Summary of the invention
The object of the present invention is to provide a wireless sensor network access authentication method under a Restful framework based on CA certificates, which effectively prevents malicious attackers from destroying data and protects the security of data in the wireless sensor network.
The technical solution adopted by the present invention is as follows. In the wireless sensor network access authentication method under a Restful framework based on CA certificates, sensor nodes and aggregation nodes self-organize into a network, and the aggregation nodes are connected to a Web server based on the Restful framework. The authentication between the client and the Web server, between the aggregation node and the Web server, between the sensor node and the aggregation node, and between the client and the aggregation node is completed on the basis of CA certificates. The user accesses the Web server through the client to obtain the data of the wireless sensor nodes.
The method further includes token-based authentication between a third party application and the Web server.
In the authentication process, the authenticated party holds a first CA certificate, a first public key and a first private key, and the authenticating party holds a second CA certificate, a second public key and a second private key. The authentication process includes the following steps:
A. The authenticated party sends an access request to the authenticating party, and receives the first random number and the second CA certificate returned by the authenticating party;
B. The authenticated party verifies the received second CA certificate with the CA public key it has saved; if the verification passes, go to step C, otherwise go to step D;
C. The authenticated party obtains the second public key carried in the second CA certificate, encrypts the first random number with the first private key it has saved, and encrypts the first random number, already encrypted with the first private key, again with the obtained second public key;
D. The authenticated party determines that the authenticating party has an illegal identity and refuses to send data information to the authenticating party;
E. The authenticated party carries the first public key in the first CA certificate it has saved, encrypts the first CA certificate with the obtained second public key, and sends the encrypted first CA certificate and the re-encrypted first random number to the authenticating party;
F. The authenticating party decrypts the received encrypted first CA certificate with the second private key it has saved to obtain the first CA certificate, and verifies the obtained first CA certificate with the CA public key it has saved; if the verification passes, go to step G, otherwise go to step H;
G. The authenticating party obtains the first public key carried in the first CA certificate, decrypts the re-encrypted first random number with the second private key it has saved, and decrypts the result again with the first public key;
H. When the authenticating party determines that the decryption result is identical to the first random number it sent, it returns a confirmation notice and an encrypted second random number to the authenticated party;
I. The authenticated party obtains the second random number and uses it as the session key.
In the authentication process, the authenticated party generates and saves the first public key and the first private key using the error checking and correcting algorithm, and the authenticating party generates and saves the second public key and the second private key using the error checking and correcting algorithm.
The authentication process between the aggregation node and the Web server further includes authentication of the ID of the aggregation node, specifically:
The authenticated party encrypts its own ID with the obtained first public key and sends it to the authenticating party;
The authenticating party decrypts the encrypted ID with the first private key it has saved, obtains the ID of the authenticated party, and verifies whether the ID of the authenticated party is legal.
The authentication between the third party application and the Web server uses token authentication based on the Restful framework. The authentication process is divided into two situations:
Situation one: after completing identity authentication with the Web server, the user performs identity registration and, at registration, authorizes the operating rights to the sensor data, indicating whether the sensor data the user owns is visible only to the user, visible to everyone, or visible to certain people. The authentication between the third party application and the Web server then comprises the following steps:
A1, The third party application issues a data access request to the Web server; go to step B1;
B1, The Web server decides whether to generate an interim token and return it to the third party application; if this is not allowed, access is refused; if it is allowed, go to step C1;
C1, The Web server sends the interim token to the third party application; go to step D1;
D1, The third party application receives the interim token and again sends the Web server a data access request, this time carrying the interim token; go to step E1;
E1, After receiving the data access request, the Web server parses the interim token and judges whether it has expired; if it has not expired, the Web server returns the data the third party application wants to access; if it has expired, the Web server regenerates an interim token and returns it to the third party application, and the third party application sends the data access request using the new interim token;
Situation two: after completing identity authentication with the Web server, the user performs identity registration but, at registration, does not authorize the operating rights to the sensor data the user owns, or the third party application is not an authorized party. The authentication steps between the third party application and the Web server are then:
A2, The third party application issues a data access request to the Web server; go to step B2;
B2, The Web server asks the user whether access to the data is allowed; if not allowed, access is denied; if allowed, go to step C2;
C2, The user gives the Web server authorization, and the Web server sends an interim token to the third party application; go to step D2;
D2, The third party application receives the interim token and again sends the Web server a data access request, this time carrying the interim token; go to step E2;
E2, After receiving the data access request, the Web server parses the interim token and judges whether it has expired; if it has not expired, the Web server returns the data the third party application wants to access; if it has expired, go to step B2;
The wireless sensor network access authentication method under a Restful framework based on CA certificates is characterised in that:
In step C1 and step C2, the Web server internally generates an interim token using the current time as an element and returns it to the third party application;
In step E1 and step E2, the interim token is parsed and restored to its generation time, in order to judge whether the interim token has expired.
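The two token flows above can be exercised with the following added example, which is not part of the original patent text. It assumes an HMAC-SHA256 tag over the token body, a server-side secret `SERVER_KEY`, a lifetime `TTL` of 300 seconds and the function names shown; the page itself only states that the current time is an element of the token and that parsing restores the generation time.

```python
import base64
import hashlib
import hmac
import struct

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the Web server
TTL = 300  # assumption: token lifetime in seconds; the page gives no value
READINGS = {"sensor-1": 21.5}  # constructed sensor data


def issue_token(app_id, now):
    # C1/C2: the current time is an element of the interim token.
    body = struct.pack(">Q", int(now)) + app_id.encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def parse_token(token):
    # E1/E2: restore (app_id, generation time); None if malformed or altered.
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= 8 + 32:
        return None
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body[8:].decode(), struct.unpack(">Q", body[:8])[0]


def handle_request(app_id, token, now, preauthorised, ask_user):
    """One stateless request. preauthorised=True models situation one;
    False models situation two, where ask_user(app_id) is the owner's answer."""
    if token is not None:
        parsed = parse_token(token)
        if parsed is None or parsed[0] != app_id:
            return ("denied", None)
        if 0 <= now - parsed[1] <= TTL:
            return ("data", READINGS)  # E1/E2: token has not expired
    # No token yet (A1/A2) or an expired one (E1 reissues, E2 returns to B2).
    if preauthorised or ask_user(app_id):
        return ("token", issue_token(app_id, now))  # C1/C2
    return ("denied", None)  # B1/B2 refusal


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    _, tok = handle_request("app-1", None, t0, True, lambda a: False)
    print(handle_request("app-1", tok, t0 + 10, True, lambda a: False))
    print(handle_request("app-1", tok, t0 + TTL + 1, False, lambda a: False))
```

Because the generation time travels inside the token, the server keeps no per-client session and each request carries its own credential.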
The present invention self-organizes sensor nodes and aggregation nodes into a network and connects the aggregation nodes to a Web server based on the Restful framework. The authentication between the client and the Web server, between the aggregation node and the Web server, between the sensor node and the aggregation node, and between the client and the aggregation node is completed on the basis of CA certificates, and the user accesses the Web server through the client to obtain the data of the wireless sensor nodes. The present invention can effectively prevent malicious attackers from destroying data and protects the security of data in the wireless sensor network.
Specific embodiment
In the wireless sensor network access authentication method under a Restful framework based on CA certificates of the present invention, the sensor nodes (sensor) and the aggregation nodes (sink node) self-organize into a network, and the aggregation node (sink node) is connected to the Web server based on the Restful framework. The authentication between the client (user) and the Web server, between the aggregation node (sink node) and the Web server, between the sensor node (sensor) and the aggregation node (sink node), and between the client (user) and the aggregation node (sink node) is completed on the basis of CA certificates. The client (user), the Web server, the aggregation node (sink node) and the sensor node (sensor) all hold CA certificates issued by the CA certificate center. The authentication between the third party application and the Web server uses token authentication based on the Restful framework. The user accesses the Web server through the client (user) to obtain the data of the wireless sensor nodes.
The full name of REST is Representational State Transfer. It refers to a set of architectural constraints and principles; an architecture that satisfies the constraints and principles of REST is called a Restful framework. HTTP is currently the only example associated with REST.
The Restful framework follows the principle of stateless communication. Stateless communication means that, during the interaction between the client (user) and the Web server, each request is independent of the others and carries no state between them. REST requires that state either be placed into the resource state or be stored on the client (user); that is, the Web server cannot maintain the communication state of any client (user) it communicates with beyond a single request. Communicating in this way makes the Web server scalable: if the Web server had to keep client (user) state, a large number of client (user) interactions would seriously affect the Web server's available memory (footprint). To achieve stateless communication, authentication requests under the Restful framework should not depend on cookies or sessions, and each request should carry some type of authentication credential.
A CA certificate includes the information of the issuing certification authority, the information of the public key user, the public key, the private key, the signature of the authority, the validity period, and so on. To determine whether a CA certificate is genuine, the signature on the CA certificate is verified with the CA public key; if the verification passes, the CA certificate is regarded as valid. At present, the format and verification method of certificates generally follow the X.509 international standard.
Fig. 1 is the wireless sensor network topology based on the Restful framework. One aggregation node (sink node) connects several sensor nodes (sensor). The sensor nodes collect measurement data. The aggregation node is mainly responsible for directing the sensor nodes to collect data, receiving the data of all the sensor nodes, and connecting to the external network; it can be regarded as a gateway node. One Web server can connect to a large number of aggregation nodes, and the Web server stores the measurement data sent by the aggregation nodes. The user can log in to the Web server through the web-page client (user) and send data operation requests through the browser to direct nodes to complete tasks or to view the collected data saved in the Web server. If the user owns a private aggregation node, the client (user) can establish a connection directly with the aggregation node without having to view or manipulate data through the Web server.
Fig. 2 is the identity authentication topology of the present invention. In the whole authentication system, the client (user), the Web server, the aggregation node (sink node) and the sensor node (sensor) each have a CA certificate issued by the CA certificate center, and all four save the CA public key used to verify CA certificates. Token authentication is carried out between the third party application and the Web server.
In the authentication flow, for the authentication between the client (user) and the Web server, between the aggregation node (sink node) and the Web server, between the sensor node (sensor) and the aggregation node (sink node), and between the client (user) and the aggregation node (sink node), the former in each pair is uniformly called the authenticated party and the latter the authenticating party. The authenticated party holds the first CA certificate, the first public key and the first private key, and the authenticating party holds the second CA certificate, the second public key and the second private key. Data encrypted with the first public key can only be decrypted with the first private key, and data encrypted with the first private key can only be decrypted with the first public key. Similarly, data encrypted with the second public key can only be decrypted with the second private key, and data encrypted with the second private key can only be decrypted with the second public key. Therefore, even if the data packets exchanged during authentication between the authenticated party and the authenticating party are intercepted, the illegal party, lacking the keys, cannot obtain the critical data and therefore cannot impersonate an identity with respect to the data.
In this embodiment, the computing capability of the aggregation node (sink node) and the sensor node (sensor) is limited, so they cannot effectively support algorithms of high computational complexity such as the RSA public key encryption algorithm; authenticating with the RSA algorithm would consume a very long authentication time and thus reduce the communication efficiency of the network. Therefore, to improve communication efficiency, the sensor node (sensor), the aggregation node (sink node), the Web server and the client (user) use the error checking and correcting (Error Correcting Code, ECC) algorithm in the authentication process to generate and save the first public key, the first private key, the second public key and the second private key, and the corresponding encryption and decryption are likewise performed according to the ECC algorithm.
Fig. 3 shows the authentication between the client (user) and the Web server, between the aggregation node (sink node) and the Web server, between the sensor node (sensor) and the aggregation node (sink node), and between the client (user) and the aggregation node (sink node) in the present invention. The authentication process includes the following steps:
S101, The authenticated party sends an access request to the authenticating party, and receives the first random number and the second CA certificate returned by the authenticating party;
In this embodiment, when the authenticated party communicates with the authenticating party, it first sends an access request to the authenticating party. After receiving the access request, the authenticating party generates the first random number and returns it to the authenticated party. To further increase the security of the data information sent by the authenticated party, the authenticating party also returns the second CA certificate it has saved to the authenticated party.
S102, The authenticated party verifies the received second CA certificate with the CA public key it has saved; if the verification passes, go to step S103, otherwise go to step S104;
In this embodiment, the authenticated party can verify the received second CA certificate according to the CA public key it has saved, that is, verify the authenticating party.
S103, The authenticated party obtains the second public key carried in the second CA certificate, encrypts the first random number with the first private key it has saved, and encrypts the first random number, already encrypted with the first private key, again with the obtained second public key;
When the verification passes, that is, when the authenticating party is determined to be legal, the authenticated party obtains the second public key carried in the second CA certificate, encrypts the first random number with the first private key it has saved, and encrypts the encrypted first random number again with the second public key.
S104, The authenticated party determines that the authenticating party has an illegal identity and refuses to send data information to the authenticating party;
When the verification fails, that is, when it is determined that the authenticated party is illegal, the authenticated party refuses to send data information to the authenticating party.
S105, The authenticated party carries the first public key in the first CA certificate it has saved, encrypts the first CA certificate with the obtained second public key, and sends the encrypted first CA certificate and the re-encrypted first random number to the authenticating party;
In this embodiment, the authenticated party carries the first public key it has saved in the first CA certificate, encrypts the first CA certificate with the obtained second public key, and sends the encrypted first CA certificate and the first random number re-encrypted in step S103 to the authenticating party.
S106, The authenticating party decrypts the received encrypted first CA certificate with the second private key it has saved to obtain the first CA certificate, and verifies the obtained first CA certificate according to the CA public key it has saved; if the verification passes, go to step S107, otherwise go to step S110;
The authenticating party decrypts the encrypted second CA certificate with the second private key it has saved to obtain the second CA certificate, and verifies the obtained first CA certificate according to the CA public key it has saved, that is, verifies the authenticated party.
S107, The authenticating party obtains the first public key carried in the first CA certificate, decrypts the re-encrypted first random number with the second private key it has saved, and decrypts the result again with the first public key;
When the verification passes, the authenticating party obtains the first public key carried in the first CA certificate, decrypts the re-encrypted first random number with the second private key it has saved, and then decrypts the result again with the first public key.
S108, When the authenticating party determines that the decryption result is identical to the first random number it sent, it returns to the authenticated party a confirmation notice and the second random number encrypted with the first public key;
In this embodiment, when the result obtained by the authenticating party after decrypting the re-encrypted first random number twice is identical to the first random number it sent, the authenticating party determines that the authenticated party is safe and returns to the authenticated party a confirmation notice and the second random number encrypted with the first public key. The second random number is used to encrypt the data information in the communication process.
S109, The authenticated party decrypts the received encrypted second random number with the first private key to obtain the second random number, and uses the second random number as the session key.
S110, The authenticating party determines that the authenticated party has an illegal identity and rejects the data information sent by the authenticated party;
In this embodiment, the authenticated party decrypts the received encrypted second random number with the first private key it has saved to obtain the second random number, and uses the second random number as the session key for the data information in the communication process.
In the above process, when the authenticated party's verification of the received second CA certificate passes, that is, when the authenticating party is verified, the authenticated party obtains the second public key carried in the second CA certificate, encrypts the received first random number with the first private key it has saved, encrypts the result again with the second public key, encrypts the first CA certificate carrying the first public key with the second public key, and sends the encrypted first CA certificate and the re-encrypted first random number to the authenticating party. The authenticating party decrypts the encrypted first CA certificate with the second private key it has saved. When verification of the first CA certificate passes, it obtains the first public key, decrypts the re-encrypted first random number with the second private key it has saved, and decrypts the result again with the first public key. When it determines that the decryption result is identical to the first random number it sent, it returns to the aggregation node (sink node) a confirmation notice and the second random number, encrypted with the first public key, that is used to encrypt the data information in the communication process. This greatly improves the security of the data information sent by the authenticated party.
In practical applications, an illegal aggregation node (sink node) may use two or more different IDs to send access requests to the Web server frequently, that is, to carry out a malicious attack on the Web server. Because the authentication process itself takes a certain amount of time, the Web server may build up a backlog of data from running too many authentication processes at once, and finally be paralysed. To prevent attacks by illegal aggregation nodes on the Web server, in this embodiment, before the Web server decrypts the encrypted CA certificate received from the aggregation node, it also receives the node's serial number (Identity, ID) sent by the aggregation node and verifies the ID; only when the ID is verified as legal are the subsequent steps carried out.
Fig. 4 shows the authentication between the aggregation node (sink node) and the Web server in the present invention, which specifically includes the following steps:
S201: The aggregation node (sink node) sends a registration request to the Web server.
In this embodiment, the aggregation node performs identity registration when it establishes a connection with the Web server for the first time, that is, it sends its own ID to the Web server, and the Web server saves the ID of the aggregation node.
S202: The aggregation node (sink node) sends an access request to the Web server, and receives the first random number and the second CA certificate returned by the Web server.
In this embodiment, when the aggregation node communicates with the Web server, it first sends an access request to the Web server. After receiving the access request, the Web server generates the first random number and returns it to the aggregation node. To further increase the security of the data information sent by the aggregation node, the Web server also returns the second CA certificate it has saved to the aggregation node.
S203: The aggregation node (sink node) verifies the Web server according to the CA public key it has saved and the received second CA certificate; if the verification passes, carry out step S204, otherwise carry out step S205.
In this embodiment, the aggregation node can verify the received second CA certificate according to the CA public key it has saved, that is, verify the Web server.
S204: The aggregation node (sink node) obtains the second public key carried in the second CA certificate, encrypts the first random number with the first private key, and encrypts the first random number, already encrypted with the first private key, again with the obtained second public key.
When the verification passes, that is, when the Web server is determined to be legal, the aggregation node obtains the second public key carried in the second CA certificate, encrypts the first random number with the first private key, and encrypts the encrypted first random number again with the second public key.
S205: The aggregation node (sink node) determines that the Web server is an illegal Web server and refuses to send data information to the Web server.
When the verification fails, that is, when the Web server is determined to be illegal, the aggregation node refuses to send data information to the Web server.
S206: The aggregation node (sink node) carries the first public key in the first CA certificate it has saved, encrypts its own ID with the obtained second public key, encrypts the first CA certificate, and sends the encrypted ID, the first CA certificate, and the re-encrypted first random number to the Web server.
In this embodiment, to further increase the security of the data information sent by the aggregation node, the aggregation node carries the first public key it has saved in the first CA certificate, encrypts the first CA certificate with the obtained second public key, and sends the encrypted second CA certificate and the first random number re-encrypted in step S204 to the Web server. In addition, to prevent attacks by illegal aggregation nodes on the Web server, the aggregation node also encrypts its own ID with the second public key and sends the encrypted ID to the Web server as well.
S207: The Web server decrypts the encrypted ID with the second private key it has saved to obtain the ID, and verifies the legitimacy of the ID; if the verification passes, carry out step S208, otherwise carry out step S212.
The Web server first decrypts the encrypted ID with the second private key to obtain the ID of the aggregation node, and judges whether the ID is stored locally on the Web server; if so, the ID is legal, otherwise it is illegal.
S208: The Web server decrypts the encrypted first CA certificate with the second private key it has saved to obtain the first CA certificate, and verifies the obtained first CA certificate according to the CA public key it has saved; if the verification passes, carry out step S209, otherwise carry out step S212.
When the Web server determines that the ID of the aggregation node is legal, it decrypts the encrypted first CA certificate with the second private key to obtain the first CA certificate, and verifies the first CA certificate according to the CA public key it has saved, that is, it further verifies whether the aggregation node is safe.
S209: The Web server obtains the first public key carried in the first CA certificate, decrypts the encrypted first random number with the second private key it has saved, decrypts the result again with the first public key, and judges whether the decryption result is identical to the first random number it sent; if they are identical, carry out step S210, otherwise carry out step S212.
When verification of the first CA certificate passes, the Web server obtains the first public key carried in the first CA certificate, decrypts the re-encrypted first random number with the second private key, and decrypts the result again with the obtained first public key to obtain the decryption result. It then judges whether the decryption result is identical to the first random number it sent, in order to judge whether the aggregation node is safe.
S210: The Web server encrypts the second random number with the first public key, and returns the confirmation notice and the encrypted second random number to the aggregation node (sink node).
When it determines that the decryption result is identical to the first random number it sent, the Web server determines that the aggregation node is safe, generates the confirmation notice and the second random number, encrypts the second random number with the first public key, and sends the confirmation notice and the encrypted second random number to the aggregation node.
S211: The aggregation node (sink node) receives the confirmation notice and the encrypted second random number returned by the Web server, decrypts the encrypted second random number with the first private key it has saved to obtain the second random number, and uses the second random number as the session key.
After receiving the confirmation notice, the aggregation node decrypts the encrypted second random number with the first private key to obtain the second random number, and uses the second random number to encrypt the data information it sends; that is, the Web server and the aggregation node agree to use the second random number as the subsequent session key.
S212: The Web server determines that the aggregation node (sink node) is unsafe and rejects the data information sent by the aggregation node.
When the Web server determines that the ID of the aggregation node is illegal, or when verification of the first CA certificate fails, or when it determines that the decryption result is not identical to the first random number it sent, it determines that the aggregation node is unsafe and rejects the data information sent by the aggregation node.
In the above process, the first public key and the first private key are generated and saved by the aggregation node (sink node) according to the ECC algorithm, the second public key and the second private key are generated and saved by the Web server according to the ECC algorithm, and the corresponding encryption and decryption are likewise performed according to the ECC algorithm.
In the above process, the aggregation node (sink node) receives the first random number returned by the Web server, encrypts it with the first private key it has saved, and returns the first public key it has saved together with the encrypted first random number. The Web server decrypts the encrypted first random number with the first public key and, according to whether the decryption result is identical to the first random number it sent, judges whether the aggregation node is safe; when it determines that the node is safe, it accepts the data information sent by the aggregation node. Because in this embodiment a first random number encrypted with the first private key can only be decrypted with the first public key, if the first public key is stolen by an illegal aggregation node and that node encrypts the first random number with the stolen first public key, the Web server cannot decrypt the encrypted first random number with the first public key, cannot correctly obtain the first random number, and rejects the data information sent by the illegal aggregation node. This improves the security of the data information that the aggregation node sends to the Web server.
In addition, to prevent an illegal aggregation node (sink node) from attacking the Web server and paralysing it with a backlog of data, the aggregation node also sends its own ID to the Web server. The Web server verifies the legitimacy of the ID and carries out the subsequent steps only when the verification passes; otherwise it determines that the aggregation node is unsafe and refuses to accept the data information sent by the aggregation node.
Meanwhile, the Web server also returns the second CA certificate to the aggregation node (sink node). After its verification of the second CA certificate passes, the aggregation node determines that the Web server is legal, obtains the second public key carried in the second CA certificate, uses the second public key to encrypt its own ID and the first CA certificate carrying the first public key, encrypts again the first random number already encrypted with the first private key, and returns the encrypted ID, the encrypted first CA certificate and the re-encrypted first random number to the Web server. After determining that the ID and the first CA certificate of the aggregation node are legal, the Web server decrypts the re-encrypted first random number in the corresponding manner to obtain the decryption result, and then judges whether the aggregation node is safe according to whether the decryption result is identical to the first random number. This further improves the security of the data information sent by the aggregation node.
In addition, the first public key, the first private key, the second public key and the second private key in the above process are generated according to the ECC algorithm. Since the aggregation node (sink node) can effectively support the ECC algorithm, the communication efficiency between the sink node and the mobile communications network is improved.
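The challenge-response between the sink node and the Web server described above, reduced to its core as an added Go example (not code from the patent). It assumes that "encrypting with the first private key" is realised as an ECDSA P-256 signature over the sink ID and the first random number; the registry, the IDs `sink-01` and `sink-99` and all function names are constructed, and the CA certificate check and the outer encryption with the second public key are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server is the Web server side: legitimate sink IDs and their enrolled first public keys.
type Server struct{ sinks map[string]*ecdsa.PublicKey }

// digest binds the first random number to the claimed sink ID.
func digest(id string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(id+"|"), nonce...))
	return h[:]
}

// Respond is the sink side; the ECDSA signature is an assumed stand-in for private-key encryption.
func Respond(priv *ecdsa.PrivateKey, id string, nonce []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(id, nonce))
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify rejects unknown IDs first, then checks the response against the nonce.
func (s *Server) Verify(id string, nonce, sig []byte) bool {
	pub, known := s.sinks[id]
	return known && ecdsa.VerifyASN1(pub, digest(id, nonce), sig)
}

// Demo: legitimate sink, impostor without the private key, unknown ID, replayed response.
func Demo() [4]bool {
	legit, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := &Server{sinks: map[string]*ecdsa.PublicKey{"sink-01": &legit.PublicKey}}
	n1, n2 := make([]byte, 32), make([]byte, 32) // two first random numbers
	rand.Read(n1)
	rand.Read(n2)
	good := Respond(legit, "sink-01", n1)
	return [4]bool{srv.Verify("sink-01", n1, good),
		srv.Verify("sink-01", n1, Respond(rogue, "sink-01", n1)),
		srv.Verify("sink-99", n1, Respond(rogue, "sink-99", n1)),
		srv.Verify("sink-01", n2, good)}
}

func main() { fmt.Println(Demo()) }
```

Only the first case is accepted: knowing the first public key or a valid ID is not enough, and a response captured for one random number does not verify against the next.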
Fig. 5 is a flowchart of the authentication between a third-party application and the Web server in the present invention. The authentication between the third-party application and the Web server uses token authentication based on the Restful framework. An access token can be used to uniquely identify and authenticate a user, and every request from the user must carry the token to make the access secure. The issuing of tokens falls into two cases:
Case one: the user performs identity registration after completing identity authentication with the Web server, and at registration authorizes the operating rights to the sensor data, indicating whether the sensor data that the user owns is visible only to the user, visible to everyone, or visible to certain people. The authentication between the third-party application and the Web server then comprises the following steps in order:
S301: The third-party application issues a data access request to the Web server;

S302: The Web server decides whether to generate an interim token (Token) and return it to the third-party application; if not, access is denied; if so, the process proceeds to step S303;

S303: The Web server sends the interim token to the third-party application;

Inside the Web server, an interim token is generated with the current time as an element and returned to the third-party application;

S304: The third-party application receives the interim token and sends the Web server a new data access request that carries the interim token;

S305: After receiving the data access request, the Web server parses the interim token and judges whether the interim token has expired. If it has not expired, the Web server returns the data that the third-party application wants to access; if it has expired, the Web server regenerates an interim token and returns it to the third-party application, and the third-party application sends the data access request using the new interim token;

After receiving the request, the Web server parses the interim token to restore the time at which the interim token was generated and judges whether the interim token has expired. If it has not expired, the Web server returns the data that the third-party application wants to access; if it has expired, the Web server regenerates an interim token and returns it to the third-party application, and the third-party application sends the data access request using the new interim token.
Case two: the user performs identity registration after completing identity authentication with the Web server, but at registration does not authorize the operating rights to the sensor data that the user owns, or the third-party application is not an authorized party. The authentication steps between the third-party application and the Web server are then:
S401: The third-party application issues a data access request to the Web server;

S402: The Web server asks the user whether access to the data is allowed; if not, access is denied; if so, the process proceeds to step S403;

S403: The user grants authorization to the Web server, and the Web server sends an interim token (Token) to the third-party application;

Inside the Web server, an interim token is generated with the current time as an element and returned to the third-party application;

S404: The third-party application receives the interim token and sends the Web server a new data access request that carries the interim token;

S405: After receiving the data access request, the Web server parses the interim token and judges whether the interim token has expired. If it has not expired, the Web server returns the data that the third-party application wants to access; if it has expired, the process returns to step S402.
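One way to realise the interim-token handling of steps S303 to S305 and S403 to S405, as an added Go example rather than the patent's own implementation. The HMAC-SHA-256 tag, the application ID as a second element, the five-minute lifetime and all names are assumptions; the patent states only that the token is generated with the current time as an element and later parsed to restore that time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var ErrExpired, ErrInvalid = errors.New("token expired"), errors.New("token invalid")

// Issuer holds the server-side MAC key and the token lifetime (both assumed).
type Issuer struct{ key []byte; ttl time.Duration }

func (i Issuer) mac(payload string) string {
	m := hmac.New(sha256.New, i.key)
	m.Write([]byte(payload))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// Issue builds "<app>.<unix issue time>.<mac>" (assumed layout); app must not contain a dot.
func (i Issuer) Issue(app string, now time.Time) string {
	payload := app + "." + strconv.FormatInt(now.Unix(), 10)
	return payload + "." + i.mac(payload)
}

// Check verifies the MAC, restores the generation time, then decides whether the token has expired.
func (i Issuer) Check(tok string, now time.Time) (time.Time, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(i.mac(p[0]+"."+p[1])), []byte(p[2])) {
		return time.Time{}, ErrInvalid
	}
	sec, err := strconv.ParseInt(p[1], 10, 64)
	if err != nil {
		return time.Time{}, ErrInvalid
	}
	if issued := time.Unix(sec, 0); now.Before(issued) || now.Sub(issued) > i.ttl {
		return issued, ErrExpired
	}
	return time.Unix(sec, 0), nil
}

func main() {
	iss := Issuer{key: []byte("constructed-demo-key"), ttl: 5 * time.Minute}
	fmt.Println(iss.Check(iss.Issue("app-1", time.Now()), time.Now()))
}
```

`ErrExpired` corresponds to the expiry branch of S305 (reissue) and S405 (return to S402); the MAC check comes first so that an altered generation time is rejected instead of being trusted.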
Existing token authentication generally uses dynamic-password technology. Dynamic-password technology is an improvement on traditional static-password technology: the user must hold some credential, such as an interim token issued by the system, and the number on the interim token changes continually and stays synchronized with the authenticating Web server. The password with which the user logs in to the system therefore also changes continually, the so-called "one-time pad".
Existing dynamic-password technology has two synchronization schemes: time synchronization and event synchronization.

1. Time synchronization means that the interim token uses the time as a seed for the dynamic password, and the Web server likewise uses the time as a seed to authenticate the password generated by the interim token.

2. Event synchronization means that each time the interim token generates a dynamic password it uses the current count as a seed. After each dynamic password is generated, the count is incremented automatically, and the Web server likewise uses the count as the seed for verification.
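The two synchronization schemes, shown as an added Go example using the standard HOTP (RFC 4226, event synchronization) and TOTP (RFC 6238, time synchronization) algorithms; the patent names no specific algorithm. `VerifyEvent` and its look-ahead window are a hypothetical server-side helper, and the seed is the RFC 4226 test seed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP derives a 6-digit password from a shared seed and a counter (RFC 4226).
func HOTP(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	m := hmac.New(sha1.New, seed)
	m.Write(msg[:])
	sum := m.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is time synchronization: the counter is the index of the current
// step-second window since the Unix epoch (RFC 6238).
func TOTP(seed []byte, unix, step int64) string {
	return HOTP(seed, uint64(unix/step))
}

// VerifyEvent (hypothetical helper) is the server side of event synchronization.
// It accepts a password up to lookAhead counts past the stored counter and returns
// the counter to store next, so a counter that has been used is not accepted again.
func VerifyEvent(seed []byte, stored uint64, otp string, lookAhead uint64) (uint64, bool) {
	for c := stored; c <= stored+lookAhead; c++ {
		if hmac.Equal([]byte(HOTP(seed, c)), []byte(otp)) {
			return c + 1, true
		}
	}
	return stored, false
}

func main() {
	seed := []byte("12345678901234567890") // RFC 4226 Appendix D test seed
	fmt.Println(HOTP(seed, 0), TOTP(seed, 59, 30))
	fmt.Println(VerifyEvent(seed, 0, HOTP(seed, 2), 3))
}
```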
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.