CN116528235B - Vehicle-ground wireless communication authentication method and system based on extended Chebyshev polynomial - Google Patents


Publication number
CN116528235B
Authority
CN
China
Prior art keywords
authentication
management entity
parameter
mobility management
initialization
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310786025.8A
Other languages
Chinese (zh)
Other versions
CN116528235A (en)
Inventor
周长利
温景良
陈祖希
梅萌
张灵慧
聂志国
徐中伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huaqiao University
Original Assignee
Huaqiao University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huaqiao University
Priority to CN202310786025.8A
Publication of CN116528235A
Application granted
Publication of CN116528235B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30 Services specially adapted for particular environments, situations or purposes
    • H04W4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W4/42 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for mass transport vehicles, e.g. buses, trains or aircraft
    • H04W4/44 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]

Abstract

The invention discloses a vehicle-ground wireless communication authentication method and system based on an extended Chebyshev polynomial, relating to the technical field of LTE-R vehicle-ground wireless communication. The extended Chebyshev polynomial is introduced in the processes of system initialization, USIM card registration and initialization authentication, and is used in place of methods such as elliptic curve scalar multiplication, modular exponentiation and bilinear pairing, which require a large amount of computation and take a long time. Computation and communication costs are thereby reduced while security is ensured, providing a safe, efficient and reliable identity authentication scheme for LTE-R vehicle-ground wireless communication.

Description

Vehicle-ground wireless communication authentication method and system based on extended Chebyshev polynomial
Technical Field
The invention relates to the technical field of LTE-R train-ground wireless communication, in particular to a train-ground wireless communication authentication method and system based on an extended Chebyshev polynomial.
Background
With the development of high-speed railways, travel has become more and more convenient and the demand for rail transport in daily life has grown, making railway traffic safety one of the main problems of daily concern. Because of the limitations of the GSM-R system, the LTE-R system will replace GSM-R as the next-generation railway wireless communication system. LTE-R can be regarded as the evolution of GSM-R towards LTE and 5G, and can provide more efficient, reliable, safe and intelligent railway wireless communication services. As interfaces in LTE-R systems become more open, adversaries can easily control communications, with the following two direct effects: (1) an attacker can release illegal railway traffic information to disrupt the normal operation of traffic, or forge malicious information to cause railway traffic accidents; (2) an attacker can easily track the vehicle and thus violate user privacy. Both have a significant impact on the efficiency and safety of the railway communication system and may in some cases also threaten the lives and property of passengers. How to improve security in LTE-R has therefore become a research hotspot in recent years, and the security authentication of devices accessing LTE-R is the primary concern.
Most existing LTE-R identity authentication schemes are based on elliptic curve scalar multiplication, modular exponentiation or bilinear pairing operations, which require a large amount of computation and take a long time. Most ultra-lightweight authentication schemes reduce the computation cost and the time consumed, but mostly at the expense of part of the security.
In view of this, there is a need for a vehicle-to-ground wireless communication authentication technology that combines high security with a small amount of computation.
Disclosure of Invention
The invention aims to provide a vehicle-ground wireless communication authentication method and system based on an extended Chebyshev polynomial that is lightweight while ensuring security, striking a balance between efficiency and security.
In order to achieve the above object, the present invention provides the following solutions:
An extended Chebyshev polynomial-based vehicle-to-ground wireless communication authentication method, the authentication method comprising:
System initialization: the home subscriber server issues public parameters to the vehicle-mounted unit and the mobility management entity; the public parameters comprise an initialization parameter, a plurality of one-way hash functions and a system public key; the system public key is calculated by the home subscriber server based on the initialization parameter by using an extended Chebyshev polynomial;
USIM card registration: the home subscriber server receives a USIM card registration request generated by the vehicle-mounted unit based on the IMSI of the USIM card of the vehicle-mounted unit, calculates and obtains a first authentication token and first authentication signature information of the vehicle-mounted unit by using an extended Chebyshev polynomial based on the USIM card registration request and the public parameter, and sends registration response information to the vehicle-mounted unit; the registration response information includes the first authentication token and the first authentication signature information;
Initialization authentication: the mobility management entity receives an initialization authentication request generated by the vehicle-mounted unit based on the registration response information, generates a new authentication request based on the initialization authentication request, and sends the new authentication request to the home subscriber server; the home subscriber server authenticates the mobility management entity and the new authentication request based on a system private key, generates a second authentication token and second authentication signature information of the mobility management entity after authentication is passed, and sends initialization authentication response information to the mobility management entity, wherein the initialization authentication response information comprises the first authentication token, the second authentication token and the second authentication signature information; the mobility management entity calculates first authentication information based on the initialization authentication response information and sends the first authentication information to the vehicle-mounted unit; the vehicle-mounted unit authenticates the mobility management entity based on the first authentication information, and sends first response information to the mobility management entity after the authentication is passed; and the mobility management entity authenticates the vehicle-mounted unit based on the first response information, and completes initialization authentication after the authentication passes.
An extended Chebyshev polynomial-based vehicle-to-ground wireless communication authentication system, the authentication system comprising:
The system initialization module, used for completing system initialization: the home subscriber server issues public parameters to the vehicle-mounted unit and the mobility management entity; the public parameters comprise an initialization parameter, a plurality of one-way hash functions and a system public key; the system public key is calculated by the home subscriber server based on the initialization parameter by using an extended Chebyshev polynomial;
The USIM card registration module, used for completing the registration of the USIM card: the home subscriber server receives a USIM card registration request generated by the vehicle-mounted unit based on the IMSI of the USIM card of the vehicle-mounted unit, calculates and obtains a first authentication token and first authentication signature information of the vehicle-mounted unit by using an extended Chebyshev polynomial based on the USIM card registration request and the public parameter, and sends registration response information to the vehicle-mounted unit; the registration response information includes the first authentication token and the first authentication signature information;
The initialization authentication module, used for completing initialization authentication: the mobility management entity receives an initialization authentication request generated by the vehicle-mounted unit based on the registration response information, generates a new authentication request based on the initialization authentication request, and sends the new authentication request to the home subscriber server; the home subscriber server authenticates the mobility management entity and the new authentication request based on a system private key, generates a second authentication token and second authentication signature information of the mobility management entity after authentication is passed, and sends initialization authentication response information to the mobility management entity, wherein the initialization authentication response information comprises the first authentication token, the second authentication token and the second authentication signature information; the mobility management entity calculates first authentication information based on the initialization authentication response information and sends the first authentication information to the vehicle-mounted unit; the vehicle-mounted unit authenticates the mobility management entity based on the first authentication information, and sends first response information to the mobility management entity after the authentication is passed; and the mobility management entity authenticates the vehicle-mounted unit based on the first response information, and completes initialization authentication after the authentication passes.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
The invention provides a vehicle-ground wireless communication authentication method and system based on an extended Chebyshev polynomial. The extended Chebyshev polynomial is introduced in the system initialization, USIM card registration and initialization authentication processes, and is used in place of methods such as elliptic curve scalar multiplication, modular exponentiation and bilinear pairing, which require a large amount of computation and take a long time. Computation and communication overhead is thereby reduced while security is ensured, providing a safe, efficient and reliable identity authentication scheme for LTE-R vehicle-ground wireless communication.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of an authentication method according to embodiment 1 of the present invention;
Fig. 2 is a schematic diagram of an overall technical route of an authentication method according to embodiment 1 of the present invention;
Fig. 3 is a schematic flow chart of USIM card registration provided in embodiment 1 of the present invention;
Fig. 4 is a flowchart of initializing authentication according to embodiment 1 of the present invention;
Fig. 5 is a schematic flow chart of re-authentication provided in embodiment 1 of the present invention;
Fig. 6 is a schematic flow chart of node switching authentication according to embodiment 1 of the present invention;
Fig. 7 is a system block diagram of an authentication system according to embodiment 2 of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention aims to provide a vehicle-ground wireless communication authentication method and system based on an extended Chebyshev polynomial that is lightweight while ensuring security, striking a balance between efficiency and security.
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
Example 1:
This embodiment provides a vehicle-to-ground wireless communication authentication method based on an extended Chebyshev polynomial. As shown in Fig. 1 and Fig. 2, the authentication method includes:
(I) System initialization:
The home subscriber server issues public parameters to the vehicle-mounted unit and the mobility management entity, wherein the public parameters comprise an initialization parameter, a plurality of one-way hash functions and a system public key, and the system public key is calculated by the home subscriber server based on the initialization parameter by using an extended Chebyshev polynomial.
Here, an encryption method using an extended Chebyshev polynomial is described first.
(1) Extended Chebyshev polynomials:
Assume that is an integer, is a variable, and the value of is within the interval; then the -order extended Chebyshev polynomial is defined as:
where is a large prime number.
The equivalent recursion is defined as:
The semigroup property applies equally to the extended Chebyshev polynomial, namely:
(2) An encryption method using an extended Chebyshev polynomial:
1) Key generation
Alice selects a random number as its private key, being the group consisting of positive integers with maximum value n; selects a large prime number and a polynomial seed; computes the public key by ; and publishes the public parameters
2) Encryption stage
Bob receives the public parameters, selects a random number as its private key, and selects the information M to be encrypted, M being encrypted by the following formula:
The encrypted information is then sent to Alice.
3) Decryption stage
After receiving the encrypted information, Alice decrypts the ciphertext (i.e., the encrypted information) by the following formula to obtain the plaintext (i.e., the information to be encrypted):
where P is an intermediate parameter.
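An added example, not code from the patent: a runnable sketch of the extended Chebyshev polynomial and of the key generation, encryption and decryption stages described above. It assumes the standard form T_0 = 1, T_1 = x, T_n = 2x·T_{n-1} − T_{n-2} (mod p) and an ElGamal-style reading of the three stages; the function names, the demo modulus `P_DEMO` and the seed `X_DEMO` are constructed for illustration.

```python
"""Extended Chebyshev polynomial over Z_p and an ElGamal-style cipher built on it.

Added example: modulus, seed and function names are constructed for
illustration; they are not parameters or code from the patent.
"""
import secrets

P_DEMO = 2**127 - 1        # constructed demo modulus (a Mersenne prime)
X_DEMO = 0x5EED_C0FFEE     # constructed polynomial seed


def _mat_mul(a, b, p):
    """Multiply two 2x2 matrices modulo p."""
    return (
        ((a[0][0] * b[0][0] + a[0][1] * b[1][0]) % p,
         (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % p),
        ((a[1][0] * b[0][0] + a[1][1] * b[1][0]) % p,
         (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % p),
    )


def chebyshev(n, x, p):
    """Return T_n(x) mod p using O(log n) matrix multiplications.

    (T_n, T_{n-1}) = [[2x, -1], [1, 0]]^(n-1) applied to (T_1, T_0) = (x, 1).
    """
    if n < 0:
        raise ValueError("degree must be non-negative")
    if n == 0:
        return 1 % p
    x %= p
    result = ((1, 0), (0, 1))                   # identity matrix
    base = ((2 * x % p, (p - 1) % p), (1, 0))   # p - 1 is -1 modulo p
    e = n - 1
    while e:                                    # square-and-multiply
        if e & 1:
            result = _mat_mul(result, base, p)
        base = _mat_mul(base, base, p)
        e >>= 1
    return (result[0][0] * x + result[0][1]) % p


def semigroup_holds(r, s, x, p):
    """Check T_r(T_s(x)) == T_s(T_r(x)) == T_{rs}(x) (mod p)."""
    a = chebyshev(r, chebyshev(s, x, p), p)
    b = chebyshev(s, chebyshev(r, x, p), p)
    return a == b == chebyshev(r * s, x, p)


def keygen(x, p):
    """Key generation: random private key sk, public key pk = T_sk(x) mod p."""
    sk = secrets.randbelow(p - 2) + 2           # sk in [2, p - 1]
    return sk, chebyshev(sk, x, p)


def encrypt(m, x, pk, p):
    """Encryption: return (T_r(x), m * T_r(pk)) mod p for a fresh random r."""
    if not 1 <= m < p:
        raise ValueError("message must be an integer in [1, p - 1]")
    while True:
        r = secrets.randbelow(p - 2) + 2
        mask = chebyshev(r, pk, p)
        if mask != 0:                           # a zero mask cannot be inverted
            return chebyshev(r, x, p), (m * mask) % p


def decrypt(c1, c2, sk, p):
    """Decryption: P = T_sk(c1) equals the sender's mask by the semigroup property."""
    P = chebyshev(sk, c1, p)
    if P == 0:
        raise ValueError("malformed ciphertext: intermediate parameter is zero")
    return (c2 * pow(P, -1, p)) % p


def roundtrip(m, x=X_DEMO, p=P_DEMO):
    """Run all three stages once and return the recovered plaintext."""
    sk, pk = keygen(x, p)
    c1, c2 = encrypt(m, x, pk, p)
    return decrypt(c1, c2, sk, p)


if __name__ == "__main__":
    message = int.from_bytes(b"LTE-R demo", "big")   # constructed sample plaintext
    print("semigroup property:", semigroup_holds(12345, 6789, X_DEMO, P_DEMO))
    print("round trip ok:", roundtrip(message) == message)
```

Decryption works only because T_sk(T_r(x)) and T_r(T_sk(x)) coincide modulo p, which is the semigroup property stated above.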
Based on the above, the home subscriber server issuing common parameters to the in-vehicle unit and the mobility management entity may comprise:
The home subscriber server (Home Subscriber Server, HSS) selects a random number as the system private key; selects a seed of the extended Chebyshev polynomial and a large prime number n as the initialization parameters; and selects a plurality of one-way hash functions, specifically 3 one-way hash functions, where h_i() maps binary sequences of arbitrary length to shorter binary sequences of fixed length. The home subscriber server takes the system private key and the initialization parameters as input and calculates the system public key by using the extended Chebyshev polynomial. The home subscriber server takes the initialization parameters, the plurality of one-way hash functions and the system public key as the public parameters, and issues the public parameters to the vehicle-mounted unit and the mobility management entity.
(II) USIM card registration: used to complete the registration of the USIM card in the HSS and the writing of the related authentication information, i.e. to complete the HSS's authorization of the USIM card.
The home subscriber server receives a USIM card registration request generated by the vehicle-mounted unit based on the IMSI of the USIM card of the vehicle-mounted unit, calculates and obtains a first authentication token and first authentication signature information of the vehicle-mounted unit by using an extended Chebyshev polynomial based on the USIM card registration request and public parameters, and sends registration response information to the vehicle-mounted unit, wherein the registration response information comprises the first authentication token and the first authentication signature information.
Specifically, as shown in fig. 3, USIM card registration may include:
(1) The on-board unit (On Board Unit, OBU) obtains the IMSI (International Mobile Subscriber Identity) of its USIM card (Universal Subscriber Identity Module), generates a first random number, and, with the IMSI and the first random number as input, uses the first one-way hash function h_1() in the public parameters to calculate the IMSI hash value, where the notation denotes concatenation of its two operands. After calculating the IMSI hash value, the on-board unit sends it to the HSS for registration, i.e. sends a USIM card registration request to the home subscriber server, wherein the USIM card registration request comprises the IMSI hash value.
(2) After receiving the USIM card registration request sent by the OBU, the home subscriber server generates a second random number and, with the second random number, the system public key and the initialization parameters as input, calculates a first authentication token of the vehicle-mounted unit by using the extended Chebyshev polynomial. With the first authentication token, the USIM card registration request, the second random number and the system private key as input, it calculates first authentication signature information of the vehicle-mounted unit using the first one-way hash function h_1(), and transmits registration response information to the in-vehicle unit; the registration response information includes the first authentication token and the first authentication signature information. After receiving the registration response information, the on-board unit stores
Thus, the registration of the USIM card is completed, and the first authentication token and the first authentication signature information are obtained for subsequent initialization authentication, re-authentication and switching authentication processes.
(III) Initialization authentication: used to complete the initialization authentication of the OBU when the vehicle-mounted unit accesses the authentication network for the first time.
Specifically, as shown in fig. 4, the initialization authentication includes the steps of:
(1) A mobility management entity (Mobility Management Entity, MME, also referred to as a control plane node) receives an initialization authentication request generated by the on-board unit based on the registration response information, generates a new authentication request based on the initialization authentication request, and sends the new authentication request to the home subscriber server.
1) The in-vehicle unit reads and generates . It generates a third random number and, based on the third random number and the IMSI hash value, calculates a first authentication secret parameter. With the first authentication secret parameter and the initialization parameters as input, it calculates a first key negotiation parameter by using the extended Chebyshev polynomial. An intermediate parameter is calculated based on the IMSI hash value and the first one-way hash function: with the IMSI hash value as input, a PUF output response is calculated using the physical unclonable function PUF_U(), and then, with the PUF output response as input, the intermediate parameter is calculated using the first one-way hash function h_1(). With the IMSI hash value, the first key negotiation parameter and the intermediate parameter as input, a first integrity verification value is calculated using the second one-way hash function h_2() in the public parameters. The IMSI hash value, the location information of the mobility management entity, the first authentication token and the intermediate parameter are encrypted using the system public key to obtain an encrypted ciphertext. An initialization authentication request is sent to the mobility management entity (MME); the initialization authentication request comprises the first key negotiation parameter, the first integrity verification value, the ciphertext and the ID of the home subscriber server.
2) After receiving the initialization authentication request sent by the OBU, the mobility management entity obtains its own real location information, retrieves its own ID, generates a new authentication request and, according to , transmits the new authentication request to the home subscriber server; the new authentication request comprises the ID of the mobility management entity, the first key negotiation parameter, the first integrity verification value, the ciphertext and the real location information of the mobility management entity.
(2) The home subscriber server authenticates the mobility management entity and the new authentication request based on the system private key, generates a second authentication token and second authentication signature information of the mobility management entity after authentication is passed, and sends initialization authentication response information to the mobility management entity, wherein the initialization authentication response information comprises the first authentication token, the second authentication token and the second authentication signature information.
1) After receiving the new authentication request sent by the MME, the home subscriber server uses the system private key to decrypt the encrypted ciphertext, obtaining the IMSI hash value, the location information of the mobility management entity, the first authentication token and the intermediate parameter (i.e. the decryption result).
2) The home subscriber server judges whether the real location information of the mobility management entity and the decrypted location information of the mobility management entity are the same. If they are the same, the mobility management entity passes authentication and the process continues; otherwise, the authentication process is terminated. With the IMSI hash value, the first key negotiation parameter and the intermediate parameter as input, a second integrity verification value is calculated using the second one-way hash function h_2(). The home subscriber server judges whether the second integrity verification value and the first integrity verification value are the same; if they are, the message integrity verification is successful and the new authentication request passes authentication.
3) The home subscriber server generates a fourth random number and, with the fourth random number, the system public key and the initialization parameters as input, calculates a second authentication token of the mobility management entity by using the extended Chebyshev polynomial. With the second authentication token, the ID of the mobility management entity, the fourth random number and the system private key as input, it calculates second authentication signature information of the mobility management entity using the first one-way hash function h_1(), and transmits initialization authentication response information to the mobility management entity; the initialization authentication response information includes the IMSI hash value, the first authentication token, the intermediate parameter, the second authentication token and the second authentication signature information.
(3) The mobility management entity calculates first authentication information based on the initialization authentication response information and sends the first authentication information to the vehicle-mounted unit; the vehicle-mounted unit authenticates the mobility management entity based on the first authentication information, and sends first response information to the mobility management entity after the authentication is passed; the mobility management entity authenticates the vehicle-mounted unit based on the first response information, and completes initialization authentication after the authentication passes.
1) After receiving the initialization authentication response information sent by the HSS, the mobility management entity generates a fifth random number and, with the ID of the mobility management entity and the fifth random number as input, calculates a second authentication secret parameter using the first one-way hash function h_1() of the public parameters. With the second authentication secret parameter and the initialization parameters as input, it calculates a second key negotiation parameter by using the extended Chebyshev polynomial. Based on the second authentication secret parameter, the first key negotiation parameter, the second authentication signature information, the initialization parameters, the first authentication token and the IMSI hash value, it calculates a session key. With the intermediate parameter, the session key and the authentication management domain identification AMF as input, it calculates a first message authentication code and a first response parameter using the third one-way hash function h_3(), obtains the first authentication information, and transmits the first authentication information to the in-vehicle unit; the first authentication information includes the second authentication token, the second key negotiation parameter and the first message authentication code.
2) After receiving the first authentication information sent by the mobility management entity, the vehicle-mounted unit calculates a session key based on the first authentication secret parameter, the second key negotiation parameter, the first authentication signature information, the initialization parameters, the second authentication token and the ID of the mobility management entity. Due to the semigroup property of the extended Chebyshev polynomial, the session key calculated using and the session key calculated using are equal. With the intermediate parameter, the session key and the authentication management domain identification AMF as input, the vehicle-mounted unit calculates a second message authentication code and a second response parameter using the third one-way hash function h_3(). It judges whether the second message authentication code and the first message authentication code are the same; if so, the OBU authenticates the MME successfully, i.e. the authentication passes, and sends first response information to the mobility management entity, wherein the first response information comprises the second response parameter.
In this embodiment, the second message authentication code may be calculated first, and after the authentication is passed, the second response parameter may be calculated.
3) After receiving the second response parameter, the mobility management entity judges whether the second response parameter and the first response parameter are the same, i.e., whether the equality holds. If they are the same, the MME successfully authenticates the OBU, that is, the authentication passes, and the initialization authentication is completed.
So far, the initialization authentication is completed, the MME obtains the first authentication token of the OBU, the second authentication token of the MME and the second authentication signature information, and negotiates a session key for the next authentication.
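The semigroup-based key negotiation and mutual confirmation of steps 1) to 3) above, as an added Python example that is not the patent's own code. The modulus, seed, SHA-256-based hash functions, the session-key derivation and the split of the h_3 output are assumptions, because the patent's exact formulas are not reproduced in this text.

```python
import hashlib
import hmac

# Constructed public parameters (illustrative values, not from the patent).
N = 2**127 - 1                 # stand-in for the large prime n
V = 0x1F2E3D4C5B6A7988         # stand-in for the seed v
AMF = b"\x80\x00"              # constructed authentication management field
INTERMEDIATE = b"constructed-intermediate-parameter"


def chebyshev(k, x, n):
    """Extended Chebyshev polynomial T_k(x) mod n in O(log k) steps.

    Uses [T_{j+1}, T_j] = M [T_j, T_{j-1}] with M = [[2x, -1], [1, 0]].
    """
    x %= n
    if k == 0:
        return 1 % n

    def mul(a, b):  # 2x2 matrices stored row-major as 4-tuples
        return ((a[0] * b[0] + a[1] * b[2]) % n, (a[0] * b[1] + a[1] * b[3]) % n,
                (a[2] * b[0] + a[3] * b[2]) % n, (a[2] * b[1] + a[3] * b[3]) % n)

    result, base, e = (1, 0, 0, 1), (2 * x % n, n - 1, 1, 0), k - 1
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    # [T_k, T_{k-1}] = M^(k-1) [T_1, T_0] = M^(k-1) [x, 1]
    return (result[0] * x + result[1]) % n


def h(tag, *parts):
    """Domain-separated SHA-256 standing in for h_1(), h_3() (assumption)."""
    m = hashlib.sha256(tag)
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()


def secret_param(tag, *parts):
    """Hash inputs to a positive integer used as a Chebyshev degree."""
    return int.from_bytes(h(tag, *parts), "big") | 1


def session_key(own_secret, peer_param):
    """Assumed derivation: hash of T_own(peer) = T_{a*b}(v) mod n."""
    shared = chebyshev(own_secret, peer_param, N)
    return h(b"sk", shared.to_bytes(16, "big"))


def mac_and_response(sk):
    """h_3(intermediate, session key, AMF), split into MAC and response."""
    digest = h(b"h3", INTERMEDIATE, sk, AMF)
    return digest[:16], digest[16:]


def run_exchange(r3, himsi, r5, mme_id, tamper=False):
    """Return the agreed session key, or None if either side rejects."""
    # OBU: secret parameter and first key negotiation parameter.
    a = secret_param(b"obu", r3, himsi)
    first_kn = chebyshev(a, V, N)
    # MME: secret parameter from h_1(ID, r5), second key negotiation parameter.
    b = secret_param(b"h1", mme_id, r5)
    second_kn = chebyshev(b, V, N)
    mac1, res1 = mac_and_response(session_key(b, first_kn))
    # Channel: optionally modify the value the OBU receives.
    received = (second_kn + 1) % N if tamper else second_kn
    # OBU: recompute and compare in constant time before answering.
    sk_obu = session_key(a, received)
    mac2, res2 = mac_and_response(sk_obu)
    if not hmac.compare_digest(mac1, mac2):
        return None            # OBU fails to authenticate the MME
    # MME: compare the returned response parameter with its own.
    if not hmac.compare_digest(res1, res2):
        return None            # MME fails to authenticate the OBU
    return sk_obu


if __name__ == "__main__":
    key = run_exchange(b"r3", b"himsi", b"r5", b"MME-1")
    print("session key:", key.hex())
    print("tampered run:", run_exchange(b"r3", b"himsi", b"r5", b"MME-1", True))
```

A modified key negotiation parameter changes the value the OBU derives, so the message authentication code comparison fails and no response parameter is released.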
In the movement process of the train of this embodiment, the OBU is connected with a plurality of MMEs after authentication in sequence, and the authentication process can be implemented through the initialization authentication process described above, that is, no matter which coverage area the OBU enters into, the authentication process between the OBU and the MME is completed by using the initialization authentication process described above, and after the authentication is passed, the OBU is connected with the MME, so as to complete identity authentication of the access device in the LTE-R system.
The vehicle-ground wireless communication authentication and key negotiation method based on the extended Chebyshev polynomial negotiates a session key while authenticating the access equipment in the LTE-R vehicle-ground wireless communication network, which facilitates subsequent secure communication and authentication operations and meets the identity authentication and privacy protection requirements of the existing LTE-R system. Extended Chebyshev polynomial encryption has a lower computation cost than elliptic curve encryption while providing the required security properties, so it is lighter and better suited to the LTE-R system. That is, the extended Chebyshev polynomial replaces operations that are computation-heavy and time-consuming, such as elliptic curve scalar multiplication, modular exponentiation and bilinear pairing, which reduces computation and communication cost while ensuring security and provides a secure, efficient and reliable identity authentication and key negotiation protocol for LTE-R vehicle-ground wireless communication.
Preferably, when the on-board unit needs to be reconnected with the mobility management entity that has completed the initialization authentication (or has completed the node handover authentication), that is, corresponds to reconnection with the connected mobility management entity, the authentication method of this embodiment further includes:
(IV) re-authentication: the authentication method is used for completing the authentication process when the vehicle-mounted unit reenters the connected MME coverage area, and the process is different from the initialization authentication, does not need HSS participation, and reduces the communication pressure of the HSS.
Specifically, as shown in fig. 5, the re-authentication includes the following steps:
(1) The mobile management entity receives the re-authentication request generated by the vehicle-mounted unit based on the registration response information and the session key, authenticates the mobile management entity and the re-authentication request based on the session key, generates re-authentication response information after the authentication is passed, and sends the re-authentication response information to the vehicle-mounted unit.
1) The vehicle-mounted unit calculates an encryption key based on the session key. It generates a new first random number and a new third random number, and calculates a new IMSI hash value based on the new first random number. Based on the new third random number and the new IMSI hash value, it calculates a new first authentication secret parameter. With the new first authentication secret parameter and the initialization parameters as input, it calculates a new first key negotiation parameter using the extended Chebyshev polynomial. It calculates a new intermediate parameter based on the new IMSI hash value and the first one-way hash function: specifically, with the new IMSI hash value as input, it uses the physical unclonable function PUF_U() to calculate a new PUF output response, and then, with the new PUF output response as input, it calculates the new intermediate parameter using the first one-way hash function. With the new IMSI hash value, the new first key negotiation parameter and the new intermediate parameter as input, it uses the second one-way hash function h_2() in the public parameters to calculate a new first integrity verification value. With the encryption key, it encrypts the new IMSI hash value, the location information of the mobility management entity, the first authentication token and the new intermediate parameter to obtain a new encrypted ciphertext, and transmits a re-authentication request to the mobility management entity. The re-authentication request comprises the new first key negotiation parameter, the new first integrity verification value, the new encrypted ciphertext and the ID of the home subscriber server.
2) After receiving the re-authentication request sent by the OBU, the mobility management entity calculates the encryption key and uses the encryption key to decrypt the encrypted ciphertext, obtaining the new IMSI hash value, the location information of the mobility management entity, the first authentication token and the new intermediate parameter.
3) The mobility management entity obtains its true location information and retrieves the ID of the mobility management entity. It judges whether the true location information of the mobility management entity and the received location information of the mobility management entity are the same, i.e., whether the equality holds. If they are the same, the mobility management entity continues the authentication; otherwise, the authentication process is terminated. With the new IMSI hash value, the new first key negotiation parameter and the new intermediate parameter as input, it uses the second one-way hash function h_2() to calculate a new second integrity verification value, and judges whether the new second integrity verification value and the new first integrity verification value are the same, i.e., whether the equality holds. If they are the same, the message integrity verification succeeds and the re-authentication request passes authentication; otherwise, the authentication process is terminated.
4) The mobility management entity generates a new fifth random number. With the ID of the mobility management entity and the new fifth random number as input, it uses the first one-way hash function h_1() of the public parameters to calculate a new second authentication secret parameter. With the new second authentication secret parameter and the initialization parameters as input, it calculates a new second key negotiation parameter using the extended Chebyshev polynomial. Based on the new second authentication secret parameter, the new first key negotiation parameter, the second authentication signature information, the initialization parameters, the first authentication token and the new IMSI hash value, it calculates a new session key. With the new intermediate parameter, the new session key and the authentication management domain identification AMF as input, it uses the third one-way hash function h_3() to calculate a new first message authentication code and a new first response parameter, obtains the re-authentication response information, and transmits the re-authentication response information to the vehicle-mounted unit. The re-authentication response information includes the new second key negotiation parameter and the new first message authentication code.
(2) The vehicle-mounted unit authenticates the mobility management entity based on the re-authentication response information, and sends second response information to the mobility management entity after the authentication is passed; and the mobile management entity authenticates the vehicle-mounted unit based on the second response information, and completes re-authentication after the authentication passes.
1) After receiving the re-authentication response information sent by the MME, the vehicle-mounted unit calculates a new session key based on the new first authentication secret parameter, the new second key negotiation parameter, the first authentication signature information, the initialization parameters, the second authentication token and the ID of the mobility management entity. With the new intermediate parameter, the new session key and the authentication management domain identification AMF as input, it uses the third one-way hash function h_3() to calculate a new second message authentication code and a new second response parameter. It judges whether the new second message authentication code and the new first message authentication code are the same, i.e., whether the equality holds. If they are the same, the OBU successfully authenticates the MME, that is, the authentication passes, and the vehicle-mounted unit sends second response information to the mobility management entity, wherein the second response information comprises the new second response parameter.
The embodiment can also calculate the new second message verification code first, and calculate the new second response parameter after verification is passed.
2) After receiving the new second response parameter, the mobility management entity judges whether the new second response parameter and the new first response parameter are the same, i.e., whether the equality holds. If they are the same, the MME successfully authenticates the OBU, that is, the authentication passes, the re-authentication is completed, and the new session key is stored for use in the next re-authentication process.
When the vehicle-mounted unit needs to be connected with other mobility management entities, the authentication method of the embodiment further comprises the following steps:
(V) node switching authentication: and when the train enters different MME ranges, performing node switching authentication, and finishing bidirectional authentication between the current MME and the vehicle-mounted unit through the MME of which the last authentication is finished.
Specifically, as shown in fig. 6, the node switching authentication includes the following steps:
(1) The mobile management entity to be switched receives a switching authentication request generated by the vehicle-mounted unit based on the registration response information and the session key, and forwards the switching authentication request to the mobile management entity.
1) The vehicle-mounted unit calculates an encryption key based on the session key. It generates a new first random number and a new third random number, and calculates a new IMSI hash value based on the new first random number. Based on the new third random number and the new IMSI hash value, it calculates a new first authentication secret parameter. With the new first authentication secret parameter and the initialization parameters as input, it calculates a new first key negotiation parameter using the extended Chebyshev polynomial. It calculates a new intermediate parameter based on the new IMSI hash value and the first one-way hash function: specifically, with the new IMSI hash value as input, it uses the physical unclonable function PUF_U() to calculate a new PUF output response, and then, with the new PUF output response as input, it calculates the new intermediate parameter using the first one-way hash function. With the new IMSI hash value, the new first key negotiation parameter and the new intermediate parameter as input, it uses the second one-way hash function h_2() in the public parameters to calculate a new first integrity verification value. With the encryption key, it encrypts the new IMSI hash value, the first authentication token and the new intermediate parameter to obtain a new encrypted ciphertext, and sends a handover authentication request to the mobility management entity to be switched. The handover authentication request comprises the new first key negotiation parameter, the new first integrity verification value, the new encrypted ciphertext and the location information of the mobility management entity.
2) After receiving the handover authentication request, the mobility management entity to be switched confirms the authenticity of the location information of the mobility management entity. Specifically, the mobility management entity to be switched compares the location information of the mobility management entity that it stores with the received location information of the mobility management entity; if they are the same, the authenticity verification passes, and the handover authentication request is forwarded to the mobility management entity.
(2) The mobile management entity authenticates the mobile management entity and the switching authentication request based on the session key, generates switching authentication response information after the authentication is passed, and sends the switching authentication response information to the mobile management entity to be switched.
1) After receiving the handover authentication request, the mobility management entity calculates the encryption key and uses the encryption key to decrypt the encrypted ciphertext, obtaining the new IMSI hash value, the first authentication token and the new intermediate parameter.
2) The mobility management entity obtains its true location information and judges whether the true location information of the mobility management entity and the received location information of the mobility management entity are the same, i.e., whether the equality holds. If they are the same, the mobility management entity continues the authentication; otherwise, the authentication process is terminated. With the new IMSI hash value, the new first key negotiation parameter and the new intermediate parameter as input, it uses the second one-way hash function h_2() to calculate a new second integrity verification value, and judges whether the new second integrity verification value and the new first integrity verification value are the same, i.e., whether the equality holds. If they are the same, the message integrity verification succeeds, the handover authentication request passes authentication, and handover authentication response information is transmitted to the mobility management entity to be switched; otherwise, the authentication process is terminated.
(3) The mobility management entity to be switched calculates third authentication information based on the switching authentication response information, and sends the third authentication information to the vehicle-mounted unit; the vehicle-mounted unit authenticates the mobility management entity to be switched based on the third authentication information, and sends third response information to the mobility management entity to be switched after the authentication is passed; and the mobility management entity to be switched authenticates the vehicle-mounted unit based on the third response information, and completes node switching authentication after the authentication passes.
1) The mobility management entity to be switched generates a new fifth random number. With the ID of the mobility management entity and the new fifth random number as input, it uses the first one-way hash function h_1() of the public parameters to calculate a new second authentication secret parameter. With the new second authentication secret parameter and the initialization parameters as input, it calculates a new second key negotiation parameter using the extended Chebyshev polynomial. Based on the new second authentication secret parameter, the new first key negotiation parameter, the second authentication signature information, the initialization parameters, the first authentication token and the new IMSI hash value, it calculates a new session key. With the new intermediate parameter, the new session key and the authentication management domain identification AMF as input, it uses the third one-way hash function h_3() to calculate a new first message authentication code and a new first response parameter, obtains the third authentication information, and transmits the third authentication information to the vehicle-mounted unit. The third authentication information includes the new second key negotiation parameter and the new first message authentication code.
2) After receiving the third authentication information sent by the mobility management entity to be switched, the vehicle-mounted unit calculates a new session key based on the new first authentication secret parameter, the new second key negotiation parameter, the first authentication signature information, the initialization parameters, the second authentication token and the ID of the mobility management entity. With the new intermediate parameter, the new session key and the authentication management domain identification AMF as input, it uses the third one-way hash function h_3() to calculate a new second message authentication code and a new second response parameter. It judges whether the new second message authentication code and the new first message authentication code are the same, i.e., whether the equality holds. If they are the same, the OBU successfully authenticates the mobility management entity to be switched, that is, the authentication passes, and the vehicle-mounted unit sends third response information to the mobility management entity to be switched, the third response information comprising the new second response parameter.
The embodiment can also calculate the new second message verification code first, and calculate the new second response parameter after verification is passed.
3) After receiving the new second response parameter, the mobility management entity to be switched judges whether the new second response parameter and the new first response parameter are the same, i.e., whether the equality holds. If they are the same, the mobility management entity to be switched successfully authenticates the OBU, that is, the authentication passes, the node switching authentication is completed, and the new session key is stored for use in the re-authentication process of the mobility management entity to be switched.
Thus, the node switching authentication is completed, and the OBU is switched from the mobility management entity to the mobility management entity to be switched. The mobility management entity to be switched obtains the associated authentication information and negotiates a session key for the next re-authentication or node switching authentication. When the next node switching authentication is performed, the current authentication node is regarded as the mobility management entity, and authentication with the new node is performed through the above-described procedure.
Through the re-authentication and node switching authentication process described above, the home subscriber server HSS in this embodiment only participates in the USIM card registration and initialization authentication process, and subsequent re-authentication and node switching authentication are realized by the MME participating.
This embodiment implements train-ground wireless communication authentication, that is, authentication between a train and ground equipment (roadside units, base stations, etc.). The HSS is a core network element in the LTE network that manages important data such as user identities and location information. The OBU is a vehicle-mounted unit, usually installed on a vehicle, that communicates with ground equipment such as roadside units or base stations and transmits vehicle-related data (such as location, speed and acceleration). The MME is another core network element in the LTE network and is mainly responsible for control and management functions such as mobility management and security authentication. This embodiment mainly implements authentication between the OBU and the MME; except for the first authentication, which requires the HSS, subsequent authentication is completed by multiple MMEs together.
The vehicle-ground wireless communication authentication method based on the extended chebyshev polynomials comprises the processes of system initialization, USIM card registration, initialization authentication, reauthentication, node switching authentication and the like, wherein the HSS is responsible for registering a USIM card of a vehicle-mounted unit OBU and assisting in completing the initialization authentication process, the MME participates in the initialization authentication of the OBU, a key negotiation process, a subsequent reauthentication process and a node switching authentication process, the vehicle-ground wireless communication authentication and the key negotiation under the LTE-R network environment are realized based on the extended chebyshev polynomials, keys of a home server HSS, the vehicle-mounted unit OBU and a control plane node MME are generated by the extended chebyshev polynomials in the whole process, the authentication and the key negotiation process are realized through the semi-group property of the home server HSS, IMSI information is anonymized, and an unclonable function PUF is added as an authentication factor of the vehicle-mounted unit, and the data and privacy security in the authentication process are ensured. 
The authentication method of the present embodiment has the following advantages: (1) The method has the advantages of resisting the known attack in the LTE-R system, and protecting the privacy security of related data while finishing authentication and key negotiation; (2) Aiming at the problem that light weight and safety cannot be considered, an extended chebyshev polynomial encryption system is introduced to replace an elliptic curve encryption system, so that the balance between safety and efficiency is achieved; (3) The re-authentication and node switching authentication process is provided, the data and privacy security of each stage in the railway communication process are ensured, the session key is dynamically updated, the forward and backward security of each communication is ensured, and the high efficiency and the security are verified through security analysis and a security protocol test.
More specifically, compared with the existing authentication protocol, the authentication method of the embodiment has the following beneficial effects:
(1) And an extended chebyshev polynomial is introduced to realize light weight: in the embodiment, an extended chebyshev polynomial encryption is used for replacing an ECC encryption algorithm, the chaos of the extended chebyshev polynomial is utilized for guaranteeing the safety of a secret key, the discrete logarithm problem of the extended chebyshev polynomial and the Diffie-Hellman problem are utilized for guaranteeing the safety of private keys used by two authentication parties, the semi-group property of the extended chebyshev polynomial is utilized for completing the negotiation process of secret keys of the two authentication parties, the safety is guaranteed, the light weight is realized, and the balance between efficiency and safety is realized in an environment with limited conditions.
(2) Providing re-authentication, node-switched authentication reduces communication overhead: the embodiment provides the re-authentication and node switching authentication process, and further improves the authentication efficiency while ensuring the security, because the subsequent re-authentication and node switching authentication process does not need the participation of the Home Subscriber Server (HSS) after initializing the authentication of the first MME, reduces the communication pressure of the HSS, and can also effectively resist the bandwidth exhaustion attack.
(3) Anonymity is achieved by anonymizing IMSI information using a hash function: in the embodiment, the IMSI information is anonymously processed in the authentication process (the transmitted information is HIMSI), so that the IMSI information is not revealed, different HIMSI values are obtained by adding different random numbers in each authentication process, and the problem of railway traffic safety caused by the fact that internal personnel steal the IMSI information is avoided.
(4) The random factor is added to ensure the forward and backward safety: the authentication method provided by the embodiment adds a random factor (namely a random number) in the re-authentication and node switching authentication processes, and ensures that the authentication parameters used each time are different from the authentication parameters used last time, thereby effectively resisting replay attack, ensuring the forward and backward security of a protocol and the security of data in each authentication, and further ensuring the railway traffic security.
(5) The physical unclonable function is introduced to resist impersonation attacks: according to the embodiment, a Physical Unclonable Function (PUF) is introduced, a PUF calculation mode is embedded in the vehicle-mounted unit, the HIMSI value is used as an input challenge of the PUF in the authentication process, the uniqueness of a message in each authentication is guaranteed, the input challenge and the output response of the PUF are not saved, and meanwhile the obtained secret value is added into the message verification in the authentication process, so that the impersonation attack is effectively resisted.
(6) Avoiding using time stamps against time stamp based DoS attacks: the embodiment avoids using the time stamp while realizing authentication, can effectively prevent denial of service attack based on the time stamp, and verifies the high efficiency and the safety by the safety analysis and the security protocol test.
Example 2:
the present embodiment is used to provide a vehicle-to-ground wireless communication authentication system based on an extended chebyshev polynomial, as shown in fig. 7, the authentication system includes:
the system initialization module M1 is configured to complete system initialization: the home subscriber server issues public parameters to the vehicle-mounted unit and the mobility management entity; the public parameters comprise an initialization parameter, a plurality of one-way hash functions and a system public key; the system public key is calculated by the home subscriber server based on the initialization parameter by using an extended chebyshev polynomial;
the USIM card registration module M2 is configured to complete USIM card registration: the home subscriber server receives a USIM card registration request generated by the vehicle-mounted unit based on the IMSI of the USIM card of the vehicle-mounted unit, calculates and obtains a first authentication token and first authentication signature information of the vehicle-mounted unit by using an extended chebyshev polynomial based on the USIM card registration request and the public parameter, and sends registration response information to the vehicle-mounted unit; the registration response information includes the first authentication token and the first authentication signature information;
An initialization authentication module M3, configured to complete initialization authentication: the mobile management entity receives an initialization authentication request generated by the vehicle-mounted unit based on the registration response information, generates a new authentication request based on the initialization authentication request, and sends the new authentication request to the home subscriber server; the home subscriber server authenticates the mobility management entity and the new authentication request based on a system private key, generates a second authentication token and second authentication signature information of the mobility management entity after authentication is passed, and sends initialization authentication response information to the mobility management entity, wherein the initialization authentication response information comprises the first authentication token, the second authentication token and the second authentication signature information; the mobile management entity calculates first authentication information based on the initialization authentication response information and sends the first authentication information to the vehicle-mounted unit; the vehicle-mounted unit authenticates the mobility management entity based on the first authentication information, and sends first response information to the mobility management entity after the authentication is passed; and the mobile management entity authenticates the vehicle-mounted unit based on the first response information, and completes initialization authentication after the authentication passes.
In this specification, each embodiment is mainly described in the specification as a difference from other embodiments, and the same similar parts between the embodiments are referred to each other. For the system disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
The principles and embodiments of the present invention have been described herein with reference to specific examples, the description of which is intended only to assist in understanding the methods of the present invention and the core ideas thereof; also, it is within the scope of the present invention to be modified by those of ordinary skill in the art in light of the present teachings. In view of the foregoing, this description should not be construed as limiting the invention.

Claims (7)

1. An extended chebyshev polynomial-based vehicle-ground wireless communication authentication method is characterized by comprising the following steps of:
initializing a system: the home subscriber server issues public parameters to the vehicle-mounted unit and the mobility management entity; the public parameters comprise an initialization parameter, a plurality of one-way hash functions and a system public key; the system public key is calculated by the home subscriber server based on the initialization parameter and the system private key by using an extended chebyshev polynomial, and specifically comprises the following steps:
The home subscriber server uses the system private key sk_H and the initialization parameters as input, and calculates with the extended Chebyshev polynomial to obtain the system public key pk_H; the system private key is a positive integer;
the initialization parameters comprise a seed v ∈ (−∞, +∞) and a large prime number n of the extended Chebyshev polynomial; the plurality of one-way hash functions is 3 one-way hash functions h_i(): {0,1}^* → {0,1}^l, where i = 1, 2, 3, and h_i() maps binary sequences of arbitrary length to binary sequences of fixed length l;
USIM card registration: the home subscriber server receives a USIM card registration request generated by the on-board unit based on an IMSI of a USIM card of the on-board unit, calculates by using an extended chebyshev polynomial based on the USIM card registration request and the public parameter to obtain a first authentication token and first authentication signature information of the on-board unit, and sends registration response information to the on-board unit, and specifically includes:
the vehicle-mounted unit obtains the IMSI of a USIM card of the vehicle-mounted unit, generates a first random number, takes the IMSI and the first random number as input, calculates an IMSI hash value by using a first one-way hash function in the public parameter, and sends a USIM card registration request to the home subscriber server; the USIM card registration request comprises the IMSI hash value;
The home subscriber server receives the USIM card registration request, generates a second random number, takes the second random number, the system public key and the initialization parameter as input, calculates by using an extended chebyshev polynomial to obtain a first authentication token of the vehicle-mounted unit, takes the first authentication token, the USIM card registration request, the second random number and the system private key as input, calculates by using a first one-way hash function to obtain first authentication signature information of the vehicle-mounted unit, and sends registration response information to the vehicle-mounted unit; the registration response information includes the first authentication token and the first authentication signature information;
initializing authentication: the mobile management entity receives an initialization authentication request generated by the vehicle-mounted unit based on the registration response information, generates a new authentication request based on the initialization authentication request, and sends the new authentication request to the home subscriber server; the home subscriber server authenticates the mobility management entity and the new authentication request based on a system private key, generates a second authentication token and second authentication signature information of the mobility management entity after authentication is passed, and sends initialization authentication response information to the mobility management entity, wherein the initialization authentication response information comprises the first authentication token, the second authentication token and the second authentication signature information; the mobile management entity calculates first authentication information based on the initialization authentication response information and sends the first authentication information to the vehicle-mounted unit; the vehicle-mounted unit authenticates the mobility management entity based on the first authentication information, and sends first response information to the mobility management entity after the authentication is passed; the mobile management entity authenticates the vehicle-mounted unit based on the first response information, and completes initialization authentication after the authentication passes;
The mobility management entity receives an initialization authentication request generated by the vehicle-mounted unit based on the registration response information, generates a new authentication request based on the initialization authentication request, and sends the new authentication request to the home subscriber server, and specifically comprises the following steps:
the vehicle-mounted unit generates a third random number, calculates a first authentication secret parameter based on the third random number and the IMSI hash value, takes the first authentication secret parameter and the initialization parameter as input, and calculates a first key negotiation parameter by using an extended chebyshev polynomial; calculating to obtain an intermediate parameter based on the IMSI hash value and the first one-way hash function, and taking the IMSI hash value, the first key negotiation parameter and the intermediate parameter as inputs, and calculating to obtain a first integrity verification value by using a second one-way hash function in the public parameter; encrypting the IMSI hash value, the position information of the mobile management entity, the first authentication token and the intermediate parameter by using the system public key to obtain an encrypted ciphertext, and sending an initialization authentication request to the mobile management entity; the initialization authentication request comprises the first key negotiation parameter, the first integrity verification value, the encrypted ciphertext and the ID of the home subscriber server;
The mobile management entity receives the initialization authentication request, acquires the real position information and ID of the mobile management entity, generates a new authentication request, and sends the new authentication request to the home subscriber server; the new authentication request comprises the ID of the mobility management entity, the first key negotiation parameter, the first integrity verification value, the encrypted ciphertext and the real position information of the mobility management entity;
generating a second authentication token and second authentication signature information of the mobility management entity after authentication is passed, specifically including:
the home subscriber server generates a fourth random number, takes the fourth random number, the system public key and the initialization parameter as inputs, calculates a second authentication token of the mobility management entity by using an extended chebyshev polynomial, takes the second authentication token, the ID of the mobility management entity, the fourth random number and the system private key as inputs, and calculates second authentication signature information of the mobility management entity by using the first one-way hash function;
the mobility management entity calculates first authentication information based on the initialization authentication response information, and specifically includes:
The mobility management entity generates a fifth random number, takes the ID of the mobility management entity and the fifth random number as inputs, calculates and obtains a second authentication secret parameter by using a first one-way hash function of the public parameter, takes the second authentication secret parameter and the initialization parameter as inputs, and calculates and obtains a second key negotiation parameter by using an extended Chebyshev polynomial; calculating to obtain a session key based on the second authentication secret parameter, the first key negotiation parameter, the second authentication signature information, the initialization parameter, the first authentication token and the IMSI hash value; taking the intermediate parameter, the session key and the authentication management domain identifier AMF as inputs, calculating to obtain a first message verification code and a first response parameter by using a third one-way hash function, obtaining first authentication information, and sending the first authentication information to the vehicle-mounted unit; the first authentication information includes the second authentication token, the second key agreement parameter, and the first message authentication code.
2. The authentication method according to claim 1, wherein the home subscriber server authenticates the mobility management entity and the new authentication request based on a system private key, and generates a second authentication token and second authentication signature information of the mobility management entity after authentication is passed, and transmitting initialization authentication response information to the mobility management entity specifically includes:
The home subscriber server decrypts the encrypted ciphertext by using a system private key to obtain the IMSI hash value, the position information of the mobility management entity, the first authentication token and the intermediate parameter;
the home subscriber server judges whether the true position information of the mobility management entity is the same as the position information of the mobility management entity, if so, the authentication of the mobility management entity is passed; taking the IMSI hash value, the first key negotiation parameter and the intermediate parameter as inputs, calculating to obtain a second integrity verification value by using the second one-way hash function, judging whether the second integrity verification value is identical to the first integrity verification value, and if so, passing the authentication of the new authentication request;
sending initialization authentication response information to the mobility management entity; the initialization authentication response information includes the IMSI hash value, the first authentication token, the intermediate parameter, the second authentication token, and the second authentication signature information.
3. The authentication method according to claim 2, wherein the mobility management entity calculates first authentication information based on the initialization authentication response information, and sends the first authentication information to the in-vehicle unit; the vehicle-mounted unit authenticates the mobility management entity based on the first authentication information, and sends first response information to the mobility management entity after the authentication is passed; the mobile management entity authenticates the vehicle-mounted unit based on the first response information, and after the authentication is passed, the initialization authentication specifically comprises the following steps:
The vehicle-mounted unit calculates a session key based on the first authentication secret parameter, the second key negotiation parameter, the first authentication signature information, the initialization parameter, the second authentication token and the ID of the mobility management entity, takes the intermediate parameter, the session key and an authentication management domain identifier AMF as inputs, and calculates a second message verification code and a second response parameter by using a third one-way hash function; judging whether the second message verification code is the same as the first message verification code, if so, passing the authentication, and sending first response information to the mobility management entity; the first response information comprises a second response parameter;
and the mobility management entity judges whether the second response parameter is the same as the first response parameter, and if so, the authentication passes to finish initialization authentication.
4. The authentication method according to claim 1, wherein calculating an intermediate parameter based on the IMSI hash value and the first one-way hash function specifically comprises:
taking the IMSI hash value as input, and calculating by using a physical unclonable function to obtain a PUF output response; and taking the PUF output response as input, and calculating to obtain an intermediate parameter by using the first one-way hash function.
5. The authentication method according to claim 3, wherein when the in-vehicle unit needs to be reconnected with the mobility management entity that has completed initializing authentication, the authentication method further comprises:
re-authentication: the mobility management entity receives a re-authentication request generated by the vehicle-mounted unit based on the registration response information and the session key, authenticates the mobility management entity and the re-authentication request based on the session key, generates re-authentication response information after passing the authentication, and sends the re-authentication response information to the vehicle-mounted unit; the vehicle-mounted unit authenticates the mobility management entity based on the re-authentication response information, and sends second response information to the mobility management entity after the authentication is passed; and the mobility management entity authenticates the vehicle-mounted unit based on the second response information, and completes re-authentication after the authentication passes.
6. The authentication method according to claim 3, wherein when the on-board unit needs to connect with other mobility management entities, the authentication method further comprises:
Node switching authentication: the mobile management entity to be switched receives a switching authentication request generated by the vehicle-mounted unit based on the registration response information and the session key, and forwards the switching authentication request to the mobile management entity; the mobile management entity authenticates the mobile management entity and the switching authentication request based on the session key, generates switching authentication response information after passing authentication, and sends the switching authentication response information to the mobile management entity to be switched; the mobility management entity to be switched calculates third authentication information based on the switching authentication response information, and sends the third authentication information to the vehicle-mounted unit; the vehicle-mounted unit authenticates the mobility management entity to be switched based on the third authentication information, and sends third response information to the mobility management entity to be switched after the authentication is passed; and the mobility management entity to be switched authenticates the vehicle-mounted unit based on the third response information, and completes node switching authentication after authentication passes.
7. An extended chebyshev polynomial based train-ground wireless communication authentication system, the authentication system comprising:
The system initialization module is used for completing system initialization: the home subscriber server issues public parameters to the vehicle-mounted unit and the mobility management entity; the public parameters comprise an initialization parameter, a plurality of one-way hash functions and a system public key; the system public key is calculated by the home subscriber server based on the initialization parameter and the system private key by using an extended chebyshev polynomial, and specifically comprises the following steps:
the home subscriber server takes the system private key sk_H and the initialization parameters as input, and calculates the system public key pk_H by using the extended Chebyshev polynomial; the system private key is a positive integer;
the initialization parameters comprise a seed v ∈ (−∞, +∞) and a large prime number n of the extended Chebyshev polynomial; the plurality of one-way hash functions is 3 one-way hash functions h_i(): {0,1}^* → {0,1}^l, where i = 1, 2, 3, and h_i() maps binary sequences of arbitrary length to binary sequences of fixed length l;
the USIM card registration module is used for finishing the registration of the USIM card: the home subscriber server receives a USIM card registration request generated by the on-board unit based on an IMSI of a USIM card of the on-board unit, calculates by using an extended chebyshev polynomial based on the USIM card registration request and the public parameter to obtain a first authentication token and first authentication signature information of the on-board unit, and sends registration response information to the on-board unit, and specifically includes:
The vehicle-mounted unit obtains the IMSI of a USIM card of the vehicle-mounted unit, generates a first random number, takes the IMSI and the first random number as input, calculates an IMSI hash value by using a first one-way hash function in the public parameter, and sends a USIM card registration request to the home subscriber server; the USIM card registration request comprises the IMSI hash value;
the home subscriber server receives the USIM card registration request, generates a second random number, takes the second random number, the system public key and the initialization parameter as input, calculates by using an extended chebyshev polynomial to obtain a first authentication token of the vehicle-mounted unit, takes the first authentication token, the USIM card registration request, the second random number and the system private key as input, calculates by using a first one-way hash function to obtain first authentication signature information of the vehicle-mounted unit, and sends registration response information to the vehicle-mounted unit; the registration response information includes the first authentication token and the first authentication signature information;
the initialization authentication module is used for completing initialization authentication: the mobile management entity receives an initialization authentication request generated by the vehicle-mounted unit based on the registration response information, generates a new authentication request based on the initialization authentication request, and sends the new authentication request to the home subscriber server; the home subscriber server authenticates the mobility management entity and the new authentication request based on a system private key, generates a second authentication token and second authentication signature information of the mobility management entity after authentication is passed, and sends initialization authentication response information to the mobility management entity, wherein the initialization authentication response information comprises the first authentication token, the second authentication token and the second authentication signature information; the mobile management entity calculates first authentication information based on the initialization authentication response information and sends the first authentication information to the vehicle-mounted unit; the vehicle-mounted unit authenticates the mobility management entity based on the first authentication information, and sends first response information to the mobility management entity after the authentication is passed; the mobile management entity authenticates the vehicle-mounted unit based on the first response information, and completes initialization authentication after the authentication passes;
The mobility management entity receives an initialization authentication request generated by the vehicle-mounted unit based on the registration response information, generates a new authentication request based on the initialization authentication request, and sends the new authentication request to the home subscriber server, and specifically comprises the following steps:
the vehicle-mounted unit generates a third random number, calculates a first authentication secret parameter based on the third random number and the IMSI hash value, takes the first authentication secret parameter and the initialization parameter as input, and calculates a first key negotiation parameter by using an extended chebyshev polynomial; calculating to obtain an intermediate parameter based on the IMSI hash value and the first one-way hash function, and taking the IMSI hash value, the first key negotiation parameter and the intermediate parameter as inputs, and calculating to obtain a first integrity verification value by using a second one-way hash function in the public parameter; encrypting the IMSI hash value, the position information of the mobile management entity, the first authentication token and the intermediate parameter by using the system public key to obtain an encrypted ciphertext, and sending an initialization authentication request to the mobile management entity; the initialization authentication request comprises the first key negotiation parameter, the first integrity verification value, the encrypted ciphertext and the ID of the home subscriber server;
The mobile management entity receives the initialization authentication request, acquires the real position information and ID of the mobile management entity, generates a new authentication request, and sends the new authentication request to the home subscriber server; the new authentication request comprises the ID of the mobility management entity, the first key negotiation parameter, the first integrity verification value, the encrypted ciphertext and the real position information of the mobility management entity;
generating a second authentication token and second authentication signature information of the mobility management entity after authentication is passed, specifically including:
the home subscriber server generates a fourth random number, takes the fourth random number, the system public key and the initialization parameter as inputs, calculates a second authentication token of the mobility management entity by using an extended chebyshev polynomial, takes the second authentication token, the ID of the mobility management entity, the fourth random number and the system private key as inputs, and calculates second authentication signature information of the mobility management entity by using the first one-way hash function;
the mobility management entity calculates first authentication information based on the initialization authentication response information, and specifically includes:
The mobility management entity generates a fifth random number, takes the ID of the mobility management entity and the fifth random number as inputs, calculates and obtains a second authentication secret parameter by using a first one-way hash function of the public parameter, takes the second authentication secret parameter and the initialization parameter as inputs, and calculates and obtains a second key negotiation parameter by using an extended Chebyshev polynomial; calculating to obtain a session key based on the second authentication secret parameter, the first key negotiation parameter, the second authentication signature information, the initialization parameter, the first authentication token and the IMSI hash value; taking the intermediate parameter, the session key and the authentication management domain identifier AMF as inputs, calculating to obtain a first message verification code and a first response parameter by using a third one-way hash function, obtaining first authentication information, and sending the first authentication information to the vehicle-mounted unit; the first authentication information includes the second authentication token, the second key agreement parameter, and the first message authentication code.
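The claims compute the system public key and both key negotiation parameters with an extended Chebyshev polynomial over the seed v and the prime n. The following added example (not part of the patent text) shows the underlying semigroup property T_a(T_b(v)) = T_b(T_a(v)) mod n that lets the vehicle-mounted unit and the mobility management entity reach the same value. Assumptions: SHA-256 stands in for the first one-way hash function, the first authentication secret parameter is derived with that same hash, the values of n and v are constructed, and the session key is simplified to a hash of the shared value, whereas the claimed derivation also mixes in the signature information, tokens and identifiers.

```python
import hashlib

N = 2**127 - 1            # constructed stand-in for the large prime n
V = 0x1234567890ABCDEF    # constructed stand-in for the seed v


def chebyshev(k: int, x: int, n: int) -> int:
    """Return T_k(x) mod n for the extended Chebyshev polynomial.

    Uses T_0 = 1, T_1 = x, T_2m = 2*T_m^2 - 1, T_2m+1 = 2*T_m*T_m+1 - x,
    so the cost is O(log k) multiplications instead of k recurrence steps.
    """
    if k < 0:
        raise ValueError("degree k must be non-negative")
    x %= n
    t_m, t_m1 = 1 % n, x                      # (T_0, T_1)
    for bit in bin(k)[2:]:                    # most significant bit first
        if bit == "1":                        # (T_m, T_m+1) -> (T_2m+1, T_2m+2)
            t_m, t_m1 = (2 * t_m * t_m1 - x) % n, (2 * t_m1 * t_m1 - 1) % n
        else:                                 # (T_m, T_m+1) -> (T_2m, T_2m+1)
            t_m, t_m1 = (2 * t_m * t_m - 1) % n, (2 * t_m * t_m1 - x) % n
    return t_m


def h1(*parts: bytes) -> int:
    """Assumed stand-in for the first one-way hash function (SHA-256).

    Each part is length-prefixed so that ("ab", "c") and ("a", "bc")
    cannot produce the same digest.
    """
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def key_agreement(sk_h: int, r3: bytes, imsi_hash: bytes,
                  r5: bytes, mme_id: bytes) -> dict:
    """Run the Chebyshev core of the exchange with caller-supplied randomness."""
    pk_h = chebyshev(sk_h, V, N)              # system public key pk_H

    # Vehicle-mounted unit: secret parameter (assumed h1 form) and
    # first key negotiation parameter.
    a = h1(r3, imsi_hash)
    kn1 = chebyshev(a, V, N)

    # Mobility management entity: secret parameter h1(ID, r5) and
    # second key negotiation parameter.
    b = h1(mme_id, r5)
    kn2 = chebyshev(b, V, N)

    # Each side applies its own secret to the other side's public value.
    obu_shared = chebyshev(a, kn2, N)         # T_a(T_b(v))
    mme_shared = chebyshev(b, kn1, N)         # T_b(T_a(v))

    def derive(shared: int) -> str:
        # Simplified session key: hash of the shared value only (assumption).
        return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

    # The same property relates pk_H to any random degree r: whoever holds
    # sk_H can recompute T_r(pk_H) from T_r(v) alone.
    r = h1(b"constructed-degree")
    pk_commutes = chebyshev(r, pk_h, N) == chebyshev(sk_h, chebyshev(r, V, N), N)

    return {
        "pk_h": pk_h,
        "kn1": kn1,
        "kn2": kn2,
        "obu_shared": obu_shared,
        "mme_shared": mme_shared,
        "session_key_obu": derive(obu_shared),
        "session_key_mme": derive(mme_shared),
        "pk_commutes": pk_commutes,
    }


if __name__ == "__main__":
    # Constructed inputs; a deployment would draw the random numbers
    # from a cryptographically secure generator.
    result = key_agreement(
        sk_h=0xC0FFEE1234567,
        r3=b"constructed-r3",
        imsi_hash=b"constructed-imsi-hash",
        r5=b"constructed-r5",
        mme_id=b"MME-001",
    )
    print("keys match:", result["session_key_obu"] == result["session_key_mme"])
```

Only the key negotiation parameters cross the channel; recovering a or b from them requires solving the Chebyshev discrete logarithm problem modulo n.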
CN202310786025.8A 2023-06-30 2023-06-30 Vehicle-ground wireless communication authentication method and system based on extended chebyshev polynomial Active CN116528235B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310786025.8A CN116528235B (en) 2023-06-30 2023-06-30 Vehicle-ground wireless communication authentication method and system based on extended chebyshev polynomial

Publications (2)

Publication Number Publication Date
CN116528235A CN116528235A (en) 2023-08-01
CN116528235B true CN116528235B (en) 2023-10-20

Family

ID=87397941

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310786025.8A Active CN116528235B (en) 2023-06-30 2023-06-30 Vehicle-ground wireless communication authentication method and system based on extended chebyshev polynomial

Country Status (1)

Country Link
CN (1) CN116528235B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant