Disclosure of Invention
The invention aims to provide a lightweight authentication method for an internet of things system in a cloud computing environment, which improves the communication security of user equipment and a cloud server.
In order to achieve the above object, the present invention provides the following solutions:
a lightweight authentication method for an Internet of things system in a cloud computing environment comprises the following steps:
initializing system parameters through an identity trust registration center, wherein the initialized system parameters comprise values calculated by adopting a chaotic mapping algorithm;
based on a barrel shift physical unclonable function, carrying out identity registration on the user equipment through an identity trust registration center to obtain user registration information, and storing the identity information of the user equipment in the identity trust registration center;
based on a barrel shift physical unclonable function, carrying out identity registration on the cloud server through an identity trust registration center to obtain cloud server registration information, and storing the identity information of the cloud server in the identity trust registration center;
performing authentication between the user equipment and the identity trust registry and authentication between the user equipment and the cloud server based on the user registration information, the cloud server registration information, the identity information of the user equipment stored in the identity trust registry and the identity information of the cloud server stored in the identity trust registry;
after authentication between the user equipment and the identity trust registry and authentication between the user equipment and the cloud server are completed, the user equipment and the cloud server communicate through a session key.
Optionally, the initialized system parameters are $\{x, T_{s1}(x), p, H_1(\cdot), H_2(\cdot)\}$, where $x$ is a random number, $p$ is a large prime number, $T_{s1}(x)$ represents a value calculated by the chaotic mapping algorithm based on a random number $s1$, $s2$ is a random number, $s1$ and $s2$ are used as private keys, $T_{s1}(x)$ is used as the system public key, and $H_1(\cdot)$ and $H_2(\cdot)$ are both one-way hash functions.
Optionally, the barrel shift physical unclonable function is based, the user equipment is subjected to identity registration through the identity trust registration center to obtain user registration information, and the identity information of the user equipment is stored in the identity trust registration center, which specifically comprises:
generating user registration request information based on random numbers and a chaotic mapping algorithm, wherein the user registration request information comprises an identity of an Internet of things user, a first encrypted user password $PW_i$ obtained by encrypting the Internet of things user password, and a second encrypted user password $PK_i$ generated using the barrel shift physical unclonable function; the user equipment sends the user registration request information to the identity trust registration center;
after receiving the user registration request information, the identity trust registration center detects whether an identity of an Internet of things user exists or not, and if not, the identity trust registration center generates first user registration information based on the user registration request information, and the first user registration information is sent to the user equipment;
and after receiving the first user registration information, the user equipment generates second user registration information based on the first user registration information, and writes the second user registration information into the smart card corresponding to the user equipment.
Optionally, the barrel shift physical unclonable function is based on the step of registering the identity of the cloud server through the identity trust registration center to obtain cloud server registration information, and the step of saving the identity information of the cloud server in the identity trust registration center specifically includes:
generating cloud server registration request information based on a random number and a chaotic mapping algorithm, wherein the cloud server registration request information comprises a cloud server identity and a cloud server password generated by adopting a barrel shift physical unclonable function; the cloud server sends the cloud server registration request information to the identity trust registration center;
after receiving cloud server registration request information, the identity trust registration center detects whether a cloud server identity mark exists in a data block, if not, the identity trust registration center generates cloud server registration information based on the cloud server registration request information and sends the cloud server registration information to a cloud server;
and after receiving the cloud server registration information, the cloud server publishes the cloud server pseudonym and the public key of the cloud server, wherein the cloud server pseudonym is generated according to the cloud server identity.
Optionally, the authenticating between the user equipment and the identity trust registry and the authenticating between the user equipment and the cloud server based on the user registration information, the cloud server registration information, the identity information of the user equipment stored in the identity trust registry and the identity information of the cloud server stored in the identity trust registry specifically includes:
the intelligent card is inserted into the user equipment to log in the user identity of the Internet of things;
after the user identity of the Internet of things is successfully logged in, the user equipment sends the generated first authentication request message to the identity trust registration center; the first authentication request message comprises a pseudonym $RID_i$ of the Internet of things user, a first intermediate quantity $CID_i$, a first judgment mark $CM_i$ and a timestamp $T_1$; the first judgment mark $CM_i$ is generated according to the identity of the Internet of things user and the chaotic mapping algorithm;
when the identity trust registration center receives the first authentication request message, it verifies whether the timestamp $T_1$ is legal; if the timestamp $T_1$ is not legal, authentication stops; if the timestamp $T_1$ is legal, the identity trust registration center uses the pseudonym $RID_i$ of the Internet of things user to look up the corresponding identity $ID_i$ of the Internet of things user in a database, generates a second judgment mark $CM_i'$ according to the identity $ID_i$ found and the chaotic mapping algorithm, and judges whether the first authentication is completed by judging whether the first judgment mark $CM_i$ and the second judgment mark $CM_i'$ are equal;
if the first authentication is completed, the identity trust registry sends a generated second authentication request message to the user equipment, wherein the second authentication request message comprises a third judgment mark $IM_i$ and a timestamp $T_2$; the third judgment mark $IM_i$ is generated according to the identity of the Internet of things user, the cloud server pseudonym, the chaotic mapping algorithm and the barrel shift physical unclonable function;
after the user equipment receives the second authentication request message, it verifies whether the timestamp $T_2$ is legal; if the timestamp $T_2$ is not legal, authentication stops; if the timestamp $T_2$ is legal, a fourth judgment mark $IM_i'$ is generated according to the identity of the Internet of things user, the cloud server pseudonym, the chaotic mapping algorithm and the barrel shift physical unclonable function, and whether the second authentication is completed is judged by judging whether the third judgment mark $IM_i$ and the fourth judgment mark $IM_i'$ are equal;
if the second authentication is completed, the user equipment sends the generated third authentication request message to the cloud server; the third authentication request message includes a pseudonym of the Internet of things user, a pseudonym of the cloud server, a fifth judgment mark $JM_i$ and a timestamp $T_3$; the fifth judgment mark is generated according to the pseudonym of the Internet of things user, the cloud server pseudonym, the chaotic mapping algorithm and the barrel shift physical unclonable function;
after receiving the third authentication request message, the cloud server verifies whether the timestamp $T_3$ is legal; if the timestamp $T_3$ is not legal, authentication stops; if the timestamp $T_3$ is legal, the cloud server generates a sixth judgment mark $JM_i'$ according to the pseudonym of the Internet of things user, the pseudonym of the cloud server, the chaotic mapping algorithm and the barrel shift physical unclonable function, and judges whether the third authentication is completed by judging whether the fifth judgment mark and the sixth judgment mark are equal;
if the third authentication is completed, a first session key is generated based on the barrel shift physical unclonable function and a random value, and the cloud server sends a generated fourth authentication request message to the user equipment to perform the fourth authentication; the fourth authentication request message includes a seventh judgment mark $MK_j$, and the seventh judgment mark $MK_j$ is the encrypted first session key;
after receiving the fourth authentication request message, the user equipment generates a second session key based on the barrel shift physical unclonable function according to the fourth authentication request message, encrypts the second session key to generate an eighth judgment mark $MK_j'$, and judges whether the fourth authentication is completed by judging whether the seventh judgment mark and the eighth judgment mark are equal;
and if the fourth authentication is completed, finishing the authentication.
Optionally, the chaotic mapping algorithm is chebyshev chaotic mapping.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
the invention discloses a lightweight authentication method for an Internet of things system in a cloud computing environment, which is used for realizing registration and bidirectional authentication of user equipment and a cloud server based on a barrel shift physical unclonable function and a chaotic mapping algorithm, and improving the communication security of the user equipment and the cloud server.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention aims to provide a lightweight authentication method for an internet of things system in a cloud computing environment, which improves the communication security of user equipment and a cloud server.
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
Fig. 1 is a schematic flow diagram of a lightweight authentication method for an internet of things system in a cloud computing environment according to the present invention, fig. 2 is a schematic flow diagram of a lightweight authentication method for an internet of things system in a cloud computing environment according to the present invention, and fig. 3 is a schematic data transmission diagram of a lightweight authentication method for an internet of things system in a cloud computing environment according to the present invention, as shown in fig. 1 to 3, and a lightweight authentication method for an internet of things system in a cloud computing environment according to the present invention, including the following steps:
system initialization phase:
step 101: initializing system parameters through an identity trust registration center, wherein the initialized system parameters comprise values calculated by adopting a chaotic mapping algorithm.
The system parameters $\{x, T_{s1}(x), p, H_1(\cdot), H_2(\cdot)\}$ are initialized by the identity trust registration center (Identity Trust Registry, ITR), where $x$ is a random number, $p$ is a large prime number, $T_{s1}(x)$ represents a value calculated by the chaotic mapping algorithm based on a random number $s1$, $s2$ is a random number, $s1$ and $s2$ are used as private keys, $T_{s1}(x)$ is used as the public key, and $H_1(\cdot)$ and $H_2(\cdot)$ are both one-way hash functions.
The communication entities (user equipment and cloud server) are each connected to a PUF (Physical Unclonable Function) through a microcontroller component. Furthermore, the communication between the microcontroller and the PUF cannot be tampered with. The invention employs a barrel shift physical unclonable function (Barrel Shifter Physical Unclonable Function, BS-PUF). Exchangeable BS-PUFs require logical and physical interchangeability, and the entanglement functions must be physically interchangeable. The interchangeability of BS-PUFs depends on logical interchangeability and physical interchangeability, while physical interchangeability depends on the interchangeability of the entanglement functions. The physical measurement of the BS-PUF function in $\text{BS-PUF}_2(\text{BS-PUF}_1(x))$ and $\text{BS-PUF}_1(\text{BS-PUF}_2(x))$ is independent of the bit state. That is, for a combination of two exchangeable BS-PUFs, $\text{BS-PUF}_1$ and $\text{BS-PUF}_2$, $\text{BS-PUF}_2(\text{BS-PUF}_1(x)) = \text{BS-PUF}_1(\text{BS-PUF}_2(x))$.
The chaotic mapping algorithm adopted by the invention is the Chebyshev chaotic map.
Registration:
step 102: based on the barrel shift physical unclonable function, the user equipment is subjected to identity registration through the identity trust registration center to obtain user registration information, and the identity information of the user equipment is stored in the identity trust registration center.
The step 102 specifically includes:
User registration request information is generated based on random numbers and a chaotic mapping algorithm, wherein the user registration request information comprises an identity of an Internet of things user, a first encrypted user password $PW_i$ obtained by encrypting the Internet of things user password, and a second encrypted user password $PK_i$ generated using the barrel shift physical unclonable function; the user equipment sends the user registration request information to the identity trust registration center.
After receiving the user registration request information, the identity trust registration center detects whether the identity of the user of the Internet of things exists or not, and if not, the identity trust registration center generates first user registration information based on the user registration request information, and the first user registration information is sent to the user equipment.
And after receiving the first user registration information, the user equipment generates second user registration information based on the first user registration information, and writes the second user registration information into the smart card corresponding to the user equipment.
Step 103: based on the barrel shift physical unclonable function, the cloud server is subjected to identity registration through the identity trust registration center, cloud server registration information is obtained, and the identity information of the cloud server is stored in the identity trust registration center.
Step 103 specifically includes:
generating cloud server registration request information based on a random number and a chaotic mapping algorithm, wherein the cloud server registration request information comprises a cloud server identity and a cloud server password generated by adopting a barrel shift physical unclonable function; and the cloud server sends the cloud server registration request information to the identity trust registration center.
After receiving the cloud server registration request information, the identity trust registration center detects whether the cloud server identity mark exists in the data block, if not, the identity trust registration center generates cloud server registration information based on the cloud server registration request information, and sends the cloud server registration information to a cloud server.
And after receiving the cloud server registration information, the cloud server publishes the cloud server pseudonym and the public key of the cloud server, wherein the cloud server pseudonym is generated according to the cloud server identity.
Login and authentication phase:
step 104: and authenticating between the user equipment and the identity trust registry and authenticating between the user equipment and the cloud server based on the user registration information, the cloud server registration information, the identity information of the user equipment stored in the identity trust registry and the identity information of the cloud server stored in the identity trust registry.
Step 104 specifically includes:
and the intelligent card is inserted into the user equipment to log in the user identity of the Internet of things.
After the user identity of the Internet of things is successfully logged in, the user equipment sends the generated first authentication request message to the identity trust registration center; the first authentication request message comprises a pseudonym $RID_i$ of the Internet of things user, a first intermediate quantity $CID_i$, a first judgment mark $CM_i$ and a timestamp $T_1$; the first judgment mark $CM_i$ is generated according to the identity of the Internet of things user and the chaotic mapping algorithm.
After the identity trust registration center receives the first authentication request message, it verifies whether the timestamp $T_1$ is legal; if the timestamp $T_1$ is not legal, authentication stops; if the timestamp $T_1$ is legal, the identity trust registration center uses the pseudonym $RID_i$ of the Internet of things user to look up the corresponding identity $ID_i$ of the Internet of things user in a database, generates a second judgment mark $CM_i'$ according to the identity $ID_i$ found and the chaotic mapping algorithm, and judges whether the first authentication is completed by judging whether the first judgment mark $CM_i$ and the second judgment mark $CM_i'$ are equal.
If the first authentication is completed, the identity trust registry sends a generated second authentication request message to the user equipment, wherein the second authentication request message comprises a third judgment mark $IM_i$ and a timestamp $T_2$; the third judgment mark $IM_i$ is generated according to the identity of the Internet of things user, the cloud server pseudonym, the chaotic mapping algorithm and the barrel shift physical unclonable function.
After the user equipment receives the second authentication request message, it verifies whether the timestamp $T_2$ is legal; if the timestamp $T_2$ is not legal, authentication stops; if the timestamp $T_2$ is legal, a fourth judgment mark $IM_i'$ is generated according to the identity of the Internet of things user, the cloud server pseudonym, the chaotic mapping algorithm and the barrel shift physical unclonable function, and whether the second authentication is completed is judged by judging whether the third judgment mark $IM_i$ and the fourth judgment mark $IM_i'$ are equal.
If the second authentication is completed, the user equipment sends the generated third authentication request message to the cloud server; the third authentication request message includes a pseudonym of the Internet of things user, a pseudonym of the cloud server, a fifth judgment mark $JM_i$ and a timestamp $T_3$; the fifth judgment mark is generated according to the pseudonym of the Internet of things user, the cloud server pseudonym, the chaotic mapping algorithm and the barrel shift physical unclonable function.
After receiving the third authentication request message, the cloud server verifies whether the timestamp $T_3$ is legal; if the timestamp $T_3$ is not legal, authentication stops; if the timestamp $T_3$ is legal, the cloud server generates a sixth judgment mark $JM_i'$ according to the pseudonym of the Internet of things user, the pseudonym of the cloud server, the chaotic mapping algorithm and the barrel shift physical unclonable function, and judges whether the third authentication is completed by judging whether the fifth judgment mark and the sixth judgment mark are equal.
If the third authentication is completed, a first session key is generated based on the barrel shift physical unclonable function and a random value, and the cloud server sends a generated fourth authentication request message to the user equipment to perform the fourth authentication; the fourth authentication request message includes a seventh judgment mark $MK_j$, and the seventh judgment mark $MK_j$ is the encrypted first session key;
after receiving the fourth authentication request message, the user equipment generates a second session key based on the barrel shift physical unclonable function according to the fourth authentication request message, encrypts the second session key to generate an eighth judgment mark $MK_j'$, and judges whether the fourth authentication is completed by judging whether the seventh judgment mark and the eighth judgment mark are equal;
and if the fourth authentication is completed, finishing the authentication.
Step 105: after authentication between the user equipment and the identity trust registry and authentication between the user equipment and the cloud server are completed, the user equipment and the cloud server communicate through a session key.
The following describes in detail a specific process of registration, login and authentication stages in a lightweight authentication method for an internet of things system in a cloud computing environment.
Generating user registration request information based on random numbers and a chaotic mapping algorithm, wherein the user registration request information comprises an identity of an Internet of things user, a first encrypted user password $PW_i$ obtained by encrypting the Internet of things user password, and a second encrypted user password $PK_i$ generated using the barrel shift physical unclonable function, and sending the user registration request information from the user equipment to the identity trust registration center, specifically comprises the following steps:
The user equipment $IoTU_i$ (Internet of Things User, IoTU) selects the user's real identity $ID_i$, the user password $Pwd_i$, a random number $a_i$ and a random number $b_i$, and calculates a public key and $PW_i = H_1(ID_i \| Pwd_i \| b_i) \bmod n$, $2^4 \le n \le 2^6$. The user equipment $IoTU_i$ transmits the user registration request information $\{ID_i, PW_i, PK_i\}$ to the identity trust registration center through a secure channel, where $PW_i$ is the value obtained by encrypting the user password, the parameter $PK_i = \text{BS-PUF}_i(a_i)$, $\text{BS-PUF}_i()$ is the barrel shift physical unclonable function, and the value based on the random number $b_i$ is calculated by the chaotic mapping algorithm.
After receiving the user registration request information $\{ID_i, PW_i, PK_i\}$, the identity trust registry detects whether the user's $ID_i$ exists in the data block. If it does not exist, that is, the user is not registered, the registry calculates the user pseudonym $RID_i$ and the intermediate parameters $A_i$, $B_i$, $C_i$ and $D_i$: $RID_i = H_1(ID_i \| s1)$, $A_i = H_1(ID_i \| t_i)$, $B_i = A_i \oplus PW_i$, $C_i = H_1(PW_i \| PK_i \| B_i)$, $D_i = H_1(H_1(ID_i) \| H_1(s2))$. The identity trust registry generates the first user registration information $\{RID_i, B_i, C_i, D_i\}$ and transmits it to the user equipment $IoTU_i$, and the identity trust registry stores the user information $\{RID_i, ID_i, PK_i\}$, where $t_i$ represents a random number and $\|$ represents the concatenation operator.
After receiving the first user registration information $\{RID_i, B_i, C_i, D_i\}$, the user equipment $IoTU_i$ calculates the intermediate parameter $F_i = B_i \oplus H_1(ID_i \| Pwd_i \| PK_i)$ and the intermediate parameter $E_i = D_i \oplus PW_i$, and writes the second user registration information $\{F_i, C_i, E_i, b_i\}$ into the smart card (SC) corresponding to the Internet of things user whose identity is $ID_i$.
Based on a barrel shift physical unclonable function, carrying out identity registration on a cloud server through an identity trust registration center to obtain cloud server registration information, and storing the identity information of the cloud server in the identity trust registration center, wherein the method specifically comprises the following steps:
The cloud server $CS_j$ (CS) selects a real cloud server identity $ID_j$, a random number $c_j$ and a random number $d_j$, and calculates the public key $DK_j$ and the intermediate parameter $PK_j = \text{BS-PUF}_j(c_j)$. The cloud server $CS_j$ sends the cloud server registration request information to the identity trust registration center through a secure channel; the cloud server registration request information is $\{ID_j, PK_j\}$, $\text{BS-PUF}_j()$ is the barrel shift physical unclonable function, and the value based on the random number $d_j$ is calculated by the chaotic mapping algorithm.
After receiving the cloud server registration request information $\{ID_j, PK_j\}$, the identity trust registry detects whether the cloud server identity $ID_j$ exists in the data block. If it does not exist, the registry calculates the cloud server pseudonym $RID_j = H_1(ID_j \| s2)$ and the intermediate parameter $SD_j = H_1(s2)$. The identity trust registry generates the first cloud server registration information $\{RID_j, SD_j\}$ and sends it to the cloud server $CS_j$ over a secure channel, and the identity trust registry stores the cloud server information $\{ID_j, PK_j, c_j, RID_j\}$.
After receiving the first cloud server registration information $\{RID_j, SD_j\}$, the cloud server $CS_j$ saves the message $\{SD_j, PK_j, c_j, d_j\}$ and publishes the message $\{RID_j, DK_j\}$.
Based on the user registration information, the cloud server registration information, the identity information of the user equipment stored in the identity trust registration center and the identity information of the cloud server stored in the identity trust registration center, authentication between the user equipment and the identity trust registration center and authentication between the user equipment and the cloud server are performed, specifically including:
user equipment IoTU i Inserting a smart card, and transmitting the smart card to user equipment IoTU i Input user identity ID i User password Pwd i And PK i The smart card calculates the intermediate parameter B i =F i ⊕H 1 (ID i ||Pwd i ||PK i ) Intermediate parameter PW i =H 1 (ID i ||Pwd i ||b i ) And intermediate parameter C i ’=H 1 (PW i ||PK i ||b i ) User equipment IoTU i Verification C i ' and preserved C i If the values of (2) are equal, if not, the login fails, and if equal, the user ID i The login is successful.
User identity ID i After successful login, user equipment IoTU i Transmitting a first authentication request message { RID i ,CID i ,CM i ,T 1 -to an identity trust registry; wherein the parameter CID i =RID j ⊕IK i ,CM i =H 1 (IK i ||ID i ||T 1 ) Parameters (parameters)T 1 Representing a time stamp.
When the identity trust registry receives the first authentication request message { RID i ,CID i ,CM i ,T 1 After } verify the timestamp T 1 Whether or not it is legal, if it is time-stampedT 1 If not, stopping authentication, if the time stamp T 1 If the identity trust registration center library is legal, the identity trust registration center library passes through the RID in the first authentication request message i Finding the corresponding ID in the database i Calculating parametersSum parameter CM i ’=H 1 (IK i ’||ID i ||T 1 ) Judging CM i ' and CM i If the two are equal, stopping authentication if the two are not equal, and calculating RID if the two are equal j =CID i ⊕IK i ' by RID j Finding the corresponding PK in the database j Parameter CPK i =(PK j ||c j )⊕IK i ' parameter CSM i =H 1 (ID j ||SD j ) Parameter IM i =H 1 (ID i ||RID j ||IK i ’||PK i ||T 2 ),T 2 For time stamp, the identity trust registration center sends the user equipment IoTU i Sending a second authentication request message { CPK i ,CSM i ,IM i ,T 2 }。
When user equipment IoTU i Receiving the second authentication request message { CPK i ,CSM i ,IM i ,T 2 After } verify the timestamp T 2 Whether or not it is legal, if the time stamp T 2 If not, stopping authentication, if the time stamp T 2 If the authentication request message is legal, calculating the parameter PK through the received second authentication request message j ||c j =CPK i ⊕IK i Sum parameter IM i ’=H 1 (ID i ||RID j ||IK i ||PK i ||T 2 ) PK-based j ||c j By PK j And c j Determining PK of the number of bits of (a) j And c j Judge IM i ' AND IM i Whether or not the authentication is equal, if not, stopping the authenticationIf equal, user equipment IoTU i Calculate parameter HK i =BS-PUF i (BS-PUF j (c j ) Parameter HRK) i =BS-PUF i (c j ) Parameters and parametersParameter EK i =BS-PUF i (c j )⊕TK i Parameter UK i =a i ⊕HK i Parameter LK i =PK i ⊕CSM i Parameter D i =E i ⊕PW i Sum parameter JM i =H 1 (RID i ||RID j ||TK i ||D i ||T 3 ) And transmits a third authentication request message { RID } i ,RID j ,CK i ,EK i ,UK i ,LK i ,JM i ,T 3 ' to cloud Server CS j The method comprises the steps of carrying out a first treatment on the surface of the Wherein T is 3 Is a time stamp.
When cloud server CS j Receiving a third authentication request message { RID i ,RID j ,CK i ,EK i ,UK i ,LK i ,JM i ,T 3 After } verify the timestamp T 3 Whether or not it is legal, if the time stamp T 3 If not, stopping authentication, if the time stamp T 3 Legal, cloud server CS j According to the stored { SD } j ,PK j ,c j ,d j -calculating parametersBS-PUF i (c j )=EK i ⊕TK i ' parameter HK i ’=BS-PUF j (BS-PUF i (c j ))、a i =UK i ⊕HK i ' parameter CSM i ’=H 1 (ID j ||SD j ) Parameters PK i =LK i ⊕CSM i ' parameter D i ’=H 1 (H 1 (IDi)||H 2 (s 2)) and parameter JM i ’=H 1 (RID i ||RID j ||TK i ’||D i ’||T 3 ) Verify JM i ' and JM i If the cloud server CS and the cloud server CS are equal, stopping authentication if the cloud server CS and the cloud server CS are not equal j For user equipment IoTU i Is used for authentication of the mobile terminal.
After the cloud server $CS_j$ completes its authentication of the user equipment $IoTU_i$, the cloud server $CS_j$ calculates the parameter $UR_j = \text{BS-PUF}_j(a_i)$, the parameter $CSK_j = \text{BS-PUF}_j(PK_i) = \text{BS-PUF}_j(\text{BS-PUF}_i(a_i))$, $K_j = H_2(RID_i \| RID_j \| CSK_j \| HK_i' \| a_i \| c_j)$, the parameter $MK_j = H_1(K_j \| T_4)$ and the parameter $GK_j = UR_j \oplus TK_i'$, where $K_j$ represents the first session key, and sends a fourth authentication request message $\{GK_j, MK_j, T_4\}$, where $T_4$ is a timestamp.
When the user equipment $IoTU_i$ receives the fourth authentication request message $\{GK_j, MK_j, T_4\}$, it verifies whether the timestamp $T_4$ is legal. If $T_4$ is not legal, authentication stops. If $T_4$ is legal, it calculates the parameter $UR_j' = GK_j \oplus TK_i$, the parameter $CSK_j' = \text{BS-PUF}_i(UR_j') = \text{BS-PUF}_i(\text{BS-PUF}_j(a_i))$, $K_i = H_2(RID_i \| RID_j \| CSK_j' \| HK_i \| a_i \| c_j)$ and the parameter $MK_j' = H_1(K_i \| T_4)$, where $K_i$ represents the second session key, and judges whether $MK_j'$ and $MK_j$ are equal. If they are not equal, authentication stops. If they are equal, the user equipment $IoTU_i$ completes its authentication of the cloud server $CS_j$.
After the user equipment $IoTU_i$ completes its authentication of the cloud server $CS_j$, the user equipment $IoTU_i$ and the cloud server $CS_j$ communicate through the session key $K_j$ and the session key $K_i$.
The chaotic mapping algorithm is the Chebyshev chaotic map.
$\text{BS-PUF}_i(\cdot)$ and $\text{BS-PUF}_j(\cdot)$ have physical interchangeability, that is, $\text{BS-PUF}_j(\text{BS-PUF}_i(x)) = \text{BS-PUF}_i(\text{BS-PUF}_j(x))$.
Verifying whether the timestamp $T_1$ is legal specifically means verifying whether $T_1$ is within a preset range. The timestamps $T_2$, $T_3$ and $T_4$ are verified in the same way as $T_1$.
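The fourth-message exchange and the timestamp check described above, as an added example that is not part of the patent text. A modular-exponentiation function stands in for the BS-PUF only because it commutes, H_1 and H_2 are modeled as SHA-256, and the 5-second window, identifiers and numeric values are constructed assumptions.

```python
import hashlib
import hmac

P = 2**127 - 1          # prime modulus for the stand-in function (assumption)
WINDOW = 5              # "preset range" for timestamps, in seconds (assumed value)

def make_puf(k):
    # Stand-in for a BS-PUF: x -> x^k mod P. Chosen only because it commutes,
    # puf_j(puf_i(x)) == puf_i(puf_j(x)); a real BS-PUF is a hardware circuit.
    return lambda x: pow(x, k, P)

def H(tag, *parts):
    # H_1 / H_2 modeled as domain-separated SHA-256 over '|'-joined fields (assumption).
    data = tag + b"|" + b"|".join(str(p).encode() for p in parts)
    return hashlib.sha256(data).hexdigest()

def fresh(t, now):
    return abs(now - t) <= WINDOW

def server_msg4(puf_j, rid_i, rid_j, pk_i, hk_i, a_i, c_j, tk_i, t4):
    ur_j = puf_j(a_i)                      # UR_j = BS-PUF_j(a_i)
    csk_j = puf_j(pk_i)                    # CSK_j = BS-PUF_j(BS-PUF_i(a_i))
    k_j = H(b"H2", rid_i, rid_j, csk_j, hk_i, a_i, c_j)
    return k_j, {"GK": ur_j ^ tk_i, "MK": H(b"H1", k_j, t4), "T4": t4}

def device_verify4(puf_i, msg, rid_i, rid_j, hk_i, a_i, c_j, tk_i, now):
    if not fresh(msg["T4"], now):
        return None                        # stale timestamp: stop authentication
    ur_j = msg["GK"] ^ tk_i                # UR_j' = GK_j xor TK_i
    csk = puf_i(ur_j)                      # CSK_j' = BS-PUF_i(BS-PUF_j(a_i))
    k_i = H(b"H2", rid_i, rid_j, csk, hk_i, a_i, c_j)
    if not hmac.compare_digest(H(b"H1", k_i, msg["T4"]), msg["MK"]):
        return None                        # MK_j' != MK_j: stop authentication
    return k_i

def demo():
    puf_i, puf_j = make_puf(65537), make_puf(257)   # constructed device behaviours
    a_i, c_j, tk = 0x1234ABCD, 0x0BADF00D, 0x5EED5EED5EED  # constructed values
    pk_i, pk_j = puf_i(a_i), puf_j(c_j)    # PK_j taken as BS-PUF_j(c_j) (assumption)
    hk_dev, hk_srv = puf_i(pk_j), puf_j(puf_i(c_j))  # HK_i and HK_i'
    k_j, msg = server_msg4(puf_j, "RIDi", "RIDj", pk_i, hk_srv, a_i, c_j, tk, 1000)
    ok = device_verify4(puf_i, msg, "RIDi", "RIDj", hk_dev, a_i, c_j, tk, 1002)
    replay = device_verify4(puf_i, msg, "RIDi", "RIDj", hk_dev, a_i, c_j, tk, 1060)
    tampered = device_verify4(puf_i, dict(msg, GK=msg["GK"] ^ 1), "RIDi", "RIDj",
                              hk_dev, a_i, c_j, tk, 1002)
    return k_j, ok, replay, tampered
```

Calling `demo()` shows both sides deriving the same key when the message is fresh and intact, while a message replayed outside the window or with a flipped bit in GK_j is rejected.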
Each message in the invention includes a timestamp, a random secret, or both, which the recipient verifies before any processing of the received message. Thus, the present invention can prevent replay attacks.
The session key generated in the authentication process is derived by the user equipment $IoTU_i$ and the cloud server $CS_j$ from their respectively generated secret values and the secret values calculated by the barrel shift physical unclonable function. In addition, any two different session keys are independent of each other, so that an adversary cannot compromise other session keys at a later time. Thus, the security of the session key is ensured.
In the authentication process, each communication entity has its own physical unclonable function, so that even if an attacker obtains a secret value, the attacker cannot generate the corresponding physical unclonable function value. The method can therefore effectively resist node capture attacks.
The messages generated in the authentication process include secret values calculated by the chaotic mapping cryptographic algorithm and the barrel shift physical unclonable function, so that the corresponding message cannot be calculated without the secret value generated by the corresponding algorithm. Consequently, authentication fails if any information is tampered with, so no message can be tampered with dynamically. The invention realizes anonymous communication of the user equipment and ensures privacy security of the user.
In an Internet of Things cloud computing scenario, a user can access a cloud server at any time and from any place to acquire Internet of Things data, and can also send commands to Internet of Things equipment through the cloud server to realize remote production control. However, cloud servers provide Internet of Things services to users through insecure public channels, so the two parties must authenticate each other. Only authorized users can access the cloud server to acquire services of the Internet of Things equipment. Therefore, the invention provides a lightweight authentication method for an Internet of Things system in a cloud computing environment, which uses a barrel shift physical unclonable function (Barrel Shifter Physical Unclonable Function, BS-PUF) and a chaotic mapping algorithm, and uses multiple factors (user password and smart card) to ensure the security of authentication. In the cloud computing environment, the external user and the cloud server perform mutual authentication, and the data on the cloud server is accessed directly and securely through the negotiated session key, so that common attacks can be resisted and the security of communication is ensured.
In the present specification, the embodiments are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments may be referred to one another.
The principles and embodiments of the present invention have been described herein with reference to specific examples, and the description of these examples is intended only to assist in understanding the method of the present invention and its core ideas. Modifications made by those of ordinary skill in the art in light of the present teachings also fall within the scope of the present invention. In view of the foregoing, this description should not be construed as limiting the invention.