CN116318678A - Multi-factor internet of things terminal dynamic group access authentication method - Google Patents

Info

Publication number
CN116318678A
Authority
CN
China
Prior art keywords
new
group
internet
things
vid
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310311718.1A
Other languages
Chinese (zh)
Inventor
罗文俊
敖晋
陈自刚
程智全
朱海华
陈龙
代仁杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University of Post and Telecommunications
Original Assignee
Chongqing University of Post and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University of Post and Telecommunications
Priority to CN202310311718.1A
Publication of CN116318678A
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution involving a central third party, involving a conference or group key
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/32 Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Verification of identity or authority involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT]
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in wireless communication networks

Abstract

The invention relates to a multi-factor Internet of things terminal dynamic group access authentication method, belonging to the field of the Internet of things, which comprises the following steps: S1: the SDN controller establishes a secure connection with the Internet of things gateway, performs system initialization, generates a secure private key and selects a secure one-way hash function; S2: the Internet of things terminals are divided into groups and registered together over a secure channel; S3: each Internet of things terminal decrypts the secret parameters in its smart card with its PUF, which verifies that the terminal is safe and reliable; S4: the Internet of things terminals perform identity authentication and session key negotiation; S5: when a new member is to be added to a terminal group, the group key is updated to ensure forward security; S6: when a member of a group is found to have behaved maliciously, the member is evicted from the group and the group key SK_G is updated to ensure backward security; S7: the group identity and the PUF challenge-response pairs are updated periodically.

Description

Multi-factor internet of things terminal dynamic group access authentication method
Technical Field
The invention belongs to the field of Internet of things, and relates to a dynamic group access authentication method for a multi-factor Internet of things terminal.
Background
With the large-scale deployment of Internet of things services, the number of Internet of things terminals is growing explosively. However, large numbers of low-cost, low-power, narrow-bandwidth Internet of things terminals are often deployed in unattended environments or in environments with complex radio conditions, and each has little data to send or receive. If every terminal accesses the communication network through a separate end-to-end authentication, a great deal of unnecessary signaling and computation overhead results: authentication efficiency is low and the lifetime of battery-powered terminals is shortened. How to achieve access authentication and key distribution and management for tens of thousands of Internet of things terminals has therefore become a challenging research problem. Grouping many Internet of things terminals is an effective means of management: in group authentication, the serving network faces a massive concurrent access scenario but only needs to authenticate individual nodes in the group, while the other group members complete authentication locally in a batch. On the premise of ensuring security, this reduces the various system overheads and improves authentication efficiency.
Lai C. et al., in "Lai C., Lu R., Zheng D., et al. GLARM: Group-based lightweight authentication scheme for resource-constrained machine to machine communications [J]. Computer Networks, 2016, 99: 66-81", propose a lightweight group authentication scheme for resource-constrained machine-to-machine (M2M) communications under the 3GPP network architecture. The scheme uses a symmetric cryptosystem and an aggregate message authentication code (MAC) to authenticate a group of terminals simultaneously. However, the protocol does not provide forward/backward security: once the current key is compromised, historical and future keys must be presumed insecure, which may expose a large amount of encrypted data.
Li J. et al., in "Li J., Wen M., Zhang T. Group-based authentication and key agreement with dynamic policy updating for MTC in LTE-A networks [J]. IEEE Internet of Things Journal, 2015, 3(3): 408-417", propose a group-based AKA protocol with dynamic policy updating. The protocol combines asynchronous secret sharing with Diffie-Hellman key exchange to achieve distributed authentication and session key negotiation in LTE-A networks and dynamic updating of the access rights of MTC devices. However, the protocol relies on point multiplication, and every terminal device must communicate with the serving network to complete key negotiation, so the computation and signaling overhead of the terminal is high.
Cao J. et al., in "Cao J., Yan Z., Ma R., et al. LSAA: A lightweight and secure access authentication scheme for both UE and mMTC devices in 5G networks [J]. IEEE Internet of Things Journal, 2020, 7(6): 5329-5344", propose a lightweight secure access authentication scheme for UE and mMTC devices in 5G networks. The scheme uses Chebyshev chaotic maps to provide mutual authentication, session key establishment, identity privacy protection and forward/backward secrecy for ordinary user equipment (UE) and massive machine-type communication (mMTC) devices. However, the scheme does not verify the reliability and security of the Internet of things terminal itself and lacks a dynamic refresh mechanism, so a malicious node can gain access to the system.
In summary, the protocol of Lai C. et al. does not achieve forward/backward security, so that once the current key leaks, historical and future keys can be inferred and a large amount of encrypted data may be exposed; the protocol of Li J. et al. is computationally complex and requires every terminal device to communicate with the serving network for key negotiation, so terminal computation and signaling overhead is high; and the protocol of Cao J. et al. does not verify the reliability and security of the Internet of things terminal and lacks a dynamic refresh mechanism, so a malicious node can gain access to the system.
Disclosure of Invention
Therefore, the invention aims to provide a multi-factor Internet of things terminal dynamic group access authentication method that achieves multiple security functions, reduces the signaling, computation and storage overhead of Internet of things terminals during authentication, and achieves batch authentication and session key negotiation for Internet of things terminals.
To achieve the above purpose, the present invention provides the following technical solution:
A multi-factor Internet of things terminal dynamic group access authentication method comprises the following steps:
S1: system initialization stage: the SDN controller establishes a secure connection with the Internet of things gateway, performs system initialization, generates a secure private key and selects a secure one-way hash function;
S2: Internet of things terminal registration stage: the Internet of things terminals are divided into groups and registered together over a secure channel;
S3: login stage: the Internet of things terminal decrypts the secret parameters in its smart card with its PUF, which verifies that the terminal is safe and reliable;
S4: identity authentication and session key negotiation stage: in a group to be authenticated, the group leader first sends an access authentication request to the SDN controller; the SDN controller verifies the identity of the group leader from the information recorded at registration and the parameters in the authentication request, generates a random number, computes an encryption key for each member of the group, and sends the encryption keys to the Internet of things gateway; the Internet of things gateway computes a session key for each terminal member, protects the random number with the encryption key, and broadcasts an authentication message to the group members; each group member computes the encryption key, the session key and the group key locally from the parameters obtained at login and the authentication message, verifies the authentication message, updates its pseudo identity, computes an authentication success message and sends it to the group leader; the group leader aggregates the verification success messages of all members and sends the result to the Internet of things gateway; after the aggregated message is verified successfully by the Internet of things gateway, an authentication success message is sent to the SDN controller, and the SDN controller then computes the session keys and the group key in synchrony;
S5: dynamic terminal joining stage: when a new member is to be added to a terminal group, the group key is updated to ensure forward security;
S6: dynamic terminal removal stage: when a member of a group is found to have behaved maliciously, the member is evicted from the group and the group key SK_G is updated to ensure backward security;
S7: periodic update of the group identity and PUF challenge-response stage: after a certain period of time, the group identity and the PUF challenge-response pairs are updated in order to prevent tracking attacks; each Internet of things terminal reselects a private key and a PUF input challenge, computes the corresponding registration parameters and sends them to the SDN controller; the SDN controller recomputes the group identity and selects a new random number from the new parameters, and sends them to each Internet of things terminal under the original session keys; each terminal then computes an updated session key and group key in synchrony with the SDN controller.
Further, step S1 specifically includes: the SDN controller establishes a secure connection with the Internet of things gateway, then generates a secure private key δ_sc and selects a secure one-way hash function H: {0,1}* → {0,1}^n, where n is the bit width of the hash function's message digest output.
Further, in step S2, all k terminal members in the group are assumed to be provided with a physical unclonable function (PUF) and to initialize a challenge-response pair CRP (C_i, R_i). Registration of an Internet of things terminal specifically includes the following steps:
S21: the Internet of things terminal computes the registration parameter GPW_i from its identity ID_i and the PUF output, and sends the registration message <ID_i, GPW_i> to the SDN controller:
R_i = PUF(C_i)
GPW_i = H(ID_i || R_i)
where R_i is the output response of the physical unclonable function PUF, C_i is its input challenge, GPW_i is the registration parameter and H is the hash function;
S22: the SDN controller computes a pseudo identity VID_i for the Internet of things terminal, selects a large prime p_i and a primitive root g for the exponentiation, and sends the registration message <VID_i, p_i, g> to the Internet of things terminal; VID_i is computed as
VID_i = H(ID_i || δ_sc)
where δ_sc is the secure private key of the SDN controller;
S23: the Internet of things terminal selects a private key x_i, computes the registration value y_i ≡ g^{x_i} mod p_i, and sends the registration message <y_i> to the SDN controller;
S24: the SDN controller constructs a system of congruences from the registration values to compute the group identity GID, encrypts the group identity with the registration parameter to obtain W_i, and sends the registration message <W_i> to the Internet of things terminal; GID is the solution of the system of congruences:
[equation image: system of congruences over the registration values y_i with moduli p_i, solved for GID by the Chinese remainder theorem]
S25: the Internet of things terminal computes B_1 and B_2, which protect the private key and allow integrity verification of the parameters, and stores <B_1, B_2, VID_i, W_i> on the smart card SMC_i, where W_i is the parameter that protects GID:
W_i = GID ⊕ GPW_i
B_1 and B_2 protect the private key of the Internet of things terminal and allow integrity verification; they are computed as
B_1 = x_i ⊕ H(VID_i || GPW_i)
B_2 = H(VID_i || ID_i || x_i || R_i || W_i || GID).
further, the step S3 specifically includes: internet of things terminal reads identity ID i And PUF input stimulus C i And parameters < B in a smart card 1 ,B 2 ,VID i ,W i >Calculate GPW i Decryption B 1 The protected private key and integrity verification of the parameters.
Further, step S4 specifically includes:
S41: the group leader generates a timestamp T_1, computes the authentication request verification parameter AUTH_GL = H(GID || VID_GL || ID_GL || T_1), and sends the authentication request message <VID_GL, AUTH_GL, T_1> to the Internet of things gateway;
S42: the Internet of things gateway forwards the authentication request message to the SDN controller;
S43: after checking the freshness of the message, the SDN controller verifies AUTH_GL, computes an encryption key K_i = H(VID_i || GID || GPW_i) for each terminal member, selects a random number r, and sends the message <{VID_i, K_i}, r, GID> to the Internet of things gateway;
S44: the Internet of things gateway computes D_i to protect the random number r, the session key SK_i and the integrity verification parameter AUTH_{i-ITG}, and sends the message <VID_i, D_i, AUTH_{i-ITG}> to the group leader; the formulas are
D_i = r ⊕ H(VID_i || K_i)
SK_i = H(VID_i || GID || r || K_i)
AUTH_{i-ITG} = H(VID_i || GID || r || SK_i || K_i || D_i)
S45: the group leader broadcasts the message within the group; each terminal member computes the encryption key K_i, decrypts D_i to obtain the random number r, computes the session key SK_i and the group key SK_G, recomputes AUTH_{i-ITG} for integrity verification, updates its pseudo identity to VID_i^new, computes the authentication success parameter AUTH_{i-N}, and sends the message <VID_i, AUTH_{i-N}> to the group leader; the formulas are
SK_G = H(r || GID)
VID_i^new = H(r || VID_i || ID_i)
AUTH_{i-N} = H(VID_i || GID || D_i || r || SK_i || SK_G || K_i)
S46: the group leader aggregates the messages of all members into the aggregated authentication parameter AUTH_t and sends the message <VID_GL, AUTH_t> to the Internet of things gateway, where
AUTH_t = AUTH_{1-N} ⊕ AUTH_{2-N} ⊕ ... ⊕ AUTH_{k-N}
S47: the Internet of things gateway computes SK_G, verifies AUTH_t and sends an authentication success message to the SDN controller, which computes <SK_i, SK_G, VID_i^new> in synchrony.
Further, step S5 specifically includes the following steps:
S51: the new member N_{k+1} generates a timestamp T_2, computes the authentication request verification parameter AUTH_{k+1}, and sends the message <VID_{k+1}, AUTH_{k+1}, T_2> to the group leader of the group; the formula is
AUTH_{k+1} = H(GID' || VID_{k+1} || ID_{k+1} || GPW_{k+1} || T_2)
S52: the group leader adds the group identity to the message and sends the message <VID_GL, VID_{k+1}, AUTH_{k+1}, T_2> to the SDN controller;
S53: the SDN controller checks the freshness of the message, recomputes and verifies AUTH_{k+1}, rebuilds the system of congruences to compute the new group identity GID_new, selects a new random number r_new, computes the encryption keys K'_{k+1} and K_{k+1}, and sends the message <{VID_{k+1}, K'_{k+1}, K_{k+1}}, r_new, GID_new> to the Internet of things gateway; the formulas are
[equation image: system of congruences rebuilt with the new member's y_{k+1} and modulus p_{k+1}, solved for GID_new]
K'_{k+1} = H(VID_{k+1} || GID' || GPW_{k+1})
K_{k+1} = H(VID_{k+1} || GID_new || GPW_{k+1})
S54: the Internet of things gateway computes D'_{k+1} and D_{k+1} to encrypt the new group identity and the new random number, computes the session key SK_{k+1} and the integrity verification parameter AUTH_{(k+1)-ITG}, sends the message <VID_{k+1}, D'_{k+1}, D_{k+1}, AUTH_{(k+1)-ITG}> to the new member, and broadcasts <r_new, GID_new> to the original group members under the original group key; the formulas are
[equation images: D'_{k+1} protects GID_new and D_{k+1} protects r_new; the formulas are not reproduced in the page text]
SK_{k+1} = H(VID_{k+1} || GID_new || r_new || K_{k+1})
AUTH_{(k+1)-ITG} = H(VID_{k+1} || GID_new || r_new || SK_{k+1} || K'_{k+1} || K_{k+1} || D'_{k+1} || D_{k+1})
S55: the new member computes the encryption keys K'_{k+1} and K_{k+1}, decrypts D'_{k+1} and D_{k+1} to obtain the new group identity and random number, computes the session key SK_{k+1} and the group key SK_G^new, recomputes and verifies AUTH_{(k+1)-ITG}, updates its pseudo identity to VID_{k+1}^new, computes the authentication success parameter AUTH_{(k+1)-N}, and sends the message <VID_{k+1}, AUTH_{(k+1)-N}> to the Internet of things gateway; at the same time, the other members, having received <r_new, GID_new>, update <SK_i, SK_G, W_i>; the formulas are
VID_{k+1}^new = H(r_new || VID_{k+1} || ID_{k+1})
AUTH_{(k+1)-N} = H(VID_{k+1} || GID_new || D'_{k+1} || D_{k+1} || r_new || SK_{k+1} || SK_G^new || K'_{k+1} || K_{k+1})
S56: the Internet of things gateway computes SK_G^new, recomputes and verifies AUTH_{(k+1)-N}, and sends an authentication success message to the SDN controller; the SDN controller updates <SK_i, SK_G> in synchrony.
Further, step S6 specifically includes the following steps:
S61: the SDN controller first retrieves the malicious member N_k and revokes its legal identity, changes its y_k to another value y'_k, and rebuilds the system of congruences to compute GID_new:
[equation image: system of congruences with y'_k substituted for y_k, solved for GID_new]
the SDN controller generates a new random number r_new and sends the message <r_new, GID_new>, encrypted under each SK_i, to the group members other than the malicious member N_k;
S62: the other members update <SK_i, SK_G, W_i>, the SDN controller recomputes <SK_i, SK_G>, and the result is synchronized with the ITG over the encrypted connection.
Further, step S7 includes: the Internet of things terminal generates a new PUF input challenge C_i^new, computes R_i^new and GPW_i^new, selects a new private key x_i^new, computes y_i^new, and sends the message <GPW_i^new, y_i^new> to the SDN controller; the SDN controller rebuilds the system of congruences to obtain GID_new, generates a new random number r_new and broadcasts the message <r_new, GID_new> to all group members; the group members, the SDN controller and the Internet of things gateway then update the parameters <SK_i, SK_G, W_i, B_1, B_2>.
The beneficial effects of the invention are as follows:
First, the method not only provides security functions such as mutual authentication, identity anonymity and resistance to replay attacks, but also updates the pseudo identity and the random number after every negotiation, updates the encryption key, and updates the group identity periodically. This ensures that every session key and group key is random and independent: even if an attacker obtains the current group key or a member's session key by some means, the previous or subsequent group keys or session keys cannot be computed from it, which provides forward/backward security.
Second, the whole method uses only lightweight operations such as hashing and exclusive-or, and the SDN controller only needs to authenticate the group leader of an Internet of things terminal group; the other terminals complete authentication and session key negotiation through local computation using broadcast and aggregated messages, which greatly reduces the computation and signaling cost of resource-constrained terminals.
Third, the reliability and security of the Internet of things terminal are verified by combining the properties of the PUF with the smart card, and a mechanism for adding and removing terminals is designed: when a node joins or leaves an Internet of things terminal group, the SDN controller rebuilds the system of congruences with the Chinese remainder theorem to generate a new group identity, and the keys are updated at minimal cost without re-authenticating every member of the group.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objects and other advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out in the specification.
Drawings
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings, in which:
FIG. 1 is a diagram of a network architecture according to an embodiment of the present invention;
FIG. 2 is a detailed protocol registration process diagram according to an embodiment of the present invention;
fig. 3 is a detailed protocol authentication process diagram according to an embodiment of the present invention.
Detailed Description
Other advantages and effects of the present invention will become apparent to those skilled in the art from the following disclosure, which describes the embodiments of the present invention with reference to specific examples. The invention may be practiced or carried out in other embodiments that depart from the specific details, and the details of the present description may be modified or varied in different respects without departing from the spirit and scope of the present invention. It should be noted that the illustrations provided in the following embodiments merely illustrate the basic idea of the present invention, and the following embodiments and the features in them may be combined with each other where they do not conflict.
The drawings are for illustrative purposes only, are schematic rather than physical, and are not intended to limit the invention; to better illustrate the embodiments of the invention, certain elements of the drawings may be omitted, enlarged or reduced and do not represent the size of the actual product; those skilled in the art will appreciate that certain well-known structures in the drawings and their descriptions may be omitted.
The same or similar reference numbers in the drawings of the embodiments of the invention correspond to the same or similar components. In the description of the present invention, terms such as "upper", "lower", "left", "right", "front" and "rear" that indicate an orientation or positional relationship are based on the orientation or positional relationship shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the referred device or element must have a specific orientation or be constructed and operated in a specific orientation; such terms are merely exemplary and should not be construed as limiting the present invention, and their specific meaning may be understood by those of ordinary skill in the art according to the specific circumstances.
Referring to fig. 1 to 3, with the rapid development of the internet of things, the existing protocol for handling access authentication of a large number of terminals of the internet of things has many problems of insufficient security function, high system overhead, lack of refresh mechanism and the like. Aiming at the current state of the art, the invention provides a multi-factor internet of things terminal dynamic group access authentication method, which realizes batch lightweight authentication of the internet of things terminal on the premise of ensuring safety.
In order to implement the access authentication protocol in the present invention, a network architecture of internet of things terminal group authentication is designed, and refer to fig. 1. A plurality of internet of things terminals form a plurality of authentication groups, and each group has a group leader; the gateway of the Internet of things is responsible for the transmission of the message, the parameter calculation of part and the verification of the authentication message; the SDN controller bears responsibilities such as terminal registration, session key calculation and the like of the Internet of things.
The invention relates to a multi-factor internet of things terminal dynamic group access authentication method, which comprises the following 7 stages:
(1) System initialization phase: the Internet of Things Gateway (ITG) establishes a secure connection with the SDN Controller (SC), so that the data exchanged between them is secure and trusted. The SC first initializes the system by generating a secure private key δ_sc and selecting a secure one-way hash function H(): {0,1}* → {0,1}^n, where n is the bit width of the hash function's message digest output.
(2) Internet of things terminal registration phase: the internet of things terminals register together according to their group division. Assume one internet of things terminal group with k terminal members {N_1, N_2, ..., N_k}; each member is equipped with a PUF by default and initializes a challenge-response pair CRP (C_i, R_i), and the registration process takes place over a secure channel. The internet of things terminal registration process comprises the following steps:
(2a) Referring to FIG. 2, each N_i selects an identity ID_i for itself and computes R_i = PUF(C_i), GPW_i = H(ID_i || R_i). N_i then sends <ID_i, GPW_i> to the SC over the secure channel.
(2b) Referring to FIG. 2, after receiving the registration message of N_i, the SC computes a pseudo-identity VID_i = H(ID_i || δ_sc) for N_i. The SC selects a large prime p_i (i = 1, ..., k) for N_i such that p_i ≠ p_j when i ≠ j and such that p_i − 1 contains two different large primes. Next, the SC selects a primitive root g for the group for the exponentiation, which is also a generator of the group Z*_{p_i}. The SC sends <VID_i, p_i, g> to N_i over the secure channel.
(2c) Referring to FIG. 2, after receiving the reply message of the SC, N_i selects a private key x_i ∈ Z*_{p_i} for itself and computes y_i ≡ g^{x_i} mod p_i. N_i then sends <y_i> to the SC over the secure channel.
(2d) Referring to FIG. 2, after the SC has received the y_i sent by the k terminals N_i, it constructs the congruence equation system using the Chinese remainder theorem,
[congruence equation system yielding GID, shown as an image in the original]
where GID is the group identity of the group. The SC computes W_i = GID ⊕ GPW_i for N_i. The SC then generates a table recording the group information <GID, g> and the information of each member <ID_i, VID_i, y_i, p_i, GPW_i>. The SC sends <W_i> to N_i over the secure channel.
(2e) Continuing to refer to FIG. 2, after receiving W_i, N_i computes B_1 = x_i ⊕ H(VID_i || GPW_i), B_2 = H(VID_i || ID_i || x_i || R_i || W_i || GID), and then stores <B_1, B_2, VID_i, W_i> in the smart card SMC_i. The internet of things terminal group has now completed the registration process.
(3) Login phase: when an internet of things terminal group needs to access the 5G network, each member first executes the login step, decrypting and verifying the security parameters in the smart card. N_i reads its identity ID_i and the PUF input stimulus C_i from local storage, and reads the parameters <B_1, B_2, VID_i, W_i> stored during registration from the smart card. N_i computes R_i = PUF(C_i), GPW_i = H(ID_i || R_i), x_i = B_1 ⊕ H(VID_i || GPW_i), GID = W_i ⊕ GPW_i and verifies B_2 ?= H(VID_i || ID_i || x_i || R_i || W_i || GID). If the two sides are equal, all parameters are legitimate, the internet of things terminal is safe and reliable, and the next flow can be executed. Otherwise login stops, the parameters are read again and the verification is recomputed.
(4) Identity authentication and session key negotiation phase: referring to FIG. 3, the internet of things terminal identity authentication and session key negotiation process comprises the following steps:
(4a) Referring to FIG. 3, a member of the group is selected as the group leader according to computing power, signal quality and energy reserve, and the group leader (N_GL) initiates the authentication request. N_GL generates a timestamp T_1 and computes AUTH_GL = H(GID || VID_GL || ID_GL || T_1). N_GL then sends the authentication message M_1 = <VID_GL, AUTH_GL, T_1> to the ITG.
(4b) Referring to FIG. 3, when message M_1 is received, the ITG does no other processing and simply forwards the message to the SC.
(4c) Referring to FIG. 3, after receiving the message forwarded by the ITG, the SC first verifies T_1 to ensure the freshness of the message. The SC then looks up VID_GL in its table to obtain the group identity GID and the true identity ID_GL of N_GL, and verifies AUTH_GL ?= H(GID || VID_GL || ID_GL || T_1). If the two sides are not equal, the authentication flow terminates and an authentication failure message is sent. Otherwise, the SC retrieves all members of the group by GID and computes K_i = H(VID_i || GID || GPW_i). The SC generates a random number r and then sends message M_2 = <{VID_i, K_i}, r, GID> encrypted to the ITG.
(4d) Referring to FIG. 3, the ITG receives message M_2 and decrypts it to obtain <{VID_i, K_i}, r, GID>. The ITG then computes, for each member N_i, D_i = r ⊕ H(VID_i || K_i), SK_i = H(VID_i || GID || r || K_i), AUTH_{i-ITG} = H(VID_i || GID || r || SK_i || K_i || D_i). The ITG sends message M_3 = <VID_i, D_i, AUTH_{i-ITG}> to N_GL.
(4e) Referring to FIG. 3, N_GL receives message M_3 and broadcasts it within the group. Each N_i in the group receives its corresponding message <VID_i, D_i, AUTH_{i-ITG}> according to VID_i. Combined with the parameters obtained at login, N_i computes K_i = H(VID_i || GID || GPW_i), r = D_i ⊕ H(VID_i || K_i), SK_i = H(VID_i || GID || r || K_i), the group key SK_G = H(r || GID), and verifies AUTH_{i-ITG} ?= H(VID_i || GID || r || SK_i || K_i || D_i). If the two sides are equal, N_i has successfully authenticated the SC; otherwise authentication fails. N_i computes AUTH_{i-N} = H(VID_i || GID || D_i || r || SK_i || SK_G || K_i) and updates its pseudo-identity VID_i^new = H(r || VID_i || ID_i). N_i then sends message M_4 = <VID_i, AUTH_{i-N}> to N_GL.
(4f) Referring to FIG. 3, after receiving the message of every N_i, N_GL computes AUTH_t = AUTH_{1-N} ⊕ AUTH_{2-N} ⊕ ... ⊕ AUTH_{k-N}. N_GL then sends message M_5 = <VID_GL, AUTH_t> to the ITG.
(4g) Referring to FIG. 3, after receiving message M_5, the ITG computes SK_G = H(r || GID) and AUTH_{i-N}, and verifies
[verification of AUTH_t against the ITG's own AUTH_{i-N} values, shown as an image in the original]
If the two sides are not equal, authentication fails and message M_5 must be obtained again. Otherwise, access authentication and session key negotiation succeed. The ITG sends an authentication success message to the SC, and the SC computes SK_i = H(VID_i || GID || r || K_i), SK_G = H(r || GID), VID_i^new = H(r || VID_i || ID_i).
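As an added example (not the patent's own code), the phase (4) exchange 4a-4g with the SC, ITG, group leader and members as separate parties: SHA-256 stands in for H(), the registration outputs (δ_sc, GID, the PUF responses) are constructed values, encryption on the SC-ITG channel is omitted, and the 30 s freshness window is an assumed value.

```python
import functools
import hashlib
import secrets

def H(*parts):                    # the protocol's H(): fields joined with ||, SHA-256 stands in
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

DELTA_SC = secrets.token_bytes(32)         # constructed delta_sc (registration assumed done)
GID = secrets.token_bytes(32)              # constructed group identity (CRT output at registration)
FRESHNESS_WINDOW = 30                      # seconds for which a timestamp T_1 is accepted (assumed)

def make_record(name):                     # one SC table row; R_i is a constructed PUF response
    ID, R = name.encode(), secrets.token_bytes(32)
    return {"ID": ID, "GPW": H(ID, R), "VID": H(ID, DELTA_SC), "GID": GID}

class Controller:                          # SDN controller (SC)
    def __init__(self, records):
        self.table = {rec["VID"]: rec for rec in records}
        self.session, self.SK_G = {}, None  # VID_i -> (SK_i, VID_i^new) once 4g succeeds

    def step_4c(self, M1, now):
        VID_GL, AUTH_GL, T1 = M1
        if abs(now - int.from_bytes(T1, "big")) > FRESHNESS_WINDOW:
            return None                    # T_1 not fresh: replayed or delayed request
        rec = self.table.get(VID_GL)
        if rec is None or AUTH_GL != H(rec["GID"], VID_GL, rec["ID"], T1):
            return None                    # unknown pseudo-identity or wrong AUTH_GL
        gid = rec["GID"]
        Ks = {v: H(v, gid, m["GPW"]) for v, m in self.table.items() if m["GID"] == gid}
        return Ks, secrets.token_bytes(32), gid      # M_2 = <{VID_i, K_i}, r, GID>

    def on_success(self, r, gid):          # 4g: the SC derives SK_i, SK_G, VID_i^new itself
        for v, m in self.table.items():
            if m["GID"] == gid:
                K = H(v, gid, m["GPW"])
                self.session[v] = (H(v, gid, r, K), H(r, v, m["ID"]))
        self.SK_G = H(r, gid)

class Gateway:                             # internet of things gateway (ITG)
    def step_4d(self, M2):
        self.Ks, self.r, self.gid = M2     # decrypted M_2 (SC-ITG channel encryption omitted)
        M3 = []
        for v, K in self.Ks.items():
            D = xor(self.r, H(v, K))       # D_i hides r under K_i
            SK = H(v, self.gid, self.r, K)
            M3.append((v, D, H(v, self.gid, self.r, SK, K, D)))   # AUTH_{i-ITG}
        return M3

    def step_4g(self, M5):
        _VID_GL, AUTH_t = M5
        self.SK_G = H(self.r, self.gid)
        expected = bytes(32)
        for v, K in self.Ks.items():      # recompute every AUTH_{i-N} and fuse them by xor
            D = xor(self.r, H(v, K))
            SK = H(v, self.gid, self.r, K)
            expected = xor(expected, H(v, self.gid, D, self.r, SK, self.SK_G, K))
        return expected == AUTH_t

class Member:                              # terminal N_i with the parameters recovered at login
    def __init__(self, rec):
        self.rec, self.SK, self.SK_G, self.VID_new = rec, None, None, None

    def step_4a(self, now):                # group leader N_GL only
        T1 = now.to_bytes(8, "big")
        return (self.rec["VID"], H(self.rec["GID"], self.rec["VID"], self.rec["ID"], T1), T1)

    def step_4e(self, M3):
        v, ID, gid, GPW = (self.rec[k] for k in ("VID", "ID", "GID", "GPW"))
        entry = {vid: (D, a) for vid, D, a in M3}.get(v)   # own entry in the broadcast M_3
        if entry is None:
            return None
        D, auth = entry
        K = H(v, gid, GPW)
        r = xor(D, H(v, K))
        SK, SK_G = H(v, gid, r, K), H(r, gid)
        if auth != H(v, gid, r, SK, K, D):
            return None                    # N_i fails to authenticate the SC
        self.SK, self.SK_G, self.VID_new = SK, SK_G, H(r, v, ID)
        return (v, H(v, gid, D, r, SK, SK_G, K))   # M_4 = <VID_i, AUTH_{i-N}>

def step_4f(leader, M4s):                  # N_GL fuses the members' AUTH_{i-N} by xor
    return (leader.rec["VID"], functools.reduce(xor, [a for _v, a in M4s]))   # M_5

def run_authentication(names, now):        # drive 4a-4g; returns (ok, members, itg, sc)
    records = [make_record(n) for n in names]
    sc, itg, members = Controller(records), Gateway(), [Member(r) for r in records]
    leader = members[0]
    M2 = sc.step_4c(leader.step_4a(now), now)        # 4a-4c; the ITG only forwards in 4b
    if M2 is None:
        return False, members, itg, sc
    M3 = itg.step_4d(M2)
    M4s = [m.step_4e(M3) for m in members]           # N_GL broadcasts M_3 in the group
    if any(m4 is None for m4 in M4s):
        return False, members, itg, sc
    ok = itg.step_4g(step_4f(leader, M4s))
    if ok:
        sc.on_success(M2[1], M2[2])                  # ITG reports success to the SC
    return ok, members, itg, sc
```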
(5) Dynamic terminal joining phase: if a new member is to be added to a terminal group, then in addition to the necessary authentication the group key SK_G must be updated to ensure forward security, so that the new terminal cannot obtain earlier encrypted messages. Since the new member does not know the current group key, broadcasting the new group key calculation parameters encrypted under the current group key, once the new member has been authenticated successfully, usually has the smallest cost. The dynamic joining process of the internet of things terminal comprises the following steps:
(5a) First, the new member N_{k+1} generates a timestamp T_2 and computes AUTH_{k+1} = H(GID' || VID_{k+1} || ID_{k+1} || GPW_{k+1} || T_2). N_{k+1} then sends message M_1 = <VID_{k+1}, AUTH_{k+1}, T_2> to the group leader N_GL of the group.
(5b) When N_GL receives the message, it generates message M_2 = <VID_GL, M_1> and sends it to the ITG. The ITG forwards the message to the SC.
(5c) After receiving message M_2, the SC first verifies T_2 to ensure the freshness of the message. The SC computes and verifies AUTH_{k+1} ?= H(GID' || VID_{k+1} || ID_{k+1} || GPW_{k+1} || T_2). If the two sides are not equal, authentication fails; otherwise the SC has authenticated N_{k+1} successfully. Based on VID_GL in the message, the SC retrieves the information of the group and, together with the parameters <y_{k+1}, p_{k+1}> registered by N_{k+1}, rebuilds the congruence equation system,
[congruence equation system yielding GID_new, shown as an image in the original]
The SC generates a new random number r_new and computes K'_{k+1} = H(VID_{k+1} || GID' || GPW_{k+1}), K_{k+1} = H(VID_{k+1} || GID_new || GPW_{k+1}). The SC then sends message M_3 = <{VID_{k+1}, K'_{k+1}, K_{k+1}}, r_new, GID_new> encrypted to the ITG.
(5d) When the ITG receives message M_3, it computes
D'_{k+1} = GID_new ⊕ H(VID_{k+1} || K'_{k+1}), D_{k+1} = r_new ⊕ H(VID_{k+1} || K_{k+1});
SK_{k+1} = H(VID_{k+1} || GID_new || r_new || K_{k+1});
AUTH_{(k+1)-ITG} = H(VID_{k+1} || GID_new || r_new || SK_{k+1} || K'_{k+1} || K_{k+1} || D'_{k+1} || D_{k+1})
The ITG then sends message M_4 = <VID_{k+1}, D'_{k+1}, D_{k+1}, AUTH_{(k+1)-ITG}> to N_{k+1}. At the same time, the ITG sends <r_new, GID_new> to the original members of the group encrypted under the original group key SK_G.
(5e) When N_{k+1} receives the message, it computes K'_{k+1} = H(VID_{k+1} || GID' || GPW_{k+1}),
GID_new = D'_{k+1} ⊕ H(VID_{k+1} || K'_{k+1}),
[further computation shown as an image in the original]
K_{k+1} = H(VID_{k+1} || GID_new || GPW_{k+1}),
r_new = D_{k+1} ⊕ H(VID_{k+1} || K_{k+1}),
SK_{k+1} = H(VID_{k+1} || GID_new || r_new || K_{k+1}), SK_G^new = H(r_new || GID_new), and verifies AUTH_{(k+1)-ITG} ?= H(VID_{k+1} || GID_new || r_new || SK_{k+1} || K'_{k+1} || K_{k+1} || D'_{k+1} || D_{k+1}). If the two sides are equal, N_{k+1} has authenticated the SC successfully; otherwise authentication fails. N_{k+1} computes
AUTH_{(k+1)-N} = H(VID_{k+1} || GID_new || D'_{k+1} || D_{k+1} || r_new || SK_{k+1} || SK_G^new || K'_{k+1} || K_{k+1}) and updates its pseudo-identity VID_{k+1}^new = H(r || VID_{k+1} || ID_{k+1}). N_{k+1} then sends message M_5 = <VID_{k+1}, AUTH_{(k+1)-N}> to the ITG. Meanwhile, the other members, having received <r_new, GID_new>, also update <SK_i, SK_G, W_i>.
(5f) When the ITG receives the message, it computes SK_G^new = H(r_new || GID_new) and verifies AUTH_{(k+1)-N} ?= H(VID_{k+1} || GID_new || D'_{k+1} || D_{k+1} || r_new || SK_{k+1} || SK_G^new || K'_{k+1} || K_{k+1}). If the two sides are equal, the ITG sends an authentication success message to the SC, and the SC updates <SK_i, SK_G>. Otherwise verification fails and M_5 must be obtained again.
(6) Dynamic terminal removal phase: when a member of a group is found to behave maliciously, the member must be evicted from the group, and the group key SK_G should be updated as soon as possible to guarantee backward security, so that the malicious member cannot obtain subsequent encrypted messages. Since the current group key is no longer secure, the SDN controller needs to update the group identity GID and transmit the new security parameters to each member through its session key. The dynamic removal process of the internet of things terminal comprises the following steps:
(6a) First, the SC retrieves the malicious member N_k and obtains all related record information of its group from the registration table. The SC revokes the legal identity of N_k, modifies its y_k to another value y'_k and rebuilds the congruence equation system,
[congruence equation system yielding GID_new, shown as an image in the original]
The SC generates a new random number r_new and sends message M_i = <r_new, GID_new> encrypted under SK_i to the group members other than the malicious member N_k.
(6b) After receiving <r_new, GID_new>, the other members update <SK_i, SK_G, W_i>. The SC also recomputes <SK_i, SK_G> and synchronizes them with the ITG in encrypted form.
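As an added example (not code from the patent), the registration phase (2a-2e), the login check of phase (3) and the y_k replacement of removal step (6a) run end to end, since all three turn on the same group identity derivation: SHA-256 stands in for H(), a keyed hash stands in for the PUF, the primes are toy-sized with g = 2 as the common generator, and the congruence system is assumed to be GID ≡ y_i (mod p_i), solved with the Chinese remainder theorem.

```python
import hashlib
import math
import secrets

def H(*parts):
    """The protocol's hash H(): fields joined with || and digested (SHA-256 stands in)."""
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def i2b(n):                       # integers (GID, x_i) as 32-byte strings for H() and xor
    return n.to_bytes(32, "big")

def crt(pairs):
    """Chinese remainder theorem: the x with x = a (mod p) for every (a, p), 0 <= x < prod(p)."""
    M = math.prod(p for _, p in pairs)
    return sum(a * (M // p) * pow(M // p, -1, p) for a, p in pairs) % M

class Terminal:                   # internet of things terminal N_i
    def __init__(self, ident):
        self.ID = ident
        self._puf_key = secrets.token_bytes(16)    # stands in for the PUF's physical secret
        self.C = secrets.token_bytes(16)            # PUF stimulus C_i
        self.smc = None                             # smart card SMC_i

    def PUF(self, C):                               # simulated PUF: R_i = PUF(C_i)
        return H(b"PUF", self._puf_key, C)

    def step_2a(self):
        return self.ID, H(self.ID, self.PUF(self.C))           # <ID_i, GPW_i>

    def step_2c(self, VID, p, g):
        self.VID, self.p, self.g = VID, p, g
        self.x = secrets.randbelow(p - 1) + 1       # private key x_i in Z*_{p_i}
        return pow(g, self.x, p)                    # y_i = g^{x_i} mod p_i

    def step_2e(self, W):
        R = self.PUF(self.C)
        GPW = H(self.ID, R)
        GID = xor(W, GPW)
        B1 = xor(i2b(self.x), H(self.VID, GPW))     # x_i hidden under H(VID_i||GPW_i)
        B2 = H(self.VID, self.ID, i2b(self.x), R, W, GID)
        self.smc = (B1, B2, self.VID, W)
        del self.x                                  # only the card copy B_1 survives (assumption)

    def login(self):
        """Phase 3: recover x_i and GID from the card and check B_2; None on failure."""
        B1, B2, VID, W = self.smc
        R = self.PUF(self.C)
        GPW = H(self.ID, R)
        x = int.from_bytes(xor(B1, H(VID, GPW)), "big")
        GID = xor(W, GPW)
        if B2 != H(VID, self.ID, i2b(x), R, W, GID):
            return None                             # tampered card or wrong PUF response
        return x, int.from_bytes(GID, "big"), GPW

class Controller:                 # SDN controller (SC)
    def __init__(self, g=2):                        # g = 2 generates Z*_p for the toy primes used
        self.delta = secrets.token_bytes(32)        # delta_sc
        self.g, self.members, self.GID = g, {}, None

    def step_2b(self, ID, GPW, p):
        VID = H(ID, self.delta)                     # pseudo-identity VID_i
        self.members[VID] = {"ID": ID, "GPW": GPW, "p": p, "y": None}
        return VID, p, self.g

    def rebuild_gid(self):
        # Congruence system assumed to be GID = y_i (mod p_i) for every member.
        self.GID = crt([(m["y"], m["p"]) for m in self.members.values()])
        return self.GID

    def step_2d(self, ys):
        for VID, y in ys.items():
            self.members[VID]["y"] = y
        self.rebuild_gid()
        return {VID: xor(i2b(self.GID), m["GPW"]) for VID, m in self.members.items()}  # W_i

    def revoke(self, VID):
        """Phase 6a: replace y_k by another value y'_k and rebuild; returns GID_new."""
        m = self.members[VID]
        m["y"] = (m["y"] + 1 + secrets.randbelow(m["p"] - 1)) % m["p"]   # any y'_k != y_k
        return self.rebuild_gid()

def register_group(names, primes):
    """Run 2a-2e for one group; returns the controller and the registered terminals."""
    sc, terms, ys = Controller(), [], {}
    for name, p in zip(names, primes):
        t = Terminal(name)
        ID, GPW = t.step_2a()
        VID, p, g = sc.step_2b(ID, GPW, p)
        ys[VID] = t.step_2c(VID, p, g)
        terms.append(t)
    Ws = sc.step_2d(ys)
    for t in terms:
        t.step_2e(Ws[t.VID])
    return sc, terms
```

After `revoke`, the evicted terminal's card still decodes to the old GID, which is why the protocol follows up by distributing <r_new, GID_new> under the remaining members' session keys only.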
(7) Periodic update of group identity and PUF challenge-response phase: after a certain period, the group identity GID and the PUF challenge-response pair CRP (C_i, R_i) must be updated. N_i generates a new C_i^new and computes R_i^new = PUF(C_i^new), GPW_i^new = H(ID_i || R_i^new). N_i reselects a private key x_i^new ∈ Z*_{p_i} for itself and computes
[computation of y_i^new, shown as an image in the original]
N_i sends the message <GPW_i^new, y_i^new> to the SC encrypted under SK_i. The SC receives and decrypts the message, then rebuilds the congruence equation system to obtain GID_new. The SC generates a new random number r_new and broadcasts <r_new, GID_new> to all members encrypted under the group key SK_G. After receiving the message, N_i decrypts it and updates SK_i, SK_G, W_i, B_1, B_2. After the update, the new session key can be used to exchange data, and the SC and the ITG synchronously update <SK_i, SK_G> after receiving the new message.
Finally, it is noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made thereto without departing from the spirit and scope of the present invention, which is intended to be covered by the claims of the present invention.

Claims (8)

1. A multi-factor internet of things terminal dynamic group access authentication method, characterized in that the method comprises the following steps:
S1: System initialization phase: the SDN controller establishes a secure connection with the internet of things gateway, performs system initialization, generates a secure private key and selects a secure one-way hash function;
S2: Internet of things terminal registration phase: the internet of things terminals are divided into groups and registered together over a secure channel;
S3: Login phase: the internet of things terminal decrypts the secret parameters in the smart card by means of the PUF, and verifies the safety and reliability of the internet of things terminal;
S4: Identity authentication and session key negotiation phase: in the group to be authenticated, the group leader first initiates an access authentication request to the SDN controller; the SDN controller verifies the identity of the group leader using the registration information and the parameters in the authentication request, generates a random number, computes an encryption key for each member of the group, and then sends the encryption keys to the internet of things gateway; the internet of things gateway computes a session key for each terminal member, protects the random number with the encryption key, and then broadcasts the authentication message to the group members; each group member computes the encryption key, the session key and the group key locally from the parameters obtained at login and the authentication information, then verifies the authentication information and updates its pseudo-identity, and then computes the authentication success information and sends it to the group leader; the group leader fuses the verification success information of every member and sends it to the internet of things gateway; after the internet of things gateway has successfully verified the fused message, it sends an authentication success message to the SDN controller, and the SDN controller then synchronously computes the session keys and the group key;
S5: Dynamic terminal joining phase: when a new member is to be added to a terminal group, the group key is updated to ensure forward security;
S6: Dynamic terminal removal phase: when a member of a group is found to behave maliciously, the member is evicted from the group and the group key SK_G is updated to ensure backward security;
S7: Periodic update of group identity and PUF challenge-response phase: the group identity and the PUF challenge-response are updated after a certain period in order to prevent tracking attacks; each internet of things terminal reselects a private key and a PUF input stimulus, computes the corresponding registration parameters and sends them to the SDN controller; the SDN controller recomputes the group identity and selects a random number from the new parameters, and sends them to each internet of things terminal through the original session key; each terminal then computes the updated session key and group key in synchronization with the SDN controller.
2. The multi-factor internet of things terminal dynamic group access authentication method according to claim 1, characterized in that step S1 specifically includes: the SDN controller establishes a secure connection with the internet of things gateway, then generates a secure private key δ_sc and selects a secure one-way hash function H(): {0,1}* → {0,1}^n, where n is the bit width of the hash function's message digest output.
3. The multi-factor internet of things terminal dynamic group access authentication method according to claim 1, characterized in that:
in step S2, all k terminal members of the group are equipped with a physical unclonable function PUF by default and initialize a challenge-response pair CRP (C_i, R_i), and the registration of the internet of things terminals specifically includes the following steps:
S21: the internet of things terminal computes the registration parameter GPW_i from its identity ID_i and the PUF output, and sends the registration information <ID_i, GPW_i> to the SDN controller;
R_i = PUF(C_i)
GPW_i = H(ID_i || R_i)
where R_i is the output response of the physical unclonable function PUF, C_i is the input stimulus of the physical unclonable function, GPW_i is the registration parameter, and H is the hash function;
S22: the SDN controller computes a pseudo-identity VID_i for the internet of things terminal, selects a large prime p_i and a primitive root g for the exponentiation, and sends the registration information <VID_i, p_i, g> to the internet of things terminal; VID_i is computed as follows:
VID_i = H(ID_i || δ_sc)
where δ_sc is the secure private key of the SDN controller;
S23: the internet of things terminal selects a private key x_i, computes the registration information y_i ≡ g^{x_i} mod p_i and sends the registration information <y_i> to the SDN controller;
S24: the SDN controller constructs a congruence equation system from the registration information to compute the group identity GID, and encrypts the group identity with the registration information to compute W_i; the SDN controller sends the registration information <W_i> to the internet of things terminal; GID is the solution of the congruence equation system, as follows:
[congruence equation system yielding GID, shown as an image in the original]
S25: the internet of things terminal computes B_1 and B_2 for encrypting the private key and verifying parameter integrity, and stores <B_1, B_2, VID_i, W_i> in the smart card SMC_i, where W_i is the parameter protecting the GID:
W_i = GID ⊕ GPW_i
B_1 and B_2 are used to protect the private key of the internet of things terminal and for integrity verification, and are computed as follows:
B_1 = x_i ⊕ H(VID_i || GPW_i)
B_2 = H(VID_i || ID_i || x_i || R_i || W_i || GID).
4. The multi-factor internet of things terminal dynamic group access authentication method according to claim 1, characterized in that step S3 specifically comprises: the internet of things terminal reads its identity ID_i, the PUF input stimulus C_i and the parameters <B_1, B_2, VID_i, W_i> in the smart card, computes GPW_i, decrypts the private key protected by B_1 and verifies the integrity of the parameters.
5. The multi-factor internet of things terminal dynamic group access authentication method according to claim 1, characterized in that step S4 specifically includes:
S41: the group leader generates a timestamp T_1, computes the authentication request verification parameter AUTH_GL = H(GID || VID_GL || ID_GL || T_1) and sends the authentication request message <VID_GL, AUTH_GL, T_1> to the internet of things gateway;
S42: the internet of things gateway forwards the authentication request message to the SDN controller;
S43: after verifying the freshness of the message, the SDN controller verifies AUTH_GL, computes an encryption key K_i = H(VID_i || GID || GPW_i) for each terminal member, selects a random number r and sends the message <{VID_i, K_i}, r, GID> to the internet of things terminal;
S44: the internet of things gateway computes D_i for protecting the random number r, the session key SK_i and the integrity verification parameter AUTH_{i-ITG}, and sends the message <VID_i, D_i, AUTH_{i-ITG}> to the group leader; the formulas are as follows:
D_i = r ⊕ H(VID_i || K_i)
SK_i = H(VID_i || GID || r || K_i)
AUTH_{i-ITG} = H(VID_i || GID || r || SK_i || K_i || D_i)
S45: the group leader broadcasts the message within the group, and each terminal member computes the encryption key K_i, decrypts D_i to obtain the random number r, computes the session key SK_i, computes the group key SK_G, performs integrity verification by computing AUTH_{i-ITG}, updates its pseudo-identity by computing VID_i^new, computes the authentication success parameter AUTH_{i-N} and sends the message <VID_i, AUTH_{i-N}> to the group leader; the formulas are as follows:
SK_G = H(r || GID)
VID_i^new = H(r || VID_i || ID_i)
AUTH_{i-N} = H(VID_i || GID || D_i || r || SK_i || SK_G || K_i)
S46: the group leader fuses the information of every member into the fused authentication parameter AUTH_t and sends the message <VID_GL, AUTH_t> to the internet of things gateway, where:
AUTH_t = AUTH_{1-N} ⊕ AUTH_{2-N} ⊕ ... ⊕ AUTH_{k-N}
S47: the internet of things gateway computes SK_G and verifies AUTH_t, sends an authentication success message to the SDN controller, and the SDN controller synchronously computes <SK_i, SK_G, VID_i^new>.
6. The multi-factor internet of things terminal dynamic group access authentication method according to claim 1, characterized in that step S5 specifically comprises:
S51: the new member N_{k+1} generates a timestamp T_2, computes the authentication request verification parameter AUTH_{k+1} and sends the message <VID_{k+1}, AUTH_{k+1}, T_2> to the group leader of the group; the formula is as follows:
AUTH_{k+1} = H(GID' || VID_{k+1} || ID_{k+1} || GPW_{k+1} || T_2)
S52: the group leader adds the group identity to the message and sends the message <VID_GL, VID_{k+1}, AUTH_{k+1}, T_2> to the SDN controller;
S53: the SDN controller verifies the freshness of the message, computes and verifies AUTH_{k+1}, rebuilds the congruence equation system to compute the new group identity GID_new, selects a new random number r_new, computes the encryption keys K'_{k+1} and K_{k+1}, and sends the message <{VID_{k+1}, K'_{k+1}, K_{k+1}}, r_new, GID_new> to the internet of things gateway; the formulas are as follows:
[congruence equation system yielding GID_new, shown as an image in the original]
K'_{k+1} = H(VID_{k+1} || GID' || GPW_{k+1})
K_{k+1} = H(VID_{k+1} || GID_new || GPW_{k+1})
S54: the internet of things gateway computes D'_{k+1} and D_{k+1} for encrypting the new group identity and the random number, computes the session key SK_{k+1} and the integrity verification parameter AUTH_{(k+1)-ITG}, sends the message <VID_{k+1}, D'_{k+1}, D_{k+1}, AUTH_{(k+1)-ITG}> to the new member, and broadcasts <r_new, GID_new> to the original group members under the original group key; the formulas are as follows:
D'_{k+1} = GID_new ⊕ H(VID_{k+1} || K'_{k+1})
D_{k+1} = r_new ⊕ H(VID_{k+1} || K_{k+1})
SK_{k+1} = H(VID_{k+1} || GID_new || r_new || K_{k+1})
AUTH_{(k+1)-ITG} = H(VID_{k+1} || GID_new || r_new || SK_{k+1} || K'_{k+1} || K_{k+1} || D'_{k+1} || D_{k+1})
S55: the new member computes the encryption keys K'_{k+1} and K_{k+1}, decrypts D'_{k+1} and D_{k+1} to obtain the new group identity and the random number, computes the session key SK_{k+1} and the group key SK_G^new, computes and verifies AUTH_{(k+1)-ITG}, updates its pseudo-identity VID_{k+1}^new, computes the authentication success parameter AUTH_{(k+1)-N} and sends the message <VID_{k+1}, AUTH_{(k+1)-N}> to the internet of things gateway; meanwhile the other members, having received <r_new, GID_new>, also update <SK_i, SK_G, W_i>; the formulas are as follows:
VID_{k+1}^new = H(r || VID_{k+1} || ID_{k+1})
AUTH_{(k+1)-N} = H(VID_{k+1} || GID_new || D'_{k+1} || D_{k+1} || r_new || SK_{k+1} || SK_G^new || K'_{k+1} || K_{k+1})
S56: the internet of things gateway computes SK_G^new, computes and verifies AUTH_{(k+1)-N}, and sends an authentication success message to the SDN controller; the SDN controller synchronously updates <SK_i, SK_G>.
7. The multi-factor internet of things terminal dynamic group access authentication method according to claim 1, characterized in that step S6 specifically comprises:
S61: first, the SDN controller retrieves the malicious member N_k, revokes the legal identity of N_k, modifies its y_k to another value y'_k and rebuilds the congruence equation system to compute GID_new:
[congruence equation system yielding GID_new, shown as an image in the original]
the SDN controller generates a new random number r_new and sends the message <r_new, GID_new> encrypted under SK_i to the group members other than the malicious member N_k;
S62: the other members update <SK_i, SK_G, W_i>, and the SC recomputes <SK_i, SK_G> and synchronizes them with the ITG in encrypted form.
8. The multi-factor internet of things terminal dynamic group access authentication method according to claim 1, characterized in that step S7 includes: the internet of things terminal generates a new PUF input stimulus C_i^new, computes R_i^new and GPW_i^new, selects a new private key x_i^new, computes y_i^new and sends the message <GPW_i^new, y_i^new> to the SDN controller; the SDN controller rebuilds the congruence equation system to obtain GID_new, generates a new random number r_new and broadcasts the message <r_new, GID_new> to all group members; the group members, the SDN controller and the internet of things gateway update the parameters <SK_i, SK_G, W_i, B_1, B_2>.
CN202310311718.1A 2023-03-28 2023-03-28 Multi-factor internet of things terminal dynamic group access authentication method Pending CN116318678A (en)


Publications (1)

Publication Number Publication Date
CN116318678A true CN116318678A (en) 2023-06-23


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116709316A (en) * 2023-07-06 2023-09-05 云南大学 Stateless group key updating method for large-scale dynamic group based on smart card
CN116709316B (en) * 2023-07-06 2024-01-26 云南大学 Stateless group key updating method for large-scale dynamic group based on smart card
CN117097489A (en) * 2023-10-20 2023-11-21 华东交通大学 Lightweight double-factor agriculture Internet of things equipment continuous authentication method and system
CN117097489B (en) * 2023-10-20 2024-01-30 华东交通大学 Lightweight double-factor agriculture Internet of things equipment continuous authentication method and system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination