[go: up one dir, main page]

CN113704736B - Lightweight access authentication method and system for power Internet of Things devices based on IBC system - Google Patents

Lightweight access authentication method and system for power Internet of Things devices based on IBC system Download PDF

Info

Publication number
CN113704736B
CN113704736B CN202110830359.1A CN202110830359A CN113704736B CN 113704736 B CN113704736 B CN 113704736B CN 202110830359 A CN202110830359 A CN 202110830359A CN 113704736 B CN113704736 B CN 113704736B
Authority
CN
China
Prior art keywords
key
target device
public
ciphertext
private key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110830359.1A
Other languages
Chinese (zh)
Other versions
CN113704736A (en
Inventor
付义伦
许海清
孙炜
赵兵
岑炜
翟峰
梁晓兵
曹永峰
刘鹰
李保丰
王晖南
刘佳易
许进
武文萍
徐萌
许斌
孔令达
冯云
冯占成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Marketing Service Center of State Grid Shanxi Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Marketing Service Center of State Grid Shanxi Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI, Marketing Service Center of State Grid Shanxi Electric Power Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN202110830359.1A priority Critical patent/CN113704736B/en
Publication of CN113704736A publication Critical patent/CN113704736A/en
Application granted granted Critical
Publication of CN113704736B publication Critical patent/CN113704736B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

本发明公开了一种基于IBC体系的电力物联网设备轻量级接入认证方法及系统,属于信息安全技术领域。本发明方法,包括:目标设备公私钥对密文的申请,包括:当目标设备生成密钥申请参数后,密钥生成中心KGC根据目标设备的唯一标识ID生成目标设备身份公私钥对,通过使用对称密钥加密后,将公私钥对密文传输至目标设备;目标设备与其他设备的加密密钥协商,包括:当目标设备与其他设备进行信息交互时,基于目标设备和其他设备的身份公私钥对,引入随机数协商主密钥,采用密钥衍生算法计算后生成数据加密密钥,即通过数据加密密钥接入认证。本发明提出的方法可以实现电力物联网设备的高效安全接入认证,增强物联网设备的安全性和智能化管理水平。

The present invention discloses a lightweight access authentication method and system for power Internet of Things devices based on the IBC system, and belongs to the field of information security technology. The method of the present invention includes: application of a ciphertext of a public-private key pair of a target device, including: after the target device generates key application parameters, a key generation center KGC generates a public-private key pair of a target device identity according to a unique identification ID of the target device, and after encryption using a symmetric key, transmits the public-private key pair ciphertext to the target device; encryption key negotiation between the target device and other devices, including: when the target device interacts with other devices, based on the public-private key pair of the identity of the target device and other devices, a random number is introduced to negotiate a master key, and a data encryption key is generated after calculation using a key derivation algorithm, that is, access authentication through a data encryption key. The method proposed by the present invention can realize efficient and secure access authentication of power Internet of Things devices, and enhance the security and intelligent management level of Internet of Things devices.

Description

Power Internet of things equipment lightweight access authentication method and system based on IBC system
Technical Field
The invention relates to the technical field of information security, in particular to a method and a system for authenticating lightweight access of power internet of things equipment based on an IBC system.
Background
With the development of new technologies such as mobile interconnection and artificial intelligence, bidirectional interaction between power users and smart power grids is more and more frequent, and requirements of users on service forms and service quality of the power grids are also higher and higher. In order to meet the application requirements of the power consumers, the perception and participation of the power consumers to the smart grid are enhanced, and the power Internet of things is generated. The network environment of the electric power Internet of things is complex in opening, flexible and changeable in access control, various in access equipment types, huge in quantity and uneven in safety performance. The devices can generate a large amount of data in the process of participating in the interaction of the power grid, and the terminal trust management and the network security are provided with serious challenges, so that the security access authentication technology research of mass electric power internet of things devices is required to be developed.
The traditional equipment security authentication is mainly based on a PKI system and is realized by adopting a digital certificate. However, PKI certificates are relatively complex to manage, a multi-level CA system needs to be built, and the issuing, revocation, verification and preservation of certificates need to occupy more resources. The device access authentication technology based on the IBC identification authentication system can effectively avoid the problem of complex certificate management, however, the traditional IBC password system has the problems of relatively complex private key escrow and password operation and the like. The above-described techniques are not suitable for access authentication of mass power internet of things devices.
Disclosure of Invention
Aiming at the problems, the invention provides a lightweight access authentication method for electric power Internet of things equipment based on an IBC system, which comprises the following steps:
the application of the public and private keys of the target equipment to the ciphertext comprises the following steps: after the target equipment generates a key application parameter, the key generation center KGC generates a public-private key pair of the identity of the target equipment according to the unique identification ID of the target equipment, and after the key application parameter is encrypted by using the symmetric key, the public-private key pair ciphertext is transmitted to the target equipment;
when the target equipment and other equipment interact information, a random number negotiation master key is introduced based on an identity public-private key pair of the target equipment and other equipment, and a data encryption key is generated after calculation by adopting a key derivation algorithm, namely, the data encryption key is accessed to authentication.
Optionally, the application of the public and private keys of the target device to the ciphertext specifically includes:
The target device first selects the random number r 1 and Wherein the cyclic group is a cyclic group,Is of the order q, and is provided withIs a secure one-way hash function of (a)According to r 1,q、And the target device ID, generating an identity key pair application parameter paramas 0={ID,r1,q,H(ID||r1) of the target device, and sending the application parameter paramas 0={ID,r1,q,H(ID||r1) to a key generation center KGC;
After the key generation center KGC receives the application parameters paramas 0={ID,r1,q,H(ID||r1), the security parameters see k are calculated, Inputting the safety parameter k into a parameter generator for operation to generate a system parameter paramas 1;
Wherein,
Where q is a safe prime number, G 1 is the q-order additive subgroup on elliptic curve meeting bilinear mapping property, G 2 is the q-order subgroup of multiplicative group on finite field,For bilinear mapping of G 1×G1→G2, n is the plaintext data length, P is any generator of G 1, i.e., P e G 1,Ppub is the system public key, P pub = ks P, s is the system master key factor,P r=ks,Ppub and P r are system public-private key pairs, and H 1,H2 is a system hash function, wherein H 1:{0,1}*→G1,H2:{0,1}n→G2;
The key generation center KGC sends the system parameters paramas 1 to the target device and saves the system paramas 1 through the target device;
The target equipment generates a random number r 2, acquires a symmetric key k 2,k2=KDF(r2 according to a key derivation algorithm aiming at the random number r 2, encrypts the symmetric key k 2 through a key generation center KGC, and acquires the encrypted symmetric key And calculates a symmetric key based on the target device IDAnd apply for parameters of (a) and will be symmetric keyThe application parameters of (a) are sent to a key generation center KGC;
wherein the symmetric key The application parameters of (a) are as follows:
The key generation center KGC receives the symmetric key After applying for parameters, verifying the symmetric keyIf passing verification, decrypting the symmetric key to obtain the integrity of the applied parameters of (a)Extracting a target device ID, detecting whether the target device ID is legal or not, and calculating a target device identity public key P pub1,Ppub1=H1(ID||Tv) if the target device ID is legal, wherein T v is a device validity period;
the key generation center KGC calculates the identity private key of the target equipment based on the system main key factor and the security parameter The target equipment identity private key is encrypted by a symmetric key k 2 to obtainFor private key ciphertextDevice identity public keys P pub1 and T v are used for signing the validity period of the device, and information after signature is obtainedAnd will beTransmitting to target equipment;
The target device receives After that, verifyIf the signature information of the target equipment passes the verification, the identity public key P pub1 of the target equipment is obtained, and the identity private key of the target equipment is obtained after the private key ciphertext information is decrypted by adopting the symmetric key k 2
Optionally, the target device negotiates with the encryption key of other devices, including:
The target device is used as the device 1, other devices are used as the device 2, the device ID 1 and the private key validity period T v1 are sent to the device 2 through the device 1, and after the device 2 receives the device ID 1 and the private key validity period T v1, the public key of the device 1 is determined, and the public key is determined
Device 2 sends device ID 2 and private key validity period T v2 to device 1, device 1 receives device ID 2 and private key validity period T v2, determines the public key of device 2, and the public key
Device 1 selects random number r 1 using the public key of device 2The ciphertext M 1 is obtained by encrypting the random number r 1,Signature is obtained after M 1 is signed by a private key of the device 1, signature S 1=H1(M1||r1) and ciphertext M 1 and S 1 are sent to the device 2;
after device 2 receives M 1 and S 1, decrypt M 1 to obtain And verifies the legitimacy of the signature S 1, if the verification passes, the random number r 2 is selected, and the public key of the device 1 is usedThe ciphertext M 2 is obtained by encrypting the random number r 2,Signature is obtained after M 2 is signed by a private key of the device 2, signature S 2=H1(M2||r2||r1) and ciphertext M 2 and S 2 are sent to the device 1;
after device 1 receives M 2 and S 2, decrypt M 2 to obtain Comparing whether the decrypted r 1 is equal to the random number r 1, if so, verifying the validity of the signature S 2, and if the verification is passed, obtainingObtaining a master key by a key derivation algorithm
Public key by device 2Ciphertext obtained by encrypting random number r 2 The verification passing information V p and the ciphertext M 3,r1,r2 are signed to obtain S 3=H1(Vp||M3||r1||r2), and M 3 and S 3 are sent to the device 2;
After receiving the transmissions of M 3 and S 3, device 2 decrypts M 3 to obtain Comparing whether the decrypted r 2 is equal to the random number r 2, if so, verifying the validity of the signature S 3, and if the verification is passed, obtainingObtaining an encryption key by a key derivation algorithm
Device 1 and device 2 pass through encryption keysAnd (3) protecting information interaction between the equipment 1 and the equipment 2, namely finishing lightweight access authentication of the electric power Internet of things equipment.
The invention also provides an IBC system-based lightweight access authentication system for the electric power Internet of things equipment, which comprises the following steps:
The device identity key pair application module is used for applying for the ciphertext of the public and private key of the target device and comprises the following steps: after the target equipment generates a key application parameter, the key generation center KGC generates a public-private key pair of the identity of the target equipment according to the unique identification ID of the target equipment, and after the key application parameter is encrypted by using the symmetric key, the public-private key pair ciphertext is transmitted to the target equipment;
the device encryption key negotiation module is used for carrying out encryption key negotiation on the target device and other devices, and comprises the steps of introducing a random number negotiation master key based on an identity public-private key pair of the target device and the other devices when the target device carries out information interaction with the other devices, and generating a data encryption key after calculation by adopting a key derivation algorithm, namely accessing authentication through the data encryption key.
Optionally, the application of the public and private keys of the target device to the ciphertext specifically includes:
The target device first selects the random number r 1 and Wherein the cyclic group is a cyclic group,Is of the order q, and is provided withIs a secure one-way hash function of (a)According to r 1,q、And the target device ID, generating an identity key pair application parameter paramas 0={ID,r1,q,H(ID||r1) of the target device, and sending the application parameter paramas 0={ID,r1,q,H(ID||r1) to a key generation center KGC;
After the key generation center KGC receives the application parameters paramas 0={ID,r1,q,H(ID||r1), the security parameters see k are calculated, Inputting the safety parameter k into a parameter generator for operation to generate a system parameter paramas 1;
Wherein,
Where q is a safe prime number, G 1 is the q-order additive subgroup on elliptic curve meeting bilinear mapping property, G 2 is the q-order subgroup of multiplicative group on finite field,For bilinear mapping of G 1×G1→G2, n is the plaintext data length, P is any generator of G 1, i.e., P e G 1,Ppub is the system public key, P pub = ks P, s is the system master key factor,P r=ks,Ppub and P r are system public-private key pairs, and H 1,H2 is a system hash function, wherein H 1:{0,1}*→G1,H2:{0,1}n→G2;
The key generation center KGC sends the system parameters paramas 1 to the target device and saves the system paramas 1 through the target device;
The target equipment generates a random number r 2, acquires a symmetric key k 2,k2=KDF(r2 according to a key derivation algorithm aiming at the random number r 2, encrypts the symmetric key k 2 through a key generation center KGC, and acquires the encrypted symmetric key And calculates a symmetric key based on the target device IDAnd apply for parameters of (a) and will be symmetric keyThe application parameters of (a) are sent to a key generation center KGC;
wherein the symmetric key The application parameters of (a) are as follows:
The key generation center KGC receives the symmetric key After applying for parameters, verifying the symmetric keyIf passing verification, decrypting the symmetric key to obtain the integrity of the applied parameters of (a)Extracting a target device ID, detecting whether the target device ID is legal or not, and calculating a target device identity public key P pub1,Ppub1=H1(ID||Tv) if the target device ID is legal, wherein T v is a device validity period;
the key generation center KGC calculates the identity private key of the target equipment based on the system main key factor and the security parameter The target equipment identity private key is encrypted by a symmetric key k 2 to obtainFor private key ciphertextDevice identity public keys P pub1 and T v are used for signing the validity period of the device, and information after signature is obtainedAnd will beTransmitting to target equipment;
The target device receives After that, verifyIf the signature information of the target equipment passes the verification, the identity public key P pub1 of the target equipment is obtained, and the identity private key of the target equipment is obtained after the private key ciphertext information is decrypted by adopting the symmetric key k 2
Optionally, the target device negotiates with the encryption key of other devices, including:
The target device is used as the device 1, other devices are used as the device 2, the device ID 1 and the private key validity period T v1 are sent to the device 2 through the device 1, and after the device 2 receives the device ID 1 and the private key validity period T v1, the public key of the device 1 is determined, and the public key is determined
Device 2 sends device ID 2 and private key validity period T v2 to device 1, device 1 receives device ID 2 and private key validity period T v2, determines the public key of device 2, and the public key
Device 1 selects random number r 1 using the public key of device 2The ciphertext M 1 is obtained by encrypting the random number r 1,Signature is obtained after M 1 is signed by a private key of the device 1, signature S 1=H1(M1||r1) and ciphertext M 1 and S 1 are sent to the device 2;
after device 2 receives M 1 and S 1, decrypt M 1 to obtain And verifies the legitimacy of the signature S 1, if the verification passes, the random number r 2 is selected, and the public key of the device 1 is usedThe ciphertext M 2 is obtained by encrypting the random number r 2,Signature is obtained after M 2 is signed by a private key of the device 2, signature S 2=H1(M2||r2||r1) and ciphertext M 2 and S 2 are sent to the device 1;
after device 1 receives M 2 and S 2, decrypt M 2 to obtain Comparing whether the decrypted r 1 is equal to the random number r 1, if so, verifying the validity of the signature S 2, and if the verification is passed, obtainingObtaining a master key by a key derivation algorithm
Public key by device 2Ciphertext obtained by encrypting random number r 2 The verification passing information V p and the ciphertext M 3,r1,r2 are signed to obtain S 3=H1(Vp||M3||r1||r2), and M 3 and S 3 are sent to the device 2;
After receiving the transmissions of M 3 and S 3, device 2 decrypts M 3 to obtain Comparing whether the decrypted r 2 is equal to the random number r 2, if so, verifying the validity of the signature S 3, and if the verification is passed, obtainingObtaining an encryption key by a key derivation algorithm
Device 1 and device 2 pass through encryption keysAnd (3) protecting information interaction between the equipment 1 and the equipment 2, namely finishing lightweight access authentication of the electric power Internet of things equipment.
The method provided by the invention can realize high-efficiency safety access authentication of the electric power Internet of things equipment, and enhance the safety and intelligent management level of the Internet of things equipment.
Drawings
FIG. 1 is a flow chart of the method of the present invention;
FIG. 2 is a flow chart of the device identity key pair application of the present invention;
FIG. 3 is a flow chart of the encryption key negotiation of the device of the present invention;
Fig. 4 is a flow chart of the system of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
The invention is further illustrated by the following examples and the accompanying drawings:
In order to realize efficient and safe access authentication of electric power Internet of things equipment, the invention provides an IBC system-based lightweight access authentication method of the electric power Internet of things equipment, which mainly comprises two processes of equipment identity key pair application and encryption key negotiation, as shown in fig. 1, firstly, equipment generates a key application file, a key generation center KGC generates an equipment identity public-private key pair based on equipment unique identification ID, and the key generation center KGC utilizes a symmetric key to encrypt the private key and transmits the key to the equipment; when information interaction is needed between the devices, a random number is introduced to negotiate a master key based on an identity key pair, and then a key derivative algorithm is adopted to calculate to obtain a data encryption key.
The encryption key is generated by a key pair application and key negotiation method, so that the problems of information leakage and the like caused by unreliable key generation centers due to key escrow can be effectively avoided.
The device identity key pair applying step, as shown in fig. 2, is as follows:
the target device first selects a random number The order of the cyclic group is q.Is a secure one-way hash function. Generating a device identity key pair application parameter paramas 0={ID,r1,q,H(ID||r1) according to the device ID, and sending the generated device identity key pair application parameter paramas 0={ID,r1,q,H(ID||r1 to a key generation center KGC.
After receiving the application parameters, the key generation center KGC calculates the security parametersThe security parameter k is input into a parameter generator to be operated to generate a system parameter paramas 1.
Where q is a safe prime number, G 1 is the q-order additive subgroup on the elliptic curve that satisfies the bilinear mapping property, and G 2 is the q-order subgroup of the multiplicative group on the finite field.For bilinear mapping of G 1×G1→G2, n is the plaintext data length, P is any generator of G 1, i.e., P e G 1,Ppub is the system public key, P pub = ks P, s is the system master key factor,P r=ks,Ppub and P r are system public-private key pairs. H 1,H2 is a system hash function. Wherein, H 1:{0,1}*→G1,H2:{0,1}n→G2.
The key generation center KGC sends the system parameters paramas 1 to the device and is saved by the device.
The device generates a random number r 2, obtains a symmetric key k 2=KDF(r2 based on a key derivation algorithm, and encrypts k 2 by using a key generation center public key to obtainCalculating an application parameter of an identity key pair based on the equipment ID and sending the application parameter to a key generation center KGC;
The application parameters of the identity key pair are as follows:
after receiving the application parameters of the equipment identity key pair, the key generating center KGC firstly verifies the data integrity, and after verification, the symmetric key is obtained by decryption And extracts the device ID, and detects whether the device ID is legal. If it is legal, the device identity public key P pub1, i.e., P pub1=H1(ID||Tv) is calculated, where T v is the device validity period. Then, the key generation center KGC calculates the private key of the equipment identity based on the system main key factor and the security parameterThe device identity private key is encrypted by a symmetric key k 2 to obtainSecret key ciphertextDevice identity public keys P pub1 and T v are used for signing the validity period of the device to obtain signed informationWill thenTo the device.
After receiving the response message of the identity public and private key, the equipment firstly verifies the signature information, if the signature verification passes, the equipment identity public key P pub1 is obtained, and the equipment identity private key is obtained after decrypting the private key ciphertext information by adopting the symmetric key k 2
Wherein, the device encryption key negotiation step, as shown in fig. 3, is as follows:
Device 1 (target device) sends its own device ID 1 and private key validity period T v1 to device 2 (other devices), and device 2 receives the public key of computing device 1
Device 2 sends its own device ID 2 and private key expiration period T v2 to device 1, and device 1 receives the public key of computing device 2
Device 1 selects random number r 1, using device 2 public keyAfter encryption, ciphertext is obtainedThen, signing by using the private key of the device 1 to obtain S 1=H1(M1||r1), and sending ciphertext M 1 and S 1 to the device 2;
After receiving the information, device 2 first decrypts M 1 to obtain Then verifying the signature S 1, after verification, selecting the random number r 2, using the public key of the device 1After encryption, ciphertext is obtainedThen, signing by using the private key of the device 2 to obtain S 2=H1(M2||r2||r1), and sending ciphertext M 2 and S 2 to the device 1;
After receiving the information, the device 1 first decrypts M 2 to obtain Compare whether r 1 after decryption is equal to the original value. If the signature is equal, verifying the signature S 2, and after verification, calculatingThen the key derivation algorithm is used to calculate the master keyThereafter using the device 2 public keyAfter encrypting r 2, ciphertext is obtainedThe verification passes through the information V p, the ciphertext M 3,r1,r2 is signed to obtain S 3=H1(Vp||M3||r1||r2), and then M 3 and S 3 are sent to the device 2;
After receiving the information, device 2 first decrypts M 3 to obtain Compare whether r 2 after decryption is equal to the original value. If the signature S 3 is equal, the signature S 3 is verified, and after verification, the signature S 3 is calculated as wellComputing device encryption keys using a key derivation algorithm
The information interaction between the device 1 and the device 2 is all secured based on the device encryption key k.
The invention also provides an IBC system-based lightweight access authentication system 200 of the electric power Internet of things equipment, as shown in FIG. 4, comprising:
The device identity key pair application module 201 is configured to apply for a target device public and private key pair ciphertext, and includes: after the target equipment generates a key application parameter, the key generation center KGC generates a public-private key pair of the identity of the target equipment according to the unique identification ID of the target equipment, and after the key application parameter is encrypted by using the symmetric key, the public-private key pair ciphertext is transmitted to the target equipment;
The device encryption key negotiation module 202 is configured to perform encryption key negotiation on the target device and other devices, and includes introducing a random number negotiation master key based on an identity public-private key pair of the target device and other devices when the target device performs information interaction with other devices, and generating a data encryption key after calculation by adopting a key derivation algorithm, that is, accessing authentication through the data encryption key.
The application of the public and private keys of the target equipment to the ciphertext specifically comprises the following steps:
The target device first selects the random number r 1 and Wherein the cyclic group is a cyclic group,Is of the order q, and is provided withIs a secure one-way hash function of (a)According to r 1,q、And the target device ID, generating an identity key pair application parameter paramas 0={ID,r1,q,H(ID||r1) of the target device, and sending the application parameter paramas 0={ID,r1,q,H(ID||r1) to a key generation center KGC;
After the key generation center KGC receives the application parameters paramas 0={ID,r1,q,H(ID||r1), the security parameters see k are calculated, Inputting the safety parameter k into a parameter generator for operation to generate a system parameter paramas 1;
Wherein,
Where q is a safe prime number, G 1 is the q-order additive subgroup on elliptic curve meeting bilinear mapping property, G 2 is the q-order subgroup of multiplicative group on finite field,For bilinear mapping of G 1×G1→G2, n is the plaintext data length, P is any generator of G 1, i.e., P e G 1,Ppub is the system public key, P pub = ks P, s is the system master key factor,P r=ks,Ppub and P r are system public-private key pairs, and H 1,H2 is a system hash function, wherein H 1:{0,1}*→G1,H2:{0,1}n→G2;
The key generation center KGC sends the system parameters paramas 1 to the target device and saves the system paramas 1 through the target device;
The target equipment generates a random number r 2, acquires a symmetric key k 2,k2=KDF(r2 according to a key derivation algorithm aiming at the random number r 2, encrypts the symmetric key k 2 through a key generation center KGC, and acquires the encrypted symmetric key And calculates a symmetric key based on the target device IDAnd apply for parameters of (a) and will be symmetric keyThe application parameters of (a) are sent to a key generation center KGC;
wherein the symmetric key The application parameters of (a) are as follows:
The key generation center KGC receives the symmetric key After applying for parameters, verifying the symmetric keyIf passing verification, decrypting the symmetric key to obtain the integrity of the applied parameters of (a)Extracting a target device ID, detecting whether the target device ID is legal or not, and calculating a target device identity public key P pub1,Ppub1=H1(ID||Tv) if the target device ID is legal, wherein T v is a device validity period;
the key generation center KGC calculates the identity private key of the target equipment based on the system main key factor and the security parameter The target equipment identity private key is encrypted by a symmetric key k 2 to obtainFor private key ciphertextDevice identity public keys P pub1 and T v are used for signing the validity period of the device, and information after signature is obtainedAnd will beTransmitting to target equipment;
The target device receives After that, verifyIf the signature information of the target equipment passes the verification, the identity public key P pub1 of the target equipment is obtained, and the identity private key of the target equipment is obtained after the private key ciphertext information is decrypted by adopting the symmetric key k 2
The encryption key negotiation between the target device and other devices comprises the following steps:
The target device is used as the device 1, other devices are used as the device 2, the device ID 1 and the private key validity period T v1 are sent to the device 2 through the device 1, and after the device 2 receives the device ID 1 and the private key validity period T v1, the public key of the device 1 is determined, and the public key is determined
Device 2 sends device ID 2 and private key validity period T v2 to device 1, device 1 receives device ID 2 and private key validity period T v2, determines the public key of device 2, and the public key
Device 1 selects random number r 1 using the public key of device 2The ciphertext M 1 is obtained by encrypting the random number r 1,Signature is obtained after M 1 is signed by a private key of the device 1, signature S 1=H1(M1||r1) and ciphertext M 1 and S 1 are sent to the device 2;
after device 2 receives M 1 and S 1, decrypt M 1 to obtain And verifies the legitimacy of the signature S 1, if the verification passes, the random number r 2 is selected, and the public key of the device 1 is usedThe ciphertext M 2 is obtained by encrypting the random number r 2,Signature is obtained after M 2 is signed by a private key of the device 2, signature S 2=H1(M2||r2||r1) and ciphertext M 2 and S 2 are sent to the device 1;
after device 1 receives M 2 and S 2, decrypt M 2 to obtain Comparing whether the decrypted r 1 is equal to the random number r 1, if so, verifying the validity of the signature S 2, and if the verification is passed, obtainingObtaining a master key by a key derivation algorithm
Public key by device 2Ciphertext obtained by encrypting random number r 2 The verification passing information V p and the ciphertext M 3,r1,r2 are signed to obtain S 3=H1(Vp||M3||r1||r2), and M 3 and S 3 are sent to the device 2;
After receiving the transmissions of M 3 and S 3, device 2 decrypts M 3 to obtain Comparing whether the decrypted r 2 is equal to the random number r 2, if so, verifying the validity of the signature S 3, and if the verification is passed, obtainingObtaining an encryption key by a key derivation algorithm
Device 1 and device 2 pass through encryption keysAnd (3) protecting information interaction between the equipment 1 and the equipment 2, namely finishing lightweight access authentication of the electric power Internet of things equipment.
The method provided by the invention can realize high-efficiency safety access authentication of the electric power Internet of things equipment, and enhance the safety and intelligent management level of the Internet of things equipment.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiment of the invention can be realized by adopting various computer languages, such as object-oriented programming language Java, an transliteration script language JavaScript and the like.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (4)

1.一种基于IBC体系的电力物联网设备轻量级接入认证方法,所述方法包括:1. A lightweight access authentication method for power Internet of Things devices based on the IBC system, the method comprising: 目标设备公私钥对密文的申请,包括:当目标设备生成密钥申请参数后,密钥生成中心KGC根据目标设备的唯一标识ID生成目标设备身份公私钥对,通过使用对称密钥加密后,将公私钥对密文传输至目标设备;The application of the ciphertext of the public and private key pair of the target device includes: after the target device generates the key application parameters, the key generation center KGC generates the public and private key pair of the target device identity according to the unique identification ID of the target device, and transmits the ciphertext of the public and private key pair to the target device after encrypting it with the symmetric key; 目标设备与其他设备的加密密钥协商,包括:当目标设备与其他设备进行信息交互时,基于目标设备和其他设备的身份公私钥对,引入随机数协商主密钥,采用密钥衍生算法计算后生成数据加密密钥,即通过数据加密密钥接入认证;The target device negotiates encryption keys with other devices, including: when the target device exchanges information with other devices, based on the public and private key pairs of the target device and other devices, a random number is introduced to negotiate a master key, and a key derivation algorithm is used to calculate and generate a data encryption key, that is, access authentication through data encryption keys; 所述目标设备与其他设备的加密密钥协商,包括:The target device negotiates an encryption key with other devices, including: 将目标设备作为设备1,其他设备作为设备2,通过设备1将设备ID1和私钥有效期Tv1发送至设备2,设备2收到设备ID1和私钥有效期Tv1后,确定设备1的公钥,公钥 The target device is regarded as device 1, and the other devices are regarded as device 2. Device 1 sends device ID 1 and private key validity period T v1 to device 2. After receiving device ID 1 and private key validity period T v1 , device 2 determines the public key of device 1. 设备2将设备ID2和私钥有效期Tv2发送至设备1,设备1收到设备ID2和私钥有效期Tv2,确定设备2的公钥,公钥 Device 2 sends device ID 2 and private key validity period T v2 to device 1. Device 1 receives device ID 2 and private key validity period T v2 and determines the public key of device 2. 设备1选取随机数r1,使用设备2的公钥加密随机数r1后得到密文M1通过设备1私钥对M1签名后得到签名,签名S1=H1(M1||r1),将密文M1和S1发送给设备2;Device 1 selects a random number r 1 and uses the public key of device 2 After encrypting the random number r 1, we get the ciphertext M 1 . After signing M 1 with the private key of device 1, the signature S 1 =H 1 (M 1 || r 1 ) is obtained, and the ciphertext M 1 and S 1 are sent to device 2; 设备2收到M1和S1后,解密M1得到并验证签名S1的合法性,若验证通过,选取随机数r2,使用设备1的公钥加密随机数r2后得到密文M2通过设备2私钥对M2签名后得到签名,签名S2=H1(M2||r2||r1),将密文M2和S2发送给设备1;After receiving M1 and S1 , device 2 decrypts M1 and obtains And verify the legitimacy of signature S 1. If the verification is successful, select a random number r 2 and use the public key of device 1 After encrypting the random number r 2, we get the ciphertext M 2 . After signing M 2 with the private key of device 2, the signature S 2 =H 1 (M 2 || r 2 || r 1 ) is obtained, and the ciphertext M 2 and S 2 are sent to device 1; 设备1收M2和S2后,解密M2得到比较解密后r1是否与随机数r1的值是否相等,若相等,验证签名S2的合法性,若验证通过,得到通过密钥衍生算法得到主密钥 After receiving M 2 and S 2 , device 1 decrypts M 2 and obtains Compare the decrypted r1 to see if it is equal to the value of the random number r1 . If they are equal, verify the legitimacy of the signature S2 . If the verification passes, get Get the master key through the key derivation algorithm 通过设备2的公钥加密随机数r2后得到密文将验证通过信息Vp,密文M3,r1,r2签名后得到S3=H1(Vp||M3||r1||r2),并将M3和S3发送给设备2;Through the public key of device 2 Encrypt the random number r 2 to get the ciphertext The verified information V p , the ciphertext M 3 , r 1 , and r 2 are signed to obtain S 3 =H 1 (V p || M 3 || r 1 || r 2 ), and M 3 and S 3 are sent to device 2; 设备2收到M3和S3发送后,解密M3得到比较解密后r2是否与随机数r2相等,若相等,验证签名S3的合法性,若验证通过,得到通过密钥衍生算法得到加密密钥 After receiving the transmission from M3 and S3 , device 2 decrypts M3 and obtains Compare the decrypted r 2 to see if it is equal to the random number r 2. If they are equal, verify the legitimacy of the signature S 3. If the verification passes, we get Get the encryption key through the key derivation algorithm 设备1与设备2通过加密密钥保护设备1与设备2间的信息交互,即完成电力物联网设备的轻量级接入认证。Device 1 and device 2 use encryption key Protect the information interaction between device 1 and device 2, that is, complete the lightweight access authentication of power Internet of Things devices. 2.根据权利要求1所述的方法,所述目标设备公私钥对密文的申请,具体包括:2. According to the method of claim 1, the application of the target device public and private key pair ciphertext specifically comprises: 目标设备先选择随机数r1其中为循环群,的阶为q,并设置的一个安全单向的哈希函数H:根据r1q、H:及目标设备ID,生成目标设备的身份密钥对申请参数paramas0={ID,r1,q,H(ID||r1)},并将申请参数paramas0={ID,r1,q,H(ID||r1)}发送至密钥生成中心KGC;The target device first selects a random number r 1 and Among them is a cyclic group, The order of is q, and set A secure one-way hash function H: According to r 1 , q、H: and the target device ID, generate the target device's identity key pair application parameter paramas 0 ={ID, r 1 ,q,H(ID||r 1 )}, and send the application parameter paramas 0 ={ID, r 1 ,q,H(ID||r 1 )} to the key generation center KGC; 密钥生成中心KGC收到申请参数paramas0={ID,r1,q,H(ID||r1)}后,计算安全参数看k,将安全参数k输入到参数生成器中运算,生成系统参数paramas1After receiving the application parameters paramas 0 = {ID, r 1 ,q,H(ID||r 1 )}, the key generation center KGC calculates the security parameters k, Input the security parameter k into the parameter generator to generate the system parameter paramas 1 ; 其中, in, 其中,q是一个安全素数,G1为满足双线性映射性质的椭圆曲线上的q阶加法子群,G2为有限域上乘法群的q阶子群,为G1×G1→G2的双线性映射,n是明文数据长度,P是G1的任意生成元,即P∈G1,Ppub是系统公钥,Ppub=ks·P,s是系统的主密钥因子,Pr=ks,Ppub和Pr为系统公私钥对,H1,H2是系统哈希函数,其中,H1:{0,1}*→G1,H2:{0,1}n→G2Where q is a safe prime number, G1 is a q-order additive subgroup on the elliptic curve that satisfies the bilinear mapping property, G2 is a q-order subgroup of the multiplicative group over a finite field, is a bilinear mapping of G 1 ×G 1 →G 2 , n is the length of plaintext data, P is any generator of G 1 , that is, P∈G 1 , P pub is the system public key, P pub =ks·P, s is the master key factor of the system, P r = ks, P pub and P r are the system public and private key pairs, H 1 , H 2 are system hash functions, where H 1 :{0,1} * →G 1 , H 2 :{0,1} n →G 2 ; 密钥生成中心KGC将系统参数paramas1发送至目标设备,并通过目标设备保存系统paramas1The key generation center KGC sends the system parameter paramas 1 to the target device, and saves the system paramas 1 through the target device; 目标设备生成随机数r2,针对随机数r2根据密钥衍生算法获取对称密钥k2,k2=KDF(r2),通过密钥生成中心KGC对对称密钥k2进行加密,获取加密后的对称密钥并根据目标设备ID计算对称密钥的申请参数,并将对称密钥的申请参数发送至密钥生成中心KGC;The target device generates a random number r 2 , obtains the symmetric key k 2 according to the key derivation algorithm for the random number r 2 , k 2 = KDF(r 2 ), encrypts the symmetric key k 2 through the key generation center KGC, and obtains the encrypted symmetric key And calculate the symmetric key based on the target device ID The application parameters and the symmetric key The application parameters are sent to the key generation center KGC; 其中,对称密钥的申请参数为: Among them, the symmetric key The application parameters are: 密钥生成中心KGC收到对称密钥的申请参数后,验证对称密钥的申请参数的完整性,若通过验证,解密对称密钥得到并提取目标设备ID,并检测目标设备ID是否合法,若合法,计算目标设备身份公钥Ppub1,Ppub1=H1(ID||Tv),其中,Tv为设备有效期;The key generation center KGC receives the symmetric key After applying for parameters, verify the symmetric key The integrity of the application parameters, if verified, decrypt the symmetric key to obtain And extract the target device ID, and check whether the target device ID is legal. If it is legal, calculate the target device identity public key P pub1 , P pub1 =H 1 (ID||T v ), where T v is the device validity period; 密钥生成中心KGC基于系统主密钥因子和安全参数,计算目标设备身份私钥将目标设备身份私钥用对称密钥k2加密后得到对私钥密文设备身份公钥Ppub1和Tv设备有效期签名,获取签名后信息并将发送至目标设备;The key generation center KGC calculates the target device identity private key based on the system master key factor and security parameters The target device identity private key is encrypted with the symmetric key k2 to obtain Ciphertext for private key Device identity public key P pub1 and T v device validity period signature, obtain the signed information and will Send to the target device; 目标设备收到后,验证的签名信息,若通过验证,获取目标设备的身份公钥Ppub1,采用对称密钥k2解密私钥密文信息后得到目标设备的身份私钥 The target device receives After verification If the signature information is verified, the target device's public key P pub1 is obtained, and the private key of the target device is obtained by decrypting the private key ciphertext information with the symmetric key k 2. 3.一种基于IBC体系的电力物联网设备轻量级接入认证系统,所述系统包括:3. A lightweight access authentication system for power Internet of Things devices based on the IBC system, the system comprising: 设备身份密钥对申请模块,用于对目标设备公私钥对密文的申请,包括:当目标设备生成密钥申请参数后,密钥生成中心KGC根据目标设备的唯一标识ID生成目标设备身份公私钥对,通过使用对称密钥加密后,将公私钥对密文传输至目标设备;The device identity key pair application module is used to apply for the ciphertext of the public and private key pair of the target device, including: when the target device generates the key application parameters, the key generation center KGC generates the target device identity public and private key pair according to the unique identification ID of the target device, and transmits the ciphertext of the public and private key pair to the target device after encrypting it with the symmetric key; 设备加密密钥协商模块,用于对目标设备与其他设备的加密密钥协商,包括:当目标设备与其他设备进行信息交互时,基于目标设备和其他设备的身份公私钥对,引入随机数协商主密钥,采用密钥衍生算法计算后生成数据加密密钥,即通过数据加密密钥接入认证;The device encryption key negotiation module is used to negotiate the encryption keys of the target device and other devices, including: when the target device exchanges information with other devices, based on the public and private key pairs of the target device and other devices, a random number is introduced to negotiate the master key, and a data encryption key is generated after calculation using a key derivation algorithm, that is, access authentication through the data encryption key; 所述目标设备与其他设备的加密密钥协商,包括:The target device negotiates an encryption key with other devices, including: 将目标设备作为设备1,其他设备作为设备2,通过设备1将设备ID1和私钥有效期Tv1发送至设备2,设备2收到设备ID1和私钥有效期Tv1后,确定设备1的公钥,公钥 The target device is regarded as device 1, and the other devices are regarded as device 2. Device 1 sends device ID 1 and private key validity period T v1 to device 2. After receiving device ID 1 and private key validity period T v1 , device 2 determines the public key of device 1. 设备2将设备ID2和私钥有效期Tv2发送至设备1,设备1收到设备ID2和私钥有效期Tv2,确定设备2的公钥,公钥 Device 2 sends device ID 2 and private key validity period T v2 to device 1. Device 1 receives device ID 2 and private key validity period T v2 and determines the public key of device 2. 设备1选取随机数r1,使用设备2的公钥加密随机数r1后得到密文M1通过设备1私钥对M1签名后得到签名,签名S1=H1(M1||r1),将密文M1和S1发送给设备2;Device 1 selects a random number r 1 and uses the public key of device 2 After encrypting the random number r 1, we get the ciphertext M 1 . After signing M 1 with the private key of device 1, the signature S 1 =H 1 (M 1 || r 1 ) is obtained, and the ciphertext M 1 and S 1 are sent to device 2; 设备2收到M1和S1后,解密M1得到并验证签名S1的合法性,若验证通过,选取随机数r2,使用设备1的公钥加密随机数r2后得到密文M2通过设备2私钥对M2签名后得到签名,签名S2=H1(M2||r2||r1),将密文M2和S2发送给设备1;After receiving M1 and S1 , device 2 decrypts M1 and obtains And verify the legitimacy of signature S 1. If the verification is successful, select a random number r 2 and use the public key of device 1 After encrypting the random number r 2, we get the ciphertext M 2 . After signing M 2 with the private key of device 2, the signature S 2 =H 1 (M 2 || r 2 || r 1 ) is obtained, and the ciphertext M 2 and S 2 are sent to device 1; 设备1收M2和S2后,解密M2得到比较解密后r1是否与随机数r1的值是否相等,若相等,验证签名S2的合法性,若验证通过,得到通过密钥衍生算法得到主密钥 After receiving M 2 and S 2 , device 1 decrypts M 2 and obtains Compare the decrypted r1 to see if it is equal to the value of the random number r1 . If they are equal, verify the legitimacy of the signature S2 . If the verification passes, get Get the master key through the key derivation algorithm 通过设备2的公钥加密随机数r2后得到密文将验证通过信息Vp,密文M3,r1,r2签名后得到S3=H1(Vp||M3||r1||r2),并将M3和S3发送给设备2;Through the public key of device 2 Encrypt the random number r 2 to get the ciphertext The verified information V p , the ciphertext M 3 , r 1 , and r 2 are signed to obtain S 3 =H 1 (V p || M 3 || r 1 || r 2 ), and M 3 and S 3 are sent to device 2; 设备2收到M3和S3发送后,解密M3得到比较解密后r2是否与随机数r2相等,若相等,验证签名S3的合法性,若验证通过,得到通过密钥衍生算法得到加密密钥 After receiving the transmission from M3 and S3 , device 2 decrypts M3 and obtains Compare the decrypted r 2 to see if it is equal to the random number r 2. If they are equal, verify the legitimacy of the signature S 3. If the verification passes, we get Get the encryption key through the key derivation algorithm 设备1与设备2通过加密密钥保护设备1与设备2间的信息交互,即完成电力物联网设备的轻量级接入认证。Device 1 and device 2 use encryption key Protect the information interaction between device 1 and device 2, that is, complete the lightweight access authentication of power Internet of Things devices. 4.根据权利要求3所述的系统,所述目标设备公私钥对密文的申请,具体包括:4. According to the system of claim 3, the application of the target device public and private key pair ciphertext specifically comprises: 目标设备先选择随机数r1其中为循环群,的阶为q,并设置的一个安全单向的哈希函数H:根据r1q、H:及目标设备ID,生成目标设备的身份密钥对申请参数paramas0={ID,r1,q,H(ID||r1)},并将申请参数paramas0={ID,r1,q,H(ID||r1)}发送至密钥生成中心KGC;The target device first selects a random number r 1 and Among them is a cyclic group, The order of is q, and set A secure one-way hash function H: According to r 1 , q、H: and the target device ID, generate the target device's identity key pair application parameter paramas 0 ={ID, r 1 ,q,H(ID||r 1 )}, and send the application parameter paramas 0 ={ID, r 1 ,q,H(ID||r 1 )} to the key generation center KGC; 密钥生成中心KGC收到申请参数paramas0={ID,r1,q,H(ID||r1)}后,计算安全参数看k,将安全参数k输入到参数生成器中运算,生成系统参数paramas1After receiving the application parameters paramas 0 = {ID, r 1 ,q,H(ID||r 1 )}, the key generation center KGC calculates the security parameters k, Input the security parameter k into the parameter generator to generate the system parameter paramas 1 ; 其中, in, 其中,q是一个安全素数,G1为满足双线性映射性质的椭圆曲线上的q阶加法子群,G2为有限域上乘法群的q阶子群,为G1×G1→G2的双线性映射,n是明文数据长度,P是G1的任意生成元,即P∈G1,Ppub是系统公钥,Ppub=ks·P,s是系统的主密钥因子,Pr=ks,Ppub和Pr为系统公私钥对,H1,H2是系统哈希函数,其中,H1:{0,1}*→G1,H2:{0,1}n→G2Where q is a safe prime number, G1 is a q-order additive subgroup on the elliptic curve that satisfies the bilinear mapping property, G2 is a q-order subgroup of the multiplicative group over a finite field, is a bilinear mapping of G 1 ×G 1 →G 2 , n is the length of plaintext data, P is any generator of G 1 , that is, P∈G 1 , P pub is the system public key, P pub =ks·P, s is the master key factor of the system, P r = ks, P pub and P r are the system public and private key pairs, H 1 , H 2 are system hash functions, where H 1 :{0,1} * →G 1 , H 2 :{0,1} n →G 2 ; 密钥生成中心KGC将系统参数paramas1发送至目标设备,并通过目标设备保存系统paramas1The key generation center KGC sends the system parameter paramas 1 to the target device, and saves the system paramas 1 through the target device; 目标设备生成随机数r2,针对随机数r2根据密钥衍生算法获取对称密钥k2,k2=KDF(r2),通过密钥生成中心KGC对对称密钥k2进行加密,获取加密后的对称密钥并根据目标设备ID计算对称密钥的申请参数,并将对称密钥的申请参数发送至密钥生成中心KGC;The target device generates a random number r 2 , obtains the symmetric key k 2 according to the key derivation algorithm for the random number r 2 , k 2 = KDF(r 2 ), encrypts the symmetric key k 2 through the key generation center KGC, and obtains the encrypted symmetric key And calculate the symmetric key based on the target device ID The application parameters and the symmetric key The application parameters are sent to the key generation center KGC; 其中,对称密钥的申请参数为: Among them, the symmetric key The application parameters are: 密钥生成中心KGC收到对称密钥的申请参数后,验证对称密钥的申请参数的完整性,若通过验证,解密对称密钥得到并提取目标设备ID,并检测目标设备ID是否合法,若合法,计算目标设备身份公钥Ppub1,Ppub1=H1(ID||Tv),其中,Tv为设备有效期;The key generation center KGC receives the symmetric key After applying for parameters, verify the symmetric key The integrity of the application parameters, if verified, decrypt the symmetric key to obtain And extract the target device ID, and check whether the target device ID is legal. If it is legal, calculate the target device identity public key P pub1 , P pub1 =H 1 (ID||T v ), where T v is the device validity period; 密钥生成中心KGC基于系统主密钥因子和安全参数,计算目标设备身份私钥将目标设备身份私钥用对称密钥k2加密后得到对私钥密文设备身份公钥Ppub1和Tv设备有效期签名,获取签名后信息并将发送至目标设备;The key generation center KGC calculates the target device identity private key based on the system master key factor and security parameters The target device identity private key is encrypted with the symmetric key k2 to obtain Ciphertext for private key Device identity public key P pub1 and T v device validity period signature, obtain the signed information and will Send to the target device; 目标设备收到后,验证的签名信息,若通过验证,获取目标设备的身份公钥Ppub1,采用对称密钥k2解密私钥密文信息后得到目标设备的身份私钥 The target device receives After verification If the signature information is verified, the target device's public key P pub1 is obtained, and the private key of the target device is obtained by decrypting the private key ciphertext information with the symmetric key k 2.
CN202110830359.1A 2021-07-22 2021-07-22 Lightweight access authentication method and system for power Internet of Things devices based on IBC system Active CN113704736B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110830359.1A CN113704736B (en) 2021-07-22 2021-07-22 Lightweight access authentication method and system for power Internet of Things devices based on IBC system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110830359.1A CN113704736B (en) 2021-07-22 2021-07-22 Lightweight access authentication method and system for power Internet of Things devices based on IBC system

Publications (2)

Publication Number Publication Date
CN113704736A CN113704736A (en) 2021-11-26
CN113704736B true CN113704736B (en) 2024-11-26

Family

ID=78650381

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110830359.1A Active CN113704736B (en) 2021-07-22 2021-07-22 Lightweight access authentication method and system for power Internet of Things devices based on IBC system

Country Status (1)

Country Link
CN (1) CN113704736B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363086B (en) * 2022-01-24 2024-04-12 北京北卡星科技有限公司 Industrial Internet data encryption transmission method based on stream cipher
CN114900337B (en) * 2022-04-19 2024-04-05 贵州电网有限责任公司 An authentication encryption method and system suitable for power chips
CN114928491A (en) * 2022-05-20 2022-08-19 国网江苏省电力有限公司信息通信分公司 Internet of things security authentication method, device and system based on identification cryptographic algorithm
CN115065466B (en) * 2022-06-23 2024-01-19 中国电信股份有限公司 Key agreement method, device, electronic device and computer-readable storage medium
CN115242468B (en) * 2022-07-07 2023-05-26 广州河东科技有限公司 Safe communication system and method based on RS485 bus
CN115001717B (en) * 2022-08-03 2022-10-25 中国电力科学研究院有限公司 A terminal device authentication method and system based on identification public key
CN115567219A (en) * 2022-09-22 2023-01-03 国网智能电网研究院有限公司 Secure communication method, device and storage medium based on 5G virtual private network slicing
CN116193434A (en) * 2022-12-01 2023-05-30 国网河南省电力公司电力科学研究院 Distributed photovoltaic grid-connected lightweight access method and system based on certificate-free encryption
CN116192389B (en) * 2023-04-26 2023-07-25 杭州海康威视数字技术股份有限公司 Lightweight device communication key negotiation method, device, equipment and system
CN117335981A (en) * 2023-10-30 2024-01-02 天翼物联科技有限公司 Secure communication methods, devices, equipment and media based on lightweight key algorithms
CN117641504A (en) * 2023-11-27 2024-03-01 中电云计算技术有限公司 Trusted access method, system, equipment and readable storage medium for edge node equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835752A (en) * 2020-07-09 2020-10-27 国网山西省电力公司信息通信分公司 Lightweight authentication method and gateway based on device identity
CN111953705A (en) * 2020-08-20 2020-11-17 全球能源互联网研究院有限公司 Internet of things identity authentication method, device and power Internet of things identity authentication system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3613231B1 (en) * 2017-04-17 2022-10-12 Apple Inc. Group based context and security for massive internet of things devices
CN110266492B (en) * 2019-05-31 2023-06-09 中国能源建设集团甘肃省电力设计院有限公司 Traceable ubiquitous power internet of things identity authentication method
CN111372247A (en) * 2019-12-23 2020-07-03 国网天津市电力公司 Terminal secure access method and terminal secure access system based on narrowband Internet of things
CN112291230B (en) * 2020-10-26 2023-04-07 公安部第一研究所 Data security authentication transmission method and device for terminal of Internet of things
CN112887338B (en) * 2021-03-18 2022-08-05 南瑞集团有限公司 A kind of identity authentication method and system based on IBC identification password

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835752A (en) * 2020-07-09 2020-10-27 国网山西省电力公司信息通信分公司 Lightweight authentication method and gateway based on device identity
CN111953705A (en) * 2020-08-20 2020-11-17 全球能源互联网研究院有限公司 Internet of things identity authentication method, device and power Internet of things identity authentication system

Also Published As

Publication number Publication date
CN113704736A (en) 2021-11-26

Similar Documents

Publication Publication Date Title
CN113704736B (en) Lightweight access authentication method and system for power Internet of Things devices based on IBC system
CN111740828B (en) Key generation method, device and equipment and encryption and decryption method
EP3349393B1 (en) Mutual authentication of confidential communication
CA2590989C (en) Protocol and method for client-server mutual authentication using event-based otp
CN112887338A (en) Identity authentication method and system based on IBC identification password
CN114785487B (en) Anti-quantum computing HTTPS communication method and system based on CA and national encryption algorithm
CN101286849A (en) Authentication system and method of a third party based on engagement arithmetic
CN102724041A (en) Steganography-based key transmission and key updating method
CN114244502B (en) Signature key generation method, device and computer equipment based on SM9 algorithm
CN114726546B (en) Digital identity authentication method, device, equipment and storage medium
CN108933659B (en) An identity verification system and verification method for a smart grid
CN106713349B (en) Inter-group proxy re-encryption method capable of resisting attack of selecting cipher text
JP5324813B2 (en) Key generation apparatus, certificate generation apparatus, service provision system, key generation method, certificate generation method, service provision method, and program
CN113886781B (en) Multi-authentication encryption method, system, electronic equipment and medium based on block chain
CN113572612B (en) Private key distribution method for SM9 cryptographic algorithm, user terminal and key generation center
CN119766433A (en) A method, device and system for encrypted communication supporting post-quantum algorithm
JP2011250335A (en) Efficient mutual authentication method, program, and device
KR20040013966A (en) Authentication and key agreement scheme for mobile network
EP3185504A1 (en) Security management system for securing a communication between a remote server and an electronic device
CN114070570A (en) A secure communication method for power internet of things
KR101388452B1 (en) Method of migrating certificate to mobile terminal using certificate transmission server based on one-time public information and apparatus using the same
CN113779593A (en) An identity-based dual-server authorization ciphertext equivalent determination method
CN114070550A (en) Information processing method, device, equipment and storage medium
CN114095151A (en) Encryption and decryption method, authentication method, device, equipment and storage medium
CN117714066B (en) Key processing method, device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant