CN116366263A - Authentication method based on PUF and revocable biological characteristics and application thereof - Google Patents
Authentication method based on PUF and revocable biological characteristics and application thereof Download PDFInfo
- Publication number
- CN116366263A CN116366263A CN202310524305.1A CN202310524305A CN116366263A CN 116366263 A CN116366263 A CN 116366263A CN 202310524305 A CN202310524305 A CN 202310524305A CN 116366263 A CN116366263 A CN 116366263A
- Authority
- CN
- China
- Prior art keywords
- user
- authentication
- information
- cloud server
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 152
- 238000012795 verification Methods 0.000 claims abstract description 58
- 238000009826 distribution Methods 0.000 claims abstract description 52
- 230000004044 response Effects 0.000 claims abstract description 26
- 238000004891 communication Methods 0.000 claims abstract description 24
- 230000008569 process Effects 0.000 claims description 72
- 238000006243 chemical reaction Methods 0.000 claims description 17
- 238000012384 transportation and delivery Methods 0.000 claims description 15
- 238000012545 processing Methods 0.000 claims description 8
- 238000005516 engineering process Methods 0.000 claims description 6
- 239000000284 extract Substances 0.000 claims description 5
- 101100274486 Mus musculus Cited2 gene Proteins 0.000 claims description 4
- 101150096622 Smr2 gene Proteins 0.000 claims description 4
- 230000004927 fusion Effects 0.000 claims description 3
- 238000007726 management method Methods 0.000 claims description 3
- 238000010606 normalization Methods 0.000 claims description 3
- 238000011084 recovery Methods 0.000 claims description 3
- 230000003542 behavioural effect Effects 0.000 claims description 2
- 238000000605 extraction Methods 0.000 claims description 2
- 230000001815 facial effect Effects 0.000 claims description 2
- 238000007781 pre-processing Methods 0.000 claims description 2
- 238000004364 calculation method Methods 0.000 abstract description 14
- 230000006870 function Effects 0.000 description 11
- 230000003993 interaction Effects 0.000 description 7
- 239000000243 solution Substances 0.000 description 5
- 101100533725 Mus musculus Smr3a gene Proteins 0.000 description 4
- 238000012360 testing method Methods 0.000 description 4
- 238000011056 performance test Methods 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 239000012634 fragment Substances 0.000 description 2
- 206010063385 Intellectualisation Diseases 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000005336 cracking Methods 0.000 description 1
- 230000001186 cumulative effect Effects 0.000 description 1
- 230000003247 decreasing effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000005265 energy consumption Methods 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 238000002474 experimental method Methods 0.000 description 1
- 238000013100 final test Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000002347 injection Methods 0.000 description 1
- 239000007924 injection Substances 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000011835 investigation Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 238000013439 planning Methods 0.000 description 1
- 230000001172 regenerating effect Effects 0.000 description 1
- 238000003860 storage Methods 0.000 description 1
- 238000010998 test method Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3278—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Health & Medical Sciences (AREA)
- Biodiversity & Conservation Biology (AREA)
- Life Sciences & Earth Sciences (AREA)
- Computer And Data Communications (AREA)
- Collating Specific Patterns (AREA)
Abstract
The invention belongs to the technical field of information security, and particularly relates to an authentication method based on a PUF and a revocable biological feature and application thereof. The authentication method comprises the following steps: s1: the cloud server is connected with the edge server through intranet communication. S2: and the user puts forward a registration request to the cloud server and completes identity registration. S3: the user authenticates with the cloud server and negotiates a session key for communication. S4: the cloud server sends the session key and the authentication result, the identity information of the user, the device response value and the protected biometric feature to the edge server. S5: the user end actively requests the equipment authentication from the edge servers, and each edge server is mutually authenticated with the user end equipment in succession and negotiates a session key. In the unmanned distribution system, the cloud side end three-party finishes mutual authentication by adopting the method. The method solves the problems of insufficient safety and excessive calculation cost of the traditional multiple verification protocol in the unmanned distribution scene.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an authentication method based on a PUF and a revocable biological feature and an unmanned distribution system with edge cloud cooperation.
Background
In recent years, with the continuous development of the economic development level of China, the income level and the consumption capability of people are continuously improved, and the logistics transportation industry is not stressed little. Because the intelligent logistics system has the characteristics of automation, controllability, intellectualization and networking, the logistics transportation and distribution capacity can be greatly improved. Therefore, intelligent logistics systems have been rapidly developed. For example, the intelligent logistics system based on the unmanned aerial vehicle has the advantages of high speed, easiness in use, flexibility and the like, so that the problems of slow distribution, high labor cost, terrain constraint and the like in the traditional logistics distribution process can be effectively solved, and the intelligent logistics system based on the unmanned aerial vehicle is becoming a powerful productivity tool in the field of modern logistics distribution.
With the rapid popularization of unmanned logistics distribution systems such as unmanned aerial vehicles, related network threats are gradually increasing. For example, during the process of handling the unmanned aerial vehicle to perform the logistics distribution, the unmanned aerial vehicle may encounter network attacks such as fraud attacks, imposter attacks, injection attacks, etc., so that the unmanned aerial vehicle may be hijacked maliciously. In addition, the sender handling the unmanned aerial vehicle may also be subject to physical attacks, such as grabbing handling devices such as remote controls by malicious attackers. These actions can result in irreparable loss of user's property, personal privacy information, and security of the system. Therefore, how to provide a safer authentication scheme, to resist the network attack and the physical attack of the unmanned aerial vehicle, and to ensure that the unmanned aerial vehicle can accurately reach the delivery destination from the center of the stream, is becoming a technical problem to be solved by those skilled in the art.
The identity authentication of each party executing the delivery task is an effective strategy for guaranteeing the safety of the unmanned aerial vehicle delivery task. The existing identity authentication protocol is mainly designed for one-time authentication, and one-time authentication has a large security risk, and even if a user and a server complete mutual authentication and key negotiation, malicious attacks can still be suffered in the process of utilizing a session key for communication. Multiple authentications at each party should be the correct direction of investigation to improve the security of unmanned logistics distribution scenarios. However, the existing authentication protocol supporting multiple authentications often brings high computational overhead, and cannot be effectively applied in the unmanned aerial vehicle logistics distribution scene with limitations on computational power and energy consumption.
Disclosure of Invention
In order to solve the problems that in the existing unmanned distribution scene of high-speed movement, the security of a one-time authentication protocol adopted by a transport carrier is low, the security of a multiple-time authentication protocol is insufficient, and the calculation cost is excessive; the invention provides an authentication method based on PUF and revocable biological characteristics and application thereof.
The invention is realized by adopting the following technical scheme:
an authentication method based on PUF and revocable biological characteristics is used for realizing mutual authentication and continuous authentication between a user terminal containing a moving object and a management terminal containing a cloud server and an edge server. The authentication method comprises the following steps:
S1: the cloud server and the edge server establish mutually-trusted communication connection through an intranet, and the cloud server discloses own identity information and waits for a user side to put forward a registration request or an authentication request.
S2: the user puts forward a registration request to the cloud server through the user terminal and completes identity registration, and the identity registration process comprises the following steps:
s21: the user submits identity information to the cloud serverID i Registration request information of (a)Msg1After receiving the request, the cloud server generates corresponding anonymous identity sequences respectivelyPIDPrivate keyK user Random challengeC i And willMsg2To the user side of the mobile terminal,Msg2={PID、K user 、C i }。
s22: the user terminal collects the biological characteristics of the userBioAnd specify a conversion parameterwThe method comprises the steps of carrying out a first treatment on the surface of the Random challenge is then generated using the PUF of the user deviceC i Response to (2)R i And combine the responsesR i And conversion parameterswGenerating protected biometric templatespfThe method comprises the steps of carrying out a first treatment on the surface of the Finally, willMsg3Is sent to a cloud server and is sent to a cloud server,Msg3={pf、R i 、w}。
s23: cloud server willpfAndwgenerating multiple shares of shared secrets as secret messages by multiple secret sharing techniquesS 1 ~S 9 And willMsg4To the user side, wherein,Msg4={ S 1 ~ S 3 -a }; will be S 7 ~ S 9 Sending to each edge server; cloud hash code is generated by utilizing hash algorithmHV CS :
The method comprises the steps of carrying out a first treatment on the surface of the Last store {PID、R i 、K user 、HV CS 、S 1 ~ S 3 }。
S24: the user terminal generates a random number NThen using fuzzy extractor to obtain biological characteristicsBioCorresponding intermediate keyKAuxiliary outputFAAnd encrypting to obtain local secret key
Local vector->
The method comprises the steps of carrying out a first treatment on the surface of the User hash code generation by utilizing hash algorithmHV:/>
The method comprises the steps of carrying out a first treatment on the surface of the Last store { S 3 ~ S 6 、/>
、/>
、C i 、HV、N}。
S3: the user interacts with the cloud server through the user terminal, and mutual authentication is completed in an encryption domain by utilizing the user data collected in real time and related data stored in the user terminal and the cloud server and generated in a registration stage; and negotiates a session key for the communication after the mutual authentication is completed.
S4: the cloud server sends the session key and the authentication result negotiated in the previous step, the identity information of the user, the equipment response value and the protected biological characteristics to the edge server through the intranet, and the session key and the authentication result are used as authentication information for continuously authenticating the edge server and the user.
S5: after the user side reaches the service area of any one of the edge servers, the user actively requests equipment authentication from the edge servers through the user side, and each edge server successively uses various information sent by the cloud server and the user side equipment to mutually authenticate in an encryption domain so as to negotiate a session key for communication.
The invention also comprises the use of an authentication method based on PUFs and revocable biological features as described above in an unmanned logistics distribution method.
Based on the application of the authentication method based on the PUF and the revocable biological characteristics, the invention further develops an unmanned distribution system with edge cloud cooperation. The unmanned distribution system provided by the invention comprises: the cloud server comprises user terminal equipment, a cloud server and a plurality of edge servers.
The user side equipment comprises a control terminal operated by a supervisory person and an unmanned transportation carrier for executing cargo delivery tasks. The control terminal is in communication connection with the unmanned carrier and is used for operating the unmanned carrier; the control terminal is also internally or externally connected with a biological characteristic information acquisition device and input and output equipment.
The cloud server serves as a control center of the unmanned distribution system. The cloud server performs mutual authentication with the registered unmanned transportation vehicle by adopting the authentication method based on the PUF and the revocable biological characteristics, and establishes a session key and realizes secret communication after the authentication is passed. The cloud server distributes logistics distribution tasks to the unmanned transportation vehicles through the encryption channels and plans the movement paths of the unmanned transportation vehicles; and then determining an edge server of the unmanned transportation carrier path according to the motion path, and then sending verification information for realizing continuous authentication to each edge server.
A plurality of edge servers are distributed in the distribution area; and the edge server and the cloud server are communicated by adopting an intranet. Each edge server adopts the authentication method based on the PUF and the revocable biological characteristics and the unmanned transportation vehicle which makes an authentication request to perform mutual authentication, and establishes a session key and realizes secret communication after the authentication is passed. The various edge servers then send the guidance information and the supervision information needed on the way to the unmanned carrier via the encrypted channel.
As a further improvement of the invention, the unmanned transport vehicle comprises an unmanned transport vehicle, an unmanned transport ship and an unmanned plane. The biological characteristic information acquisition device adopts one or more of a face recognition component, a fingerprint recognition component and an iris acquisition component. The input/output device includes one or more of a display assembly, a microphone, a speaker, keys, and a joystick.
The technical scheme provided by the invention has the following beneficial effects:
the invention designs a complete cloud side end cooperative continuous identity authentication scheme, which can realize mutual authentication between a user end and a cloud server and continuous authentication between the user end and a plurality of edge servers. In the identity authentication process, the invention applies the unique PUF response of each user terminal device and the exclusive revocable biological characteristics of each user to the user identity recognition, adopts a multi-secret sharing strategy, and distributes and stores the parameter information to be protected in a memory of each party participating in the authentication. The complexity of the system authentication process is obviously improved, the security level of the data is improved, and the attack difficulty of an attacker is greatly increased.
In the continuous authentication scheme designed by the invention, the privacy data of the user is particularly encrypted, the plaintext information is fragmented in a distributed storage mode, and the authentication work is completed in an encrypted domain, so that the security of the privacy information is effectively ensured while the authentication of the user side is solved. In addition, the continuous authentication scheme with the cloud side three-party cooperation can effectively reduce the calculation cost of the user side and the edge server, the authentication period of each round can be obviously shortened along with the increase of the authentication times of the edge server, and the scheme has outstanding advantages in the aspect of calculation efficiency.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
fig. 1 is a flowchart of the steps of an authentication method based on PUFs and revocable biometric features provided in embodiment 1 of the present invention.
Fig. 2 is a flowchart of identity registration performed by a user side in a cloud server.
FIG. 3 is a graph of the use of fusion functions
Is provided for generating a data processing logic diagram of a biometric template.
Fig. 4 is a diagram of an architecture of an unmanned distribution system using unmanned aerial vehicle to implement edge cloud coordination in embodiment 2 of the present invention.
Fig. 5 is an interactive example of a user making a registration request to a cloud server and completing identity registration through a user terminal in an unmanned aerial vehicle distribution scenario.
Fig. 6 is an interaction example of mutual authentication between a user side and a cloud server side in an unmanned aerial vehicle distribution scene.
Fig. 7 is an interaction example of implementing continuous authentication between a client and an edge server in an unmanned aerial vehicle distribution scenario.
FIG. 8 shows the performance test procedure using
Generated biometric templatesCMC curve of (c).
FIG. 9 shows the performance test procedure using
ROC curve of the generated biometric template.
Fig. 10 is a graph showing the increase of the total verification time of the continuous verification method according to the present embodiment with verification rounds in the performance test process.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Example 1
The embodiment provides an authentication method based on a PUF and a revocable biometric, which is used for realizing mutual authentication and continuous authentication between a user terminal containing a moving object and a management terminal containing a cloud server and an edge server. The main idea of the authentication method provided by the invention is as follows:
First, a Physical Unclonable Function (PUF) of the user-side device itself is associated with a revocable biometric template generated using the user's biometric, and "binding" of a person to the device is achieved on the user side. The physical unclonable function is a hardware function which generates random values inside a chip due to manufacturing process differences of an integrated circuit, unpredictable response values can be generated rapidly through interaction with challenges, the hardware function has uniqueness, the same response values can be generated by the same equipment with the same challenges, and response values generated by different equipment or different challenges are different and can be circulated irregularly, so that the hardware function can be effectively used as a unique identity mark of the equipment. On the other hand, if the identity authentication is directly performed by using the biometric feature of the user operating the user terminal device, the original biometric feature template in the stored database is easily attacked, so that the privacy of the user is revealed. The revocable biological characteristic template protection method can effectively protect the original biological characteristic template, and the revocable biological characteristic template protection method is adopted for biological authentication, so that the personal privacy of the user can be effectively protected. Therefore, the invention can realize efficient user identity authentication and personal privacy protection by combining the equipment PUF and the revocable biological feature template protection method.
Then, the cloud server generates corresponding pseudo identity information in a registration stage and encrypts the pseudo identity information with the bound user side information, and related information is stored in the user side equipment, the cloud server and the edge server which participate in mutual authentication in a distributed mode through a multi-secret sharing technology for a subsequent authentication process. Meanwhile, the mutual authentication process of the related parties adopts a multi-step verification mode, and each interaction process only transmits partial encrypted verification 'information fragments', and the two parties perform mutual decoding and verification.
Based on the strategy, the scheme provided by the invention not only can realize mutual authentication between the user terminal and the cloud server, but also can realize mutual authentication and continuous authentication between the user terminal and a plurality of edge servers; and the authentication process has high complexity, and is difficult to realize cracking and hijacking. Meanwhile, all verification information adopted in the authentication process is encrypted information fragments, and only the authentication related party has the identification verification capability of the encrypted domain information, so that the risk of effective information leakage cannot occur, and the security of the whole system can be greatly improved. Specifically, the authentication method based on PUF and revocable biological feature designed by the invention is shown in fig. 1, and comprises the following procedures:
S1: the cloud server and the edge server establish mutually-trusted communication connection through an intranet, and the cloud server discloses own identity information and waits for a user side to put forward a registration request or an authentication request.
S2: the user puts forward a registration request to the cloud server through the user terminal and completes identity registration, and the identity registration process is shown in fig. 2 and comprises the following steps:
s21: the user actively inputs identity information through the user terminalID i The method comprises the steps of carrying out a first treatment on the surface of the The user submits identity information to the cloud serverID i Registration request information of (a)Msg1,Msg1={ID i ,Req}, itIn the process, ,Reqrepresenting a registration request.
After receiving the registration request information sent by any user side, the cloud server firstly carries out registration according to the identity informationID i Inquiring whether the current user has completed registration, if yes, rejecting the registration request, otherwise, accepting the registration request of the newly added user. After receiving the request, the cloud server generates corresponding anonymous identity sequences respectivelyPIDPrivate keyK user Random challengeC i And willMsg2To the user side of the mobile terminal,Msg2={PID、K user 、C i }。
。
s22: the user terminal collects the biological characteristics of the userBioAnd specify a conversion parameterwThe method comprises the steps of carrying out a first treatment on the surface of the Random challenge is then generated using the PUF of the user deviceC i Response to (2)R i And combine the responsesR i And conversion parameterswGenerating protected biometric templates pfThe method comprises the steps of carrying out a first treatment on the surface of the Finally, willMsg3Is sent to a cloud server and is sent to a cloud server,Msg3={pf、R i 、w}。
in the actual application process, the biological characteristics of the user are collected by the user sideBioIncluding facial images, fingerprint data, iris data, voiceprint data, and other physical or behavioral characteristics that may be captured and used to resolve individual differences. At present, most of the devices support biological recognition characteristic modes are face recognition and fingerprint recognition, the recognition modes are fully applied to the market and have rich and low-cost software and hardware integration schemes, and the invention can directly utilize the related solutions to carry out biological featureBioCollecting and processing. Of course, after the technology is mature, other biological identification features capable of identifying the identity of the user can be adopted as relevant verification information required by the scheme.
In the solution provided in this embodiment, the biometric templatepfUsing fusion functions
Generating, fusing function->
One path of input is the original biological characteristics of the user, the other path of input is the PUF value of the user terminal equipment, and the output is the corresponding biological characteristic templatepf。
As shown in fig. 3, in the present embodiment,
the data processing process of (1) is as follows:
(1) Preprocessing, feature extraction and normalization are carried out on the collected original biological features of the user to obtain a corresponding feature vector f。
(2) Generating random challenges based on PUFs of user devicesC i Response to (2)R i For a pair ofR i And carrying out normalization processing to obtain a normalized PUF response value.
(3) Feature vectorfAnd performing characteristic splicing on the normalized PUF response value.
(4) Performing characteristic splicing results
Processing to obtain the required biological feature templatepfWherein->
The conversion parameters of (a) are as followsw。
S23: cloud server willpfAndwgenerating multiple shares of shared secrets as secret messages by multiple secret sharing techniquesS 1 ~S 9 And willMsg4Transmitting to a user side; wherein,,Msg4={ S 1 ~ S 3 }. And then will be S 7 ~ S 9 And sending the data to each edge server through an intranet channel. Finally, a cloud hash code is generated by utilizing a hash algorithmHV CS :
The method comprises the steps of carrying out a first treatment on the surface of the And store { in the cloud serverPID、R i 、K user 、HV CS 、S 1 ~ S 3 }。
S24: the user receivesMsg4Thereafter, a random number is generatedNThen the fuzzy extractor is utilized to obtain the pre-collected biological characteristicsBioCorresponding intermediate keyKAuxiliary outputFAAnd encrypting to obtain local secret key
Local vector->
. User hash code generation by utilizing hash algorithmHV:/>
The method comprises the steps of carrying out a first treatment on the surface of the Last store { S 3 ~S 6 、/>
、/>
、C i 、HV、N}。
Wherein the local key
And local vector->
The generation function of (2) is as follows:
in the above-mentioned method, the step of,
a representation blur extractor; />
Representing a hash function; "/>
"means feature stitching; "/>
"means exclusive or operation.
S3: the user interacts with the cloud server through the user terminal, and mutual authentication is completed in an encryption domain by utilizing the user data collected in real time and related data stored in the user terminal and the cloud server and generated in a registration stage; and negotiates a session key for the communication after the mutual authentication is completed. Specifically, the process of negotiating the session key by the user side and the cloud server through mutual authentication includes the following steps:
s31: user input biometricBioAnonymous identityPID i And a PUF challenge value prestored in the user terminal, and verifying the input parameters by using the registration information in the registration process, and after verification is successful, transmitting the information
To a cloud server. Cloud server receives and verifies->
If the verification parameters are legal, the authentication process is terminated; if the cloud service is legal, the cloud service successfully authenticates the user terminal.
S32: the cloud server generates a random number, takes out the shared secret of the cloud server, calculates the parameters to be verified, and sends information
To the user side. The user terminal equipment receives the information->
Firstly, calculating to-be-verified parameters, then verifying the legality of the parameters, and if not, terminating the authentication process. If the authentication is legal, the user equipment authentication is successful.
S33: the user terminal extracts the shared secret parameter and generates new random number, calculates the verification parameter and sends information
To a cloud server; the cloud server receives information->
Firstly, calculating a parameter to be verified, and then verifying the legality of the parameter; if not, the authentication process is terminated. If it is legal, the rest of the shared secret information is extracted from the edge server.
S34: after the cloud service obtains the shared secret parameters in the edge server, the protected biological information and the template conversion parameters are recovered by utilizing a secret recovery technology; generating new random number, calculating verification parameter, and storing information
Transmitting to a user side; user terminal receives information->
Then, calculating to obtain parameters to be verified, and verifying the legality of the parameters; if not, terminating the authentication process; if the authentication is legal, the authentication is successful.
S35: the user terminal generates a protected biological characteristic template by utilizing biological characteristic information and received information, generates a random number, calculates a shared secret key of the cloud service and the user terminalSK ij Verifying parameters; and will information
Sending the cloud server to a cloud server; cloud server utilization information->
Shared secret key of computing cloud server and user SK ij Verification information->
Parameters and session keysSK ij Legitimacy, if not, terminating the authentication process; if it is legal, the session key is successfully established.
S4: after the mutual authentication is completed between the cloud server and the user side, the cloud server sends the session key and the authentication result negotiated in the previous step, the identity information of the user side, the equipment response value and the protected biological characteristics to the edge server through the intranet, and the session key and the authentication result, the equipment response value and the protected biological characteristics are used as authentication information for continuously authenticating the edge server and the user side.
S5: after the user side reaches the service area of any one of the edge servers, the user actively requests equipment authentication from the edge servers through the user side, and each edge server successively uses various information sent by the cloud server and the user side equipment to mutually authenticate in an encryption domain so as to negotiate a session key for communication. Specifically, the continuous authentication process between the client and the edge server is as follows:
s51: the user inputs the pseudo identity information and the information in the authentication process of the cloud server, calculates the verification information and sends the information
And sending the data to the edge server, and requesting the edge server to authenticate. The edge server receives the information
After that, verify information- >
Legitimacy of the medium parameters: if not, ending the authentication process; if the authentication is legal, the authentication is successful.
S52: the edge server generates random challenges, extracts shared secret parameters, calculates verification parameters and sends information
And sending the message to a user terminal. User terminal receives information->
After that, verify->
Legitimacy of the medium parameters: if not, ending the authentication process; if the authentication is legal, the authentication is successful.
S53: generating a new protected biometric template by the client using template conversion parameterspfCalculating verification parameters; and will information
And sending the data to an edge server. Edge server receives information->
After that, verify->
Legitimacy of the medium parameter and verifying legitimacy of the biological feature: if not, the authentication process is ended, and if not, the authentication is successful.
S54: edge server generates new session key
Calculating verification parameters; and +.>
And sending the message to a user terminal. User terminal receives information->
After that, calculate the session key +.>
Verification parameters and session keys
Legitimacy of (2): if not, ending the authentication process; if it is legal, the authentication is successful and a new session key is established.
S55: after the current edge server completes the establishment of the session key, the new session key and the PUF response value are sent to the next edge server needing to verify the user terminal equipment, and the steps S51-S54 are repeatedly executed, so that the continuous authentication of the user terminal and different edge servers is realized.
Example 2
The technical effects mainly achieved by the scheme provided in embodiment 1 are: and realizing mutual authentication and continuous authentication on the side of the user and the user terminal equipment, and on the side of the cloud server and the edge server. The mutual authentication is performed between the user side and the cloud server, so that on one hand, a user who executes a task and user side equipment can be ensured to be an object designated by the cloud server, and on the other hand, the user side equipment can be allowed to authenticate the cloud server, and the cloud server side is ensured to be a designated service provider.
And between the user terminal and the edge server, through mutual authentication and continuous authentication of the user terminal and the edge server, the user terminal equipment can be ensured to continuously contact with different edge servers in a fast moving scene, so that information interaction is carried out after the mutual authentication of the user terminal equipment and the edge server is completed. Therefore, the user terminal equipment can continuously acquire the guiding service provided by the edge server in the fast moving process, and the edge server can monitor the running state of the user terminal equipment at any time in the fast moving process of the user terminal equipment.
Based on the technical effects achieved, one typical application scenario of the authentication method based on PUF and revocable biometric features provided in embodiment 1 is unmanned logistics distribution. By the method, mutual authentication and continuous authentication can be realized between the logistics distribution equipment and the server of the distribution service provider. The scheme provided by the embodiment can ensure that the distribution service can be developed in a protected communication system, and avoid the distribution system from being cracked, so that the privacy information of the user is revealed. The method can also avoid the hijack of the logistics distribution equipment by lawbreakers, reduce the safety risk of unmanned distribution process and protect distribution service providers and users from economic loss.
Therefore, based on the scheme of embodiment 1, the embodiment further develops an unmanned distribution system with edge cloud cooperation. The unmanned delivery system provided in this embodiment 1 includes: the cloud server comprises user terminal equipment, a cloud server and a plurality of edge servers.
The user side equipment comprises a control terminal operated by a supervisory person and an unmanned transportation carrier for executing cargo delivery tasks. The control terminal is in communication connection with the unmanned carrier and is used for operating the unmanned carrier. The unmanned carrier mentioned in the scheme of the embodiment mainly comprises an unmanned carrier, an unmanned ship, an unmanned plane and other related equipment which can be used for carrying out logistics distribution autonomously.
In addition, the control terminal is also internally or externally connected with a biological characteristic information acquisition device and input and output equipment. The biological characteristic information acquisition device is mainly used for acquiring biological identification characteristics of a user so as to be used for mutual authentication of subsequent parties. The biological characteristic information acquisition device in the control terminal in this embodiment may adopt one or any more of a face recognition component, a fingerprint recognition component and an iris acquisition component. Of course, it is known from the foregoing that the biometric information collection apparatus may also employ other technologies for biometric-based user identification related devices. The input/output equipment mainly comprises one or more of a display component, a microphone, a loudspeaker, keys and a joystick; the devices can support the interaction between the user and the cloud server or the edge server at the server side through the user side device.
The cloud server serves as a control center of the unmanned distribution system. The cloud server performs mutual authentication with the registered unmanned transportation vehicle by using the authentication method based on the PUF and the revocable biometric as in embodiment 1, and establishes a session key and realizes secret communication after the authentication is passed. And the cloud server distributes logistics distribution tasks to the unmanned transportation vehicles through the encrypted channels and plans the movement paths of the unmanned transportation vehicles. And then determining an edge server of the unmanned transportation carrier path according to the motion path, and sending verification information for realizing continuous authentication to each edge server.
A plurality of edge servers are distributed in the distribution area; and the edge server and the cloud server are communicated by adopting an intranet. Each edge server adopts the authentication method based on PUF and revocable biological characteristics as in embodiment 1 to mutually authenticate with the unmanned transport vehicle which makes authentication request, and establishes a session key and realizes secret communication after authentication passes. The various edge servers then send the guidance information and the supervision information needed on the way to the unmanned carrier via the encrypted channel.
In order to make the technical scheme provided by the invention clearer, the following describes the application process of the scheme of the embodiment 1 in combination with a typical scene of unmanned aerial vehicle distribution; so that those skilled in the art will more clearly understand the principle and advantages of the technical solution provided by the present invention.
As shown in fig. 4, a typical unmanned aerial vehicle distribution system location includes a logistics distribution center and a distribution station based on the framework of example 2. The scenario in this embodiment describes a scenario in which the unmanned aerial vehicle is used to perform logistics distribution among sites, and the unmanned aerial vehicle is not involved in delivering goods to a specific user. The unmanned aerial vehicle is only responsible for carrying out cargo transportation at different site brackets. In different places, the related equipment for assisting in completing the logistics distribution task comprises: the system comprises an unmanned aerial vehicle system, cloud servers located in a distribution center and edge servers located between distribution stations.
In the unmanned distribution system with the edge cloud cooperation of the embodiment, the adopted identity authentication protocol mainly realizes the mutual authentication of the user side (the user and the unmanned aerial vehicle) and the cloud server and the continuous authentication process of the user side and the edge server. The authentication protocol includes three main phases: 1. and the registration stage of the user in the cloud server. 2. And a mutual authentication phase between the user side and the cloud server. 3. Successive authentication phases between the client and the edge server.
In the logistics distribution process, the user side needs to finish registration in the cloud server in advance, and after mutual authentication, the unmanned aerial vehicle obtains authority to receive the package from the distribution station. In the process of delivering packages by the unmanned aerial vehicle, in order to ensure the safety of the delivery process, the unmanned aerial vehicle needs to initiate authentication requests to the edge servers passing in the middle of flight, and the plurality of edge servers can constantly authenticate the identities of the unmanned aerial vehicle and the user. After all the authentications of the edge server are completed, the unmanned aerial vehicle reaches a preset destination on time, and the package delivery is completed successfully. The interaction process of the user with the cloud server and the edge server is completed through a remote controller in communication connection with the unmanned aerial vehicle, and related information acquisition and data processing modules required by various operations executed by the user side in an authentication stage are integrated in the remote controller and the unmanned aerial vehicle.
1. Registration phase
The cloud server and the edge server establish mutually-trusted communication connection through an intranet, and the cloud server discloses own identity information and waits for a user side to put forward a registration request or an authentication request. As shown in fig. 5, a user makes a registration request to a cloud server through a user terminal and completes identity registration.
(1) The user actively inputs identity information through the user terminalID i The method comprises the steps of carrying out a first treatment on the surface of the The user submits identity information to the cloud serverID i Registration request information of (a)Msg1,Msg1={ID i ,ReqAnd } wherein,Reqrepresenting a registration request.
After receiving the registration request information sent by any user side, the cloud server firstly carries out registration according to the identity informationID i Inquiring whether the current user has completed registration, if yes, rejecting the registration request, otherwise, accepting the registration request of the newly added user. After receiving the request, the cloud server generates corresponding anonymous identity sequences respectivelyPIDPrivate keyK user Random challengeC i And willMsg2To the user side of the mobile terminal,Msg2={PID、K user 、C i }。
。
(2) The user terminal collects the biological characteristics of the userBioAnd specify a conversion parameterwThe method comprises the steps of carrying out a first treatment on the surface of the Random challenge is then generated using the PUF of the user deviceC i Response to (2)R i And combine the responsesR i And conversion parameterswGenerating a protectedProtected biometric templatepfThe method comprises the steps of carrying out a first treatment on the surface of the Finally, willMsg3Is sent to a cloud server and is sent to a cloud server, Msg3={pf、R i 、w}。
(3) Cloud server willpfAndwgenerating multiple shares of shared secrets as secret messages by multiple secret sharing techniquesS 1 ~S 9 And willMsg4Transmitting to a user side; wherein,,Msg4={ S 1 ~ S 3 }. And then will be S 7 ~ S 9 And sending the data to each edge server through an intranet channel. Finally, a cloud hash code is generated by utilizing a hash algorithmHV CS :
The method comprises the steps of carrying out a first treatment on the surface of the And store { in the cloud serverPID、R i 、K user 、HV CS 、S 1 ~ S 3 }。
(4) The user receivesMsg4Thereafter, a random number is generatedNThen the fuzzy extractor is utilized to obtain the pre-collected biological characteristicsBioCorresponding intermediate keyKAuxiliary outputFAAnd encrypting to obtain local secret key
Local vector->
. User hash code generation by utilizing hash algorithmHV:/>
The method comprises the steps of carrying out a first treatment on the surface of the Last store { S 3 ~S 6 、/>
、/>
、C i 、HV、N}。
Wherein the local key
And local vector->
The generation function of (2) is as follows:
in the above-mentioned method, the step of,
a representation blur extractor; />
Representing a hash function; "/>
"means feature stitching; "/>
"means exclusive or operation.
2. Mutual authentication phase
Before the user side obtains the distribution task from the cloud server side, mutual authentication with the cloud server is required to be completed, as shown in fig. 6, the mutual task process comprises the following steps:
(1) The user first inputs biometric features to the remote control and the droneBioAnd randomly select an anonymous identitypid i The method comprises the steps of carrying out a first treatment on the surface of the ' unmanned aerial vehicle device first calculates 
Obtaining the PUF response value of the device, and calculating +.>
Obtaining parameters of a fuzzy extractor; then calculate +.>
Obtain the shared secret key and calculate +.>
And obtaining the fuzzy extracted secret key. Finally, the calculation result is verified and the user identity is +.>
: if the verification fails, the authentication process is terminated, if the verification is successful, the +.>
The method comprises the steps of carrying out a first treatment on the surface of the Send->
={HV 2 ,pid i ,Req Auth And (3) to a cloud server side.
(2) The cloud server receives
Searchingpid i Identity-corresponding information verificationHV 2 Whether or not to match withHV CS The same: if the verification fails, the identity authentication process is terminated. If the verification is successful, proving that the user terminal is legal identity; at this time, the cloud server side takes out the shared secretS 3 Generating random numbersr 1 Calculation ofV 1 =h(CS j ||K user )/>
r 1 AndV 2 ={ h(S 3 )/>
r 1 -a }; send information->
={V 1 ,V 2 To the user side.
(3) User' sInformation is received
After that, first calculater 1 = V 2 />
h(CS j ||K user ) Recalculate h (S 3 )=V 2 />
r 1 . Then verify h (S 3 ) If the verification fails, the authentication process is terminated. If the verification is successful, the cloud server is proved to be legal, and at the moment, the user side takes out the shared secretS 1 ,S 2 Generating random numbersr 2 Respectively calculateV 3 = K user 
S 1 ,V 4 = h(K user || r 2 ||S 1 )/>
S 1 ,V 5 = h(K user || S 1 ||S 2 ) Send information->
={V 3 ,V 4 ,V 5 ,r 2 And (3) to a cloud server side.
(4) Cloud service receives information
First calculateS 1 =V 3 />
K user ,S2 = h(K user || r 1 ||S 1 )
V 4 Verification ofV 5 = h(K user || S 1 ||S 2 ) If the verification fails, the authentication process is terminated. If the verification is successful, proving that the message is legal; at this time, the cloud server acquires the rest of secret information from the edge server and recovers the protected biometric template by using the secret recovery technology pfAnd conversion parameterswGenerating random numbersr 3 Calculation ofV 6 = K user />
w,V 7 = h(w ||K user ||r 3 ) Information +.>
And sending the message to a user side.
(5) User terminal receives information
After that, calculatew = V 6 />
K user Verification ofV 7 = h(w ||K user ||r 3 ) If the verification fails, the authentication process is terminated. If the verification is successful, the certification information is legal; at this time, the user side uses the biological characteristicsBioAnd conversion parameterswGenerating protected biometric templatespfThe method comprises the steps of carrying out a first treatment on the surface of the Regenerating into random numberr 4 The method comprises the steps of carrying out a first treatment on the surface of the Calculation ofV 8 = K user 4
r 4 ,V 9 = r 4 />
R i ,SK ij =h(pid i || R i || r 4 || r 3 ),V 10 =h(SK ij || K user || r 4 || R i ) Information is processed
={V 8 ,V 9 And (3) sending the cloud server. The cloud server receives the information +.>
After that, calculater 4 = V 8 />
K user ,R i =V 9 />
r 4 Computing a shared secret keySK ij =h(pid i || R i || r 4 || r 3 ) Verification ofV 10 =h(SK ij ||K user ||r 4 ||| R i ) And generateppf=pf|| R i Storingppf: if the verification fails, the key establishment process is terminated. If verifySuccessful, then the session key is successfully establishedSK ij 。
After the cloud server side and the user side complete identity authentication and key negotiation, the cloud server side starts path planning and predicts an edge server which is possibly passed through in the flight process of the unmanned aerial vehicle at the user side. The cloud server sends the shared secret information stored in the edge servers to the user through the shared secret key, and the response value of the user is obtainedR i Session keySK ij Protected biological featurespfAnd pseudo-identity of the userpid i And sending the data to an edge server.
3. Mutual authentication phase
After the mutual authentication of the user side and the cloud server side is completed, the unmanned aerial vehicle receives the package from the distribution station and starts to distribute the package, and when the unmanned aerial vehicle flies near an edge server maintained by the cloud server, an authentication request needs to be initiated to the edge server to acquire traffic and other information around the edge server. As shown in fig. 7, the continuous authentication process of the unmanned aerial vehicle and the edge server is as follows:
(1) User side input biological characteristicsBioAnonymous identity for authentication with cloud serverpid i Calculation of
Send authentication request information->
= {pid i ,Req auth To the edge server side.
(2) Edge server retrievalpid i Legitimacy of identity, calculation
Verify->
And received in advanceR i Whether or not the same: if yes, proving the legal identity of the unmanned aerial vehicle, and verifying successfully;otherwise, the verification fails, the unmanned aerial vehicle identity is illegal, and alarm information is sent to the system. After verification is successful, the edge server extracts the stored shared secretS i Generating random challengesC j Calculate->
= SK ij />
C j ,HV e1 = h(C j ||S i ) Send information->
= {/>
,HV e1 To the user side.
(3) The user receives the information
After that, calculateC j =/>
SK ij ,/>
= h(C j ||S i ) Verification of
And (3) withHV e1 Whether equal. If the authentication is not equal, the authentication fails, the authentication process is terminated, and if the authentication is successful, the edge server is proved to be legal. After the user side confirms the validity of the edge server, calculating R j =PUF(C j ),/>
= R j />
SK ij Using conversion parameterswGenerating a newpfThe method comprises the steps of carrying out a first treatment on the surface of the Calculation ofppf= pf ||R i ,ppf * = SK ij />
ppf,HV u1 = h(ppf * || R j ||SK ij ) Send information->
= {ppf * ,HV u1 ,/>
To the edge server side.
(4) The edge server receives the information
Calculation ofR j =/>
SK ij ,ppf = SK ij />
ppf * The method comprises the steps of carrying out a first treatment on the surface of the VerificationHV u1 Whether or not to be equal toh(ppf || R j || SK ij ) If the verification fails, terminating the authentication process and sending alarm information to the cloud server; if the verification is successful, proving that the unmanned aerial vehicle equipment is legal; calculation ofppf old =pf|| R j Verification ofppfWhether or not to match withppf old If the authentication fails, the reported user identity is sent to the cloud service, and the user identity is illegal; if the authentication is successful, the user is proved to be legal. After the edge server authenticates the validity of the user terminal, a new sharing secret key is generated>
= h(SK ij || R j ||R j ),HV e2 = h(/>
|| SK ij ) UpdatingR i =R j The method comprises the steps of carrying out a first treatment on the surface of the Send message->
={ HV e2 To the user side.
(5) The user receives the information
After that, calculate the session key +.>
= h(SK ij || R j || C j ) Verification ofHV e2 = h(/>
|| SK ij ) If not, ending the authentication process; if it is legal, authentication is successful and a new session key is established +.>
。
After the identity authentication of the user terminal and the generation of a new session key are completed, the edge server updates the response value of the user terminal equipment, and when the user terminal equipment is expected to be authenticated again, the updated response value is adopted to verify the equipment identity, and the biological characteristics are adopted to verify the user identity; meanwhile, the edge server which completes authentication can send the newly generated response value to the next edge server which needs to verify the identity of the user end through the security channel of the intranet, so as to verify the identity of the equipment.
Finally, the unmanned aerial vehicle reaches the appointed area to complete the package delivery task, the unmanned aerial vehicle completes mutual authentication of the user side and the cloud server in the delivery process, and continuous authentication of the edge server and the user side ensures safety authentication of the whole unmanned aerial vehicle delivery flow.
Performance testing
In order to verify the effectiveness of the unmanned distribution system with edge cloud cooperation provided by the embodiment, a relevant test experiment is designed to simulate and verify the performance of a graph and a curve scheme.
1. To verify
In this example, LFW large face data set is adopted, and the data set pair is utilized to propose +.>
The method tests the face recognition accuracy. The test process adopts two face recognition performance evaluation curves, namely a Cumulative Matching Characteristic (CMC) curve and a subject working characteristic (ROC) curve, to evaluate the performance.
The CMC curve is used for calculating the hit probability of Top-K, namely the probability that one of the first K most probable prediction results is a real sample, and can comprehensively reflect the performance of the classifier; the ROC curve is an indicator that can well reflect the performance of a classifier, where the abscissa indicates false positive rate and the ordinate indicates true positive rate, and the area under the ROC curve is referred to as the size of the area under the curve (AUC), and generally the larger AUC indicates the better classifier.
The final test results in CMC and ROC curves shown in fig. 8 and 9, respectively. The analysis of the data in the graph shows that: the technical scheme provided by the embodiment realizes better recognition performance, the recognition accuracy of rank-1 reaches 99.62, and the recognition result approaches to the recognition result of unprotected original biological characteristics of the main stream. Thus, our proposed solution achieves a balance in template security and recognition performance.
2. In order to verify the validity of the authentication protocol in this embodiment, this embodiment evaluates performance overheads of the user side and the cloud server side, respectively. The calculation methods are shown in tables 1 and 2 below, respectively. Wherein, table 1 reflects the time complexity of the user and the cloud server in the authentication phase; table 2 reflects the time complexity of the client and edge server during the authentication phase. Because the time cost generated by the operations such as exclusive OR, connection and the like is low, the time cost caused by the basic operations is ignored in the analysis process. Wherein,,T puf representing the time cost of operation based on the PUF,T h as a function of the time complexity of the hash function,
and->
The times of (2) are denoted as +.>
And->
。
TABLE 1 computational complexity of client and cloud Server
TABLE 2 computational complexity of client and edge servers
The experimental results finally obtained are: hash operation time on user and server is 0.026ms and 0.026ms respectively0.011ms; each PUF operation takes 0.13ms on the user side device; each time
Operating on the user terminal device for 2.67ms each time +.>
It takes 3.35ms on the client device. Therefore, in the authentication process of the user side and the cloud server, the total computational complexity is +.>
In the authentication of the user side and the edge server, the total computational complexity is +.>
。
From the above data, it can be found that: in this embodiment, in the package delivery process, the time overhead of the user side and the cloud server is relatively high, and the time overhead of the user side and the edge server side is relatively low. Therefore, the optimal authentication strategy is to complete identity authentication only once between the user side and the cloud server, and the rest continuous authentication process should be completed by adopting an edge server side with less time cost. In this regard, the test procedure further verifies the time variation under different verification runs, as shown in fig. 10. As can be seen from the data of fig. 10: the average per round verification time of the inventive scheme is decreasing with greater numbers of authentications, which proves that the present invention is significantly advantageous over time overhead.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.
Claims (10)
1. An authentication method based on PUF and revocable biometric features, characterized by: the method is used for realizing mutual authentication and continuous authentication between a user terminal containing a moving object and a management terminal containing a cloud server and an edge server, and comprises the following steps:
s1: the cloud server and the edge server establish mutually-trusted communication connection through an intranet, and the cloud server discloses own identity information and waits for a user side to send a registration request or an authentication request;
s2: the user puts forward a registration request to the cloud server through the user terminal and completes identity registration, and the identity registration process comprises the following steps:
s21: the user submits identity information to the cloud serverID i Registration request information of (a)Msg1After receiving the request, the cloud server generates corresponding anonymous identity sequences respectivelyPIDPrivate keyK user Random challengeC i And willMsg2To the user side of the mobile terminal,Msg2={PID、K user 、C i };
s22: the user terminal collects the biological characteristics of the user BioAnd specify a conversion parameterwThe method comprises the steps of carrying out a first treatment on the surface of the Random challenge is then generated using the PUF of the user deviceC i Response to (2)R i And combine the responsesR i And conversion parameterswGenerating protected biometric templatespfThe method comprises the steps of carrying out a first treatment on the surface of the Finally, willMsg3Is sent to a cloud server and is sent to a cloud server,Msg3={pf、R i 、w};
s23: cloud server willpfAndwgenerating multiple shares of shared secrets as secret messages by multiple secret sharing techniquesS 1 ~ S 9 And willMsg4To the user side, wherein,Msg4={ S 1 ~ S 3 -a }; will be S 7 ~ S 9 Sending to each edge server; cloud hash code is generated by utilizing hash algorithmHV CS :
The method comprises the steps of carrying out a first treatment on the surface of the Last store {PID、R i 、K user 、HV CS 、S 1 ~S 3 };
S24: the user terminal generates a random numberNThen using fuzzy extractor to obtain biological characteristicsBioCorresponding intermediate keyKAuxiliary outputFAAnd encrypting to obtain local secret key
Local vector->
The method comprises the steps of carrying out a first treatment on the surface of the User hash code generation by utilizing hash algorithmHV:/>
The method comprises the steps of carrying out a first treatment on the surface of the Last store { S 3 ~ S 6 、/>
、/>
、C i 、HV、N};
S3: the user interacts with the cloud server through the user terminal, and mutual authentication is completed in an encryption domain by utilizing the user data collected in real time and related data stored in the user terminal and the cloud server and generated in a registration stage; negotiating a session key for communication after the mutual authentication is completed;
s4: the cloud server sends the session key and the authentication result negotiated in the previous step, the identity information of the user, the equipment response value and the protected biological characteristics to the edge server through the intranet, and the session key and the authentication result are used as authentication information for continuously authenticating the edge server and the user;
S5: after the user side reaches the service area of any one of the edge servers, the user actively requests equipment authentication from the edge servers through the user side, and each edge server successively uses various information sent by the cloud server and the user side equipment to mutually authenticate in an encryption domain so as to negotiate a session key for communication.
2. The PUF and revocable biometric-based authentication method according to claim 1, wherein: in step S21, the user actively inputs identity information through the user terminalID i The method comprises the steps of carrying out a first treatment on the surface of the The user is based on the identity informationID i Generating and generating registration request information to cloud serverMsg1={ID i ,ReqAnd } wherein,Reqrepresenting a registration request;
after receiving the registration request information sent by any user side, the cloud server firstly carries out registration according to the identity informationID i Inquiring whether the current user has completed registration, if yes, rejecting the registration request, otherwise executing the newly added user registration process of step S22.
3. A PUF and revocable biometric based authentication method according to claim 2, characterized in that: in step S22, the user terminal collects the biometric features of the userBioIncluding facial images, fingerprint data, iris data, voiceprint data, and other physical or behavioral characteristics that may be captured and used to resolve individual differences.
4. A PUF and revocable biometric based authentication method according to claim 3, wherein: in step S22, a biometric templatepfUsing fusion functions
Generating, fusing function->
One path of input is the original biological characteristics of the user, the other path of input is the PUF value of the user terminal equipment, and the output is the corresponding biological characteristic templatepf,/>
The data processing process of (1) is as follows:
(1) Preprocessing, feature extraction and normalization are carried out on the collected original biological features of the user to obtain a corresponding feature vectorf;
(2) Generating random challenges based on PUFs of user devicesC i Response to (2)R i For a pair ofR i Normalizing to obtain a normalized PUF response value;
(3) Feature vectorfCharacteristic splicing is carried out on the normalized PUF response value;
(4) Performing characteristic splicing results
Processing to obtain the required biological feature templatepfWherein, the method comprises the steps of, wherein,
the conversion parameters of (a) are as followsw。
5. The PUF and revocable biometric-based authentication method according to claim 4, wherein: in step S24, the local key
Local vector->
The generation function of (2) is as follows:
in the above-mentioned method, the step of,
a representation blur extractor; />
Representing a hash function; "/>
"means feature stitching; "/ >
"means exclusive or operation.
6. The PUF and revocable biometric-based authentication method according to claim 1, wherein: in step S3, the process of negotiating the session key by the user side and the cloud server through mutual authentication includes the following steps:
s31: user input biometricBioAnonymous identityPID i And a PUF challenge value prestored in the user terminal, and verifying the input parameters by using the registration information in the registration process, and after verification is successful, transmitting the information
To a cloud server; cloud server receives and verifies->
If the verification parameters are legal, the authentication process is terminated; if the cloud service is legal, the cloud service successfully authenticates the user terminal;
s32: the cloud server generates a random number, takes out the shared secret of the cloud server, calculates the parameters to be verified, and sends information
To the user side; the user terminal equipment receives the information->
Firstly, calculating parameters to be verified, then verifying the validity of the parameters, and if the parameters are not legal, terminating the authentication process; if the authentication is legal, the user equipment authentication is successful;
s33: the user terminal extracts the shared secret parameter and generates new random number, calculates the verification parameter and sends information 
To a cloud server; the cloud server receives information->
Firstly, calculating a parameter to be verified, and then verifying the legality of the parameter; if not, terminating the authentication process; if the shared secret information is legal, extracting the rest shared secret information from the edge server;
s34: after the cloud service obtains the shared secret parameters in the edge server, the protected biological information and the template conversion parameters are recovered by utilizing a secret recovery technology; generating new random number, calculating verification parameter, and storing information
Transmitting to a user side; user terminal receives information->
Then, calculating to obtain parameters to be verified, and verifying the legality of the parameters; if not, terminating the authentication process; if the authentication is legal, the authentication is successful;
s35: the user terminal generates a protected biological characteristic template by utilizing biological characteristic information and received information, generates a random number, calculates a shared secret key of the cloud service and the user terminalSK ij Verifying parameters; and will information
Sending the cloud server to a cloud server; cloud server utilization information->
Shared secret key of computing cloud server and userSK ij Verification information->
Parameters and session keysSK ij Legitimacy, if not, terminating the authentication process; such asIf the result is legal, the session key is successfully established.
7. The PUF and revocable biometric-based authentication method according to claim 1, wherein: in step S5, the continuous authentication process between the client and the edge server is as follows:
s51: the user inputs the pseudo identity information and the information in the authentication process of the cloud server, calculates the verification information and sends the information
Sending the data to an edge server, and requesting the edge server to authenticate; edge server receives information->
After that, verify information->
If the validity of the medium parameter is not legal, ending the authentication process, and if the validity is legal, successful authentication;
s52: the edge server generates random challenges, extracts shared secret parameters, calculates verification parameters and sends information
Sending the message to a user side; user terminal receives information->
After that, verify->
If the validity of the medium parameter is not legal, ending the authentication process, and if the validity is legal, successful authentication;
s53: generating a new protected biometric template by the client using template conversion parameterspfCalculating verification parameters; and will information
Hair brushSending the data to an edge server; edge server receives information->
After that, verify->
The validity of the medium parameter is verified, the validity of the biological characteristics is verified, if the biological characteristics are not legal, the authentication process is finished, and if the biological characteristics are legal, the authentication is successful;
S54: edge server generates new session key
Calculating verification parameters; and +.>
Sending the message to a user side; user terminal receives information->
After that, calculate the session key +.>
Verification parameters and session keys
If not, ending the authentication process; if the authentication is legal, the authentication is successful and a new session key is established;
s55: after the current edge server completes the establishment of the session key, the new session key and the PUF response value are sent to the next edge server needing to verify the user terminal equipment, and the steps S51-S54 are repeatedly executed, so that the continuous authentication of the user terminal and different edge servers is realized.
8. An unmanned logistics distribution method is characterized in that: employing a PUF and revocable biometric based authentication method according to any one of claims 1-7.
9. An unmanned delivery system of limit cloud cooperation which characterized in that: the unmanned delivery system comprises:
the system comprises user side equipment, a control terminal and an unmanned transportation carrier, wherein the user side equipment comprises a control terminal operated by a supervisory personnel and the unmanned transportation carrier is used for executing a cargo delivery task; the control terminal is in communication connection with the unmanned carrier and is used for operating the unmanned carrier; the control terminal is also internally or externally connected with a biological characteristic information acquisition device and input and output equipment;
A cloud server as a control center of the unmanned distribution system; the cloud server performs mutual authentication with the registered unmanned transport vehicle by adopting the authentication method based on the PUF and the revocable biological characteristics according to any one of claims 1 to 7, and establishes a session key and realizes secret communication after passing the authentication; the cloud server distributes logistics distribution tasks to the unmanned transportation vehicles through the encryption channels and plans the movement paths of the unmanned transportation vehicles; then determining an edge server of the unmanned transport vehicle path according to the motion path, and then sending verification information for realizing continuous authentication to each edge server;
a plurality of edge servers distributed within the distribution area; the edge server and the cloud server are communicated by adopting an intranet; each edge server adopts the authentication method based on the PUF and the revocable biological characteristics as set forth in any one of claims 1-7 to mutually authenticate with the unmanned transport vehicle which makes an authentication request, and establishes a session key and realizes secret communication after passing the authentication; the various edge servers then send the guidance information and the supervision information needed on the way to the unmanned carrier via the encrypted channel.
10. The edge cloud collaborative unmanned distribution system according to claim 9, wherein: the unmanned transport carrier comprises an unmanned transport vehicle, an unmanned transport ship and an unmanned plane;
and/or the biological characteristic information acquisition device adopts one or more of a face recognition component, a fingerprint recognition component and an iris acquisition component;
and/or the input and output equipment comprises one or more of a display component, a microphone, a loudspeaker, keys and a joystick.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310524305.1A CN116366263B (en) | 2023-05-11 | 2023-05-11 | Authentication method based on PUF and revocable biological characteristics and application thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310524305.1A CN116366263B (en) | 2023-05-11 | 2023-05-11 | Authentication method based on PUF and revocable biological characteristics and application thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116366263A true CN116366263A (en) | 2023-06-30 |
| CN116366263B CN116366263B (en) | 2023-07-28 |
Family
ID=86939622
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310524305.1A Active CN116366263B (en) | 2023-05-11 | 2023-05-11 | Authentication method based on PUF and revocable biological characteristics and application thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116366263B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117118765A (en) * | 2023-10-25 | 2023-11-24 | 易讯科技股份有限公司 | IPV6 identity security authentication method and system |
| CN117896079A (en) * | 2024-03-15 | 2024-04-16 | 北京电子科技学院 | Efficient authentication method based on PUF and revocable biological characteristics |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140337635A1 (en) * | 2013-05-13 | 2014-11-13 | Ira Konvalinka | Biometric verification with improved privacy and network performance in client-server networks |
| CN109756338A (en) * | 2017-11-08 | 2019-05-14 | 美国亚德诺半导体公司 | The unclonable function of physics remotely re-registers |
| CN112637845A (en) * | 2020-12-18 | 2021-04-09 | 深圳市赛为智能股份有限公司 | Unmanned aerial vehicle interactive authentication method and device, computer equipment and storage medium |
| CN114205091A (en) * | 2021-11-30 | 2022-03-18 | 安徽大学 | Chaos mapping-based network authentication and key agreement method for automatic driving vehicle |
| WO2022090813A1 (en) * | 2020-10-30 | 2022-05-05 | Telefonaktiebolaget Lm Ericsson (Publ) | Verification of authenticity of a user equipment using puf |
| CN114710348A (en) * | 2022-03-31 | 2022-07-05 | 湖北工业大学 | Authorization authentication and key agreement method for user to use household intelligent equipment |
| US20230032099A1 (en) * | 2021-07-15 | 2023-02-02 | Nanyang Technological University | Physical unclonable function based mutual authentication and key exchange |
| US20230075612A1 (en) * | 2021-09-07 | 2023-03-09 | Hangzhou Normal University | Privacy protection authentication method based on wireless body area network |
| CN116055136A (en) * | 2022-12-27 | 2023-05-02 | 海南大学 | Secret sharing-based multi-target authentication method |
-
2023
- 2023-05-11 CN CN202310524305.1A patent/CN116366263B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140337635A1 (en) * | 2013-05-13 | 2014-11-13 | Ira Konvalinka | Biometric verification with improved privacy and network performance in client-server networks |
| CN109756338A (en) * | 2017-11-08 | 2019-05-14 | 美国亚德诺半导体公司 | The unclonable function of physics remotely re-registers |
| WO2022090813A1 (en) * | 2020-10-30 | 2022-05-05 | Telefonaktiebolaget Lm Ericsson (Publ) | Verification of authenticity of a user equipment using puf |
| CN112637845A (en) * | 2020-12-18 | 2021-04-09 | 深圳市赛为智能股份有限公司 | Unmanned aerial vehicle interactive authentication method and device, computer equipment and storage medium |
| US20230032099A1 (en) * | 2021-07-15 | 2023-02-02 | Nanyang Technological University | Physical unclonable function based mutual authentication and key exchange |
| US20230075612A1 (en) * | 2021-09-07 | 2023-03-09 | Hangzhou Normal University | Privacy protection authentication method based on wireless body area network |
| CN114205091A (en) * | 2021-11-30 | 2022-03-18 | 安徽大学 | Chaos mapping-based network authentication and key agreement method for automatic driving vehicle |
| CN114710348A (en) * | 2022-03-31 | 2022-07-05 | 湖北工业大学 | Authorization authentication and key agreement method for user to use household intelligent equipment |
| CN116055136A (en) * | 2022-12-27 | 2023-05-02 | 海南大学 | Secret sharing-based multi-target authentication method |
Non-Patent Citations (3)
| Title |
|---|
| A HUI ZHANG, XUEJUN LI: "Privacy-Preserving Biometric Authentication: Cryptanalysis and Countermeasures", IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING * |
| HUI ZHANG; WEIXIN BIAN: "A Complete User Authentication and Key Agreement Scheme Using Cancelable Biometrics and PUF in Multi-Server Environment", IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY * |
| JUN ZHAO; WEIXIN BIAN: "A Secure Biometrics and PUFs-Based Authentication Scheme With Key Agreement For Multi-Server Environments", IEEE ACCESS * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117118765A (en) * | 2023-10-25 | 2023-11-24 | 易讯科技股份有限公司 | IPV6 identity security authentication method and system |
| CN117118765B (en) * | 2023-10-25 | 2023-12-22 | 易讯科技股份有限公司 | IPV6 identity security authentication method and system |
| CN117896079A (en) * | 2024-03-15 | 2024-04-16 | 北京电子科技学院 | Efficient authentication method based on PUF and revocable biological characteristics |
| CN117896079B (en) * | 2024-03-15 | 2024-05-14 | 北京电子科技学院 | Efficient authentication method based on PUF and revocable biological characteristics |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116366263B (en) | 2023-07-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN116366263B (en) | Authentication method based on PUF and revocable biological characteristics and application thereof | |
| CN111371730B (en) | Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene | |
| WO2018090183A1 (en) | Identity authentication method, terminal device, authentication server and electronic device | |
| CN108809637B (en) | LTE-R vehicle-ground communication non-access stratum authentication key agreement method based on mixed password | |
| CN112039918B (en) | Internet of things credible authentication method based on identification cryptographic algorithm | |
| CN114125833B (en) | Multi-factor authentication key negotiation method for intelligent device communication | |
| CN113727296B (en) | Anonymous privacy protection authentication protocol method based on wireless sensor system in intelligent medical treatment | |
| CN113849815B (en) | Unified identity authentication platform based on zero trust and confidential calculation | |
| CN113395166B (en) | Edge computing-based power terminal cloud edge terminal collaborative security access authentication method | |
| CN113316149B (en) | Identity security authentication method, device, system, wireless access point and medium | |
| CN113068187A (en) | Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application | |
| CN113572765A (en) | Lightweight identity authentication key negotiation method for resource-limited terminal | |
| CN107911211B (en) | Two-dimensional code authentication system based on quantum communication network | |
| CN113055394A (en) | Multi-service double-factor authentication method and system suitable for V2G network | |
| CN116388995A (en) | Lightweight smart grid authentication method based on PUF | |
| CN117278330B (en) | Lightweight networking and secure communication method for electric power Internet of things equipment network | |
| Ma et al. | A robust authentication scheme for remote diagnosis and maintenance in 5G V2N | |
| CN113037702B (en) | Agricultural worker login system safe working method based on big data analysis | |
| CN107786978B (en) | NFC authentication system based on quantum encryption | |
| CN110336776A (en) | A kind of multi-point cooperative Verification System and method based on user images intelligent acquisition | |
| Wang et al. | Secure long-range autonomous valet parking: A reservation scheme with three-factor authentication and key agreement | |
| CN117614626A (en) | Lightweight identity authentication method based on PUF | |
| Sun et al. | A lightweight multi-factor mobile user authentication scheme | |
| CN110717177A (en) | Method for safely unlocking computer in real time by using mobile terminal | |
| CN112637845B (en) | Unmanned aerial vehicle interactive authentication method and device, computer equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |