CN117376026A - Internet of things equipment identity authentication method and system - Google Patents

Info

Publication number: CN117376026A
Authority: CN (China)
Prior art keywords: internet, information, identity, identity authentication, things
Legal status: Pending
Application number: CN202311587193.0A
Other languages: Chinese (zh)
Inventors: 王文悦, 禹继国, 王桂娟, 董安明, 韩玉冰
Current Assignee: Qufu Normal University
Original Assignee: Qufu Normal University

Classifications

    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps


Abstract

The invention discloses an identity authentication method and system for Internet of things equipment, belongs to the technical field of blockchains, and aims to solve the technical problem of how to realize the identity authentication of the Internet of things equipment based on the blockchains and provide a safe transmission channel. Carrying out identity authentication on the Internet of things equipment based on the blockchain and elliptic curve encryption algorithm, selecting a private key for each Internet of things equipment, generating a public key through the elliptic curve encryption algorithm, and obtaining a public key hash value; the identity authentication center performs identity registration calculation based on the registration request information to obtain local identity authentication information and identity registration information, and the internet of things equipment uploads the identity registration information and the public key of the internet of things equipment as identity authentication information to an identity authentication contract of the blockchain through a secure channel; the identity authentication center performs identity authentication on the internet of things equipment based on the login request information, the local identity authentication information and the identity authentication information stored in the identity intelligent contract, and returns a digital certificate to the internet of things equipment.

Description

Internet of things equipment identity authentication method and system
Technical Field
The invention relates to the technical field of blockchain, in particular to an identity authentication method and system for equipment of the Internet of things.
Background
With the continuous development of the internet of things technology, more and more devices and sensors are connected into a network. Therefore, the devices of different types can communicate and cooperate with each other, so that the acquisition, transmission, processing and application of data are realized. Multiple devices can share data and resources, and the speed and efficiency of information transmission are greatly improved. The internet of things has wide application scenarios including industrial automation, smart agriculture, smart city and smart home. The technology of the Internet of things has profound effects on social development, and efficiency, sustainability and intellectualization in each field are improved.
However, the internet of things device also has problems of single point of failure, data security and privacy disclosure. Therefore, an identity authentication scheme of the internet of things device is important to ensure legal identity of the participant. Unfortunately, data information is often transmitted through an unsafe channel, and the security of the data cannot be guaranteed.
Authentication is widely used to protect data and the identity of devices, and researchers have begun to apply blockchain techniques to the identity authentication of internet of things devices in order to better address the security issues these devices face. A blockchain is a decentralized distributed database that ensures the security and tamper resistance of data through encryption algorithms and consensus mechanisms. Blockchain-based authentication schemes have many advantages. First, due to the decentralized nature of blockchains, the risk of single point failure and centralized identity management is eliminated. Secondly, encryption algorithms are used to ensure confidentiality and integrity of the data during transmission and storage. Meanwhile, a strong authentication and authorization mechanism is introduced, so that only authorized equipment and users can access and operate key data. Most importantly, the blockchain technology provides a tamper-resistant identity record, so that the identity information of the equipment cannot be forged or tampered with, and the credibility of identity authentication is enhanced.
How to realize the identity authentication of the internet of things equipment based on the blockchain and provide a safe transmission channel is a technical problem to be solved.
Disclosure of Invention
The technical task of the invention is to provide the identity authentication method and the system for the equipment of the Internet of things aiming at the defects, so as to solve the technical problem of how to realize the identity authentication of the equipment of the Internet of things based on the blockchain and provide a safe transmission channel.
In a first aspect, the invention provides an identity authentication method for an internet of things device, which performs identity authentication on the internet of things device based on a blockchain and elliptic curve encryption algorithm, and comprises the following steps:
identity identification generation: for each Internet of things device, selecting a random number as a private key, selecting a curve parameter as a base point, generating a public key through an elliptic curve encryption algorithm, and performing hash operation on the public key to obtain a public key hash value;
identity registration: for each piece of internet of things equipment, the internet of things equipment sends registration request information to an identity authentication center, the identity authentication center carries out identity registration calculation based on the registration request information to obtain local identity authentication information and identity registration information, the local identity authentication information and the registration request information are stored locally, the identity registration information is returned to the internet of things equipment, the internet of things equipment takes the identity registration information and a public key thereof as identity authentication information and uploads the identity authentication information and the public key thereof to an identity authentication contract of a blockchain through a secure channel, wherein the equipment information comprises equipment ID, login password, public key, private key and curve parameter of the internet of things equipment, the local identity authentication information comprises identity identification information, equipment expiration time and local identity authentication intermediate information, and the identity registration information comprises identity identification information and blockchain identity authentication intermediate information;
Identity authentication: for each Internet of things device, the Internet of things device sends login request information to an identity authentication center, the login request information comprises the identity registration information of the Internet of things device and a random number which is randomly generated, the identity authentication center carries out identity authentication on the Internet of things device based on the login request information, the local identity authentication information and the identity authentication information stored in an identity intelligent contract, and returns a digital certificate to the Internet of things device, and the digital certificate comprises the device ID, a public key and the validity period of the digital certificate of the Internet of things device;
authorized access: the internet of things equipment performs identity authentication with other internet of things equipment based on the identity digital certificate and obtains authorized access;
identity management: in the authorized access process of the Internet of things equipment, if the identity authentication fails, the identity authentication information of the Internet of things equipment in the blockchain is logged off.
Preferably, the public key is calculated as follows:
pubK=priK*G
where G represents the base point, priK represents the private key, and pubK represents the public key.
Preferably, when the public key is hashed to obtain a public key hash value, the public key is hashed by using the SHA256 algorithm, and a digest with a fixed length is generated as the public key hash value H, where H=h(pubK).
Preferably, for the internet of things device Di and the identity authentication center IAC, the identity registration comprises the following steps:
the method comprises the steps that the Internet of things device performs hash calculation based on a device ID and a login password to obtain a device hash value, and sends the device hash value, a public key, a private key and curve parameters to an identity registration center as registration request information, wherein a calculation formula of the device hash value Ii is as follows: Ii=h(IDi||PWi), where IDi denotes a device ID, PWi denotes a login password, and h() denotes a hash operation;
after receiving the registration request information, the identity registration center generates a random character string, performs identity registration calculation based on the registration request information and the random character string, and the identity registration calculation comprises the following steps:
PIDi=h(Ri||ID_IAC||Ii)⊕ID_IAC,
CK=h(Ri||priK||EXP_time||PIDi),
CK’=CK*G,
Ti=Ri⊕h(priK||PIDi),
Ai=h(Ti⊕Ii⊕CK’),
Ai’=Ai*G,
the identity authentication center stores Ai ', PIDi and EXP_time as local identity authentication information to the local, and returns PIDi, CK' and Ti as identity registration information to the Internet of things equipment;
the internet of things device uploads the identity registration information and the public key of the internet of things device as identity authentication information to an identity authentication contract of the blockchain through a secure channel;
where PIDi represents identity identification information, EXP_time represents equipment expiration time, CK represents an encryption key, CK' represents a derived encryption key, Ti represents a temporary value, Ai represents an authentication code, and Ai' represents a derived authentication code; CK, CK', Ti and Ai' serve as authentication intermediate information, Ai' as local authentication intermediate information, and CK' and Ti as blockchain authentication intermediate information.
Preferably, for the internet of things device Di and the identity authentication center IAC, the identity authentication comprises the following steps:
the method comprises the steps that an Internet of things device generates a random number N1, generates a current time stamp T1, generates login request information {PIDi, P1, Y, T1} based on the random number N1, the current time stamp T1 and identity information PIDi, and sends the login request information {PIDi, P1, Y, T1} to an identity authentication center;
wherein P1=N1*G, P2=h(N1*CK'), Y=h(P1||P2||T1), and CK' is blockchain identity authentication information;
after receiving login request information { PIDi, P1, Y, T1}, the identity authentication center obtains a current timestamp T2, if the time difference of T2-T1 is smaller than a threshold time T, the identity authentication center inquires corresponding EXP_time from the local based on PIDi, inquires corresponding Ti from a blockchain based on PIDi, judges whether the Internet of things equipment is out of date based on EXP_time, and if not, performs the following information calculation:
Rs=Ti⊕h(priK||PIDi),
CK=h(Rs||priK||EXP_time||PIDi),
P2’=h(P1*CK),
Y’=h(P1||P2’||T1),
judging whether Y' is equal to Y, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
the identity authentication center generates a random number N2, acquires a current time stamp T3 and calculates the following information: P3=N2*G, P4=N2*Ai', Z=h(P3||P4||T3), and transmits information {Z, P3, T3} to the Internet of things equipment;
After the internet of things equipment receives the information {Z, P3, T3}, a current timestamp T4 is obtained, and if the time difference of T4-T3 is smaller than a time threshold T, the following information calculation is performed:
Ai=h(Ti⊕Ii⊕CK’),
P4’=P3*Ai,
Z’=h(P3||P4’||T3),
judging whether Z' is equal to Z, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
the internet of things equipment performs the following information calculation:
Vi=h(SK||(N1*CK’)),
SK=h((N1*P3)||Ai||T4),
the current timestamp is obtained and T4 is generated, and login information { Vi, T4} is sent to an identity authentication center;
after receiving login information { Vi, T4}, the identity authentication center obtains a current timestamp T5, and if the time difference between T5 and T4 is smaller than a time threshold T, the identity authentication center performs the following information calculation:
Vi’=h((P1*CK)||SK)
judging whether Vi and Vi' are equal, if not, rejecting the login request of the internet of things equipment, if so, accepting the login request of the internet of things equipment, and calculating the following information:
SK’=h((N2*P1)||Ai||T4),
returning a digital certificate to the Internet of things equipment, wherein the digital certificate comprises { IDi, pubK, info CA, T, signIAC }, the info CA represents information of a certificate issuer, the T represents the validity period of the certificate, the signIAC represents a digital signature of the issuer, the IDi represents the ID of the Internet of things equipment, and the pubK represents a public key of the Internet of things equipment;
where P1 represents the point multiplied by N1, Y, Z and Vi are authentication codes obtained by a hash operation, Y', Z' and Vi' represent derived authentication codes obtained by a hash operation, P3 represents the point multiplied by N2, and P2 and P4 represent points on an elliptic curve obtained by a hash operation.
In a second aspect, the invention provides an identity authentication system of an internet of things device, which is applied to an internet of things device, a blockchain and an identity authentication center, and comprises an internet of things device management module, a blockchain management module and an identity authentication management module;
the internet of things device management module is configured to perform the following: selecting a random number as a private key for each Internet of things device, selecting a curve parameter as a base point, generating a public key through an elliptic curve encryption algorithm, and carrying out hash operation on the public key to obtain a public key hash value;
the Internet of things equipment management module, the blockchain management module and the identity authentication management module are matched to execute the following steps of:
for each Internet of things device, the Internet of things device management module is used for sending registration request information to the identity authentication center;
the identity authentication center management module is used for carrying out identity registration calculation based on the registration request information, obtaining local identity verification information and identity registration information, storing the local identity verification information and the registration request information to the local, and returning the identity registration information to the Internet of things equipment;
for each piece of internet of things equipment, the internet of things equipment management module is used for uploading identity registration information and a public key of the internet of things equipment as identity authentication information to an identity authentication contract of a blockchain through a secure channel, wherein the equipment information comprises equipment ID, a login password, the public key, a private key and curve parameters of the internet of things equipment, the local identity authentication information comprises identity identification information, equipment expiration time and local identity authentication intermediate information, and the identity registration information comprises the identity identification information and the blockchain identity authentication intermediate information;
The internet of things equipment management module, the blockchain management module and the identity authentication management module are matched to execute the following steps of:
for each Internet of things device, the Internet of things device management module is used for sending login request information to the identity authentication center, wherein the login request information comprises the identity registration information of the Internet of things device and a random number generated randomly;
the identity authentication center management module is used for carrying out identity authentication on the Internet of things equipment based on the login request information, the local identity authentication information and the identity authentication information stored in the identity intelligent contract, and returning a digital certificate to the Internet of things equipment, wherein the digital certificate comprises the equipment ID, the public key and the validity period of the digital certificate of the Internet of things equipment;
for each Internet of things device, the Internet of things device management module is used for carrying out identity authentication with other Internet of things devices based on the identity digital certificate of the Internet of things device management module and obtaining authorized access;
for each Internet of things device, if identity authentication fails in the authorized access process of the Internet of things device, the blockchain management module is used for logging out the identity authentication information of the Internet of things device in the blockchain.
Preferably, the public key is calculated as follows:
pubK=priK*G,
Where G represents the base point, priK represents the private key, and pubK represents the public key.
Preferably, when the public key is hashed to obtain a public key hash value, the internet of things device management module is configured to hash the public key by using the SHA256 algorithm to generate a digest with a fixed length as the public key hash value H, where H=h(pubK).
Preferably, when identity registration is performed on the internet of things device Di and the identity authentication center IAC, for each internet of things device, the internet of things device management module is configured to perform hash computation based on a device ID and a login password thereof to obtain a device hash value, and send the device hash value, a public key, a private key and a curve parameter as registration request information to the identity registration center, where a computation formula of the device hash value Ii is as follows: Ii=h(IDi||PWi), where IDi denotes a device ID, PWi denotes a login password, and h() denotes a hash operation;
correspondingly, the identity registration center management module is configured to perform the following:
after receiving the registration request information, generating a random character string, and carrying out identity registration calculation based on the registration request information and the random character string, wherein the identity registration calculation comprises the following steps:
PIDi=h(Ri||ID_IAC||Ii)⊕ID_IAC,
CK=h(Ri||priK||EXP_time||PIDi),
CK’=CK*G,
Ti=Ri⊕h(priK||PIDi),
Ai=h(Ti⊕Ii⊕CK’),
Ai’=Ai*G,
correspondingly, for each Internet of things device, the Internet of things device management module uploads the identity registration information and the public key of each Internet of things device as identity authentication information to an identity authentication contract of the blockchain through a secure channel;
where PIDi represents identity identification information, EXP_time represents equipment expiration time, CK represents an encryption key, CK' represents a derived encryption key, Ti represents a temporary value, Ai represents an authentication code, and Ai' represents a derived authentication code; CK, CK', Ti and Ai' serve as authentication intermediate information, Ai' as local authentication intermediate information, and CK' and Ti as blockchain authentication intermediate information.
Preferably, for the internet of things device Di and the identity authentication center IAC, when performing identity authentication, for each internet of things device, the internet of things device management module is configured to perform the following: generating a random number N1, generating a current timestamp T1, generating login request information { PIDi, P1, Y, T1} based on the random number N1, the current timestamp T1 and the identity information PIDi, and sending the login request information { PIDi, P1, Y, T1} to an identity authentication center;
wherein P1=N1*G, P2=h(N1*CK'), Y=h(P1||P2||T1), and CK' is blockchain identity authentication information;
correspondingly, the identity authentication center management module is used for executing the following steps: after receiving login request information { PIDi, P1, Y, T1}, obtaining a current timestamp T2, if the time difference of T2-T1 is smaller than a threshold time T, inquiring corresponding EXP_time from the local based on PIDi, inquiring corresponding Ti from a blockchain based on PIDi, judging whether the Internet of things equipment is out of date based on EXP_time, and if not, performing the following information calculation:
Rs=Ti⊕h(priK||PIDi),
CK=h(Rs||priK||EXP_time||PIDi),
P2’=h(P1*CK),
Y’=h(P1||P2’||T1),
judging whether Y' is equal to Y, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
generating a random number N2, acquiring a current time stamp T3, and performing the following information calculation: P3=N2*G, P4=N2*Ai', Z=h(P3||P4||T3), and transmitting information {Z, P3, T3} to the Internet of things equipment;
correspondingly, for each internet of things device, the internet of things device management module is configured to perform the following: after receiving the information { Z, P3, T3}, obtaining the current timestamp T4, and if the time difference of T4-T3 is smaller than the time threshold T, performing the following information calculation:
Ai=h(Ti⊕Ii⊕CK’),
P4’=P3*Ai,
Z’=h(P3||P4’||T3),
judging whether Z' is equal to Z, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
the following information calculations were performed:
Vi=h(SK||(N1*CK’)),
SK=h((N1*P3)||Ai||T4),
the current timestamp is obtained and T4 is generated, and login information { Vi, T4} is sent to an identity authentication center;
correspondingly, the identity authentication center management module is used for executing the following steps: after receiving the login information { Vi, T4}, obtaining a current timestamp T5, and if the time difference between T5 and T4 is smaller than the time threshold T, performing the following information calculation:
Vi’=h((P1*CK)||SK),
judging whether Vi and Vi' are equal, if not, rejecting the login request of the internet of things equipment, if so, accepting the login request of the internet of things equipment, and calculating the following information:
SK’=h((N2*P1)||Ai||T4),
Returning a digital certificate to the Internet of things equipment, wherein the digital certificate comprises {IDi, pubK, info CA, T, signIAC}, the info CA represents information of the certificate issuer, T represents the validity period of the certificate, signIAC represents the digital signature of the issuer, IDi represents the ID of the Internet of things equipment, and pubK represents the public key of the Internet of things equipment;
where P1 represents the point obtained by multiplying the base point by N1; Y, Z and Vi are authentication codes obtained by a hash operation; Y', Z' and Vi' represent derived authentication codes obtained by a hash operation; P3 represents the point obtained by multiplying the base point by N2; and P2 and P4 represent points on an elliptic curve obtained by a hash operation.
The identity authentication method and system of the Internet of things equipment have the following advantages:
1. An effective identity verification process is realized based on the blockchain and the Elliptic Curve Cryptography (ECC) algorithm; the blockchain creates a decentralized, tamper-proof and traceable trust mechanism that ensures the authenticity and data integrity of the Internet of things equipment, and the use of the ECC algorithm enables the Internet of things equipment to resist a series of attacks such as password guessing attacks, replay attacks, man-in-the-middle attacks, session key attacks and DoS attacks;
2. the method has the advantages of anonymity and forward confidentiality of devices, mutual authentication between the devices can be performed, and an efficient key management and identity verification mechanism is provided.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments or the description of the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a flow chart of an identity authentication method of an internet of things device according to embodiment 1.
Detailed Description
The invention will be further described with reference to the accompanying drawings and specific examples, so that those skilled in the art can better understand the invention and implement it, but the examples are not meant to limit the invention, and the technical features of the embodiments of the invention and the examples can be combined with each other without conflict.
The embodiment of the invention provides an identity authentication method and an identity authentication system for Internet of things equipment, which are used for solving the technical problem of how to realize identity authentication of Internet of things equipment based on a blockchain and provide a secure transmission channel.
Example 1:
The invention discloses an identity authentication method for equipment of the Internet of things, which is used for carrying out identity authentication on the equipment of the Internet of things based on a blockchain and elliptic curve encryption algorithm.
Step S100, identity identification generation: for each Internet of things device, selecting a random number as a private key, selecting a curve parameter as a base point, generating a public key through an elliptic curve encryption algorithm, and carrying out hash operation on the public key to obtain a public key hash value.
In this step, the calculation formula of the public key is as follows:
pubK=priK*G
where G represents the base point, priK represents the private key, and pubK represents the public key.
When the public key is hashed to obtain a public key hash value, the public key is hashed by the SHA256 algorithm to generate a fixed-length digest as the public key hash value H, where H=h(pubK). SHA256 is a commonly used hash function that maps data of any length to a 256-bit hash value.
Step S200, identity registration: for each piece of internet of things equipment, the internet of things equipment sends registration request information to an identity authentication center, the identity authentication center carries out identity registration calculation based on the registration request information to obtain local identity authentication information and identity registration information, the local identity authentication information and the registration request information are stored locally, the identity registration information is returned to the internet of things equipment, the internet of things equipment uploads the identity registration information and a public key of the internet of things equipment as identity authentication information to an identity authentication contract of a blockchain through a secure channel, wherein the equipment information comprises equipment ID, login password, public key, private key and curve parameter of the internet of things equipment, the local identity authentication information comprises identity identification information, equipment expiration time and local identity authentication intermediate information, and the identity registration information comprises the identity identification information and the blockchain identity authentication intermediate information.
As a specific implementation of identity registration, for the internet of things device Di and the identity authentication center IAC, the identity registration includes the following steps:
(1) The Internet of things device performs a hash calculation based on its device ID and login password to obtain a device hash value, and sends the device hash value, public key, private key and curve parameters to the identity registration center as registration request information, wherein the calculation formula of the device hash value Ii is: Ii=h(IDi||PWi), where IDi denotes the device ID, PWi denotes the login password, and h() denotes a hash operation;
(2) After receiving the registration request information, the identity registration center generates a random character string, performs identity registration calculation based on the registration request information and the random character string, and the identity registration calculation comprises the following steps:
PIDi=h(Ri||ID_IAC||Ii)⊕ID_IAC,
CK=h(Ri||priK||EXP_time||PIDi),
CK’=CK*G,
Ti=Ri⊕h(priK||PIDi),
Ai=h(Ti⊕Ii⊕CK’),
Ai’=Ai*G,
(3) The identity authentication center stores Ai ', PIDi and EXP_time as local identity authentication information to the local, and returns PIDi, CK' and Ti as identity registration information to the Internet of things equipment;
(4) The internet of things device uploads the identity registration information and the public key of the internet of things device as identity authentication information to an identity authentication contract of the blockchain through a secure channel;
wherein PIDi represents identification information, EXP_time represents equipment expiration time, CK represents an encryption key, CK' represents a derived encryption key, Ti represents a temporary value, Ai represents an authentication code, and Ai' represents a derived authentication code; CK, CK', Ti and Ai' serve as authentication intermediate information, with Ai' as local authentication intermediate information, and CK' and Ti as blockchain authentication intermediate information.
Step S300, identity authentication: for each Internet of things device, the Internet of things device sends login request information to an identity authentication center, the login request information comprises the identity registration information of the Internet of things device and a random number which is randomly generated, the identity authentication center performs identity authentication on the Internet of things device based on the login request information, the local identity authentication information and the identity authentication information stored in the identity intelligent contract, and returns a digital certificate to the Internet of things device, and the digital certificate comprises the device ID, the public key and the validity period of the digital certificate of the Internet of things device.
As a specific implementation of identity authentication, for the internet of things device Di and the identity authentication center IAC, the identity authentication includes the following steps:
(1) The method comprises the steps that an Internet of things device generates a random number N1, generates a current time stamp T1, generates login request information { PIDi, P1, Y and T1} based on the random number N1, the current time stamp T1 and identity information PIDi, and sends the login request information { PIDi, P1, Y and T1} to an identity authentication center;
wherein P1=N1*G, P2=h(N1*CK'), Y=h(P1||P2||T1), and CK' is blockchain identity authentication information;
(2) After receiving login request information { PIDi, P1, Y, T1}, the identity authentication center obtains a current timestamp T2, if the time difference of T2-T1 is smaller than a threshold time T, the identity authentication center inquires corresponding EXP_time from the local based on PIDi, inquires corresponding Ti from a blockchain based on PIDi, judges whether the Internet of things equipment is out of date based on EXP_time, and if not, performs the following information calculation:
Rs=Ti⊕h(priK||PIDi),
CK=h(Rs||priK||EXP_time||PIDi),
P2’=h(P1*CK),
Y’=h(P1||P2’||T1),
Judging whether Y' is equal to Y, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
(3) The identity authentication center generates a random number N2, acquires a current timestamp T3 and calculates the following information: P3=N2*G, P4=N2*Ai', Z=h(P3||P4||T3), and transmits information {Z, P3, T3} to the Internet of things equipment;
(4) After the internet of things equipment receives the information { Z, P3 and T3}, a current timestamp T4 is obtained, and if the time difference of T4-T3 is smaller than a time threshold T, the following information calculation is performed:
Ai=h(Ti⊕Ii⊕CK’),
P4’=P3*Ai,
Z’=h(P3||P4’||T3),
judging whether Z' is equal to Z, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
(5) The internet of things equipment performs the following information calculation:
Vi=h(SK||(N1*CK’)),
SK=h((N1*P3)||Ai||T4),
the current timestamp is obtained and T4 is generated, and login information { Vi, T4} is sent to an identity authentication center;
(6) After receiving login information { Vi, T4}, the identity authentication center obtains a current timestamp T5, and if the time difference between T5 and T4 is smaller than a time threshold T, the identity authentication center performs the following information calculation:
Vi’=h((P1*CK)||SK)
judging whether Vi and Vi' are equal, if not, rejecting the login request of the internet of things equipment, if so, accepting the login request of the internet of things equipment, and calculating the following information:
SK’=h((N2*P1)||Ai||T4),
Returning a digital certificate to the Internet of things equipment, wherein the digital certificate comprises { IDi, pubK, info CA, T, signIAC }, the info CA represents information of a certificate issuer, the T represents the validity period of the certificate, the signIAC represents a digital signature of the issuer, the IDi represents the ID of the Internet of things equipment, and the pubK represents a public key of the Internet of things equipment;
where P1 represents the point obtained by multiplying the base point by N1; Y, Z and Vi are authentication codes obtained by a hash operation; Y', Z' and Vi' represent derived authentication codes obtained by a hash operation; P3 represents the point obtained by multiplying the base point by N2; and P2 and P4 represent points on an elliptic curve obtained by a hash operation.
Step S400, granting access: the Internet of things equipment performs identity authentication with other Internet of things equipment based on the identity digital certificate and obtains authorized access.
Step S500, identity management: in the authorized access process of the Internet of things equipment, if the identity authentication fails, the identity authentication information of the Internet of things equipment in the blockchain is logged off.
In the using process of the equipment, if the identity authentication of the user fails in the accessing process, the loss or theft of the equipment is proved, the identity information of the equipment is required to be cancelled, and an administrator deletes the public key of the equipment in the blockchain to prevent the malicious use of the equipment.
The method of the embodiment is based on elliptic curve cryptography algorithm and blockchain technology, and is used for verifying and managing the identity of the Internet of things equipment and ensuring confidentiality and integrity of data. According to the scheme, a unique identity key is generated for each Internet of things device by using an elliptic curve encryption algorithm, and the unique identity key is not only used for identity verification, but also used for encrypting communication data, so that confidentiality of the data is ensured, and each device has a highly-safe identity key and is difficult to crack due to complexity and safety of the elliptic curve encryption algorithm. The identity information and related authentication data of each internet of things device are stored in a scattered manner on the blockchain to form a tamper-proof account book, which means that the identity authentication record of the device cannot be tampered or altered without permission. Any access and verification to the identity of the device can be verified on the blockchain, enhancing the trustworthiness of the system.
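The registration and login exchange of steps S200 and S300 can be traced end to end with the following added example (written for this page, not taken from the patent). Assumptions not stated on the page: secp256k1 as the curve, SHA-256 for every h(), length-prefixed concatenation, hash outputs reduced modulo the group order before use as scalars, the x-coordinate of CK' inside the XOR, and a single field order (SK first) for both Vi and Vi', because the page writes those two hashes with their inputs in opposite order.

```python
import functools, hashlib, hmac, operator, secrets

P = 2**256 - 2**32 - 977  # secp256k1 (assumption: the page names no curve)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ID_IAC, FRESH = b"IAC-demo".ljust(32, b"\0"), 5  # constructed centre ID; threshold T in s

class AuthError(Exception): pass

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    m = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B
         else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, A):  # double-and-add; not constant time, illustration only
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def enc(v):  # assumption: 32-byte big-endian ints, x||y for points, bytes as is
    if isinstance(v, tuple):
        return enc(v[0]) + enc(v[1])
    return v.to_bytes(32, "big") if isinstance(v, int) else v

def h(*parts):  # SHA-256 over length-prefixed parts so "||" parses one way only
    d = hashlib.sha256()
    for b in map(enc, parts):
        d.update(len(b).to_bytes(2, "big") + b)
    return d.digest()

def hn(*parts):  # hash reduced mod N, for values later multiplied with a point
    return int.from_bytes(h(*parts), "big") % N

def xor(*bs):  # XOR of equal-length byte strings
    return bytes(functools.reduce(operator.xor, t) for t in zip(*bs))

def derive_ai(Ti, Ii, CKp):  # Ai = h(Ti xor Ii xor CK'), x-coordinate of CK' (assumption)
    return hn(xor(Ti, Ii, enc(CKp)[:32]))

def register(iac, chain, dev_id, pw, priK, exp_time):  # S200, centre-side calculation
    Ii, Ri = h(dev_id, pw), secrets.token_bytes(32)
    PID = xor(h(Ri, ID_IAC, Ii), ID_IAC)
    CK = hn(Ri, priK, exp_time, PID)
    CKp, Ti = mul(CK, G), xor(Ri, h(priK, PID))
    Aip = mul(derive_ai(Ti, Ii, CKp), G)
    iac[PID] = {"Aip": Aip, "exp": exp_time, "Ii": Ii, "priK": priK}  # centre's local store
    chain[PID] = {"CKp": CKp, "Ti": Ti, "pubK": mul(priK, G)}         # ledger stand-in
    return {"PID": PID, "CKp": CKp, "Ti": Ti, "Ii": Ii}

def dev_login(dev, T1):  # S300 (1): device sends {PIDi, P1, Y, T1}
    N1 = secrets.randbelow(N - 1) + 1
    P1 = mul(N1, G)
    return N1, (dev["PID"], P1, h(P1, h(mul(N1, dev["CKp"])), T1), T1)

def iac_challenge(iac, chain, msg, now):  # S300 (2)-(3); T2 and T3 are both `now`
    PID, P1, Y, T1 = msg
    rec = iac.get(PID)
    if rec is None or not 0 <= now - T1 < FRESH or now > rec["exp"]:
        raise AuthError("unknown, stale or expired")
    Ti = chain[PID]["Ti"]
    CK = hn(xor(Ti, h(rec["priK"], PID)), rec["priK"], rec["exp"], PID)  # Rs, then CK
    if not hmac.compare_digest(Y, h(P1, h(mul(CK, P1)), T1)):
        raise AuthError("Y mismatch")
    N2 = secrets.randbelow(N - 1) + 1
    P3, Ai = mul(N2, G), derive_ai(Ti, rec["Ii"], mul(CK, G))
    return (N2, P1, CK, Ai), (h(P3, mul(N2, rec["Aip"]), now), P3, now)

def dev_respond(dev, N1, msg, T4):  # S300 (4)-(5): verify Z, derive SK, send {Vi, T4}
    Z, P3, T3 = msg
    Ai = derive_ai(dev["Ti"], dev["Ii"], dev["CKp"])
    if not 0 <= T4 - T3 < FRESH or not hmac.compare_digest(Z, h(P3, mul(Ai, P3), T3)):
        raise AuthError("centre not authenticated")
    SK = h(mul(N1, P3), Ai, T4)
    return SK, (h(SK, mul(N1, dev["CKp"])), T4)

def iac_finish(state, msg, T5):  # S300 (6): SK' is derived first, then Vi is checked
    (N2, P1, CK, Ai), (Vi, T4) = state, msg
    SK = h(mul(N2, P1), Ai, T4)
    if not 0 <= T5 - T4 < FRESH or not hmac.compare_digest(Vi, h(SK, mul(CK, P1))):
        raise AuthError("Vi mismatch")
    return SK

def demo(t=1_700_000_000):  # constructed clock, device ID and password
    iac, chain = {}, {}
    dev = register(iac, chain, b"dev-01", b"demo-pw", secrets.randbelow(N - 1) + 1, t + 10**6)
    N1, m1 = dev_login(dev, t)
    state, m2 = iac_challenge(iac, chain, m1, t + 1)
    sk_dev, m3 = dev_respond(dev, N1, m2, t + 2)
    return iac, chain, m1, sk_dev, iac_finish(state, m3, t + 3)
```

`demo()` runs one full exchange and returns the two independently derived session keys; replaying the first message outside the freshness window, or altering Ti on the ledger stand-in, makes `iac_challenge` raise `AuthError`. As the page specifies, the centre's local store holds the device's priK and password hash Ii after registration, so it needs the same protection as the device's own key material.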
Example 2:
the invention discloses an identity authentication system of Internet of things equipment, which is applied to Internet of things equipment, a blockchain and an identity authentication center and comprises an Internet of things equipment management module, a blockchain management module and an identity authentication management module, wherein the system can execute the method disclosed in the embodiment 1.
The internet of things device management module is configured to perform the following: and selecting a random number as a private key for each Internet of things device, selecting a curve parameter as a base point, generating a public key through an elliptic curve encryption algorithm, and carrying out hash operation on the public key to obtain a public key hash value.
As a specific implementation, the calculation formula of the public key is as follows:
pubK=priK*G
where G represents the base point, priK represents the private key, and pubK represents the public key.
When the public key is hashed to obtain a public key hash value, the public key is hashed by the SHA256 algorithm to generate a fixed-length digest as the public key hash value H, where H=h(pubK). SHA256 is a commonly used hash function that maps data of any length to a 256-bit hash value.
The Internet of things equipment management module, the blockchain management module and the identity authentication management module are matched to execute the following steps of:
(1) For each Internet of things device, the Internet of things device management module is used for sending registration request information to the identity authentication center;
(2) The identity authentication center management module is used for carrying out identity registration calculation based on the registration request information, obtaining local identity verification information and identity registration information, storing the local identity verification information and the registration request information to the local, and returning the identity registration information to the Internet of things equipment;
(3) For each piece of internet of things equipment, the internet of things equipment management module is used for uploading identity registration information and a public key of the internet of things equipment as identity authentication information to an identity authentication contract of a blockchain through a secure channel, wherein the equipment information comprises equipment ID, a login password, the public key, a private key and curve parameters of the internet of things equipment, the local identity authentication information comprises identity identification information, equipment expiration time and local identity authentication intermediate information, and the identity registration information comprises the identity identification information and the blockchain identity authentication intermediate information.
As a specific implementation, when the identity registration is performed on the internet of things device Di and the identity authentication center IAC, for each internet of things device, the internet of things device management module is configured to perform a hash calculation based on its device ID and login password to obtain a device hash value, and send the device hash value, public key, private key and curve parameters as registration request information to the identity registration center, where the calculation formula of the device hash value Ii is: Ii=h(IDi||PWi), where IDi denotes the device ID, PWi denotes the login password, and h() denotes a hash operation.
Correspondingly, the identity registration center management module is configured to perform the following:
(1) After receiving the registration request information, generating a random character string, and carrying out identity registration calculation based on the registration request information and the random character string, wherein the identity registration calculation comprises the following steps:
PIDi=h(Ri||ID_IAC||Ii)⊕ID_IAC,
CK=h(Ri||priK||EXP_time||PIDi),
CK’=CK*G,
Ti=Ri⊕h(priK||PIDi),
Ai=h(Ti⊕Ii⊕CK’),
Ai’=Ai*G,
(2) And storing Ai ', PIDi and EXP_time as local identity authentication information to the local, and returning PIDi, CK' and Ti as identity registration information to the Internet of things equipment.
Correspondingly, for each Internet of things device, the Internet of things device management module uploads the identity registration information and the public key of each Internet of things device as identity authentication information to the identity authentication contract of the blockchain through the secure channel.
PIDi represents identification information, EXP_time represents equipment expiration time, CK represents an encryption key, CK' represents a derived encryption key, Ti represents a temporary value, Ai represents an authentication code, and Ai' represents a derived authentication code; CK, CK', Ti and Ai' serve as authentication intermediate information, with Ai' as local authentication intermediate information, and CK' and Ti as blockchain authentication intermediate information.
The internet of things equipment management module, the blockchain management module and the identity authentication management module are matched to execute the following steps of:
(1) For each Internet of things device, the Internet of things device management module is used for sending login request information to the identity authentication center, wherein the login request information comprises the identity registration information of the Internet of things device and a random number generated randomly;
(2) The identity authentication center management module is used for carrying out identity authentication on the Internet of things equipment based on the login request information, the local identity authentication information and the identity authentication information stored in the identity intelligent contract, and returning a digital certificate to the Internet of things equipment, wherein the digital certificate comprises the equipment ID of the Internet of things equipment, a public key and the validity period of the digital certificate.
As a specific implementation, for the internet of things device Di and the identity authentication center IAC, when performing identity authentication, for each internet of things device, the internet of things device management module is configured to perform the following: generating a random number N1, generating a current timestamp T1, generating login request information {PIDi, P1, Y, T1} based on the random number N1, the current timestamp T1 and the identity information PIDi, and sending the login request information {PIDi, P1, Y, T1} to an identity authentication center; wherein P1=N1*G, P2=h(N1*CK'), Y=h(P1||P2||T1), and CK' is blockchain identity authentication information.
Correspondingly, the identity authentication center management module is used for executing the following steps:
(1) After receiving login request information { PIDi, P1, Y, T1}, obtaining a current timestamp T2, if the time difference of T2-T1 is smaller than a threshold time T, inquiring corresponding EXP_time from the local based on PIDi, inquiring corresponding Ti from a blockchain based on PIDi, judging whether the Internet of things equipment is out of date based on EXP_time, and if not, performing the following information calculation:
Rs=Ti⊕h(priK||PIDi),
CK=h(Rs||priK||EXP_time||PIDi),
P2’=h(P1*CK),
Y’=h(P1||P2’||T1),
(2) Judging whether Y' is equal to Y, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
(3) Generating a random number N2, acquiring a current timestamp T3, and performing the following information calculation: P3=N2*G, P4=N2*Ai', Z=h(P3||P4||T3), and sending the information {Z, P3, T3} to the Internet of things device.
Correspondingly, for each internet of things device, the internet of things device management module is configured to perform the following:
(1) After receiving the information { Z, P3, T3}, obtaining the current timestamp T4, and if the time difference of T4-T3 is smaller than the time threshold T, performing the following information calculation:
Ai=h(Ti⊕Ii⊕CK’),
P4’=P3*Ai,
Z’=h(P3||P4’||T3),
(2) Judging whether Z' is equal to Z, if not, rejecting the login request of the Internet of things equipment, and if so, performing the following information calculation:
Vi=h(SK||(N1*CK’)),
SK=h((N1*P3)||Ai||T4),
(3) And obtaining the current timestamp and sending the login information { Vi, T4} to the identity authentication center.
Correspondingly, the identity authentication center management module is used for executing the following steps:
(1) After receiving the login information { Vi, T4}, obtaining a current timestamp T5, and if the time difference between T5 and T4 is smaller than the time threshold T, performing the following information calculation:
Vi’=h((P1*CK)||SK),
(2) Judging whether Vi and Vi' are equal, if not, rejecting the login request of the internet of things equipment, if so, accepting the login request of the internet of things equipment, and calculating the following information:
SK’=h((N2*P1)||Ai||T4),
(3) Returning a digital certificate to the internet of things device, wherein the digital certificate comprises {IDi, pubK, info CA, T, signIAC}, the info CA represents information of the certificate issuer, T represents the validity period of the certificate, signIAC represents the digital signature of the issuer, IDi represents the ID of the internet of things device, and pubK represents the public key of the internet of things device.
Where P1 represents the point obtained by multiplying the base point by N1; Y, Z and Vi are authentication codes obtained by a hash operation; Y', Z' and Vi' represent derived authentication codes obtained by a hash operation; P3 represents the point obtained by multiplying the base point by N2; and P2 and P4 represent points on an elliptic curve obtained by a hash operation.
For each Internet of things device, the Internet of things device management module is used for carrying out identity authentication with other Internet of things devices based on the identity digital certificate of the Internet of things device management module and obtaining authorized access.
For each Internet of things device, if identity authentication fails in the authorized access process of the Internet of things device, the blockchain management module is used for logging out the identity authentication information of the Internet of things device in the blockchain.
While the invention has been illustrated and described in detail in the drawings and in the preferred embodiments, the invention is not limited to the disclosed embodiments, and it will be appreciated by those skilled in the art that the code audits of the various embodiments described above may be combined to produce further embodiments of the invention, which are also within the scope of the invention.

Claims (10)

1. The identity authentication method for the equipment of the Internet of things is characterized by comprising the following steps of:
identity identification generation: for each Internet of things device, selecting a random number as a private key, selecting a curve parameter as a base point, generating a public key through an elliptic curve encryption algorithm, and performing hash operation on the public key to obtain a public key hash value;
identity registration: for each piece of internet of things equipment, the internet of things equipment sends registration request information to an identity authentication center, the identity authentication center carries out identity registration calculation based on the registration request information to obtain local identity authentication information and identity registration information, the local identity authentication information and the registration request information are stored locally, the identity registration information is returned to the internet of things equipment, the internet of things equipment takes the identity registration information and a public key thereof as identity authentication information and uploads the identity authentication information and the public key thereof to an identity authentication contract of a blockchain through a secure channel, wherein the equipment information comprises equipment ID, login password, public key, private key and curve parameter of the internet of things equipment, the local identity authentication information comprises identity identification information, equipment expiration time and local identity authentication intermediate information, and the identity registration information comprises identity identification information and blockchain identity authentication intermediate information;
Identity authentication: for each Internet of things device, the Internet of things device sends login request information to an identity authentication center, the login request information comprises the identity registration information of the Internet of things device and a random number which is randomly generated, the identity authentication center carries out identity authentication on the Internet of things device based on the login request information, the local identity authentication information and the identity authentication information stored in an identity intelligent contract, and returns a digital certificate to the Internet of things device, and the digital certificate comprises the device ID, a public key and the validity period of the digital certificate of the Internet of things device;
access is granted: the internet of things equipment performs identity authentication with other internet of things equipment based on the identity digital certificate and obtains authorized access;
identity management: in the authorized access process of the Internet of things equipment, if the identity authentication fails, the identity authentication information of the Internet of things equipment in the blockchain is logged off.
2. The method for authenticating the identity of the internet of things device according to claim 1, wherein the calculation formula of the public key is as follows:
pubK=priK*G
where G represents the base point, priK represents the private key, and pubK represents the public key.
3. The method for authenticating an identity of an internet of things device according to claim 1, wherein when performing a hash operation on a public key to obtain a public key hash value, the public key is hashed by using the SHA256 algorithm to generate a fixed-length digest as the public key hash value H, where H=h(pubK).
4. The method for authenticating the identity of the internet of things device according to claim 1, wherein for the internet of things device Di and the identity authentication center IAC, the identity registration comprises the steps of:
the Internet of things device performs a hash calculation based on its device ID and login password to obtain a device hash value, and sends the device hash value, public key, private key and curve parameters to the identity registration center as registration request information, wherein the calculation formula of the device hash value Ii is: Ii=h(IDi||PWi), where IDi denotes the device ID, PWi denotes the login password, and h() denotes a hash operation;
after receiving the registration request information, the identity registration center generates a random character string, performs identity registration calculation based on the registration request information and the random character string, and the identity registration calculation comprises the following steps:
CK=h(Ri||priK||EXP_time||PIDi),
CK’=CK*G,
Ti=Ri⊕h(priK||PIDi),
Ai’=Ai*G,
the identity authentication center stores Ai ', PIDi and EXP_time as local identity authentication information to the local, and returns PIDi, CK' and Ti as identity registration information to the Internet of things equipment;
the internet of things device uploads the identity registration information and the public key of the internet of things device as identity authentication information to an identity authentication contract of the blockchain through a secure channel;
wherein PIDi represents identification information, EXP_time represents equipment expiration time, CK represents an encryption key, CK' represents a derived encryption key, Ti represents a temporary value, Ai represents an authentication code, and Ai' represents a derived authentication code; CK, CK', Ti and Ai' serve as authentication intermediate information, with Ai' as local authentication intermediate information, and CK' and Ti as blockchain authentication intermediate information.
5. The method for authenticating the identity of the internet of things device according to claim 4, wherein for the internet of things device Di and the identity authentication center IAC, the identity authentication comprises the steps of:
the Internet of things device generates a random number N1, generates a current timestamp T1, generates login request information {PIDi, P1, Y, T1} based on the random number N1, the current timestamp T1 and the identity information PIDi, and sends the login request information {PIDi, P1, Y, T1} to the identity authentication center;
wherein P1=N1*G, P2=h(N1*CK'), Y=h(P1||P2||T1), and CK' is blockchain identity authentication information;
after receiving login request information { PIDi, P1, Y, T1}, the identity authentication center obtains a current timestamp T2, if the time difference of T2-T1 is smaller than a threshold time T, the identity authentication center inquires corresponding EXP_time from the local based on PIDi, inquires corresponding Ti from a blockchain based on PIDi, judges whether the Internet of things equipment is out of date based on EXP_time, and if not, performs the following information calculation:
CK=h(Rs||priK||EXP_time||PIDi),
P2’=h(P1*CK),
Y’=h(P1||P2’||T1),
judging whether Y' is equal to Y, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
the identity authentication center generates a random number N2, acquires a current timestamp T3 and calculates the following information: P3=N2*G, P4=N2*Ai', Z=h(P3||P4||T3), and transmits the information {Z, P3, T3} to the Internet of things equipment;
after the Internet of things equipment receives the information {Z, P3, T3}, a current timestamp T4 is obtained, and if the time difference of T4-T3 is smaller than the time threshold T, the following information calculation is performed:
P4’=P3*Ai,
Z’=h(P3||P4’||T3),
judging whether Z' is equal to Z, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
the internet of things equipment performs the following information calculation:
Vi=h(SK||(N1*CK’)),
SK=h((N1*P3)||Ai||T4),
the current timestamp is obtained and T4 is generated, and login information { Vi, T4} is sent to an identity authentication center;
after receiving login information { Vi, T4}, the identity authentication center obtains a current timestamp T5, and if the time difference between T5 and T4 is smaller than a time threshold T, the identity authentication center performs the following information calculation:
Vi’=h((P1*CK)||SK)
judging whether Vi and Vi' are equal, if not, rejecting the login request of the internet of things equipment, if so, accepting the login request of the internet of things equipment, and calculating the following information:
SK’=h((N2*P1)||Ai||T4),
returning a digital certificate to the Internet of things equipment, wherein the digital certificate comprises { IDi, pubK, info CA, T, signIAC }, the info CA represents information of a certificate issuer, the T represents the validity period of the certificate, the signIAC represents a digital signature of the issuer, the IDi represents the ID of the Internet of things equipment, and the pubK represents a public key of the Internet of things equipment;
where P1 represents N times the point of N1, Y, Z and Vi are hash codes obtained by a hash operation, Y', Z' and Vi' represent derived authentication codes obtained by a hash operation, P3 represents N times the point of N2, and P2 and P4 represent points on an elliptic curve obtained by a hash operation.
6. The system is characterized by being applied to the equipment of the Internet of things, a blockchain and an identity authentication center and comprising an equipment management module of the Internet of things, a blockchain management module and an identity authentication management module;
the internet of things device management module is configured to perform the following: selecting a random number as a private key for each Internet of things device, selecting a curve parameter as a base point, generating a public key through an elliptic curve encryption algorithm, and carrying out hash operation on the public key to obtain a public key hash value;
the Internet of things equipment management module, the blockchain management module and the identity authentication management module are matched to execute the following steps of:
for each Internet of things device, the Internet of things device management module is used for sending registration request information to the identity authentication center;
the identity authentication center management module is used for carrying out identity registration calculation based on the registration request information, obtaining local identity verification information and identity registration information, storing the local identity verification information and the registration request information to the local, and returning the identity registration information to the Internet of things equipment;
for each piece of internet of things equipment, the internet of things equipment management module is used for uploading identity registration information and a public key of the internet of things equipment as identity authentication information to an identity authentication contract of a blockchain through a secure channel, wherein the equipment information comprises equipment ID, a login password, the public key, a private key and curve parameters of the internet of things equipment, the local identity authentication information comprises identity identification information, equipment expiration time and local identity authentication intermediate information, and the identity registration information comprises the identity identification information and the blockchain identity authentication intermediate information;
The internet of things equipment management module, the blockchain management module and the identity authentication management module are matched to execute the following steps of:
for each Internet of things device, the Internet of things device management module is used for sending login request information to the identity authentication center, wherein the login request information comprises the identity registration information of the Internet of things device and a random number generated randomly;
the identity authentication center management module is used for carrying out identity authentication on the Internet of things equipment based on the login request information, the local identity authentication information and the identity authentication information stored in the identity intelligent contract, and returning a digital certificate to the Internet of things equipment, wherein the digital certificate comprises the equipment ID, the public key and the validity period of the digital certificate of the Internet of things equipment;
for each Internet of things device, the Internet of things device management module is used for carrying out identity authentication with other Internet of things devices based on the identity digital certificate of the Internet of things device management module and obtaining authorized access;
for each Internet of things device, if identity authentication fails in the authorized access process of the Internet of things device, the blockchain management module is used for logging out the identity authentication information of the Internet of things device in the blockchain.
7. The internet of things device identity authentication system of claim 6, wherein the public key has a calculation formula as follows:
pubK=priK*G,
Where G represents the base point, priK represents the private key, and pubK represents the public key.
8. The system of claim 6, wherein when performing a hash operation on a public key to obtain a public key hash value, the device management module of the internet of things is configured to perform a hash operation on the public key by using the SHA256 algorithm, and generate a digest with a fixed length as the public key hash value H, where H=h(pubK).
9. The system of claim 6, wherein, for each piece of internet of things equipment Di and the identity authentication center IAC, when performing identity registration, the internet of things equipment management module is configured to perform hash computation based on the equipment ID and the login password to obtain an equipment hash value, and send the equipment hash value, the public key, the private key and the curve parameter as registration request information to the identity registration center, where the calculation formula of the equipment hash value Ii is: Ii=h(IDi||PWi), where IDi denotes the device ID, PWi denotes the login password, and h() denotes a hash operation;
correspondingly, the identity registration center management module is configured to perform the following:
after receiving the registration request information, generating a random character string, and carrying out identity registration calculation based on the registration request information and the random character string, wherein the identity registration calculation comprises the following steps:
CK=h(Ri||priK||EXP_time||PIDi),
CK’=CK*G,
Ai’=Ai*G,
Correspondingly, for each Internet of things device, the Internet of things device management module uploads the identity registration information and the public key of each Internet of things device as identity authentication information to an identity authentication contract of the blockchain through a secure channel;
wherein PIDi represents identification information, EXP_time represents the equipment expiration time, CK represents an encryption key, CK' represents a derived encryption key, Ti represents a temporary value, Ai represents an authentication code, and Ai' represents a derived authentication code; CK, CK', Ti and Ai' serve as authentication intermediate information, Ai' as local authentication intermediate information, and CK' and Ti as blockchain authentication intermediate information.
10. The system of claim 6, wherein, for each of the internet of things devices Di and the authentication center IAC, when performing authentication, the internet of things device management module is configured to perform the following: generating a random number N1, generating a current timestamp T1, generating login request information { PIDi, P1, Y, T1} based on the random number N1, the current timestamp T1 and the identity information PIDi, and sending the login request information { PIDi, P1, Y, T1} to an identity authentication center;
wherein P1=N1*G, P2=h(N1*CK'), Y=h(P1||P2||T1), and CK' is blockchain identity authentication information;
correspondingly, the identity authentication center management module is used for executing the following steps: after receiving login request information { PIDi, P1, Y, T1}, obtaining a current timestamp T2, if the time difference of T2-T1 is smaller than a threshold time T, inquiring corresponding EXP_time from the local based on PIDi, inquiring corresponding Ti from a blockchain based on PIDi, judging whether the Internet of things equipment is out of date based on EXP_time, and if not, performing the following information calculation:
CK=h(Rs||priK||EXP_time||PIDi),
P2’=h(P1*CK),
Y’=h(P1||P2’||T1),
judging whether Y' is equal to Y, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
generating a random number N2, acquiring a current timestamp T3, and performing the following information calculation: P3=N2*G, P4=N2*Ai', Z=h(P3||P4||T3), and transmitting the information {Z, P3, T3} to the Internet of things equipment;
correspondingly, for each internet of things device, the internet of things device management module is configured to perform the following: after receiving the information { Z, P3, T3}, obtaining the current timestamp T4, and if the time difference of T4-T3 is smaller than the time threshold T, performing the following information calculation:
P4’=P3*Ai,
Z’=h(P3||P4’||T3),
judging whether Z' is equal to Z, if not, rejecting the login request of the Internet of things equipment, and if so, executing the next step;
the following information calculations are performed:
Vi=h(SK||(N1*CK’)),
SK=h((N1*P3)||Ai||T4),
the current timestamp is obtained and T4 is generated, and login information { Vi, T4} is sent to an identity authentication center;
correspondingly, the identity authentication center management module is used for executing the following steps: after receiving the login information { Vi, T4}, obtaining a current timestamp T5, and if the time difference between T5 and T4 is smaller than the time threshold T, performing the following information calculation:
Vi’=h((P1*CK)||SK),
judging whether Vi and Vi' are equal, if not, rejecting the login request of the internet of things equipment, if so, accepting the login request of the internet of things equipment, and calculating the following information:
SK’=h((N2*P1)||Ai||T4),
returning a digital certificate to the Internet of things equipment, wherein the digital certificate comprises { IDi, pubK, info CA, T, signIAC }, the info CA represents information of a certificate issuer, the T represents the validity period of the certificate, the signIAC represents a digital signature of the issuer, the IDi represents the ID of the Internet of things equipment, and the pubK represents a public key of the Internet of things equipment;
where P1 represents N times the point of N1, Y, Z and Vi are hash codes obtained by a hash operation, Y', Z' and Vi' represent derived authentication codes obtained by a hash operation, P3 represents N times the point of N2, and P2 and P4 represent points on an elliptic curve obtained by a hash operation.
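The login exchange of claims 5 and 10, written out as an added example (not code from the patent) to show why each side can reproduce the other's value: N1*CK' = CK*P1, N2*Ai' = Ai*P3 and N1*P3 = N2*P1. Assumptions not taken from the claims: the curve is secp256k1, h() is SHA-256 over fixed-width encodings, registration is collapsed into constructed scalars CK and Ai, the authentication center derives SK' before it checks Vi, and both sides hash SK and the shared point in one fixed order (the claims list those operands in a different order for Vi and Vi').

```python
import hashlib, hmac, secrets
# secp256k1 parameters: an assumption, the claims only say "curve parameters".
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] ** 2, 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    lam = num * pow(den, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):  # SHA-256 over fixed-width encodings: points as x||y, ints as 32 bytes
    enc = lambda v: (b"".join(enc(c) for c in v) if isinstance(v, tuple)
                     else v.to_bytes(32, "big") if isinstance(v, int) else v)
    return hashlib.sha256(enc(parts)).digest()

def login(CK, Ai, iac_CK=None, delay=1, window=5, t0=1_700_000_000):
    """Run one login; returns (SK, SK') or None when any check rejects."""
    iac_CK = CK if iac_CK is None else iac_CK    # value the IAC recomputes
    CKp, Aip = mul(CK, G), mul(Ai, G)            # CK' (on chain), Ai' (IAC local)
    T1 = t0; T2 = T3 = T1 + delay; T4 = T3 + delay; T5 = T4 + delay  # constructed clock
    fresh = lambda sent, now: 0 <= now - sent < window
    eq = hmac.compare_digest                     # constant-time comparison
    # Device -> IAC: {PIDi, P1, Y, T1}
    N1 = secrets.randbelow(N - 1) + 1
    P1 = mul(N1, G)
    Y = h(P1, h(mul(N1, CKp)), T1)               # P2 = h(N1*CK')
    # IAC: N1*CK' == CK*P1, so P2' = h(P1*CK) reproduces P2 without knowing N1
    if not fresh(T1, T2) or not eq(h(P1, h(mul(iac_CK, P1)), T1), Y):
        return None
    # IAC -> device: {Z, P3, T3}
    N2 = secrets.randbelow(N - 1) + 1
    P3 = mul(N2, G)
    Z = h(P3, mul(N2, Aip), T3)                  # P4 = N2*Ai'
    # Device: P4' = P3*Ai equals N2*Ai'
    if not fresh(T3, T4) or not eq(h(P3, mul(Ai, P3), T3), Z):
        return None
    SK = h(mul(N1, P3), Ai, T4)
    Vi = h(SK, mul(N1, CKp))
    # IAC: derives SK' first, then checks Vi with the same operand order (assumption)
    SKp = h(mul(N2, P1), Ai, T4)
    if not fresh(T4, T5) or not eq(h(SKp, mul(iac_CK, P1)), Vi):
        return None
    return SK, SKp
```

A mismatched CK at the authentication center, or a message delay at or beyond the time threshold, makes `login` return `None` at the first failing comparison.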
CN202311587193.0A 2023-11-27 2023-11-27 Internet of things equipment identity authentication method and system Pending CN117376026A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311587193.0A CN117376026A (en) 2023-11-27 2023-11-27 Internet of things equipment identity authentication method and system

Publications (1)

Publication Number Publication Date
CN117376026A true CN117376026A (en) 2024-01-09

Family

ID=89396834

Country Status (1)

Country Link
CN (1) CN117376026A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117729056A (en) * 2024-02-09 2024-03-19 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Equipment identity authentication method and system
CN117729056B (en) * 2024-02-09 2024-05-03 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Equipment identity authentication method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination