CN115378604A - Identity authentication method of edge computing terminal equipment based on credit value mechanism - Google Patents

Identity authentication method of edge computing terminal equipment based on credit value mechanism Download PDF

Info

Publication number
CN115378604A
CN115378604A CN202210962297.4A CN202210962297A CN115378604A CN 115378604 A CN115378604 A CN 115378604A CN 202210962297 A CN202210962297 A CN 202210962297A CN 115378604 A CN115378604 A CN 115378604A
Authority
CN
China
Prior art keywords
node
message
terminal equipment
slave
consensus
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210962297.4A
Other languages
Chinese (zh)
Inventor
魏旻
肖峰
余涛
李金�
黄旭炜
洪承镐
王平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University of Post and Telecommunications
Original Assignee
Chongqing University of Post and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University of Post and Telecommunications filed Critical Chongqing University of Post and Telecommunications
Priority to CN202210962297.4A priority Critical patent/CN115378604A/en
Publication of CN115378604A publication Critical patent/CN115378604A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Abstract

The invention relates to an identity authentication method of edge computing terminal equipment based on a credit value mechanism, belonging to the complete technical field of computer networks. The method comprises the following steps of S1: an initialization stage; s2: terminal equipment generates a registration request message; s3: the edge gateway verifies the registration request message and the master node verifies the registration transaction stage; s4: generating and verifying transaction information of the terminal equipment; the slave node verifies the authenticity of the transaction information and the timeliness of the transaction information, and the identity validity judgment of the terminal equipment is realized; s5: the identity registration information common identification and uplink stage of the terminal equipment; s6: and updating the behavior information and the reputation value of the consensus node. The invention integrates the identity authentication of the terminal equipment into an improved consensus algorithm mechanism, and adopts a credit value mechanism to select the consensus nodes, thereby realizing the identity authentication of the terminal equipment and further improving the safety capability of the industrial edge computing environment.

Description

Identity authentication method of edge computing terminal equipment based on credit value mechanism
Technical Field
The invention belongs to the complete technical field of computer networks, and relates to an identity authentication method of edge computing terminal equipment based on a credit value mechanism.
Background
However, with the development of industrial networks, the continuous emergence of new services in upper-layer applications, and the continuous proliferation of equipment accessed and data generated in industrial fields, cloud computing has been unable to meet new requirements brought by these changes. The industrial edge computing network can enhance local computing power through edge computing, reduce response delay caused by centralized cloud computing, and meet the requirements of the industry on high computing power and real-time response in a large-scale computing scene. Therefore, edge computing is introduced into the industrial network.
Because the industrial edge computing has the characteristic of network openness, the terminal equipment can be connected with an external network. If a malicious node or a trapped terminal device is accessed into the industrial network, huge losses are caused to industrial production. Therefore, ensuring the trusted access of the terminal device in the edge computing environment is a serious security challenge, and it is necessary to design an identity authentication method for the terminal device in the industrial edge computing environment.
At present, most of methods for verifying the identity of devices adopt a traditional public key infrastructure, and the method distributes digital certificates to devices in a network through a centralized Authority CA (Certificate Authority) so as to realize identity authentication. However, the centralized authentication method is very easy to cause a single point failure problem. Therefore, authentication based on the conventional public key infrastructure poses a certain threat to the security of the industrial network. In addition, for example, a password-based identity authentication method (a cryptography-based authentication method) is also widely applied in an equipment identity authentication scenario in an industrial edge environment, and such a method can indeed effectively solve the identity authentication problem of equipment in terms of functions, but such a method has a large security hole and is very easy to be utilized by an attacker, for example: in password-based authentication methods, a malicious entity may impersonate a trusted entity if he knows (e.g., guesses) the password of the entity, thereby posing a security threat. Therefore, the identity authentication method with security vulnerabilities is difficult to be applied to terminal equipment with high security requirements in an industrial edge environment.
In the alliance chain, the block information on the alliance chain is written into the alliance chain block by acquiring the common identification of a plurality of nodes, and if the block information is required to be modified, the consent of the plurality of nodes is acquired, and the nodes are usually held in different subjects, so that the block information in the block chain is difficult to tamper. Therefore, the alliance chain technology and the identity authentication technology can be fused to form a safer and more reliable method for solving the identity authentication problem of the terminal equipment. Based on the existing industrial edge computing architecture, a alliance chain is built on an edge layer, so that a common identification node in the alliance chain participates in identity authentication of terminal equipment, the identity authentication of the terminal equipment can be judged to be legal only through verification of a plurality of common identification nodes (the process is a common identification mechanism), and therefore the defect that the authentication has centralization can be effectively overcome, and the authentication reliability is enhanced; and by linking the authentication information, the tracing back of the authentication information can be realized. Therefore, the invention applies the alliance chain to the identity authentication framework of the terminal equipment in the industrial edge computing environment, thereby solving the problem of high security requirement of the terminal equipment in the existing industrial edge environment.
Disclosure of Invention
In view of this, the present invention aims to provide an identity authentication method for an edge computing terminal device based on a reputation value mechanism, which merges the identity authentication of the terminal device into an improved consensus algorithm mechanism and designs a reputation value mechanism to select a consensus node, thereby implementing the identity authentication of the terminal device and further improving the security capability of the industrial edge computing environment.
In order to achieve the purpose, the invention provides the following technical scheme:
an identity authentication method of edge computing terminal equipment based on a credit value mechanism specifically comprises the following steps:
s1: an initialization stage: the method comprises the steps that a terminal device, a routing node and an edge gateway generate a key pair, an edge server is provided with a alliance chain client, and an alliance chain selects a main node and a slave node in a consensus algorithm;
s2: the terminal equipment generates a registration request message stage: the terminal equipment generates a registration request message by using the identity registration information of the terminal equipment, and sends the registration request message and the timestamp to the edge gateway;
s3: the authentication registration request message of the edge gateway and the authentication registration transaction stage of the main node: after receiving the registration request message of the terminal equipment, the edge gateway checks whether the registration request message of the terminal equipment is overtime, and the main node verifies the registration transaction;
s4: the transaction information generation and verification stage of the terminal equipment comprises the following steps: the master node generates transaction information and broadcasts the transaction information to the slave nodes; the slave node verifies the authenticity of the transaction information and the timeliness of the transaction information, and the identity validity judgment of the terminal equipment is realized;
s5: identity registration information consensus and uplink stage of the terminal equipment: the master node and the slave node carry out consensus on the identity registration information of the terminal equipment, and the master node can achieve the cochain of the registration information of the slave node consensus;
s6: and (3) updating the behavior information and the reputation value of the consensus node: and the main node calculates and updates the behavior information and the reputation value of the consensus node according to the behavior of the consensus node in the step S5.
Further, step S1 specifically includes the following steps:
s11: generating a public key and a private key of the terminal device: the edge gateway generates its own public key P EG And a private key S EG To public key P EG Disclosed is a method for producing a compound; meanwhile, the edge gateway generates a public key P for the terminal equipment TE And a private key S TE To public key P TE Public, private key S TE Sending the private key to the terminal equipment, and storing the private key by the terminal equipment;
s12: generating public keys and private keys of the routing nodes: edge gateway generates public for routing nodeKey P RN And a private key S RN To public key P RN Public, private key S RN Sending the private key to a routing node, and storing the private key by the routing node;
s13: initializing an edge server and generating a key pair of the edge server;
selecting an edge server in an edge layer to act as a consensus node in a alliance chain network, wherein the method comprises the following steps: first, in ES i (ES i I =1,2,3, …, Z represents all federation link points) for the ith edge server of the edge layer, and after the installation of the federation link client is completed, the ES i Obtaining a federation chain node address and a federation chain certificate; then, ES i Using an asymmetric cryptographic algorithm to obtain a unique session key pair, i.e. a public key
Figure BDA0003793265030000031
And a private key
Figure BDA0003793265030000032
Will public key
Figure BDA0003793265030000033
Public, self-keeping private keys
Figure BDA0003793265030000034
S14: and selecting a consensus node, a main node and a slave node in the alliance chain by adopting a consensus algorithm based on a credit value mechanism.
Further, step S14 specifically includes the following steps:
s141: selecting a consensus node: after completing the uplink of the terminal equipment identity registration information in one period, the alliance link node reselects the consensus node according to the consensus node selection mechanism within delta t time; Δ t is the time gap between the end of the uplink of the previous identity registration message and the start of the uplink of the next identity registration message;
the consensus node selection mechanism combines a credit value mechanism and a VRF random function, and the specific selection mechanism scheme is as follows:
(1) Each alliance chain node generates a random number rand according to the block hash value of the alliance chain node i Will run i Conversion into 16-system number S 16 (S 16 Zero knowledge certificate proof) used to construct federation chain nodes, and rand i And S 16 Broadcast to all federation chain nodes, rand i Random number representing the ith federation link node, i ∈ [1,Z];
(2) Federation chain node i passing through private key
Figure BDA0003793265030000035
(
Figure BDA0003793265030000036
Private key representing federation chain node i) versus random number rand i Calculating a hash value to obtain a random result of the union link node i i
Figure BDA0003793265030000037
Wherein, hash () represents Hash calculation, | | | is a link symbol;
(3) The alliance link node i responds to the random result i Whether the ratio of the length of the bytes to the length of the bytes is less than or equal to a threshold value Y to determine whether the node can be selected as a consensus node; the selection judgment algorithm is shown as formula (1):
Figure BDA0003793265030000038
since the election determination algorithm in formula (1) is a probabilistic algorithm, there may be a situation where there is not enough number of common nodes in the uplink stage of the identity registration message, and therefore an appropriate threshold Y needs to be set to reduce the probability of this situation. The invention takes Y =0.4 or 0.5. Among them, len (result) i ) Represents the random result i The byte length of (d);
random result when node i of federation chain i If the ratio of the length of the node to the length of the byte is less than or equal to a threshold value Y, the node is qualified to be commonly recognized as a commonly recognized node by other alliance link points; on the contrary, it is not sharedIdentifying qualification;
(4) If the alliance link node i meets the formula (1), the alliance link node i has the possibility of becoming a consensus node at the moment, and other alliance link nodes are needed to verify whether the result of the alliance link node i becoming the consensus node is reliable. Therefore, the alliance link node i constructs a zero knowledge certificate proof through an elliptic curve encryption algorithm i (ii) a Federation chain node i obtains proof i After that, proof of i And a random result i Broadcast to other federation chain nodes for other federation chain link point pairs proof i Carrying out verification;
federation chain node i constructs zero knowledge certificate proof i The method comprises the following specific steps:
a) The method comprises the following steps K for computing alliance chain node i 1 Value of,
Figure BDA0003793265030000039
b) The method comprises the following steps K for computing alliance chain node i 2 The value of the sum of the values,
Figure BDA0003793265030000041
wherein k is the same as [0,J-1 ]]J is the large prime number order of the base point G, and G is the base point of the elliptic curve encryption algorithm;
c) The method comprises the following steps Obtaining zero knowledge certificate of federation chain node i
Figure BDA0003793265030000042
(5) Other alliance-link nodes are receiving proof i After that, proof of i The method comprises the following specific steps:
a) The method comprises the following steps Any alliance chain node i' except the alliance chain node i is according to the public key of the alliance chain node i
Figure BDA0003793265030000043
Base points G, K 2 Value and result i Calculating K 3 The value of the sum of the values,
Figure BDA0003793265030000044
b) The method comprises the following steps Alliance link node i'According to public key of federation link node i
Figure BDA0003793265030000045
And a random number rand i Calculating K 4
Figure BDA0003793265030000046
Figure BDA0003793265030000047
c) The method comprises the following steps The alliance link node i' is according to K of the alliance link node i 1 Value, K 2 Value, K 4 Value and result i Calculating K 5 Value, K 5 =K 1 *result i +K 4 *K 2
d) The method comprises the following steps Federation chain node i' is based on base point G, K 1 Value, K 3 Value, K 4 Value, K 5 Value and public key of federation link node i
Figure BDA0003793265030000048
Calculating out
Figure BDA0003793265030000049
Judge result i′ =result i If the result is true, if the result is calculated by the node i' of the union link i′ =result i If the alliance link node i becomes the consensus node, the identity of the consensus node is accepted by other alliance link nodes, and the alliance link node i becomes the consensus node; if result i′ ≠result i The alliance link node i cannot become a consensus node;
s142: selecting a main node and a slave node;
after the selection of the consensus node is completed, the master node C in the previous period LN Selecting a new main node and a new slave node in the next period according to the main node reputation value and the slave node reputation value list in the table 1; the specific selection rule is as follows: c LN Sorting the reputation values of the master nodes and the slave nodes, selecting the consensus node with the highest reputation value as a new master node, and selecting N consensus nodes with the top reputation valuesIdentifying a node as a new slave node, wherein (2*N) is more than or equal to Z; and if two consensus nodes with the highest reputation value exist, selecting the consensus node with a small label as the main node in the alliance chain.
Further, step S2 specifically includes the following steps:
s21: the terminal device sends the private key S TE Public key P TE Node ID TE And taking the timestamp t of the identity registration information as the identity registration information ms, ms = (S) of the terminal equipment TE ,P TE ,NodeID TE ,t);
S22: terminal equipment utilizes public key P of edge gateway LN For ms = (S) TE ,P TE ,NodeID TE T) carrying out elliptic curve encryption algorithm to obtain registration request message
Figure BDA00037932650300000410
Wherein E () represents an elliptic curve cryptography algorithm; then the registration request message req and the time stamp T of the registration request message req are stored r And sending the data to the edge gateway.
Further, step S3 specifically includes the following steps:
s31: and (3) verifying the timestamp: after the edge gateway receives the registration request message of the terminal equipment, the edge gateway verifies the timestamp T of the registration request message r If the register request message is overtime, the message is discarded, and if the register request message is not overtime, the subsequent steps are executed;
s32: generating a registration transaction, specifically comprising:
(1) After the edge gateway verifies the registration request message, the edge gateway decrypts the registration request message req by using the private key to obtain the identity registration information ms = (S) of the terminal device TE ,P TE ,NodeID TE ,t);
(2) Edge gateway pair S TE ,P TE ,NodeID TE T Hash calculation, resulting in Hash value h = Hash (S) TE ||P TE ||NodeID TE ||t);
(3) Edge gateway using private key S EG Carrying out elliptic curve digital signature on h to obtain an elliptic curve digital signature
Figure BDA0003793265030000051
Wherein ES () represents the elliptic curve digital signature algorithm, S EG The private key generated by the edge gateway in the initialization stage is represented;
(4) The edge gateway will
Figure BDA0003793265030000052
As a registration transaction
Figure BDA0003793265030000053
And trans will EG Feeding back to the main node;
s33: verifying the registration transaction: master node receiving registration transaction trans EG Then, trans is verified EG Whether the method is reliable or not is used for preventing a malicious attacker from pretending to be the edge gateway to launch the attack; the method specifically comprises the following steps:
(1) Master node pair S TE ,P TE ,NodeID TE T performs a hash calculation to obtain a hash value h 1 =Hash(S TE ||P TE ||NodeID TE ||t);
(2) The master node utilizes the public key P of the edge gateway EG To pair
Figure BDA0003793265030000054
Performing signature verification and verifying the signature
Figure BDA0003793265030000055
Carrying out Hash calculation to obtain a Hash value
Figure BDA0003793265030000056
If h is 2 =h 1 If yes, the verification is passed, and trans is verified EG The sender of (2) is an edge gateway, so as to prevent a malicious node from impersonating the edge gateway; wherein P is EG Representing a public key generated by the edge gateway in an initialization stage;
(3) After the verification is passed, the master node transmits the trans EG S in (1) TE ,NodeID TE And t is put into a transaction pool, and the master node and the slave node enter a transaction information verification stage.
Further, step S4 specifically includes the following steps:
s41: the main node generates and broadcasts transaction information, and specifically comprises the following steps:
(1) The main node obtains the node ID of the terminal device from the transaction pool TE T), to terminal equipment (NodeID) TE T) performing a hash calculation to obtain a hash value h 3 =Hash(NodeID TE ||t);
(2) The main node obtains a private key S from the transaction pool TE Master node using S TE To h 3 Carrying out encryption (the encryption method is an asymmetric encryption method) to obtain
Figure BDA0003793265030000057
Wherein E' () represents an asymmetric encryption based encryption algorithm;
(3) Master node reusing public key P of slave node RN Pair (NodeID) TE T) and
Figure BDA0003793265030000058
carrying out elliptic curve encryption to obtain
Figure BDA0003793265030000059
Record as
Figure BDA00037932650300000510
(4) The master node will
Figure BDA00037932650300000511
And T _ tx is broadcast as transaction information to the slave nodes
Figure BDA00037932650300000512
Wherein T _ tx represents the time stamp of the transaction information of the current round;
s42: verifying the authenticity of the transaction information from the node: block trans of slave node receiving main node broadcast LN Then, trans by the slave node pair LN Verifying and ensuring the authenticity of the transaction information, which specifically comprises the following steps:
(1) Using self from nodePrivate key S of RN For in transaction information
Figure BDA0003793265030000061
Carrying out elliptic curve decryption to obtain
Figure BDA0003793265030000062
(2) Using public key P of terminal device by slave node TE To pair
Figure BDA0003793265030000063
Decrypting (the decryption method is an asymmetric decryption method), and if the decryption can be successfully performed, indicating that the identity registration information is of the terminal equipment;
(3) Slave node pair NodeID TE T performs a hash calculation to obtain a hash value h 4 =Hash(NodeID TE | t), if h 4 =h 3 Then verify (NodeID) TE T) has not been tampered with;
s43: the slave node verifies the timeliness of the transaction information;
after the slave node confirms that the sender of the transaction information is the master node and the transaction information is reliable, the slave node verifies the timeliness of the transaction information and verifies trans through verification LN Whether the transaction timestamp T _ tx in (1) is expired to verify the timeliness of the transaction; time of verifying time stamp T _ tx is T tx Assuming that the validity period time length is T t If T is tx -T_tx≤T t Determining that the transaction information is time-efficient;
s44: identity authentication judgment;
if the number of the slave nodes is larger than N/2, the slave nodes verify the authenticity of the transaction information and the timeliness of the transaction information, the slave nodes judge that the identity authentication of the terminal equipment passes, and the result is marked as Pass TE (ii) a Otherwise, the terminal equipment identity authentication fails and is marked as False TE
After the terminal equipment identity authentication is successful, the main node packs the identity registration information ms of the terminal equipment into a Block Block A Recording the information into the account book of the alliance chain, and realizing the identity registration information uplink of the terminal equipment (the account book is a series of connected alliance chains)A block); and the master node sends the authentication result to the edge gateway and the terminal device.
Further, step S5 specifically includes: after the terminal equipment identity authentication is successful, the main node enables Block A Broadcast, the slave node receiving Block A Then, the identity registration information chaining of the terminal equipment is realized according to an improved consensus algorithm; if the number of slave node pairs is more than N/2, the Block Block is divided into blocks A If the agreement is reached, the master node will Block Block A Recording the information into an account book of the alliance chain, namely, the identity registration information cochain, thereby realizing traceability of the authentication result; the terminal equipment identity authentication is not passed, and the identity registration information cannot be uplink.
Wherein, the uplink of the identity registration information comprises the stages of request, pre-preparation, feedback, confirmation and reply, and the method specifically comprises the following steps:
(1) A request phase: terminal equipment sends request message req to main node m =<request,q,t req ,c>Wherein q is the request content and q contains Block A ,t req The timestamp is, c is a terminal equipment identifier, and the request comprises message content m and a message abstract d;
(2) The main node enters a pre-preparation stage after receiving a request message of the terminal equipment;
the master node will prepare the message in advance<pre pr ,req m ,d,n s ,v>Hash value h of the pre-prepared message 5 =Hash(pre pr ||req m ||d||n s | v) and digital signatures of pre-prepared messages
Figure BDA0003793265030000071
Broadcasting to the slave nodes; wherein pre pr For prepping a marker of the message, d is req m Abstract of (1), n s For preparing message sequence numbers, h is less than or equal to n s H is less than or equal to H, H and H represent serial number n s V is a view number (view means that each round is taken as a view according to different main nodes in the consensus algorithm);
(3) The slave node enters a preparation stage after receiving a preparation message of the master node;
receiving a pre-preparation message and a hash value h from a node 5 And a digital signature
Figure BDA0003793265030000072
Thereafter, the following checks need to be performed:
a) The method comprises the following steps The slave node verifies whether the digital signature of the master node on the pre-prepared message is correct or not;
slave node using public key pair of master node
Figure BDA0003793265030000073
Carrying out signature verification and carrying out Hash calculation on the signature verification result to obtain a Hash value h 6 If h is 5 =h 6 If the verification is successful;
b) The method comprises the following steps The slave node checks whether a sequence number n in view v is received s I.e. the slave node checks if there is a request message req of the terminal device m '; and checking if there is a request message req m Message digest d'; if (req) m ′≠req m ) And (d' ≠ d) exists, the pre-prepare message is invalid;
c) The method comprises the following steps Slave node checking pre-prepared message sequence number n s If not within the correct range (H, H), the pre-preparation message is invalid;
if the conditions a), b) and c) are verified to be valid, the pre-prepared message is indicated to be valid and is recorded as Succ ppre (ii) a Whereby the slave node sends a prepare message m to the master node pre =<prep,j,d′,n s ′,v′>Where prep is the marker of the prepare message, j denotes the number of the current slave node, d', n s ', v' and d, n in the Preset message s V is the same; and the slave node will prepare the hash value h of the message 7 =Hash(m pre ) And digital signature
Figure BDA0003793265030000074
Sending the information to a main node;
(4) The master node enters a feedback stage after receiving the preparation message of the slave node; master node and each slave node need pairPrepare message m pre Hash value h 7 Preparing a signature of the message
Figure BDA0003793265030000075
The following validation was performed:
a) The method comprises the following steps Host node verifying signature of prepare message
Figure BDA0003793265030000076
Whether it is correct; the master node uses the public key pair of the slave nodes
Figure BDA0003793265030000077
Performing signature verification and verifying the signature
Figure BDA0003793265030000078
Hash calculation to obtain a hash value h 8 If h is 8 =h 7 If the verification is successful;
b) The method comprises the following steps Verifying the Pre-prepare message number n in the prepare message from the node s ' whether the reference numbers are under the same view number v, if the pre-prepared message n in the prepared message s ′≠n s If the message is valid, the pre-prepared message is invalid;
c) The method comprises the following steps The slave node checks the preparation message sequence number n s A range of' if not within the correct range (H, H), the prepare message is invalid;
d) The method comprises the following steps The slave node verifies whether the message digest d' in the preparation message is consistent with d in the pre-preparation message, and if not, the preparation message is invalid;
if the conditions of a), b), c) and d) are verified to be valid, the preparation message is valid and is recorded as Succ pre Sending Succ from the node pre Giving the master node;
if the master node receives more than N/2 Succ pre N/2 pieces of preparation message and Succ pre Packaging, marking the package as D, and sending a feedback message m to the slave node feback =<feback,j′,D,n s ″,v″>(ii) a Wherein j', n s ", v" and i, n of the prepare message s ', v' same, feedback is a mark of feedback messageMarking;
(5) The slave node receives the feedback message m of the master node feback Then entering a confirmation stage;
a) The method comprises the following steps Firstly, the slave node verifies the received feedback message, and verifies j' n s ", v" and j, n of the prepare message s If ' and v ' are the same, if j ' = j, n s ″=n s ', v "= v', then the feedback message verification is successful;
b) The method comprises the following steps Slave node RN j Checking whether the feedback messages of the rest slave nodes are successfully verified;
if the slave node RN j The received message of successful verification of the rest slave nodes more than N/2 indicates that the RN from the node j Agreeing to the request message, sending an acknowledgement message m commit =<commit,j′,D,n s ″,v′>To the master node, where commit is the acknowledgement marker, RN j J is more than or equal to 1 and less than or equal to N and represents the jth slave node;
(6) The master node receives the confirmation message m of the slave node commit Then entering a reply stage;
if the master node receives the confirmation messages of more than N/2 slave nodes, the confirmation messages indicate that the slave nodes are used for blocking the terminal equipment A A consensus is reached; block of terminal equipment A After the consensus is achieved, the main node as the consensus node uses Block A Recording the data into an account book; and the master node will reply message m reply =<reply,j′,t req ,c,v″,r>Sending to the terminal device, where r is the operation result of the request, t req Is a timestamp, and c is a terminal equipment identifier; the terminal equipment finds that the request operation is successful, which indicates that the uplink of the terminal equipment identity registration information is successful.
Further, in step S6, the reputation value calculation formula of the master node is:
rew LN =(A 1 ×ω 1 -A 2 ×ω 2 )×(1-r LN )+r LN (2)
wherein rew LN Indicating the updated reputation value, r, of the master node after the end of a period LN Representing the reputation value of the master node in a period, A 1 To representThe master node links the identity registration information with the number of uplink activities, A 2 Indicating the number of times the master node will leave the identity registration information unlinked.
Further, in step S6, the reputation value calculation formula of the slave node is:
Figure BDA0003793265030000081
wherein the content of the first and second substances,
Figure BDA0003793265030000082
represents that a slave node RN after one period is finished j The updated reputation value of (a) is,
Figure BDA0003793265030000083
indicating a slave node RN within one cycle j Reputation value, A 5 Representing the number of actions achieved from the normal consensus of the node, A 3 Representing the behavior times of the common identification failure in the uplink stage of the node identity registration information; a. The 4 Indicating the number of times the behavior of the consensus-reached message is repeatedly sent from the node.
The invention has the beneficial effects that: the invention integrates the identity authentication of the terminal equipment into an improved consensus algorithm mechanism, and designs a credit value mechanism to select the consensus node, thereby realizing the identity authentication of the terminal equipment and further improving the safety capability of the industrial edge computing environment.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the means of the instrumentalities and combinations particularly pointed out hereinafter.
Drawings
For a better understanding of the objects, aspects and advantages of the present invention, reference will now be made to the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 is an identity authentication architecture for a terminal device in an industrial edge computing environment;
FIG. 2 is a flowchart of identity authentication of an edge computing terminal device based on a reputation value mechanism according to an embodiment of the present invention;
FIG. 3 is a diagram of the relationship between the number of rounds of chaining and one cycle of identity registration information;
FIG. 4 is a diagram illustrating an identity registration information uplink process;
FIG. 5 is a diagram illustrating behavior information and round relationship of consensus nodes;
FIG. 6 is a diagram of consensus node reputation values versus turns.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention in a schematic way, and the features in the following embodiments and examples may be combined with each other without conflict.
The embodiment provides an identity authentication architecture based on a terminal device in an industrial edge computing environment, as shown in fig. 1, the architecture is divided into 3 layers, and is composed of an industrial cloud platform layer, an edge layer and a field layer. The industrial cloud platform layer comprises an industrial cloud server; the edge layer comprises edge nodes (the edge nodes comprise edge servers, edge gateways and the like); the field layer comprises industrial terminal equipment and routing nodes; the alliance chain is formed by mapping after an edge server in an edge layer installs an alliance chain client. The method is designed based on the fact that all devices in the framework (not including the terminal device) are reliable and secure.
1. Industrial Cloud Server (ICP): and providing information calculation and storage services for edge layer alliance link nodes and field layer equipment.
2. Edge Server (ES, edge Server): and a server with computing capacity and storage capacity, and the like, and a federation chain client is installed in the edge server to form a federation chain node, so that a federation chain is formed. And selecting a consensus node participating in a consensus algorithm in the alliance chain, wherein the consensus node is divided into a master node (Leader) and a slave node (Replica) in the alliance chain of the edge layer.
A federation link node: edge servers with federation chain clients installed are called federation chain nodes, and the federation chain nodes form a federation chain; the federation chain nodes include consensus nodes and weak nodes.
(1) Consensus node (Sealer): the nodes participating in the consensus algorithm are called consensus nodes, and the master node (Leader) and the slave node (Replica) belong to the consensus nodes.
Master node (Leader): the system is responsible for verifying transaction information and recording identity registration information into a federation chain ledger, wherein the federation chain ledger is a continuous block of the federation chain, and the block of the federation chain is a carrier for storing data information and the like in the federation chain.
Slave node (Replica): is responsible for transacting trans EG To identify and verify transaction information, etc.
(2) Weak node (weak): only a federation chain is formed and does not participate in the consensus process.
3. Edge Gateway (EG, edge Gateway): responsible for generating transaction trans EG And completing industrial communication protocol conversion, etc.
4. Terminal Equipment (TE, terminal Equipment): and sensing the environment and collecting data.
5. Routing Node (Routing Node): data forwarding and routing path selection are accomplished in the field layer.
The embodiment provides an identity authentication method for edge computing terminal equipment based on a reputation value mechanism, as shown in fig. 2, an identity authentication process of the terminal equipment is divided into six stages, and the specific process is as follows:
1. initialization phase
In the initialization stage, the edge gateway generates public and private keys of terminal equipment and routing nodes, installs a alliance chain client on an edge server and selects a master node and a slave node in a consensus algorithm from an alliance chain.
1) Generating public and private keys for a terminal device
Edge gateway generates public key P for terminal equipment TE And a private key S TE To public key P TE Public, private key S TE And sending the private key to the terminal equipment, and storing the private key by the terminal equipment.
2) Generating public and private keys for routing nodes
Edge gateway generates public key P for routing node RN And a private key S RN To public key P RN Public, private key S RN And sending the private key to the routing node, and storing the private key by the routing node.
3) Initializing edge servers and generating key pairs for edge servers
The invention selects the edge server in the edge layer to act as a consensus node in the alliance chain network. Firstly, in ES i Installing the alliance chain client, and after the alliance chain client is installed, the ES i The federation chain node address and federation chain certificate, ES, will be obtained i (i =1,2,3, …, Z) is the ith edge server of the edge layer; then, ES i Adopting an asymmetric encryption algorithm to obtain a unique session key pair and a public key
Figure BDA0003793265030000101
And a private key
Figure BDA0003793265030000102
Will public key
Figure BDA0003793265030000103
Public, self-keeping private keys
Figure BDA0003793265030000104
4) Selecting common node, master node and slave node in alliance chain
The existing practical Byzantine fault-tolerant algorithm needs all nodes to participate in the consensus algorithm, so that the consensus time is increased, the efficiency is low, and the method is different from the requirement of high real-time performance of an industrial network. Therefore, the invention improves the existing Byzantine fault-tolerant consensus algorithm from the aspects of performance and safety. In the consensus algorithm designed by the invention, a credit value mechanism is designed, so that the selection of the consensus nodes is related to the credit value of the nodes, wherein the probability of being selected as the consensus nodes is higher as the credit value of the nodes is higher, and thus, the nodes participating in the consensus algorithm are not all the alliance chain network nodes. In the aspect of consensus efficiency, the mechanism reduces the number of consensus nodes and accelerates the consensus speed by selecting partial nodes as the consensus nodes; in terms of security, the common node is selected according to the reputation value of the node, so that an attacker trying to destroy the authentication result must control a large number of nodes with high reputation values, thereby increasing the attack cost of the attacker.
In this embodiment, the ul of the f-turn identity registration information is defined as a period, and a relationship between the ul of the f-turn identity registration information and the period is shown in fig. 3. In the invention, the reputation value r of the alliance chain node ranges from (0,1), the alliance chain node means an edge server provided with an alliance chain client, and the alliance chain nodes are numbered from 1 to Z in sequence. Initializing a reputation value r of a federation chain node (set of federation chain nodes Z = {1, N, Q }) at a time t = 0; then, the alliance chain selects the alliance chain node with the highest reputation value as a main node, selects N alliance chain nodes as slave nodes, and labels are sequentially from 1 to N, wherein N satisfies the following conditions: 2N is more than or equal to Z, Z represents the number of all the coalition link points, and the reliability of the authentication result is ensured; q alliance chain nodes are left to serve as weak nodes; and after the initialization work is finished, starting the identity registration information uplink work.
4.1 ) select consensus nodes
In this embodiment, after completing the uplink procedure of the terminal equipment identity registration information in one period, the alliance link node reselects the consensus node according to the designed consensus node selection mechanism within Δ t time, as shown in [ t ] of fig. 3 f ,t f +Δt]、[t 2f ,t 2f +Δt]And reselecting the consensus node within the moment. Δ t is the time interval between the end of the uplink for the previous identity registration message and the start of the uplink for the next identity registration message.
The consensus node selection mechanism designed in this embodiment combines a reputation value mechanism and a VRF random function, and the specific consensus node selection mechanism scheme is as follows:
(1) Each alliance chain node generates a random number rand according to the block hash value of the alliance chain node i Will run i Conversion into 16-system number S 16 (S 16 Zero knowledge certificate proof used to construct federation chain nodes) and will rand i And S 16 Broadcast to all federation chain nodes, rand i Random number representing the ith federation chain node, i ∈ [1,Z]。
(2) Each alliance link node passes through a private key
Figure BDA0003793265030000111
(
Figure BDA0003793265030000112
Private key representing federation chain node i) versus random number rand i Calculating the Hash value to obtain a random result i
Figure BDA0003793265030000113
Wherein, hash () represents Hash calculation, | | | is a link symbol; result i Representing the random result of the ith federation link node.
(3) Each alliance chain node according to the random result i Whether the ratio to the length of the byte is less than or equal to a threshold Y determines whether it can be selected as a consensus node. The selection judgment algorithm is shown as formula (1):
Figure BDA0003793265030000114
since the election determination algorithm in formula (1) is a probabilistic algorithm, there may be a situation where there is not enough number of common nodes in the uplink stage of the identity registration message, and therefore an appropriate threshold Y needs to be set to reduce the probability of this situation. The invention takes Y =0.4 or 0.5,len (result) i ) Represents the random result i The byte length of (c).
The embodiment specifies federation chain nodes iRandom result i If the ratio of the length of the node to the length of the byte is less than or equal to a threshold value Y, the node is qualified to be commonly recognized as a commonly recognized node by other alliance link points; on the contrary, it does not qualify as being recognized.
(4) If the alliance link node i meets the formula (1), the alliance link node i has the possibility of becoming a consensus node at the moment, and other alliance link nodes are needed to verify whether the result of the alliance link node i becoming the consensus node is reliable. Therefore, the alliance link node i constructs a zero knowledge certificate proof through an elliptic curve encryption algorithm i (where G is the base point of the elliptic curve cryptography algorithm and J is the large prime order of the base point G).
Federation chain node i constructs zero knowledge certificate proof i The method comprises the following specific steps:
the first step is as follows: federation chain node i compute K 1 The value of the sum of the values,
Figure BDA0003793265030000121
the second step is that: federation link node i computation K 2 Value of,
Figure BDA0003793265030000122
wherein k is the same as [0,J-1 ]];
The third step: federation link node i acquisition
Figure BDA0003793265030000123
Federation chain node i obtains proof i After that, proof i And a random result i Broadcast to other federation chain nodes for other federation chain link point pairs proof i And (6) carrying out verification.
(5) Other alliance-link nodes are receiving proof i After that, proof of i The method comprises the following specific steps:
step 1: each federation chain node (except federation chain node i) is based on the public key of federation chain node i
Figure BDA0003793265030000124
Base points G, K 2 Value and result i Calculating K 3
Figure BDA0003793265030000125
Step 2: each federation chain node (except federation chain node i) is based on the public key of federation chain node i
Figure BDA0003793265030000126
And a random number rand i Calculating K 4
Figure BDA0003793265030000127
And 3, step 3: each federation link node (except federation link node i) is based on K of federation link node i 1 Value, K 2 Value, K 4 Value and result i Calculating K 5 Value, K 5 =K 1 *result i +K 4 *K 2
And 4, step 4: each federation link node (except federation link node i) is based on base point G, K 1 Value, K 3 Value, K 4 Value, K 5 Value and public key of federation chain node i
Figure BDA0003793265030000128
Calculating result i ′,
Figure BDA0003793265030000129
Judge result i ′=result i If the result is true, if the result is calculated by each alliance link node (except the alliance link node i) i ′=result i If the alliance link node i becomes the consensus node, the identity of the consensus node is accepted by other alliance link nodes, and the alliance link node i becomes the consensus node; if resilt i ′≠result i Federation chain node i cannot become a consensus node.
4.2 ) select master and slave nodes
After the selection of the consensus node is completed, the master node C in the previous period LN Selecting a new cycle according to the master node reputation value and the slave node reputation value list in table 1A master node and a new slave node. The specific selection rule is as follows:
C LN sorting the reputation values of the master node and the slave nodes, selecting the consensus node with the highest reputation value as a new master node, and selecting 60% of the consensus nodes with the highest reputation values as new slave nodes (namely selecting N slave nodes, wherein the first 60% is ensured to be (2*N) ≧ Z); and if two consensus nodes with the highest reputation value exist, selecting the consensus node with a small label as a main node in the alliance chain.
2. Terminal equipment generating registration request message phase
Firstly, terminal equipment generates a registration request message by using own identity registration information, and the specific flow is as follows:
1) Secret key S TE Public key P TE Node ID TE Taking the timestamp t of the identity registration information as the identity registration information ms, ms = (S) of the terminal equipment TE ,P TE ,t,NodeID TE );
2) Terminal equipment utilizes public key P of edge gateway LN For ms = (S) TE ,P TE ,t,NodeID TE ) Performing elliptic curve encryption algorithm to obtain registration request message
Figure BDA0003793265030000135
Wherein E () represents an elliptic curve cryptography algorithm; then the registration request message req and the time stamp T of the registration request message req are stored r And sending the data to the edge gateway.
3. Edge gateway authentication registration request message and master node authentication registration transaction
After receiving the identity registration request message of the terminal equipment, the edge gateway checks whether the registration request message of the terminal equipment is overtime, and the main node verifies the registration transaction trans EG . The specific process is as follows:
1) Verifying a timestamp
After the edge gateway receives the registration request message of the terminal equipment, the edge gateway verifies the timestamp T of the registration request message r And if the registration request message is overtime, discarding the message, and if the registration request message is not overtime, executing subsequent operation.
2) Generating registration transactions
(1) After the edge gateway verifies the identity registration request message, the edge gateway decrypts the registration request message req by using the private key to obtain the identity registration information ms = (S) of the terminal device TE ,P TE ,NodeID TE ,t);
(2) Edge gateway pair S TE ,P TE ,NodeID TE T Hash calculation, resulting in Hash value h = Hash (S) TE ||P TE ||NodeID TE ||t);
(3) Edge gateway using private key S EG Carrying out elliptic curve digital signature on h to obtain an elliptic curve digital signature
Figure BDA0003793265030000131
Wherein ES () represents an elliptic curve digital signature algorithm;
(4) The edge gateway will
Figure BDA0003793265030000132
As a registration transaction
Figure BDA0003793265030000133
And trans will EG And feeding back to the main node.
3) Verifying registration transactions
Master node receiving registration transaction trans EG Then, trans is verified EG And (4) whether the method is reliable or not so as to prevent a malicious attacker from masquerading as the edge gateway to launch the attack.
(1) Master node pair S TE ,P TE ,NodeID TE T performs a hash calculation to obtain a hash value h 1 =Hash(S TE ||P TE ||NodeID TE ||t);
(2) The master node utilizes the public key P of the edge gateway EG To pair
Figure BDA0003793265030000134
Performing signature verification and verifying the signature
Figure BDA0003793265030000141
Carrying out Hash calculation to obtain a Hash value
Figure BDA0003793265030000142
If h 2 =h 1 If yes, the verification is passed, and the trans is verified EG The sender of (2) is an edge gateway, so as to prevent malicious nodes from masquerading as the edge gateway;
(3) After the verification is passed, the master node transmits the trans EG S in (1) TE ,NodeID TE And t is put into a transaction pool, and the master node and the slave node enter a transaction information verification stage.
4. Transaction information generation and verification phase of terminal device
The embodiment enters a transaction information generation and verification stage, the master node needs to generate a transaction and broadcast the transaction to the slave nodes, and the slave nodes verify the authenticity of the transaction information and the timeliness of the transaction information, and the specific flow is as follows:
1) Host node generating and broadcasting transaction information
1.1 Node ID of terminal device is obtained from transaction pool by main node TE T), to terminal equipment (NodeID) TE T) performing a hash calculation to obtain a hash value h 3 =Hash(NodeID TE ||t);
1.2 ) the master node obtains the private key S from the transaction pool TE Master node using S TE To h 3 Carrying out encryption (the encryption method is an asymmetric encryption method) to obtain
Figure BDA0003793265030000143
Wherein E' () represents an encryption algorithm based on asymmetric encryption;
1.3 ) the master node reuses the public key P of the slave node RN Pair (NodeID) TE T) and
Figure BDA0003793265030000144
carrying out elliptic curve encryption to obtain
Figure BDA0003793265030000145
Record as
Figure BDA0003793265030000146
1.4 The master node will
Figure BDA0003793265030000147
And T _ tx is broadcast as transaction information to the slave nodes
Figure BDA0003793265030000148
Where T tx is the timestamp of the transaction information for the current round.
2) Verifying transaction information authenticity from a node
Block trans of slave node receiving main node broadcast LN Then, trans by the slave node pair LN And (3) verifying to ensure the authenticity of the transaction information, wherein the process is as follows:
2.1 The slave node uses its own private key S RN For in transaction information
Figure BDA0003793265030000149
Carrying out elliptic curve decryption to obtain
Figure BDA00037932650300001410
2.2 Use of the public key P of the terminal device by the slave node TE To pair
Figure BDA00037932650300001411
Decrypting, (the decryption method is an asymmetric decryption method), if the decryption can be successfully performed, the identity registration information is shown to be of the terminal equipment;
2.3 Node ID from node pair TE T performs a hash calculation to obtain a hash value h 4 =Hash(NodeID TE | t), if h 4 =h 3 Then verify (NodeID) TE T) has not been tampered with.
3) Verifying timeliness of transaction information from node
After the slave node confirms that the sender of the transaction information is the master node and the transaction information is reliable, the slave node verifies the timeliness of the transaction information and verifies trans LN Whether the transaction timestamp T _ tx in (1) is expired to verify the aging of the transactionAnd (4) sex. The time of the verification timestamp T _ tx is T tx Assuming a validity period time length T t If T is tx -T_tx≤T t The transaction message is deemed to be time-sensitive.
4) Identity authentication decision
If the number of the slave nodes larger than N/2 is larger than that of the slave nodes, the authenticity of the transaction information and the timeliness of the transaction information are verified, the slave nodes judge that the identity authentication of the terminal equipment is passed, and the Pass is marked as Pass TE (ii) a Otherwise, the terminal equipment fails to identify and is marked as False TE
After the terminal equipment identity authentication is successful, the main node packs the identity registration information ms of the terminal equipment into a Block A Recording the information into an account book of the alliance chain, and realizing the identity registration information uplink of the terminal equipment (the account book is a series of connected alliance chain blocks); and the master node sends the authentication result to the edge gateway and the terminal device.
5. Identity registration information uplink stage of terminal equipment
After the terminal equipment identity authentication is successful, the main node enables Block A Broadcast, the slave node receiving Block A And then, the identity registration transaction information uplink of the terminal equipment is realized according to the improved consensus algorithm. If the number of slave node pairs is more than N/2, the Block Block is divided into blocks A If the agreement is reached, the master node will Block Block A And recording the information into an account book of the alliance chain (namely, the identity registration information uplink), thereby realizing traceability of the authentication result. If the terminal equipment identity authentication fails, the identity registration transaction information cannot be uplink. The identity registration transaction information uplink process consists of the stages of request, pre-preparation, feedback, confirmation and reply as shown in fig. 4.
The total number of the common identification nodes in the alliance chain is N +1, and the process of the identity registration information of the terminal equipment to achieve common identification is as follows:
1) In the request phase, the terminal device sends a request message req to the master node m =<request,q,t req ,c>Wherein q is the request content and q contains Block A ,t req And c is a terminal equipment identifier, and the request comprises message content m and a message abstract d.
2) The main node enters a pre-preparation stage after receiving a request message of the terminal equipment.
The master node will prepare the message in advance<pre pr ,req m ,d,n s ,v>Prepare message in advance hash value h of 5 =Hash(pre pr ||req m ||d||n s | v) and digital signatures of pre-prepared messages
Figure BDA0003793265030000151
Broadcast to the slave nodes. Wherein pre pr For prepping a marker of the message, d is req m Summary of (1), n s For preparing message sequence numbers (specified h ≦ n) s H is less than or equal to H, H and H represent serial number n s High and low numbers of (g)), v is a view number (view means: each round is treated as a view, depending on the master node in the consensus algorithm).
3) And the slave node enters a preparation stage after receiving the preparation message of the master node. Pre-prepare message, hash value h received from node 5 And digital signature
Figure BDA0003793265030000152
After that, the following check needs to be performed.
a) The slave node verifies whether the master node's digital signature on the pre-prepared message is correct.
Slave node using public key pair of master node
Figure BDA0003793265030000153
Carrying out signature verification and carrying out Hash calculation on the signature verification result to obtain a Hash value h 6 If h is 5 =h 6 The verification is successful.
b) The slave node checks whether it has received a sequence n under view v s I.e. a request message req of the slave node checking whether a terminal device is present m '; and checking if there is a request message req m Message digest d' of. If (req) m ′≠req m ) If (d' ≠ d) exists, the pre-prepare message is invalid.
c) Slave node checking pre-prepared message sequence number n s If not within the correct range (H, H), the pre-prepare message is invalid.
If the conditions a), b) and c) are verified to be valid, the pre-prepared message is indicated to be valid and is recorded as Succ ppre . Whereby the slave node sends a prepare message m to the master node pre =<prep,j,d′,n s ′,v′>Where prep is the marker of the prepare message, j denotes the number of the current slave node, d', n s ', v' and d, n in the Preset message s V is the same; and the slave node will prepare the hash value h of the message 7 =Hash(m pre ) And digital signature
Figure BDA0003793265030000161
And sending the data to the main node.
4) And the master node enters a feedback stage after receiving the preparation message of the slave node. The master node and each slave node need to align the prepared message m pre Hash value h 7 Preparing a signature of the message
Figure BDA0003793265030000162
The following verification was performed.
a) Host node verifying signature of prepare message
Figure BDA0003793265030000163
If it is correct. The master node uses the public key pair of the slave node
Figure BDA0003793265030000164
Performing signature verification and verifying the signature
Figure BDA0003793265030000165
Hash calculation to obtain a hash value h 8 If h is 8 =h 7 The verification is successful.
b) Verifying the Pre-prepare message number n in the prepare message from the node s ' if the reference number is the same as that under the view number v, if the pre-prepared message n in the prepared message is the same as that under the view number v s ′≠n s The pre-prepared message is invalid.
c) The slave node checks the preparation message sequence number n s The range of' if not within the correct range (H, H), the prepare message is invalid.
d) The slave node verifies whether the message digest d' in the preparation message is consistent with d in the preparation message, and if not, the preparation message is invalid.
If the conditions of a), b), c) and d) are verified to be valid, the preparation message is valid and is recorded as Succ pre Sending Succ from the node pre To the master node.
If the master node receives more than N/2 Succ pre The N/2 pieces of preparation information and Succ pre Packaging, marking the package as D, and sending a feedback message m to the slave node feback =<feback,j′,D,n s ″,v″>. Wherein j', n s ", v" and i, n of the prepare message s ', v' are the same, feedback is a marker for feedback messages.
5) The slave node receives the feedback message m of the master node feback And then entering a confirmation phase.
a) Firstly, the slave node verifies the received feedback message, and verifies j' n s ", v" and j, n of the prepare message s If ' and v ' are the same, if j ' = j, n s ″=n s ', v "= v', the feedback message verification is successful.
b) RN from node j (RN j Representing the jth slave node, j is more than or equal to 1 and less than or equal to N) and checking whether the feedback messages of the rest slave nodes are successfully verified. If the slave node RN j Receiving a message of successful verification of the rest of the slave nodes more than N/2, indicating that the RN is the slave node j Agreeing to the request message, sending an acknowledgement message m commit =<commit,j′,D,n s ″,v″>To the master node, commit is the acknowledgement marker.
6) The master node receives the confirmation message m of the slave node commit And then enters a reply phase.
If the master node receives the confirmation messages of more than N/2 slave nodes, the confirmation messages indicate that the slave nodes are used for blocking the terminal equipment A A consensus was reached. Block of terminal equipment A After the consensus is achieved, the Block is taken as a main node of the consensus node A Recording the data into an account book; and the master node will reply message m reply =<reply,j′,t req ,c,v″,r>Sending to the terminal device, where r is the operation result of the request, t req Is a timestamp, and c is a terminal device identifier. The terminal equipment finds that the request operation is successful, which indicates that the uplink of the terminal equipment identity registration information is successful.
6. Behavior information and reputation value updating phase of consensus node
In each identity registration information uplink stage period, the master node records and updates the reputation value and the behavior information table of the consensus node according to the identity registration information uplink behaviors and results of the master node and the slave nodes. After the new master node is selected, the reputation value and behavior information table of the consensus node is delivered to the new master node, and the new master node records and updates the behavior information and reputation value in the next period, as shown in table 1.
Table 1 consensus node reputation value and behavior information table
Figure BDA0003793265030000171
Specific meanings of each symbol in table 1, such as:
Figure BDA0003793265030000172
in (1)
Figure BDA0003793265030000173
Represents the reputation value of the slave node numbered j; s =1 indicates that the master node uplinks the identity registration information 1 time; f =1 indicates that the master node does not uplink the identity registration information 1 time; g f ={g 1 ,g 2 ,g j ,…g n In the (g) 1 =2 denotes that slave node consensus with number 1 failed 2 times; link =6 indicates that the identity registration information consensus behavior occurs 6 times at the consensus node;
Figure BDA0003793265030000174
zhongjuan (Chinese character)
Figure BDA0003793265030000175
The slave node denoted by the number 1 repeatedly transmits the consensus achievement message 2 times.
1) Consensus node behavior information recording and updating
During a time Δ t before the end of each round, as shown in FIG. 5 [ t ] 1 -Δt,t 1 ]、…、[t f -Δt,t f ]Within the time, the master node records and updates the consensus node behavior information table according to the identity registration information uplink behavior and results of the master node and the slave nodes to the terminal equipment in the identity registration information uplink stage.
The master node records and updates the credit value and the behavior information table of the consensus node according to the behaviors of the master node and the slave node in the uplink of the identity registration information of each turn, such as the following behaviors;
the first action: if the main node uplinks the terminal equipment identity registration information successfully authenticated, adding 1 to the S value;
and a second action: if the main node does not uplink the identity registration information of the terminal equipment passing the identity authentication, adding 1 to the F value;
behavior three: after the master node receives the confirmation message of the slave node j in the reply stage, the master node finds that the slave node j can not achieve consensus or malicious non-consensus on the identity registration information of the terminal equipment, and g j Adding 1 to the numerical value;
and action four: the main node and the slave node have the identity registration information uplink behaviors of the terminal equipment, if the behaviors have A times, the Link value is A;
and a fifth action: every time the master node receives 1 consensus message repeatedly sent by the slave node, the master node sends the consensus message
Figure BDA0003793265030000181
The value is increased by 1.
2) Consensus node reputation value recording and updating
Within Δ t before the chain turn in the last identity information of each cycle, as shown by [ t ] in FIG. 6 f -Δt,t f ]And [ t 2f -Δt,t 2f ]In, the master node will follow Table 1The reputation value and the consensus node behavior update the reputation value.
In the calculation process of the reputation value, the influence degree of each behavior attribute on the reputation values of the master node and the slave node is different. According to the scheme, the malicious behavior evaluation of the master node and the slave node is focused on to identify the malicious node, so that when the weight value occupied by the behavior attribute in the table 2 is set, the large weight is assigned to the malicious behavior, and the behavior weights in the master node and the slave node are assigned as shown in the table 2.
TABLE 2 behavior attributes and corresponding weights for consensus nodes
Properties Weight of
Master node chaining identity registration information ω 1 Satisfy (ω) 1 <<0.5)
Master node unlinked behavior with identity registration information ω 2 Satisfy (ω) 2 >>0.5)
Behavior of common identification failure in uplink stage from node identity registration information ω 3 Satisfy (ω) 3 =ω 45 )
Behavior of repeatedly sending agreed-upon messages from a node ω 4 Satisfy (ω) 4 =ω 35 )
Behavior achieved from normal consensus of nodes ω 5 Satisfy (ω) 54 =ω 3 )
ω in Table 2 1 、ω 2 、ω 3 、ω 4 、ω 5 Satisfy omega 12 =1;ω 34 +ω 5 1, < means much smaller than the symbol and > means much larger than the symbol.
Defining reputation value updating algorithms of the master node and the slave node according to the weights and the times of each action in table 2, wherein the calculation of the reputation value of the master node is shown as formula (2):
rew LN =(A 1 ×ω 1 -A 2 ×ω 2 )×(1-r LN )+r LN (2)
wherein rew LN Is the updated reputation value, r, of the master node after a period has ended LN Is the master node reputation value within a period, as shown in FIG. 6; a. The 1 Representing the number of times that the master node uplinks identity registration information; a. The 2 Indicating the number of times the master node will leave the identity registration information unlinked.
Slave node RN j The reputation value calculation is shown in equation (3):
Figure BDA0003793265030000191
wherein
Figure BDA0003793265030000192
Is a slave node RN after one period is finished j The updated reputation value of (a) is,
Figure BDA0003793265030000193
is a slave node RN in one period j Reputation value, as shown in FIG. 6; a. The 5 Representing the number of behaviors normally agreed by the slave node; a. The 3 Indicating slave node identity registration information uplink stageIdentifying the number of failed behaviors; a. The 4 Indicating the number of times the behavior of the consensus-reached message is repeatedly sent from the node.
The master node updates the reputation values rew of the master node and the slave node LN
Figure BDA0003793265030000194
Fill in table 1.
Finally, the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit the present invention, and although the present invention has been described in detail with reference to the preferred embodiments, it will be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions, and all of them should be covered by the claims of the present invention.

Claims (10)

1. An identity authentication method of edge computing terminal equipment based on a credit value mechanism is characterized by comprising the following steps:
s1: an initialization stage: the method comprises the steps that a terminal device, a routing node and an edge gateway generate a key pair, an edge server is provided with a alliance chain client, and an alliance chain selects a main node and a slave node in a consensus algorithm;
s2: the terminal equipment generates a registration request message stage: the terminal equipment generates a registration request message by using the identity registration information of the terminal equipment, and sends the registration request message and the timestamp to the edge gateway;
s3: the edge gateway verifies the registration request message and the main node verifies the registration transaction stage: after receiving the registration request message of the terminal equipment, the edge gateway checks whether the registration request message of the terminal equipment is overtime, and the main node verifies the registration transaction;
s4: the transaction information generation and verification stage of the terminal equipment comprises the following steps: the master node generates transaction information and broadcasts the transaction information to the slave nodes; the slave node verifies the authenticity of the transaction information and the timeliness of the transaction information, and the identity validity judgment of the terminal equipment is realized;
s5: identity registration information consensus and uplink stage of the terminal equipment: the master node and the slave node carry out consensus on the identity registration information of the terminal equipment, and the master node can achieve the cochain of the registration information of the slave node consensus;
s6: and (3) updating the behavior information and the reputation value of the consensus node: and the main node calculates and updates the behavior information and the reputation value of the consensus node according to the behavior of the consensus node in the step S5.
2. The identity authentication method for the edge computing terminal equipment based on the reputation value mechanism according to claim 1, wherein step S1 specifically comprises the steps of:
s11: generating public keys and private keys of the edge gateway and the terminal equipment: the edge gateway generates its own public key P EG And a private key S EG A public key P EG Disclosed is a method for producing a compound; meanwhile, the edge gateway generates a public key P for the terminal equipment TE And a private key S TE A public key P TE Public, private key S TE Sending the data to the terminal equipment for storage;
s12: generating public keys and private keys of the routing nodes: edge gateway generates public key P for routing node RN And a private key S RN To public key P RN Public, private key S RN Sending the routing information to a routing node for storage;
s13: initializing an edge server and generating a key pair of the edge server;
selecting an edge server in an edge layer to act as a consensus node in a alliance chain network, wherein the method comprises the following steps: first, in ES i Installing the alliance chain client, and after the alliance chain client is installed, the ES i Obtaining a federation chain node address and a federation chain certificate; then, ES i Using asymmetric cryptographic algorithms, obtaining a unique session key pair, i.e. a public key
Figure FDA0003793265020000011
And a private key
Figure FDA0003793265020000012
Will public key
Figure FDA0003793265020000013
Public, self-keeping private keys
Figure FDA0003793265020000014
Wherein ES i The ith edge server for the edge layer, i =1,2,3, …, Z represents all federation link point numbers;
s14: and selecting a consensus node, a main node and a slave node in the alliance chain by adopting a consensus algorithm based on a reputation value mechanism.
3. The identity authentication method for the edge computing terminal device based on the reputation value mechanism according to claim 2, wherein step S14 specifically comprises the following steps:
s141: selecting a consensus node: after completing the uplink of the terminal equipment identity registration information in one period, the alliance link node reselects the consensus node according to the consensus node selection mechanism within delta t time; Δ t is the time gap between the end of the uplink of the previous identity registration message and the start of the uplink of the next identity registration message;
the consensus node selection mechanism combines a credit value mechanism and a VRF random function, and the specific selection mechanism scheme is as follows:
(1) Each alliance chain node generates a random number rand according to the block hash value of the alliance chain node i Will run i Conversion into 16-system number S 1+ And will run rand i And S 16 Broadcast to all federation link nodes, rand i Random number representing the ith federation chain node, i ∈ [1,Z];
(2) Federation chain node i passing through private key
Figure FDA0003793265020000021
For random number rand i Calculating the Hash value to obtain a random result of the alliance link node i i
Figure FDA0003793265020000022
Wherein, hash () represents Hash calculation, | | | is a link symbol;
(3) The alliance link node i responds to the random result i Whether the ratio of the length of the bytes to the length of the bytes is less than or equal to a threshold value Y to determine whether the node can be selected as a consensus node; the selection judgment algorithm is shown as formula (1):
Figure FDA0003793265020000023
wherein, len (result) i ) Represents the random result i The byte length of (d);
random result when node i of federation chain i If the ratio of the length of the node to the length of the byte is less than or equal to a threshold value Y, the node is qualified to be commonly recognized as a commonly recognized node by other alliance link points; on the contrary, the user does not have the acquaintance to be recognized;
(4) If the alliance-link node i satisfies the formula (1), the alliance-link node i constructs a zero-knowledge certificate proof through an elliptic curve encryption algorithm i (ii) a Federation chain node i obtains proof i After that, proof of i And a random result i Broadcast to other federation chain nodes;
zero knowledge certificate proof of construction of federation link node i i The method comprises the following specific steps:
a) The method comprises the following steps K for computing federation link node i 1 Value of,
Figure FDA0003793265020000024
b) The method comprises the following steps K for computing alliance chain node i 2 Value of,
Figure FDA0003793265020000025
wherein k is the same as [0,J-1 ]]J is the large prime number order of the base point G, and G is the base point of the elliptic curve encryption algorithm;
c) The method comprises the following steps Obtaining zero knowledge certificate of federation link node i
Figure FDA0003793265020000026
(5) Other alliance-link nodes are receiving proof i Then, examineProof of progress i The method comprises the following specific steps:
a) The method comprises the following steps Any alliance chain node i' except the alliance chain node i is according to the public key of the alliance chain node i
Figure FDA0003793265020000027
Base points G, K 2 Value and result i Calculating K 3 The value of the sum of the values,
Figure FDA0003793265020000028
b) The method comprises the following steps The federation chain node i' is based on the public key of the federation chain node i
Figure FDA0003793265020000029
And a random number rand i Calculating K 4
Figure FDA00037932650200000210
Figure FDA00037932650200000211
c) The method comprises the following steps The alliance link node i' is according to K of the alliance link node i 1 Value, K 2 Value, K 4 Value and result i Calculating K 5 Value, K 5 =K 1 *result i +k 4 *K 2
d) The method comprises the following steps Federation chain node i' is based on base point G, K 1 Value, K 3 Value, K 4 Value, K 5 Value and public key of federation link node i
Figure FDA0003793265020000031
Calculating result i′
Figure FDA0003793265020000032
Judge result i′ =result i If the result is true, if the result is calculated by the node i' of the union link i′ =result i Then union chainThe identity of the node i which becomes the consensus node is accepted by other alliance chain nodes, and the alliance chain node i becomes the consensus node; if result i′ ≠result i The alliance link node i cannot become a consensus node;
s142: selecting a main node and a slave node;
after the selection of the consensus node is completed, the master node C in the previous period LN Selecting a new main node and a new slave node in the next period according to the main node reputation value and the slave node reputation value; the specific selection rule is as follows: c LN Sorting the reputation values of the master nodes and the slave nodes, selecting the consensus node with the highest reputation value as a new master node, and selecting N consensus nodes with the highest reputation values before the reputation value sorting as new slave nodes, wherein (2*N) is more than or equal to Z; and if two consensus nodes with the highest reputation value exist, selecting the consensus node with a small label as the main node in the alliance chain.
4. The identity authentication method of the edge computing terminal device based on the reputation value mechanism according to claim 2, wherein step S2 specifically comprises the steps of:
s21: the terminal device sends the private key S TE Public key P TE Node ID TE Taking the timestamp t of the identity registration information as the identity registration information ms, ms = (S) of the terminal equipment TE ,P TE ,NodeID TE ,t);
S22: terminal equipment utilizes public key P of edge gateway LN For ms = (S) TE ,P TE ,NodeID TE T) carrying out elliptic curve encryption algorithm to obtain registration request message
Figure FDA0003793265020000033
Wherein E () represents an elliptic curve cryptography algorithm; then the registration request message req and the time stamp T of the registration request message req are stored r And sending the data to the edge gateway.
5. The identity authentication method of the edge computing terminal device based on the reputation value mechanism according to claim 2, wherein step S3 specifically comprises the steps of:
s31: and (3) verifying the timestamp: after the edge gateway receives the registration request message of the terminal equipment, the edge gateway verifies the timestamp T of the registration request message r If the register request message is overtime, the message is discarded, and if the register request message is not overtime, the subsequent steps are executed;
s32: generating a registration transaction, specifically comprising:
(1) After the edge gateway verifies the registration request message, the edge gateway decrypts the registration request message req by using the private key to obtain the identity registration information ms = (S) of the terminal device TE ,P TE ,NodeID TE ,t);
(2) Edge gateway pair S TE ,P TE ,NodeID TE T Hash calculation, resulting in Hash value h = Hash (S) TE ||P TE ||NodeID TE ||t);
(3) Edge gateway using private key S EG Carrying out elliptic curve digital signature on h to obtain an elliptic curve digital signature
Figure FDA0003793265020000034
Wherein ES () represents an elliptic curve digital signature algorithm, S EG The private key generated by the edge gateway in the initialization stage is represented;
(4) The edge gateway will
Figure FDA0003793265020000041
As a registration transaction
Figure FDA0003793265020000042
And trans will EG Feeding back to the main node;
s33: verifying the registration transaction: master node receiving registration transaction trans EG Then, trans is verified EG Whether the method is reliable or not is used for preventing a malicious attacker from pretending to be the edge gateway to launch the attack; the method specifically comprises the following steps:
(1) Master node pair S TE ,P TE ,NodeID TE T performs a hash calculation to obtain a hash h 1 =Hash(S TE ||P TE ||NodeID TE | t) value;
(2) The master node utilizes the public key P of the edge gateway EG For is to
Figure FDA0003793265020000043
Performing signature verification and verifying the signature
Figure FDA0003793265020000044
Carrying out Hash calculation to obtain a Hash value
Figure FDA0003793265020000045
If h is 2 =h 1 If yes, the verification is passed, and the trans is verified EG The sender of (2) is an edge gateway, so as to prevent a malicious node from impersonating the edge gateway; wherein P is EG Representing a public key generated by the edge gateway in an initialization stage;
(3) After the verification is passed, the master node transmits the trans EG S in (1) TE ,NodeID TE And t is put into a transaction pool, and the master node and the slave node enter a transaction information verification stage.
6. The identity authentication method of the edge computing terminal device based on the reputation value mechanism according to claim 2, wherein step S4 specifically comprises the steps of:
s41: the main node generates and broadcasts transaction information, and specifically comprises the following steps:
(1) The main node obtains the node ID of the terminal device from the transaction pool TE T), to terminal equipment (NodeID) TE T) performing a hash calculation to obtain a hash value h 3 =Hash(NodeID TE ||t);
(2) The main node obtains a private key S from the transaction pool TE Master node using S TE To h 3 Is encrypted to obtain
Figure FDA0003793265020000046
Wherein E' () represents an encryption algorithm based on asymmetric encryption;
(3) Master node reusing public key P of slave node RN Pair (NodeID) TE T) and
Figure FDA0003793265020000047
carrying out elliptic curve encryption to obtain
Figure FDA0003793265020000048
Record as
Figure FDA0003793265020000049
(4) The master node will
Figure FDA00037932650200000410
And T _ tx is broadcast as transaction information to the slave nodes
Figure FDA00037932650200000411
Wherein T _ tx represents the time stamp of the transaction information of the current round;
s42: verifying transaction information authenticity from the node: block trans of slave node receiving main node broadcast LN Then, trans by the slave node pair LN Performing verification, specifically comprising:
(1) The slave node uses its own private key S RN For in transaction information
Figure FDA00037932650200000412
Decoding the elliptic curve to obtain NodeID TE ,t,
Figure FDA00037932650200000413
(2) Using public key P of terminal device by slave node TE To pair
Figure FDA00037932650200000414
Decrypting, if the decryption can be successfully performed, indicating that the identity registration information is of the terminal equipment;
(3) Slave node pair NodeID TE T performs a hash calculation to obtain a hash value h 4 =Hash(NodeID TE ||t),If h 4 =h 3 Then verify (NodeID) TE T) has not been tampered with;
s43: the slave node verifies the timeliness of the transaction information;
after the slave node confirms that the sender of the transaction information is the master node and the transaction information is reliable, the slave node verifies the timeliness of the transaction information and verifies trans LN Whether the transaction timestamp T _ tx in (1) is expired to verify the timeliness of the transaction; the time of the verification timestamp T _ tx is T tx Assuming that the validity period time length is T t If T is tx -T_tx≤T t Determining that the transaction information is time-efficient;
s44: identity authentication judgment;
if the number of the slave nodes larger than N/2 is larger than that of the slave nodes, the authenticity of the transaction information and the timeliness of the transaction information are verified, the slave nodes judge that the identity authentication of the terminal equipment is passed, and the Pass is marked as Pass TE (ii) a Otherwise, the terminal equipment fails to identify and is marked as False TE
After the terminal equipment identity authentication is successful, the main node packs the identity registration information ms of the terminal equipment into a Block A Recording the information into an account book of the alliance chain, and realizing the identity registration information chaining of the terminal equipment; and the master node sends the authentication result to the edge gateway and the terminal device.
7. The identity authentication method of the edge computing terminal device based on the reputation value mechanism according to claim 6, wherein step S5 specifically comprises: after the terminal equipment identity verification is successful, the main node performs BlOck A Broadcast, the slave node receiving Block A Then, the identity registration information chaining of the terminal equipment is realized according to an improved consensus algorithm; if the number of slave node pairs is more than N/2, the Block Block is divided into blocks A If the agreement is reached, the master node will Block Block A Recording the information into an account book of the alliance chain, namely an identity registration information uplink; the terminal equipment identity authentication is not passed, and the identity registration information cannot be uplink.
8. The method according to claim 7, wherein in step S5, the uplink of the identity registration information includes request, pre-preparation, feedback, confirmation, and reply phases, and specifically includes the following steps:
(1) A request phase: terminal equipment sends request message req to main node m =<request,q,t req ,c>Wherein q is the request content and q contains Block A ,t req The timestamp is, c is a terminal equipment identifier, and the request comprises message content m and a message abstract d;
(2) The main node enters a pre-preparation stage after receiving a request message of the terminal equipment;
the master node will prepare the message in advance<pre pr ,req m ,d,n s ,v>Hash value h of the pre-prepared message 5 =Hash(pre pr ||req m ||d||n s | v) and digital signatures of pre-prepared messages
Figure FDA0003793265020000051
Broadcasting to the slave nodes; wherein pre pr For prepping a marker of the message, d is req m Summary of (1), n s For preparing message sequence numbers, h is less than or equal to n s H is less than or equal to H, H and H represent serial number n s V is a view number;
(3) The slave node enters a preparation stage after receiving a pre-preparation message of the master node;
receiving a pre-preparation message and a hash value h from a node 5 And digital signature
Figure FDA0003793265020000052
Thereafter, the following checks need to be performed:
a) The method comprises the following steps The slave node verifies whether the digital signature of the master node on the pre-prepared message is correct;
slave node using public key pair of master node
Figure FDA0003793265020000061
Carrying out signature verification and carrying out Hash calculation on the signature verification result to obtain a Hash value h 6 If h is 5 =h 6 If the verification is successful;
b) The method comprises the following steps The slave node checks whether a sequence number n in view v is received s I.e. the slave node checks if there is a request message req of the terminal device m '; and checking if there is a request message req m Message digest d'; if (req) m ′≠req m ) And (d' ≠ d) exists, the pre-prepare message is invalid;
c) The method comprises the following steps Slave node checking pre-prepared message sequence number n s If not within the correct range (H, H), the pre-preparation message is invalid;
if the conditions a), b) and c) are verified to be valid, the pre-prepared message is indicated to be valid and is recorded as Succ ppre (ii) a Whereby the slave node sends a prepare message m to the master node pre =<prep,j,d′,n s ′,v′>Where prep is the marker of the prepare message, j denotes the number of the current slave node, d', n s ', v' and d, n in the PrePrePrep message s V is the same; and the slave node will prepare the hash value h of the message 7 =Hash(m pre ) And digital signature
Figure FDA0003793265020000062
Sending the data to a main node;
(4) The master node enters a feedback stage after receiving the preparation message of the slave node; the master node and each slave node need to align the prepared message m pre Hash value h 7 Preparing a signature of the message
Figure FDA0003793265020000063
The following validation was performed:
a) The method comprises the following steps Host node verifying signature of prepare message
Figure FDA0003793265020000064
Whether it is correct; the master node uses the public key pair of the slave node
Figure FDA0003793265020000065
Performing signature verification and verifying the signature
Figure FDA0003793265020000066
Hash calculation to obtain a hash value h 8 If h is 8 =h 7 If the verification is successful;
b) The method comprises the following steps Verifying the Pre-prepare message number n in the prepare message from the node s ' whether the reference numbers are under the same view number v, if the pre-prepared message n in the prepared message s ′≠n s If the message is valid, the pre-prepared message is invalid;
c) The method comprises the following steps The slave node checks the preparation message sequence number n s A range of' if not within the correct range (H, H), the prepare message is invalid;
d) The method comprises the following steps The slave node verifies whether the message digest d' in the preparation message is consistent with d in the pre-preparation message, and if not, the preparation message is invalid;
if the conditions of a), b), c) and d) are verified to be valid, the preparation message is valid and is recorded as Succ pre Sending Succ from the node pre Giving the master node;
if the master node receives more than N/2 Succ pre N/2 pieces of preparation message and Succ pre Packaging, marking the package as D, and sending a feedback message m to the slave node feback =<feback,j′,D,n s ″,v″>(ii) a Wherein j', n s ", v" and i, n of the prepare message s ', v' are the same, feedback is the marker of the feedback message;
(5) The slave node receives the feedback message m of the master node feback Then entering a confirmation stage;
a) The method comprises the following steps Firstly, the slave node verifies the received feedback message, and verifies j' n s ", v" and j, n of the prepare message s If ' and v ' are the same, if j ' = j, n s ″=n s ', v "= v', then the feedback message verification is successful;
b) The method comprises the following steps Slave node RN j Checking whether the feedback messages of the rest slave nodes are successfully verified;
if the slave node RN j More than N/2 of the remaining slaves receivedMessage of node verification success indicating RN from node j Agreeing to the request message, sending an acknowledgement message m commit =<commit,j′,D,n s ″,v″>To the master node, where commit is the acknowledgement marker, RN j J is more than or equal to 1 and less than or equal to N;
(6) The master node receives the confirmation message m of the slave node commit Then entering a reply stage;
if the master node receives the confirmation messages of more than N/2 slave nodes, the confirmation messages indicate that the slave nodes are used for blocking the terminal equipment A A consensus is reached; block of terminal equipment A After the consensus is achieved, the main node as the consensus node uses Block A Recording the data into an account book; and the master node will reply message m reply =<reply,j′,t req ,c,v″,r>Sending to the terminal device, where r is the operation result of the request, t req Is a timestamp, and c is a terminal equipment identifier; the terminal equipment finds that the request operation is successful, and the terminal equipment identity registration information is successfully uplink-linked.
9. The identity authentication method of the edge computing terminal device based on the reputation value mechanism according to claim 1, wherein in step S6, the reputation value calculation formula of the master node is:
rew LN =(A 1 ×ω 1 -A 2 ×ω 2 )×(1-r LN )+r LN (2)
wherein rew LN Indicating the updated reputation value, r, of the master node after the end of a period LN Representing the reputation value of the master node in a period, A 1 Representing the number of times the master node uplinks identity registration information, A 2 Indicating the number of times the master node will leave the identity registration information unlinked.
10. The identity authentication method of the edge computing terminal device based on the reputation value mechanism according to claim 1, wherein in step S6, the reputation value calculation formula of the slave node is:
Figure FDA0003793265020000071
wherein the content of the first and second substances,
Figure FDA0003793265020000072
represents that a slave node RN after one period is finished j The updated reputation value of (a) is,
Figure FDA0003793265020000073
indicating a slave node RN within one cycle j Reputation value, A 5 Representing the number of actions normally agreed from the node, A 3 Representing the behavior times of the common identification failure in the uplink stage of the node identity registration information; a. The 4 Indicating the number of times the behavior of the consensus-reached message is repeatedly sent from the node.
CN202210962297.4A 2022-08-11 2022-08-11 Identity authentication method of edge computing terminal equipment based on credit value mechanism Pending CN115378604A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210962297.4A CN115378604A (en) 2022-08-11 2022-08-11 Identity authentication method of edge computing terminal equipment based on credit value mechanism

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210962297.4A CN115378604A (en) 2022-08-11 2022-08-11 Identity authentication method of edge computing terminal equipment based on credit value mechanism

Publications (1)

Publication Number Publication Date
CN115378604A true CN115378604A (en) 2022-11-22

Family

ID=84065974

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210962297.4A Pending CN115378604A (en) 2022-08-11 2022-08-11 Identity authentication method of edge computing terminal equipment based on credit value mechanism

Country Status (1)

Country Link
CN (1) CN115378604A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115633035A (en) * 2022-12-07 2023-01-20 长春大学 Improved PBFT (physical layer transmission) based block chain consensus algorithm for Internet of things
CN115643575A (en) * 2022-12-26 2023-01-24 电子科技大学 Radio frequency fingerprint cross-layer security access authentication method based on block chain under edge calculation
CN116489641A (en) * 2023-05-05 2023-07-25 烟台欣飞智能系统有限公司 5G mobile device communication management and control system based on block chain
CN116527372A (en) * 2023-05-16 2023-08-01 深圳建安润星安全技术有限公司 Internet-based data security interaction system and method
CN116668987A (en) * 2023-06-07 2023-08-29 湖北工业大学 Side chain-based internet of vehicles data sharing method and system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115633035A (en) * 2022-12-07 2023-01-20 长春大学 Improved PBFT (physical layer transmission) based block chain consensus algorithm for Internet of things
CN115643575A (en) * 2022-12-26 2023-01-24 电子科技大学 Radio frequency fingerprint cross-layer security access authentication method based on block chain under edge calculation
CN115643575B (en) * 2022-12-26 2023-03-10 电子科技大学 Radio frequency fingerprint cross-layer security access authentication method based on block chain under edge calculation
CN116489641A (en) * 2023-05-05 2023-07-25 烟台欣飞智能系统有限公司 5G mobile device communication management and control system based on block chain
CN116527372A (en) * 2023-05-16 2023-08-01 深圳建安润星安全技术有限公司 Internet-based data security interaction system and method
CN116527372B (en) * 2023-05-16 2023-12-15 深圳建安润星安全技术有限公司 Internet-based data security interaction system and method
CN116668987A (en) * 2023-06-07 2023-08-29 湖北工业大学 Side chain-based internet of vehicles data sharing method and system
CN116668987B (en) * 2023-06-07 2024-02-02 湖北工业大学 Side chain-based internet of vehicles data sharing method and system

Similar Documents

Publication Publication Date Title
CN112055025B (en) Privacy data protection method based on block chain
CN113194469B (en) 5G unmanned aerial vehicle cross-domain identity authentication method, system and terminal based on block chain
CN106972931B (en) Method for transparentizing certificate in PKI
CN109981582B (en) Internet of things equipment identity authentication method based on block chain
US20210367753A1 (en) Trusted measurement and control network authentication method based on double cryptographic values and chaotic encryption
CN115378604A (en) Identity authentication method of edge computing terminal equipment based on credit value mechanism
KR101260188B1 (en) Secure node identifier assignment in a distributed hash table for peer-to-peer networks
CN112583596B (en) Complete cross-domain identity authentication method based on block chain technology
CN113055363B (en) Identification analysis system implementation method based on blockchain trust mechanism
CN113779605A (en) Industrial internet Handle identification system analysis authentication method based on alliance chain
CN101902476A (en) Method for authenticating identity of mobile peer-to-peer user
Saha et al. Consortium blockchain‐enabled access control mechanism in edge computing based generic Internet of Things environment
CN113746858B (en) Cross-chain communication method based on verifiable random function
CN113259135B (en) Lightweight blockchain communication authentication device and method for detecting data tamper
Badshah et al. LAKE-BSG: Lightweight authenticated key exchange scheme for blockchain-enabled smart grids
US20230006836A1 (en) Multi-party and multi-use quantum resistant signatures and key establishment
CN113301022A (en) Internet of things equipment identity security authentication method based on block chain and fog calculation
CN114125773A (en) Vehicle networking identity management system and management method based on block chain and identification password
CN112351019A (en) Identity authentication system and method
Longo et al. On the security of the blockchain BIX protocol and certificates
CN112039837B (en) Electronic evidence preservation method based on block chain and secret sharing
Dwivedi et al. Design of blockchain and ecc-based robust and efficient batch authentication protocol for vehicular ad-hoc networks
Liou et al. T-auth: A novel authentication mechanism for the IoT based on smart contracts and PUFs
Chiu et al. NoPKI-a point-to-point trusted third party service based on blockchain consensus algorithm
CN110945833A (en) Method and system for multi-mode identification network privacy protection and identity management

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination