KR20130042266A - Authentification method based cipher and smartcard for wsn - Google Patents

Abstract

PURPOSE: A user authentication method based on a password and a smartcard for a wireless sensor network to offer a user authentication framework, various services for a user though configurations of user anonymity, cross certification, security session key, and a user authentication method which the user can regularly choose and update his/her cipher if necessary. CONSTITUTION: A user authentication method based on a cipher and a smartcard for a wireless sensor network comprises: a step of registering a client node using a user cipher and random constant number in a gateway; a step of generating a first message, by a smartcard, using the user cipher and random constant number inputted by a user at the client node and transmitting the first message to a sensor node; generating a second message from the first message at the sensor node, and transmitting the second message with a Hash value to the gateway; authenticating the user and the sensor node, at the gateway node, using the second message and the Hash value, generating a third message and transmitting the third message with a Hash value to the sensor node; validating the third message at the sensor node, generating a fourth message and transmitting the fourth message to the client node; and authenticating the sensor node by validating the fourth message at the client node.

Description

Password and smartcard based user authentication for wireless sensor networks. {Authentification method based cipher and smartcard for WSN}

The present invention relates to a user authentication method on a wireless network, and more particularly, to a user authentication method based on a password and a smart card for a wireless sensor network.

Wireless sensor networks (WSNs) have recently emerged as potential solutions for real-time monitoring applications, and the next generation of these WSNs will have a real impact.

WSNs wireless sensors are quick and easy to deploy and are used in a variety of real-time applications such as vehicle tracking, environmental monitoring, environmental control, military surveillance, medical monitoring, wildlife monitoring, and traffic monitoring. However, WSNs do not consider proper security before deployment, or if there is a security flaw, an attacker can exploit it to endanger the application.

User authentication is one of the most important security services for protecting WSN data access from unauthorized users as a means of proving that the user is a legitimate user before allowing access to the sensor network data. The user authentication must be accompanied by mutual authentication and session key setting. .

In addition, a sensor network providing a service to a user has a need to control a connection in accessing information, and access control is an essential requirement for preventing unauthorized users from accessing data.

An object of the present invention to solve the above problems is to propose a password and smart card-based user authentication framework for a wireless sensor network, to provide a variety of user anonymity, mutual authentication, secure session key settings It is to provide a service and to propose a user authentication method that allows a user to select / update a password regularly if necessary.

A feature of the present invention for solving the above problems is a user authentication method using a sensor network system consisting of a client (USER) node, a smart card, a gateway node, a sensor node, (a) the client node is a user's password and random Registering as a gateway node using a constant; (b) the smart card generating a first message using the ID and password input by the user at the client node and transmitting the first message to the sensor node; (c) generating a second message from a first message at the sensor node and sending the second message to the gateway node with a hash value; (d) authenticating a user and a sensor node using the second message and the hash value at the gateway node, and generating a third message and transmitting the hash message to the sensor node along with the hash value; (e) authenticating the third message at the sensor node, generating a fourth message and sending the fourth message to the client node; And (f) authenticating the fourth message received by the client node to authenticate the sensor node.

Here, the client node and the smart card preferably further comprises the step of updating by replacing the password of the user, the step of updating by replacing the password of the user, the smart card is stored the ID and password of the user Checking the validity of the; If the validity of the ID and password is confirmed, it is preferable to include the step of replacing the user's password by receiving a new password.

Preferably, the step (a) may include: requesting, by the client node, registration with the gateway node after calculating a hash value of the ID, password, and random constant of the user; And calculating, by the gateway node using the ID, password, and random constant, and customizing a smart card of each user.

The step (b) may include: checking the validity using a hash value of the ID and password of the user in the smart card and recognizing the user as a legitimate user; And generating a first message which is a login request message using the ID and password, and transmitting the first message to the sensor node, wherein step (c) is performed by the sensor node. Verifying validity; And generating, by the sensor node, a second message and a user authentication code value using the first message, and transmitting the generated second message and the user authentication code value to the gateway node.

In addition, the step (d) may include: checking the validity of the time at which the second message and the user authentication code value are received at the gateway node; Checking a validity of the second message by calculating a user authentication value for a second message at the gate node and comparing a user authentication code value generated at the sensor node; Authenticating the user and the sensor node using encryption and hash values at the gateway node; And generating, by the gateway node, a third message using an ID of the user and transmitting the third message to the sensor node.

The step (e) may include: checking the validity of the time when the third message is received at the sensor node; Verifying the validity of the third message by decoding the third message at the sensor node; And calculating a session key at the sensor node, generating a fourth message, and transmitting the generated session message to the client node.

Furthermore, step (f) may include: validating a time at which the fourth message is received at the client node; And verifying validity by decrypting the fourth message at the client node.

The present invention provides mutual authentication and user anonymity and confidentiality between all entities (users, gateways, sensors, etc.), session key settings, protects the system from existing retransmission attacks, spoofing attacks, insider attacks, MITM attacks, etc. It also has the advantage of being safe from gateway secret key guessing attacks and theft of inspection equipment (verifiers).

In addition, it can be more secure in terms of user authentication, and the protocol is actually implemented with low computational cost (computation amount), transmission cost (energy consumption for transmission), and message exchange cost (computation / transmission amount for message exchange). The big advantage is that it can be applied.

1 is a schematic diagram of a user authentication system using a wireless sensor network according to the present invention,
2 is a view showing the flow of the registration process in the user authentication method using a wireless sensor network according to the present invention,
3 is a view showing a flow of a user authentication method using a wireless sensor network according to the present invention,
4 is a flowchart illustrating a process of replacing and updating a password in a user authentication method using a sensor network according to the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The advantages and features of the present invention, and how to accomplish it, will be described with reference to the embodiments described in detail below with reference to the accompanying drawings. However, the present invention is not limited to the embodiments described herein but may be embodied in other forms. The embodiments are provided so that those skilled in the art can easily carry out the technical idea of the present invention to those skilled in the art.

In the drawings, embodiments of the present invention are not limited to the specific forms shown and are exaggerated for clarity. In addition, parts denoted by the same reference numerals throughout the specification represent the same components.

The expression "and / or" is used herein to mean including at least one of the components listed before and after. In addition, the singular also includes the plural unless specifically stated otherwise in the text. Also, components, steps, operations and elements referred to in the specification as " comprises "or" comprising " refer to the presence or addition of one or more other components, steps, operations, elements, and / or devices.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a schematic diagram of a user authentication system using a wireless sensor network according to the present invention, Figures 2 and 3 is a view showing the flow of a user authentication method using a wireless sensor network according to the present invention.

As shown in FIGS. 1 and 2, a user authentication system using a wireless sensor network includes a client node 100 corresponding to a user, a smart card 200 inserted into the client node 100, a gateway node 300, and the like. It consists of a sensor node 400.

In addition, the user authentication method using the wireless sensor network according to the present invention includes the steps of: (a) the client node 100 registering as a gateway using a user's password and a random constant (S100); (B) the smart card 200 generates a first message using the ID and password input by the user in the client node 100 and transmits to the sensor node 400 (S200); (c) generating a second message from the first message in the sensor node 400 and transmitting the second message to the gateway node 300 together with a hash value (S300); (d) authenticating the user and the sensor node 400 using the second message and the hash value in the gateway node 300, and generating a third message and transmitting the generated third message to the sensor node 400 together with the hash value. (S400); (e) authenticating the third message in the sensor node 400, generating a fourth message and transmitting the fourth message to the client node (S500); And (f) authenticating the sensor node 400 by authenticating the fourth message received by the client node 100 (S600).

As such, the present invention proposes a user authentication protocol so that only legitimate users can access the WSN data.

Before issuing a query to the sensor node 400 to access the real-time sensor data, each user must register with the gateway node 300 in a secure manner (S100), Figure 2 is a gateway in the user authentication method according to the present invention A flowchart illustrating a process of registering a user with the A-node 300. When the user or client node 100 requests a registration from the gateway, the gateway node 300 customizes the personal smart card 200 for all registered users. In the following, it is assumed that the user USER represents the client node 100, and the client node 100 refers to a point on the communication network represented by the user.

This registration process allows users to submit their queries in an authenticated manner and access the sensor network data at any time within a set period of time according to the management scheme. Before starting the system, the gateway and sensor node 400 is assumed to share a common secret key for a long time, the secret key used in the present invention is SK _gs = h (Sn || y) , and other such as DH Use a key agreement protocol.

PW _k )을 계산한다.(S110) ID _k 와 PW _k 는 영어 대문자, 소문자 등의 문자와 0~9 사이의 숫자를 포함해야 한다.Looking at the registration phase (RP) step (a) with reference to Figure 2, in the registration step, each user or client node 100 registers with the gateway (gateway) node 300. The user or client node U _k selects the ID _k , password PW _k , and any random number R that authenticates itself, and h (r

PW _k (S110) ID _k and PW _k must include letters between English upper and lower case letters and numbers between 0 and 9.

The user then sends a registration request to the gateway node 300 over a secure channel. After receiving the registration request of the user U _k , the gateway node 300 is calculated as shown in [Equation 1].

The gateway node 300 then customizes each user's smart card 200 with the parameters { A _k , B _k , V _k , h (.), E _k [.], D _k [.]}. do. Here, l is any random number generated by the gateway node 300, and the gateway secret keys x and h (.) Are one-way functions without collision, such as SHA-1.

Then, a random number r of user U _k enters the user's smart card 200, and the user does not need to remember his / her random number. { A _k , B _k , V _k , h (.), E _k [.], D _k [.], R } with the smart card 200 are as shown in FIG. 2.

3 is a flowchart illustrating a login and authentication process in a user authentication method using a wireless sensor network according to the present invention. As shown in FIG. 3, this step is invoked whenever the user U _k wishes to submit a query to access the sensor after login. Hereinafter, the first message is indicated by M1, the second message by M2, the third message by M3, and the fourth message by M4.

U _k inserts the smart card 200 into the terminal and inputs its ID _k and PW _k , the smart card 200 performs the following login operation (Login Phase: LP).

PW _k )). (LP-1). Calculation: V _k * = h ( ID _k || h ( r

PW _k )) .

(LP-2). Check whether V _k * and V _k are equal. If it is not the same, it rejects the login request, and if it is the same, it is recognized as a legitimate user and moves on to the next step.

(LP-3). Calculation: H _k = h ( A _k ) .

(LP-4). Calculation: AID _k = E _TkTu [h ( ID _k ) || Sn || X _g ] ;

Where Tk _Tu = ( Tu | H _k ) is the short-term key and Sn is the sensor node 400 that user U _k wants to access. X _g is a random secret number generated when user U _k logs in and helps to generate a session key between user and sensor node 400. Tu represents the current time stamp of user U _k 's system to prevent replay attacks.

(LP-5). Login message M1 = < B _k , AID _k , Tu > is transmitted to the sensor node 400 through the published channel (S200).

After completing the login process, the authentication node (Authentication Phase: AP) of the sensor node 400 is performed. As shown in FIG. 3, in the authentication phase, the sensor node 400 receives a user login request message at a time Ts . Called when < M1 > is received.

The process of processing a user authentication request of the sensor node 400 is as follows.

(AP-1). Sensor node 400 Sn validates Tu : If ( Ts - Tu ) = ΔT , Sn rejects the request and terminates the process. If not, continue to the next step. Ts is the current time stamp of Sn and is the time interval defined for the ΔT transmission delay.

(AP-2). The sensor node 400 generates messages M2 = < B _k , AID _k , Tu , Ts , Sn > and Q , and then transmits < M2 , Q> to the gateway node 300 through the public network. S300) The message authentication code (MAC) is the message M2 (ie, Q = MAC _ SKgs (( B _k || AID _k || Tu || Ts || Sn ))) to verify integrity with the gateway node 300). Is calculated on.

(AP-3). Upon receiving the messages M2 and Q from the sensor node 400, the gateway node 300 performs the following tasks.

The gateway node 300 confirms the validity of the time Ts : If ( Tg - Ts ) ≥ ΔT , the gateway node 300 rejects the request and terminates the process. If not, continue to the next step. Tg is the current time stamp in the gateway node (300), △ T is the time interval defined for the transmission delay.

Gateway node 300 calculates Q ' for message M2 using long-term secret key SKgs and verifies Q' = Q. If the same, the gateway node 300 confirms that it is the original message and performs the following process. If it is not the same, it rejects the request and terminates further work.

l')와 H _k ' = h( A _k ' )을 계산한다. 이후, 게이트웨이 노드(300)는 임시 키 TkTu ( Tu || Hk' )을 생성한다. 또한 게이트웨이 노드(300)는 TkTu을 사용하여 하위 메시지 AID _k 을 복호화하고 [h( ID _k *)|| Sn *|| Xg ]을 얻는다. Gateway node 300 decrypts B _k using secret key x to obtain ID _k ' and l' of user U _k and h ( ID _k ' ), A _k ' = h ( IDk '

l ') and H _k ' = h ( A _k ' ) . The gateway node 300 then generates a temporary key TkTu ( Tu || Hk ' ) . Gateway node 300 also uses TkTu to decode the lower message AID _k and [h ( ID _k *) || Sn * || Xg ] .

The gateway node 300 then compares h ( ID _k ' ) and h ( ID _k *) to authenticate that they are legitimate users if they are identical. h ( ID _k *) is a sub-message of AID _k . At the same time, the gateway node 300 is Sn and Sn * are the same and confirmed that this is included in the sub-message of the AID _k, and if the same plane gateway node 300 Sn wants to user U _k that access is legitimate node Consider that. Otherwise, the gateway node 300 rejects the authentication process.

After authenticating the user and sensor node 400; The gateway node informs the sensor node 400 that the user U _k is a legitimate user. Accordingly, the gateway node 300 calculates a message M3 = < Tg , C> and transmits it to the sensor node 400. (S400) C = E _SKgs [h ( ID _k ) || Xg || Tg ] , where Tg is the current time stamp of the gateway node 300.

(AP-4). Upon receipt of message M3 from gateway node 300, sensor node 400 performs the following process:

Sn first checks time Tg and if ( Ts - Tg ) ≥ ΔT , sensor node 400 rejects the request and terminates the process, otherwise proceeds to the next step. Ts is the current time stamp in the sensor node (400) △ T is the time interval defined for the transmission delay.

Sensor node 400, with the contents of SK _gs , sends the sub-message C = D _SKgs [h ( ID _k ) || Xg || Decode Tg *] and check if Tg and Tg * are equal. If the Tg is not the same, the process ends and if it is the same, the sensor node 400 considers that the gateway node 300 is a legitimate node and the message M3 is generated by the legitimate gateway node 300.

- since, Sn has calculated the session key _{Ses K = h (h (ID} k) || Xg || Sn || Ts || Tu) for secure communication between the sensor node 400 and the user. Sn then generates a message M4 = <L, Ts > and sends it to user U _k . (S500) L = E _SesK [ Xg || Ts ] , where Ts is the current time stamp of the sensor node 400.

(AP-5). While receiving message M4 from sensor node 400, user U _k performs the following procedure.

-First, U _k checks the validity of time Ts : If ( Tu - Ts ) = ΔT , then sensor node 400 rejects the request and terminates the process, otherwise proceeds to the next step. Tu is the current time stamp of user U _k and Δ T is the time interval defined for transmission support.

And user U _k computes the session key Ses _K = h (h ( ID _k ) || Xg || Sn || Ts || Tu ) and the _submessage L (ie, D _SesK [ Xg * || Ts *] ) To get Xg * and Ts * . The user U _k confirms that Xg = Xg *, and if Ts = Ts * is the same, it confirms that Sn is the actual sensor node 400, otherwise it checks that it is not the actual sensor node 400. (S600)

In addition, users U _k and Sn share a symmetric session key Ses _K = h (h ( ID _k ) || Xg || Sn || Ts || Tu ) to perform further work during the session.

Finally, a legitimate user can communicate with the actual sensor node 400 and access network data.

4 is a flowchart illustrating a process of replacing and updating a password in a user authentication method using a sensor network according to the present invention. , Password replacement process as shown in Fig. 4 (Password change Phase: PP) is called when you want to update the user U _k that their old password (PW _k).

The password update step proceeds as follows (S700):

(PP-1). The user U _k inserts his smart card 200 into the terminal and inputs his ID _k and password PW _k .

PW _k )). (PP-2). First, the smart card 200 with the stored value of the user U _k ' Validate the entered ID _k and PW _k as follows: V _k * = h ( ID _k || h (r

PW _k )).

(PP-3). V _k * and V _k If it is not the same, deny the password update request and proceed to the next step.

PW _knew *))을 계산한다.(PP-4). Receiving the new password PW _knew * of the user U _k, the smart card 200 receives Vknew * = h ( ID _k || h (r

PW _knew *))

(PP-5). Now smart card 200 replaces V _k with V _knew * .

After this process, the password update process is successful.

As such, the present invention proposes a user authentication framework for a wireless sensor network based on dual access (that is, a password and a smart card 200) by using the advantages of a cryptographic hash function and a cryptographic system. It provides mutual authentication between all entities (users, gateways, sensors, etc.), user anonymity and confidentiality, session key settings, and protects the system from existing replay attacks, spoofing attacks, insider attacks, and MITM attacks. It is also safe from gateway secret key guessing attacks and theft of inspection equipment (verifiers).

That is, the existing authentication method and encryption method and process is the same, but by using two passwords and smart card 200, it can have stronger security in terms of user authentication. The actual implementation of the protocol (applied) with the energy consumption required for the time) and the cost of the message exchange (the computation / transmission required for the message exchange).

Table 1 compares the methods on a conventional sensor network. As shown in [Table 1], the user authentication protocol proposed by the present invention is guaranteed by the existing authentication methods such as mutual authentication, user privacy protection, message integrity, secure session key sharing, insider attack, gateway secret key guessing attack, etc. The big advantage is that you can provide all the parts you can't.

In addition, the protocol proposed in the present invention adopts a low-cost calculation method such as a one-way hash function and a symmetric key cryptographic system for the WSN, thereby providing a detailed security function for a reasonable calculation cost.

In the registration phase, the protocol requires 4H and one symmetric key system, and in the login and authentication phase, 9H 6S and 2MAC are required. This requires four message exchanges during the proposed protocol-wide communication process and identifies virtually all entities (users, gateways and sensors) for real-time applications. Here, H represents a time for performing a one-way hash function, S: symmetric key system, and MAC: MAC.

While the invention has been shown and described with respect to the specific embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined by the appended claims. Anyone with it will know easily.

Claims (9)

In the user authentication method using a sensor network system consisting of a client (USER) node, smart card, gateway node, sensor node,
(a) the client node registering with the gateway using a user's password and a random constant;
(b) the smart card generating a first message using the ID and password input by the user at the client node and transmitting the first message to the sensor node;
(c) generating a second message from a first message at the sensor node and sending the second message to the gateway node with a hash value;
(d) authenticating a user and a sensor node using the second message and the hash value at the gateway node, and generating a third message and transmitting the hash message to the sensor node along with the hash value;
(e) authenticating the third message at the sensor node, generating a fourth message and sending the fourth message to the client node; And
and (f) authenticating the fourth node received by the client node to authenticate the sensor node.
The method of claim 1,
Password and smart card-based user authentication method for a wireless sensor network, characterized in that further comprising the step of updating the password of the user in the client node and the smart card.
The method of claim 2,
Replacing and updating the password of the user,
Verifying the validity of the user ID and password stored in the smart card;
And verifying the validity of the ID and password, receiving a new password and replacing the password of the user.
4. The method according to any one of claims 1 to 3,
The step (a)
The client node requesting registration with the gateway node after calculating a hash value of the user's ID, password, and random constant;
The gateway node calculates a parameter using the ID, password, and random constant, and customizes each user's smart card. .
4. The method according to any one of claims 1 to 3,
The step (b)
Confirming the validity by using a hash value of the ID and password of the user in the smart card and recognizing the user as a legitimate user;
And generating a first message, which is a login request message, using the ID and password, and transmitting the first message to the sensor node.
4. The method according to any one of claims 1 to 3,
The step (c)
Confirming validity of a time at which the first message is received at a sensor node;
And generating a second message and a user authentication code value by using the first message in a sensor node, and transmitting the generated second message and a user authentication code value to a gateway node.
4. The method according to any one of claims 1 to 3,
The step (d)
Confirming validity of a time at which the second message and the user authentication code value are received at the gateway node;
Checking a validity of the second message by calculating a user authentication value for a second message at the gateway node and comparing a user authentication code value generated at the sensor node;
Authenticating the user and the sensor node using encryption and hash values at the gateway node; And
And generating a third message by using the ID of the user in the gateway node and transmitting the third message to the sensor node.
4. The method according to any one of claims 1 to 3,
In step (e),
Confirming validity of a time at which the third message is received at the sensor node;
Verifying the validity of the third message by decoding the third message at the sensor node;
Computing a session key in the sensor node and generating a fourth message and transmitting to the client node, characterized in that the password and smart card-based user authentication method.
4. The method according to any one of claims 1 to 3,
The step (f)
Confirming validity of a time at which the fourth message is received at a client node; And
And decrypting the fourth message in the client node to confirm validity.

Images