement, and the service scheduling authority value A't is calculated with the service scheduling sequence B:
B = (b_1, b_2, ..., b_i, ..., b_m), 0 ≤ b_i ≤ g_m f_m − 1.
t_UA* = (t_1, t_2, ..., t_i, ..., t_m), t_i ∈ [0, 1], i = 1, ..., m.
Step S43, the user equipment randomly selects a parameter k_A', generates a point message from the user equipment authority plaintext M consisting of the service authority value A'f and the service scheduling authority value A't, and then computes from the authority plaintext M the user equipment authority ciphertext C_A0:
M = ((A'f, A't) + K_(A,S)) = (m_1, m_2), where m_1 is the first factor of the user equipment authority plaintext M and m_2 is the second factor of the user equipment authority plaintext M;
C_A1 = k_A' × G;
Y_A = (y_A1, y_A2) = k_A' × S_S, where Y_A is the verification parameter, y_A1 is the first factor of the verification parameter and y_A2 is the second factor of the verification parameter;
C_A2 = (C_21, C_22) = (y_A1 × m_1 mod q, y_A2 × m_2 mod q);
C_A0 = (C_A1, C_A2); where C_A1 is the first factor of the user equipment authority ciphertext C_A0, C_A2 is the second factor of the user equipment authority ciphertext C_A0, C_21 is the first factor of the second factor of C_A0, and C_22 is the second factor of the second factor of C_A0.
Step S44, the user equipment transmits the authority ciphertext C_A0 to the edge service node.
Step S45, after the edge service node receives the authority ciphertext C_A0 transmitted by the user equipment, it unpacks the contents of C_A0.
The edge service node calculates the Z value with its private key sk_S:
Z = sk_S × C_A1 = (Z_1, Z_2), where Z_1 is the first factor of the Z value and Z_2 is the second factor of the Z value;
the edge service node then uses the shared secret key K_(A,S) to calculate the service authority value A'f and the service scheduling authority value A't:
M = (C_21 × Z_1^(−1) mod q, C_22 × Z_2^(−1) mod q) = (m_1, m_2).
(A'f, A't) = (m_1, m_2) − K_(A,S).
The service authority t_UA and the service scheduling authority t_UA* are then calculated from the service authority value A'f and the service scheduling authority value A't:
c_gn = A'f mod g_n, 0 ≤ c_gn ≤ g_n − 1.
c_fn = A'f mod f_n, −f_n/2 < c_fn ≤ f_n/2.
(c_gn − c_fn)_2 = t_UA = (t_1, t_2, ..., t_i, ..., t_n), t_i ∈ [0, 1], i = 1, ..., n.
c_gm = A't mod g_m, 0 ≤ c_gm ≤ g_m − 1.
c_fm = A't mod f_m, −f_m/2 < c_fm ≤ f_m/2.
(c_gm − c_fm)_2 = t_UA* = (t_1, t_2, ..., t_i, ..., t_m), t_i ∈ [0, 1], i = 1, ..., m.
Here c_gn, c_fn, c_gm and c_fm are all intermediate values, and the subscript 2 denotes the binary representation of the difference.
Step S46, the edge service node determines the user equipment's right to use the service according to the service authority t_UA, and determines the type of scheduling authority the user equipment has for the authorised service according to the service scheduling authority t_UA*.
When the service schedule changes, the user equipment may encounter the following two situations:
First situation: the changed service schedule is within the service scope managed by the edge service node:
the edge service node has established the sequences of the services and service schedules it manages, and authenticated user equipment can use the services according to its requirements, so when the schedule changes the service can be used simply by recalculating the authority ciphertext.
Second situation: the changed service schedule is outside the service scope managed by the edge service node:
in an edge computing system the edge cloud provides the services, and the user equipment has more choices and comparisons than when, for example, applying for services from a single service integration centre; the required service will inevitably sometimes not be in the list of services provided. In this situation, the original edge service node refers the user equipment to another edge service node under the same authentication server to apply for the service.
Step 1, when the user equipment reports to the edge service node that the required service is not in the service sequence A, the edge service node queries the authentication server whether a related service exists, and obtains the service sequence A and the service scheduling sequence B of other edge service nodes.
Step 2, the edge service node transmits the service sequence A and the service scheduling sequence B of the other edge service nodes to the user equipment, achieving service referral.
Step 3, service scheduling is handled as in the service scheduling phase (step S4).
Service scheduling is now simulated with simple data, in order to verify the correctness of the scheme and its application to real objects.
Step S1, initial stage.
S11, the authentication server sets and publishes the elliptic curve E(F_q), the base point G, the order n, the first public key PK_AS and the hash function h(). The specific steps are as follows:
Step S111, the authentication server selects a secure elliptic curve E(F_q) over the finite field F_q:
y^2 ≡ x^3 + 2x + 6 mod p, with prime q = 9013; on the elliptic curve E(F_q) a base point G = (1, 3) of order n = 8908 is selected, so that 8908G = O, where O is the point at infinity of the elliptic curve.
Step S112, the authentication server selects a one-way collision-free hash function h() and a first private key sk_AS = 9, and calculates the first public key PK_AS:
PK_AS = sk_AS G = 9(1, 3) = (2074, 6035).
Step S113, the authentication server publishes the elliptic curve E(F_q): y^2 ≡ x^3 + 2x + 6 mod p, the base point G = (1, 3), the order n = 8908, the first public key PK_AS = (2074, 6035) and the hash function h().
S12, the edge service node establishes a service sequence and a service scheduling sequence, as follows:
Assume that the edge service node manages 3 classes of service in total, and that these 3 classes of service together have 6 types of service schedule, as shown in Table 1.
Table 1 is the services and service schedules managed by the edge service node.
Step S121, the edge service node establishes the service sequence A according to the service types and quantity.
A 3-dimensional vector U = (9, 11, 6) is chosen at random.
The vector V = (5, 9, 5) is calculated.
Two prime numbers g_n = 29 and f_n = 43 are chosen at random, satisfying q > 4 g_n f_n + 1.
The service sequence is obtained using the remainder theorem: A = (908, 1084, 1166).
Step S122, the edge service node establishes the service scheduling sequence B according to the service scheduling types and quantity.
A 6-dimensional vector U* = (16, 8, 7, 5, 2, 1) is chosen at random.
The vector V* = (−16, −8, −1, 1, 0, 0) is calculated.
Two prime numbers g_m = 37 and f_m = 53 are chosen at random, satisfying q > 4 g_m f_m + 1.
The service scheduling sequence is calculated using the remainder theorem: B = (90, 45, 1006, 1485, 742, 371).
Step S13, the edge service node transmits the service sequence A = (908, 1084, 1166) and the service scheduling sequence B = (90, 45, 1006, 1485, 742, 371) to the authentication server for the user equipment to query. The content received by the user equipment is shown in Table 2.
Table 2 is the services and service schedules provided by the edge service node.
Step S2, registration phase:
in this scheme, a service request can only be executed after the legal identity has been confirmed through registration with a public third party. Therefore both the edge service node and the user equipment need to complete registration.
Step S21, the edge service node registers with the authentication server and participates in the setting of the key;
Step S211, the edge service node uses its own edge service node identity ID_S = 123 and edge service node random parameter d_S = 432, and with the one-way collision-free hash function h(ID_S) = 15, h(d_S||ID_S) = 21 generates the edge service node signature file V_S, i.e. V_S = h(d_S||ID_S) G = h(432||123) G = 21(1, 3) = (6070, 7155), and transmits the edge service node identity ID_S and the edge service node signature file V_S to the authentication server.
Step S212, the authentication server selects a random parameter k_S = 31, calculates the edge service node second public key PK_S and the edge service node signature W_S, and transmits them to the edge service node. The calculation formulas are as follows:
PK_S = V_S + (k_S − h(ID_S)) G = (6070, 7155) + 16(1, 3) = (4072, 6525) = (q_sx, q_sy);
W_S = k_S + sk_AS (q_sx + h(ID_S)) = 31 + 9(4072 + 15) = 36814.
Step S213, the edge service node calculates the edge service node second private key sk_S from the edge service node second public key PK_S and the edge service node signature W_S transmitted by the authentication server, verifies the edge service node second public key PK_S with the edge service node signature W_S, and calculates the edge service node first verification value S_S.
The edge service node second private key sk_S is calculated as follows:
sk_S = [W_S + h(d_S||ID_S)] = (36814 + 21) = 36835.
The edge service node first verification value S_S is calculated as follows:
S_S = sk_S G = 36835G = 1203G = (8224, 7690).
The user equipment calculates the edge service node second verification value S_S':
S_S' = PK_S + h(ID_S) G + [(q_sx + h(ID_S))] PK_AS
= (4072, 6525) + 15(1, 3) + [(4072 + 15)](2074, 6035)
= (4072, 6525) + (6316, 4684) + 4087(2074, 6035)
= (5628, 5821) + 4087(2074, 6035)
= (5628, 5821) + (6040, 2038)
= (8224, 7690).
It is judged whether the calculated edge service node second verification value S_S' is identical to the edge service node first verification value S_S, i.e. whether S_S' = S_S.
Step S22, the user equipment registers with the authentication server and participates in the setting of the key;
Step S221, the user equipment uses its own user equipment identity ID_A = 219 and user equipment random parameter d_A = 424, and with the one-way collision-free hash function h(ID_A) = 13, h(d_A||ID_A) = 17 generates the user equipment signature file V_A, i.e. V_A = h(d_A||ID_A) G = h(424||219) G = 17(1, 3) = (6290, 3233), and transmits the user equipment identity ID_A and the user equipment signature file V_A to the authentication server.
Step S222, the authentication server selects a random parameter k_A = 20, calculates the user equipment second public key PK_A and the user equipment signature W_A, and transmits them to the user equipment. The calculation formulas are as follows:
PK_A = V_A + (k_A − h(ID_A)) G
= (6290, 3233) + 7(1, 3)
= (6290, 3233) + (8036, 5437)
= (7085, 3042) = (q_ax, q_ay);
W_A = k_A + sk_AS (q_ax + h(ID_A)) = 20 + 9(7085 + 13) = 63902.
Step S223, the user equipment calculates the user equipment second private key sk_A from the user equipment second public key PK_A and the user equipment signature W_A transmitted by the authentication server, verifies the user equipment second public key PK_A with the user equipment signature W_A, and calculates the user equipment first verification value S_A.
The user equipment second private key sk_A is calculated as follows:
sk_A = [W_A + h(d_A||ID_A)] = (63902 + 17) = 63919.
The user equipment first verification value S_A is calculated as follows:
S_A = sk_A G = 63919G = 1563G = (3560, 6434).
The edge service node calculates the user equipment second verification value S_A':
S_A' = PK_A + h(ID_A) G + [(q_ax + h(ID_A))] PK_AS
= (7085, 3042) + 13(1, 3) + [(7085 + 13)](2074, 6035)
= (7085, 3042) + (6262, 3818) + 7098(2074, 6035)
= (4072, 6525) + 7098(2074, 6035)
= (4072, 6525) + (8897, 4526)
= (3560, 6434).
It is judged whether the user equipment second verification value is the same as the user equipment first verification value, i.e. whether S_A' = S_A.
The user equipment and the edge service node are thus registered with the authentication server. Once each member has completed registration with the authentication server and obtained its own second public key and signature, the authentication server is no longer required to perform identity authentication within the system; mutual identity authentication can be performed with the identity issued by the authentication server, the second public key, and the calculated verification value.
Step S3, verification stage: and mutually verifying whether the user equipment and the edge service node are legal or not through the service related user equipment and the edge service node, and establishing a public key.
Step S31, the user equipment transmits the user equipment ID to the edge service nodeA=219 user equipment second public key PKA= (7085,3042) and user equipment first authentication value SA= (3560,6434); an edge service node for transmitting an edge service node identification ID to the user equipmentS=123, edge service node second public key PKS= (4072,6525) and edge service node first verification value SS=(8224,7690)。
Step S32, the edge service node calculates a second verification value S of the user equipmentA’:
SA’=PKA+h(IDA)G+[(qax+h(IDA))]PKAS。
And judging whether the second verification value of the user equipment is the same as the first verification value of the user equipment, namely SA’SAIf the user equipment is the same as the user equipment, the user equipment passes the verification and is legal user equipment; otherwise, terminating the operation;
edge service node establishing shared secret key K(A,S)=skS×SA。
Step S33, the user equipment calculates the second verification value S of the edge service nodeS’:
SS’=PKS+h(IDS)G+[(qsx+h(IDS))]PKAS。
And judging whether the second verification value of the edge service node is the same as the first verification value of the edge service node, namely SS’SS: if the two are the same, the edge service node passes the verification and is a legal edge service node; otherwise, terminating the operation;
User equipment establishing shared secret key K(A,S)=skA×SS。
In this scheme, the shared secret key K of both parties(A,S)=skS×SA=skA×SS
=36835×(3560,6434)=63919×(8224,7690)
=1203×(3560,6434)=1563×(8224,7690)
=(678,3945)。
Step S4, service scheduling.
Step S41, the user equipment applies for service from the edge service node, and the edge service node transmits the service sequence A and the service scheduling sequence B to the user equipment.
Step S42, when the user equipment receives the service sequence A and the service scheduling sequence B, it calculates the service authority value A'f and the service scheduling authority value A't:
the service authority t_UA is established according to the usage requirement, and the service authority value A'f is calculated with the service sequence A:
A = (908, 1084, 1166).
t_UA = (1, 1, 1).
A'f = (908 × 1) + (1084 × 1) + (1166 × 1) = 3158.
The service scheduling authority t_UA* is established according to the usage requirement, and the service scheduling authority value A't is calculated with the service scheduling sequence B:
B = (90, 45, 1006, 1485, 742, 371).
t_UA* = (1, 1, 1, 0, 1, 0).
A't = (90 × 1) + (45 × 1) + (1006 × 1) + (1485 × 0) + (742 × 1) + (371 × 0) = 1883.
Step S43, the user equipment randomly selects a parameter k_A' = 502, generates a point message from the user equipment authority plaintext M composed of the service authority value A'f and the service scheduling authority value A't, and then computes from the authority plaintext M the user equipment authority ciphertext C_A0:
M = ((A'f, A't) + K_(A,S)) = (m_1, m_2)
= ((3158, 1883) + (678, 3945)) = (5513, 3673).
C_A1 = k_A' × G = 502(1, 3) = (3493, 719).
Y_A = (y_A1, y_A2) = k_A' × S_S = 502 × (8224, 7690) = (3424, 443).
C_A2 = (C_21, C_22)
= (y_A1 × m_1 mod q, y_A2 × m_2 mod q)
= (3424 × 5513 mod 9013, 443 × 3673 mod 9013)
= (6790, 4799).
C_A0 = (C_A1, C_A2) = ((3493, 719), (6790, 4799)).
Step S44, the user equipment transmits the authority ciphertext C_A0 = ((3493, 719), (6790, 4799)) to the edge service node.
Step S45, after the edge service node receives the authority ciphertext C_A0 transmitted by the user equipment, it unpacks the contents of C_A0.
The edge service node calculates the Z value with its private key sk_S = 36835:
Z = sk_S × C_A1 = 36835 × (3493, 719) = 1203 × (3493, 719) = (3423, 443) = (Z_1, Z_2).
The edge service node uses the shared secret key K_(A,S) = (678, 3945) to calculate the service authority value A'f and the service scheduling authority value A't:
M = (C_21 × Z_1^(−1) mod q, C_22 × Z_2^(−1) mod q)
= (6790 × 3423^(−1) mod 9013, 4799 × 443^(−1) mod 9013)
= (6790 × 1762 mod 9013, 4799 × 5066 mod 9013)
= (5513, 3673)
= (m_1, m_2).
(A'f, A't) = (m_1, m_2) − K_(A,S)
= (5513, 3673) − (678, 3945)
= (5513, 3673) + (678, −3945)
= (5513, 3673) + (678, 5068)
= (3158, 1883).
The service authority t_UA and the service scheduling authority t_UA* are calculated from the service authority value A'f and the service scheduling authority value A't:
c_gn = A'f mod g_n = 3158 mod 29 = 26.
c_fn = A'f mod f_n = 3158 mod 43 = 19.
(c_gn − c_fn)_2 = (26 − 19)_2 = (1, 1, 1)_2 = t_UA.
c_gm = A't mod g_m = 1883 mod 37 = 33.
c_fm = A't mod f_m = 1883 mod 53 = −25.
(c_gm − c_fm)_2 = (33 − (−25))_2 = (58)_2 = (1, 1, 1, 0, 1, 0)_2 = t_UA*.
Step S46: according to the service authority t_UA = (1, 1, 1), the edge service node determines the services the user equipment is authorised to use, and according to the service scheduling authority t_UA* = (1, 1, 1, 0, 1, 0) it determines the type of scheduling authority the user equipment has for the authorised services.
When the service schedule changes, the user equipment may encounter the following two situations:
First situation: the changed service schedule is within the service scope controlled and managed by the edge service node:
the edge service node has established the sequences of the services and service schedules it manages, and authenticated user equipment can use the services according to its requirements, so when the schedule changes the service can be used simply by recalculating the authority ciphertext.
Second situation: the changed service schedule is outside the service scope controlled and managed by the edge service node:
in an edge computing system the edge cloud provides the services, and the user equipment has more choices and comparisons than when, for example, applying for services from a single service integration centre; the required service will inevitably sometimes not be in the list of services provided. In this case, the original edge service node refers the user equipment to another edge service node under the same authentication server to apply for the service.
Step 1, when the user equipment reports to the edge service node that the required service is not in the service sequence A, the edge service node queries the authentication server whether a relevant service (such as a network space storage service) exists, and obtains the service sequence A and the service scheduling sequence B of other edge service nodes.
Table 3 is the services and service schedules managed by other edge service nodes.
Step 2, the edge service node transmits the service sequence A and the service scheduling sequence B of the other edge service nodes to the user equipment, achieving service referral.
Adding the sequence values of the "network space storage service" and its service scheduling generates the vectors U = (9, 11, 6, 3) and U* = (16, 8, 7, 5, 2, 1, 10, 4) respectively.
The vectors V = (1, 7, 4, 2) and V* = (−112, −52, −25, −11, −6, −3, 8, 3) are calculated.
Two groups of prime numbers, g_n = 31, f_n = 41 and g_m = 97, f_m = 491, are reselected (temporarily disregarding the condition q > 4gf + 1).
The service sequence A* = (288, 786, 1029, 1150) and the service scheduling sequence B = (42114, 4858, 34345, 17174, 32400, 16200, 31923, 39774) are obtained using the remainder theorem.
Step 3, service scheduling: compare step S4.
The edge service node transmits the service sequence A* = (288, 786, 1029, 1150) and the service scheduling sequence B = (42114, 4858, 34345, 17174, 32400, 16200, 31923, 39774) to the user equipment; the user equipment selects services according to its requirements, and service referral is achieved.
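Steps S1 to S4, together with the sequence re-computation of the referral case above, run end to end as an added example that is not the patent's own code. It uses the page's toy parameters (curve, G, sk_AS = 9, identities, random parameters and knapsack vectors) and the A'f = Σ a_i t_i rule of the worked example; h() is a constructed stand-in (SHA-256 reduced mod n) because the page fixes none, so the intermediate points differ from the page's, while the verification equation, shared-key agreement, ciphertext round trip and knapsack decoding are checked as properties.

```python
# Added example, not the patent's code: steps S1-S4 on the page's toy curve
# y^2 = x^3 + 2x + 6 over F_9013, G = (1, 3), n = 8908. h() is a constructed
# stand-in (SHA-256 mod n); the page never specifies the hash it uses.
import hashlib

P, A_COEF = 9013, 2              # curve y^2 = x^3 + 2x + 6 mod 9013 (b = 6 unused by formulas)
G, N = (1, 3), 8908              # base point and its published order n (step S111)
INF = None                       # point at infinity O


def ec_add(p1, p2):
    """Chord-and-tangent addition modulo P; INF is the identity element."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_neg(p):
    return INF if p is INF else (p[0], (-p[1]) % P)


def ec_mul(k, p):
    """Double-and-add scalar multiplication k*p; a negative k multiplies -p."""
    if k < 0:
        return ec_mul(-k, ec_neg(p))
    result, addend = INF, p
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def h(*parts):
    """Stand-in for the page's one-way hash h(); '||' is modelled by a separator."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def register(identity, d, k, sk_as):
    """Steps S211-S213 / S221-S223 for one member, server side and member side together.
    Returns (PK, sk, S): second public key, second private key, first verification value."""
    v = ec_mul(h(d, identity), G)                        # V = h(d||ID) G, sent to the server
    pk = ec_add(v, ec_mul(k - h(identity), G))           # server: PK = V + (k - h(ID)) G
    w = k + sk_as * (pk[0] + h(identity))                # server: W = k + sk_AS (q_x + h(ID))
    sk = w + h(d, identity)                              # member: sk = W + h(d||ID)
    return pk, sk, ec_mul(sk, G)                         # member: S = sk G


def verify_peer(identity, pk, s, pk_as):
    """Steps S32/S34: recompute S' = PK + h(ID) G + (q_x + h(ID)) PK_AS and compare with S."""
    s_prime = ec_add(ec_add(pk, ec_mul(h(identity), G)), ec_mul(pk[0] + h(identity), pk_as))
    return s_prime == s


def crt_sequence(u, g, f):
    """Steps S121/S122: a_i = CRT(u_i mod g, v_i mod f), v_i = u_i - 2^(n-i), 0 <= a_i < gf."""
    n, seq = len(u), []
    for i, ui in enumerate(u, start=1):
        vi = ui - 2 ** (n - i)
        t = (vi - ui) * pow(g, -1, f) % f                # x = ui + g*t satisfies both congruences
        seq.append((ui + g * t) % (g * f))
    return seq


def authority_value(seq, t):
    """A'f = sum a_i t_i, as in the worked example of step S42 (t is the 0/1 authority vector)."""
    return sum(a * b for a, b in zip(seq, t))


def decode_authority(value, g, f, length):
    """Step S45: c_g = value mod g, c_f = value mod f centred into (-f/2, f/2];
    the binary digits of c_g - c_f are the authority vector."""
    c_g, c_f = value % g, value % f
    if c_f > f // 2:
        c_f -= f
    return tuple(int(b) for b in bin(c_g - c_f)[2:].zfill(length))


def encrypt_authority(af, at, k_prime, shared_key, s_peer):
    """Step S43 as the page writes it: M = (A'f, A't) + K by the chord formula (the page
    gives no other point encoding), then C_A1 = k' G and C_A2 masks M with Y_A = k' S_S."""
    m = ec_add((af, at), shared_key)
    c1 = ec_mul(k_prime, G)
    y = ec_mul(k_prime, s_peer)
    return c1, (y[0] * m[0] % P, y[1] * m[1] % P)


def decrypt_authority(cipher, sk_peer, shared_key):
    """Step S45: Z = sk_S C_A1 equals Y_A, so dividing by Z and subtracting K recovers (A'f, A't)."""
    c1, (c21, c22) = cipher
    z = ec_mul(sk_peer, c1)
    m = (c21 * pow(z[0], -1, P) % P, c22 * pow(z[1], -1, P) % P)
    return ec_add(m, ec_neg(shared_key))
```

Values A'f and A't must stay below q for the recovery to be exact, which the page's condition q > 4gf + 1 keeps comfortably true for the sequences above.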
The scheme has the following features:
First, the user equipment participates in the configuration of the key, thereby avoiding collusion attacks.
Second, the scheme configures an identity authentication mechanism that can operate off-line, thereby avoiding service interruption.
Third, authorised services use a knapsack sequence, so an attacker cannot learn the authority content of the service, which improves secrecy.
Fourth, the user equipment can change the types and ranges of services within its authorised range at any time, which increases the elasticity of service use.
Fifth, the edge cloud only stores the types and ranges of authorised services, which reduces the risk of authority management.
Sixth, the ciphertext encryption of the service is performed by the elliptic curve cryptosystem, achieving higher security.
Seventh, the shared secret key is used for encrypting the authority ciphertext, which avoids the leakage risk of centralised key management.
It should be understood that equivalents and modifications of the technical solution and inventive concept thereof may occur to those skilled in the art, and all such modifications and alterations should fall within the scope of the appended claims.
Claims (8)
1. A service scheduling method for edge computing, comprising the following steps:
step S1, initial stage: the authentication server sets and publishes an elliptic curve E(F_q), a base point G, an order n, a first public key PK_AS and a hash function h(); the edge service node establishes a service sequence A and a service scheduling sequence B;
step S2, registration phase: the edge service node registers with the authentication server and obtains the edge service node second public key PK_S and the edge service node signature W_S; the user equipment registers with the authentication server and obtains the user equipment second public key PK_A and the user equipment signature W_A;
step S3, verification stage: the user equipment and the edge service node associated with the service mutually verify whether the other party has a legal identity, and establish a public shared key;
step S4, service scheduling: the user equipment applies for service from the edge service node, obtains the service sequence A and the service scheduling sequence B, calculates and encrypts the service authority value A'f and the service scheduling authority value A't according to its requirements, and transmits them to the edge service node for service use; the edge service node decrypts the service authority value A'f and the service scheduling authority value A't and provides the service according to the service authority t_UA and the service scheduling authority t_UA*.
2. The service scheduling method for edge computing according to claim 1, wherein step S1 comprises:
step S111, the authentication server selects an elliptic curve E(F_q) over the finite field F_q, where q is a large prime of 160 bits or more, and selects on the elliptic curve E(F_q) a base point G of order n, such that nG = O, where O is the point at infinity of the elliptic curve;
step S112, the authentication server selects a one-way collision-free hash function h() and a first private key sk_AS, and calculates the first public key PK_AS, i.e. PK_AS = sk_AS G.
3. The service scheduling method for edge computing according to claim 2, wherein in step S1 the edge service node establishes the service sequence A and the service scheduling sequence B by the following steps:
step S121, an n-dimensional vector U = (u_1, u_2, ..., u_i, ..., u_n) is randomly selected, where all u_i are positive integers, i = 1, ..., n; the vector V = (v_1, v_2, ..., v_i, ..., v_n) is calculated, where v_i = u_i − 2^(n−i), i = 1, ..., n; two prime numbers g_n and f_n are randomly selected, with q > 4 g_n f_n + 1, and:,;
the service sequence is obtained using the remainder theorem: A = (a_1, a_2, ..., a_i, ..., a_n), 0 ≤ a_i ≤ g_n f_n − 1; a_i ≡ u_i (mod g_n), a_i ≡ v_i (mod f_n), i = 1, ..., n; a_i represents the sequence value of the i-th service;
service authority: t_A = (t_1, t_2, ..., t_i, ..., t_n), t_i ∈ [0, 1], i = 1, ..., n; 0 indicates that the user equipment is not allowed to use the service, and 1 indicates that the user equipment is allowed to use the service;
step S122, an m-dimensional vector U* = (u_1*, u_2*, ..., u_i*, ..., u_m*) is randomly selected, where all u_i* are positive integers, i = 1, ..., m; the vector V* = (v_1*, v_2*, ..., v_i*, ..., v_m*) is calculated, where v_i* = u_i* − 2^(m−i), i = 1, ..., m; two prime numbers g_m and f_m are randomly selected, with q > 4 g_m f_m + 1, and:,;
the service scheduling sequence is calculated using the remainder theorem: B = (b_1, b_2, ..., b_i, ..., b_m), 0 ≤ b_i ≤ g_m f_m − 1; b_i ≡ u_i* (mod g_m), b_i ≡ v_i* (mod f_m), i = 1, ..., m;
service scheduling authority: t_B = (t_1, t_2, ..., t_i, ..., t_m), t_i ∈ [0, 1], i = 1, ..., m; 0 indicates that the user equipment is not allowed to use the service schedule, and 1 indicates that the user equipment is allowed to use the service schedule;
4. The service scheduling method for edge computing according to claim 3, wherein step S2 comprises:
step S211, the edge service node uses its own edge service node identity ID_S and edge service node random parameter d_S to calculate the edge service node signature file V_S, i.e. V_S = h(d_S||ID_S) G, and transmits the edge service node identity ID_S and the edge service node signature file V_S to the authentication server, where d_S ∈ [2, n−2] and n is the number of edge service nodes;
step S212, the authentication server selects a random parameter k_S ∈ [2, n−2], calculates the edge service node second public key PK_S and the edge service node signature W_S, and then transmits them to the edge service node, where n is the number of edge service nodes;
PK_S = V_S + (k_S − h(ID_S)) G = (q_sx, q_sy); where q_sx is the first factor of PK_S and q_sy is the second factor of PK_S;
W_S = k_S + sk_AS (q_sx + h(ID_S));
step S213, the edge service node calculates the edge service node second private key sk_S, i.e. sk_S = [W_S + h(d_S||ID_S)]; verifies the edge service node second public key PK_S with the edge service node signature W_S, and calculates the edge service node first verification value S_S, i.e. S_S = sk_S G.
5. The service scheduling method for edge computing according to claim 4, wherein step S2 comprises: step S221, the user equipment uses its own user equipment identity ID_A and user equipment random parameter d_A to calculate the user equipment signature file V_A, i.e. V_A = h(d_A||ID_A) G, and transmits the user equipment identity ID_A and the user equipment signature file V_A to the authentication server, where d_A ∈ [2, n−2] and n is the number of user equipment;
step S222, the authentication server selects a random parameter k_A ∈ [2, n−2], calculates the user equipment second public key PK_A and the user equipment signature W_A, and then transmits them to the user equipment:
PK_A = V_A + (k_A − h(ID_A)) G = (q_ax, q_ay); where q_ax is the first factor of the user equipment second public key PK_A and q_ay is the second factor of the user equipment second public key PK_A;
W_A = k_A + sk_AS (q_ax + h(ID_A));
step S223, the user equipment calculates the user equipment second private key sk_A from the user equipment second public key PK_A and the user equipment signature W_A transmitted by the authentication server, i.e. sk_A = [W_A + h(d_A||ID_A)]; verifies the correctness of the user equipment second public key PK_A with the user equipment signature W_A, and calculates the user equipment first verification value S_A, i.e. S_A = sk_A G.
6. The service scheduling method for edge computing according to claim 5, wherein step S3 comprises: step S31, the user equipment transmits the user equipment identity ID_A, the user equipment second public key PK_A and the user equipment first verification value S_A to the edge service node;
step S32, the edge service node calculates the user equipment second verification value S_A':
S_A' = PK_A + h(ID_A) G + [(q_ax + h(ID_A))] PK_AS;
it judges whether the user equipment second verification value is the same as the user equipment first verification value; if so, the user equipment passes verification as legal user equipment and the edge service node establishes the shared secret key K_(A,S) = sk_S × S_A; otherwise the operation is terminated;
step S33, the edge service node transmits the edge service node identity ID_S, the edge service node second public key PK_S and the edge service node first verification value S_S to the user equipment;
step S34, the user equipment calculates the edge service node second verification value S_S':
S_S' = PK_S + h(ID_S) G + [(q_sx + h(ID_S))] PK_AS;
it judges whether the edge service node second verification value is the same as the edge service node first verification value: if they are the same, the edge service node passes verification as a legal edge service node and the user equipment establishes the shared secret key K_(A,S) = sk_A × S_S; otherwise the operation is terminated.
7. The service scheduling method for edge computing according to claim 6, wherein step S4 comprises: step S41, the user equipment applies for service from the edge service node, and the edge service node transmits the service sequence A and the service scheduling sequence B to the user equipment;
step S42, the user equipment calculates the service authority value A'f and the service scheduling authority value A't;
the service authority t_UA is established according to the usage requirement, and the service authority value A'f is calculated with the service sequence A:
A = (a_1, a_2, ..., a_i, ..., a_n), 0 ≤ a_i ≤ g_n f_n − 1; t_UA = (t_1, t_2, ..., t_i, ..., t_n), t_i ∈ [0, 1], i = 1, ..., n;
the service scheduling authority t_UA* is established according to the usage requirement, and the service scheduling authority value A't is calculated with the service scheduling sequence B;
B = (b_1, b_2, ..., b_i, ..., b_m), 0 ≤ b_i ≤ g_m f_m − 1; t_UA* = (t_1, t_2, ..., t_i, ..., t_m), t_i ∈ [0, 1], i = 1, ..., m;
step S43, the user equipment randomly selects a parameter k_A', generates a point message from the user equipment authority plaintext M consisting of the service authority value A'f and the service scheduling authority value A't, and then computes from the authority plaintext M the user equipment authority ciphertext C_A0;
M = ((A'f, A't) + K_(A,S)) = (m_1, m_2), where m_1 is the first factor of the user equipment authority plaintext M and m_2 is the second factor of the user equipment authority plaintext M;
C_A1 = k_A' × G;
Y_A = (y_A1, y_A2) = k_A' × S_S, where Y_A is the verification parameter, y_A1 is the first factor of the verification parameter and y_A2 is the second factor of the verification parameter;
C_A2 = (C_21, C_22) = (y_A1 × m_1 mod q, y_A2 × m_2 mod q);
C_A0 = (C_A1, C_A2); where C_A1 is the first factor of the user equipment authority ciphertext C_A0, C_A2 is the second factor of the user equipment authority ciphertext C_A0, C_21 is the first factor of the second factor of C_A0, and C_22 is the second factor of the second factor of C_A0;
step S44, the user equipment transmits the authority ciphertext C_A0 to the edge service node.
8. The method for service scheduling of edge computing according to claim 7, wherein step S4 further comprises:
Step S45, after receiving the authority ciphertext $C_{A0}$ transmitted by the user equipment, the edge service node decrypts the content of $C_{A0}$:
the edge service node calculates the value $Z$ with its private key $sk_S$:
$Z = sk_S \times C_{A1} = (Z_1, Z_2)$, where $Z_1$ is the first factor of $Z$ and $Z_2$ is its second factor;
the edge service node then uses the shared secret key $K_{(A,S)}$ to obtain the service authority value $A'_f$ and the service scheduling authority value $A'_t$:
$M = (C_{21} \times Z_1^{-1} \bmod q,\; C_{22} \times Z_2^{-1} \bmod q) = (m_1, m_2)$;
$(A'_f, A'_t) = (m_1, m_2) - K_{(A,S)}$;
and calculates the service authority $t_{UA}$ and the service scheduling authority $t_{UA}^*$ from $A'_f$ and $A'_t$:
$c_{gn} = A'_f \bmod g_n$, $0 \le c_{gn} \le g_n - 1$;
$c_{fn} = A'_f \bmod f_n$, $-f_n/2 < c_{fn} \le f_n/2$;
$(c_{gn} - c_{fn})_2 = t_{UA} = (t_1, t_2, \ldots, t_i, \ldots, t_n)$, $t_i \in [0,1]$, $i = 1, \ldots, n$;
$c_{gm} = A'_t \bmod g_m$, $0 \le c_{gm} \le g_m - 1$;
$c_{fm} = A'_t \bmod f_m$, $-f_m/2 < c_{fm} \le f_m/2$;
$(c_{gm} - c_{fm})_2 = t_{UA}^* = (t_1, t_2, \ldots, t_i, \ldots, t_m)$, $t_i \in [0,1]$, $i = 1, \ldots, m$;
where $c_{gn}$, $c_{fn}$, $c_{gm}$ and $c_{fm}$ are intermediate values;
Step S46, the edge service node determines the user equipment's right to use the service according to the service authority $t_{UA}$, and determines the type of scheduling authority the user equipment holds over the authorized service according to the service scheduling authority $t_{UA}^*$.
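The exchange of claims 6 to 8 (steps S31 to S46), carried through end to end as an added Python example; this is not code from the patent or its applicant. The claims leave several items undefined, so the example fixes them as assumptions: the curve is secp256k1 with generator $G$ of order $N$, and $q$ is its field prime; each party's first verification value $S_X$ is $sk_X \cdot G$ with $sk_X = x_X + h(ID_X) + (q_{Xx} + h(ID_X))\,s \bmod N$, where $PK_X = x_X \cdot G$, $PK_{AS} = s \cdot G$ is a system public key and $q_{Xx}$ stands in for the page's $q_{ax}$ / $q_{sx}$ as a public per-party scalar (this is the choice under which the S32/S34 identity holds and both shared-key computations agree); $h$ is SHA-256 reduced mod $N$; "$+ K_{(A,S)}$" adds the point's x and y coordinates to the integer pair; the encoding of $A'_f$ is the CRT inverse of the page's decode rule, with the bits of $(c_{gn} - c_{fn})_2$ taken least-significant first; and one $(g, f)$ pair serves both sequences. Two points a practitioner should take from the equations: the equality check in S32/S34 only confirms that $S_X$ is consistent with the public values $(ID_X, PK_X, PK_{AS})$, so a replayed triple passes it and the peer is bound to $sk_X$ only through $K_{(A,S)}$; and the masks $y_{A1}, y_{A2}$ must be non-zero mod $q$ or the inverses in S45 do not exist, so the example redraws $k_A'$ in that case.

```python
# Added example for claims 6-8; not the patent's code. Assumptions (see lead-in):
# secp256k1 (G of order N over F_P, q = P); S_X = sk_X*G with
# sk_X = x_X + h(ID_X) + (q_Xx + h(ID_X))*s mod N, PK_X = x_X*G, PK_AS = s*G.
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    # Affine addition on y^2 = x^3 + 7; None is the point at infinity.
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, p):
    # Double-and-add; not constant time, demonstration only.
    r = None
    while k:
        if k & 1: r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r

def h(ident):
    # Assumed hash h(.): SHA-256 of the identifier, reduced mod N.
    return int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % N

def keygen(ident, s):
    # Party X publishes (ID_X, PK_X = x*G, q_x, S_X = sk_X*G) and keeps sk_X;
    # q_x is the assumed public per-party scalar standing in for q_ax / q_sx.
    x, q_x = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    sk = (x + h(ident) + (q_x + h(ident)) * s) % N
    return {"id": ident, "PK": ec_mul(x, G), "q": q_x, "sk": sk, "S": ec_mul(sk, G)}

def verify(peer, PK_AS):
    # S32 / S34: S' = PK + h(ID)G + (q + h(ID))PK_AS must equal the S received.
    hid = h(peer["id"])
    s_prime = ec_add(ec_add(peer["PK"], ec_mul(hid, G)),
                     ec_mul((peer["q"] + hid) % N, PK_AS))
    return s_prime == peer["S"]

def encrypt_rights(Af, At, K, S_S):
    # S43: M = (A'_f, A'_t) + K (coordinate-wise, assumed), C_A1 = k*G,
    # Y_A = k*S_S, C_A2 = (y_A1*m1 mod q, y_A2*m2 mod q), C_A0 = (C_A1, C_A2).
    m1, m2 = (Af + K[0]) % P, (At + K[1]) % P
    while True:
        k = secrets.randbelow(N - 1) + 1
        y1, y2 = ec_mul(k, S_S)
        if y1 and y2:   # a zero coordinate has no inverse in S45: redraw k
            return ec_mul(k, G), (y1 * m1 % P, y2 * m2 % P)

def decrypt_rights(C_A0, sk_S, K):
    # S45: Z = sk_S*C_A1 equals Y_A because S_S = sk_S*G; unmask, subtract K.
    C1, (c21, c22) = C_A0
    z1, z2 = ec_mul(sk_S, C1)
    m1, m2 = c21 * pow(z1, -1, P) % P, c22 * pow(z2, -1, P) % P
    return (m1 - K[0]) % P, (m2 - K[1]) % P

def decode_rights(value, g, f, nbits):
    # S45 tail: c_g = value mod g in [0, g-1], c_f = value mod f in (-f/2, f/2],
    # and the bits of c_g - c_f form the authority vector (LSB first, assumed).
    c_g, c_f = value % g, value % f
    if c_f > f // 2: c_f -= f
    t = c_g - c_f
    return [(t >> i) & 1 for i in range(nbits)]

def encode_rights(bits, g, f):
    # Constructed inverse of decode_rights (this example's choice, not the page's):
    # pick value = t (mod g) and 0 (mod f) by CRT, so that c_g - c_f = t.
    t = sum(b << i for i, b in enumerate(bits))
    if t >= g: raise ValueError("too many authority bits for modulus g")
    return t * f * pow(f, -1, g) % (g * f)

def run_protocol(bits_f=(1, 0, 1, 1), bits_t=(0, 1, 1), g=1021, f=2053):
    # S31-S46 between user equipment A and edge service node S; one (g, f)
    # pair is used for both sequences for brevity.
    s = secrets.randbelow(N - 1) + 1          # system secret behind PK_AS (assumed)
    PK_AS = ec_mul(s, G)
    ue, node = keygen("UE-A", s), keygen("EDGE-S", s)
    if not (verify(ue, PK_AS) and verify(node, PK_AS)):   # S32, S34
        return None
    K_node = ec_mul(node["sk"], ue["S"])      # K_(A,S) = sk_S * S_A
    K_ue = ec_mul(ue["sk"], node["S"])        # K_(A,S) = sk_A * S_S
    Af, At = encode_rights(bits_f, g, f), encode_rights(bits_t, g, f)
    C_A0 = encrypt_rights(Af, At, K_ue, node["S"])         # S43, S44
    Af2, At2 = decrypt_rights(C_A0, node["sk"], K_node)    # S45
    return {"keys_match": K_node == K_ue, "plain_ok": (Af2, At2) == (Af, At),
            "t_UA": decode_rights(Af2, g, f, len(bits_f)),          # S46 inputs
            "t_UA_star": decode_rights(At2, g, f, len(bits_t))}
```

`run_protocol()` returns the two decoded authority vectors together with flags showing that both sides derived the same $K_{(A,S)}$ and that the node recovered exactly the $(A'_f, A'_t)$ the user equipment sent; `verify` rejects a triple whose $S_X$ was built against a different system key or altered in transit.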
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210670997.6A CN114760060B (en) | 2022-06-15 | 2022-06-15 | Service scheduling method for edge calculation |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210670997.6A CN114760060B (en) | 2022-06-15 | 2022-06-15 | Service scheduling method for edge calculation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114760060A true CN114760060A (en) | 2022-07-15 |
CN114760060B CN114760060B (en) | 2022-09-23 |
Family
ID=82336543
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210670997.6A Active CN114760060B (en) | 2022-06-15 | 2022-06-15 | Service scheduling method for edge calculation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114760060B (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110055553A1 (en) * | 2009-08-26 | 2011-03-03 | Lee Sung-Young | Method for controlling user access in sensor networks |
CN110191469A (en) * | 2019-06-19 | 2019-08-30 | 西南交通大学 | A certificate-based group authenticated key agreement method for wireless body area networks |
CN111090522A (en) * | 2019-12-13 | 2020-05-01 | 南京邮电大学 | Scheduling system and decision method for service deployment and migration in mobile edge computing environment |
CN111614657A (en) * | 2020-05-18 | 2020-09-01 | 北京邮电大学 | Mobile edge security service method and system based on mode selection |
US20200358877A1 (en) * | 2019-05-09 | 2020-11-12 | Toyota Motor Engineering & Manufacturing North America, Inc. | Methods and systems for allocating service requests from mobile objects among edge servers |
CN111935714A (en) * | 2020-07-13 | 2020-11-13 | 兰州理工大学 | Identity authentication method in mobile edge computing network |
CN112532683A (en) * | 2020-10-30 | 2021-03-19 | 北京盛和信科技股份有限公司 | Edge calculation method and device based on micro-service architecture |
CN112600895A (en) * | 2020-12-07 | 2021-04-02 | 中国科学院深圳先进技术研究院 | Service scheduling method, system, terminal and storage medium for mobile edge computing |
CN113569213A (en) * | 2021-08-13 | 2021-10-29 | 河南中盾云安信息科技有限公司 | Industrial park application safety support system and method based on 5G technology |
CN114390060A (en) * | 2021-12-13 | 2022-04-22 | 杭州网鼎科技有限公司 | Method for distributing edge computing network and storage medium |
2022-06-15: CN CN202210670997.6A patent/CN114760060B/en, status Active
Non-Patent Citations (2)
Title |
---|
Jiarong Han; Houpeng Wang; Shaojun Wu; Junyong Wei; Lei Yan: "Task Scheduling of High Dynamic Edge Cluster in Satellite Edge Computing", 2020 IEEE World Congress on Services (SERVICES) * |
吴鸿飞 (Wu Hongfei): "Research on microservice scheduling algorithms based on edge computing" (基于边缘计算的微服务调度算法研究), China Master's Theses Full-text Database (中国优秀硕士学位论文全文数据库) * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115170132A (en) * | 2022-09-07 | 2022-10-11 | 浙江浙商互联信息科技有限公司 | Payment method suitable for high-speed post network member system |
CN115170132B (en) * | 2022-09-07 | 2022-12-09 | 浙江浙商互联信息科技有限公司 | Payment method suitable for high-speed post network member system |
Also Published As
Publication number | Publication date |
---|---|
CN114760060B (en) | 2022-09-23 |
Similar Documents
Publication | Title |
---|---|
CN107947913B (en) | Anonymous authentication method and system based on identity |
CN113364576B (en) | Data encryption evidence storing and sharing method based on block chain |
CN108667625B (en) | Digital signature method of cooperative SM2 |
US7359507B2 (en) | Server-assisted regeneration of a strong secret from a weak secret |
US5481613A (en) | Computer network cryptographic key distribution system |
JP4639084B2 (en) | Encryption method and encryption apparatus for secure authentication |
EP2014000B1 (en) | Method for elliptic curve public key cryptographic validation |
US7716482B2 (en) | Conference session key distribution method in an ID-based cryptographic system |
US20070242830A1 (en) | Anonymous Certificates with Anonymous Certificate Show |
EP1376976A1 (en) | Methods for authenticating potential members invited to join a group |
US20220029969A1 (en) | Method and Apparatus for Effecting a Data-Based Activity |
CN105978695A (en) | Batch self-auditing method for cloud storage data |
GB2490407A (en) | Joint encryption using base groups, bilinear maps and consistency components |
US20200336470A1 (en) | Method and apparatus for effecting a data-based activity |
Saranya et al. | Cloud based efficient authentication for mobile payments using key distribution method |
CN114036539A (en) | Safety auditable Internet of things data sharing system and method based on block chain |
CN113708917A (en) | APP user data access control system and method based on attribute encryption |
CN114760060B (en) | Service scheduling method for edge calculation |
CN110557367A (en) | Secret key updating method and system for quantum computing secure communication resistance based on certificate cryptography |
CN111656728B (en) | Device, system and method for secure data communication |
Lin et al. | Authentication protocols with nonrepudiation services in personal communication systems |
CN115955320A (en) | Video conference identity authentication method |
AlMeghari et al. | A proposed authentication and group-key distribution model for data warehouse signature, DWS framework |
CN111245594A (en) | Homomorphic operation-based collaborative signature method and system |
Lee et al. | An interactive mobile SMS confirmation method using secret sharing technique |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
GR01 | Patent grant | | |
PE01 | Entry into force of the registration of the contract for pledge of patent right | | Denomination of invention: A service scheduling method for edge computing; Granted publication date: 2022-09-23; Pledgee: Hangzhou branch of Bank of Nanjing Co., Ltd.; Pledgor: Hangzhou Tian ship information technology Limited by Share Ltd.; Registration number: Y2024980035594 |