CN116471037A - Identity authentication method and system based on space network - Google Patents

Identity authentication method and system based on space network

Info

Publication number
CN116471037A
Authority
CN
China
Prior art keywords
entity object
satellite
authentication
public key
identity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310163614.0A
Other languages
Chinese (zh)
Inventor
方立娇
王楠
陈博深
桑国彪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shenzhou Aerospace Software Technology Co ltd
Original Assignee
Beijing Shenzhou Aerospace Software Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shenzhou Aerospace Software Technology Co ltd
Priority to CN202310163614.0A
Publication of CN116471037A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an identity authentication method and system based on a space network. The system comprises a blockchain network, a satellite proxy authentication center and entity objects to be authenticated, where the blockchain network comprises a plurality of blockchain registration nodes. The blockchain network generates a public key for an entity object from the entity object's unique identity, and derives an initial private key for the entity object from that unique identity; the entity object generates a final private key from the initial private key; the satellite proxy authentication center performs mutual authentication with the entity object and controls the entity object's access to the space network according to the authentication result. By introducing the blockchain as a distributed trusted platform, the registration authority's key-generation power is split across the blockchain nodes, and the user's final private key is generated by the user according to a combination policy tied to the identity. Using the satellite as a proxy authentication center for mutual authentication reduces resource consumption, blocks unauthorized access requests, and reduces the exposure of data in transit.

Description

Identity authentication method and system based on space network
Technical Field
The invention relates to the field of identity authentication, in particular to an identity authentication method and system based on a space network.
Background
Classified by the cryptographic technique used, identity authentication mainly comprises authentication based on symmetric cryptography, on hash algorithms, and on asymmetric cryptography. When a spatial information network identity authentication scheme uses a certificate system in the authentication process, the authentication cost is high and the resources of the spatial information network are heavily consumed; an authentication system based on a hash function offers low security, and secure communication between entities is difficult to ensure; and if a third party must participate in the authentication process, the process becomes complicated. In existing identity-based trusted authentication methods, a user's private key is generated by a trusted private key generator or key generation center (KGC) from a system master key and the user's identity information, and the public key is a unique identifier of the user such as a social security number, an email address or an identity card number.
In the related art, the trusted third-party authentication center is removed from the identity authentication process and the unique identifier is used as the public key, which amounts to exposing identity information directly to an attacker and carries a risk of privacy disclosure. The private keys of all users are generated uniformly by the KGC from the user identifier and system parameters, so KGC authority is overly centralized, and problems such as the trustworthiness of the KGC itself and the storage security of user private keys arise.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to overcome the privacy-disclosure defect of the prior art by providing an identity authentication method and system based on a space network.
With reference to a first aspect, the present invention provides an identity authentication method based on a spatial network, where the method is applied to an entity object to be authenticated, and the method includes:
transmitting a unique identity and a blockchain encryption public key to a blockchain network, so that the blockchain network generates a public key of the entity object based on the unique identity and broadcasts the public key to a space network, and generates an initial private key based on the unique identity and the blockchain encryption public key;
receiving the initial private key sent by the blockchain network, and generating a final private key based on the initial private key;
receiving authentication request information of a satellite proxy authentication center, and carrying out identity authentication on the satellite proxy authentication center based on the authentication request information;
and when the identity of the satellite proxy authentication center is verified, transmitting authentication information which is signed with the final private key and contains the unique identity to the satellite proxy authentication center, so that the satellite proxy authentication center authenticates the authentication information based on the public key and controls the entity object's access to the space network according to the authentication result.
With reference to the first aspect, in a first embodiment of the first aspect, the authentication request information is signed with the private key of the satellite proxy authentication center and contains the unique identity of the satellite proxy authentication center, and authenticating the satellite proxy authentication center includes:
calculating the public key of the satellite proxy authentication center based on the blockchain encryption public key and the unique identity of the satellite proxy authentication center;
decrypting the private key signature of the satellite proxy authentication center with the public key of the satellite proxy authentication center to obtain a decryption result, and judging whether that decryption result is consistent with the authentication request information;
and authenticating the identity of the satellite proxy authentication center when the decryption result is consistent with the authentication request information.
With reference to a second aspect, the present invention provides an identity authentication method based on a spatial network, the method being applied to a blockchain network, the blockchain network including a plurality of blockchain registration nodes, the method comprising:
receiving a unique identity mark and a blockchain encryption public key sent by an entity object;
generating a public key of the entity object based on the unique identity of the entity object, and broadcasting the public key of the entity object to a space network;
generating partial initial private keys through each blockchain registration node based on the unique identity of the entity object and the blockchain encryption public key;
and integrating all partial initial private keys to obtain an initial private key of the entity object, and sending the initial private key to the entity object so that the entity object generates a final private key based on the initial private key, thereby realizing the authentication of the entity object by a satellite proxy authentication center by utilizing the final private key and the public key.
With reference to the second aspect, in a first embodiment of the second aspect, before generating the public key of the entity object based on the unique identity of the entity object, the method further includes:
judging whether the identity of the entity object is legal or not based on the unique identity of the entity object;
and generating a public key of the entity object based on the unique identity of the entity object when the identity of the entity object is legal.
With reference to the second aspect, in a second embodiment of the second aspect, the generating, by each blockchain registration node, a part of an initial private key based on the unique identity of the entity object and a blockchain encryption public key includes:
generating a first private key through each blockchain registration node based on the unique identity of the entity object;
and encrypting the first private key by using the blockchain encryption public key to obtain a part of initial private key.
With reference to a third aspect, the present invention provides an identity authentication method based on a spatial network, applied to a satellite proxy authentication center, the method comprising:
sending authentication request information to an entity object so that the entity object performs identity authentication based on the authentication request information;
receiving authentication information sent by the entity object, wherein the authentication information is signed with the final private key of the entity object and contains the unique identity of the entity object;
extracting a public key of the entity object broadcasted to the space network based on the unique identity, and authenticating a signature of the entity object based on the public key of the entity object;
and controlling the entity object to access the space network according to the authentication result.
With reference to the third aspect, in a first embodiment of the third aspect, the authenticating the signature of the entity object based on the public key of the entity object includes:
decrypting and calculating the signature of the entity object by utilizing the public key of the entity object to obtain a decryption result of the entity object, and judging whether the decryption result of the entity object is consistent with the authentication information;
and authenticating the identity of the entity object when the decryption result of the entity object is consistent with the authentication information.
With reference to the third aspect, in a second embodiment of the third aspect, the authentication information further includes a timestamp of the entity object;
before extracting the public key of the entity object broadcast to the spatial network based on the unique identity, the method further comprises:
judging whether a list of the satellite proxy authentication center comprises the unique identity of the entity object or not based on the unique identity of the entity object, wherein the list is used for storing the unique identity of the entity object in the current coverage range of the satellite proxy authentication center;
when the list of the satellite proxy authentication center comprises the unique identity of the entity object, judging whether the timestamp of the entity object exceeds the corresponding validity period of the entity object in the list;
rejecting the entity object to access the space network when the timestamp of the entity object exceeds the validity period;
and when the time stamp of the entity object does not exceed the validity period, executing the step of extracting the public key of the entity object broadcasted to the space network based on the unique identity.
With reference to the third aspect, in a third embodiment of the third aspect, the controlling the entity object to access the spatial network includes:
assigning a group ID to the entity object based on the geographic position of the entity object, and adding the group ID into group management in the coverage area of the satellite proxy authentication center;
and calculating to obtain a shared group session key, and sending the shared group session key and the group ID to the entity object so that the entity can access the space network by using the shared group session key and the group ID.
In a fourth aspect, the present invention also provides an identity authentication system based on a spatial network, the system comprising a blockchain network, a satellite proxy authentication center and entity objects to be authenticated, wherein the blockchain network comprises a plurality of blockchain registration nodes:
the entity object sends the unique identity mark and the blockchain encryption public key to a blockchain network;
the blockchain network receives the unique identity and the blockchain encryption public key sent by the entity object; generating a public key of the entity object based on the unique identity of the entity object, and broadcasting the public key of the entity object to a space network; generating partial initial private keys through each blockchain registration node based on the unique identity of the entity object and the blockchain encryption public key; integrating all partial initial private keys to obtain an initial private key of the entity object, and sending the initial private key to the entity object;
the entity object receives the initial private key sent by the blockchain network and generates a final private key based on the initial private key;
the satellite proxy authentication center sends authentication request information to the entity object;
the entity object receives the authentication request information of the satellite proxy authentication center and performs identity authentication on the satellite proxy authentication center based on it; when the identity of the satellite proxy authentication center is verified, the authentication information, signed with the final private key and containing the unique identity, is sent to the satellite proxy authentication center;
the satellite proxy authentication center receives authentication information sent by the entity object and a public key of the entity object broadcasted to a space network, and authenticates the authentication information based on the public key of the entity object; and controlling the entity object to access the space network according to the authentication result.
In the method, the authority of a registration authority to generate a key is separated to the blockchain nodes by introducing the blockchain as a distributed trusted platform, the user submits an identity to a blockchain network for registration, each blockchain node only generates part of private keys, and the final private key of the user is generated by the user according to a combination strategy related to the identity. By using the satellite as a proxy authentication center to perform mutual authentication, not only is the resource consumption reduced, unauthorized access requests prevented, but also the vulnerability of data transmission is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an identity authentication system based on a spatial network according to an exemplary embodiment.
Fig. 2 is an interaction diagram of an authentication system based on a spatial network according to an exemplary embodiment.
Detailed Description
The following description of the embodiments of the present invention will be made apparent and fully in view of the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Classified by the cryptographic technique used, identity authentication mainly comprises authentication based on symmetric cryptography, on hash algorithms, and on asymmetric cryptography. When a spatial information network identity authentication scheme uses a certificate system in the authentication process, the authentication cost is high and the resources of the spatial information network are heavily consumed; an authentication system based on a hash function offers low security, and secure communication between entities is difficult to ensure; and if a third party must participate in the authentication process, the process becomes complicated. If a signcryption algorithm is used with the unique identity information of the authenticating entity as its public key, the high communication overhead of certificate management is avoided, but identity security and the trustworthiness of private key escrow are difficult to guarantee. In existing identity-based trusted authentication methods, a user's private key is generated by a trusted private key generator or key generation center (KGC) from a system master key and the user's identity information, and the public key is a unique identifier of the user such as a social security number, an email address or an identity card number. Removing the trusted third-party authentication center from the identity authentication process and using the unique identifier as the public key amounts to exposing identity information directly to an attacker and carries a risk of privacy disclosure.
The private keys of all users are generated uniformly by the KGC from the user identifier and system parameters, so KGC authority is overly centralized, and problems such as the trustworthiness of the KGC itself and the storage security of user private keys arise.
In order to solve the above problems, an embodiment of the present invention provides an identity authentication system based on a spatial network, which is suitable for use scenarios of mutual communication in the spatial network. By introducing the blockchain as a distributed trusted platform, the identity authentication system based on the space network separates the authority of a registration authority to generate a key onto the blockchain nodes, the user submits an identity to the blockchain network for registration, each blockchain node only generates part of private keys, and the final private key of the user is generated by the user according to a combination strategy related to the identity. By using the satellite as a proxy authentication center to perform mutual authentication, not only is the resource consumption reduced, unauthorized access requests prevented, but also the vulnerability of data transmission is reduced.
Fig. 1 is a schematic diagram of an identity authentication system based on a spatial network according to an exemplary embodiment. As shown in fig. 1, the spatial network-based identity authentication system comprises a blockchain network 2, a satellite proxy authentication center 3 and an entity object 1 to be authenticated, wherein the blockchain network 2 comprises a plurality of blockchain registration nodes. The entity object 1 sends its unique identity and blockchain encryption public key to the blockchain network 2; the blockchain network 2 receives the unique identity and the blockchain encryption public key sent by the entity object 1; the blockchain network 2 generates a public key for the entity object 1 based on the unique identity of the entity object 1 and broadcasts that public key to the space network; the blockchain network 2 generates partial initial private keys through each blockchain registration node based on the unique identity of the entity object 1 and the blockchain encryption public key; the blockchain network 2 integrates all partial initial private keys to obtain the initial private key of the entity object and sends it to the entity object; the entity object 1 receives the initial private key sent by the blockchain network 2 and generates a final private key from it; the satellite proxy authentication center 3 sends authentication request information to the entity object 1; the entity object 1 receives the authentication request information of the satellite proxy authentication center 3 and authenticates the satellite proxy authentication center 3 based on it; when the identity of the satellite proxy authentication center 3 is verified, the entity object 1 transmits authentication information, signed with the final private key and containing its unique identity, to the satellite proxy authentication center 3; the satellite proxy authentication center 3 receives the authentication information sent by the entity object 1 and the public key of the entity object broadcast to the space network, authenticates the authentication information based on the public key of the entity object 1, and controls the entity object 1's access to the space network according to the authentication result.
Specifically, in the embodiment of the present invention, the entity object 1 may be any of various mobile devices that communicate with each other through the spatial network; the specific interaction of the entity object 1, the blockchain network 2 and the satellite proxy authentication center 3 is shown in the interaction diagram of fig. 2.
In practical application, each blockchain registration node in the blockchain network 2 first initializes its own public key parameters and publishes them to the space network; at the same time, the corresponding smart contracts are deployed on the blockchain registration node, and partial private keys and key validity periods are packed into transactions for consensus. The satellite proxy authentication center 3 mainly maintains three tables: a Group Identifier Mapping Table (GIMT) for managing all groups within its coverage area, whose attributes include the group ID, the coverage area of the satellite proxy authentication center 3 (which may be partitioned in advance by location), the handover sequence and the active state of the satellite proxy authentication center 3; a Group Member Mapping Table (GMMT) for managing the members of each group, whose attributes include the unique identity of the entity object 1, the group ID, and the shared group session key sk; and a user Revocation List (RL) for managing the revocation information of entity objects 1 in the space network, whose attributes include the unique identity of the entity object 1 and its key validity period. Each entity object 1 and satellite proxy authentication center 3 needs to select a key pair for encrypting sensitive information on the blockchain network 2 prior to registration. The detailed operation of the entity object 1, the blockchain network 2 and the satellite proxy authentication center 3 is described in the steps of the method embodiment below and is not repeated here.
Through the cooperation of the above components, the authority of the registration authority to generate the key is separated to the blockchain nodes by introducing the blockchain as a distributed trusted platform, the user submits the identity to the blockchain network for registration, each blockchain node only generates part of the private key, and the final private key of the user is generated by the user according to the combination strategy related to the identity. By using the satellite as a proxy authentication center to perform mutual authentication, not only is the resource consumption reduced, unauthorized access requests prevented, but also the vulnerability of data transmission is reduced.
The embodiment of the invention also provides an identity authentication method based on the space network, which is applied to the entity object to be authenticated, the blockchain network and the satellite proxy authentication center shown in the figure 1, wherein the blockchain network comprises a plurality of blockchain registration nodes. Details are described in relation to the above embodiments, and will not be repeated here. As shown in fig. 2, the entity object is used to perform steps S101 to S105, the blockchain network is used to perform steps S201 to S204, and the satellite proxy authentication center is used to perform steps S301 to S304.
Step S101: the unique identity and the blockchain encryption public key are sent to the blockchain network.
Step S201: and receiving the unique identity and the blockchain encryption public key sent by the entity object.
Step S202: based on the unique identity of the entity object, a public key of the entity object is generated and broadcasted to the space network.
In the embodiment of the invention, to ensure that the identity of the entity object is legitimate and to prevent a key from being issued to an entity object whose identity is not legitimate, which would expose the system to external attack and cause unnecessary loss, the blockchain network audits whether the identity of the entity object is legitimate before generating its public key. The audit process may include: judging whether the identity of the entity object is legitimate based on its unique identity; and, when the identity is legitimate, generating the public key of the entity object based on its unique identity.
Step S203: based on the unique identity of the entity object and the blockchain encryption public key, a part of initial private keys are respectively generated through each blockchain registration node. The unique identity of the entity object is added to the blockchain network for generating partial private keys, so that the key generation authority is separated to the blockchain nodes, and the problems of communication overhead and private key storage safety caused by third-party key escrow are solved.
In the embodiment of the present invention, based on the unique identity of the entity object and the blockchain encryption public key, generating a part of initial private key by each blockchain registration node respectively may include: based on the unique identity of the entity object, generating a first private key through each blockchain registration node respectively; and encrypting the first private key by using the blockchain encryption public key to obtain a part of initial private key.
Step S204: integrating all partial initial private keys to obtain the initial private key of the entity object, and sending the initial private key to the entity object. In the embodiment of the invention, all partial initial private keys can be integrated by the blockchain registration node with the strongest computing power.
Step S102: receiving the initial private key sent by the blockchain network, and generating a final private key based on the initial private key. The final private key of the entity object is generated by the entity itself according to an identity-related combination strategy, which further improves the security of the entity object's private key; together with the blockchain network, this solves the private key storage security problem caused by third-party key escrow and further ensures the confidentiality and integrity of user data in transit.
In an example, generating the final private key may include: decrypting the initial private key with the blockchain private key, and then applying a random combination method to the resulting partial private keys, SK_AID = SK_i + δ·pk^ξ (taken with ξ = 1), where δ and ξ are randomly generated numbers, i = 1, 2, ..., n, and n is the number of space nodes, to obtain the final private key SK_AID.
Step S301: sending the authentication request information to the entity object.
Step S103: receiving the authentication request information of the satellite proxy authentication center. In the embodiment of the invention, the authentication request information is signed with the private key of the satellite proxy authentication center and contains the unique identity of the satellite proxy authentication center.
Step S104: based on the authentication request information, the satellite proxy authentication center is subjected to identity authentication.
In the embodiment of the invention, because the communication time delay between the satellite and the ground entity object is smaller than that of other space nodes, mutual authentication is needed to ensure the safety of network environment and user operation. Authenticating the satellite proxy authentication center may include: calculating to obtain a public key of the satellite proxy authentication center based on the block chain encryption public key and the unique identity of the satellite proxy authentication center; the public key of the satellite proxy authentication center is utilized to carry out decryption calculation on the private key signature of the satellite proxy authentication center, so as to obtain a decryption result of the satellite proxy authentication center, and whether the decryption result of the satellite proxy authentication center is consistent with authentication request information or not is judged; and when the decryption result of the satellite proxy authentication center is consistent with the authentication request information, authenticating the identity of the satellite proxy authentication center.
Step S105: and when the authentication of the satellite proxy authentication center is correct, transmitting authentication information which takes the final private key as a signature and contains a unique identity to the satellite proxy authentication center. After the entity object authenticates the identity of the satellite proxy authentication center, the security of the entity object accessing to the space network is ensured.
Step S302: receiving the authentication information sent by the entity object and the public key of the entity object broadcast to the space network. The authentication information is signed with the final private key of the entity object and contains the unique identity of the entity object.
Step S303: extracting the public key of the entity object broadcast to the space network based on the unique identity, and authenticating the signature of the entity object based on that public key. The authentication information further comprises a timestamp of the entity object. To ensure the legitimacy of the entity object's identity, before extracting the public key of the entity object broadcast to the space network based on the unique identity, the method further comprises: judging, based on the unique identity of the entity object, whether the list of the satellite proxy authentication center includes that unique identity, where the list stores the unique identities of the entity objects within the current coverage range of the satellite proxy authentication center; when the list includes the unique identity of the entity object, judging whether the timestamp of the entity object exceeds the validity period corresponding to the entity object in the list; refusing the entity object access to the space network when the timestamp exceeds the validity period; and, when the timestamp does not exceed the validity period, executing the step of extracting the public key of the entity object broadcast to the space network based on the unique identity.
In the embodiment of the invention, in order to ensure that the entity object communicating with the satellite proxy authentication center is a legal entity object, authentication of the entity object is required. Authenticating the signature of the entity object based on the public key of the entity object includes: decrypting the signature of the entity object by utilizing the public key of the entity object to obtain a decryption result of the entity object, and judging whether the decryption result of the entity object is consistent with the authentication information; and when the decryption result of the entity object is consistent with the authentication information, authenticating the identity of the entity object.
Step S304: controlling the access of the entity object to the space network according to the authentication result. In the embodiment of the invention, controlling the access of the entity object to the space network comprises: assigning a group ID to the entity object based on its geographic position, and adding the group ID to the group management within the coverage area of the satellite proxy authentication center; and calculating a shared group session key, and sending the shared group session key and the group ID to the entity object, so that the entity can access the space network using the shared group session key and the group ID.
In an example, a space-network-based identity authentication system may include: entity A, made up of various mobile devices; a number of blockchain registration nodes RA that make up the blockchain network; and a satellite proxy authentication center PAC.
The identity authentication method based on the space network can comprise the following steps:
(1) Public key generation phase
S1: and submitting the unique identity mark AID to the RA by the entity A for registration, checking the validity of the identity of the RA by the RA, and if the identity information of the entity A is legal, generating a 256-bit character string str by the RA by using the SM3 of the national password, and generating a time stamp t and a random number ka.
S2: the character string, the time stamp t and the random number Ka generated in the S1 are issued to a space network, and then each block chain nodePublic key PK of unique identity mark capable of being disclosed by other entity can be calculated through hash function h AID =h(ka||t||str)。
(2) Private key generation phase
S1: user entity A encrypts its personal information and submits it together with the blockchain encryption public key TPK_A to the RA; the RA computes the unique identity AID of user A and adds the AID to the blockchain for generating the partial private keys. This process ensures the anonymity of the user and the security of their privacy.
S2: each RA generates a corresponding partial private key SK_i from the user's unique identity AID and encrypts it with the user's public key TPK_A on the blockchain; once the RA has collected all the partial private keys, it sends them together with the AID to the user.
S3: after receiving the data sent by the RA, the user on the node decrypts it with the blockchain private key and then applies a random combination method to the resulting partial private keys, SK_AID = SK_i + δ·pk^ξ (taken with ξ = 1), where δ and ξ are randomly generated numbers, i = 1, 2, ..., n, and n is the number of space nodes, to generate the final private key SK_AID.
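As an added, stand-alone illustration (not code from the patent), the following Python models the escrow-avoiding property of the private key generation phase above and of steps S203, S204 and S102: each registration node produces one partial private key, wraps it under the entity's blockchain encryption public key TPK_A, and publishes only G^share; the entity decrypts and combines the shares, and the network obtains the public key as the product of the published parts, so no single node and no escrow agent ever holds SK_AID. It assumes a toy Schnorr-type group with constructed parameters, textbook ElGamal in place of the unspecified blockchain encryption, and a plain additive combination instead of the random combination method in the text; the hash-derived public key PK_AID = h(ka || t || str) of the public key generation phase is not modelled.

```python
import secrets

# Toy Schnorr-type group (constructed demo parameters, not a production group):
# P = 2Q + 1 with Q prime, and G = 4 generates the order-Q subgroup of Z_P^*.
P, Q, G = 2039, 1019, 4


def elgamal_keygen() -> tuple:
    """Entity A's blockchain encryption key pair (TPK_A public, tsk_A private)."""
    tsk = secrets.randbelow(Q - 1) + 1
    return pow(G, tsk, P), tsk


def elgamal_encrypt(tpk: int, share: int) -> tuple:
    """Wrap one partial private key (an integer in [1, Q)) for the entity."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), share * pow(tpk, r, P) % P


def elgamal_decrypt(tsk: int, ct: tuple) -> int:
    c1, c2 = ct
    # c1 lies in the order-Q subgroup, so c1^(Q - tsk) equals c1^(-tsk)
    return c2 * pow(c1, (Q - tsk) % Q, P) % P


class RegistrationNode:
    """One blockchain registration node (RA). It only ever sees its own share."""

    def __init__(self, name: str):
        self.name = name

    def make_partial_key(self, tpk: int) -> tuple:
        share = secrets.randbelow(Q - 1) + 1
        # The node wraps the share for the entity and publishes G^share, which lets the
        # network derive the entity's public key without anyone learning the full key.
        return elgamal_encrypt(tpk, share), pow(G, share, P)


def register(aid: str, tpk: int, nodes: list) -> tuple:
    """Blockchain side: collect the wrapped shares and the public key to broadcast."""
    wrapped, pk_aid = [], 1
    for node in nodes:
        ct, pub_part = node.make_partial_key(tpk)
        wrapped.append(ct)
        pk_aid = pk_aid * pub_part % P          # product of G^share_i = G^(sum of shares)
    return wrapped, {aid: pk_aid}               # directory entry keyed by the unique identity


def combine_final_key(tsk: int, wrapped: list) -> int:
    """Entity side: unwrap every share and combine them additively mod Q into SK_AID."""
    return sum(elgamal_decrypt(tsk, ct) for ct in wrapped) % Q


def demo(n_nodes: int = 3) -> tuple:
    tpk, tsk = elgamal_keygen()
    nodes = [RegistrationNode(f"RA{i}") for i in range(n_nodes)]
    wrapped, directory = register("AID-A", tpk, nodes)
    sk_aid = combine_final_key(tsk, wrapped)
    pk_aid = directory["AID-A"]
    # The key pair is consistent although no single RA held SK_AID at any point.
    return sk_aid, pk_aid, pow(G, sk_aid, P) == pk_aid


if __name__ == "__main__":
    print(demo())
```

The check at the end of `demo` is the property worth keeping in mind when evaluating such a design: the public key that the network broadcasts must be derivable from what the nodes publish, while the private key exists only after the entity has combined the shares locally.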
(3) Broadcasting phase
S1: because the communication delay between a low earth orbit satellite and a ground node is smaller than that of other space nodes, mutual authentication is needed to ensure the security of the network environment and of user operations. In addition, to reduce resource consumption, the satellite can periodically broadcast an authentication request message En(m) signed with its private key and containing the identification information AID_PAC and a timestamp, which reduces the number of authentication interactions.
S2: once entity A receives the PAC broadcast message, it computes the PAC's public key PK_PAC from the public key parameters and AID_PAC using the hash function. A then performs the decryption operation with PK_PAC and verifies the PAC's signature by comparing the decryption result with the message m. Once entity A has authenticated the identity of the PAC, the security of entity A's access to the network is ensured.
(4) Unicast phase
S1: after entity A verifies the PAC, entity A sends a signature SK to the PAC through unicast AID An authentication message of (a), the authentication message comprising an AID A A time stamp. After PAC receives the verification request, first according to AID A Matching the entries in the local list. If the time stamp exceeds the validity period, it indicates that the entity has been revoked from the spatial network. In this case, the PAC refuses to provide the network access service and replies to entity a with an access refusal message. Otherwise, PAC will be based on the identity of A AID A Computing public key PK of entity A by hashing algorithm AID
S2: PAC then uses PK AID The signature of entity a is verified. If the verification is successful, the PAC will assign entity A a group ID, i.e., GID, to entity A based on the geographic location of entity A A Then GID is carried out A Added to the group management GMT within the PAC coverage area. Adding AID A Into a group user management gutt.
S3: after calculating the shared group session key (sk) using DH key negotiation method, PAC sends GID to entity A A And sk, entity A will be GID based A And joining the corresponding broadcast group. At this time, mutual authentication between the entity a and the PAC is completed, and the entity a can legally access the space network.
(5) Handover phase
S1: with the rapid movement of low earth orbit LEO satellites, the signal coverage will also change. Entity a therefore needs to constantly handoff satellites. Therefore, a multicast mode is adopted to re-authenticate a large number of entities. Multicast is characterized in that when a certain entity a in the group detects a link switch, it will immediately send a multicast re-authentication message. Once the other members of the same group receive the message, they will no longer send a re-authentication message and wait for an authentication reply message.
S2: when the new PAC moves to the geographical area where the GID is located, the new PAC automatically joins the multicast group to which the GID belongs, so that the new PAC can receive the multicast re-authentication message, and then calculate the public key of the entity a. Activating the state corresponding to the GID, and generating a new sk after the verification is successful.
S3: finally, PAC returns a re-authentication response to the multicast address, and the user in the same multicast group will receive the message and communicate with the new sk.
Through the method in the embodiment, identity-based identification is used, hash operation is carried out on the identification, entity identity anonymity is achieved, meanwhile, a blockchain is introduced to serve as a distributed trusted platform, and a satellite serves as a proxy authentication center to carry out mutual authentication, so that resource consumption is reduced, unauthorized access requests are prevented, vulnerability of data transmission is reduced, and meanwhile, a solution idea of trusted problems due to private key escrow is provided.
It is apparent that the above examples are given by way of illustration only and do not limit the embodiments. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art; it is neither necessary nor possible to exhaust all embodiments here, and obvious variations or modifications made by those skilled in the art remain within the scope of the invention.

Claims (10)

1. An identity authentication method based on a space network, wherein the method is applied to an entity object to be authenticated, and the method comprises the following steps:
transmitting a unique identity and a blockchain encryption public key to a blockchain network, so that the blockchain network generates a public key of the entity object based on the unique identity and broadcasts the public key to a space network, and generates an initial private key based on the unique identity and the blockchain encryption public key;
receiving the initial private key sent by the blockchain network, and generating a final private key based on the initial private key;
receiving authentication request information of a satellite proxy authentication center, and carrying out identity authentication on the satellite proxy authentication center based on the authentication request information;
and when the identity of the satellite proxy authentication center is authenticated without any error, transmitting authentication information which takes the final private key as a signature and contains the unique identity to the satellite proxy authentication center, so that the satellite proxy authentication center authenticates the authentication information based on the public key, and controlling the entity object to access the space network according to an authentication result.
2. The method according to claim 1, wherein the authentication request information is authentication request information signed with a private key of a satellite proxy authentication center and including a unique identity of the satellite proxy authentication center, and the authenticating the satellite proxy authentication center includes:
calculating to obtain the public key of the satellite proxy authentication center based on the blockchain encryption public key and the unique identity of the satellite proxy authentication center;
decrypting and calculating the private key signature of the satellite proxy authentication center by utilizing the public key of the satellite proxy authentication center to obtain a decryption result of the satellite proxy authentication center, and judging whether the decryption result of the satellite proxy authentication center is consistent with the authentication request information;
and authenticating the identity of the satellite proxy authentication center when the decryption result of the satellite proxy authentication center is consistent with the authentication request information.
3. An identity authentication method based on a space network, wherein the method is applied to a blockchain network, the blockchain network comprises a plurality of blockchain registration nodes, and the method comprises:
receiving a unique identity and a blockchain encryption public key sent by an entity object;
generating a public key of the entity object based on the unique identity of the entity object, and broadcasting the public key of the entity object to a space network;
generating partial initial private keys through each blockchain registration node based on the unique identity of the entity object and the blockchain encryption public key;
and integrating all partial initial private keys to obtain an initial private key of the entity object, and sending the initial private key to the entity object so that the entity object generates a final private key based on the initial private key, thereby realizing the authentication of the entity object by a satellite proxy authentication center by utilizing the final private key and the public key.
4. A method according to claim 3, wherein prior to generating the public key of the entity object based on the unique identity of the entity object, the method further comprises:
judging whether the identity of the entity object is legal or not based on the unique identity of the entity object;
and generating a public key of the entity object based on the unique identity of the entity object when the identity of the entity object is legal.
5. The method of claim 3, wherein generating partial initial private keys through each blockchain registration node based on the unique identity of the entity object and the blockchain encryption public key comprises:
generating a first private key through each blockchain registration node based on the unique identity of the entity object;
and encrypting the first private key by using the blockchain encryption public key to obtain a part of initial private key.
6. An identity authentication method based on a space network, which is applied to a satellite proxy authentication center, the method comprising:
sending authentication request information to an entity object so that the entity object performs identity authentication based on the authentication request information;
receiving authentication information sent by the entity object, wherein the authentication information takes a final private key of the entity object as a signature and comprises authentication information of a unique identity of the entity object;
extracting a public key of the entity object broadcasted to the space network based on the unique identity, and authenticating a signature of the entity object based on the public key of the entity object;
and controlling the entity object to access the space network according to the authentication result.
7. The method of claim 6, wherein authenticating the signature of the entity object based on the public key of the entity object comprises:
decrypting and calculating the signature of the entity object by utilizing the public key of the entity object to obtain a decryption result of the entity object, and judging whether the decryption result of the entity object is consistent with the authentication information;
and authenticating the identity of the entity object when the decryption result of the entity object is consistent with the authentication information.
8. The method of claim 6, wherein the authentication information further comprises a timestamp of the entity object;
before extracting the public key of the entity object broadcast to the spatial network based on the unique identity, the method further comprises:
judging whether a list of the satellite proxy authentication center comprises the unique identity of the entity object or not based on the unique identity of the entity object, wherein the list is used for storing the unique identity of the entity object in the current coverage range of the satellite proxy authentication center;
when the list of the satellite proxy authentication center comprises the unique identity of the entity object, judging whether the timestamp of the entity object exceeds the corresponding validity period of the entity object in the list;
rejecting the entity object to access the space network when the timestamp of the entity object exceeds the validity period;
and when the time stamp of the entity object does not exceed the validity period, executing the step of extracting the public key of the entity object broadcasted to the space network based on the unique identity.
9. The method of claim 6, wherein controlling the access of the entity object to the space network comprises:
assigning a group ID to the entity object based on the geographic position of the entity object, and adding the group ID into group management in the coverage area of the satellite proxy authentication center;
and calculating to obtain a shared group session key, and sending the shared group session key and the group ID to the entity object so that the entity can access the space network by using the shared group session key and the group ID.
10. An identity authentication system based on a space network, the system comprising a blockchain network, a satellite proxy authentication center and an entity object to be authenticated, wherein the blockchain network comprises a plurality of blockchain registration nodes:
the entity object sends a unique identity and a blockchain encryption public key to the blockchain network;
the blockchain network receives the unique identity and the blockchain encryption public key sent by the entity object; generating a public key of the entity object based on the unique identity of the entity object, and broadcasting the public key of the entity object to a space network; generating partial initial private keys through each blockchain registration node based on the unique identity of the entity object and the blockchain encryption public key; integrating all partial initial private keys to obtain an initial private key of the entity object, and sending the initial private key to the entity object;
the entity object receives the initial private key sent by the blockchain network and generates a final private key based on the initial private key;
the satellite proxy authentication center sends authentication request information to the entity object;
the entity object receives authentication request information of a satellite proxy authentication center, and performs identity authentication on the satellite proxy authentication center based on the authentication request information; when the identity of the satellite proxy authentication center is authenticated without any error, the authentication information which takes the final private key as a signature and contains the unique identity identifier is sent to the satellite proxy authentication center;
the satellite proxy authentication center receives authentication information sent by the entity object and a public key of the entity object broadcasted to a space network, and authenticates the authentication information based on the public key of the entity object; and controlling the entity object to access the space network according to the authentication result.
CN202310163614.0A 2023-02-21 2023-02-21 Identity authentication method and system based on space network Pending CN116471037A (en)


Publications (1)

Publication Number Publication Date
CN116471037A true CN116471037A (en) 2023-07-21

Family

ID=87177715



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination