Disclosure of Invention
The invention aims to provide a lightweight authentication method for an Internet of things system in a cloud computing environment, which improves the communication security of user equipment and a cloud server.
In order to achieve the purpose, the invention provides the following scheme:
a lightweight authentication method for an Internet of things system in a cloud computing environment comprises the following steps:
initializing system parameters through an identity trust registration center, wherein the initialized system parameters comprise values obtained by calculation through a chaotic mapping algorithm;
based on a barrel shift physical unclonable function, carrying out identity registration on user equipment through an identity trust registration center to obtain user registration information, and storing the identity information of the user equipment in the identity trust registration center;
based on a barrel shift physical unclonable function, identity registration is carried out on a cloud server through an identity trust registration center to obtain cloud server registration information, and the identity information of the cloud server is stored in the identity trust registration center;
performing authentication between the user equipment and the identity trust registry and authentication between the user equipment and the cloud server based on the user registration information, the cloud server registration information, the identity information of the user equipment stored in the identity trust registry and the identity information of the cloud server stored in the identity trust registry;
and after the authentication between the user equipment and the identity trust registration center and the authentication between the user equipment and the cloud server are completed, the user equipment and the cloud server communicate through a session key.
Optionally, the initialized system parameters are {x, T_s1(x), p, H_1(·), H_2(·)}, wherein x is a random number, p is a large prime number, T_s1(x) represents the value calculated by the chaotic mapping algorithm based on a random number s1, s2 is a random number, s1 and s2 are private keys, T_s1(x) is the system public key, and H_1(·) and H_2(·) are one-way hash functions.
Optionally, the identity registration of the user equipment through the identity trust registration center based on the barrel shift physical unclonable function to obtain user registration information, and storing the identity information of the user equipment in the identity trust registration center specifically includes:
generating user registration request information based on a random number and a chaotic mapping algorithm, wherein the user registration request information comprises an identity of an Internet of Things user, a first encrypted user password PW_i obtained by encrypting the Internet of Things user password, and a second encrypted user password PK_i generated using a barrel shift physical unclonable function; the user equipment sends the user registration request information to the identity trust registration center;
after receiving the user registration request information, the identity trust registration center detects whether an identity mark of the user of the Internet of things exists, if not, the identity trust registration center generates first user registration information based on the user registration request information, and the first user registration information is sent to the user equipment;
and after receiving the first user registration information, the user equipment generates second user registration information based on the first user registration information, and writes the second user registration information into the smart card corresponding to the user equipment.
Optionally, the identity registration of the cloud server through the identity trust registry based on the barrel shift physical unclonable function to obtain cloud server registration information, and storing the identity information of the cloud server in the identity trust registry specifically includes:
generating cloud server registration request information based on a random number and a chaotic mapping algorithm, wherein the cloud server registration request information comprises a cloud server identity and a cloud server password generated by adopting a barrel shift physical unclonable function; the cloud server sends the cloud server registration request information to the identity trust registry;
after receiving cloud server registration request information, the identity trust registration center detects whether a cloud server identity mark exists in a data block, if not, the identity trust registration center generates cloud server registration information based on the cloud server registration request information and sends the cloud server registration information to a cloud server;
and after receiving the cloud server registration information, the cloud server publishes the cloud server pseudonym and the public key of the cloud server, wherein the cloud server pseudonym is generated according to the cloud server identity.
Optionally, the authenticating between the user equipment and the identity trust registration center and the authenticating between the user equipment and the cloud server based on the user registration information, the cloud server registration information, the identity information of the user equipment stored in the identity trust registration center and the identity information of the cloud server stored in the identity trust registration center specifically include:
the smart card is inserted into the user equipment to carry out Internet of Things user identity login;
after the Internet of Things user identity has logged in successfully, the user equipment sends the generated first authentication request message to the identity trust registration center; the first authentication request message comprises a pseudonym RID_i of the Internet of Things user, a first intermediate quantity CID_i, a first judgment mark CM_i and a timestamp T_1, the first judgment mark CM_i being generated according to the identity of the Internet of Things user and the chaotic mapping algorithm;
when the identity trust registration center receives the first authentication request message, it verifies whether the timestamp T_1 is legal; if the timestamp T_1 is not legal, authentication is stopped; if the timestamp T_1 is legal, the identity trust registration center finds the identity ID_i of the corresponding Internet of Things user in the database through the pseudonym RID_i of the Internet of Things user, generates a second judgment mark CM_i' according to the found identity ID_i of the Internet of Things user and the chaotic mapping algorithm, and determines whether the first authentication is completed by judging whether the first judgment mark CM_i and the second judgment mark CM_i' are equal;
if the first authentication is completed, the identity trust registration center sends a generated second authentication request message to the user equipment, wherein the second authentication request message comprises a third judgment mark IM_i and a timestamp T_2, the third judgment mark IM_i being generated according to the identity of the Internet of Things user, the pseudonym of the cloud server, the chaotic mapping algorithm and the barrel shift physical unclonable function;
after the user equipment receives the second authentication request message, it verifies whether the timestamp T_2 is legal; if the timestamp T_2 is not legal, authentication is stopped; if the timestamp T_2 is legal, the user equipment generates a fourth judgment mark IM_i' according to the identity of the Internet of Things user, the pseudonym of the cloud server, the chaotic mapping algorithm and the barrel shift physical unclonable function, and determines whether the second authentication is completed by judging whether the third judgment mark IM_i and the fourth judgment mark IM_i' are equal;
if the second authentication is completed, the user equipment sends the generated third authentication request message to the cloud server; the third authentication request message comprises the pseudonym of the Internet of Things user, the pseudonym of the cloud server, a fifth judgment mark JM_i and a timestamp T_3; the fifth judgment mark is generated according to the pseudonym of the Internet of Things user, the pseudonym of the cloud server, the chaotic mapping algorithm and the barrel shift physical unclonable function;
after the cloud server receives the third authentication request message, it verifies whether the timestamp T_3 is legal; if the timestamp T_3 is not legal, authentication is stopped; if the timestamp T_3 is legal, the cloud server generates a sixth judgment mark JM_i' according to the pseudonym of the Internet of Things user, the pseudonym of the cloud server, the chaotic mapping algorithm and the barrel shift physical unclonable function, and determines whether the third authentication is completed by judging whether the fifth judgment mark is equal to the sixth judgment mark;
if the third authentication is completed, a first session key is generated based on the barrel shift physical unclonable function and a random value, and the cloud server sends a generated fourth authentication request message to the user equipment for the fourth authentication; the fourth authentication request message includes a seventh judgment mark MK_j, the seventh judgment mark MK_j being the encrypted first session key;
after receiving the fourth authentication request message, the user equipment generates a second session key according to the fourth authentication request message by using the barrel shift physical unclonable function, encrypts the second session key to generate an eighth judgment mark MK_j', and determines whether the fourth authentication is completed by judging whether the seventh judgment mark is equal to the eighth judgment mark;
and if the fourth authentication is finished, finishing the authentication.
Optionally, the chaotic mapping algorithm is Chebyshev chaotic mapping.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
the invention discloses a lightweight authentication method for an internet of things system in a cloud computing environment, which is based on a barrel shift physical unclonable function and a chaotic mapping algorithm, realizes registration and bidirectional authentication of user equipment and a cloud server, and improves the communication safety of the user equipment and the cloud server.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
The invention aims to provide a lightweight authentication method for an internet of things system in a cloud computing environment, and the security of communication between user equipment and a cloud server is improved.
In order to make the aforementioned objects, features and advantages of the present invention more comprehensible, the present invention is described in detail with reference to the accompanying drawings and the detailed description thereof.
Fig. 1 is a schematic flow diagram of a lightweight authentication method for an internet of things system in a cloud computing environment of the present invention, fig. 2 is a schematic flow diagram of a lightweight authentication method for an internet of things system in a cloud computing environment of the present invention, fig. 3 is a schematic data transmission diagram of a lightweight authentication method for an internet of things system in a cloud computing environment of the present invention, as shown in fig. 1 to fig. 3, a lightweight authentication method for an internet of things system in a cloud computing environment, comprising the following steps:
System initialization stage:
Step 101: initializing system parameters through the identity trust registration center, wherein the initialized system parameters comprise values obtained by calculation through a chaotic mapping algorithm.
The system parameters {x, T_s1(x), p, H_1(·), H_2(·)} are initialized through the Identity Trust Registry (ITR), wherein x is a random number, p is a large prime number, T_s1(x) represents a value calculated by the chaotic mapping algorithm based on a random number s1, s2 is a random number, s1 and s2 are private keys, T_s1(x) is the public key, and H_1(·) and H_2(·) are one-way hash functions.
The communication entities (user equipment and cloud server) are connected to a PUF (Physical Unclonable Function) via a microcontroller component. Furthermore, the communication between the microcontroller and the PUF cannot be tampered with. The present invention employs a Barrel Shift Physical Unclonable Function (BS-PUF). A commutative BS-PUF requires both logical and physical commutativity, and the entanglement function must be physically commutative. The commutative behavior of the BS-PUF depends on the logical commutative behavior and the physical commutative behavior, whereas the physical commutative behavior depends on the commutative behavior of the entanglement function. The physical measurements of BS-PUF_2(BS-PUF_1(x)) and BS-PUF_1(BS-PUF_2(x)) are identical, so the BS-PUF function is independent of the bit state. That is, for a combination of two commutative BS-PUFs, BS-PUF_1 and BS-PUF_2: BS-PUF_2(BS-PUF_1(x)) = BS-PUF_1(BS-PUF_2(x)).
The chaotic mapping algorithm adopted by the invention is Chebyshev chaotic mapping.
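As an added illustration (not part of the patent text), the following Python example evaluates the Chebyshev map T_n(x) mod p in O(log n) multiplications and checks the semigroup property T_r(T_s(x)) = T_rs(x), which is what lets two holders of private values derive a common value from each other's public values. The modulus P, the helper names keypair and agree, and the random sample values are assumptions made for the demonstration.

```python
import secrets

# Constructed demo modulus: the Mersenne prime 2^127 - 1 stands in for the
# "large prime number p" of the initialization step (assumption).
P = 2**127 - 1


def chebyshev(n: int, x: int, p: int) -> int:
    """Return T_n(x) mod p, where T_0 = 1, T_1 = x, T_k = 2x*T_(k-1) - T_(k-2)."""
    if n < 0:
        raise ValueError("degree must be non-negative")
    if n == 0:
        return 1 % p
    x %= p

    def mul(a, b):
        # 2x2 matrix product mod p, matrices stored row-major as 4-tuples
        return ((a[0] * b[0] + a[1] * b[2]) % p, (a[0] * b[1] + a[1] * b[3]) % p,
                (a[2] * b[0] + a[3] * b[2]) % p, (a[2] * b[1] + a[3] * b[3]) % p)

    # [T_n, T_(n-1)] = M^(n-1) [T_1, T_0] with M = [[2x, -1], [1, 0]]
    result, base, e = (1, 0, 0, 1), ((2 * x) % p, p - 1, 1, 0), n - 1
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return (result[0] * x + result[1]) % p


def keypair(x: int, p: int = P):
    """Pick a private degree s and return (s, T_s(x) mod p)."""
    s = secrets.randbelow(p - 2) + 2
    return s, chebyshev(s, x, p)


def agree(x: int, p: int = P):
    """Two parties exchange public values; each derives T_(s1*b)(x) mod p."""
    s1, pub_registry = keypair(x, p)   # e.g. the registry's T_s1(x)
    b, pub_device = keypair(x, p)      # a device value based on its random b
    from_device = chebyshev(b, pub_registry, p)    # T_b(T_s1(x))
    from_registry = chebyshev(s1, pub_device, p)   # T_s1(T_b(x))
    return from_device, from_registry, chebyshev(s1 * b, x, p)


if __name__ == "__main__":
    d, r, direct = agree(secrets.randbelow(P - 2) + 2)
    print("shared values match:", d == r == direct)
```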
Registration stage:
Step 102: based on the barrel shift physical unclonable function, identity registration is carried out on the user equipment through the identity trust registration center to obtain user registration information, and the identity information of the user equipment is stored in the identity trust registration center.
Wherein, step 102 specifically comprises:
User registration request information is generated based on a random number and a chaotic mapping algorithm, wherein the user registration request information comprises an identity of an Internet of Things user, a first encrypted user password PW_i obtained by encrypting the Internet of Things user password, and a second encrypted user password PK_i generated using a barrel shift physical unclonable function, and the user equipment sends the user registration request information to the identity trust registration center.
After receiving the user registration request information, the identity trust registration center detects whether the identity of the Internet of Things user exists; if not, the identity trust registration center generates first user registration information based on the user registration request information and sends the first user registration information to the user equipment.
After receiving the first user registration information, the user equipment generates second user registration information based on the first user registration information, and writes the second user registration information into the smart card corresponding to the user equipment.
Step 103: based on the barrel shift physical unclonable function, identity registration is carried out on the cloud server through the identity trust registration center to obtain cloud server registration information, and the identity information of the cloud server is stored in the identity trust registration center.
Wherein, step 103 specifically comprises:
generating cloud server registration request information based on a random number and a chaotic mapping algorithm, wherein the cloud server registration request information comprises a cloud server identity and a cloud server password generated by adopting a barrel shift physical unclonable function; and the cloud server sends the cloud server registration request information to the identity trust registration center.
After receiving the cloud server registration request information, the identity trust registration center detects whether a cloud server identity exists in the data block, if not, the identity trust registration center generates cloud server registration information based on the cloud server registration request information, and sends the cloud server registration information to the cloud server.
After receiving the cloud server registration information, the cloud server publishes the cloud server pseudonym and the public key of the cloud server, wherein the cloud server pseudonym is generated according to the cloud server identity.
Login and authentication phase:
Step 104: authentication between the user equipment and the identity trust registration center and authentication between the user equipment and the cloud server are performed based on the user registration information, the cloud server registration information, the identity information of the user equipment stored in the identity trust registration center and the identity information of the cloud server stored in the identity trust registration center.
Wherein, step 104 specifically includes:
The smart card is inserted into the user equipment to log in the Internet of Things user identity.
After the Internet of Things user identity has logged in successfully, the user equipment sends the generated first authentication request message to the identity trust registration center; the first authentication request message comprises a pseudonym RID_i of the Internet of Things user, a first intermediate quantity CID_i, a first judgment mark CM_i and a timestamp T_1, the first judgment mark CM_i being generated according to the identity of the Internet of Things user and the chaotic mapping algorithm.
When the identity trust registration center receives the first authentication request message, it verifies whether the timestamp T_1 is legal; if the timestamp T_1 is not legal, authentication is stopped; if the timestamp T_1 is legal, the identity trust registration center finds the identity ID_i of the corresponding Internet of Things user in the database through the pseudonym RID_i of the Internet of Things user, generates a second judgment mark CM_i' according to the found identity ID_i of the Internet of Things user and the chaotic mapping algorithm, and determines whether the first authentication is completed by judging whether the first judgment mark CM_i and the second judgment mark CM_i' are equal.
If the first authentication is completed, the identity trust registration center sends a generated second authentication request message to the user equipment, wherein the second authentication request message comprises a third judgment mark IM_i and a timestamp T_2, the third judgment mark IM_i being generated according to the identity of the Internet of Things user, the pseudonym of the cloud server, the chaotic mapping algorithm and the barrel shift physical unclonable function.
After the user equipment receives the second authentication request message, it verifies whether the timestamp T_2 is legal; if the timestamp T_2 is not legal, authentication is stopped; if the timestamp T_2 is legal, a fourth judgment mark IM_i' is generated according to the identity of the Internet of Things user, the pseudonym of the cloud server, the chaotic mapping algorithm and the barrel shift physical unclonable function, and whether the second authentication is completed is determined by judging whether the third judgment mark IM_i and the fourth judgment mark IM_i' are equal.
If the second authentication is completed, the user equipment sends the generated third authentication request message to the cloud server; the third authentication request message comprises the pseudonym of the Internet of Things user, the pseudonym of the cloud server, a fifth judgment mark JM_i and a timestamp T_3; the fifth judgment mark is generated according to the pseudonym of the Internet of Things user, the pseudonym of the cloud server, the chaotic mapping algorithm and the barrel shift physical unclonable function.
After receiving the third authentication request message, the cloud server verifies whether the timestamp T_3 is legal; if the timestamp T_3 is not legal, authentication is stopped; if the timestamp T_3 is legal, the cloud server generates a sixth judgment mark JM_i' according to the pseudonym of the Internet of Things user, the pseudonym of the cloud server, the chaotic mapping algorithm and the barrel shift physical unclonable function, and determines whether the third authentication is completed by judging whether the fifth judgment mark is equal to the sixth judgment mark.
If the third authentication is completed, a first session key is generated based on the barrel shift physical unclonable function and a random value, and the cloud server sends a generated fourth authentication request message to the user equipment for the fourth authentication; the fourth authentication request message includes a seventh judgment mark MK_j, the seventh judgment mark MK_j being the encrypted first session key.
After receiving the fourth authentication request message, the user equipment generates a second session key according to the fourth authentication request message by using the barrel shift physical unclonable function, encrypts the second session key to generate an eighth judgment mark MK_j', and determines whether the fourth authentication is completed by judging whether the seventh judgment mark is equal to the eighth judgment mark.
If the fourth authentication is completed, the authentication is finished.
Step 105: after the authentication between the user equipment and the identity trust registration center and the authentication between the user equipment and the cloud server are completed, the user equipment and the cloud server communicate through a session key.
The following describes in detail specific processes of the registration, login and authentication stages in the lightweight authentication method for the internet of things system in the cloud computing environment.
Generating user registration request information based on a random number and a chaotic mapping algorithm, wherein the user registration request information comprises an identity of an Internet of Things user, a first encrypted user password PW_i obtained by encrypting the Internet of Things user password, and a second encrypted user password PK_i generated using a barrel shift physical unclonable function, and sending, by the user equipment, the user registration request information to the identity trust registration center, specifically includes:
The user equipment IoTU_i (Internet of Things User, IoTU) selects the user's real identity ID_i, a user password Pwd_i, a random number a_i and a random number b_i, and computes the public key, and PW_i = H_1(ID_i || Pwd_i || b_i) mod n, 2^4 ≤ n ≤ 2^6. The user equipment IoTU_i sends user registration request information to the identity trust registration center through a secure channel, the user registration request information being {ID_i, PW_i, PK_i}, wherein PW_i is the encrypted value of the user password, the parameter PK_i = BS-PUF_i(a_i), wherein BS-PUF_i() is the barrel shift physical unclonable function, the representation being based on a random number b_i and calculating the obtained value by adopting a chaotic mapping algorithm.
After receiving the user registration request information {ID_i, PW_i, PK_i}, the identity trust registration center detects whether the user identity ID_i exists in the data block; if it does not exist, the user pseudonym RID_i and the intermediate parameters A_i, B_i, C_i and D_i are calculated: RID_i = H_1(ID_i || s1), A_i = H_1(ID_i || t_i), B_i = A_i ⊕ PW_i, C_i = H_1(PW_i || PK_i || B_i), D_i = H_1(H_1(ID_i) || H_1(s2)). The identity trust registration center generates the first user registration information {RID_i, B_i, C_i, D_i} and sends the first user registration information {RID_i, B_i, C_i, D_i} to the user equipment IoTU_i, and the identity trust registration center stores the user information {RID_i, ID_i, PK_i}, wherein t_i represents a random number and || represents the concatenation operator.
After receiving the first user registration information {RID_i, B_i, C_i, D_i}, the user equipment IoTU_i calculates the intermediate parameter F_i = B_i ⊕ H_1(ID_i || Pwd_i || PK_i) and the intermediate parameter E_i = D_i ⊕ PW_i, and writes the second user registration information {F_i, C_i, E_i, b_i} into the smart card (SC) corresponding to the Internet of Things user whose identity is ID_i.
Based on the barrel shift physical unclonable function, identity registration is carried out on the cloud server through the identity trust registration center to obtain cloud server registration information, and the identity information of the cloud server is stored in the identity trust registration center, which specifically comprises the following steps:
The cloud server CS_j (CS) selects a real cloud server identity ID_j, a random number c_j and a random number d_j, and computes the public key DK_j, and the intermediate parameter PK_j = BS-PUF_j(c_j). The cloud server CS_j sends cloud server registration request information to the identity trust registration center through a secure channel; the cloud server registration request information is {ID_j, PK_j}, BS-PUF_j() is the barrel shift physical unclonable function, the representation being based on a random number d_j and calculating the obtained value by adopting a chaotic mapping algorithm.
After receiving the cloud server registration request information {ID_j, PK_j}, the identity trust registration center detects whether the cloud server identity ID_j exists in the data block; if not, it calculates the cloud server pseudonym RID_j = H_1(ID_j || s2) and an intermediate parameter SD_j = H_1(s2). The identity trust registration center generates the first cloud server registration information {RID_j, SD_j} and sends the first cloud server registration information {RID_j, SD_j} to the cloud server CS_j through a secure channel, and the identity trust registration center stores the cloud server information {ID_j, PK_j, c_j, RID_j}.
After receiving the first cloud server registration information {RID_j, SD_j}, the cloud server CS_j saves the message {SD_j, PK_j, c_j, d_j} and publishes the message {RID_j, DK_j}.
Performing authentication between the user equipment and the identity trust registration center and authentication between the user equipment and the cloud server based on the user registration information, the cloud server registration information, the identity information of the user equipment stored in the identity trust registration center and the identity information of the cloud server stored in the identity trust registration center, specifically including:
The smart card is inserted into the user equipment IoTU_i, and the user identity ID_i, the user password Pwd_i and PK_i are input to the user equipment IoTU_i through the smart card. The smart card calculates the intermediate parameter B_i = F_i ⊕ H_1(ID_i || Pwd_i || PK_i), the intermediate parameter PW_i = H_1(ID_i || Pwd_i || b_i) and the intermediate parameter C_i' = H_1(PW_i || PK_i || b_i). The user equipment IoTU_i verifies whether C_i' is equal to the stored C_i; if not, the login fails; if so, the user identity ID_i logs in successfully.
After the user identity ID_i has logged in successfully, the user equipment IoTU_i sends a first authentication request message {RID_i, CID_i, CM_i, T_1} to the identity trust registration center; wherein the parameter CID_i = RID_j ⊕ IK_i, CM_i = H_1(IK_i || ID_i || T_1), and the parameter T_1 represents a time stamp.
When the identity trust registration center receives the first authentication request message {RID_i, CID_i, CM_i, T_1}, it verifies whether the timestamp T_1 is legal; if the timestamp T_1 is not legal, authentication is stopped; if the timestamp T_1 is legal, the identity trust registration center finds the corresponding ID_i in the database through the RID_i in the first authentication request message, calculates the parameters, and the parameter CM_i' = H_1(IK_i' || ID_i || T_1), and judges whether CM_i' and CM_i are equal; if not, authentication is stopped; if so, it calculates RID_j = CID_i ⊕ IK_i', finds the corresponding PK_j in the database through RID_j, and calculates the parameter CPK_i = (PK_j || c_j) ⊕ IK_i', the parameter CSM_i = H_1(ID_j || SD_j) and the parameter IM_i = H_1(ID_i || RID_j || IK_i' || PK_i || T_2), where T_2 is a time stamp. The identity trust registration center sends a second authentication request message {CPK_i, CSM_i, IM_i, T_2} to the user equipment IoTU_i.
When the user equipment IoTU_i receives the second authentication request message {CPK_i, CSM_i, IM_i, T_2}, it verifies whether the timestamp T_2 is legal; if the timestamp T_2 is not legal, authentication is stopped; if the timestamp T_2 is legal, it calculates from the received second authentication request message the parameter PK_j || c_j = CPK_i ⊕ IK_i and the parameter IM_i' = H_1(ID_i || RID_j || IK_i || PK_i || T_2), determines PK_j and c_j from PK_j || c_j, and judges whether IM_i' and IM_i are equal; if not, authentication is stopped; if so, the user equipment IoTU_i calculates the parameter HK_i = BS-PUF_i(BS-PUF_j(c_j)), the parameter HRK_i = BS-PUF_i(c_j), parameters, the parameter EK_i = BS-PUF_i(c_j) ⊕ TK_i, the parameter UK_i = a_i ⊕ HK_i, the parameter LK_i = PK_i ⊕ CSM_i, the parameter D_i = E_i ⊕ PW_i and the parameter JM_i = H_1(RID_i || RID_j || TK_i || D_i || T_3), and sends a third authentication request message {RID_i, RID_j, CK_i, EK_i, UK_i, LK_i, JM_i, T_3} to the cloud server CS_j; wherein T_3 is a time stamp.
When the cloud server CS_j receives the third authentication request message {RID_i, RID_j, CK_i, EK_i, UK_i, LK_i, JM_i, T_3}, it verifies whether the timestamp T_3 is legal; if the timestamp T_3 is not legal, authentication is stopped; if the timestamp T_3 is legal, the cloud server CS_j, according to the stored {SD_j, PK_j, c_j, d_j}, calculates the parameters, BS-PUF_i(c_j) = EK_i ⊕ TK_i', the parameter HK_i' = BS-PUF_j(BS-PUF_i(c_j)), a_i = UK_i ⊕ HK_i', the parameter CSM_i' = H_1(ID_j || SD_j), the parameter PK_i = LK_i ⊕ CSM_i', the parameter D_i' = H_1(H_1(ID_i) || H_2(s2)) and the parameter JM_i' = H_1(RID_i || RID_j || TK_i' || D_i' || T_3), and verifies whether JM_i' and JM_i are equal; if not, authentication is stopped; if so, the authentication of the user equipment IoTU_i by the cloud server CS_j is completed.
When the cloud server CS_j has completed the authentication of the user equipment IoTU_i, the cloud server CS_j calculates the parameter UR_j = BS-PUF_j(a_i), the parameter CSK_j = BS-PUF_j(PK_i) = BS-PUF_j(BS-PUF_i(a_i)), K_j = H_2(RID_i || RID_j || CSK_j || HK_i' || a_i || c_j), the parameter MK_j = H_1(K_j || T_4) and the parameter GK_j = UR_j ⊕ TK_i', where K_j represents the first session key, and sends a fourth authentication request message {GK_j, MK_j, T_4}; wherein T_4 is a time stamp.
When the user equipment IoTU_i receives the fourth authentication request message {GK_j, MK_j, T_4}, it verifies whether the timestamp T_4 is legal; if the timestamp T_4 is not legal, authentication is stopped; if the timestamp T_4 is legal, it calculates the parameter UR_j' = GK_j ⊕ TK_i, the parameter CSK_j' = BS-PUF_i(UR_j') = BS-PUF_i(BS-PUF_j(a_i)), K_i = H_2(RID_i || RID_j || CSK_j' || HK_i || a_i || c_j) and the parameter MK_j' = H_1(K_i || T_4), where K_i represents the second session key, and judges whether MK_j' and MK_j are equal; if not, authentication is stopped; if so, the authentication of the cloud server CS_j by the user equipment IoTU_i is completed.
After the authentication of the cloud server CS_j by the user equipment IoTU_i is completed, the user equipment IoTU_i and the cloud server CS_j communicate by means of the session key K_j and the session key K_i.
The chaotic mapping algorithm is Chebyshev chaotic mapping.
BS-PUF_i() and BS-PUF_j() have physical exchangeability: BS-PUF_j(BS-PUF_i(x)) = BS-PUF_i(BS-PUF_j(x)).
Verifying whether the timestamp T_1 is legal specifically means verifying whether T_1 is within a preset range; the timestamps T_2, T_3 and T_4 are verified in the same way as T_1.
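The fourth-message exchange, the exchangeability property and the preset timestamp range described above can be traced in the following added example, which is not part of the original disclosure. It assumes modular exponentiation as a software stand-in for the two BS-PUFs (commutative, but not unclonable hardware), SHA-256 for H_1 and H_2, a 5-second window, and constructed sample values for everything both ends share after the third message.

```python
import hashlib, hmac

P = 2**127 - 1   # prime modulus for the stand-in PUF (assumption)
WINDOW = 5       # preset timestamp range in seconds (assumption)

def make_puf(secret):
    # Stand-in for BS-PUF: x -> x^secret mod P. It commutes with any other
    # instance, as the page requires, but it is software, not a real PUF.
    return lambda x: pow(x, secret, P)

def _h(tag, parts):
    h = hashlib.sha256(tag)
    for p in parts:                      # length-prefix each field of a||b||...
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def H1(*parts): return _h(b"H1", parts)
def H2(*parts): return _h(b"H2", parts)

def server_reply(puf_j, s, PK_i, T4):
    # CS_j side: s holds values both ends already share after message 3.
    UR_j = puf_j(s["a_i"])
    CSK_j = puf_j(PK_i)                  # BS-PUF_j(BS-PUF_i(a_i))
    K_j = H2(s["RID_i"], s["RID_j"], CSK_j, s["HK_i"], s["a_i"], s["c_j"])
    return K_j, {"GK": UR_j ^ s["TK_i"], "MK": H1(K_j, T4), "T4": T4}

def device_verify(puf_i, s, msg, now):
    # IoTU_i side: returns session key K_i, or None when authentication stops.
    if abs(now - msg["T4"]) > WINDOW:
        return None                      # timestamp outside preset range
    UR_j = msg["GK"] ^ s["TK_i"]
    CSK_j = puf_i(UR_j)                  # BS-PUF_i(BS-PUF_j(a_i))
    K_i = H2(s["RID_i"], s["RID_j"], CSK_j, s["HK_i"], s["a_i"], s["c_j"])
    return K_i if hmac.compare_digest(H1(K_i, msg["T4"]), msg["MK"]) else None

def demo():
    puf_i, puf_j = make_puf(0x1F3D5B79), make_puf(0x2E4C6A81)   # constructed
    s = {"RID_i": "rid-user", "RID_j": "rid-cloud", "a_i": 123456789,
         "c_j": 987654321, "HK_i": 55555, "TK_i": 424242}       # constructed
    K_j, msg = server_reply(puf_j, s, puf_i(s["a_i"]), T4=1000)
    ok = device_verify(puf_i, s, msg, now=1002)
    tampered = device_verify(puf_i, s, {**msg, "GK": msg["GK"] ^ 1}, now=1002)
    replayed = device_verify(puf_i, s, msg, now=1060)
    return ok == K_j, tampered, replayed

if __name__ == "__main__":
    print(demo())   # (True, None, None)
```

The device derives the same key as the server only because the two stand-in functions commute; a flipped bit in GK_j or a message presented outside the window makes `device_verify` stop authentication.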
Each message of the present invention contains either a timestamp or a random secret, or both, which the recipient verifies before any processing of the received message. Therefore, the present invention can prevent replay attacks.
The session key generated in the authentication process is generated by the user equipment IoTU_i and the cloud server CS_j from their respectively generated secret values and a secret value calculated by the barrel shift physical unclonable function. Any two different session keys are independent of each other, so an adversary cannot compromise other session keys later. Thus, the security of the session key is guaranteed.
In the authentication process, the communication entities each have their own physical unclonable function, so an attacker cannot generate the corresponding physical unclonable function values even after obtaining the secret values. Therefore, the method can effectively resist node capture attacks.
The messages generated in the authentication process contain secret values calculated by the chaotic mapping cryptographic algorithm and the barrel shift physical unclonable function, so a corresponding message cannot be calculated without the secret value generated by the corresponding algorithm. If any information is tampered with, verification fails, so no message can be tampered with dynamically. The invention realizes anonymous communication for the user equipment and ensures the privacy and security of the user.
In an Internet of things cloud computing scenario, a user can access a cloud server at any time and from any place to obtain Internet of things data, and can send commands to Internet of things equipment through the cloud server to realize remote production control. However, the cloud server provides Internet of things services to users over an insecure public channel, and therefore mutual authentication is required. Only authorized users can access the cloud server to obtain the services of the Internet of things equipment. Therefore, the present invention proposes a lightweight authentication method for an Internet of things system in a cloud computing environment, which uses a barrel shift physical unclonable function (BS-PUF) and a chaotic mapping algorithm, and uses multiple factors (user password and smart card) to ensure the security of authentication. In a cloud computing environment, the method of the invention enables an external user and the cloud server to authenticate each other, to access data on the cloud server directly and securely through the negotiated session key, to resist common attacks, and to ensure the security of communication.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the foregoing, the description is not to be taken in a limiting sense.