WO2023115667A1 - Authentication and key negotiation method, gateway, sensor and electronic equipment - Google Patents

Authentication and key negotiation method, gateway, sensor and electronic equipment Download PDF

Info

Publication number
WO2023115667A1
WO2023115667A1 PCT/CN2022/071463 CN2022071463W WO2023115667A1 WO 2023115667 A1 WO2023115667 A1 WO 2023115667A1 CN 2022071463 W CN2022071463 W CN 2022071463W WO 2023115667 A1 WO2023115667 A1 WO 2023115667A1
Authority
WO
WIPO (PCT)
Prior art keywords
gateway
user
sensor
information
identity
Prior art date
Application number
PCT/CN2022/071463
Other languages
French (fr)
Chinese (zh)
Inventor
张磊
谷双
吴铤
齐永兴
刘建伟
关振宇
Original Assignee
北京航空航天大学杭州创新研究院
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京航空航天大学杭州创新研究院 filed Critical 北京航空航天大学杭州创新研究院
Publication of WO2023115667A1 publication Critical patent/WO2023115667A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433Key management protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/16Gateway arrangements
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Definitions

  • the application belongs to the technical field of wireless communication, and in particular relates to an authentication and key agreement method.
  • Wireless Sensor Networks is one of the core technologies of the Internet of Things (IoT), which consists of heterogeneous sensors widely distributed in space and is mainly used to monitor physical or environmental variables.
  • the wireless sensor network is mainly composed of three participants: sensor node (Sensor Node, SN), gateway node (Gateway Node, GWN) and user (User).
  • SN collects different types of information and communicates with GWN; users can access real-time data of SN through GWN, and decide whether to take measures according to the application requirements in specific environments. Since the data collected by sensors is transmitted through wireless public channels, it is easy to be intercepted or even tampered by attackers, so the security issue of WSNs is very important.
  • the present application provides an authentication and key agreement method, a gateway, a sensor, and electronics and equipment.
  • an embodiment of the present application provides an authentication and key agreement method for a wireless sensor network, where the wireless sensor network includes a sensor, a gateway, a smart card, and a user equipment, and the method includes:
  • the user equipment verifies the user identity through the smart card according to the identity information input by the user, and sends login information to the gateway after the authentication is passed, and the login information includes a pseudo-random user identity;
  • the gateway verifies the identity of the user according to the login information, and after passing the verification, generates the access request information of the target sensor based on the first preset parameters of the gateway, and updates the first preset parameters of the gateway;
  • Preset parameters include pseudo-random sensor identity and shared key between sensor nodes and gateway nodes;
  • the target sensor verifies the access request information, updates the sensor preset parameters after the verification is passed, generates a session key, and sends it to the gateway based on the session key and the updated sensor preset parameters Request information, the sensor preset parameters include pseudo-random sensor identity, shared key between sensor nodes and gateway nodes;
  • the gateway calculates the session key and verifies the request passing information, and generates access confirmation information based on the second preset parameter of the gateway after the verification is passed, and updates the second preset parameter of the gateway, and the gateway
  • the second preset parameter includes a pseudo-random user identity, a shared key between the user and the gateway node;
  • the user equipment calculates the session key and verifies the access confirmation information, and updates the preset parameters of the smart card after the verification is passed, and the preset parameters of the smart card include pseudo-random user identity, shared between the user and the gateway node key;
  • the user equipment and the sensor perform secure communication by using the session key.
  • the access request information also includes the number of updates of the first preset parameter of the gateway, then:
  • the sensor preset parameter further includes a sensor serial number
  • the gateway first preset parameter further includes a sensor serial number at the gateway node side.
  • the access confirmation information includes the number of updates of the second preset parameter of the gateway, then:
  • the smart card preset parameters also include a user serial number
  • the gateway second preset parameters also include a user ID and a user serial number at the gateway node side.
  • the S20 includes:
  • the gateway receives the login information, and detects the time validity of the login information according to the timestamp in the login information;
  • the gateway calculates an actual authentication value based on the user identity, the shared key between the user and the gateway node, and the login information, and verifies the validity of the user identity;
  • the second random number is generated by the gateway
  • the gateway updates the pseudo-random user identity, the user serial number on the gateway node side, and the shared key between the user and the gateway node,
  • the gateway sends the updated user serial number on the gateway node side, the time stamp, the second key parameter information, and the second authentication value to the target sensor as access request information.
  • S30 includes:
  • the target sensor receives the access request information, detects the time validity of the access request information according to the time stamp in the access request information, and detects the access request information according to the user serial number on the gateway node side synchronicity;
  • the target sensor updates the pseudo-random sensor identity, the serial number on the sensor side, and the shared key between the sensor node and the gateway node;
  • the target sensor sends the third key parameter information, the third authentication value, and a time stamp to the gateway as request passing information.
  • the smart card preset parameters also include user registration verification value, user-side serial number initial value, hash function, user identity information value, and user biological public parameters, and the preset parameters are generated when the user performs identity registration of.
  • the S10 includes:
  • the user equipment acquires identity information input by the user, and calculates a verification value according to smart card preset parameters and the identity information;
  • the first random number is generated by the smart card
  • the user equipment sends the pseudo-random user identity, the time stamp, the first key parameter information, and the first authentication value to the gateway as login information.
  • the embodiment of the present application provides a sensor, including:
  • a first verification module configured to verify the access request information
  • the parameter update module is used to update the sensor preset parameters after the verification is passed, and the sensor preset parameters include pseudo-random sensor identification, shared keys between sensor nodes and gateway nodes;
  • a key generation module configured to generate a session key, and send request passing information to the gateway based on the session key and the updated sensor preset parameters;
  • a first communication module configured to use the session key to perform secure communication with the user equipment.
  • the embodiment of the present application provides a gateway, including:
  • the access request information generation module is used to verify the identity of the user according to the login information. After the verification is passed, the access request information of the target sensor is generated based on the first preset parameters of the gateway, and the first preset parameters of the gateway are updated; the first preset parameters of the gateway are updated; A preset parameter includes a pseudo-random sensor identity and a shared key between the sensor node and the gateway node;
  • the access confirmation information generation module is used to calculate the session key and verify the request passing information. After the verification is passed, the access confirmation information is generated based on the second preset parameter of the gateway, and the second preset parameter of the gateway is updated.
  • the second preset parameters of the gateway include a pseudo-random user identity and a shared key between the user and the gateway node.
  • the embodiment of the present application provides an electronic device, including:
  • the login information generating module is used to verify the identity of the user through the smart card according to the identity information input by the user, and sends the login information to the gateway after the verification is passed, and the login information includes a pseudo-random user identity;
  • the verification module is used to calculate the session key and verify the access confirmation information. After the verification is passed, the smart card preset parameters are updated, and the smart card preset parameters include a pseudo-random user identity, a shared key between the user and the gateway node;
  • the second communication module is configured to use the session key to perform secure communication with the target sensor.
  • the present application proposes a wireless sensor network authentication and key agreement method, device, and readable storage medium, wherein the method includes: the user equipment verifies the user identity through a smart card according to the identity information input by the user, Send login information to the gateway; the gateway verifies the user's identity, generates the access request information of the target sensor based on the first preset parameters of the gateway, and updates the first preset parameters of the gateway; the target sensor verifies the access request information, and after the verification passes, the The sensor preset parameters are updated, a session key is generated, and the request pass information is sent to the gateway; the gateway calculates the session key and verifies the request pass information, generates access confirmation information and updates the second gateway preset parameter; the user device calculates the session The key is used to verify the access confirmation information and update the preset parameters of the smart card; the user equipment and the sensor use the session key for secure communication.
  • the wireless sensor network authentication and key agreement method of the present application the anonymity, non-traceability and confidentiality of communication of
  • FIG. 1 is a schematic flow diagram of an authentication and key agreement method for a wireless sensor network in an embodiment of the present application
  • Fig. 2 is the data flow diagram of user registration process in another embodiment of the present application.
  • FIG. 3 is a data flow diagram of a sensor registration process in another embodiment of the present application.
  • FIG. 4 is a data flow diagram of a wireless sensor network authentication and key agreement process in another embodiment of the present application.
  • FIG. 5 is a data flow diagram of a password and biometric key update process in another embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of the sensor in Embodiment 3 of the present application.
  • FIG. 7 is a schematic diagram of a gateway structure in Embodiment 4 of the present application.
  • FIG. 8 is a schematic structural diagram of an electronic device in Embodiment 5 of the present application.
  • the authentication and key negotiation method for a wireless sensor network in this embodiment is applied to a wireless sensor network.
  • the wireless sensor network includes a sensor, a gateway, a smart card, and a user device.
  • the user logs in and accesses the target sensor through the user device and the smart card, and the user device can Terminal devices such as mobile phones, tablets, and computers are not limited here; there can be one or more sensors and gateways, and each sensor is connected to the gateway through a wireless network.
  • the sensor is used to collect data and send the collected data to the gateway.
  • the gateway processes the data and sends the processed data results to the user device; the user needs to register with the gateway before logging in, and then perform security authentication and key negotiation through the gateway and the sensor.
  • Fig. 1 is a schematic flow diagram of a method for authentication and key agreement of a wireless sensor network in an embodiment of the present application. As shown in Fig. 1, this embodiment includes:
  • the user device verifies the user identity through the smart card according to the identity information input by the user, and sends login information to the gateway after the verification is passed, and the login information includes a pseudo-random user identity;
  • the gateway verifies the identity of the user according to the login information, and after passing the verification, generates the access request information of the target sensor based on the first preset parameters of the gateway, and updates the first preset parameters of the gateway;
  • the first preset parameters of the gateway include pseudo-random sensor identities Identification and shared keys between sensor nodes and gateway nodes;
  • the target sensor verifies the access request information, updates the sensor preset parameters after the verification is passed, generates a session key, and sends request passing information to the gateway based on the session key and the updated sensor preset parameters, and the sensor preset parameters Including pseudo-random sensor identity, shared key between sensor nodes and gateway nodes;
  • the gateway calculates the session key and verifies the request passing information. After the verification is passed, the access confirmation information is generated based on the second preset parameter of the gateway, and the second preset parameter of the gateway is updated.
  • the second preset parameter of the gateway includes a pseudo-random User identity, shared key between user and gateway node;
  • the user equipment calculates the session key and verifies the access confirmation information. After the verification is passed, the smart card preset parameters are updated.
  • the smart card preset parameters include a pseudo-random user identity, a shared key between the user and the gateway node;
  • the user equipment and the sensor perform secure communication using the session key.
  • the authentication and key agreement method of the wireless sensor network in this embodiment adopts the dynamic pseudo-random identity identification technology to realize the privacy protection of the user and the sensor node, that is, the pseudo-random user identification and the pseudo-random sensor identification are used to realize the sensor node
  • the anonymity of the sensor node is achieved by updating the pseudo-random user ID and the pseudo-random sensor ID after each successful authentication negotiation, and the untraceability of the sensor node is realized, and the confidentiality of communication is realized by updating the preset parameters of the current device, ensuring user data security.
  • the user equipment authenticates the user identity through the smart card according to the identity information input by the user, and sends login information to the gateway after the authentication is passed, where the login information includes a pseudo-random user identity identifier.
  • the user's identity information may include, but not limited to, an identity mark, an identity password, and a user's biometric feature.
  • the smart card can be a separate memory card, or a storage space specified in the user terminal, which is not limited here.
  • the preset parameters stored in the smart card are the parameters written into the smart card by the client and the gateway during the identity registration process of the user.
  • the smart card preset parameters also include user registration verification value, user-side serial number initial value, hash function, user identity information value, and user biological public parameters.
  • the preset parameters are generated when the user performs identity registration.
  • the user terminal can obtain the identity information input by the user, read the stored preset parameters from the smart card, and calculate the verification value according to the preset parameters and identity information stored in the smart card.
  • the verification value is used to verify the identity information entered by the user.
  • S10 includes:
  • the user equipment acquires identity information input by the user, and calculates a verification value according to smart card preset parameters and the identity information;
  • the first random number is generated by the smart card
  • the user equipment sends the pseudo-random user identity, the time stamp, the first key parameter information, and the first authentication value to the gateway as login information.
  • a one-way hash function may be used as a parameter update method.
  • the access request information also includes the update times of the first preset parameter of the gateway, then:
  • the sensor preset parameter also includes the sensor serial number
  • the gateway first preset parameter also includes the sensor serial number at the gateway node side.
  • the access confirmation information also includes the update times of the second preset parameter of the gateway, then:
  • the smart card preset parameter also includes the user serial number
  • the gateway second preset parameter also includes the user identity mark and the user serial number at the gateway node side.
  • This embodiment adopts the serial number method to realize the anti-desynchronization attack of the protocol, that is, use the user serial number and user serial number on the gateway node side, the sensor serial number and the sensor serial number on the gateway node side to realize the sensor node and the gateway node. Synchronization between users and gateway nodes.
  • S20 includes:
  • the gateway receives the login information, and detects the time validity of the login information according to the time stamp in the login information;
  • the gateway calculates an actual authentication value based on the user identity, the shared key between the user and the gateway node, and the login information, and verifies the validity of the user identity;
  • the second random number is generated by the gateway
  • the gateway updates the pseudo-random user identity, the user serial number on the gateway node side, and the shared key between the user and the gateway node,
  • the gateway sends the updated user serial number on the gateway node side, the time stamp, the second key parameter information, and the second authentication value to the target sensor as access request information.
  • S30 includes:
  • the target sensor receives the access request information, detects the time validity of the access request information according to the time stamp in the access request information, and detects the access request information according to the user serial number on the gateway node side synchronicity;
  • the target sensor updates the pseudo-random sensor identity, the serial number on the sensor side, and the shared key between the sensor node and the gateway node;
  • the target sensor sends the third key parameter information, the third authentication value, and a time stamp to the gateway as request passing information.
  • the method in this embodiment is an AKA protocol suitable for WSNs environment, which can effectively prevent unauthorized access and ensure the availability and security of WSNs communication.
  • this embodiment describes in detail the specific implementation process of the method proposed in the application.
  • the method includes four execution subjects: user, smart card, sensor node and gateway node.
  • the user here refers to the device used on the user side.
  • the steps of the method include:
  • Device initialization including:
  • Step a1 the gateway node selects two random integers as the gateway node identity ID G and the gateway node master key K, and stores them in the gateway node's memory;
  • Step a2 the gateway node selects the sensor node identity ID S for the sensor node, and stores it in the memory of the sensor node;
  • Step a3 the gateway node pre-initializes all smart cards, selects a smart card ID SC for each smart card and stores it in the smart card.
  • FIG. 3 is a data flow diagram of the user registration process in another embodiment of the application. Please refer to Fig. 3, and the user registration steps include :
  • Step b1 the new user inserts the smart card pre-assigned to him/her into the system card reader, reads its ID SC and sends it to the gateway node through a secure channel;
  • Step b2 After receiving the ID SC , the gateway node first checks whether it exists in the smart card database. If it exists, the gateway node returns the confirmation value Conf to the user. Otherwise, deny the registration request;
  • Step b3 the user sets the user identity ID U and the user password PW U , and enters the user biometric BIO U through the biometric information collection device.
  • the client generates a random number a i and calculates and generates the user biometric key BK i , the user biometric public parameter P i , and the pseudo-random user password MPW U :
  • MPW U h(ID U
  • h( ) represents a one-way hash function
  • y represents a join operation on x and y.
  • Step b4 After the gateway node receives the registration information, it first checks whether the user identity ID U exists in the user database. If present, the gateway node rejects the registration request and requires the user to enter a new ID U . Otherwise, the gateway node calculates the shared key K GU and the pseudo-random user identity ID U between the user and the gateway node:
  • K GU h(ID U
  • K represents the master key of the gateway node.
  • n 0 is an integer between 24 and 28 .
  • the gateway node initializes the value FAIL for recording the number of user login failures to NULL. Finally, the gateway node writes the information ⁇ MID U , D i , K GU , NU i0 , FAIL, h( )> into the smart card and sends it to the user through a secure channel;
  • Step b5. After the user receives the information from the gateway node, calculate the user identity information value A i , and write the information ⁇ A i , P i > into the smart card,
  • the smart card contains the information ⁇ MID U ,A i ,D i ,P i ,K GU ,NU i0 ,FAIL,h( ⁇ )>.
  • Fig. 4 is a data flow diagram of the sensor registration process in another embodiment of the present application, referring to Fig. 4, the sensor registration steps include:
  • Step c1 the new sensor node sends the sensor node identity ID S to the gateway node through a secure channel
  • Step c2 After the gateway node receives the identity ID S , it first checks whether it exists in the sensor node database. If not present, the gateway node rejects the registration request. Otherwise, the gateway node generates a random number m j and calculates the shared key K GS and the pseudo-random sensor ID MID S between the sensor node and the gateway node:
  • K GS h(ID S
  • the sensor node After receiving the information from the gateway node, the sensor node stores the information ⁇ MIDS , K GS , NS k0 ⁇ into memory and deletes the identity ID S .
  • the parameters marked with * are parameters input or generated during the user login and authentication negotiation process, or the same parameters stored in different devices, and the parameter meanings are the same as those in S1 and S2 The same, and will not be described one by one below.
  • FIG. 5 is a data flow diagram of the wireless sensor network authentication and key negotiation process in another embodiment of the present application. Please refer to FIG. 5.
  • the user login and authentication negotiation process includes:
  • Step d1 the user inserts the smart card into the card reader, enters the user identity ID U and the user password PW U and enters Afterwards the smart card calculates:
  • the smart card generates a random number R i and obtains the current time stamp T 1 . After that, the user selects the sensor node that he wants to visit, and calculates the temporary sensor ID TID s :
  • V 1 h(ID U
  • the user sends the login information Msg1: ⁇ MID U ,M 1 ,V 1 ,T 1 ⁇ to the gateway node through the public channel;
  • Step d2 When the gateway node receives the login information Msg1 from the user, it first checks the validity of the time stamp. The gateway node gets the current time And compare it with the received time T1 . if If the value exceeds the preset threshold - the maximum transmission delay time ⁇ T, the session is terminated. Otherwise, the gateway node extracts the corresponding ID U and K GU from the user database through the pseudo-random user ID MID U. Afterwards, the gateway node computes:
  • the gateway node confirms the legitimacy of the user, calculates the ID S of the sensor node through the following formula and searches whether the ID S exists in the sensor database.
  • the gateway node extracts the corresponding MID S and K GS . Afterwards, the gateway node generates a random number R j , obtains the current timestamp T 2 , and calculates:
  • V 2 h(ID U
  • the gateway node updates K GS , MIDS and NS k through the following formulas, and sends information Msg2: ⁇ M 2 , V 2 , NS k , T 2 ⁇ to the sensor nodes through the public channel.
  • Step d3 when the sensor node receives the information Msg2 from the gateway node, first detect and whether NS k -NS k0 ⁇ 1 holds true. If not, terminate the session. Otherwise, the sensor node orders:
  • N NS k -NS k0
  • the sensor nodes compute:
  • K GS h(K GS *
  • V 3 h(MID S
  • SK is a session key.
  • the sensor node sends information Msg3: ⁇ M 3 , V 3 , T 3 ⁇ to the gateway node through the public channel;
  • Step d4 when the gateway node receives the message Msg3 from the sensor node, it first detects the freshness of T3 , and calculates:
  • the gateway node will Compare with received V3 . If the two are not equal, terminate the session. Otherwise, the gateway node gets the current timestamp T 4 and calculates:
  • V 4 h(ID U
  • K GU h(K GU
  • the gateway node sends information Msg4: ⁇ M 4 ,V 4 ,NU i ,T 4 ⁇ to the user through the public channel;
  • K GU h(K GU *
  • the serial number method is used to realize the anti-desynchronization attack of authentication and negotiation, that is, use NU i and NU i0 , NS k and NS k0 to realize the synchronization between the user and the gateway node, the sensor node and the gateway node respectively It maintains the consistency between users, gateway nodes and sensor nodes, thereby avoiding the interruption of the synchronization process between the participants caused by the attacker's blocking attack on the authentication negotiation process.
  • it may also include
  • the user updates the password or biometric information.
  • FIG. 6 is a data flow diagram of a password and biometric key update process in another embodiment of the present application. Please refer to FIG. 6.
  • a user needs to update a password or biometric information, he/she needs to perform the following process.
  • Step e1 the user inserts the smart card into the card reader, enters ID U and PW U and enters Smart card calculations:
  • the smart card will Compare with the D i stored in it. If the two are not equal, the smart card rejects the password/biometric information update request. Otherwise, the smart card confirms the user's validity and allows the user to enter a new user password or new user biometrics At the same time, the smart card generates a random number bi and obtains the current timestamp T c1 , and then calculates:
  • Step e2 after the gateway node receives the request information from the user, it first checks the freshness of T c1 . If the conditions are met, the gateway node searches the user database for the corresponding ID U , K GU and MPW U through MID U , and calculates:
  • the gateway node sends the reply information ⁇ M c2 , V c2 , T c2 ⁇ to the user and updates the corresponding data;
  • Step e3 after the smart card receives the reply message from the gateway node, it first checks the freshness of Tc2 . If the conditions are met, the smart card calculates:
  • the smart card detects Are they equal, and if so, the smart card calculates:
  • the key parameter information M 1 , M 2 , M 3 , M 4 , Mc 1 , and Mc 2 can also be transmitted using a symmetric encryption algorithm between the user, the gateway node and the sensor node;
  • Information V 1 , V 2 , V 3 , V 4 , Vc 1 , and Vc 2 mutually authenticated by users, gateway nodes, and sensor nodes can also use message authentication codes based on hash functions.
  • the invention proposes a safe lightweight identity authentication method, which is based on the combination of hash function and XOR operation, adopts the three-factor authentication method combining user password, user biometric feature and smart card, and reduces the impact of identity authentication protocol on sensors.
  • the energy consumption overhead caused by the network improves the efficiency of the sensor network.
  • FIG. 6 is a schematic structural diagram of the sensor in the third embodiment of the present application. As shown in FIG. 6, the sensor includes:
  • the first verification module 11 is configured to verify the access request information
  • the parameter update module 12 is used to update the sensor preset parameters after the verification is passed, and the sensor preset parameters include a pseudo-random sensor identification, a shared key between sensor nodes and gateway nodes;
  • the key generation module 13 is used to generate a session key, and sends request passing information to the gateway based on the session key and the updated sensor preset parameters;
  • the first communication module 14 is configured to use the session key to perform secure communication with the user equipment.
  • the sensor provided in this embodiment can be used to execute the steps in the above method embodiments where the sensor is the main execution body, and its implementation principle and technical effect are similar, so this embodiment will not repeat them here.
  • FIG. 7 is a schematic structural diagram of the gateway in the fourth embodiment of the present application. As shown in FIG. 7, the gateway includes:
  • the access request information generation module 21 is used to verify the user identity according to the login information, and after the verification is passed, the access request information of the target sensor is generated based on the first preset parameters of the gateway, and the first preset parameters of the gateway are updated; Parameters include pseudo-random sensor identity and shared key between sensor nodes and gateway nodes;
  • the access confirmation information generation module 22 is used to calculate the session key and verify the request passing information. After the verification is passed, the access confirmation information is generated based on the second preset parameters of the gateway, and the second preset parameters of the gateway are updated.
  • the preset parameters include a pseudo-random user identity, a shared key between the user and the gateway node.
  • the gateway provided in this embodiment can be used to execute the steps in the above method embodiments where the gateway is the execution subject, and its implementation principle and technical effect are similar, so this embodiment will not repeat them here.
  • FIG. 8 is a schematic structural diagram of the electronic device in Embodiment 5 of the present application. As shown in FIG. 8 , the electronic device includes:
  • Login information generating module 31 used for verifying user identity by smart card according to the identity information input by the user, and sending login information to gateway after verification, and login information includes pseudo-random user identification;
  • the verification module 32 is used to calculate the session key and verify the access confirmation information. After the verification is passed, the smart card preset parameters are updated, and the smart card preset parameters include a pseudo-random user identity, a shared key between the user and the gateway node;
  • the second communication module 33 is configured to use the session key to perform secure communication with the target sensor.
  • the electronic device provided in this embodiment can be used to execute the steps in the above method embodiments where the user equipment is the execution subject.
  • the implementation principles and technical effects are similar, and details will not be repeated here in this embodiment.
  • the authentication and key agreement method of the wireless sensor network in the present invention realizes the anonymity, non-traceability and confidentiality of communication of the sensor nodes, and guarantees the security of user data, thus, the authentication of the wireless sensor network of the present invention Has utility with the key agreement method.
  • any reference signs placed between parentheses shall not be construed as limiting the claim.
  • the word “comprising” does not exclude the presence of elements or steps not listed in a claim.
  • the word “a” or “an” preceding an element does not exclude the presence of a plurality of such elements.
  • the invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer.
  • the use of the words first, second, third, etc. is for convenience of presentation only and does not indicate any order. These words are to be understood as part of the name of the part.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to an authentication and key negotiation method for a wireless sensor network. The method comprises: the user equipment verifies the identity of a user on the basis of the identity information input by a user by means of a smart card, and sends login information to a gateway; the gateway verifies the identity of the user, generates access request information for a target sensor based on a first preset parameter of the gateway, and updates the first preset parameter of the gateway; the target sensor verifies the access request information, after verification is passed successfully, the target sensor updates the preset parameters of the sensor, generates a session key, and sends request approval information to the gateway; the gateway calculates a session key and verifies the request approval information, the gateway generates access validation information and updates a second preset parameter of the gateway; the user equipment calculates a session key and verifies the access validation information, and updates a preset parameter of the smart card; the user equipment and the sensor carry out secure communication utilizing the session key. The method allows for anonymity, untraceability and confidentiality of communication among the nodes.

Description

认证与密钥协商方法、网关、传感器和电子设备Authentication and key agreement method, gateway, sensor and electronic device 技术领域technical field
本申请属于无线通信技术领域,具体涉及一种认证与密钥协商方法。The application belongs to the technical field of wireless communication, and in particular relates to an authentication and key agreement method.
背景技术Background technique
无线传感器网络(Wireless Sensor Networks,WSNs)是物联网(Internet of Thing,IoT)的核心技术之一,它由广泛分布在空间中的异构传感器组成,主要用于监测物理或环境变量。无线传感器网络主要由传感器节点(Sensor Node,SN)、网关节点(Gateway Node,GWN)和用户(User)三种参与方组成。通常情况下,SN采集不同类型的信息,并与GWN进行通信;用户可以通过GWN访问SN的实时数据,并根据具体环境下的应用需求决定是否采取措施。由于传感器采集的数据通过无线公共信道传输,很容易被攻击者截获甚至篡改,因此WSNs的安全问题至关重要。Wireless Sensor Networks (WSNs) is one of the core technologies of the Internet of Things (IoT), which consists of heterogeneous sensors widely distributed in space and is mainly used to monitor physical or environmental variables. The wireless sensor network is mainly composed of three participants: sensor node (Sensor Node, SN), gateway node (Gateway Node, GWN) and user (User). Normally, SN collects different types of information and communicates with GWN; users can access real-time data of SN through GWN, and decide whether to take measures according to the application requirements in specific environments. Since the data collected by sensors is transmitted through wireless public channels, it is easy to be intercepted or even tampered by attackers, so the security issue of WSNs is very important.
现有的WSN安全认证协议中,只考虑了合法用户身份和位置信息的隐私保护。然而,作为WSN中另一个重要的组成部分——传感器节点负责采集的信息种类与其类型紧密相关,并且每个传感器节点只负责采集特定范围内信息。因此,通常需要根据传感器节点的功能和采集范围对目标区域进行合理的配置。在这种情况下,攻击者有可能通过传感器节点的身份信息分析出目标用户的敏感信息,并通过传感器节点的位置信息分析出用户所采集信息的目标范围,导致重要数据的泄露。In the existing WSN security authentication protocol, only the privacy protection of legal user identity and location information is considered. However, as another important component in WSN - the type of information that sensor nodes are responsible for collecting is closely related to its type, and each sensor node is only responsible for collecting information within a specific range. Therefore, it is usually necessary to configure the target area reasonably according to the sensor node's function and acquisition range. In this case, the attacker may analyze the sensitive information of the target user through the identity information of the sensor node, and analyze the target range of the information collected by the user through the location information of the sensor node, resulting in the leakage of important data.
发明内容Contents of the invention
(一)要解决的技术问题(1) Technical problems to be solved
鉴于现有技术的上述缺点、不足,本申请提供一种认证与密钥协商方法、网关、传感器和电子和设备。In view of the above-mentioned shortcomings and deficiencies of the prior art, the present application provides an authentication and key agreement method, a gateway, a sensor, and electronics and equipment.
(二)技术方案(2) Technical solutions
为达到上述目的,本申请采用如下技术方案:In order to achieve the above object, the application adopts the following technical solutions:
第一方面,本申请实施例提供一种无线传感器网络的认证与密钥协 商方法,所述无线传感器网络包括传感器、网关、智能卡,用户设备,该方法包括:In a first aspect, an embodiment of the present application provides an authentication and key agreement method for a wireless sensor network, where the wireless sensor network includes a sensor, a gateway, a smart card, and a user equipment, and the method includes:
S10、所述用户设备根据用户输入的身份信息通过智能卡验证用户身份,验证通过后向所述网关发送登录信息,所述登录信息包括伪随机用户身份标识;S10. The user equipment verifies the user identity through the smart card according to the identity information input by the user, and sends login information to the gateway after the authentication is passed, and the login information includes a pseudo-random user identity;
S20、所述网关根据所述登录信息验证用户身份,验证通过后基于网关第一预置参数生成目标传感器的访问请求信息,并对所述网关第一预置参数进行更新;所述网关第一预置参数包括伪随机传感器身份标识和传感器节点和网关节点间共享密钥;S20. The gateway verifies the identity of the user according to the login information, and after passing the verification, generates the access request information of the target sensor based on the first preset parameters of the gateway, and updates the first preset parameters of the gateway; Preset parameters include pseudo-random sensor identity and shared key between sensor nodes and gateway nodes;
S30、所述目标传感器对所述访问请求信息进行验证,验证通过后对传感器预置参数进行更新,生成会话密钥,基于所述会话密钥和更新后的传感器预置参数向所述网关发送请求通过信息,所述传感器预置参数包括伪随机传感器身份标识、传感器节点和网关节点间共享密钥;S30, the target sensor verifies the access request information, updates the sensor preset parameters after the verification is passed, generates a session key, and sends it to the gateway based on the session key and the updated sensor preset parameters Request information, the sensor preset parameters include pseudo-random sensor identity, shared key between sensor nodes and gateway nodes;
S40、所述网关计算会话密钥并对所述请求通过信息进行验证,验证通过后基于网关第二预置参数生成访问确认信息,并对所述网关第二预置参数进行更新,所述网关第二预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥;S40. The gateway calculates the session key and verifies the request passing information, and generates access confirmation information based on the second preset parameter of the gateway after the verification is passed, and updates the second preset parameter of the gateway, and the gateway The second preset parameter includes a pseudo-random user identity, a shared key between the user and the gateway node;
S50、所述用户设备计算会话密钥并对所述访问确认信息进行验证,验证通过后对智能卡预置参数进行更新,所述智能卡预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥;S50. The user equipment calculates the session key and verifies the access confirmation information, and updates the preset parameters of the smart card after the verification is passed, and the preset parameters of the smart card include pseudo-random user identity, shared between the user and the gateway node key;
S60、所述用户设备和所述传感器利用所述会话密钥进行保密通信。S60. The user equipment and the sensor perform secure communication by using the session key.
可选地,所述访问请求信息还包括所述网关第一预置参数的更新次数,则:Optionally, the access request information also includes the number of updates of the first preset parameter of the gateway, then:
S30中验证通过后还包括:根据所述网关第一预置参数的更新次数更新所述传感器预置参数中的传感器节点和网关节点间共享密钥;After the verification in S30 is passed, it also includes: updating the shared key between the sensor node and the gateway node in the sensor preset parameter according to the update times of the first preset parameter of the gateway;
所述传感器预置参数还包括传感器序列号,所述网关第一预置参数还包括网关节点侧的传感器序列号。The sensor preset parameter further includes a sensor serial number, and the gateway first preset parameter further includes a sensor serial number at the gateway node side.
可选地,所述访问确认信息包括所述网关第二预置参数的更新次数,则:Optionally, the access confirmation information includes the number of updates of the second preset parameter of the gateway, then:
S50中验证通过后还包括:根据所述网关第二预置参数的更新次数更新所述智能卡预置参数中的用户和网关节点间共享密钥;After the verification in S50 is passed, it also includes: updating the shared key between the user and the gateway node in the smart card preset parameters according to the update times of the second preset parameters of the gateway;
所述智能卡预置参数中还包括用户序列号,所述网关第二预置参数还包括用户身份标识、网关节点侧的用户序列号。The smart card preset parameters also include a user serial number, and the gateway second preset parameters also include a user ID and a user serial number at the gateway node side.
可选地,S20包括:Optionally, the S20 includes:
S201、所述网关接收所述登录信息,根据所述登录信息中的时间戳检测所述登录信息的时间有效性;S201. The gateway receives the login information, and detects the time validity of the login information according to the timestamp in the login information;
S202、若检测通过,则根据所述伪随机用户身份标识从所述网关第二预置参数中提取所述用户身份标识和用户和网关节点间共享密钥;S202. If the detection passes, extract the user identity and the shared key between the user and the gateway node from the second preset parameter of the gateway according to the pseudo-random user identity;
S203、所述网关基于所述用户身份标识和用户和网关节点间共享密钥、所述登录信息计算实际认证值,对用户身份进行合法性验证;S203. The gateway calculates an actual authentication value based on the user identity, the shared key between the user and the gateway node, and the login information, and verifies the validity of the user identity;
S204、若验证通过,则计算传感器身份标识并在所述网关第一预置参数中搜索所述传感器身份标识是否存在;S204. If the verification is passed, calculate the sensor ID and search whether the sensor ID exists in the first preset parameter of the gateway;
S205、若存在,则基于第二随机数通过所述哈希函数生成的第二关键参数信息和第二认证值,所述第二随机数由所述网关生成;S205. If it exists, based on the second key parameter information and the second authentication value generated by the hash function based on the second random number, the second random number is generated by the gateway;
S206、所述网关对所述伪随机用户身份标识、所述网关节点侧的用户序列号、所述用户和网关节点间共享密钥进行更新,S206. The gateway updates the pseudo-random user identity, the user serial number on the gateway node side, and the shared key between the user and the gateway node,
S207、所述网关将更新后的网关节点侧的用户序列号、时间戳、所述第二关键参数信息和第二认证值作为访问请求信息发送至所述目标传感器。S207. The gateway sends the updated user serial number on the gateway node side, the time stamp, the second key parameter information, and the second authentication value to the target sensor as access request information.
可选地,S30包括:Optionally, S30 includes:
S301、所述目标传感器接收所述访问请求信息,根据所述访问请求信息中的时间戳检测所述访问请求信息的时间有效性,根据所述网关节点侧的用户序列号检测所述访问请求信息的同步性;S301. The target sensor receives the access request information, detects the time validity of the access request information according to the time stamp in the access request information, and detects the access request information according to the user serial number on the gateway node side synchronicity;
S302、若检测通过,则根据所述网关节点侧的用户序列号对所述传 感器节点和网关节点间共享密钥进行更新;S302. If the detection is passed, update the shared key between the sensor node and the gateway node according to the user serial number on the gateway node side;
S303、基于更新后的传感器节点和网关节点间共享密钥计算实际认证值,对网关进行合法性验证;S303. Calculate an actual authentication value based on the updated shared key between the sensor node and the gateway node, and verify the validity of the gateway;
S304、若验证通过,则所述目标传感器更新所述伪随机传感器身份标识、所述传感器侧的序列号、所述传感器节点和网关节点间共享密钥;S304. If the verification is passed, the target sensor updates the pseudo-random sensor identity, the serial number on the sensor side, and the shared key between the sensor node and the gateway node;
S305、基于第三随机数通过所述哈希函数生成第三关键参数信息和第三认证值,所述第三随机数由所述目标传感器生成;S305. Generate third key parameter information and a third authentication value through the hash function based on a third random number, where the third random number is generated by the target sensor;
S305、所述目标传感器将所述第三关键参数信息和第三认证值、时间戳作为请求通过信息发送至所述网关。S305. The target sensor sends the third key parameter information, the third authentication value, and a time stamp to the gateway as request passing information.
可选地,所述智能卡预置参数还包括用户注册验证值、用户侧序列号初值、哈希函数、用户身份信息值、用户生物公开参数,所述预置参数为用户进行身份注册时生成的。Optionally, the smart card preset parameters also include user registration verification value, user-side serial number initial value, hash function, user identity information value, and user biological public parameters, and the preset parameters are generated when the user performs identity registration of.
可选地,S10包括:Optionally, the S10 includes:
S101、所述用户设备获取用户输入的身份信息,根据智能卡预置参数和所述身份信息计算验证值;S101. The user equipment acquires identity information input by the user, and calculates a verification value according to smart card preset parameters and the identity information;
S102、通过对比所述验证值与所述用户注册验证值对所述身份信息进行验证;S102. Verify the identity information by comparing the verification value with the user registration verification value;
S103、当验证通过时,针对所述目标传感器,基于第一随机数通过所述哈希函数生成的第一关键参数信息和第一认证值,所述第一随机数由智能卡生成;S103. When the verification is passed, for the target sensor, based on the first key parameter information and the first authentication value generated by the hash function based on the first random number, the first random number is generated by the smart card;
S104、所述用户设备将所述伪随机用户身份标识、时间戳、所述第一关键参数信息和第一认证值作为登录信息发送至所述网关。S104. The user equipment sends the pseudo-random user identity, the time stamp, the first key parameter information, and the first authentication value to the gateway as login information.
第二方面,本申请实施例提供一种传感器,包括:In a second aspect, the embodiment of the present application provides a sensor, including:
第一验证模块,用于对访问请求信息进行验证;A first verification module, configured to verify the access request information;
参数更新模块,用于验证通过后对传感器预置参数进行更新,所述传感器预置参数包括伪随机传感器身份标识、传感器节点和网关节点间共享密钥;The parameter update module is used to update the sensor preset parameters after the verification is passed, and the sensor preset parameters include pseudo-random sensor identification, shared keys between sensor nodes and gateway nodes;
密钥生成模块,用于生成会话密钥,基于所述会话密钥和更新后的传感器预置参数向网关发送请求通过信息;A key generation module, configured to generate a session key, and send request passing information to the gateway based on the session key and the updated sensor preset parameters;
第一通信模块,用于利用所述会话密钥与用户设备进行保密通信。A first communication module, configured to use the session key to perform secure communication with the user equipment.
第三方面,本申请实施例提供一种网关,包括:In a third aspect, the embodiment of the present application provides a gateway, including:
访问请求信息生成模块,用于根据登录信息验证用户身份,验证通过后基于网关第一预置参数生成目标传感器的访问请求信息,并对所述网关第一预置参数进行更新;所述网关第一预置参数包括伪随机传感器身份标识和传感器节点和网关节点间共享密钥;The access request information generation module is used to verify the identity of the user according to the login information. After the verification is passed, the access request information of the target sensor is generated based on the first preset parameters of the gateway, and the first preset parameters of the gateway are updated; the first preset parameters of the gateway are updated; A preset parameter includes a pseudo-random sensor identity and a shared key between the sensor node and the gateway node;
访问确认信息生成模块,用于计算会话密钥并对请求通过信息进行验证,验证通过后基于网关第二预置参数生成访问确认信息,并对所述网关第二预置参数进行更新,所述网关第二预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥。The access confirmation information generation module is used to calculate the session key and verify the request passing information. After the verification is passed, the access confirmation information is generated based on the second preset parameter of the gateway, and the second preset parameter of the gateway is updated. The second preset parameters of the gateway include a pseudo-random user identity and a shared key between the user and the gateway node.
第四方面,本申请实施例提供一种电子设备,包括:In a fourth aspect, the embodiment of the present application provides an electronic device, including:
登录信息生成模块,用于根据用户输入的身份信息通过智能卡验证用户身份,验证通过后向网关发送登录信息,所述登录信息包括伪随机用户身份标识;The login information generating module is used to verify the identity of the user through the smart card according to the identity information input by the user, and sends the login information to the gateway after the verification is passed, and the login information includes a pseudo-random user identity;
验证模块,用于计算会话密钥并对访问确认信息进行验证,验证通过后对智能卡预置参数进行更新,所述智能卡预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥;The verification module is used to calculate the session key and verify the access confirmation information. After the verification is passed, the smart card preset parameters are updated, and the smart card preset parameters include a pseudo-random user identity, a shared key between the user and the gateway node;
第二通信模块,用于利用所述会话密钥与目标传感器进行保密通信。The second communication module is configured to use the session key to perform secure communication with the target sensor.
(三)有益效果(3) Beneficial effects
本申请的有益效果是:本申请提出了一种无线传感器网络的认证与密钥协商方法、设备和可读存储介质,其中的方法包括:用户设备根据用户输入的身份信息通过智能卡验证用户身份,向网关发送登录信息;网关验证用户身份,基于网关第一预置参数生成目标传感器的访问请求信息,并对网关第一预置参数进行更新;目标传感器对访问请求信息进行验证,验证通过后对传感器预置参数进行更新、生成会话密钥,并向 网关发送请求通过信息;网关计算会话密钥并对请求通过信息进行验证,生成访问确认信息并更新网关第二预置参数;用户设备计算会话密钥并对访问确认信息进行验证,更新智能卡预置参数;用户设备和传感器利用会话密钥进行保密通信。通过本申请的无线传感器网络的认证与密钥协商方法,实现了传感器节点的匿名性、不可追溯性和通信的保密性,保证了用户数据安全。The beneficial effects of the present application are: the present application proposes a wireless sensor network authentication and key agreement method, device, and readable storage medium, wherein the method includes: the user equipment verifies the user identity through a smart card according to the identity information input by the user, Send login information to the gateway; the gateway verifies the user's identity, generates the access request information of the target sensor based on the first preset parameters of the gateway, and updates the first preset parameters of the gateway; the target sensor verifies the access request information, and after the verification passes, the The sensor preset parameters are updated, a session key is generated, and the request pass information is sent to the gateway; the gateway calculates the session key and verifies the request pass information, generates access confirmation information and updates the second gateway preset parameter; the user device calculates the session The key is used to verify the access confirmation information and update the preset parameters of the smart card; the user equipment and the sensor use the session key for secure communication. Through the wireless sensor network authentication and key agreement method of the present application, the anonymity, non-traceability and confidentiality of communication of sensor nodes are realized, and the security of user data is guaranteed.
附图说明Description of drawings
本申请借助于以下附图进行描述:The application is described with the aid of the following figures:
图1为本申请一个实施例中的无线传感器网络的认证与密钥协商方法流程示意图;FIG. 1 is a schematic flow diagram of an authentication and key agreement method for a wireless sensor network in an embodiment of the present application;
图2为本申请另一个实施例中用户注册过程的数据流图;Fig. 2 is the data flow diagram of user registration process in another embodiment of the present application;
图3为本申请另一个实施例中传感器注册过程的数据流图;FIG. 3 is a data flow diagram of a sensor registration process in another embodiment of the present application;
图4为本申请另一个实施例中无线传感器网络认证与密钥协商过程的数据流图;FIG. 4 is a data flow diagram of a wireless sensor network authentication and key agreement process in another embodiment of the present application;
图5为本申请另一个实施例中口令与生物特征密钥更新过程的数据流图;FIG. 5 is a data flow diagram of a password and biometric key update process in another embodiment of the present application;
图6为本申请实施例三中的传感器结构示意图;FIG. 6 is a schematic structural diagram of the sensor in Embodiment 3 of the present application;
图7为本申请实施例四中的网关结构示意图;FIG. 7 is a schematic diagram of a gateway structure in Embodiment 4 of the present application;
图8为本申请实施例五中的电子设备结构示意图。FIG. 8 is a schematic structural diagram of an electronic device in Embodiment 5 of the present application.
具体实施方式Detailed ways
为了更好的解释本发明,以便于理解,下面结合附图,通过具体实施方式,对本发明作详细描述。可以理解的是,以下所描述的具体的实施例仅仅用于解释相关发明,而非对该发明的限定。另外还需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互组合;为了便于描述,附图中仅示出了与发明相关的部分。In order to better explain the present invention and facilitate understanding, the present invention will be described in detail below through specific embodiments in conjunction with the accompanying drawings. It should be understood that the specific embodiments described below are only used to explain related inventions, rather than to limit the invention. In addition, it should be noted that, in the case of no conflict, the embodiments in the present application and the features in the embodiments can be combined with each other; for the convenience of description, only the parts related to the invention are shown in the drawings.
实施例一Embodiment one
本实施例的无线传感器网络的认证与密钥协商方法应用于无线传感器网络中,无线传感器网络包括传感器、网关、智能卡,用户设备,其中,用户通过用户设备及智能卡登录访问目标传感器,用户设备可以为手机、平板、电脑等终端设备,在此不作限定;传感器、网关可以是一个或多个,每个传感器通过无线网络连接到网关,传感器用于采集数据,并将采集的数据发送给网关,网关对数据进行处理,将处理后的数据结果发送给用户设备;用户登录前需要先行向网关注册,之后通过网关和传感器进行安全认证及密钥协商。The authentication and key negotiation method for a wireless sensor network in this embodiment is applied to a wireless sensor network. The wireless sensor network includes a sensor, a gateway, a smart card, and a user device. Wherein, the user logs in and accesses the target sensor through the user device and the smart card, and the user device can Terminal devices such as mobile phones, tablets, and computers are not limited here; there can be one or more sensors and gateways, and each sensor is connected to the gateway through a wireless network. The sensor is used to collect data and send the collected data to the gateway. The gateway processes the data and sends the processed data results to the user device; the user needs to register with the gateway before logging in, and then perform security authentication and key negotiation through the gateway and the sensor.
图1为本申请一个实施例中的无线传感器网络的认证与密钥协商方法流程示意图,如图1所示,本实施例的包括:Fig. 1 is a schematic flow diagram of a method for authentication and key agreement of a wireless sensor network in an embodiment of the present application. As shown in Fig. 1, this embodiment includes:
S10、用户设备根据用户输入的身份信息通过智能卡验证用户身份,验证通过后向所述网关发送登录信息,登录信息包括伪随机用户身份标识;S10. The user device verifies the user identity through the smart card according to the identity information input by the user, and sends login information to the gateway after the verification is passed, and the login information includes a pseudo-random user identity;
S20、网关根据登录信息验证用户身份,验证通过后基于网关第一预置参数生成目标传感器的访问请求信息,并对网关第一预置参数进行更新;网关第一预置参数包括伪随机传感器身份标识和传感器节点和网关节点间共享密钥;S20. The gateway verifies the identity of the user according to the login information, and after passing the verification, generates the access request information of the target sensor based on the first preset parameters of the gateway, and updates the first preset parameters of the gateway; the first preset parameters of the gateway include pseudo-random sensor identities Identification and shared keys between sensor nodes and gateway nodes;
S30、目标传感器对访问请求信息进行验证,验证通过后对传感器预置参数进行更新,生成会话密钥,基于会话密钥和更新后的传感器预置参数向网关发送请求通过信息,传感器预置参数包括伪随机传感器身份标识、传感器节点和网关节点间共享密钥;S30, the target sensor verifies the access request information, updates the sensor preset parameters after the verification is passed, generates a session key, and sends request passing information to the gateway based on the session key and the updated sensor preset parameters, and the sensor preset parameters Including pseudo-random sensor identity, shared key between sensor nodes and gateway nodes;
S40、网关计算会话密钥并对请求通过信息进行验证,验证通过后基于网关第二预置参数生成访问确认信息,并对网关第二预置参数进行更新,网关第二预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥;S40. The gateway calculates the session key and verifies the request passing information. After the verification is passed, the access confirmation information is generated based on the second preset parameter of the gateway, and the second preset parameter of the gateway is updated. The second preset parameter of the gateway includes a pseudo-random User identity, shared key between user and gateway node;
S50、用户设备计算会话密钥并对访问确认信息进行验证,验证通过后对智能卡预置参数进行更新,智能卡预置参数包括伪随机用户身份标 识、用户和网关节点间共享密钥;S50. The user equipment calculates the session key and verifies the access confirmation information. After the verification is passed, the smart card preset parameters are updated. The smart card preset parameters include a pseudo-random user identity, a shared key between the user and the gateway node;
S60、用户设备和所述传感器利用会话密钥进行保密通信。S60. The user equipment and the sensor perform secure communication using the session key.
本实施例的无线传感器网络的认证与密钥协商方法,采用动态伪随机身份标识技术来实现用户和传感器节点的隐私保护,即利用伪随机用户身份标识和伪随机传感器身份标识来实现了传感器节点的匿名性,在每次认证协商成功后更新伪随机用户身份标识和伪随机传感器身份标识来实现了传感器节点的不可追踪性,并且通过更新当前设备的预置参数实现了通信的保密性,保证了用户数据安全。The authentication and key agreement method of the wireless sensor network in this embodiment adopts the dynamic pseudo-random identity identification technology to realize the privacy protection of the user and the sensor node, that is, the pseudo-random user identification and the pseudo-random sensor identification are used to realize the sensor node The anonymity of the sensor node is achieved by updating the pseudo-random user ID and the pseudo-random sensor ID after each successful authentication negotiation, and the untraceability of the sensor node is realized, and the confidentiality of communication is realized by updating the preset parameters of the current device, ensuring user data security.
为了更好地理解本发明,以下对本实施例中的各步骤进行展开说明。In order to better understand the present invention, each step in this embodiment is described below.
S10、用户设备根据用户输入的身份信息通过智能卡验证用户身份,验证通过后向所述网关发送登录信息,登录信息包括伪随机用户身份标识。S10. The user equipment authenticates the user identity through the smart card according to the identity information input by the user, and sends login information to the gateway after the authentication is passed, where the login information includes a pseudo-random user identity identifier.
本实施例中,用户的身份信息可以包括但不限于身份标识、身份口令、用户生物特征。智能卡可以为单独的一张存储卡,也可以为用户端中指定的一个存储空间,在此不作限定。智能卡存储的预置参数为用户在进行身份注册过程中用户端和网关写入到智能卡的参数。In this embodiment, the user's identity information may include, but not limited to, an identity mark, an identity password, and a user's biometric feature. The smart card can be a separate memory card, or a storage space specified in the user terminal, which is not limited here. The preset parameters stored in the smart card are the parameters written into the smart card by the client and the gateway during the identity registration process of the user.
本实施例中,智能卡预置参数还包括用户注册验证值、用户侧序列号初值、哈希函数、用户身份信息值、用户生物公开参数,预置参数为用户进行身份注册时生成的。In this embodiment, the smart card preset parameters also include user registration verification value, user-side serial number initial value, hash function, user identity information value, and user biological public parameters. The preset parameters are generated when the user performs identity registration.
用户端可以获取用户输入的身份信息,从智能卡读取存储的预置参数,根据智能卡存储的预置参数和身份信息计算验证值。验证值用于对用户输入的身份信息进行验证。The user terminal can obtain the identity information input by the user, read the stored preset parameters from the smart card, and calculate the verification value according to the preset parameters and identity information stored in the smart card. The verification value is used to verify the identity information entered by the user.
具体地,本实施例中,S10包括:Specifically, in this embodiment, S10 includes:
S101、所述用户设备获取用户输入的身份信息,根据智能卡预置参数和所述身份信息计算验证值;S101. The user equipment acquires identity information input by the user, and calculates a verification value according to smart card preset parameters and the identity information;
S102、通过对比所述验证值与所述用户注册验证值对所述身份信息进行验证;S102. Verify the identity information by comparing the verification value with the user registration verification value;
S103、当验证通过时,针对所述目标传感器,基于第一随机数通过所述哈希函数生成的第一关键参数信息和第一认证值,所述第一随机数由智能卡生成;S103. When the verification is passed, for the target sensor, based on the first key parameter information and the first authentication value generated by the hash function based on the first random number, the first random number is generated by the smart card;
S104、所述用户设备将所述伪随机用户身份标识、时间戳、所述第一关键参数信息和第一认证值作为登录信息发送至所述网关。S104. The user equipment sends the pseudo-random user identity, the time stamp, the first key parameter information, and the first authentication value to the gateway as login information.
本实施例中,参数更新方式可以采用单向哈希函数。In this embodiment, a one-way hash function may be used as a parameter update method.
当各参与方在每次认证协商成功后,会通过单向哈希函数更新用户和网关节点之间共享密钥、传感器节点和网关节点之间共享密钥。因此,攻击者无法由本次的共享密钥获取之前的用户和网关节点之间共享密钥、传感器节点和网关节点之间共享密钥,从而实现用户、网关节点和传感器节点之间的前向安全,保证了通信的保密性。When each participant succeeds in each authentication negotiation, the shared key between the user and the gateway node, and the shared key between the sensor node and the gateway node will be updated through a one-way hash function. Therefore, the attacker cannot obtain the previous shared key between the user and the gateway node, the shared key between the sensor node and the gateway node from this shared key, so as to realize the forward communication between the user, the gateway node and the sensor node. Security ensures the confidentiality of communication.
本实施例中,访问请求信息还包括网关第一预置参数的更新次数,则:In this embodiment, the access request information also includes the update times of the first preset parameter of the gateway, then:
S30中验证通过后还包括:根据网关第一预置参数的更新次数更新传感器预置参数中的传感器节点和网关节点间共享密钥;After the verification in S30 is passed, it also includes: updating the shared key between the sensor node and the gateway node in the sensor preset parameter according to the update times of the first preset parameter of the gateway;
传感器预置参数还包括传感器序列号,网关第一预置参数还包括网关节点侧的传感器序列号。The sensor preset parameter also includes the sensor serial number, and the gateway first preset parameter also includes the sensor serial number at the gateway node side.
访问确认信息还包括网关第二预置参数的更新次数,则:The access confirmation information also includes the update times of the second preset parameter of the gateway, then:
S50中验证通过后还包括:根据网关第二预置参数的更新次数更新智能卡预置参数中的用户和网关节点间共享密钥;After the verification in S50 is passed, it also includes: updating the shared key between the user and the gateway node in the smart card preset parameters according to the update times of the gateway second preset parameters;
智能卡预置参数中还包括用户序列号,网关第二预置参数还包括用户身份标识、网关节点侧的用户序列号。The smart card preset parameter also includes the user serial number, and the gateway second preset parameter also includes the user identity mark and the user serial number at the gateway node side.
本实施例采用序列号方法来实现协议的抗去同步攻击,即分别利用网关节点侧的用户序列号和用户序列号,网关节点侧的传感器序列号和传感器序列号来实现传感器节点和网关节点、用户与网关节点之间的同步性。This embodiment adopts the serial number method to realize the anti-desynchronization attack of the protocol, that is, use the user serial number and user serial number on the gateway node side, the sensor serial number and the sensor serial number on the gateway node side to realize the sensor node and the gateway node. Synchronization between users and gateway nodes.
本实施例中,S20包括:In this embodiment, S20 includes:
S201、网关接收登录信息,根据登录信息中的时间戳检测登录信息的时间有效性;S201. The gateway receives the login information, and detects the time validity of the login information according to the time stamp in the login information;
S202、若检测通过,则根据所述伪随机用户身份标识从所述网关第二预置参数中提取所述用户身份标识和用户和网关节点间共享密钥;S202. If the detection passes, extract the user identity and the shared key between the user and the gateway node from the second preset parameter of the gateway according to the pseudo-random user identity;
S203、所述网关基于所述用户身份标识和用户和网关节点间共享密钥、所述登录信息计算实际认证值,对用户身份进行合法性验证;S203. The gateway calculates an actual authentication value based on the user identity, the shared key between the user and the gateway node, and the login information, and verifies the validity of the user identity;
S204、若验证通过,则计算传感器身份标识并在所述网关第一预置参数中搜索所述传感器身份标识是否存在;S204. If the verification is passed, calculate the sensor ID and search whether the sensor ID exists in the first preset parameter of the gateway;
S205、若存在,则基于第二随机数通过所述哈希函数生成的第二关键参数信息和第二认证值,所述第二随机数由所述网关生成;S205. If it exists, based on the second key parameter information and the second authentication value generated by the hash function based on the second random number, the second random number is generated by the gateway;
S206、所述网关对所述伪随机用户身份标识、所述网关节点侧的用户序列号、所述用户和网关节点间共享密钥进行更新,S206. The gateway updates the pseudo-random user identity, the user serial number on the gateway node side, and the shared key between the user and the gateway node,
S207、所述网关将更新后的网关节点侧的用户序列号、时间戳、所述第二关键参数信息和第二认证值作为访问请求信息发送至所述目标传感器。S207. The gateway sends the updated user serial number on the gateway node side, the time stamp, the second key parameter information, and the second authentication value to the target sensor as access request information.
本实施例中,S30包括:In this embodiment, S30 includes:
S301、所述目标传感器接收所述访问请求信息,根据所述访问请求信息中的时间戳检测所述访问请求信息的时间有效性,根据所述网关节点侧的用户序列号检测所述访问请求信息的同步性;S301. The target sensor receives the access request information, detects the time validity of the access request information according to the time stamp in the access request information, and detects the access request information according to the user serial number on the gateway node side synchronicity;
S302、若检测通过,则根据所述网关节点侧的用户序列号对所述传感器节点和网关节点间共享密钥进行更新;S302. If the detection passes, update the shared key between the sensor node and the gateway node according to the user serial number on the gateway node side;
S303、基于更新后的传感器节点和网关节点间共享密钥计算实际认证值,对网关进行合法性验证;S303. Calculate an actual authentication value based on the updated shared key between the sensor node and the gateway node, and verify the validity of the gateway;
S304、若验证通过,则所述目标传感器更新所述伪随机传感器身份标识、所述传感器侧的序列号、所述传感器节点和网关节点间共享密钥;S304. If the verification is passed, the target sensor updates the pseudo-random sensor identity, the serial number on the sensor side, and the shared key between the sensor node and the gateway node;
S305、基于第三随机数通过所述哈希函数生成第三关键参数信息和第三认证值,所述第三随机数由所述目标传感器生成;S305. Generate third key parameter information and a third authentication value through the hash function based on a third random number, where the third random number is generated by the target sensor;
S305、所述目标传感器将所述第三关键参数信息和第三认证值、时间戳作为请求通过信息发送至所述网关。S305. The target sensor sends the third key parameter information, the third authentication value, and a time stamp to the gateway as request passing information.
本实施例方法是适合于WSNs环境的AKA协议,可以有效防止未经授权的访问,确保WSNs通信的可用性和安全性。The method in this embodiment is an AKA protocol suitable for WSNs environment, which can effectively prevent unauthorized access and ensure the availability and security of WSNs communication.
实施例二Embodiment two
本实施例在实施例一的基础上,对申请提出的方法的具体实现过程进行详细说明。该方法包括四个执行主体:用户、智能卡、传感器节点和网关节点,这里的用户指的是用户侧使用的设备,该方法的步骤包括:On the basis of the first embodiment, this embodiment describes in detail the specific implementation process of the method proposed in the application. The method includes four execution subjects: user, smart card, sensor node and gateway node. The user here refers to the device used on the user side. The steps of the method include:
S1、设备初始化,包括:S1. Device initialization, including:
步骤a1、网关节点选择两个随机整数作为网关节点身份标识ID G和网关节点主密钥K,并将其存储至网关节点的内存中; Step a1, the gateway node selects two random integers as the gateway node identity ID G and the gateway node master key K, and stores them in the gateway node's memory;
步骤a2、网关节点为传感器节点选择传感器节点身份标识ID S,并将其存储至传感器节点的内存中; Step a2, the gateway node selects the sensor node identity ID S for the sensor node, and stores it in the memory of the sensor node;
步骤a3、网关节点预初始化所有的智能卡,为每一个智能卡选择智能卡身份标识ID SC并将其存储至智能卡中。 Step a3, the gateway node pre-initializes all smart cards, selects a smart card ID SC for each smart card and stores it in the smart card.
S2、用户注册和传感器节点注册。S2. User registration and sensor node registration.
当新用户想要访问WSNs中传感器节点采集的数据时,必须向网关节点完成合法注册,图3为本申请另一个实施例中用户注册过程的数据流图,请参阅图3,用户注册步骤包括:When a new user wants to access the data collected by sensor nodes in WSNs, he must complete legal registration to the gateway node. Fig. 3 is a data flow diagram of the user registration process in another embodiment of the application. Please refer to Fig. 3, and the user registration steps include :
步骤b1、新用户将预分配给他/她的智能卡插入系统读卡器,读取其身份标识ID SC并通过安全通道发送给网关节点; Step b1, the new user inserts the smart card pre-assigned to him/her into the system card reader, reads its ID SC and sends it to the gateway node through a secure channel;
步骤b2、当网关节点接收到身份标识ID SC后,首先检测其在智能卡数据库中是否存在。如果存在,网关节点返回确认值Conf给用户。否则,拒绝注册请求; Step b2. After receiving the ID SC , the gateway node first checks whether it exists in the smart card database. If it exists, the gateway node returns the confirmation value Conf to the user. Otherwise, deny the registration request;
步骤b3、用户设置用户身份标识ID U和用户口令PW U,并通过生物特征信息采集设备录入用户生物特征BIO U。之后,用户端生成随机数a i并计算生成用户生物特征密钥BK i、用户生物公开参数P i、伪随机用户口 令MPW UStep b3, the user sets the user identity ID U and the user password PW U , and enters the user biometric BIO U through the biometric information collection device. Afterwards, the client generates a random number a i and calculates and generates the user biometric key BK i , the user biometric public parameter P i , and the pseudo-random user password MPW U :
Gen(BIO U)=(BK i,P i) Gen(BIO U )=(BK i ,P i )
MPW U=h(ID U||PW U||BK i||a i) MPW U =h(ID U ||PW U ||BK i ||a i )
其中,h(·)表示单向哈希函数,x||y表示对x和y联接操作。Among them, h( ) represents a one-way hash function, and x||y represents a join operation on x and y.
将注册信息{ID U,MPW U}通过安全通道传送至网关节点; Send the registration information {ID U , MPW U } to the gateway node through a secure channel;
步骤b4、当网关节点接收到注册信息后,首先检测用户身份标识ID U在用户数据库中是否存在。如果存在,网关节点拒绝注册请求并要求用户输入新的ID U。否则,网关节点计算用户和网关节点间共享密钥K GU和伪随机用户身份标识MID UStep b4. After the gateway node receives the registration information, it first checks whether the user identity ID U exists in the user database. If present, the gateway node rejects the registration request and requires the user to enter a new ID U . Otherwise, the gateway node calculates the shared key K GU and the pseudo-random user identity ID U between the user and the gateway node:
K GU=h(ID U||ID G||MPW U||K) K GU =h(ID U ||ID G ||MPW U ||K)
MID U=h(ID U||ID G||K GU) MID U =h(ID U ||ID G ||K GU )
其中,K表示网关节点主密钥。Among them, K represents the master key of the gateway node.
设置序列号初值NU i=NU i0=0,其中,NU i0表示用户侧的序列号,NU i表示网关节点侧的用户序列号,并计算用户注册验证值D iSet the serial number initial value NU i =NU i0 =0, where NU i0 represents the serial number of the user side, NU i represents the user serial number of the gateway node side, and calculates the user registration verification value D i :
D i=h(ID U||K GU||MPW U)mod n 0 D i =h(ID U ||K GU ||MPW U ) mod n 0
其中,n 0为2 4和2 8之间的整数。 Wherein, n 0 is an integer between 24 and 28 .
之后将信息<ID U,MID U,K GU,NU i>存储在用户数据库中。同时,网关节点将记录用户登录失败次数的值FAIL初始化为NULL。最后,网关节点将信息<MID U,D i,K GU,NU i0,FAIL,h(·)>写入智能卡并通过安全通道发送给用户; Then store the information <ID U , MID U , K GU , NU i > in the user database. At the same time, the gateway node initializes the value FAIL for recording the number of user login failures to NULL. Finally, the gateway node writes the information <MID U , D i , K GU , NU i0 , FAIL, h( )> into the smart card and sends it to the user through a secure channel;
步骤b5、当用户接收到来自网关节点的信息后,计算用户身份信息值A i,并将信息<A i,P i>写入智能卡, Step b5. After the user receives the information from the gateway node, calculate the user identity information value A i , and write the information <A i , P i > into the smart card,
Figure PCTCN2022071463-appb-000001
Figure PCTCN2022071463-appb-000001
其中,
Figure PCTCN2022071463-appb-000002
表示异或操作。 in,
Figure PCTCN2022071463-appb-000002
Indicates an XOR operation.
最终,智能卡包含信息<MID U,A i,D i,P i,K GU,NU i0,FAIL,h(·)>。 Finally, the smart card contains the information <MID U ,A i ,D i ,P i ,K GU ,NU i0 ,FAIL,h(·)>.
当传感器节点需要加入WSNs中并执行采集数据工作时,必须向网关节点完成合法注册。图4为本申请另一个实施例中传感器注册过程的 数据流图,请参阅图4,传感器注册步骤包括:When sensor nodes need to join WSNs and perform data collection work, they must complete legal registration with gateway nodes. Fig. 4 is a data flow diagram of the sensor registration process in another embodiment of the present application, referring to Fig. 4, the sensor registration steps include:
步骤c1、新传感器节点通过安全通道发送传感器节点身份标识ID S给网关节点; Step c1, the new sensor node sends the sensor node identity ID S to the gateway node through a secure channel;
步骤c2、当网关节点接收到身份标识ID S后,首先检测其在传感器节点数据库中是否存在。如果不存在,网关节点拒绝注册请求。否则,网关节点生成随机数m j并计算传感器节点和网关节点之间的共享密钥K GS、伪随机传感器身份标识MID SStep c2. After the gateway node receives the identity ID S , it first checks whether it exists in the sensor node database. If not present, the gateway node rejects the registration request. Otherwise, the gateway node generates a random number m j and calculates the shared key K GS and the pseudo-random sensor ID MID S between the sensor node and the gateway node:
K GS=h(ID S||ID G||K||m j) K GS =h(ID S ||ID G ||K||m j )
MID S=h(ID S||ID G||K GS) MID S =h(ID S ||ID G ||K GS )
网关节点设置序列号初值NS k=NS k0=0,其中,NS k为网关节点侧的传感器序列号,NS k0为传感器节点侧的序列号,并存储信息<ID S,MID S,K GS,NS k>至传感器数据表。最后,通过安全信道发送信息{MID S,K GS,NS k0}至传感器节点; The gateway node sets the initial value of the serial number NS k = NS k0 = 0, where NS k is the serial number of the sensor on the gateway node side, NS k0 is the serial number on the sensor node side, and stores information <ID S , MID S , K GS , NS k > to sensor data sheet. Finally, send information { MIDS , K GS , NS k0 } to the sensor nodes through a secure channel;
步骤c3、当接收到来自网关节点的信息后,传感器节点将信息{MID S,K GS,NS k0}存储至内存并删除身份标识ID SStep c3. After receiving the information from the gateway node, the sensor node stores the information { MIDS , K GS , NS k0 } into memory and deletes the identity ID S .
S3、用户登录与认证协商。S3. User login and authentication negotiation.
需要说明的是,以下实施例中,带*的参数为在用户登录与认证协商过程中输入或生成的参数,或者是保存在不同设备中的同一参数,参数含义与S1和S2中的参数含义相同,以下不再一一说明。It should be noted that, in the following embodiments, the parameters marked with * are parameters input or generated during the user login and authentication negotiation process, or the same parameters stored in different devices, and the parameter meanings are the same as those in S1 and S2 The same, and will not be described one by one below.
当用户需要获取某个传感器节点采集的数据时,他/她需要先登录网关节点。图5为本申请另一个实施例中无线传感器网络认证与密钥协商过程的数据流图,请参阅图5,用户登录与认证协商过程包括:When a user needs to obtain data collected by a sensor node, he/she needs to log in to the gateway node first. FIG. 5 is a data flow diagram of the wireless sensor network authentication and key negotiation process in another embodiment of the present application. Please refer to FIG. 5. The user login and authentication negotiation process includes:
步骤d1、用户将智能卡插入读卡器中,输入用户身份标识ID U和用户口令PW U并录入
Figure PCTCN2022071463-appb-000003
之后智能卡计算: Step d1, the user inserts the smart card into the card reader, enters the user identity ID U and the user password PW U and enters
Figure PCTCN2022071463-appb-000003
Afterwards the smart card calculates:
Figure PCTCN2022071463-appb-000004
Figure PCTCN2022071463-appb-000004
Figure PCTCN2022071463-appb-000005
Figure PCTCN2022071463-appb-000005
Figure PCTCN2022071463-appb-000006
Figure PCTCN2022071463-appb-000006
Figure PCTCN2022071463-appb-000007
Figure PCTCN2022071463-appb-000007
Figure PCTCN2022071463-appb-000008
与存储其中的D i进行比较。如果二者不相等,拒绝登录请求,并将FAIL的值加1。当FAIL的值超过预设阈值时,认为智能卡已不安全,将其挂起直至用户重新注册。否则,智能卡完成用户合法性的验证并执行后续过程。 Will
Figure PCTCN2022071463-appb-000008
Compare with the D i stored in it. If the two are not equal, reject the login request and increment the value of FAIL by 1. When the value of FAIL exceeds the preset threshold, it is considered that the smart card is not safe, and it will be suspended until the user re-registers. Otherwise, the smart card completes the authentication of the user's validity and executes subsequent procedures.
智能卡生成随机数R i并获取当前时间戳T 1。之后,用户选择想要访问的传感器节点,并计算临时传感器身份标识TID sThe smart card generates a random number R i and obtains the current time stamp T 1 . After that, the user selects the sensor node that he wants to visit, and calculates the temporary sensor ID TID s :
Figure PCTCN2022071463-appb-000009
Figure PCTCN2022071463-appb-000009
Figure PCTCN2022071463-appb-000010
Figure PCTCN2022071463-appb-000010
V 1=h(ID U||R 1||K GU||T 1) V 1 =h(ID U ||R 1 ||K GU ||T 1 )
最后,用户将登录信息Msg1:{MID U,M 1,V 1,T 1}通过公共信道发送给网关节点; Finally, the user sends the login information Msg1:{MID U ,M 1 ,V 1 ,T 1 } to the gateway node through the public channel;
步骤d2、当网关节点接收到来自用户的登录信息Msg1时,首先检测时间戳的有效性。网关节点获取当前时间
Figure PCTCN2022071463-appb-000011
并与接收到的时间T 1进行比较。如果
Figure PCTCN2022071463-appb-000012
的值超过预设阈值——最大传输延迟时间ΔT,终止会话。否则,网关节点通过伪随机用户身份标识MID U从用户数据库中提取对应的ID U和K GU。之后,网关节点计算: Step d2. When the gateway node receives the login information Msg1 from the user, it first checks the validity of the time stamp. The gateway node gets the current time
Figure PCTCN2022071463-appb-000011
And compare it with the received time T1 . if
Figure PCTCN2022071463-appb-000012
If the value exceeds the preset threshold - the maximum transmission delay time ΔT, the session is terminated. Otherwise, the gateway node extracts the corresponding ID U and K GU from the user database through the pseudo-random user ID MID U. Afterwards, the gateway node computes:
Figure PCTCN2022071463-appb-000013
Figure PCTCN2022071463-appb-000013
Figure PCTCN2022071463-appb-000014
Figure PCTCN2022071463-appb-000014
Figure PCTCN2022071463-appb-000015
与接收到的V 1进行比较。如果二者不相等,终止会话。否则,网关节点确认了用户的合法性,通过下式计算传感器节点身份标识ID S并在传感器数据库中搜索身份标识ID S是否存在。 Will
Figure PCTCN2022071463-appb-000015
Compare with received V1 . If the two are not equal, terminate the session. Otherwise, the gateway node confirms the legitimacy of the user, calculates the ID S of the sensor node through the following formula and searches whether the ID S exists in the sensor database.
Figure PCTCN2022071463-appb-000016
Figure PCTCN2022071463-appb-000016
如果存在,网关节点提取对应的MID S和K GS。之后,网关节点生成随机数R j,获取当前时间戳T 2,并计算: If present, the gateway node extracts the corresponding MID S and K GS . Afterwards, the gateway node generates a random number R j , obtains the current timestamp T 2 , and calculates:
Figure PCTCN2022071463-appb-000017
Figure PCTCN2022071463-appb-000017
V 2=h(ID U||R i||R j||K GS||NS k||T 2)。 V 2 =h(ID U ||R i ||R j ||K GS ||NS k ||T 2 ).
最后,网关节点通过以下式子分别更新K GS,MID S和NS k,并通过公共信道发送信息Msg2:{M 2,V 2,NS k,T 2}至传感器节点。 Finally, the gateway node updates K GS , MIDS and NS k through the following formulas, and sends information Msg2: {M 2 , V 2 , NS k , T 2 } to the sensor nodes through the public channel.
K GS=h(K GS) K GS =h(K GS )
MID S=h(ID S||ID G||K GS) MID S =h(ID S ||ID G ||K GS )
NS k=NS k+1 NS k =NS k +1
步骤d3、当传感器节点接收到来自网关节点的信息Msg2时,首先检测
Figure PCTCN2022071463-appb-000018
和NS k-NS k0≥1是否成立。如果不成立,终止会话。否则,传感器节点令: Step d3, when the sensor node receives the information Msg2 from the gateway node, first detect
Figure PCTCN2022071463-appb-000018
and whether NS k -NS k0 ≥ 1 holds true. If not, terminate the session. Otherwise, the sensor node orders:
N=NS k-NS k0 N=NS k -NS k0
Figure PCTCN2022071463-appb-000019
Figure PCTCN2022071463-appb-000019
并计算N–1次
Figure PCTCN2022071463-appb-000020
之后,传感器节点计算: and calculate N–1 times
Figure PCTCN2022071463-appb-000020
Afterwards, the sensor nodes compute:
Figure PCTCN2022071463-appb-000021
Figure PCTCN2022071463-appb-000021
Figure PCTCN2022071463-appb-000022
Figure PCTCN2022071463-appb-000022
并将
Figure PCTCN2022071463-appb-000023
与接收到的V 2进行比较。如果二者相等,传感器节点通过 and will
Figure PCTCN2022071463-appb-000023
Compare with received V2 . If both are equal, the sensor node passes
K GS=h(K GS *||ID S||ID G) K GS =h(K GS * ||ID S ||ID G )
MID S=h(ID S||ID G||K GS) MID S =h(ID S ||ID G ||K GS )
NS k0=NS k NS k0 = NS k
分别更新K GS,MID S和NS k0。接着,传感器节点生成随机数R k,获取当前时间戳T 3并计算: Update K GS , MID S and NS k0 respectively. Next, the sensor node generates a random number R k , obtains the current timestamp T 3 and calculates:
SK=h(ID U||ID G||ID S||R i||R j||R k) SK=h(ID U ||ID G ||ID S ||R i ||R j ||R k )
Figure PCTCN2022071463-appb-000024
Figure PCTCN2022071463-appb-000024
V 3=h(MID S||ID U||SK||R k||NS k0||T 3) V 3 =h(MID S ||ID U ||SK||R k ||NS k0 ||T 3 )
其中,SK为会话密钥。Among them, SK is a session key.
最后,传感器节点通过公共信道发送信息Msg3:{M 3,V 3,T 3}至网关节点; Finally, the sensor node sends information Msg3: {M 3 , V 3 , T 3 } to the gateway node through the public channel;
步骤d4、当网关节点接收到来自传感器节点的信息Msg3时,首先检测T 3的新鲜性,并计算: Step d4, when the gateway node receives the message Msg3 from the sensor node, it first detects the freshness of T3 , and calculates:
Figure PCTCN2022071463-appb-000025
Figure PCTCN2022071463-appb-000025
Figure PCTCN2022071463-appb-000026
Figure PCTCN2022071463-appb-000026
Figure PCTCN2022071463-appb-000027
Figure PCTCN2022071463-appb-000027
之后,网关节点将
Figure PCTCN2022071463-appb-000028
与接收到的V 3进行比较。如果二者不相等,终止会话。否则,网关节点获取当前时间戳T 4并计算: Afterwards, the gateway node will
Figure PCTCN2022071463-appb-000028
Compare with received V3 . If the two are not equal, terminate the session. Otherwise, the gateway node gets the current timestamp T 4 and calculates:
Figure PCTCN2022071463-appb-000029
Figure PCTCN2022071463-appb-000029
V 4=h(ID U||MID U||SK||R j||NU i||T 4) V 4 =h(ID U ||MID U ||SK||R j ||NU i ||T 4 )
接着通过:Then pass:
K GU=h(K GU||ID U) K GU =h(K GU ||ID U )
MID U=h(MID U||ID G||K GU) MID U =h(MID U ||ID G ||K GU )
NU i=NU i+1 NU i = NU i +1
分别更新K GU,MID U和NU i。最后,网关节点通过公共信道发送信息Msg4:{M 4,V 4,NU i,T 4}至用户; Update K GU , MID U and NU i respectively. Finally, the gateway node sends information Msg4:{M 4 ,V 4 ,NU i ,T 4 } to the user through the public channel;
步骤d5、当用户接收到来自网关节点的信息Msg4时,首先检测
Figure PCTCN2022071463-appb-000030
Figure PCTCN2022071463-appb-000031
和NU i-NU i0≥1是否成立。如果不成立,终止会话。否则,用户令M=NU i-NU i0
Figure PCTCN2022071463-appb-000032
并计算M–1次
Figure PCTCN2022071463-appb-000033
之后,用户计算: Step d5, when the user receives the information Msg4 from the gateway node, first detect
Figure PCTCN2022071463-appb-000030
Figure PCTCN2022071463-appb-000031
and whether NU i -NU i0 ≥ 1 holds true. If not, terminate the session. Otherwise, the user lets M = NU i - NU i0 and
Figure PCTCN2022071463-appb-000032
and compute M–1 times
Figure PCTCN2022071463-appb-000033
Afterwards, the user computes:
Figure PCTCN2022071463-appb-000034
Figure PCTCN2022071463-appb-000034
SK=h(ID U||ID G||ID S||R i||R j||R k) SK=h(ID U ||ID G ||ID S ||R i ||R j ||R k )
Figure PCTCN2022071463-appb-000035
Figure PCTCN2022071463-appb-000035
接着,用户将
Figure PCTCN2022071463-appb-000036
与接收到的V 4进行比较。如果相等,用户通过 Next, the user will
Figure PCTCN2022071463-appb-000036
Compare with received V 4 . If equal, the user passes
K GU=h(K GU *||ID U) K GU =h(K GU * ||ID U )
MID U=h(MID U||ID G||K GU) MID U =h(MID U ||ID G ||K GU )
NU i0=NU i NU i0 = NU i
分别更新K GU,MID U和NU i0。最后,用户完成该认证与协商过程。 Update K GU , MID U and NU i0 respectively. Finally, the user completes the authentication and negotiation process.
本实施例中,采用序列号方法来实现认证与协商的抗去同步攻击,即分别利用NU i和NU i0,NS k和NS k0来实现用户与网关节点、传感器节点 和网关节点之间的同步性,维护用户、网关节点和传感器节点之间的一致性,从而避免了攻击者对认证协商过程进行阻塞攻击而导致的参与方之间的同步过程中断。 In this embodiment, the serial number method is used to realize the anti-desynchronization attack of authentication and negotiation, that is, use NU i and NU i0 , NS k and NS k0 to realize the synchronization between the user and the gateway node, the sensor node and the gateway node respectively It maintains the consistency between users, gateway nodes and sensor nodes, thereby avoiding the interruption of the synchronization process between the participants caused by the attacker's blocking attack on the authentication negotiation process.
本实施例中,还可以包括In this embodiment, it may also include
S4、用户对口令或生物特征信息进行更新。S4. The user updates the password or biometric information.
图6为本申请另一个实施例中口令与生物特征密钥更新过程的数据流图,请参阅图6,在用户需要更新口令或生物特征信息,他/她需要执行如下过程。FIG. 6 is a data flow diagram of a password and biometric key update process in another embodiment of the present application. Please refer to FIG. 6. When a user needs to update a password or biometric information, he/she needs to perform the following process.
步骤e1、用户将智能卡插入读卡器,输入ID U和PW U并录入
Figure PCTCN2022071463-appb-000037
智能卡计算: Step e1, the user inserts the smart card into the card reader, enters ID U and PW U and enters
Figure PCTCN2022071463-appb-000037
Smart card calculations:
Figure PCTCN2022071463-appb-000038
Figure PCTCN2022071463-appb-000038
Figure PCTCN2022071463-appb-000039
Figure PCTCN2022071463-appb-000039
Figure PCTCN2022071463-appb-000040
Figure PCTCN2022071463-appb-000040
Figure PCTCN2022071463-appb-000041
Figure PCTCN2022071463-appb-000041
之后,智能卡将
Figure PCTCN2022071463-appb-000042
与其中存储的D i进行比较。如果二者不相等,智能卡拒绝口令/生物特征信息的更新请求。否则,智能卡确认了用户的合法性并允许用户输入新的用户口令
Figure PCTCN2022071463-appb-000043
或新的用户生物特征
Figure PCTCN2022071463-appb-000044
同时,智能卡生成随机数b i并获取当前时间戳T c1,之后计算: Afterwards, the smart card will
Figure PCTCN2022071463-appb-000042
Compare with the D i stored in it. If the two are not equal, the smart card rejects the password/biometric information update request. Otherwise, the smart card confirms the user's validity and allows the user to enter a new user password
Figure PCTCN2022071463-appb-000043
or new user biometrics
Figure PCTCN2022071463-appb-000044
At the same time, the smart card generates a random number bi and obtains the current timestamp T c1 , and then calculates:
Figure PCTCN2022071463-appb-000045
Figure PCTCN2022071463-appb-000045
Figure PCTCN2022071463-appb-000046
Figure PCTCN2022071463-appb-000046
Figure PCTCN2022071463-appb-000047
Figure PCTCN2022071463-appb-000047
Figure PCTCN2022071463-appb-000048
Figure PCTCN2022071463-appb-000048
最后,将请求信息{MPW U,M c1,V c1,T c1}发送至网关节点; Finally, send the request information {MPW U ,M c1 ,V c1 ,T c1 } to the gateway node;
步骤e2、当网关节点接收到来自用户的请求信息后,首先检测T c1的新鲜性。如果满足条件,网关节点通过MID U在用户数据库中搜索对应的ID U,K GU和MPW U,并计算: Step e2, after the gateway node receives the request information from the user, it first checks the freshness of T c1 . If the conditions are met, the gateway node searches the user database for the corresponding ID U , K GU and MPW U through MID U , and calculates:
Figure PCTCN2022071463-appb-000049
Figure PCTCN2022071463-appb-000049
Figure PCTCN2022071463-appb-000050
Figure PCTCN2022071463-appb-000050
之后,网关节点检测V c1 *=V c1是否成立,如果成立,网关节点生成随机数n j并获取当前时间戳T c2。接着计算: Afterwards, the gateway node detects whether V c1 * =V c1 is established, and if it is established, the gateway node generates a random number n j and obtains the current time stamp T c2 . Then calculate:
Figure PCTCN2022071463-appb-000051
Figure PCTCN2022071463-appb-000051
Figure PCTCN2022071463-appb-000052
Figure PCTCN2022071463-appb-000052
Figure PCTCN2022071463-appb-000053
Figure PCTCN2022071463-appb-000053
Figure PCTCN2022071463-appb-000054
Figure PCTCN2022071463-appb-000054
最后,网关节点将回复信息{M c2,V c2,T c2}发送至用户并更新相应数据; Finally, the gateway node sends the reply information {M c2 , V c2 , T c2 } to the user and updates the corresponding data;
步骤e3、当智能卡接收到来自网关节点的回复信息后,首先检测T c2的新鲜性。如果满足条件,智能卡计算: Step e3, after the smart card receives the reply message from the gateway node, it first checks the freshness of Tc2 . If the conditions are met, the smart card calculates:
Figure PCTCN2022071463-appb-000055
Figure PCTCN2022071463-appb-000055
Figure PCTCN2022071463-appb-000056
Figure PCTCN2022071463-appb-000056
Figure PCTCN2022071463-appb-000057
Figure PCTCN2022071463-appb-000057
Figure PCTCN2022071463-appb-000058
Figure PCTCN2022071463-appb-000058
之后,智能卡检测
Figure PCTCN2022071463-appb-000059
是否相等,如果相等,智能卡计算: Afterwards, the smart card detects
Figure PCTCN2022071463-appb-000059
Are they equal, and if so, the smart card calculates:
Figure PCTCN2022071463-appb-000060
Figure PCTCN2022071463-appb-000060
Figure PCTCN2022071463-appb-000061
Figure PCTCN2022071463-appb-000061
将内存中的D i,A i,P i,MID U和K GU替换为
Figure PCTCN2022071463-appb-000062
Figure PCTCN2022071463-appb-000063
否则,用户端立即终止该阶段,并重新尝试口令/生物特征信息更新过程。 Replace D i , A i , P i , MID U and K GU in memory with
Figure PCTCN2022071463-appb-000062
Figure PCTCN2022071463-appb-000063
Otherwise, the UE immediately terminates this phase and retries the password/biometric information update process.
需要说明的是,本实施例中,在用户、网关节点和传感器节点之间传输关键参数的信息M 1,M 2,M 3,M 4,Mc 1,Mc 2也可以采用对称加密算法;用于用户、网关节点和传感器节点相互认证的信息V 1,V 2,V 3,V 4,Vc 1,Vc 2也可以采用基于哈希函数的消息认证码。 It should be noted that, in this embodiment, the key parameter information M 1 , M 2 , M 3 , M 4 , Mc 1 , and Mc 2 can also be transmitted using a symmetric encryption algorithm between the user, the gateway node and the sensor node; Information V 1 , V 2 , V 3 , V 4 , Vc 1 , and Vc 2 mutually authenticated by users, gateway nodes, and sensor nodes can also use message authentication codes based on hash functions.
本发明提出一种安全的轻量级身份认证方法,该方法基于哈希函数与异或运算的组合,采用用户口令、用户生物特征与智能卡相结合的三 因子认证方式,减少身份认证协议对传感器网络造成的能耗开销,提高传感器网络的效率。The invention proposes a safe lightweight identity authentication method, which is based on the combination of hash function and XOR operation, adopts the three-factor authentication method combining user password, user biometric feature and smart card, and reduces the impact of identity authentication protocol on sensors. The energy consumption overhead caused by the network improves the efficiency of the sensor network.
实施例三Embodiment Three
本申请第二方面通过实施例三提供了一种传感器,图6为本申请实施例三中的传感器结构示意图,如图6所示,该传感器包括:The second aspect of the present application provides a sensor through the third embodiment. FIG. 6 is a schematic structural diagram of the sensor in the third embodiment of the present application. As shown in FIG. 6, the sensor includes:
第一验证模块11,用于对访问请求信息进行验证;The first verification module 11 is configured to verify the access request information;
参数更新模块12,用于验证通过后对传感器预置参数进行更新,所述传感器预置参数包括伪随机传感器身份标识、传感器节点和网关节点间共享密钥;The parameter update module 12 is used to update the sensor preset parameters after the verification is passed, and the sensor preset parameters include a pseudo-random sensor identification, a shared key between sensor nodes and gateway nodes;
密钥生成模块13,用于生成会话密钥,基于会话密钥和更新后的传感器预置参数向网关发送请求通过信息;The key generation module 13 is used to generate a session key, and sends request passing information to the gateway based on the session key and the updated sensor preset parameters;
第一通信模块14,用于利用会话密钥与用户设备进行保密通信。The first communication module 14 is configured to use the session key to perform secure communication with the user equipment.
本实施例提供的传感器,可用于执行上述方法实施例中以传感器为执行主体的步骤,其实现原理和技术效果类似,本实施例此处不再赘述。The sensor provided in this embodiment can be used to execute the steps in the above method embodiments where the sensor is the main execution body, and its implementation principle and technical effect are similar, so this embodiment will not repeat them here.
实施例四Embodiment Four
本申请第三方面通过实施例四提供了一种网关,图7为本申请实施例四中的网关结构示意图,如图7所示,该网关包括:The third aspect of the present application provides a gateway through the fourth embodiment. FIG. 7 is a schematic structural diagram of the gateway in the fourth embodiment of the present application. As shown in FIG. 7, the gateway includes:
访问请求信息生成模块21,用于根据登录信息验证用户身份,验证通过后基于网关第一预置参数生成目标传感器的访问请求信息,并对网关第一预置参数进行更新;网关第一预置参数包括伪随机传感器身份标识和传感器节点和网关节点间共享密钥;The access request information generation module 21 is used to verify the user identity according to the login information, and after the verification is passed, the access request information of the target sensor is generated based on the first preset parameters of the gateway, and the first preset parameters of the gateway are updated; Parameters include pseudo-random sensor identity and shared key between sensor nodes and gateway nodes;
访问确认信息生成模块22,用于计算会话密钥并对请求通过信息进行验证,验证通过后基于网关第二预置参数生成访问确认信息,并对网关第二预置参数进行更新,网关第二预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥。The access confirmation information generation module 22 is used to calculate the session key and verify the request passing information. After the verification is passed, the access confirmation information is generated based on the second preset parameters of the gateway, and the second preset parameters of the gateway are updated. The preset parameters include a pseudo-random user identity, a shared key between the user and the gateway node.
本实施例提供的网关,可用于执行上述方法实施例中以网关为执行 主体的步骤,其实现原理和技术效果类似,本实施例此处不再赘述。The gateway provided in this embodiment can be used to execute the steps in the above method embodiments where the gateway is the execution subject, and its implementation principle and technical effect are similar, so this embodiment will not repeat them here.
实施例五Embodiment five
本申请第四方面通过实施例五提供了一种电子设备,图8为本申请实施例五中的电子设备结构示意图,如图8所示,该电子设备包括:The fourth aspect of the present application provides an electronic device through Embodiment 5. FIG. 8 is a schematic structural diagram of the electronic device in Embodiment 5 of the present application. As shown in FIG. 8 , the electronic device includes:
登录信息生成模块31,用于根据用户输入的身份信息通过智能卡验证用户身份,验证通过后向网关发送登录信息,登录信息包括伪随机用户身份标识;Login information generating module 31, used for verifying user identity by smart card according to the identity information input by the user, and sending login information to gateway after verification, and login information includes pseudo-random user identification;
验证模块32,用于计算会话密钥并对访问确认信息进行验证,验证通过后对智能卡预置参数进行更新,智能卡预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥;The verification module 32 is used to calculate the session key and verify the access confirmation information. After the verification is passed, the smart card preset parameters are updated, and the smart card preset parameters include a pseudo-random user identity, a shared key between the user and the gateway node;
第二通信模块33,用于利用所述会话密钥与目标传感器进行保密通信。The second communication module 33 is configured to use the session key to perform secure communication with the target sensor.
本实施例提供的电子设备,可用于执行上述方法实施例中以用户设备为执行主体的步骤,其实现原理和技术效果类似,本实施例此处不再赘述。The electronic device provided in this embodiment can be used to execute the steps in the above method embodiments where the user equipment is the execution subject. The implementation principles and technical effects are similar, and details will not be repeated here in this embodiment.
实用性Practicality
由于本发明中的无线传感器网络的认证与密钥协商方法,实现了传感器节点的匿名性、不可追溯性和通信的保密性,保证了用户数据安全,由此,本发明的无线传感器网络的认证与密钥协商方法具有实用性。Since the authentication and key agreement method of the wireless sensor network in the present invention realizes the anonymity, non-traceability and confidentiality of communication of the sensor nodes, and guarantees the security of user data, thus, the authentication of the wireless sensor network of the present invention Has utility with the key agreement method.
应当注意的是,在权利要求中,不应将位于括号之间的任何附图标记理解成对权利要求的限制。词语“包含”不排除存在未列在权利要求中的部件或步骤。位于部件之前的词语“一”或“一个”不排除存在多个这样的部件。本发明可以借助于包括有若干不同部件的硬件以及借助于适当编程的计算机来实现。词语第一、第二、第三等的使用,仅是为了表述方便,而不表示任何顺序。可将这些词语理解为部件名称的一部分。It should be noted that, in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. The use of the words first, second, third, etc. is for convenience of presentation only and does not indicate any order. These words are to be understood as part of the name of the part.
此外,需要说明的是,在本说明书的描述中,术语“一个实施例”、 “一些实施例”、“实施例”、“示例”、“具体示例”或“一些示例”等的描述,是指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本发明的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不必须针对的是相同的实施例或示例。而且,描述的具体特征、结构、材料或者特点可以在任一个或多个实施例或示例中以合适的方式结合。此外,在不相互矛盾的情况下,本领域的技术人员可以将本说明书中描述的不同实施例或示例以及不同实施例或示例的特征进行结合和组合。In addition, it should be noted that, in the description of this specification, descriptions of terms such as "one embodiment", "some embodiments", "embodiment", "example", "specific example" or "some examples" are It means that a specific feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the described specific features, structures, materials or characteristics may be combined in any suitable manner in any one or more embodiments or examples. In addition, those skilled in the art can combine and combine different embodiments or examples and features of different embodiments or examples described in this specification without conflicting with each other.
尽管已描述了本发明的优选实施例,但本领域的技术人员在得知了基本创造性概念后,则可对这些实施例作出另外的变更和修改。所以,权利要求应该解释为包括优选实施例以及落入本发明范围的所有变更和修改。While preferred embodiments of the invention have been described, additional changes and modifications to these embodiments can be made by those skilled in the art once the basic inventive concept is understood. Therefore, the claims should be construed to include the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
显然,本领域的技术人员可以对本发明进行各种修改和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也应该包含这些修改和变型在内。Obviously, those skilled in the art can make various modifications and variations to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and equivalent technologies, the present invention should also include these modifications and variations.

Claims (10)

  1. 一种无线传感器网络的认证与密钥协商方法,其特征在于,所述无线传感器网络包括传感器、网关、智能卡,用户设备,该方法包括:An authentication and key agreement method for a wireless sensor network, characterized in that the wireless sensor network includes a sensor, a gateway, a smart card, and a user equipment, and the method includes:
    S10、所述用户设备根据用户输入的身份信息通过智能卡验证用户身份,验证通过后向所述网关发送登录信息,所述登录信息包括伪随机用户身份标识;S10. The user equipment verifies the user identity through the smart card according to the identity information input by the user, and sends login information to the gateway after the authentication is passed, and the login information includes a pseudo-random user identity;
    S20、所述网关根据所述登录信息验证用户身份,验证通过后基于网关第一预置参数生成目标传感器的访问请求信息,并对所述网关第一预置参数进行更新;所述网关第一预置参数包括伪随机传感器身份标识和传感器节点和网关节点间共享密钥;S20. The gateway verifies the identity of the user according to the login information, and after passing the verification, generates the access request information of the target sensor based on the first preset parameters of the gateway, and updates the first preset parameters of the gateway; Preset parameters include pseudo-random sensor identity and shared key between sensor nodes and gateway nodes;
    S30、所述目标传感器对所述访问请求信息进行验证,验证通过后对传感器预置参数进行更新,生成会话密钥,基于所述会话密钥和更新后的传感器预置参数向所述网关发送请求通过信息,所述传感器预置参数包括伪随机传感器身份标识、传感器节点和网关节点间共享密钥;S30, the target sensor verifies the access request information, updates the sensor preset parameters after the verification is passed, generates a session key, and sends it to the gateway based on the session key and the updated sensor preset parameters Request information, the sensor preset parameters include pseudo-random sensor identity, shared key between sensor nodes and gateway nodes;
    S40、所述网关计算会话密钥并对所述请求通过信息进行验证,验证通过后基于网关第二预置参数生成访问确认信息,并对所述网关第二预置参数进行更新,所述网关第二预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥;S40. The gateway calculates the session key and verifies the request passing information, and generates access confirmation information based on the second preset parameter of the gateway after the verification is passed, and updates the second preset parameter of the gateway, and the gateway The second preset parameter includes a pseudo-random user identity, a shared key between the user and the gateway node;
    S50、所述用户设备计算会话密钥并对所述访问确认信息进行验证,验证通过后对智能卡预置参数进行更新,所述智能卡预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥;S50. The user equipment calculates the session key and verifies the access confirmation information, and updates the preset parameters of the smart card after the verification is passed, and the preset parameters of the smart card include pseudo-random user identity, shared between the user and the gateway node key;
    S60、所述用户设备和所述传感器利用所述会话密钥进行保密通信。S60. The user equipment and the sensor perform secure communication by using the session key.
  2. 根据权利要求1所述的无线传感器网络的认证与密钥协商方法,其特征在于,所述访问请求信息还包括所述网关第一预置参数的更新次数,则:The authentication and key agreement method for a wireless sensor network according to claim 1, wherein the access request information also includes the number of updates of the first preset parameter of the gateway, then:
    S30中验证通过后还包括:根据所述网关第一预置参数的更新次数更新所述传感器预置参数中的传感器节点和网关节点间共享密钥;After the verification in S30 is passed, it also includes: updating the shared key between the sensor node and the gateway node in the sensor preset parameter according to the update times of the first preset parameter of the gateway;
    所述传感器预置参数还包括传感器序列号,所述网关第一预置参数 还包括网关节点侧的传感器序列号。The sensor preset parameter also includes a sensor serial number, and the first gateway preset parameter also includes a sensor serial number on the gateway node side.
  3. 根据权利要求2所述的无线传感器网络的认证与密钥协商方法,其特征在于,所述访问确认信息还包括所述网关第二预置参数的更新次数,则:The authentication and key agreement method for a wireless sensor network according to claim 2, wherein the access confirmation information also includes the number of updates of the second preset parameter of the gateway, then:
    S50中验证通过后还包括:根据所述网关第二预置参数的更新次数更新所述智能卡预置参数中的用户和网关节点间共享密钥;After the verification in S50 is passed, it also includes: updating the shared key between the user and the gateway node in the smart card preset parameters according to the update times of the second preset parameters of the gateway;
    所述智能卡预置参数中还包括用户序列号,所述网关第二预置参数还包括用户身份标识、网关节点侧的用户序列号。The smart card preset parameters also include a user serial number, and the gateway second preset parameters also include a user ID and a user serial number at the gateway node side.
  4. 根据权利要求3所述的无线传感器网络的认证与密钥协商方法,其特征在于,S20包括:The authentication and key agreement method for a wireless sensor network according to claim 3, wherein S20 includes:
    S201、所述网关接收所述登录信息,根据所述登录信息中的时间戳检测所述登录信息的时间有效性;S201. The gateway receives the login information, and detects the time validity of the login information according to the timestamp in the login information;
    S202、若检测通过,则根据所述伪随机用户身份标识从所述网关第二预置参数中提取所述用户身份标识和用户和网关节点间共享密钥;S202. If the detection passes, extract the user identity and the shared key between the user and the gateway node from the second preset parameter of the gateway according to the pseudo-random user identity;
    S203、所述网关基于所述用户身份标识和用户和网关节点间共享密钥、所述登录信息计算实际认证值,对用户身份进行合法性验证;S203. The gateway calculates an actual authentication value based on the user identity, the shared key between the user and the gateway node, and the login information, and verifies the validity of the user identity;
    S204、若验证通过,则计算传感器身份标识并在所述网关第一预置参数中搜索所述传感器身份标识是否存在;S204. If the verification is passed, calculate the sensor ID and search whether the sensor ID exists in the first preset parameter of the gateway;
    S205、若存在,则基于第二随机数通过所述哈希函数生成的第二关键参数信息和第二认证值,所述第二随机数由所述网关生成;S205. If it exists, based on the second key parameter information and the second authentication value generated by the hash function based on the second random number, the second random number is generated by the gateway;
    S206、所述网关对所述伪随机用户身份标识、所述网关节点侧的用户序列号、所述用户和网关节点间共享密钥进行更新,S206. The gateway updates the pseudo-random user identity, the user serial number on the gateway node side, and the shared key between the user and the gateway node,
    S207、所述网关将更新后的网关节点侧的用户序列号、时间戳、所述第二关键参数信息和第二认证值作为访问请求信息发送至所述目标传感器。S207. The gateway sends the updated user serial number on the gateway node side, the time stamp, the second key parameter information, and the second authentication value to the target sensor as access request information.
  5. 根据权利要求3所述的无线传感器网络的认证与密钥协商方法,其特征在于,S30包括:The authentication and key agreement method for a wireless sensor network according to claim 3, wherein S30 includes:
    S301、所述目标传感器接收所述访问请求信息,根据所述访问请求信息中的时间戳检测所述访问请求信息的时间有效性,根据所述网关节点侧的用户序列号检测所述访问请求信息的同步性;S301. The target sensor receives the access request information, detects the time validity of the access request information according to the time stamp in the access request information, and detects the access request information according to the user serial number on the gateway node side synchronicity;
    S302、若检测通过,则根据所述网关节点侧的用户序列号对所述传感器节点和网关节点间共享密钥进行更新;S302. If the detection passes, update the shared key between the sensor node and the gateway node according to the user serial number on the gateway node side;
    S303、基于更新后的传感器节点和网关节点间共享密钥计算实际认证值,对网关进行合法性验证;S303. Calculate an actual authentication value based on the updated shared key between the sensor node and the gateway node, and verify the validity of the gateway;
    S304、若验证通过,则所述目标传感器更新所述伪随机传感器身份标识、所述传感器侧的序列号、所述传感器节点和网关节点间共享密钥;S304. If the verification is passed, the target sensor updates the pseudo-random sensor identity, the serial number on the sensor side, and the shared key between the sensor node and the gateway node;
    S305、基于第三随机数通过所述哈希函数生成第三关键参数信息和第三认证值,所述第三随机数由所述目标传感器生成;S305. Generate third key parameter information and a third authentication value through the hash function based on a third random number, where the third random number is generated by the target sensor;
    S305、所述目标传感器将所述第三关键参数信息和第三认证值、时间戳作为请求通过信息发送至所述网关。S305. The target sensor sends the third key parameter information, the third authentication value, and a time stamp to the gateway as request passing information.
  6. 根据权利要求1所述的无线传感器网络的认证与密钥协商方法,其特征在于,所述智能卡预置参数还包括用户注册验证值、用户侧序列号初值、哈希函数、用户身份信息值、用户生物公开参数,所述预置参数为用户进行身份注册时生成的。The authentication and key agreement method for a wireless sensor network according to claim 1, wherein the smart card preset parameters also include a user registration verification value, an initial value of a user-side serial number, a hash function, and a user identity information value . The public biometric parameters of the user, the preset parameters are generated when the user performs identity registration.
  7. 根据权利要求6所述的无线传感器网络的认证与密钥协商方法,其特征在于,S10包括:The authentication and key agreement method for a wireless sensor network according to claim 6, wherein S10 includes:
    S101、所述用户设备获取用户输入的身份信息,根据智能卡预置参数和所述身份信息计算验证值;S101. The user equipment acquires identity information input by the user, and calculates a verification value according to smart card preset parameters and the identity information;
    S102、通过对比所述验证值与所述用户注册验证值对所述身份信息进行验证;S102. Verify the identity information by comparing the verification value with the user registration verification value;
    S103、当验证通过时,针对所述目标传感器,基于第一随机数通过所述哈希函数生成的第一关键参数信息和第一认证值,所述第一随机数由智能卡生成;S103. When the verification is passed, for the target sensor, based on the first key parameter information and the first authentication value generated by the hash function based on the first random number, the first random number is generated by the smart card;
    S104、所述用户设备将所述伪随机用户身份标识、时间戳、所述第 一关键参数信息和第一认证值作为登录信息发送至所述网关。S104. The user equipment sends the pseudo-random user identity, time stamp, the first key parameter information and the first authentication value to the gateway as login information.
  8. 一种传感器,其特征在于,包括:A sensor, characterized in that it comprises:
    第一验证模块,用于对访问请求信息进行验证;A first verification module, configured to verify the access request information;
    参数更新模块,用于验证通过后对传感器预置参数进行更新,所述传感器预置参数包括伪随机传感器身份标识、传感器节点和网关节点间共享密钥;The parameter update module is used to update the sensor preset parameters after the verification is passed, and the sensor preset parameters include pseudo-random sensor identification, shared keys between sensor nodes and gateway nodes;
    密钥生成模块,用于生成会话密钥,基于所述会话密钥和更新后的传感器预置参数向网关发送请求通过信息;A key generation module, configured to generate a session key, and send request passing information to the gateway based on the session key and the updated sensor preset parameters;
    第一通信模块,用于利用所述会话密钥与用户设备进行保密通信。A first communication module, configured to use the session key to perform secure communication with the user equipment.
  9. 一种网关,其特征在于,包括:A gateway, characterized in that it comprises:
    访问请求信息生成模块,用于根据登录信息验证用户身份,验证通过后基于网关第一预置参数生成目标传感器的访问请求信息,并对所述网关第一预置参数进行更新;所述网关第一预置参数包括伪随机传感器身份标识和传感器节点和网关节点间共享密钥;The access request information generation module is used to verify the identity of the user according to the login information. After the verification is passed, the access request information of the target sensor is generated based on the first preset parameters of the gateway, and the first preset parameters of the gateway are updated; the first preset parameters of the gateway are updated; A preset parameter includes a pseudo-random sensor identity and a shared key between the sensor node and the gateway node;
    访问确认信息生成模块,用于计算会话密钥并对请求通过信息进行验证,验证通过后基于网关第二预置参数生成访问确认信息,并对所述网关第二预置参数进行更新,所述网关第二预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥。The access confirmation information generation module is used to calculate the session key and verify the request passing information. After the verification is passed, the access confirmation information is generated based on the second preset parameter of the gateway, and the second preset parameter of the gateway is updated. The second preset parameters of the gateway include a pseudo-random user identity and a shared key between the user and the gateway node.
  10. 一种电子设备,其特征在于,包括:An electronic device, characterized in that it comprises:
    登录信息生成模块,用于根据用户输入的身份信息通过智能卡验证用户身份,验证通过后向网关发送登录信息,所述登录信息包括伪随机用户身份标识;The login information generating module is used to verify the identity of the user through the smart card according to the identity information input by the user, and sends the login information to the gateway after the verification is passed, and the login information includes a pseudo-random user identity;
    验证模块,用于计算会话密钥并对访问确认信息进行验证,验证通过后对智能卡预置参数进行更新,所述智能卡预置参数包括伪随机用户身份标识、用户和网关节点间共享密钥;The verification module is used to calculate the session key and verify the access confirmation information. After the verification is passed, the smart card preset parameters are updated, and the smart card preset parameters include a pseudo-random user identity, a shared key between the user and the gateway node;
    第二通信模块,用于利用所述会话密钥与目标传感器进行保密通信。The second communication module is configured to use the session key to perform secure communication with the target sensor.
PCT/CN2022/071463 2021-12-22 2022-01-11 Authentication and key negotiation method, gateway, sensor and electronic equipment WO2023115667A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111583644.4 2021-12-22
CN202111583644.4A CN114302389B (en) 2021-12-22 2021-12-22 Authentication and key agreement method, gateway, sensor and electronic equipment

Publications (1)

Publication Number Publication Date
WO2023115667A1 true WO2023115667A1 (en) 2023-06-29

Family

ID=80968665

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/071463 WO2023115667A1 (en) 2021-12-22 2022-01-11 Authentication and key negotiation method, gateway, sensor and electronic equipment

Country Status (2)

Country Link
CN (1) CN114302389B (en)
WO (1) WO2023115667A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117896183A (en) * 2024-03-14 2024-04-16 杭州海康威视数字技术股份有限公司 Aggregation batch authentication method and system for large-scale Internet of things equipment

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710290B (en) * 2022-06-06 2022-08-26 科大天工智能装备技术(天津)有限公司 Safety authentication method for intelligent greenhouse sensor equipment
CN115085945B (en) * 2022-08-22 2022-11-29 北京科技大学 Authentication method and device for intelligent lamp pole equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180124600A1 (en) * 2016-11-02 2018-05-03 National Chin-Yi University Of Technology Anonymity authentication method for wireless sensor networks
CN110351727A (en) * 2019-07-05 2019-10-18 北京邮电大学 A kind of certifiede-mail protocol method suitable for wireless sensor network
CN110933675A (en) * 2019-11-08 2020-03-27 北京邮电大学 Wireless sensor network authentication method, system and electronic equipment
CN112887978A (en) * 2021-02-24 2021-06-01 曲阜师范大学 Anonymous identity authentication and key agreement protocol in WSN

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103313246B (en) * 2013-06-05 2016-02-03 中国科学院计算技术研究所 A kind of wireless sense network double factor authentication method and device and network thereof

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180124600A1 (en) * 2016-11-02 2018-05-03 National Chin-Yi University Of Technology Anonymity authentication method for wireless sensor networks
CN110351727A (en) * 2019-07-05 2019-10-18 北京邮电大学 A kind of certifiede-mail protocol method suitable for wireless sensor network
CN110933675A (en) * 2019-11-08 2020-03-27 北京邮电大学 Wireless sensor network authentication method, system and electronic equipment
CN112887978A (en) * 2021-02-24 2021-06-01 曲阜师范大学 Anonymous identity authentication and key agreement protocol in WSN

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GUO, YAN; WANG, LIEJUN; LIU, SHUANG: "Wireless Sensor Networks Based on A Shared Key Mutual Authentication And Key Agreement Scheme", CHINA SCIENCEPAPER, vol. 11, no. 8, 30 April 2016 (2016-04-30), pages 865 - 868, XP009547790, ISSN: 2095-2783 *
SU, BIN; MA, LI-MEI; CUI, BAO-JIANG: "Light Weight Security Communication Protocol for Sensor Data Collection Network", COMPUTER ENGINEERING AND DESIGN, vol. 39, no. 5, 16 May 2018 (2018-05-16), pages 1262 - 1268, XP009547621, ISSN: 1000-7024, DOI: 10.16208/j.issn1000-7024.2018.05.011 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117896183A (en) * 2024-03-14 2024-04-16 杭州海康威视数字技术股份有限公司 Aggregation batch authentication method and system for large-scale Internet of things equipment

Also Published As

Publication number Publication date
CN114302389A (en) 2022-04-08
CN114302389B (en) 2024-02-09

Similar Documents

Publication Publication Date Title
Gope et al. Lightweight and physically secure anonymous mutual authentication protocol for real-time data access in industrial wireless sensor networks
Roy et al. Chaotic map-based anonymous user authentication scheme with user biometrics and fuzzy extractor for crowdsourcing Internet of Things
Shin et al. A privacy-preserving authentication, authorization, and key agreement scheme for wireless sensor networks in 5G-integrated Internet of Things
Wazid et al. Authenticated key management protocol for cloud-assisted body area sensor networks
Chaudhry et al. A secure and reliable device access control scheme for IoT based sensor cloud systems
Das A secure and effective biometric‐based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor
Das A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks
Amin et al. Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks
Wu et al. A new and secure authentication scheme for wireless sensor networks with formal proof
Xiang et al. A permissioned blockchain-based identity management and user authentication scheme for e-health systems
WO2023115667A1 (en) Authentication and key negotiation method, gateway, sensor and electronic equipment
He et al. Design and validation of an efficient authentication scheme with anonymity for roaming service in global mobility networks
Liu et al. A physically secure, lightweight three-factor and anonymous user authentication protocol for IoT
Liu et al. Secure remote multi-factor authentication scheme based on chaotic map zero-knowledge proof for crowdsourcing internet of things
Fan et al. An efficient and DoS-resistant user authentication scheme for two-tiered wireless sensor networks
Luo et al. Lightweight three factor scheme for real-time data access in wireless sensor networks
Jia et al. Signature-based three-factor authenticated key exchange for internet of things applications
Arasteh et al. A new lightweight authentication and key agreement protocol for Internet of Things
Srinivas et al. Provably secure biometric based authentication and key agreement protocol for wireless sensor networks
Zhao et al. A secure biometrics and PUFs-based authentication scheme with key agreement for multi-server environments
Hajian et al. SHAPARAK: Scalable healthcare authentication protocol with attack-resilience and anonymous key-agreement
Han et al. An efficient and secure three-factor based authenticated key exchange scheme using elliptic curve cryptosystems
Xia et al. PUF-assisted lightweight group authentication and key agreement protocol in smart home
Maurya et al. Secure user authentication mechanism for IoT-enabled Wireless Sensor Networks based on multiple Bloom filters
Shao et al. A PUF-based anonymous authentication protocol for wireless medical sensor networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22909013

Country of ref document: EP

Kind code of ref document: A1