CN116707956A - Zero knowledge proof-based internet of things equipment authentication method and device - Google Patents


Publication number
CN116707956A
Authority
CN
China
Prior art keywords
internet
things
authentication
equipment
public key
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310787523.4A
Other languages
Chinese (zh)
Inventor
陈友荣
黄家煊
王章权
缪克雷
王启越
刘半藤
韩蒙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Shuren University
Original Assignee
Zhejiang Shuren University
Application filed by Zhejiang Shuren University
Priority to CN202310787523.4A
Publication of CN116707956A
Legal status: Pending


Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an Internet of Things (IoT) device authentication method based on zero-knowledge proof, and belongs to the technical field of identity authentication. The authentication method comprises: determining public parameters through an authority, determining private parameters according to the public parameters, generating a public key and a private key, and sending the public parameters and the private parameters to an authentication center; receiving an authentication message of the IoT device through the authentication center, and determining whether the IoT device is registered; where the IoT device is registered, generating a blind certificate and a proof through the IoT device, and encrypting the public key of the IoT device; calculating a verification value through the authentication center, and verifying the proof and the public key of the IoT device; and where the proof and the public key are valid, determining that the authentication of the IoT device is successful. The scheme provided by the application can improve the authentication efficiency and the security of the system.

Description

Zero knowledge proof-based internet of things equipment authentication method and device
Technical Field
The application relates to the technical field of identity authentication, in particular to an internet of things equipment authentication method and device based on zero knowledge proof.
Background
In recent years, the rapid development of Internet of Things (IoT) technology has driven the growth of intelligent and mobile IoT devices and an explosive growth of data, which in turn has enabled a series of computation-intensive and delay-sensitive applications such as intelligent driving, smart cities and virtual reality. Data has become an important production factor in today's society, and analyzing and processing IoT data improves the quality of network applications and services, which promotes the rapid development of society. However, the number of IoT devices keeps increasing and malicious devices exist in the network, which places higher demands on data security and response time. Exchanging data and information securely and efficiently in an IoT environment is therefore a significant challenge. Identity authentication is the first line of defense of an IoT system: it ensures that only legitimate users or devices can access the system, and it has become a research focus for IoT security and privacy. However, faced with large numbers of intelligent devices that authenticate frequently and with various malicious devices, traditional, complex authentication methods are poorly suited to IoT scenarios that require fast authentication and are exposed to many kinds of malicious attacks. A secure and efficient identity authentication method is therefore needed, one that keeps the authentication of legitimate devices secure and efficient and prevents illegal access by malicious devices.
At present, identity authentication based on zero-knowledge proof is widely applied in fields such as intelligent transportation, smart healthcare and smart homes. Researchers at home and abroad have focused on identity authentication based on interactive zero-knowledge proof. For example, a five-round zero-knowledge identity authentication method based on the matrix filling problem has been proposed; it improves a three-round authentication method based on the same problem by adding one more exchange of a random challenge value between verifier and prover, which reduces the cheating probability of a single round of interaction from 2/3 to 1/2, but the method has to be repeated many times to reach the expected security. Han et al. propose an efficient and secure authentication method with zero-knowledge proof. The method improves the Feige-Fiat-Shamir zero-knowledge proof protocol and adopts zero-one reversal and two-to-one verification to solve the problem that guessing attacks cannot be effectively resisted. Xi et al. propose a secure and efficient anonymous authentication method that uses the lightweight Fujisaki-Okamoto commitment and elliptic curve encryption. However, this method needs to maintain a revocation list and must check during every verification whether the current user is on it, which reduces authentication efficiency and adds storage cost.
Boubakri et al. propose a zero-knowledge proof chaotic authentication method. It uses public key encryption based on the Chebyshev chaotic map to construct the public and private keys, and uses the semigroup property of Chebyshev polynomials and the arithmetic relation between the degree of the polynomial and the output of the polynomial to construct a zero-knowledge proof protocol, thereby realizing anonymous identity authentication. However, the data exchanged in each authentication run of this method is not randomized, so unlinkability is not satisfied: an attacker may associate an anonymous credential with the true identity of the user, causing privacy disclosure. Zhang et al. propose an authentication method based on the Chebyshev chaotic map: a binary exponentiation algorithm based on a square matrix provides secure and efficient Chebyshev polynomial computation, and lightweight primitives such as hash and exclusive-or are combined to construct a fast authentication and key agreement method, reducing computation and communication cost during authentication. Liu et al. propose a multi-factor authentication method based on zero-knowledge proof. The method takes the user identity, the password and the user's biometric features as part of the key in the key agreement process, and applies the low-cost Chebyshev chaotic map to zero-knowledge proof and fuzzy extraction, thereby realizing secure and efficient multi-factor authentication and key agreement. However, the above methods need multiple rounds of computation and interaction, have high communication overhead, and are not suitable for batch verification. Therefore, some scholars focus on identity authentication methods based on non-interactive zero-knowledge proof.
For example, Ashutosh et al. propose an Internet of Things privacy-preserving authentication system based on non-interactive zero-knowledge proof. The system improves the traditional interactive Schnorr protocol: the hash value of the commitment computed by the prover serves as the verifier's challenge value, and the identity of the device is verified quickly through modular exponentiation. Antonio et al. propose a lightweight authentication method. The method replaces the asymmetric encryption used in traditional public key infrastructure with elliptic curve encryption and improves the interactive Schnorr protocol with the Fiat-Shamir transformation. It uses a secure hash function to generate the random challenge value instead of having the verifier generate it, thereby avoiding multiple interactions between the two parties during authentication. The method is applicable to resource-constrained devices, but not to devices that require small verification delays. Andola et al. propose a lightweight distributed authentication and anonymous authorization method. It realizes anonymous authentication of unmanned aerial vehicles on a blockchain using non-interactive zero-knowledge proof based on bilinear mapping and a ring signature algorithm, but because it involves complex algorithms such as bilinear mapping and ring signatures, the amount of computation is large. Liu et al. propose a smart home privacy-preserving authentication method. The method introduces the concept of non-interactive chaotic zero knowledge for the first time; all authentication factors are authenticated directly by the gateway to resist secret leakage attacks, and the computation and communication cost of the device is reduced through lightweight operations such as the Chebyshev chaotic map, hash functions and exclusive-or.
However, the method still has the problems of a large amount of authentication computation and low efficiency, and cannot detect, trace back and revoke the identity of abnormal devices. Furthermore, the above methods all assume that the verifier is trusted, which leaves them vulnerable to internal attacks. As a result, a malicious device can link identification data such as public keys and commitments to a particular device, creating privacy leakage issues.
In summary, in terms of performance, conventional zero-knowledge identity authentication methods need elliptic curve encryption, bilinear pairing and similar operations, which consume a large amount of the device's computing resources, so generating and verifying proofs is time-consuming and device authentication efficiency is low; in terms of security, existing authentication methods are vulnerable to internal attacks by illegal devices, carry risks such as privacy disclosure, and are exposed to malicious behaviors of abnormal devices (such as abnormal traffic and irregular reporting frequency), which leads to risks such as system faults and security threats.
Disclosure of Invention
The embodiment of the application provides an internet of things equipment authentication method and device based on zero knowledge proof, which can solve the problems that equipment authentication efficiency is low, system faults are easy to cause and safety risks exist in the existing scheme.
In a first aspect of the embodiment of the present application, there is provided an authentication method for an internet of things device based on zero knowledge proof, the authentication method including:
determining public parameters through an authority, determining private parameters according to the public parameters, generating a public key and a private key, and sending the public parameters and the private parameters to an authentication center;
receiving an authentication message of the internet of things device through the authentication center, and determining whether the internet of things device is registered;
generating a blind certificate and a proof through the Internet of Things device where the Internet of Things device is registered, and encrypting the public key of the Internet of Things device;
calculating a verification value through the authentication center, and verifying the proof and the public key of the Internet of Things device;
and where the proof and the public key are valid, determining that the authentication of the Internet of Things device is successful.
Optionally, the authentication method further comprises:
under the condition that the Internet of things equipment is unregistered, transmitting a unique Identification (ID) of the Internet of things equipment to the authority;
and generating a public key, a private key and a certificate of the Internet of things equipment through the authority mechanism, and storing the public key and the unique identification ID of the Internet of things equipment in a local database.
Optionally, the authentication method further comprises:
detecting malicious behaviors of equipment accessing the Internet of things system in real time through a convolutional neural network long-short-term memory model based on an attention mechanism of the authority;
searching a local database to find the true Identity (ID) of the abnormal equipment under the condition that the authority detects the abnormal information;
and sending the information of the abnormal equipment to legal Internet of things equipment in the Internet of things, and canceling sharing of the abnormal equipment.
Optionally, in the case that the number of Internet of Things devices is one, the authentication center calculates the verification value $D_1$ by the following formula
Optionally, in the case that the number of the devices of the internet of things is plural, the authentication center calculates the verification values of the plural devices of the internet of things by the following formula
In a second aspect of the embodiment of the present application, there is provided an authentication apparatus for an internet of things device based on zero knowledge proof, the authentication apparatus comprising:
the public parameter determining device is used for determining public parameters through the authority mechanism, determining private parameters according to the public parameters, generating a public key and a private key, and sending the public parameters and the private parameters to the authentication center;
the authentication confirmation device is used for receiving the authentication information of the internet of things equipment through the authentication center and determining whether the internet of things equipment is registered or not;
the proof generation device is used for generating a blind certificate and a proof through the Internet of Things device and encrypting the public key of the Internet of Things device where the Internet of Things device is registered;
the public key verification device is used for calculating a verification value through the authentication center and verifying the proof and the public key of the Internet of Things device;
and the identity authentication device is used for determining that the Internet of Things device is successfully authenticated where the proof and the public key are valid.
Optionally, the authentication device further includes an identity registration device, configured to send, when the internet of things device is unregistered, a unique identifier ID of the internet of things device to the authority;
and generating a public key, a private key and a certificate of the Internet of things equipment through the authority mechanism, and storing the public key and the unique identification ID of the Internet of things equipment in a local database.
Optionally, the authentication device further comprises an anomaly detection device, which is used for detecting the malicious behavior of the device accessing the internet of things system in real time through a convolutional neural network long-short-term memory model based on an attention mechanism by the authority;
searching a local database to find the true Identity (ID) of the abnormal equipment under the condition that the authority detects the abnormal information;
and sending the information of the abnormal equipment to legal Internet of things equipment in the Internet of things, and canceling sharing of the abnormal equipment.
Optionally, in the case that the number of Internet of Things devices is one, the authentication center calculates the verification value $D_1$ by the following formula
Optionally, in the case that the number of the devices of the internet of things is plural, the authentication center calculates the verification values of the plural devices of the internet of things by the following formula
According to the Internet of Things device authentication method based on zero-knowledge proof, public parameters are determined through an authority, private parameters are determined according to the public parameters, a public key and a private key are generated, and the public parameters and the private parameters are sent to an authentication center; an authentication message of the Internet of Things device is received through the authentication center, and it is determined whether the Internet of Things device is registered; where the Internet of Things device is registered, a blind certificate and a proof are generated through the Internet of Things device, and the public key of the Internet of Things device is encrypted; a verification value is calculated through the authentication center, and the proof and the public key of the Internet of Things device are verified; and where the proof and the public key are valid, it is determined that the authentication of the Internet of Things device is successful. The application provides a secure and efficient proof generation and verification method. To satisfy device anonymity and traceability at the same time, it improves the initialization of the authentication method, which ensures device anonymity and creates the preconditions for device traceability and system security; it keeps the device and its proof unlinkable and reduces the amount of verification computation. In addition, the application provides an anonymous batch authentication protocol for large-scale Internet of Things based on non-interactive zero-knowledge proof, which can reduce the amount of computation, improve authentication efficiency and ensure the authentication security of devices.
Drawings
Fig. 1 is a flow chart of an internet of things device authentication method based on zero knowledge proof provided by an embodiment of the application;
fig. 2 is a schematic structural diagram of an internet of things device authentication apparatus based on zero knowledge proof according to an embodiment of the present application;
fig. 3 is a step diagram of internet of things equipment authentication based on zero knowledge proof provided by the embodiment of the application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein.
It should be understood that, in various embodiments of the present application, the sequence number of each process does not mean that the execution sequence of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
It should be understood that in the present application, "comprising" and "having" and any variations thereof are intended to cover non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements that are expressly listed or inherent to such process, method, article, or apparatus.
The technical scheme of the application is described in detail below by specific examples. The following embodiments may be combined with each other, and some embodiments may not be repeated for the same or similar concepts or processes.
First, a brief description of zero-knowledge proof technology is given. Zero-knowledge proof was proposed by S. Goldwasser, S. Micali, and C. Rackoff in the early 1980s. It refers to the ability of a prover to convince a verifier that a certain assertion is correct without providing any useful information to the verifier. A zero-knowledge proof is essentially a protocol involving two or more parties, i.e., a series of steps that two or more parties need to take to complete a task. The prover proves to the verifier, and makes the verifier believe, that it knows or possesses a certain message, but the proving process must not reveal any information about that message to the verifier. The technique is commonly used in cryptography and authentication.
Fig. 1 schematically illustrates a flowchart of an authentication method for an internet of things device based on zero knowledge proof according to an embodiment of the present application, as shown in fig. 1, where the authentication method includes:
S101, determining public parameters through an authority, determining private parameters according to the public parameters, generating a public key and a private key, and sending the public parameters and the private parameters to an authentication center;
The authority is a main server in the Internet of Things and is used to generate keys. The authentication center is an authoritative and impartial third-party service that undertakes online secure electronic transaction authentication in the Internet of Things, issues digital certificates, confirms user identity, and so on. The authentication center may officially authorize a certain public key to the user. The public key is generated by the authority: specifically, the authority sets the public parameters, selects three random numbers from a finite field, and obtains the public key through a preset algorithm, and the public key is sent to the authority. A finite field, also known as a Galois field, is a field containing only a finite number of elements. The characteristic of a finite field must be a prime number $p$, so the prime field it contains is isomorphic to $Z_p$. If $F$ is a finite field of characteristic $p$, the number of elements in $F$ is $p^n$, where $n$ is a positive integer.
S102, receiving an authentication message of the Internet of things equipment through the authentication center, and determining whether the Internet of things equipment is registered or not;
it can be understood that when the authentication center receives the authentication message sent by the internet of things device, it first determines whether the identity of the internet of things device is a registered user in the network, if so, it indicates that the identity information of the internet of things device in the system database can be directly invoked, and if not, it needs to register the internet of things device first.
When registering the Internet of things equipment, transmitting a unique identification ID of the Internet of things equipment to an authority; and generating a public key, a private key and a certificate of the Internet of things equipment through an authority mechanism, and storing the public key and the unique identification ID of the Internet of things equipment in a local database. Therefore, when the internet of things equipment performs identity authentication next time, the identity can be directly determined through key comparison.
S103, under the condition that the Internet of things equipment is registered, generating a blind certificate and a proof through the Internet of things equipment, and encrypting a public key of the Internet of things equipment;
In this step, to ensure that the device is unlinkable, the real certificate of the device may be blinded by a certificate blinding formula. The design is based on the efficient Fiat-Shamir heuristic: verification checks arithmetic relations between randomized data such as the blind certificate and the proof, which keeps the device and its proof unlinkable and reduces the amount of verification computation.
S104, calculating a verification value through the authentication center, and verifying the proof and the public key of the Internet of Things device;
In the verification value calculation, the algorithm is chosen according to the number of Internet of Things devices to be verified. If there is only one device to be verified, the verification value can be calculated directly; if there are multiple devices to be verified, the verification values can be calculated for the devices as a whole, which reduces the amount of computation and improves verification efficiency.
S105, where the proof and the public key are valid, determining that the authentication of the Internet of Things device is successful.
After the identity authentication is successful, the equipment in the network is required to be scanned and detected at regular time, so that malicious behaviors of the equipment accessing the Internet of things system are prevented, and the safety of the Internet of things system is improved. The authority can detect malicious behaviors of equipment accessing the Internet of things system in real time through a convolutional neural network long-short-term memory model based on an attention mechanism; searching a local database to find the true Identity (ID) of the abnormal equipment under the condition that the authority detects the abnormal information; and sending the information of the abnormal equipment to legal Internet of things equipment in the Internet of things, and canceling sharing of the abnormal equipment.
The method for authenticating the internet of things device based on the zero knowledge proof provided by the application is described in detail below by using a specific embodiment, please refer to fig. 3, which is a specific step diagram of the embodiment of the application:
Step 1: The authority sets the public parameters $\{g, p\}$, selects three random numbers $x$ and $\{z_1, z_2\}$ from the finite field $Z_p$, computes the group public key $Y_1 = g^x \bmod p$, and calculates the public key $\{Y_2, Y_3, Y_4\}$ by equation (1);
where $g$ denotes a primitive root modulo $p$, $p$ denotes a large prime number, $Y_1$ denotes the group public key, $\{Y_2, Y_3, Y_4\}$ denotes the public key of the authority, $\{z_1, z_2\}$ denotes the private key of the authority, and $x$ denotes the secret parameter.
Step 2: the authority transmits the public parameters { g, p } and the secret parameter x to the authentication center;
Step 3: When an Internet of Things device needs to perform identity authentication, it is determined whether the current device is registered. If the current device is unregistered, the device sends its unique identification ID to the authority. The authority selects a random number $k \in Z_p$ as the private key of the device and calculates the public key of the device $P = g^k \bmod p$. It selects a random number $r \in Z_p$ and a secret parameter $y \in Z_p$, generates the device certificate $\{c_1, c_2, c_3\}$ by equation (2), and jumps to step 4. Otherwise, the current device is already registered, and the procedure jumps to step 5;
Step 4: The authority transmits the random number $r$, the secret parameter $y$, the private key $k$, the public key $P$ and the certificate $\{c_1, c_2, c_3\}$ to the device through a secure channel, and stores the public key $P$ and the unique identification ID of the device together in a local database;
Step 5: The Internet of Things device selects random numbers $r_1, r_2 \in Z_p$, computes the blind certificate from the certificate $\{c_1, c_2, c_3\}$ by equation (3), selects random numbers $\mathit{rp}, \mathit{rm} \in Z_p$, and generates a proof of device identity by equation (4);
where $\{C_1, C_2, C_3\}$ denotes the blind certificate of the device, used for generating and verifying the device proof, and $r_1$ and $r_2$ denote two random numbers selected by the device from the finite field $Z_p$;
where $\{D_1, D_2, D_3\}$ denotes the proof of the device, $m$ denotes the request message with which the device accesses the platform, and Tstamp denotes the current timestamp.
Step 6: To support identity tracing, the device uses the authority public key $\{Y_2, Y_3, Y_4\}$ to encrypt its public key $P$ into the ciphertext $\{T_1, T_2, T_3\}$ by equation (5). It packs the blind certificate $\{C_1, C_2, C_3\}$, the proof $\{D_1, D_2, D_3\}$, the public key ciphertext $\{T_1, T_2, T_3\}$, the timestamp Tstamp and the message $m$ into a digital signature, and sends the digital signature to the authentication center;
where $\{T_1, T_2, T_3\}$ denotes the ciphertext of the device public key $P$, and $\alpha$ and $\beta$ denote two random numbers selected by the device from the finite field $Z_p$.
Step 7: the authentication center receives the public key ciphertext { T } 1 ,T 2 ,T 3 And transmitted to the authority over the secure channel. Authority is based on private key { z 1 ,z 2 The public key P of the device is obtained by equation (6), checked whether the public key P is stored in the local database, and the result is returned to the authentication center. If the public key P is stored in the database, the authority records the public key ciphertext;
Step 8: If the authentication center receives the digital signature of a single device, it calculates the verification value $D_1$ by formula (7), combining all the data provided by the device with the secret parameter $x$. The authentication center checks whether the equation $D_1 \overset{?}{=} D_1$ holds and whether the public key ciphertext of the device is valid, in order to verify the legitimacy of the device identity. If the equation holds and the public key of the device is stored in the database, the authentication center accepts the digital signature of the device, and the identity authentication of the device succeeds. Otherwise, the authentication center regards the device as an illegal device and rejects the signature, and the identity authentication of the illegal device fails. Finally, the authentication center feeds the authentication result back to the current device;
Step 9: If the authentication center receives digital signatures of more than n devices in a short time, it calculates the verification values of the n devices by formula (8). The authentication center checks the verification equation and checks whether the public key ciphertexts of the n devices are valid, in order to verify the legitimacy of the n device identities together. If the equation holds and the public keys of the n devices are all stored in the database, the authentication center accepts the digital signatures of the n devices at the same time, and the identity authentication of all the devices succeeds. Otherwise, the authentication center divides the n digital signatures into two subsets and performs batch verification again. This process continues until all invalid digital signatures are found and all legitimate digital signatures are verified. Finally, the authentication center feeds the authentication results back to the current n devices;
Step 10: The authority detects, in real time, malicious behavior of devices accessing the Internet of Things system through an attention-based convolutional neural network long short-term memory model;
Step 11: If the authority detects abnormal information from a device, it extracts the public key ciphertext of the device from the abnormal information. Using its private key $\{z_1, z_2\}$, it calculates the public key $P$ of the abnormal device by equation (6). The authority then searches the local database to find the real identity ID of the abnormal device corresponding to the public key $P$. Otherwise, no abnormal device has been detected; jump to step 3;
Step 12: The authority randomly selects a secret parameter $x' \in Z_p$ and periodically sends the secret parameter and the real identity ID of the abnormal device to the authentication center through a secure channel;
Step 13: The authentication center generates a new group public key $Y_1'$ according to the secret parameter x, shares the group public key $Y_1'$ with all legitimate Internet of Things devices through a secure channel, cancels sharing with the abnormal devices, and jumps to step 3.
In the zero-knowledge-proof-based Internet of Things device authentication method, for the initialization of the authority and the authentication center, the public and private keys of the authority are generated using the exponential property of the Diffie-Hellman key exchange protocol, and a group public key is introduced, which creates the preconditions for device traceability and system security. For the registration of Internet of Things devices, device anonymity is ensured by issuing a certificate. For the identity tracing and revocation mechanism, the real identity of an abnormal device is traced by decrypting the public key ciphertext of the device, and the identities of multiple abnormal devices are revoked quickly by updating the group public key, which prevents abnormal devices from gaining access and reduces the extra cost of the revocation mechanism. For the proof generation and verification method, a certificate blinding formula is proposed to ensure that devices cannot be linked, and the real certificate of the device is blinded. Based on an efficient Fiat-Shamir heuristic design, a new proof generation formula and a new verification formula are proposed that check the arithmetic relation between random data such as the blind certificate and the proof, which ensures the unlinkability of the device and the proof and reduces the amount of verification computation. A polynomial with multiplicative homomorphism is provided for batch verification. Based on the improved formulas, a large-scale Internet of Things anonymous batch authentication protocol based on non-interactive zero-knowledge proof is proposed, which reduces the amount of computation, improves authentication efficiency and ensures the security of device authentication.
Through the initialization method, the identity tracing and revocation mechanism, and the large-scale Internet of Things anonymous batch authentication protocol based on non-interactive zero-knowledge proof, the method reduces the amount of computation, improves the identity authentication efficiency of Internet of Things devices, ensures the security and privacy of Internet of Things devices during identity authentication, and prevents abnormal devices from accessing the Internet of Things system.
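The batch-then-bisect control flow of step 9, as an added example that is not the patent's own code. Formulas (7) and (8) are not reproduced on this page, so plain Schnorr proofs checked with random-weight batch verification stand in for them. The toy group, all function names and the sample requests are assumptions constructed for illustration, and the stand-in exposes the device public key, so it does not model the blind certificate or anonymity.

```python
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; this base set is deterministic for n < 2**64."""
    if n < 2:
        return False
    for a in _BASES:
        if n % a == 0:
            return n == a
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(bits=61):
    """Assumed toy parameters: safe prime p = 2q + 1; g = 4 has prime order q."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P_MOD, Q, G = toy_group()  # far too small for real use; illustration only

def challenge(R, pub, msg):
    """Fiat-Shamir challenge: hash of commitment, public key and message."""
    digest = hashlib.sha256(f"{R}|{pub}|".encode() + msg).digest()
    return int.from_bytes(digest, "big") % Q

def prove(k, msg):
    """Device side: Schnorr proof of knowledge of private key k, bound to msg."""
    r = secrets.randbelow(Q - 1) + 1
    R, pub = pow(G, r, P_MOD), pow(G, k, P_MOD)
    c = challenge(R, pub, msg)
    return {"pub": pub, "R": R, "s": (r + c * k) % Q, "msg": msg}

def verify_one(sig):
    """Single check: g^s == R * pub^c (mod p)."""
    c = challenge(sig["R"], sig["pub"], sig["msg"])
    return pow(G, sig["s"], P_MOD) == sig["R"] * pow(sig["pub"], c, P_MOD) % P_MOD

def verify_batch(sigs):
    """One combined check: g^(sum w_i*s_i) == prod (R_i * pub_i^c_i)^w_i."""
    exp, rhs = 0, 1
    for sig in sigs:
        R, pub = sig["R"], sig["pub"]
        # Random weights are only sound if both elements lie in the order-q subgroup.
        if pow(R, Q, P_MOD) != 1 or pow(pub, Q, P_MOD) != 1:
            return False
        w = secrets.randbelow(Q - 1) + 1  # fresh weight stops errors cancelling
        c = challenge(R, pub, sig["msg"])
        exp = (exp + w * sig["s"]) % Q
        rhs = rhs * pow(R, w, P_MOD) * pow(pub, c * w % Q, P_MOD) % P_MOD
    return pow(G, exp, P_MOD) == rhs

def find_invalid(sigs, offset=0):
    """Step 9 fallback: return (indices of invalid signatures, batch checks used)."""
    if verify_batch(sigs):
        return [], 1
    if len(sigs) == 1:
        return [offset], 1
    mid = len(sigs) // 2
    left, n_left = find_invalid(sigs[:mid], offset)
    right, n_right = find_invalid(sigs[mid:], offset + mid)
    return left + right, 1 + n_left + n_right

def make_batch(n, bad=()):
    """Constructed sample input: n signed requests; indices in `bad` are tampered."""
    sigs = [prove(secrets.randbelow(Q - 1) + 1, f"access-request-{i}".encode())
            for i in range(n)]
    for i in bad:
        sigs[i]["s"] = (sigs[i]["s"] + 1) % Q
    return sigs

if __name__ == "__main__":
    print(find_invalid(make_batch(8)))              # all valid: one batch check
    print(find_invalid(make_batch(8, bad=(2, 5))))  # bisection isolates 2 and 5
```

With two invalid signatures among eight, the bisection spends 11 batch checks, more than eight individual checks, so the fallback pays off only when invalid signatures are rare.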
An embodiment of the application also provides a zero-knowledge-proof-based Internet of Things device authentication apparatus 20, which comprises:
a public parameter determining device 201, configured to determine public parameters through an authority, determine private parameters according to the public parameters, generate a public key and a private key, and send the public parameters and the private parameters to an authentication center;
an authentication confirmation device 202, configured to receive an authentication message of an Internet of Things device through the authentication center and determine whether the Internet of Things device is registered;
a proof generating device 203, configured to generate a blind certificate and a proof through the Internet of Things device and encrypt the public key of the Internet of Things device when the Internet of Things device is registered;
a public key verification device 204, configured to calculate a verification value through the authentication center and verify the proof and the public key of the Internet of Things device;
and an identity authentication device 205, configured to determine that the authentication of the Internet of Things device is successful when both the proof and the public key are valid.
Optionally, the authentication apparatus further comprises an identity registration device 206, configured to send the unique identification ID of the Internet of Things device to the authority when the Internet of Things device is unregistered, to generate a public key, a private key and a certificate of the Internet of Things device through the authority, and to store the public key and the unique identification ID of the Internet of Things device in a local database.
Optionally, the authentication apparatus further comprises an anomaly detection device 207, configured to detect, through the authority and in real time, malicious behavior of devices accessing the Internet of Things system using an attention-based convolutional neural network long short-term memory model; to search a local database to find the real identity ID of the abnormal device when the authority detects abnormal information; and to send the information of the abnormal device to the legitimate Internet of Things devices in the Internet of Things and cancel sharing with the abnormal device.
The zero-knowledge-proof-based Internet of Things device authentication apparatus 20 provided by the embodiment of the application can implement each process implemented in the embodiment of the zero-knowledge-proof-based Internet of Things device authentication method; to avoid repetition, the description is not repeated here.
In the zero-knowledge-proof-based Internet of Things device authentication apparatus, public parameters are determined through an authority, private parameters are determined according to the public parameters, a public key and a private key are generated, and the public parameters and the private parameters are sent to an authentication center; an authentication message of the Internet of Things device is received through the authentication center, and it is determined whether the Internet of Things device is registered; when the Internet of Things device is registered, a blind certificate and a proof are generated through the Internet of Things device, and the public key of the Internet of Things device is encrypted; a verification value is calculated through the authentication center, and the proof and the public key of the Internet of Things device are verified; and when both the proof and the public key are valid, the authentication of the Internet of Things device is determined to be successful. By improving the initialization method of the authentication method, the embodiment of the application can ensure device anonymity, creates the preconditions for device traceability and system security, can reduce the consumption of computing resources, improves authentication efficiency, and improves the security of the system.
The present application may be a method, apparatus, system, and/or computer program product. The computer program product may include a computer readable storage medium having computer readable program instructions embodied thereon for performing various aspects of the present application.
The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium include the following: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disc read-only memory (CD-ROM), digital versatile disks (DVD), memory sticks, floppy disks, mechanically encoded devices such as punch cards or raised structures in a groove having instructions stored thereon, and any suitable combination of the foregoing. Computer readable storage media, as used herein, are not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., optical pulses through fiber optic cables), or electrical signals transmitted through wires.
The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a respective computing/processing device or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmissions, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium in the respective computing/processing device.
Computer program instructions for carrying out operations of the present application may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present application are implemented by personalizing electronic circuitry, such as programmable logic circuitry, field programmable gate arrays (FPGAs), or programmable logic arrays (PLAs), with state information of the computer readable program instructions, so that the electronic circuitry can execute the computer readable program instructions.
Various aspects of the present application are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer readable program instructions may be provided to a processing unit of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable medium having the instructions stored therein includes an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Note that all features disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is only one example of a generic series of equivalent or similar features. Where the terms "further", "preferably", "still further" or "more preferably" are used, they introduce a brief description of another embodiment built on the foregoing embodiment, and the content that follows the term, combined with the foregoing embodiment, forms the complete other embodiment. Several such "further", "preferably", "still further" or "more preferably" arrangements following the same embodiment may be combined arbitrarily to form yet another embodiment.
It will be appreciated by persons skilled in the art that the embodiments of the application described above and shown in the drawings are by way of example only and are not limiting. The objects of the present application have been fully and effectively achieved. The functional and structural principles of the present application have been shown and described in the examples, and the embodiments of the application may be modified or practiced in other ways without departing from the principles described.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present application, not to limit it. Although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (10)

1. A zero-knowledge-proof-based Internet of Things device authentication method, characterized by comprising the following steps:
determining public parameters through an authority, determining private parameters according to the public parameters, generating a public key and a private key, and sending the public parameters and the private parameters to an authentication center;
receiving an authentication message of the Internet of Things device through the authentication center, and determining whether the Internet of Things device is registered;
generating a blind certificate and a proof through the Internet of Things device when the Internet of Things device is registered, and encrypting the public key of the Internet of Things device;
calculating a verification value through the authentication center, and verifying the proof and the public key of the Internet of Things device;
and determining that the authentication of the Internet of Things device is successful when both the proof and the public key are valid.
2. The zero-knowledge-proof-based Internet of Things device authentication method of claim 1, wherein the authentication method further comprises:
sending the unique identification ID of the Internet of Things device to the authority when the Internet of Things device is unregistered;
and generating a public key, a private key and a certificate of the Internet of Things device through the authority, and storing the public key and the unique identification ID of the Internet of Things device in a local database.
3. The zero-knowledge-proof-based Internet of Things device authentication method of claim 1, wherein the authentication method further comprises:
detecting, through the authority and in real time, malicious behavior of devices accessing the Internet of Things system using an attention-based convolutional neural network long short-term memory model;
searching a local database to find the real identity ID of the abnormal device when the authority detects abnormal information;
and sending the information of the abnormal device to the legitimate Internet of Things devices in the Internet of Things, and cancelling sharing with the abnormal device.
4. The zero-knowledge-proof-based Internet of Things device authentication method of claim 1, wherein:
when the number of Internet of Things devices is one, the authentication center calculates the verification value $D_1$ by the following formula
5. The zero-knowledge-proof-based Internet of Things device authentication method of claim 4, wherein:
when the number of Internet of Things devices is more than one, the authentication center calculates the verification values of the plurality of Internet of Things devices by the following formula
6. A zero-knowledge-proof-based Internet of Things device authentication apparatus, wherein the authentication apparatus comprises:
a public parameter determining device, configured to determine public parameters through an authority, determine private parameters according to the public parameters, generate a public key and a private key, and send the public parameters and the private parameters to an authentication center;
an authentication confirmation device, configured to receive an authentication message of the Internet of Things device through the authentication center and determine whether the Internet of Things device is registered;
a proof generating device, configured to generate a blind certificate and a proof through the Internet of Things device and encrypt the public key of the Internet of Things device when the Internet of Things device is registered;
a public key verification device, configured to calculate a verification value through the authentication center and verify the proof and the public key of the Internet of Things device;
and an identity authentication device, configured to determine that the authentication of the Internet of Things device is successful when both the proof and the public key are valid.
7. The zero-knowledge-proof-based Internet of Things device authentication apparatus of claim 6, wherein the authentication apparatus further comprises an identity registration device configured to:
send the unique identification ID of the Internet of Things device to the authority when the Internet of Things device is unregistered;
and generate a public key, a private key and a certificate of the Internet of Things device through the authority, and store the public key and the unique identification ID of the Internet of Things device in a local database.
8. The zero-knowledge-proof-based Internet of Things device authentication apparatus of claim 6, wherein the authentication apparatus further comprises an anomaly detection device configured to:
detect, through the authority and in real time, malicious behavior of devices accessing the Internet of Things system using an attention-based convolutional neural network long short-term memory model;
search a local database to find the real identity ID of the abnormal device when the authority detects abnormal information;
and send the information of the abnormal device to the legitimate Internet of Things devices in the Internet of Things, and cancel sharing with the abnormal device.
9. The zero-knowledge-proof-based Internet of Things device authentication apparatus of claim 6, wherein:
when the number of Internet of Things devices is one, the authentication center calculates the verification value $D_1$ by the following formula
10. The zero-knowledge-proof-based Internet of Things device authentication apparatus of claim 9, wherein:
when the number of Internet of Things devices is more than one, the authentication center calculates the verification values of the plurality of Internet of Things devices by the following formula
CN202310787523.4A 2023-06-29 2023-06-29 Zero knowledge proof-based internet of things equipment authentication method and device Pending CN116707956A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310787523.4A CN116707956A (en) 2023-06-29 2023-06-29 Zero knowledge proof-based internet of things equipment authentication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310787523.4A CN116707956A (en) 2023-06-29 2023-06-29 Zero knowledge proof-based internet of things equipment authentication method and device

Publications (1)

Publication Number Publication Date
CN116707956A true CN116707956A (en) 2023-09-05

Family

ID=87845023

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310787523.4A Pending CN116707956A (en) 2023-06-29 2023-06-29 Zero knowledge proof-based internet of things equipment authentication method and device

Country Status (1)

Country Link
CN (1) CN116707956A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117272293A (en) * 2023-11-20 2023-12-22 北京信安世纪科技股份有限公司 Method, system, device and storage medium for generating common parameters in zero knowledge proof
CN117272293B (en) * 2023-11-20 2024-02-13 北京信安世纪科技股份有限公司 Method, system, device and storage medium for generating common parameters in zero knowledge proof
CN117675412A (en) * 2024-01-31 2024-03-08 中国民用航空总局第二研究所 Data sharing method with strong privacy protection in industrial Internet of things scene
CN117896183A (en) * 2024-03-14 2024-04-16 杭州海康威视数字技术股份有限公司 Aggregation batch authentication method and system for large-scale Internet of things equipment
CN117896183B (en) * 2024-03-14 2024-07-02 杭州海康威视数字技术股份有限公司 Aggregation batch authentication method and system for large-scale Internet of things equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination