CN118075734B - Security lightweight group authentication system and method based on smart grid end-to-end communication - Google Patents

Abstract

The invention relates to a safety lightweight group authentication system and method based on smart grid end-to-end communication, comprising user equipment, an AMF and a 5G base station; the user equipment is connected with the AMF unit through a 5G base station; the AMF distributes the public key and the private key to the user equipment to provide anonymous identity protection for the user equipment, then verifies the user equipment through an aggregate signature scheme, and finally negotiates a session key through the ECDH. The invention effectively improves the end-to-end communication safety and authentication efficiency in the intelligent power grid, and simultaneously reduces the calculation and communication expenditure of equipment and a server.

Description

Security lightweight group authentication system and method based on smart grid end-to-end communication

Technical Field

The invention relates to the technical field of power communication, in particular to a safety lightweight group authentication system and method based on smart grid end-to-end communication.

Background

With the continuous development of technology, electric power resources are closely related to life of people, and play a vital role in modern times. However, as demand increases, the grid becomes more and more complex, resulting in significant changes to the power system. How to ensure the reliability of electric power has become an urgent problem to be solved. At the same time, the advent of smart grids has led to the development of power systems towards intellectualization and modernization, which is the result of technological development reaching a certain stage. The method can provide a comprehensive, real-time and efficient flexible processing method for related services in the power system, realize new application in the power service, and construct a complex multi-mode system based on the power system. In a traditional relay protection service scenario, both ends of the power device use optical fibers to transmit data. However, as more and more power supply devices are connected, the cost of the optical fiber structure is high, the scalability is low, and the high reliability and low delay characteristics of the 5G wireless communication technology are key to solving the above problems.

Disclosure of Invention

In order to solve the problems, the invention aims to provide a safety lightweight group authentication system and method based on smart grid end-to-end communication, which effectively improve the end-to-end communication safety and authentication efficiency in the smart grid and reduce the calculation and communication costs of equipment and servers.

In order to achieve the above purpose, the present invention adopts the following technical scheme:

A security lightweight group authentication system based on smart grid end-to-end communication comprises user equipment, an AMF and a 5G base station; the user equipment is connected with the AMF unit through a 5G base station; the AMF distributes the public key and the private key to the user equipment to provide anonymous identity protection for the user equipment, then verifies the user equipment through an aggregate signature scheme, and finally negotiates a session key through the ECDH.

A secure lightweight group authentication method based on smart grid end-to-end communication comprises the following steps:

S1, generating a q-order additive circulation group G by inputting a safety parameter K through an AMF, wherein P is a generator of a group G; AMF random selection Computing system public key as master keyAnd selecting a secure hash function:， Finally, the AMF unit outputs the system parameters = { q, G, P, ,,-Secret and save key s;

step S2, the user equipment firstly executes a 5G-AKA or EAP-AKA protocol to finish user authentication, saves the real identities of all the user equipment through an AMF, stores the real identities in a user equipment identification list, and registers the temporary identities of the user equipment through the AMF;

Step S3, after the user registration is completed, using their temporary identity to perform end-to-end discovery, mutually discovering each user through the end-to-end discovery process Finally, an end-to-end conversation list is obtained;

Step S4, after obtaining the end-to-end session list, the user equipment sends session request information to the AMF, when the AMF receives all the requests, it checks whether the user identity in the request information is legal registered identity, if not, it will reject the end-to-end session request, if the verification is successful, the AMF will create an end-to-end group session for all legal users, and generate a session identifier . AMF then forms a set of ring structures=,,...,Based on the identity of the user,AndLogically respectivelyIs then AMF broadcast,}；

And S5, after receiving the session response message of the AMF, the users start mutual authentication and key negotiation, and finally, the users in the group carry out secure communication.

Further, the step S2 specifically includes:

Step S2.1: first a secret value is selected Calculating intermediate parametersTemporary identificationWhereinFor the private identification of the user,As a function of the hash-up,System parameters output for AMF units will then {-Send to AMF;

step S2.2: AMF receipt of Transmitted {After } calculateAnd inquires whether the user equipment identification list containsIf not, the execution is terminated, otherwise, { is saved in the temporary identification index database,AMF generates a message={,}, WhereinIs temporary identity validity period whenAt the time of expiration of the time period,AMF random selection of secret valueAnd calculate,,Send {To (V)Wherein, the method comprises the steps of,、All are calculated intermediate process quantities;

Step S2.3: when (when) Received {When } calculate the partial private key，WhereinTo calculate the intermediate process quantity to verify the formulaIf not, the part of the private key is re-requested, and if so, the part of the private key is accepted; Randomly selecting secret values Calculation ofFinally, setting the public key of the user equipment) And private key);

Further, the step S3 specifically includes:

First, user equipment Selecting random numbersCalculation ofAnd generates request information={,,,}, WhereinRepresenting a time stamp, calculating，WhereinTo calculate the intermediate process quantity, a signature is obtainedFinally broadcast {}；

Adjacent users receive usersAfter broadcasting a message, verify the equationWhether or not to establish; if the formula is true, thenAdding into the end-to-end dialogue list, and storing; Setting n end-to-end users,，...，) Through the above end-to-end discovery process, each user finally obtains an end-to-end session list l=,,...,}。

Further, the step S5 specifically includes:

step S5.1 user equipment Generating a message) And randomly select a response valueAnd calculate，，Wherein、To calculate the intermediate process quantity, the user equipmentGenerating signaturesThen toAndWherein (i+1) mod n represents the result of adding 1 to i and then adding n to the remainder, and is a numerical result, and sends a message,,,}, WhereinIs thatAnd adds a timestamp to prevent the message from being replayed;

Step S5.2 when When receiving the messages sent by two adjacent users, it first verifiesIf it is equal, then proceed and verifyWhether it is a legal registered identity, if so, it will verify whether the time stamp is within the specified time, and if so, it will verify the signature information,Verification of,If it passes the verification, thenWill calculate,To calculate the intermediate process quantity, where (i+1) mod n represents the result of adding 1 to i and then taking the remainder of n, is a numerical result, at which time messages are broadcast to other users,,,};

Step S5.3: when the user equipmentUpon receipt of the broadcast request,First verifyIf it is equal, then proceed and verifyWhether it is a legal registered identity, if so, verifying whether the time stamp is within a specified time, if so, waiting for verification to passCollecting the remaining broadcast messages, when the number of last received messages is less than n-1, or the identity is not in the previously formed end-to-end group,The negotiation will be exited. At this time, the liquid crystal display device,All signatures in the end-to-end group are received and an aggregate signature is generatedWherein,Then verify the signature. If the signature is verified, it is accepted; otherwise, it may verify each received message once to collect the correct signature, or simply choose to discard the signature, at which point,Will calculate the session key The members of the group have generated the same session key. At this time, the liquid crystal display device,Using session keysCalculation ofAnd then generate a message,,And } wherein,To calculate the intermediate process quantity and send the message to the AMF;

step S5.4: when AMF receives the transmitted message, it verifies If it is within the specified range, the AMF will waitThe method comprises the steps of collecting the rest information and verifying whether the received hash values are equal, if so, the group equipment is provided with an equal session key, the AMF sends a confirmation information to all users, when the users receive the confirmation information, the users start to communicate, and finally, the users in the group perform secure communication.

Further, the new user joins the group, specifically as follows:

1) First, from In selecting two usersAndJoining a new group, the grouping beingAnd；

2）AndReselection response value,Calculation of，，，And a signature value; due to the original groupHas been negotiated, so authentication negotiation is not required; the key of the group is; New groupThe identity verification process is executed to finally obtainIs a key to a key (a);

3） And Using the original keyEncryption keyAnd send it to other members of the original group; And The key will be usedEncrypted keySending to other members of the new group;

4) Combining the two combinations into The new group key at this time is。

Further, the user leaves the group, specifically as follows:

let u= Is the current group, and V =Is a leaving member set in whichThe remaining set of members at this time can be expressed as a=；

1) Each memberInspection ofLeft member of (2)Or right memberWhether or not it has left; if it isOr (b)ThenRequiring re-selection of secret values, re-computationAnd signing and sending it to setting a;

2) If a member Does not change, thenSimply propagate their previous calculationsAnd signing to set a;

3) Upon receiving all values And after signing, each memberThe aggregate signature is verified. After verification is successful, the relevant parties can continue to calculate using the same procedure as before.

The invention has the following beneficial effects:

1. the invention realizes identity privacy protection, mutual authentication and aggregation signature, and has resistance to various attacks. Identity privacy protection, mutual authentication and aggregation signature are realized, malicious attacks are effectively resisted, and safety is ensured;

2. The invention can reduce the workload of the verifier and improve the verification efficiency by using signature aggregation.

Drawings

FIG. 1 is a flow chart of an authentication process of the present invention;

FIG. 2 is a diagram of communication overhead according to an embodiment of the present invention;

FIG. 3 is a diagram of a system architecture according to an embodiment of the present invention.

Detailed Description

The invention is described in further detail below with reference to the attached drawings and specific examples:

1-3, the invention provides a security lightweight group authentication system based on smart grid end-to-end communication, which comprises user equipment, an AMF and a 5G base station; the user equipment is connected with the AMF unit through a 5G base station; the AMF distributes the public key and the private key to the user equipment to provide anonymous identity protection for the user equipment, then verifies the user equipment through an aggregate signature scheme, and finally negotiates a session key through the ECDH.

The communication scenario of the present invention includes end-to-end one-to-one communication and end-to-end group communication, wherein the AMF is responsible for handling all transactions in the end-to-end communication process, and all power consumer devices are equipped with PUF modules.

In this embodiment, there is also provided a secure lightweight group authentication method based on smart grid end-to-end communication, including the steps of:

S1, generating a q-order additive circulation group G by inputting a safety parameter K through an AMF, wherein P is a generator of a group G; AMF random selection Computing system public key as master keyAnd selecting a secure hash function:， Finally, the AMF unit outputs the system parameters = { q, G, P, ,,-Secret and save key s;

step S2, the user equipment firstly executes a 5G-AKA or EAP-AKA protocol to finish user authentication, saves the real identities of all the user equipment through an AMF, stores the real identities in a user equipment identification list, and registers the temporary identities of the user equipment through the AMF;

Step S3, after the user registration is completed, using their temporary identity to perform end-to-end discovery, mutually discovering each user through the end-to-end discovery process Finally, an end-to-end conversation list is obtained;

Step S4, after obtaining the end-to-end session list, the user equipment sends session request information to the AMF, when the AMF receives all the requests, it checks whether the user identity in the request information is legal registered identity, if not, it will reject the end-to-end session request, if the verification is successful, the AMF will create an end-to-end group session for all legal users, and generate a session identifier . AMF then forms a set of ring structures=,,...,Based on the identity of the user,AndLogically respectivelyIs then AMF broadcast,}；

And S5, after receiving the session response message of the AMF, the users start mutual authentication and key negotiation, and finally, the users in the group carry out secure communication.

In this embodiment, step S2 specifically includes:

Step S2.1: first a secret value is selected Calculating intermediate parametersTemporary identificationWhereinFor the private identification of the user,As a function of the hash-up,System parameters output for AMF units will then {-Send to AMF;

step S2.2: AMF receipt of Transmitted {After } calculateAnd inquires whether the user equipment identification list containsIf not, the execution is terminated, otherwise, { is saved in the temporary identification index database,AMF generates a message={,}, WhereinIs temporary identity validity period whenAt the time of expiration of the time period,AMF random selection of secret valueAnd calculate,,Send {To (V)Wherein, the method comprises the steps of,、All are calculated intermediate process quantities;

Step S2.3: when (when) Received {When } calculate the partial private key，WhereinTo calculate the intermediate process quantity to verify the formulaIf not, the part of the private key is re-requested, and if so, the part of the private key is accepted; Randomly selecting secret values Calculation ofFinally, setting the public key of the user equipment) And private key);

In this embodiment, the step S3 specifically includes:

First, user equipment Selecting random numbersCalculation ofAnd generates request information={,,,}, WhereinRepresenting a time stamp, calculating，WhereinTo calculate the intermediate process quantity, a signature is obtainedFinally broadcast {}；

Adjacent users receive usersAfter broadcasting a message, verify the equationWhether or not to establish; if the formula is true, thenAdding into the end-to-end dialogue list, and storing; Setting n end-to-end users,，...，) Through the above end-to-end discovery process, each user finally obtains an end-to-end session list l=,,...,}。

In this embodiment, step S5 specifically includes:

step S5.1 user equipment Generating a message) And randomly select a response valueAnd calculate，，Wherein、To calculate the intermediate process quantity, the user equipmentGenerating signaturesThen toAndWherein (i+1) mod n represents the result of adding 1 to i and then adding n to the remainder, and is a numerical result, and sends a message,,,}, WhereinIs thatAnd adds a timestamp to prevent the message from being replayed;

Step S5.2 when When receiving the messages sent by two adjacent users, it first verifiesIf it is equal, then proceed and verifyWhether it is a legal registered identity, if so, it will verify whether the time stamp is within the specified time, and if so, it will verify the signature information,Verification of,If it passes the verification, thenWill calculate,To calculate the intermediate process quantity, where (i+1) mod n represents the result of adding 1 to i and then taking the remainder of n, is a numerical result, at which time messages are broadcast to other users,,,};

Step S5.3: when the user equipmentUpon receipt of the broadcast request,First verifyIf it is equal, then proceed and verifyWhether it is a legal registered identity, if so, verifying whether the time stamp is within a specified time, if so, waiting for verification to passCollecting the remaining broadcast messages, when the number of last received messages is less than n-1, or the identity is not in the previously formed end-to-end group,The negotiation will be exited. At this time, the liquid crystal display device,All signatures in the end-to-end group are received and an aggregate signature is generatedWherein,Then verify the signature. If the signature is verified, it is accepted; otherwise, it may verify each received message once to collect the correct signature, or simply choose to discard the signature, at which point,Will calculate the session key The members of the group have generated the same session key. At this time, the liquid crystal display device,Using session keysCalculation ofAnd then generate a message,,And } wherein,To calculate the intermediate process quantity and send the message to the AMF;

step S5.4: when AMF receives the transmitted message, it verifies If it is within the specified range, the AMF will waitThe method comprises the steps of collecting the rest information and verifying whether the received hash values are equal, if so, the group equipment is provided with an equal session key, the AMF sends a confirmation information to all users, when the users receive the confirmation information, the users start to communicate, and finally, the users in the group perform secure communication.

In this embodiment, the new user joins the group as follows:

1) First, from In selecting two usersAndJoining a new group, the grouping beingAnd；

2）AndReselection response value,Calculation of，，，And a signature value; due to the original groupHas been negotiated, so authentication negotiation is not required; the key of the group is; New groupThe identity verification process is executed to finally obtainIs a key to a key (a);

3） And Using the original keyEncryption keyAnd send it to other members of the original group; And The key will be usedEncrypted keySending to other members of the new group;

4) Combining the two combinations into The new group key at this time is。

In this embodiment, the user leaves the group as follows:

let u= Is the current group, and V =Is a leaving member set in whichThe remaining set of members at this time can be expressed as a=；

1) Each memberInspection ofLeft member of (2)Or right memberWhether or not it has left; if it isOr (b)ThenRequiring re-selection of secret values, re-computationAnd signing and sending it to setting a;

2) If a member Does not change, thenSimply propagate their previous calculationsAnd signing to set a;

3) Upon receiving all values And after signing, each memberThe aggregate signature is verified. After verification is successful, the relevant parties can continue to calculate using the same procedure as before.

It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

The above description is only a preferred embodiment of the present invention, and is not intended to limit the invention in any way, and any person skilled in the art may make modifications or alterations to the disclosed technical content to the equivalent embodiments. However, any simple modification, equivalent variation and variation of the above embodiments according to the technical substance of the present invention still fall within the protection scope of the technical solution of the present invention.

Claims (6)

1. A security lightweight group authentication method based on smart grid end-to-end communication is characterized in that a system is provided and comprises user equipment, an AMF and a 5G base station; the user equipment is connected with the AMF unit through the 5G base station; the AMF distributes the public key and the private key to the user equipment to provide anonymous identity protection for the user equipment, then verifies the user equipment through an aggregate signature scheme, and finally negotiates a session key through the ECDH;

The specific authentication method comprises the following steps:

S1, generating a q-order additive circulation group G by inputting a safety parameter K through an AMF, wherein P is a generator of a group G; AMF random selection Computing system public key as master keyAnd selecting a secure hash function:， Finally, the AMF unit outputs the system parameters = { q, G, P, ,,-Secret and save key s;

step S2, the user equipment firstly executes a 5G-AKA or EAP-AKA protocol to finish user authentication, saves the real identities of all the user equipment through an AMF, stores the real identities in a user equipment identification list, and registers the temporary identities of the user equipment through the AMF;

Step S3, after the user registration is completed, using their temporary identity to perform end-to-end discovery, mutually discovering each user through the end-to-end discovery process Finally, an end-to-end conversation list is obtained;

Step S4, after obtaining the end-to-end session list, the user equipment sends session request information to the AMF, when the AMF receives all the requests, it checks whether the user identity in the request information is legal registered identity, if not, it will reject the end-to-end session request, if the verification is successful, the AMF will create an end-to-end group session for all legal users, and generate a session identifier ; AMF then forms a set of ring structures=,,...,Based on the identity of the user,AndLogically respectivelyIs then AMF broadcast,}；

And S5, after receiving the session response message of the AMF, the users start mutual authentication and key negotiation, and finally, the users in the group carry out secure communication.

2. The authentication method according to claim 1, wherein the step S2 is specifically:

Step S2.1: first a secret value is selected Calculating intermediate parametersTemporary identificationWhereinFor the private identification of the user,As a function of the hash-up,System parameters output for AMF units will then {-Send to AMF;

step S2.2: AMF receipt of Transmitted {After } calculateAnd inquires whether the user equipment identification list containsIf not, the execution is terminated, otherwise, { is saved in the temporary identification index database,AMF generates a message={,}, WhereinIs temporary identity validity period whenAt the time of expiration of the time period,AMF random selection of secret valueAnd calculate,,Send {To (V)Wherein, the method comprises the steps of,、All are calculated intermediate process quantities;

Step S2.3: when (when) Received {When } calculate the partial private key，WhereinTo calculate the intermediate process quantity to verify the formulaIf not, the part of the private key is re-requested, and if so, the part of the private key is accepted; Randomly selecting secret values Calculation ofFinally, setting the public key of the user equipment) And private key)。

3. The authentication method according to claim 2, wherein the step S3 is specifically:

First, user equipment Selecting random numbersCalculation ofAnd generates request information={,,,}, WhereinRepresenting a time stamp, calculating，WhereinTo calculate the intermediate process quantity, a signature is obtainedFinally broadcast {}；

Adjacent users receive usersAfter broadcasting a message, verify the equationWhether or not to establish; if the formula is true, thenAdding into the end-to-end dialogue list, and storing; Setting n end-to-end users,，...，) Through the above end-to-end discovery process, each user finally obtains an end-to-end session list l=,,...,}。

4. The authentication method according to claim 3, wherein the step S5 is specifically:

step S5.1 user equipment Generating a message) And randomly select a response valueAnd calculate，，Wherein、To calculate the intermediate process quantity, the user equipmentGenerating signaturesThen toAndWherein (i+1) mod n represents the result of adding 1 to i and then adding n to the remainder, and is a numerical result, and sends a message,,,}, WhereinIs thatAnd adds a timestamp to prevent the message from being replayed;

Step S5.2 when When receiving the messages sent by two adjacent users, it first verifiesIf it is equal, then proceed and verifyWhether it is a legal registered identity, if so, it will verify whether the time stamp is within the specified time, and if so, it will verify the signature information,Verification of,If it passes the verification, thenWill calculate,To calculate the intermediate process quantity, where (i+1) mod n represents the result of adding 1 to i and then taking the remainder of n, is a numerical result, at which time messages are broadcast to other users,,,};

Step S5.3: when the user equipmentUpon receipt of the broadcast request,First verifyIf it is equal, then proceed and verifyWhether it is a legal registered identity, if so, verifying whether the time stamp is within a specified time, if so, waiting for verification to passCollecting the remaining broadcast messages, when the number of last received messages is less than n-1, or the identity is not in the previously formed end-to-end group,Will exit the negotiation; at this time, the liquid crystal display device,All signatures in the end-to-end group are received and an aggregate signature is generatedWherein,Then verify the signature; If the signature is verified, it is accepted; otherwise, it may verify each received message once to collect the correct signature, or simply choose to discard the signature, at which point,Will calculate the session keyMembers of the group have generated the same session key; at this time, the liquid crystal display device,Using session keysCalculation ofAnd then generate a message,,And } wherein,To calculate the intermediate process quantity and send the message to the AMF;

step S5.4: when AMF receives the transmitted message, it verifies If it is within the specified range, the AMF will waitThe method comprises the steps of collecting the rest information and verifying whether the received hash values are equal, if so, the group equipment is provided with an equal session key, the AMF sends a confirmation information to all users, when the users receive the confirmation information, the users start to communicate, and finally, the users in the group perform secure communication.

5. The authentication method according to claim 1, characterized in that the new user joins the group, in particular as follows:

1) First, from In selecting two usersAndJoining a new group, the grouping beingAnd；

2）AndReselection response value,Calculation of，，，And a signature value; due to the original groupHas been negotiated, so authentication negotiation is not required; the key of the group is; New groupThe identity verification process is executed to finally obtainIs a key to a key (a);

3） And Using the original keyEncryption keyAnd send it to other members of the original group; And The key will be usedEncrypted keySending to other members of the new group;

4) Combining the two combinations into The new group key at this time is。

6. The authentication method according to claim 1, characterized in that the user leaves the group, in particular as follows:

let u= Is the current group, and V =Is a leaving member set in whichThe remaining set of members at this time can be expressed as a=；

1) Each memberInspection ofLeft member of (2)Or right memberWhether or not it has left; if it isOr (b)ThenRequiring re-selection of secret values, re-computationAnd signing and sending it to setting a;

2) If a member Does not change, thenSimply propagate their previous calculationsAnd signing to set a;

3) Upon receiving all values And after signing, each memberVerifying the aggregate signature; after verification is successful, the relevant parties can continue to calculate using the same procedure as before.