TWI754464B - Authentication system and method for interent of things device based on edge computing and edge authentication server thereof - Google Patents


Info

Publication number
TWI754464B
Authority
TW
Taiwan
Prior art keywords
authentication
edge
token
authentication server
iot device
Prior art date
Application number
TW109140967A
Other languages
Chinese (zh)
Other versions
TW202222090A (en)
Inventor
黃雅喻
Original Assignee
中華電信股份有限公司
Priority date
Filing date
Publication date
Application filed by 中華電信股份有限公司
Priority to TW109140967A
Priority to CN202110962952.1A
Application granted
Publication of TWI754464B
Publication of TW202222090A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F 9/5061 Partitioning or combining of resources
    • G06F 9/5072 Grid computing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The present invention is an authentication system and method for IoT devices based on edge computing, and an edge authentication server thereof. Fast authentication is distributed to the edge authentication server of each edge node, and each edge authentication server can intelligently compute an appropriate token lifetime, which effectively reduces authentication delay and the load on the core authentication server while improving the security of fast authentication. The present invention thus solves the heavy load and authentication delay of traditional centralized authentication, and the security problems that arise from the fixed token lifetime used for fast authentication.

Description

IoT device authentication system and method based on edge computing, and edge authentication server thereof

The present disclosure relates to device authentication technology, and more specifically to an IoT device authentication system and method based on edge computing, and an edge authentication server thereof.

At present, IoT device authentication and authorization is centralized. For example, the IoT device authentication and authorization system is a centralized core authentication system that provides both general authentication (AAA authentication) and a fast authentication mechanism. As shown in FIG. 1, the IoT device 11 sends an authentication request to the core authentication system 12. After receiving the user information, the core authentication system 12 first performs data verification, that is, general authentication. Once general authentication passes, the core authentication system 12 issues a token to the IoT device 11. When the IoT device 11 later uses that token to send another authentication request to the core authentication system 12, the core authentication system 12 first verifies whether the token is valid. If it is valid, general authentication is not required; this is called fast authentication. If it is invalid, general authentication must be performed and a new token obtained.

The existing core authentication system uses a single-system authentication mechanism. Although simple, it has other problems. A single core authentication system can provide centralized fast authentication, but concentrating authentication and authorization in one system still tends to burden that system or cause authentication delays. Moreover, a fixed token validity period is not optimal: if the period is too long, the token is easily stolen or misused, which raises security concerns; if it is too short, the token expires frequently, which adds to the burden of general authentication.

In view of this, finding a device authentication mechanism that can authenticate IoT devices without complex procedures and system configuration, and in particular one that reduces system burden and avoids authentication delay, is a problem that those skilled in the art are eager to solve.

To solve the above problems of the prior art, the present invention proposes an IoT device authentication system based on edge computing, comprising: an edge authentication server for receiving an authentication request, containing user data and a token, sent by an IoT device, and for judging the validity period of the token, so as to send an authentication success message to the IoT device when the token is valid; and a core authentication server for receiving the user data forwarded by the edge authentication server and performing general authentication when the edge authentication server judges the token to have expired.

In one embodiment, the core authentication server responds to the edge authentication server with the success or failure of the general authentication, and on success also responds with a new token; the edge authentication server stores the new token in an edge authentication database and returns it to the IoT device for subsequent fast authentication.

In one embodiment, the edge authentication server periodically creates authentication factor data according to its own authentication results and stores that data in the edge authentication database.

The authentication factor data includes incoming traffic, the fast authentication success rate, and the response time of the core authentication server.

In one embodiment, the edge authentication server further includes a dynamic token-lifetime adjustment unit, which obtains the token lifetime from the authentication factor data using a token-lifetime adjustment algorithm: it evaluates the results of the token validity judgments, performs a drop-point analysis of the evaluation, and adjusts the token validity period accordingly.

In one embodiment, the edge authentication server further includes: a process control unit for receiving the authentication request and the authentication result response, checking the token validity period, and deciding whether to perform core authentication; an evaluation calculation and analysis unit for setting the weights of the authentication factors, compiling statistics, and computing the evaluation; and a timeliness decision calculation and analysis unit for performing the drop-point analysis of the evaluation to determine the token lifetime.

In one embodiment, the edge computing-based IoT device authentication system further includes an authentication center connected to the core authentication server for performing user authentication and key negotiation.

The present invention further proposes an IoT device authentication method based on edge computing, comprising: having an IoT device issue an authentication request containing user data and a token; having an edge authentication server receive the authentication request from the IoT device and judge the validity period of the token; and, when the edge authentication server judges the token to be valid, having the edge authentication server respond to the IoT device with an authentication success message, whereas when the edge authentication server judges the token to have expired, having the edge authentication server forward the user data to a core authentication server for general authentication.

In the above method, the core authentication server responds to the edge authentication server with the success or failure of the general authentication, and on success also responds with a new token; the edge authentication server stores the new token in an edge authentication database and returns it to the IoT device for subsequent fast authentication.

In the above method, the edge authentication server periodically creates authentication factor data and stores it in the edge authentication database. The authentication factor data includes incoming traffic, the fast authentication success rate, and the response time of the core authentication server.

In one embodiment, the edge authentication server further evaluates the results of the token validity judgments and performs a drop-point analysis of the evaluation, adjusting the token validity period accordingly.

The present invention further provides an edge authentication server, comprising: a receiving unit for receiving an authentication request, containing user data and a token, sent by an IoT device; and a judging unit for judging the validity period of the token, so as to send an authentication success message to the IoT device when the token is valid, and to forward the user data for general authentication when the token has expired.

In summary, the present invention is an IoT device authentication system and method based on edge computing, and an edge authentication server thereof, and relates to an efficient authentication method that preserves token security. The IoT device first uses its token to perform fast authentication at the edge authentication server; the edge authentication server judges whether the token is valid and records the fast authentication result. If the token is valid, low-latency fast authentication is completed at the edge. In addition, the edge authentication server periodically adjusts the token lifetime according to the recorded authentication results, achieving self-optimization. For example, when the fast authentication success rate is low and incoming traffic is high, many users must undergo general authentication, the core authentication server becomes busy, and the user experience deteriorates; in that case the edge authentication server can automatically extend the token lifetime, which greatly increases the chance that IoT devices authenticate at the edge and greatly raises the fast authentication success rate, reducing the load on the core authentication server and effectively improving the user experience.

11, 20: IoT device

12: core authentication system

2: IoT device authentication system based on edge computing

21: edge authentication server

211: process control unit

212: evaluation calculation and analysis unit

213: timeliness decision calculation and analysis unit

214: dynamic token-lifetime adjustment unit

215: receiving unit

216: judging unit

22: core authentication server

23: edge authentication database

24: authentication center

A1-A6: steps

B1-B3: steps

S51-S53: steps

FIG. 1 is a system architecture diagram of the authentication and authorization mechanism of an existing IoT device.

FIG. 2 is a system architecture diagram of the IoT device authentication system based on edge computing of the present invention.

FIG. 3 is a detailed architecture diagram of the edge authentication server of the present invention.

FIG. 4 is a system architecture diagram of a specific embodiment of the IoT device authentication system based on edge computing of the present invention.

FIG. 5 is a step diagram of the IoT device authentication method based on edge computing of the present invention.

FIG. 6 is a sequence diagram of the IoT device authentication method based on edge computing of the present invention.

FIG. 7 is a schematic diagram of the evaluation drop-point analysis performed by the present invention.

FIG. 8 is a schematic diagram of token lifetime adjustment according to the present invention.

FIG. 9 is a schematic diagram of a scenario with multiple edge authentication systems according to the present invention.

FIG. 10 is a schematic flow chart of a failed fast authentication according to the present invention.

FIG. 11 is a schematic flow chart of a successful fast authentication according to the present invention.

The technical content of the present invention is described below by way of specific embodiments; those skilled in the art can readily understand the advantages and effects of the present invention from the content disclosed in this specification. The present invention may also be implemented or applied through other, different specific embodiments.

FIG. 2 is a system architecture diagram of the IoT device authentication system based on edge computing of the present invention. As shown, the edge computing-based IoT device authentication system 2 includes at least an edge authentication server 21 and a core authentication server 22.

The edge authentication server 21 receives an authentication request, containing user data and a token, sent by the IoT device 20, and judges the validity period of the token, so as to send an authentication success message to the IoT device 20 when the token is valid.

The core authentication server 22 receives the user data forwarded by the edge authentication server 21 and performs general authentication when the edge authentication server 21 judges the token to have expired. Specifically, the core authentication server 22 responds to the edge authentication server 21 with the success or failure of the general authentication, and on success also responds with a new token; the edge authentication server 21 stores the new token in an edge authentication database 23 and returns it to the IoT device 20 for subsequent fast authentication.

In one embodiment, the core authentication server 22 is connected to an authentication center 24, which performs user authentication and key negotiation. That is, when the edge authentication server 21 cannot complete fast authentication, the core authentication server 22 performs general authentication and forwards the relevant data to the authentication center 24 to authenticate the user and negotiate the communication key.

To achieve fast authentication, the present invention verifies the token supplied by the IoT device 20 within the edge authentication server 21 to confirm whether it is valid. Efficiency must still be considered: when the edge authentication server 21 carries a heavy authentication load, having authentication delayed because of token expiry is undesirable. The edge authentication server 21 of the present invention therefore has an adjustment mechanism: it periodically creates authentication factor data according to its own authentication results and stores that data in the edge authentication database 23, where the authentication factor data may include incoming traffic, the fast authentication success rate, and the response time of the core authentication server.

From the above, the edge authentication server 21 performs fast authentication, collects and evaluates authentication results, and dynamically adjusts the token lifetime: it uses the token for fast authentication, decides whether fast authentication succeeds according to whether the token is valid, and, after periodically computing an evaluation from the authentication factor data, dynamically analyzes and adjusts the token validity period of the edge authentication system. The core authentication server 22, in turn, performs user identity authentication, that is, general authentication, and provides trusted token data.

FIG. 3 is a detailed architecture diagram of the edge authentication server of the present invention. As shown, the edge authentication server 21 includes a process control unit 211, an evaluation calculation and analysis unit 212, a timeliness decision calculation and analysis unit 213, a dynamic token-lifetime adjustment unit 214, a receiving unit 215, and a judging unit 216, which are electrically connected to one another.

The receiving unit 215 of the edge authentication server 21 receives an authentication request, containing user data and a token, sent by the IoT device; the judging unit 216 of the edge authentication server 21 judges the validity period of the token, so as to send an authentication success message to the IoT device when the token is valid, and to forward the user data for general authentication when the token has expired.

The process control unit 211 of the edge authentication server 21 receives the authentication request and the authentication result response, checks the token validity period, and decides whether to perform core authentication; that is, it handles message passing and the token validity check, and decides on the basis of that check whether core authentication is needed. The evaluation calculation and analysis unit 212 of the edge authentication server 21 sets the weights of the authentication factors, compiles statistics, and computes the evaluation; in short, it performs the relevant statistics in order to compute the evaluation and set the factor weights. The timeliness decision calculation and analysis unit 213 of the edge authentication server 21 performs the drop-point analysis of the evaluation to determine the token lifetime; that is, it analyzes where the evaluation falls and, based on that result, decides whether to adjust the token lifetime.

The dynamic token-lifetime adjustment unit 214 obtains the token lifetime from the authentication factor data using the token-lifetime adjustment algorithm: it evaluates the results of the token validity judgments, performs a drop-point analysis of the evaluation, and adjusts the token validity period accordingly. As described above, the edge authentication server 21 adjusts the token validity period according to the authentication situation; the basis for this is the evaluation of the token validity judgments and the drop-point analysis of that evaluation, which together determine whether the validity period should be adjusted.

FIG. 4 is a system architecture diagram of a specific embodiment of the IoT device authentication system based on edge computing of the present invention; please refer to FIG. 2 and FIG. 3 together. Specifically, the edge computing-based IoT device authentication system may comprise an IoT device, an edge authentication system, and a core authentication system.

The edge authentication system accepts authentication requests from the IoT device 20 over an Internet transport protocol. The authentication request contains the user information and the token, which serve as the authentication credentials. When the token has expired, the edge authentication system sends the user information over an Internet transport protocol to the core authentication system (Entitlement System, ES) for general authentication.

The edge authentication systems are independent of one another, and each contains an edge authentication server 21 and an edge authentication database 23 that stores token data and the authentication factor data of the IoT device 20. When an edge authentication server 21 accepts the authentication request of an IoT device 20, it is the edge authentication system closest to that IoT device 20. The edge authentication server 21 includes a process control unit 211, an evaluation calculation and analysis unit 212, and a timeliness decision calculation and analysis unit 213. The process control unit 211 connects the service software with the database to execute the service logic; its main functions include receiving IoT device authentication requests and sending responses, checking whether the token lifetime has expired, and deciding whether to perform core authentication. The evaluation calculation and analysis unit 212 is responsible for weight setting, statistics, and evaluation calculation; the setting of factor weights and the evaluation calculation are described in detail later. The timeliness decision calculation and analysis unit 213 is responsible for the evaluation drop-point analysis and determines the token lifetime; the timeliness decision calculation is also described in detail later.

The core authentication system may include a core authentication server 22 and an authentication center 24 connected to it. The core authentication server 22, also called the entitlement server, is responsible for obtaining a token once authentication at the authentication center has passed and returning it to the edge authentication system. The authentication center 24 provides AAA (Authentication, Authorization, Accounting) authentication and is responsible for core authentication, performing user authentication and key negotiation.

FIG. 5 is a step diagram of the IoT device authentication method based on edge computing of the present invention.

As shown, in step S51 the IoT device issues an authentication request containing user data and a token. In this step the IoT device sends an authentication request that contains the user data and the token.

In step S52, the edge authentication server receives the authentication request from the IoT device and judges the validity period of the token. In this step, after receiving the authentication request, the edge authentication server determines whether the token is still valid.

In step S53, when the edge authentication server judges the token to be valid, it responds to the IoT device with an authentication success message; when it judges the token to have expired, it forwards the user data to the core authentication server for general authentication. In this step, if the token is valid, the edge authentication server responds to the IoT device with an authentication success message; if the token has expired, the edge authentication server forwards the user data to the core authentication server for general authentication.

Step S53 further includes the core authentication server responding to the edge authentication server with the success or failure of the general authentication, and on success also responding with a new token, which the edge authentication server stores in an edge authentication database and returns to the IoT device for subsequent fast authentication. In short, the core authentication server performs general authentication and, on success, also generates a new token and updates the token held on the edge authentication server side, for use in subsequent fast authentication.
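Steps S51 to S53 above, including the fallback to the core server and the re-issue of a token, as an added Python example that is not part of the patent or of any implementation by the applicant. The class and function names, the in-memory edge database, the 300-second default lifetime and the credential check inside the core stand-in are all assumptions made for the illustration. Two details worth noting from a defender's view: the edge compares the presented token against the one stored for that user with a constant-time comparison, and it applies the lifetime at check time (issue time plus the current lifetime) rather than baking an expiry into the token, which is the reading under which a later lifetime adjustment changes the outcome of the validity judgment.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class CoreAuthServer:
    """Stand-in for the core authentication server (general authentication).

    Holds a constructed credential table and issues a fresh random token on
    success. A real deployment would consult the authentication center (AAA)
    here; that exchange is not modelled.
    """
    credentials: dict  # user_id -> secret (constructed sample data, an assumption)
    response_times: list = field(default_factory=list)  # input for the factor data

    def general_auth(self, user_data):
        """Return (success, new_token); new_token is None on failure."""
        start = time.perf_counter()
        expected = self.credentials.get(user_data.get("user_id"), "")
        ok = bool(expected) and hmac.compare_digest(expected, user_data.get("secret", ""))
        self.response_times.append(time.perf_counter() - start)
        return (True, secrets.token_hex(16)) if ok else (False, None)


@dataclass
class EdgeAuthServer:
    """Edge authentication server: fast auth on a stored token, else fall back to core."""
    core: CoreAuthServer
    token_ttl: float = 300.0  # current token lifetime in seconds (assumed default)
    db: dict = field(default_factory=dict)  # edge auth database: user_id -> (token, issued_at)
    fast_results: list = field(default_factory=list)  # one bool per request, kept for step B1

    def token_is_valid(self, user_id, token, now):
        """Step S52/A2: the token must match the one stored for this user and be within the TTL."""
        record = self.db.get(user_id)
        if record is None or not token:
            return False
        stored, issued_at = record
        # constant-time comparison so the edge check does not leak token bytes via timing
        if not hmac.compare_digest(stored, token):
            return False
        # lifetime applied at check time, so a TTL change takes effect on the next request
        return (now - issued_at) < self.token_ttl

    def authenticate(self, request, now=None):
        """Steps S51-S53 for one request of the form {'user_data': {...}, 'token': str|None}."""
        now = time.time() if now is None else now
        user_data = request["user_data"]
        user_id = user_data["user_id"]
        token = request.get("token") or ""

        if self.token_is_valid(user_id, token, now):
            self.fast_results.append(True)
            return {"result": "success", "path": "fast", "token": token}

        # fast auth failed: forward the user data to the core for general authentication
        self.fast_results.append(False)
        ok, new_token = self.core.general_auth(user_data)
        if not ok:
            return {"result": "failure", "path": "core", "token": None}
        # on success store the new token in the edge database and return it to the device
        self.db[user_id] = (new_token, now)
        return {"result": "success", "path": "core", "token": new_token}


def demo():
    """Walk one device through first auth, fast auth, expiry and token re-issue."""
    core = CoreAuthServer(credentials={"dev-01": "constructed-secret"})
    edge = EdgeAuthServer(core=core, token_ttl=300.0)
    creds = {"user_id": "dev-01", "secret": "constructed-secret"}
    t0 = 1_700_000_000.0
    first = edge.authenticate({"user_data": creds, "token": None}, now=t0)
    second = edge.authenticate({"user_data": creds, "token": first["token"]}, now=t0 + 10)
    third = edge.authenticate({"user_data": creds, "token": first["token"]}, now=t0 + 400)
    return first, second, third
```

The fast path deliberately checks only the token, as the patent describes, so the device's secret is never sent to or compared by the edge once a token exists; the consequence is that whoever holds a valid token within its lifetime passes, which is exactly why the lifetime is the security knob the later steps tune.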

In one embodiment, the above method further includes the edge authentication server periodically creating authentication factor data and storing it in the edge authentication database, where the authentication factor data includes incoming traffic, the fast authentication success rate, and the response time of the core authentication server.

In one embodiment, the above method further includes the edge authentication server evaluating the results of the token validity judgments and performing a drop-point analysis of the evaluation, adjusting the token validity period accordingly. In short, the edge authentication server uses the evaluation calculation and analysis unit to evaluate the authentication results from the authentication factor data, and then uses the timeliness decision calculation and analysis unit to analyze where the evaluation falls. If the evaluation falls in the "severe" range, the token lifetime is extended, which raises the fast authentication success rate and improves the user experience. If it falls in the "good" range, the token lifetime is shortened, which improves token security and reduces the risk of the token being stolen or misused. If it falls in the "medium" range, no adjustment is made, indicating that fast authentication is efficient and token security is maintained. Through this method of dynamically adjusting the token lifetime, the present invention achieves self-optimization.

FIG. 6 is a sequence diagram of the edge computing based IoT device authentication method of the present invention. As shown in the figure, it is divided into an authentication phase and a dynamic token validity adjustment phase. The authentication phase comprises: step A1, the IoT device uses its token to perform fast authentication with the edge authentication server; step A2, the edge authentication server checks the token validity period and stores the fast authentication result; step A3, if the token is valid, fast authentication at the edge authentication server has succeeded and an authentication success message is returned to the IoT device.

The following steps are executed only when the token has expired and fast authentication has failed. Step A4, if fast authentication at the edge authentication server fails, the request is forwarded to the core authentication server for general authentication; step A5, the core authentication server returns the general authentication success or failure result to the edge authentication server and, on success, also updates the IoT device's token; step A6, the edge authentication server returns the general authentication success or failure result to the IoT device and, on success, also updates the IoT device's token.

The dynamic token validity adjustment phase is executed periodically and entirely on the edge authentication server. Its steps comprise: step B1, building authentication factor data from the fast authentication results recorded in step A2; step B2, obtaining the token validity period using the token validity adjustment calculation and analysis method; step B3, the edge authentication server automatically adjusts the token validity period, which affects the outcome of the validity check in step A2.

The authentication factor data concerns factors that tend to congest the core authentication server or degrade the user experience, and may include incoming traffic, the fast authentication success rate and the core authentication server response time. Specifically, incoming traffic is the amount of traffic that passes from this edge authentication server to the core authentication server within a given period; the larger the traffic, the more likely the core authentication server becomes congested. The fast authentication success rate is the proportion of this edge authentication server's total traffic in the period that passed fast authentication; a higher success rate means most of this edge server's users can be authenticated quickly, which is unlikely to congest the core authentication server, whereas a lower one easily congests it. The core authentication server response time is its current response time; a long response time means users must wait a long time, giving a poor user experience.

The token validity adjustment calculation and analysis method comprises the steps of setting weight values for the authentication factor data, evaluation calculation and analysis, and timeliness decision calculation and analysis. Setting the weight values means a system expert can assign different weights to the factors based on observed data; for example, if the expert considers the fast authentication success rate more important, it can be given a larger weight. Evaluation calculation and analysis uses the Technique for Order Preference by Similarity to an Ideal Solution (TOPSIS) to compute an evaluation of the authentication results in the period, and the evaluation falls between 0 and 1. Timeliness decision calculation and analysis performs the placement analysis of the evaluation; as shown in FIG. 7, the closer the evaluation is to 0, the worse the authentication situation, and the closer to 1, the better.

The evaluation can be divided into three bands: severe, medium and good. Severe means incoming traffic is high, the fast authentication success rate is low or the core authentication server is busy, which easily overloads the core authentication server, so the token validity period must be increased. A longer validity period means the IoT device has a greater chance of being authenticated at the edge authentication server, lowering the core authentication server's load, but at the same time security decreases. Good means the core authentication server is not overloaded, so the token validity period can be reduced. A shorter validity period means higher security, but if the period is too short, tokens expire quickly and devices must return to the core authentication server for authentication, which again raises the core authentication server's load. The compromise is therefore the medium evaluation band, which is the convergence range: authentication is efficient and the token validity period remains secure, so no adjustment is needed.

The token validity adjustment formula can be as follows, where T' is the current token validity period of the system and t is the adjustment unit time.

Figure 109140967-A0101-12-0012-1

The TOPSIS method is as follows. First, a feature matrix is built. Typically there are m evaluation targets D_1, D_2, …, D_m, each with n evaluation indicators X_1, X_2, …, X_n.

Figure 109140967-A0101-12-0012-2

Next, the normalized matrix is computed. The feature matrix is normalized to obtain the values r_ij, which form the normalized matrix.

Figure 109140967-A0101-12-0012-3

i = 1, 2, …, m; j = 1, 2, …, n.

Next, the weighted normalized matrix. The weighted normalized values v_ij are computed to form the weighted normalized matrix, where ω_j is the weight of the j-th indicator.

v_ij = ω_j · r_ij, i = 1, 2, …, m; j = 1, 2, …, n.

Next, the positive and negative ideal solutions are determined. The positive ideal solution A* and the negative ideal solution A- are determined from the weighted normalized values v_ij, where J1 is the set of benefit indicators, giving the best value on the i-th indicator, and J2 is the set of cost indicators, giving the worst value on the i-th indicator. The larger a benefit indicator and the smaller a cost indicator, the more favourable the evaluation result; the converse is unfavourable.

Figure 109140967-A0101-12-0013-6

Next, the distance measures are computed.

Figure 109140967-A0101-12-0013-4

i = 1, 2, …, m.

Finally, the closeness to the positive ideal solution is computed. In the formula below, the closeness lies between 0 and 1. When it equals 0, A_i = A-, meaning the target is the worst target; when it equals 1, A_i = A*, meaning the target is the optimal target. In practical multi-objective decision-making, the optimal and worst targets are very unlikely to occur.

Figure 109140967-A0101-12-0013-9, i = 1, 2, …, m.

FIG. 9 is a schematic diagram of a scenario with multiple edge authentication systems of the present invention, FIG. 10 is a flowchart of a failed fast authentication and FIG. 11 is a flowchart of a successful fast authentication. The invention is illustrated below with a practical example. There are three edge authentication servers A, B and C, covering for example the north, centre and south. A user, Tom, is located in the south, within the service area of edge authentication server C, so Tom's smartwatch performs fast authentication with the nearest edge authentication server, C. In short, edge authentication server C checks whether the token is valid and stores the fast authentication result; a valid token means fast authentication at edge authentication server C succeeds, and any further authentications within the validity period are handled at the edge node alone. This process corresponds to steps A1-A3 of FIG. 6.

Steps A4-A6 of FIG. 6 are executed only when the token has expired and fast authentication has failed; an example scenario follows. As shown in FIG. 10, suppose edge authentication server C serves a crowded location, the core authentication server's current response time is 30 seconds and the current token validity period is 1 minute. When Tom's smartwatch authenticates again more than 1 minute later, the token has expired, so the user identity must be re-authenticated at the core authentication centre and a new token obtained, that is, general authentication, which takes at least 30 seconds to complete and gives a poor user experience.

Using the fast authentication results from step A2 of FIG. 6 and the dynamic token validity adjustment module, edge authentication server C determines that the core authentication server is congested and adjusts its token validity period to 11 minutes. When Tom's smartwatch authenticates again, step A2 of FIG. 6 finds the token valid, so the smartwatch can keep performing low-latency fast authentication at edge authentication server C with a good user experience, as shown in FIG. 11.

An example of dynamic token validity adjustment follows; refer also to FIG. 6. Step B1: an example authentication factor data structure is shown in the table below, with authentication data collected every 10 minutes.

Figure 109140967-A0101-12-0014-10

Step B2: the current time is 00:20, and in the last 10 minutes 30% of users failed fast authentication and had to go to the core authentication server for general authentication, waiting at least 30 seconds. The steps of the token validity adjustment calculation and analysis method are explained further below; they evaluate the authentication results for this period and show that the authentication situation is severe, leading to a poor user experience.

Step (1) of the token validity adjustment calculation and analysis method: the system expert sets a weight for the importance of each factor; an example follows.

Figure 109140967-A0101-12-0015-11

Step (2): the evaluation calculation and analysis method computes the distances to the positive and negative ideal solutions and from them the evaluation score. A TOPSIS calculation example follows.

TOPSIS step (T1): convert the authentication data of step B1 into a feature matrix of performance values according to an expert-defined scoring standard; in this example, scores range from 1 to 10.

Figure 109140967-A0101-12-0015-12

TOPSIS step (T2): normalized performance values of the authentication data.

Figure 109140967-A0101-12-0015-13

TOPSIS step (T3): weighted normalized performance values.

Figure 109140967-A0101-12-0015-14

TOPSIS step (T4): determine the positive and negative ideal solutions. For the positive ideal solution, the lower the incoming traffic the better, the higher the fast authentication success rate the better and the shorter the ES response time the better; the negative ideal solution is the opposite.

Figure 109140967-A0101-12-0016-15

TOPSIS step (T5): obtain the distances of each authentication record to the ideal solutions and compute the closeness to the positive ideal solution, which is the evaluation.

Figure 109140967-A0101-12-0016-16

Step (3): the timeliness decision calculation and analysis method proposed by the invention is applied. Example: the convergence range of the evaluation placement analysis is 0.4 to 0.6, T' is the current token validity period (1 minute) and t is 10 minutes per adjustment. As shown in FIG. 8, the evaluation score of 0.33 is placed in the severe band, and the token validity adjustment formula yields a new validity period of 11 minutes.

Finally, returning to step B3, the edge authentication server automatically adjusts the token validity period to 11 minutes.

For subsequent fast authentications, the edge authentication server checks token validity against the new validity period. Because the extended validity period increases the chance that users complete fast authentication at the edge, the authentication factor data collected in the next cycle, at 00:30, looks like the table below.

Figure 109140967-A0101-12-0016-17

Figure 109140967-A0101-12-0017-18

The fast authentication success rate has reached 90% while incoming traffic and the core authentication server response time are unchanged. The evaluation calculation and analysis is performed, with the results shown in the table below.

Figure 109140967-A0101-12-0017-19

The resulting evaluation score is 0.49; the timeliness decision calculation and analysis method places it in the medium band, so the token validity period needs no adjustment. This means that with an 11-minute validity period, 90% of users at this edge can perform low-latency fast authentication, improving authentication efficiency and user experience while keeping the token secure. If the evaluation score improved further into the good band, the token validity period could be shortened to raise token security.
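The TOPSIS evaluation described above (feature matrix, normalization, weighting, ideal solutions, closeness) and the worked adjustment example (severe below 0.4, good above 0.6, 1 minute becoming 11 minutes) can be run end to end with the following added example, which is not the patent's own code. The sample windows, the weights and the adjustment rule (severe adds t, good subtracts t with a floor, medium leaves T' unchanged) are assumptions reconstructed from the worked example; the 1-to-10 expert rescoring step is skipped and raw factor values are normalized directly.

```python
"""TOPSIS evaluation and token validity adjustment for an edge authentication server.

Added example (not the patent's code). The history, weights and adjustment rule
are assumptions; the rule is reconstructed from the worked example, where a
severe score turns a 1-minute validity period into 1 + 10 = 11 minutes.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthFactors:
    """One collection window of authentication factor data (constructed sample)."""
    window: str
    incoming_traffic: int      # requests forwarded from this edge server to the core server
    fast_success_rate: float   # share of edge requests that passed fast authentication
    core_response_s: float     # current core authentication server response time (seconds)

    def row(self) -> list[float]:
        return [float(self.incoming_traffic), self.fast_success_rate, self.core_response_s]


# Benefit indicator (larger is better): fast success rate. Cost indicators: the other two.
BENEFIT = [False, True, False]
# Convergence range of the placement analysis taken from the patent's example.
SEVERE_BELOW, GOOD_ABOVE = 0.4, 0.6


def topsis_closeness(matrix: list[list[float]], weights: list[float]) -> list[float]:
    """Closeness to the positive ideal solution for every row of the feature matrix.

    Vector-normalize each column (r_ij), weight it (v_ij = w_j * r_ij), take the best and
    worst value per column (A*, A-), then return d-/(d+ + d-), which lies in [0, 1].
    """
    n = len(weights)
    norms = [math.sqrt(sum(row[j] ** 2 for row in matrix)) or 1.0 for j in range(n)]
    v = [[weights[j] * row[j] / norms[j] for j in range(n)] for row in matrix]
    cols = list(zip(*v))
    a_pos = [max(c) if BENEFIT[j] else min(c) for j, c in enumerate(cols)]
    a_neg = [min(c) if BENEFIT[j] else max(c) for j, c in enumerate(cols)]
    out = []
    for row in v:
        d_pos, d_neg = math.dist(row, a_pos), math.dist(row, a_neg)
        # Edge case: all rows identical (d+ = d- = 0), nothing to rank, treat as medium.
        out.append(d_neg / (d_pos + d_neg) if d_pos + d_neg else 0.5)
    return out


def classify(score: float) -> str:
    """Placement analysis: map the evaluation score to severe / medium / good."""
    if score < SEVERE_BELOW:
        return "severe"
    if score > GOOD_ABOVE:
        return "good"
    return "medium"


def adjust_validity(current_min: int, step_min: int, score: float, floor_min: int = 1) -> int:
    """Assumed rule: severe -> T' + t, good -> T' - t (never below floor_min), medium -> T'."""
    band = classify(score)
    if band == "severe":
        return current_min + step_min
    if band == "good":
        return max(floor_min, current_min - step_min)
    return current_min


def evaluate_latest(history: list[AuthFactors], weights: list[float]) -> float:
    """Score the newest window; assumption: earlier windows are the other evaluation targets."""
    return topsis_closeness([h.row() for h in history], weights)[-1]


# Constructed sample: three 10-minute windows; 00:20 is the worst on every factor.
HISTORY = [
    AuthFactors("00:00", 100, 0.85, 10.0),
    AuthFactors("00:10", 200, 0.80, 20.0),
    AuthFactors("00:20", 300, 0.70, 30.0),
]
WEIGHTS = [0.3, 0.5, 0.2]  # expert weights; fast success rate weighted highest (assumed)

if __name__ == "__main__":
    score = evaluate_latest(HISTORY, WEIGHTS)
    print(f"00:20 score={score:.2f} band={classify(score)} "
          f"validity={adjust_validity(1, 10, score)} min")
```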

In summary, the invention is an edge computing based IoT device authentication system and method and its edge authentication server, in which the IoT device performs fast authentication with an edge node. Each edge node collects authentication factor data for each period, including the fast authentication success rate, incoming traffic and core authentication server response time, and uses the dynamic token validity adjustment unit on that data to judge the edge authentication server's authentication situation. If the situation is severe, the token validity period is extended so that IoT devices are far more likely to be authenticated at the edge, lightening the core authentication server's load; if the situation is good, the token validity period is shortened, raising the security of fast authentication.

The above embodiments are illustrative only and do not limit the invention. Anyone skilled in the art may modify and alter the above embodiments without departing from the spirit and scope of the invention. The scope of protection of the invention is therefore defined by the appended claims, and anything that does not affect the effect and purpose of the invention is covered by the technical content disclosed herein.

2: edge computing based IoT device authentication system

20: IoT device

21: edge authentication server

22: core authentication server

23: edge authentication database

24: authentication centre

Claims (11)

1. An IoT device authentication system based on edge computing, comprising: an edge authentication server for receiving an authentication request, containing user data and a token, issued by an IoT device and checking the validity period of the token, so as to send an authentication success message to the IoT device when the token is valid, wherein the edge authentication server periodically builds authentication factor data from its authentication results and stores it in an edge authentication database; and a core authentication server for receiving the user data transmitted by the edge authentication server and performing general authentication when the edge authentication server determines that the token has expired.

2. The IoT device authentication system of claim 1, wherein the core authentication server responds to the edge authentication server with whether the general authentication succeeded or failed and, on success, also responds with a new token, and the edge authentication server stores the new token in the edge authentication database and returns it to the IoT device for subsequent fast authentication.

3. The IoT device authentication system of claim 1, wherein the authentication factor data includes incoming traffic, the fast authentication success rate and the response time of the core authentication server.

4. The IoT device authentication system of claim 3, wherein the edge authentication server further comprises a dynamic token validity adjustment unit that obtains the token validity period from the authentication factor data using the token validity adjustment calculation and analysis method, and adjusts the validity period by evaluating the results of the token validity checks and performing a placement analysis of the evaluation.

5. An IoT device authentication system based on edge computing, comprising: an edge authentication server for receiving an authentication request, containing user data and a token, issued by an IoT device and checking the validity period of the token, so as to send an authentication success message to the IoT device when the token is valid; and a core authentication server for receiving the user data transmitted by the edge authentication server and performing general authentication when the edge authentication server determines that the token has expired, wherein the edge authentication server further comprises: a flow control unit for receiving the authentication request and the authentication result response, checking the token validity period and deciding whether to perform core authentication; an evaluation calculation and analysis unit for setting the weights of the authentication factors, compiling statistics and computing the evaluation; and a timeliness decision calculation and analysis unit for performing the placement analysis of the evaluation to decide the token validity period.

6. The IoT device authentication system of claim 1 or 5, further comprising an authentication centre connected to the core authentication server for performing user authentication and key agreement.

7. An IoT device authentication method based on edge computing, comprising: having an IoT device issue an authentication request containing user data and a token; having an edge authentication server receive the authentication request from the IoT device and check the validity period of the token; and, when the edge authentication server determines the token is valid, having the edge authentication server respond to the IoT device with an authentication success message, and when it determines the token has expired, having the edge authentication server transmit the user data to a core authentication server for general authentication, wherein the edge authentication server periodically builds authentication factor data and stores it in an edge authentication database.

8. The IoT device authentication method of claim 7, wherein the core authentication server responds to the edge authentication server with whether the general authentication succeeded or failed and, on success, also responds with a new token, and the edge authentication server stores the new token in the edge authentication database and returns it to the IoT device for subsequent fast authentication.

9. The IoT device authentication method of claim 7, wherein the authentication factor data includes incoming traffic, the fast authentication success rate and the response time of the core authentication server.

10. An IoT device authentication method based on edge computing, comprising: having an IoT device issue an authentication request containing user data and a token; having an edge authentication server receive the authentication request from the IoT device and check the validity period of the token; and, when the edge authentication server determines the token is valid, having the edge authentication server respond to the IoT device with an authentication success message, and when it determines the token has expired, having the edge authentication server transmit the user data to a core authentication server for general authentication, wherein the edge authentication server further evaluates the results of its token validity checks and performs a placement analysis of the evaluation result, adjusting the token validity period accordingly.

11. An edge authentication server, comprising: a receiving unit for receiving an authentication request, containing user data and a token, issued by an IoT device; and a judging unit for checking the validity period of the token, so as to send an authentication success message to the IoT device when the token is valid and to transmit the user data for general authentication when it has expired, wherein the judging unit periodically builds authentication factor data from its authentication results and stores it in an edge authentication database.
TW109140967A 2020-11-23 2020-11-23 Authentication system and method for interent of things device based on edge computing and edge authentication server thereof TWI754464B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW109140967A TWI754464B (en) 2020-11-23 2020-11-23 Authentication system and method for interent of things device based on edge computing and edge authentication server thereof
CN202110962952.1A CN114756361A (en) 2020-11-23 2021-08-20 Internet of things device authentication system and method based on edge computing and server thereof


Publications (2)

Publication Number Publication Date
TWI754464B true TWI754464B (en) 2022-02-01
TW202222090A TW202222090A (en) 2022-06-01

Yuan et al. CA-PSO: a combinatorial auction and improved particle swarm optimization based computation offloading approach for E-healthcare
CN113392385B (en) User trust measurement method and system in cloud environment
US20190333035A1 (en) System for facilitating real-time transactions