CN118301607A - Distributed RFID network communication security authentication system and method - Google Patents

Abstract

The application relates to the technical field of communication, in particular to a network communication security authentication system and method of distributed RFID, comprising a receiver for generating random numbers, communication and verification; a tag and a transmitter for communication and authentication; the tag, receiver and transmitter possess the same shared key after performing the authentication steps of the security authentication method. The application performs identity authentication protection on the wireless communication channel between the transmitter and the receiver which appear after the splitting of the reader-writer by utilizing the cryptographic technology, thereby ensuring the reliability of information transmission among the transmitter, the receiver and the tag. The method is suitable for a substation temperature measurement scene, and improves the safety and accuracy of the process of measuring the power system equipment.

Description

Distributed RFID network communication security authentication system and method

Technical Field

The application relates to the technical field of communication, in particular to a distributed RFID network communication security authentication system and method.

Background

The transponders of the traditional RFID in an inductive coupling mode almost adopt a passive working mode, and the communication distance is mainly limited by the furthest distance of a signal forward link activation tag and the furthest distance of signal backward link scattering under the condition of not considering the receiving sensitivity of a reader-writer, wherein the smaller value of the furthest distance is the effective communication distance. Typically, the effective distance of the forward link is smaller than the scattering distance of the backward link, which is equivalent to limiting the overall performance of the RFID communication system. In a substation temperature measurement scene, in order to ensure that the temperature of important connection parts, sleeves and shells of various power equipment can be monitored by utilizing an RFID technology at all times, the design of a distributed reader-writer is adopted, and a receiver and a transmitter in an essential reader-writer are independently designed and respectively designed into receiving equipment and transmitting equipment, so that the restriction of short communication effective distance caused by the fact that a forward-backward link is embodied in the same equipment is eliminated, and the equipment performance is fully exerted.

In the distributed RFID design, the adopted reader-writer receiving-transmitting separation mechanism can greatly prolong the communication distance with the tag, but it is expected that the main body needing to carry out safety protection is a system master station, a reader-writer and a tag body before receiving-transmitting separation, and the three are all bidirectional channels, so that normal challenge response can be carried out for sharing the secret key. After the separation of the transmission and reception, a bidirectional wireless channel is still used between the transmitter and the receiver, but the forward link between the transmitter and the tag and the reverse link between the tag and the receiver are unidirectional links.

Therefore, in order to continue to maintain the safety protection mechanism like the mutual data transmission among the traditional reader-writer, the tag and the master station, a set of secret key sharing mechanism is established among the transmitter, the receiver and the tag and used for authenticating the identity among the three and encrypting the channel, so that the channel is prevented from being eavesdropped, tampered and interfered, a monitoring instruction can not be issued in time, data can not be acquired in time or in error is acquired, safety accidents are caused, and personal economic loss is caused.

Disclosure of Invention

The application provides a distributed RFID network communication security authentication system and a distributed RFID network communication security authentication method, which can establish a set of security protection mechanism based on key sharing among a transmitter, a receiver and a tag in an RFID communication system adopting a distributed design, prevent channels from eavesdropping, tampering and interference, and ensure the security of data transmission.

In order to achieve the above purpose, the present invention adopts the following technical scheme:

In a first aspect, the present invention provides a network communication security authentication system of a distributed RFID, including:

A receiver for generating a random number; establishing connection with the transmitter based on a preset key in the first connection, and performing networking authentication based on the random number; and verifying the tag information in the second secret based on the random number; after the tag identity is determined to be legal, a shared secret key is obtained based on the second ciphertext, and a third ciphertext containing tag information is sent to a transmitter through a networking session;

The transmitter is used for encrypting a first plaintext by using the preset secret key after passing the networking authentication with the receiver to obtain a first ciphertext and sending the first ciphertext to the tag, wherein the first ciphertext comprises the random number; decrypting the third ciphertext and combining the random number with the transmitter information to generate a fourth ciphertext, and transmitting the fourth ciphertext to the tag; obtaining a shared key based on the third ciphertext;

the tag is used for decrypting the first ciphertext by using the preset key after receiving the first ciphertext to obtain a first plaintext; the second ciphertext obtained after the combination of the first plaintext and the tag information is sent to the receiver; and verifying the random number and the tag information contained in the fourth ciphertext, and obtaining the shared secret key based on the fourth ciphertext after verification.

In a preferred embodiment of the present application, it may be further configured that the establishing a connection with the transmitter based on a preset key at the time of the first connection, further includes:

The connection is made using a challenge-response authentication mechanism.

In a preferred embodiment of the present application, the method may further include:

The common session key is negotiated when the connection is established with the transmitter based on the preset key at the first connection.

In a preferred embodiment of the present application, it may be further configured to perform networking authentication based on the random number, including:

encrypting the random number by using the session key to obtain a random number ciphertext, and then sending the random number ciphertext to a transmitter;

and after receiving the decryption success mark sent by the receiver, confirming that the networking authentication is successful.

In a preferred embodiment of the present application, the method may further include:

the first ciphertext and the second ciphertext also include a transmitter ID, a receiver ID.

In a preferred embodiment of the present application, the method may further include:

The third ciphertext includes a success flag that is generated after determining that the tag identity is legitimate.

In a preferred embodiment of the present application, the shared key may further include:

generated by the random number, tag ID, transmitter ID and receiver ID by a key derivation algorithm.

In a preferred embodiment of the present application, the sending, to the receiver, the second ciphertext obtained by combining the first plaintext with the tag information may further include:

Performing key derivation by using the tag ID and the random number to obtain a first tag key and a second tag key, and encrypting a first plaintext by using the first tag key to obtain a first part of a second ciphertext;

Calculating a second tag plaintext by using the second tag key, wherein the second tag plaintext is used as a second part of a second ciphertext;

taking the tag ID as a third part of a second ciphertext;

And sending a second ciphertext consisting of three parts to the receiver.

In a preferred embodiment of the present application, the verifying the tag information in the second secret based on the random number may further include:

Performing key derivation by using the random number and a third part of the second ciphertext to obtain the first tag key and the second tag key;

and verifying the second part of the second ciphertext by using the second tag, and determining that the tag identity is legal if verification is passed.

In a second aspect, the present application provides a network communication security authentication method of a distributed RFID, the method comprising:

step 100: the receiver generates a random number, establishes connection with the transmitter based on a preset key in the first connection, and then performs networking authentication based on the random number;

Step 200: after passing the networking authentication with the receiver, the transmitter encrypts a first plaintext by using the preset secret key to obtain a first ciphertext and sends the first ciphertext to a tag, wherein the first ciphertext comprises the random number;

Step 300: after receiving the first ciphertext, the tag decrypts the first ciphertext by using the preset key to obtain a first plaintext, combines the first plaintext with tag information to obtain a second ciphertext, and sends the second ciphertext to the receiver;

Step 400: the receiver verifies the tag information in the second cipher text based on the random number, obtains a shared key based on the second cipher text after determining that the tag identity is legal, and sends a third cipher text containing the tag information to the transmitter through a networking session;

Step 500: the transmitter decrypts the third ciphertext, combines the random number and the transmitter information to generate a fourth ciphertext, sends the fourth ciphertext to the tag, and obtains a shared key based on the third ciphertext;

Step 600: the tag verifies the random number and the tag information contained in the fourth ciphertext, and the shared key is obtained based on the fourth ciphertext after verification.

In summary, compared with the prior art, the technical scheme provided by the embodiment of the application has the following beneficial effects:

The application provides a distributed RFID network communication security authentication system and a distributed RFID network communication security authentication method, which are used for carrying out identity authentication protection on a wireless communication channel between a transmitter and a receiver after splitting a reader-writer by utilizing a password technology, so that the reliability of information transmission among the transmitter, the receiver and a tag is ensured. Specifically, session negotiation between the receiver, the transmitter and the tag is performed by a method of sharing a secret key, so that the three have a common secret key. The method is suitable for a substation temperature measurement scene, and improves the safety and accuracy of the process of measuring the power system equipment.

Drawings

Fig. 1 is a block diagram of a network communication security authentication system of a distributed RFID according to an embodiment of the present application.

Fig. 2 is a first stage flowchart of a network communication security authentication method of a distributed RFID according to an embodiment of the present application.

Fig. 3 is a second stage flowchart of a network communication security authentication method of distributed RFID according to an embodiment of the present application.

Fig. 4 is a third stage flowchart of a network communication security authentication method of distributed RFID according to an embodiment of the present application.

Detailed Description

The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.

In one embodiment of the present application, a network communication security authentication system of distributed RFID is provided, referring to fig. 1, the system includes:

A receiver 101 for generating a random number; establishing connection with the transmitter based on a preset key in the first connection, and performing networking authentication based on the random number; and verifying the tag information in the second secret based on the random number; after the tag identity is determined to be legal, a shared secret key is obtained based on the second ciphertext, and a third ciphertext containing tag information is sent to a transmitter through a networking session;

A transmitter 102, configured to encrypt a first ciphertext using the preset key and send the first ciphertext to a tag after passing a networking authentication with the receiver, where the first ciphertext includes the random number; decrypting the third ciphertext and combining the random number with the transmitter information to generate a fourth ciphertext, and transmitting the fourth ciphertext to the tag; obtaining a shared key based on the third ciphertext;

A tag 103, configured to decrypt the first ciphertext using the preset key after receiving the first ciphertext, to obtain a first plaintext; the second ciphertext obtained after the combination of the first plaintext and the tag information is sent to the receiver; and verifying the random number and the tag information contained in the fourth ciphertext, and obtaining the shared secret key based on the fourth ciphertext after verification.

In specific implementation, the system can be used for a temperature measurement scene of a transformer substation based on a radio frequency identification technology (RFID) adopting a distributed design, wherein the distributed design adopts a reader-writer receiving-transmitting separation mechanism for an RFID communication system, and the specific operation of temperature measurement is as follows: the method comprises the steps of deploying a tag and a temperature sensing probe at equipment needing temperature measurement, deploying a small number of receiver hosts in a transformer substation, receiving a tag reverse link signal in the whole station, and performing tag activation by using a mobile transmitter. In the operation process of temperature measurement, the session negotiation between the receiver transmitter and the tag is carried out by combining the method of the shared secret key of the system, so that the identity reliability and the channel safety during communication can be realized.

The tag, the transmitter and the receiver are all devices for realizing RFID communication and can also perform wireless network communication functions. The random number is used for improving communication security when creating a password, a secret key or other sensitive information in network communication. The tag information at least comprises tag IDs and related information derived from the tag IDs, and each tag is different. The plaintext and the ciphertext are both information in network communication, and the ciphertext is encrypted information.

The method of using the system, please refer to fig. 2, 3 and 4, includes:

Step 1: the receiver generates a random number R ₁, establishes connection with the transmitter based on a preset key K when the transmitter is connected for the first time, then performs networking authentication based on the random number R ₁, and negotiates a common session key K ₁;

step 2: after passing the networking authentication with the receiver, the transmitter encrypts a first ciphertext (R ₁、ID₁、ID₂) by using the preset key K to obtain a first ciphertext (Ek (R ₁、ID₁、ID₂)) and sends the first ciphertext to the tag, wherein the ID ₁、ID₂ is a transmitter ID and a receiver ID respectively;

step 3: after receiving the first ciphertext, the tag decrypts the first ciphertext by using the preset key K to obtain a first plaintext (R ₁′、ID₁′、ID₂'), and combines the first plaintext with tag information to obtain a second ciphertext The MAC ₁ and ID _t are two types of tag information sent to the receiver. Specifically, the tag uses ID _t、R₁ to derive key K _t1 and K _tmac, encrypts (R ₁′、ID₁′、ID₂ ') with K _t1 to obtain ciphertext K _t1(R₁′、ID₁′、ID₂'), calculates MAC ₁ corresponding to plaintext with K _tmac, and finally encrypts the second ciphertextTransmitting to a receiver;

Step 4: the receiver verifies the tag information in the second cipher text based on the random number, obtains the shared key K ₂ based on the second cipher text after determining that the tag identity is legal, and sends a third cipher text containing the tag information through the networking session To the transmitter. Specifically, after receiving the second ciphertext, the receiver derives the keys K _t1 and K _tmac by using the original R ₁ and the plaintext ID _t, and then performs the second ciphertextAfter obtaining the plaintext data R ₁′、ID₁′、ID₂' by decryption, the MAC ₁ is verified by K _tmac, and if the verification is passed, the receiver determines that the tag identity is legal. After the receiver judges that the label identity is legal, a success identification S ₁ is generated, and the ciphertext is obtained by encrypting S ₁、ID_t by using K1The receiver sends the ciphertext to the transmitter through reliable connection established by networking session negotiation;

step 5: the transmitter decrypts the third ciphertext and combines the random number with the transmitter information to generate a fourth ciphertext And sending the fourth ciphertext to the tag, and obtaining the shared key K ₂ based on the third ciphertext. Specifically, after receiving ciphertext (E _k1(S₁、ID_t)), the transmitter decrypts with session key K ₁, decrypts with ID ₁ and R ₁ derivative key K _t1, encrypts S ₁、ID_t、R₁ to obtain a fourth ciphertextTo the tag.

Step 6: the tag verifies the random number and the tag information contained in the fourth ciphertext, and obtains the shared key K ₂ based on the fourth ciphertext after verification. Specifically, after the tag receives the ciphertextDecryption was performed with K _t1 to obtain plaintext S ₁、ID_t″、R₁ ", comparing ID _t" with ID _t, and comparing R ₁ "with R ₁, the same values being successful in comparison, and after successful in comparison, indicating that authentication was completed, and deriving session key K ₂ with R ₁、ID_t、ID₁、ID₂.

Wherein, K _{Will be 1}、K _{Will be 2} of fig. 2, fig. 3, and fig. 4 respectively correspond to K ₁、K₂ in the above-mentioned flow.

At this time, the receiver, the transmitter and the tag all generate the same session key K ₂, and the system successfully performs networking authentication.

In this embodiment, the wireless communication channel between the transmitter and the receiver, which occurs after the splitting of the reader-writer, is protected by using the cryptographic technology for identity authentication, so that the reliability of information transmission among the transmitter, the receiver and the tag is ensured. Specifically, session negotiation between the receiver, the transmitter and the tag is performed by a method of sharing a secret key, so that the three have a common secret key. The method is suitable for a substation temperature measurement scene, and improves the safety and accuracy of the process of measuring the power system equipment.

In some embodiments, the establishing a connection with the transmitter based on the preset key at the first connection further comprises:

The connection is made using a challenge-response authentication mechanism.

In this embodiment, the security of the connection between the transmitter and the receiver is improved.

In some embodiments, further comprising:

The common session key is negotiated when the connection is established with the transmitter based on the preset key at the first connection.

In particular, as shown in fig. 2, the transmitter and the receiver negotiate a common session key K _{Will be 1}.

In some embodiments, performing networking authentication based on the random number includes:

encrypting the random number by using the session key to obtain a random number ciphertext, and then sending the random number ciphertext to a transmitter;

and after receiving the decryption success mark sent by the receiver, confirming that the networking authentication is successful.

In specific implementation, the receiver starts a networking authentication flow, firstly generates a random number R ₁ by using an internal hardware cryptographic module, calls the common session key K _{Will be 1}, encrypts R ₁ to obtain a ciphertext(R ₁) and sends it to the transmitter. The transmitter receives the ciphertextAfter (R ₁), the cipher text is untied by the session key K _{Will be 1} established by networking session negotiation to obtain a plaintext R ₁, and a decryption success mark is returned to the receiver.

In the embodiment, the safety of networking connection of the transmitter and the receiver is improved.

In some embodiments, comprising:

the first ciphertext and the second ciphertext also include a transmitter ID, a receiver ID.

In some embodiments, comprising:

The third ciphertext includes a success flag that is generated after determining that the tag identity is legitimate.

In some embodiments, the shared key comprises:

generated by the random number, tag ID, transmitter ID and receiver ID by a key derivation algorithm.

In the embodiment, the symmetric key algorithm is used for key derivation, encryption processing is simple, encryption and decryption speed is high, the key is short, and development history is long.

In some embodiments, the sending, to the receiver, the second ciphertext obtained by combining the first plaintext with the tag information includes:

Performing key derivation by using the tag ID and the random number to obtain a first tag key and a second tag key, and encrypting a first plaintext by using the first tag key to obtain a first part of a second ciphertext;

Calculating a second tag plaintext by using the second tag key, wherein the second tag plaintext is used as a second part of a second ciphertext;

taking the tag ID as a third part of a second ciphertext;

And sending a second ciphertext consisting of three parts to the receiver.

In this embodiment, the security of communication is improved.

In some embodiments, the verifying the tag information in the second secret based on the random number includes:

Performing key derivation by using the random number and a third part of the second ciphertext to obtain the first tag key and the second tag key;

and verifying the second part of the second ciphertext by using the second tag, and determining that the tag identity is legal if verification is passed.

In this embodiment, the security of communication is improved.

The application also provides a network communication security authentication method of the distributed RFID, which comprises the following steps:

step 100: the receiver generates a random number, establishes connection with the transmitter based on a preset key in the first connection, and then performs networking authentication based on the random number;

Step 200: after passing the networking authentication with the receiver, the transmitter encrypts a first plaintext by using the preset secret key to obtain a first ciphertext and sends the first ciphertext to a tag, wherein the first ciphertext comprises the random number;

Step 300: after receiving the first ciphertext, the tag decrypts the first ciphertext by using the preset key to obtain a first plaintext, combines the first plaintext with tag information to obtain a second ciphertext, and sends the second ciphertext to the receiver;

Step 400: the receiver verifies the tag information in the second cipher text based on the random number, obtains a shared key based on the second cipher text after determining that the tag identity is legal, and sends a third cipher text containing the tag information to the transmitter through a networking session;

Step 500: the transmitter decrypts the third ciphertext, combines the random number and the transmitter information to generate a fourth ciphertext, sends the fourth ciphertext to the tag, and obtains a shared key based on the third ciphertext;

Step 600: the tag verifies the random number and the tag information contained in the fourth ciphertext, and the shared key is obtained based on the fourth ciphertext after verification.

The steps in the network communication security authentication method of the distributed RFID correspond to the functions of the modules in the embodiment of the network communication security authentication system of the distributed RFID, and the execution process is not described here again.

The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description. The above examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (10)

1. A distributed RFID network communication security authentication system, comprising:

A receiver for generating a random number; establishing connection with the transmitter based on a preset key in the first connection, and performing networking authentication based on the random number; and verifying the tag information in the second secret based on the random number; after the tag identity is determined to be legal, a shared secret key is obtained based on the second ciphertext, and a third ciphertext containing tag information is sent to a transmitter through a networking session;

The transmitter is used for encrypting a first plaintext by using the preset secret key after passing the networking authentication with the receiver to obtain a first ciphertext and sending the first ciphertext to the tag, wherein the first ciphertext comprises the random number; decrypting the third ciphertext and combining the random number with the transmitter information to generate a fourth ciphertext, and transmitting the fourth ciphertext to the tag; obtaining a shared key based on the third ciphertext;

the tag is used for decrypting the first ciphertext by using the preset key after receiving the first ciphertext to obtain a first plaintext; the second ciphertext obtained after the combination of the first plaintext and the tag information is sent to the receiver; and verifying the random number and the tag information contained in the fourth ciphertext, and obtaining the shared secret key based on the fourth ciphertext after verification.

2. The distributed RFID network communication security authentication system of claim 1, wherein the establishing a connection with the transmitter based on a preset key at the first connection, further comprises:

The connection is made using a challenge-response authentication mechanism.

3. The distributed RFID network communication security authentication system of claim 2, further comprising:

The common session key is negotiated when the connection is established with the transmitter based on the preset key at the first connection.

4. A distributed RFID network communication security authentication system according to claim 3, wherein networking authentication based on the random number comprises:

encrypting the random number by using the session key to obtain a random number ciphertext, and then sending the random number ciphertext to a transmitter;

and after receiving the decryption success mark sent by the receiver, confirming that the networking authentication is successful.

5. The distributed RFID network communication security authentication system of claim 1, comprising:

the first ciphertext and the second ciphertext also include a transmitter ID, a receiver ID.

6. The distributed RFID network communication security authentication system of claim 5, comprising:

The third ciphertext includes a success flag that is generated after determining that the tag identity is legitimate.

7. The distributed RFID network communication security authentication system of claim 6, wherein the shared key comprises:

generated by the random number, tag ID, transmitter ID and receiver ID by a key derivation algorithm.

8. The system of claim 1, wherein the second ciphertext obtained by combining the first plaintext with the tag information is transmitted to the receiver, and comprises:

Performing key derivation by using the tag ID and the random number to obtain a first tag key and a second tag key, and encrypting a first plaintext by using the first tag key to obtain a first part of a second ciphertext;

Calculating a second tag plaintext by using the second tag key, wherein the second tag plaintext is used as a second part of a second ciphertext;

taking the tag ID as a third part of a second ciphertext;

And sending a second ciphertext consisting of three parts to the receiver.

9. The distributed RFID network communication security authentication system of claim 8, wherein verifying the tag information in the second secret based on the random number comprises:

Performing key derivation by using the random number and a third part of the second ciphertext to obtain the first tag key and the second tag key;

and verifying the second part of the second ciphertext by using the second tag, and determining that the tag identity is legal if verification is passed.

10. A network communication security authentication method of distributed RFID, comprising:

step 100: the receiver generates a random number, establishes connection with the transmitter based on a preset key in the first connection, and then performs networking authentication based on the random number;

Step 200: after passing the networking authentication with the receiver, the transmitter encrypts a first plaintext by using the preset secret key to obtain a first ciphertext and sends the first ciphertext to a tag, wherein the first ciphertext comprises the random number;

Step 300: after receiving the first ciphertext, the tag decrypts the first ciphertext by using the preset key to obtain a first plaintext, combines the first plaintext with tag information to obtain a second ciphertext, and sends the second ciphertext to the receiver;

Step 400: the receiver verifies the tag information in the second cipher text based on the random number, obtains a shared key based on the second cipher text after determining that the tag identity is legal, and sends a third cipher text containing the tag information to the transmitter through a networking session;

Step 500: the transmitter decrypts the third ciphertext, combines the random number and the transmitter information to generate a fourth ciphertext, sends the fourth ciphertext to the tag, and obtains a shared key based on the third ciphertext;

Step 600: the tag verifies the random number and the tag information contained in the fourth ciphertext, and the shared key is obtained based on the fourth ciphertext after verification.