[go: up one dir, main page]

CN117097488B - Device group security verification method based on node pathfinding - Google Patents

Device group security verification method based on node pathfinding Download PDF

Info

Publication number
CN117097488B
CN117097488B CN202311353330.4A CN202311353330A CN117097488B CN 117097488 B CN117097488 B CN 117097488B CN 202311353330 A CN202311353330 A CN 202311353330A CN 117097488 B CN117097488 B CN 117097488B
Authority
CN
China
Prior art keywords
node
devices
verification
information
communication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311353330.4A
Other languages
Chinese (zh)
Other versions
CN117097488A (en
Inventor
周让
陈文进
杨可
张新鹏
王洪辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Univeristy of Technology
Original Assignee
Chengdu Univeristy of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Univeristy of Technology filed Critical Chengdu Univeristy of Technology
Priority to CN202311353330.4A priority Critical patent/CN117097488B/en
Publication of CN117097488A publication Critical patent/CN117097488A/en
Application granted granted Critical
Publication of CN117097488B publication Critical patent/CN117097488B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/02Topology update or discovery
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/16Multipoint routing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/48Routing tree calculation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明公开了一种基于节点寻路的设备群组安全验证方法,包括节点设备初始化;生成设备群组S的通信图;当验证者需要验证设备群组S的安全性时,从设备群组S选取一初始设备DS;从DS开始,用通信标识符在通信图中构建生成树;从叶子节点向根节点方向,逐级对设备群组S进行验证。本发明通过在通信图中构建生成树的方法,收集各节点设备的验证信息,从子节点开始自下而上的累计验证报告到验证者,以此来确保群设备的安全性。若验证报告返回途中出现主父节点不可通信则自动寻路,本发明能加强群验证方法的扩展性和安全性,使群设备返回更多有效的验证信息,以此来减小网络管理者的管理负担,同时也提高了整个系统的可靠性和安全性。

The invention discloses a device group security verification method based on node pathfinding, which includes node device initialization; generating a communication diagram of the device group S; when the verifier needs to verify the security of the device group S, the device group S selects an initial device D S ; starting from D S , the communication identifier is used to construct a spanning tree in the communication graph; from the leaf node to the root node, the device group S is verified step by step. The present invention collects the verification information of each node device by constructing a spanning tree in the communication graph, and sends bottom-up cumulative verification reports to the verifier starting from the child nodes, thereby ensuring the security of the group equipment. If the main and parent nodes cannot communicate during the return of the verification report, the path will be automatically found. The present invention can enhance the scalability and security of the group verification method, enable the group device to return more effective verification information, thereby reducing the management of the network manager. burden, while also improving the reliability and security of the entire system.

Description

Equipment group security verification method based on node path finding
Technical Field
The invention relates to the field of security of the Internet of things, in particular to a device group security verification method based on node routing.
Background
Currently, the idea of the emerging industry trend is to compose an intelligent system from a large number of heterogeneous embedded devices and mobile devices, i.e. to form the so-called internet of things (IoT). It is predicted that billions of connected devices will implement more new services and experiences in the future. Some examples of which include: 1. an industrial control system; 2. connected internet of things devices in an intelligent environment; 3. an ad hoc dynamic network. Such systems are commonly referred to as device clusters. In order to ensure proper operation of an internet of things system, it is critical to maintain its software integrity and protect it from attacks. In a group of devices, each device may have different functionality and security requirements, and thus a flexible and efficient method is needed to ensure the security of the overall system.
With the continuous development of the internet of things, the scale and complexity of equipment groups are also continuously increased. Therefore, there is a need to seek a more efficient, extensible and secure device group attestation method to accommodate the needs of future internet of things systems and ensure that device groups in the internet of things can reliably operate in complex environments. As the network scale expands, network attacks and data leakage events also frequently occur. Hackers can utilize the loopholes of the Internet of things equipment to carry out large-scale network attack to form a huge botnet, and threaten network security and social stability. In order to cope with these security challenges, effective security measures need to be taken in various fields, and protection and monitoring of the internet of things equipment are enhanced. The method comprises the steps of strengthening the security design and encryption mechanism of the equipment, periodically updating and maintaining the firmware and software of the equipment, establishing a security audit and monitoring system, and timely discovering and coping with potential security threats.
In recent years, researchers have devised a solution for group attestation, which is an emerging security technology that provides a powerful solution to these security threats. Group certification allows multiple devices to cooperatively and jointly generate certification information, improves the reliability and security of verification, and provides more reliable verification results. In addition, group attestation can also enhance trust and collaboration capabilities between devices, facilitating multi-device collaboration in a distributed system.
However, the conventional group proof method also has various problems: 1. conventional group attestation methods may utilize broadcast technology for inter-device communication, which may result in significant communication overhead, and information is readily available to adversaries, thereby reducing security of the system. 2. In the traditional group proving method, a spanning tree construction mode is utilized, only a simple verification result can be returned to prove the safety of the whole group, but the safety condition of each device cannot be specified, and the method is not beneficial to the maintenance and safety management of a network manager on the devices. 3. In the traditional group proving method, a spanning tree construction method is utilized, so that the dropped equipment cannot be well processed. Once this is encountered, all the security reports accumulated by all devices under the subtree will be invalidated, affecting the security assessment of the entire device group.
Disclosure of Invention
The invention aims to provide the node-based security verification method for the equipment group, which can still provide a reliable group verification report for a verifier under the condition of equipment disconnection and can adapt to the dynamic property of the embedded equipment of the Internet of things.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows: a device group security verification method based on node routing comprises the following steps:
(1) Initializing node equipment;
initializing each node device, including: generating an initial software configuration digest c, a software configuration digest certificate cert (c), a signature key pair (SK, PK), an identity certificate cert (PK) and a neighbor device list for each node device, wherein the neighbor device list is empty and is used for storing neighbor devices of the node device, and the neighbor devices are node devices which are directly communicated with the node device;
(2) Generating a communication diagram of the device group S;
(21) Selecting N node devices, and setting the connection relation between each node device and the rest node devices;
(22) Establishing communication connection among the node devices connected with each other, registering, adding the node devices connected with each other into a neighbor device list of the other party, and forming a communication diagram of a device group S by the communication connection of N node devices;
for two interconnected node devices, the registration process is: generating a communication key between the two, exchanging and verifying a software configuration abstract certificate of the other party;
(3) When the verifier needs to verify the security of the device group S, a communication identifier q is generated, and a node device for transmitting q is selected from the device group S and marked as an initial device D S
(4) From D S Firstly, constructing a spanning tree in a communication diagram by q, wherein the spanning tree comprises (41) - (44);
(41) Presetting a receiving time t 0 D is to S As the root node of the spanning tree, to D S Is broadcast q by a neighbor device;
(42) Neighbor device at t 0 Receiving communication identifier q, if received, triggering execution of spanning tree protocol, D S Wherein a neighbor device D k The method for executing the spanning tree protocol comprises the following steps:
(42-1)D k at t 0 Receiving a communication identifier q, recording node equipment sent by the communication identifier q in time sequence, marking the first node as a main father node, and marking the rest nodes as standby father nodes;
(42-2) the Master parent node will D k Recording as own child node;
(43) To the next level topology:
D k is A k ,D k To A k Broadcasting q by other neighbor devices except the main father node to trigger the corresponding node device to execute the spanning tree protocol;
(44) Step-by-step downward topology until leaf nodes are generated;
(5) Verifying the equipment group S step by step from the leaf node to the root node, specifically;
(51) Determining a father node for each child node, wherein the father node is one of a main father node or a standby father node of the child node;
(52) Starting from the leaf node, the child node sends self-signed security verification information to the parent node, and the parent node obtains a verification result after security verification;
(53) Generating a verification report by the father node after obtaining verification results of all child nodes, forming an information packet by the verification report and safety verification information of the father node, sending the information packet to the father node, wherein the father node sending the information packet is a subordinate father node, and the father node receiving the information packet is an superordinate father node;
(54) The upper parent node performs security verification on the security verification information of the lower parent node to obtain a verification result, and accumulates the verification report sent by the lower parent node upwards until the information packet Jing Gen node is sent to a verifier;
(55) The verifier performs security verification on the security verification information of the root node to obtain a verification result of the root node, and receives a verification report sent from the root node.
Preferably, the node devices are devices of the same class or heterogeneous devices, and each node device at least comprises a read-only memory, a memory protection unit and a clock with a write protection function.
Preferably, in step (1), for a node device:
an initial software configuration digest c, generated by a hash function for each node device according to the initial software configuration;
a software configuration digest certificate cert (c), a certificate that signs the initial software configuration digest c for the network administrator OP using its public key PKo;
in the signature key pair (SK, PK), SK is a private key of the node equipment, and PK is a public key of the node equipment;
the identity certificate cert (PK) is a certificate signed by the network manager OP using its public key PKo.
Preferably, the step (22) forms a communication map specifically;
(b1) Two node devices are selected from N node devices to form a device group S;
(b2) Selecting whether to connect and executing a registration protocol according to the connection relation of the two node devices;
if the two are connected, establishing communication connection between the two, executing a registration protocol, and mutually joining into a neighbor device list of the other party; otherwise, not executing the operation;
(b3) Adding S from one node device selected from N-2 node devices, selecting whether to connect and executing a registration protocol according to the connection relation between the node device and other node devices in the S;
(b4) And adding the rest node devices into the S in turn, and forming a communication diagram of the device group S by the communication connection relation of the N node devices.
Preferably, step (51) determines that the parent node is specifically;
(a1) Presetting a receiving time t 1
(a2) The child node sends security verification information to the main parent node, if the main parent node receives the security verification information, the child node returns confirmation information, otherwise, the child node does not return;
(a3) Child node at t 1 Waiting for confirmation information in the duration, if the confirmation information is received, taking the main father node as the father node, otherwise, marking the main father node as an unvented node, and executing the step (a 4);
(a4) Traversing the standby father node, finding a child node, after sending the security verification information, returning the confirmation information and at t 1 And the standby parent node received by the child node in the duration is used as the parent node.
Preferably, in step (52), the sending, by the child node, security verification information signed by the child node to the parent node is specifically:
for a child node D j Its father node is D i ,D j To D i Transmitted security verification information M j Comprises D j Heartbeat message hb j Verification message u j Software-configured digest certificate cert (c) j ) Information category;
said heartbeat message hb j From ID j 、t j 、c j ' and cert (c) j ) A constitution in which ID j For D j Device ID, t of (a) j For D j To D i Time stamp for transmitting security verification information, c j ' configure digest for current software, is D j Generating through a hash function according to the current software configuration;
the verification message u j From hb j Through D j And D i Inter-communication key k ij Encrypting by using a MAC algorithm;
the information category includes a verification request;
D j for M j Is signed HB j = sign(SK j ; hb j , u j , MSGTYPE=req);
Wherein SK is j For D j Msgtype=req represents M j Is an authentication request.
Preferably, when the position of a node device changes or a node device is newly added, the communication connection of the original communication diagram is disconnected, and the communication diagram of the device group S is regenerated according to the step (2).
Noun interpretation:
1. group proof: english Swarm Attestation. The group attestation method allows a verifier to attest multiple attestations in parallel. Unlike traditional remote attestation, group attestation is not just an individual attestation, but rather a plurality of individuals participate together and cooperate to complete an attestation process. Group certificates may be used in a variety of scenarios, such as group authentication, group authorization, group decision, etc. In group attestation, each group member has its own identity and certificate, and through cooperation and coordination, the group members can jointly attest to the security and integrity of the device.
2. The verifier: english Verifier, abbreviated Ver. It is mainly responsible for verifying and auditing certificates and related information from other participants, ensuring validity and correctness of group certificates. The role of the verifier may be played by different entities, such as servers in the network, blockchain nodes, or other legitimate participants. The verifier typically has some computational and memory resources to execute the verification algorithm and store the relevant verification information.
3. Network manager: english Network Operator, abbreviation OP: is a security entity that we assume, all devices in the group are initialized and deployed by it, mainly responsible for distributing keys and distributing security certificates. The network manager is in an absolutely secure environment, so that in this solution, the adversary's software attacks and physical attacks on him are not considered.
4. Group: english Swarm. Refers to a collection of multiple participants. These participants may be individuals, devices, nodes, or other entities that may cooperate and cooperate with each other. In the scheme, a network consisting of various heterogeneous embedded devices is specified.
5. Signature: english Signature. Refers to a digital signature attached to information or a document for verifying the integrity, authenticity and origin of the information or document. The signature is generated by the sender and appended to the information, and the receiver can verify the validity of the signature using the public key.
6. Hash function: english Hash function is an algorithm that converts input data (messages, files, etc.) into output values of fixed length. The output value of a hash function is often referred to as a hash value, digest, or hash value. The hash function maps the input data to a short, fixed-length binary string, which is ideally unique. The present invention requires the use of hash functions in both generating the initial software configuration digest c and the current software configuration digest.
7. Group node devices are a number of common devices in a network. The system is composed of a network of a plurality of nodes, each node device having its own independent and unique device number ID. Each node device needs to maintain a list of neighbor devices, e.g., node device D i Is A i The list records information of all neighbor devices of the node device. These devices may be heterogeneous, but they must have the lightest security framework, including read only memory ROM, memory protection unit MPU, and clocks with write protection. Furthermore, these devices may be geographically distributed over a wide area. The ROM, the MPU and the clocks with write protection function are used to indicate that each device needs to have these physical protection functions, such as a write protection clock, to prevent an intruder from modifying the later used time stamp.
Compared with the prior art, the invention has the advantages that:
(1) The method can effectively verify the integrity state of the group node equipment, ensure the validity of the identity of the node equipment and the correctness of the running software of the node equipment, and effectively prevent various malicious attacks of the adversary equipment on the node equipment.
(2) The invention constructs the spanning tree in the communication diagram, improves the spanning tree protocol, marks the father node and the son node, improves the broadcasting mode, greatly reduces the communication cost compared with the traditional broadcasting mode, and simultaneously effectively reduces the calculation performance requirement on the embedded equipment in the Internet of things.
(3) The invention provides a new equipment group proving method, which finally reports the safety states of all node equipment to a verifier by accumulating verification reports of each node from a child node to a father node, thereby providing more information for the maintenance of the equipment group and greatly reducing the management burden and maintenance cost of a network manager.
(4) The invention also adds a path finding method, records a main father node and a standby father node for each child node, and determines a new father node according to steps (a 1) - (a 4) in the case of the father node equipment dropping during verification.
Drawings
FIG. 1 is a flow chart of the present invention;
fig. 2 is a communication diagram of a device group S according to the present invention;
FIG. 3 is a flow chart of step (5) of the present invention.
Detailed Description
The invention will be further described with reference to the accompanying drawings.
Example 1: referring to fig. 1-3, a device group security verification method based on node routing includes the following steps:
(1) Initializing node equipment;
initializing each node device, including: generating an initial software configuration digest c, a software configuration digest certificate cert (c), a signature key pair (SK, PK), an identity certificate cert (PK) and a neighbor device list for each node device, wherein the neighbor device list is empty and is used for storing neighbor devices of the node device, and the neighbor devices are node devices which are directly communicated with the node device;
(2) Generating a communication diagram of the device group S;
(21) Selecting N node devices, and setting the connection relation between each node device and the rest node devices;
(22) Establishing communication connection among the node devices connected with each other, registering, adding the node devices connected with each other into a neighbor device list of the other party, and forming a communication diagram of a device group S by the communication connection of N node devices;
for two interconnected node devices, the registration process is: generating a communication key between the two, exchanging and verifying a software configuration abstract certificate of the other party;
(3) When the verifier needs to verify the security of the device group S, a communication identifier q is generated, and a node device for transmitting q is selected from the device group S and marked as an initial device D S
(4) From D S Firstly, constructing a spanning tree in a communication diagram by q, wherein the spanning tree comprises (41) - (44);
(41) Presetting a receiving time t 0 D is to S As the root node of the spanning tree, to D S Is broadcast q by a neighbor device;
(42) Neighbor device at t 0 Receiving communication identifier q, if received, triggering execution of spanning tree protocol, D S Wherein a neighbor device D k The method for executing the spanning tree protocol comprises the following steps:
(42-1)D k at t 0 Receiving communication identifier q and pressingThe node equipment from q is recorded in time sequence, the first node is marked as a main father node, and the rest nodes are marked as standby father nodes;
(42-2) the Master parent node will D k Recording as own child node;
(43) To the next level topology:
D k is A k ,D k To A k Broadcasting q by other neighbor devices except the main father node to trigger the corresponding node device to execute the spanning tree protocol;
(44) Step-by-step downward topology until leaf nodes are generated;
(5) Verifying the equipment group S step by step from the leaf node to the root node, specifically;
(51) Determining a father node for each child node, wherein the father node is one of a main father node or a standby father node of the child node;
(52) Starting from the leaf node, the child node sends self-signed security verification information to the parent node, and the parent node obtains a verification result after security verification;
(53) Generating a verification report by the father node after obtaining verification results of all child nodes, forming an information packet by the verification report and safety verification information of the father node, sending the information packet to the father node, wherein the father node sending the information packet is a subordinate father node, and the father node receiving the information packet is an superordinate father node;
(54) The upper parent node performs security verification on the security verification information of the lower parent node to obtain a verification result, and accumulates the verification report sent by the lower parent node upwards until the information packet Jing Gen node is sent to a verifier;
(55) The verifier performs security verification on the security verification information of the root node to obtain a verification result of the root node, and receives a verification report sent from the root node.
In the invention, the node devices are the same type devices or heterogeneous devices, and each node device at least comprises a read-only memory, a memory protection unit and a clock with a write protection function.
In step (1), for a node device:
an initial software configuration digest c, generated by a hash function for each node device according to the initial software configuration;
a software configuration digest certificate cert (c), a certificate that signs the initial software configuration digest c for the network administrator OP using its public key PKo;
in the signature key pair (SK, PK), SK is a private key of the node equipment, and PK is a public key of the node equipment;
the identity certificate cert (PK) is a certificate signed by the network manager OP using its public key PKo.
The step (22) forms a communication diagram specifically;
(b1) Two node devices are selected from N node devices to form a device group S;
(b2) Selecting whether to connect and executing a registration protocol according to the connection relation of the two node devices;
if the two are connected, establishing communication connection between the two, executing a registration protocol, and mutually joining into a neighbor device list of the other party; otherwise, not executing the operation;
(b3) Adding S from one node device selected from N-2 node devices, selecting whether to connect and executing a registration protocol according to the connection relation between the node device and other node devices in the S;
(b4) And adding the rest node devices into the S in turn, and forming a communication diagram of the device group S by the communication connection relation of the N node devices.
Step (51) determining that the parent node is specifically;
(a1) Presetting a receiving time t 1
(a2) The child node sends security verification information to the main parent node, if the main parent node receives the security verification information, the child node returns confirmation information, otherwise, the child node does not return;
(a3) Child node at t 1 Waiting for confirmation information in the duration, if the confirmation information is received, taking the main father node as the father node, otherwise, marking the main father node as an unvented node, and executing the step (a 4);
(a4) Traversing alternate parent nodesAfter finding a child node and sending security verification information, the child node can return confirmation information and send the confirmation information to the child node at t 1 And the standby parent node received by the child node in the duration is used as the parent node.
In step (52), the child node sends the security verification information signed by itself to the parent node specifically:
for a child node D j Its father node is D i ,D j To D i Transmitted security verification information M j Comprises D j Heartbeat message hb j Verification message u j Software-configured digest certificate cert (c) j ) Information category;
said heartbeat message hb j From ID j 、t j 、c j ' and cert (c) j ) A constitution in which ID j For D j Device ID, t of (a) j For D j To D i Time stamp for transmitting security verification information, c j ' configure digest for current software, is D j Generating through a hash function according to the current software configuration;
the verification message u j From hb j Through D j And D i Inter-communication key k ij Encrypting by using a MAC algorithm;
the information category includes a verification request;
D j for M j Is signed HB j = sign(SK j ; hb j , u j , MSGTYPE=req);
Wherein SK is j For D j Msgtype=req represents M j Is an authentication request.
In addition, it should be noted that when a node device changes in position or a node device is newly added, the communication connection of the original communication diagram is disconnected, and the communication diagram of the device group S is regenerated in step (2).
Regarding the initialization of the node device in step (1): each node device of the invention is initialized by the network manager OP, and for the node device D i Network manager OP uses software configuration c i Initializing and making use of the networkSoftware configuration digest certificate cert signed by the network manager OP (c) i ) Verify to ensure c i Is D i Is provided. Each node device is initialized with the OP public key to later verify the software configuration digest certificates and identity certificates of the other node devices.
Regarding the neighbor device list: each node device has a neighbor list with an initial state of null. In step (22), the node devices are joined to the neighbor device list of the other party only after the communication connection is established between the node devices connected to each other and registered. The addition method is that, assume D i Broadcasting a collection information, and after receiving the collection information, replying a feedback information, D i After receiving the feedback information, the node equipment is added into a neighbor equipment list A i Is a kind of medium.
Registration with respect to step (22): in the present invention, when a device node device initially joins the device group S or changes its location, the newly joined node device will execute a registration protocol with all new neighbor devices. Suppose that an access node device D in device group S j The network manager accesses the new node device D again i In step (21), the two are in communication connection, D i For new access equipment, D j Is an accessed device.
D j 、D i During registration, D i And D j Generates a shared communication key k therebetween ij And represents a key set formed by communication authentication keys established by all neighbor devices accessed subsequently as K i . The establishment of the communication key may use D-based i Private key SK of (1) i 、D j Private key SK of (1) j 、D i Is certificate cert (PK) i )、D j Is certificate cert (PK) j ) Is accomplished using a key pre-allocation technique. After the two-device communication key is constructed, the two parties establish a use k ij An encryption channel is formed to exchange the subsequent safety information data, D j Will accept D i Transmitted software configurationDigest certificate cert (c) i ) Come to learn D i Initial software configuration digest c of (2) i At the same time, the software configuration digest certificate cert (c j ) Transmitting D i Newly added node device D i Will and follow all accessed devices such as D k All of the above operations are performed, if the certificate verification is successful, D will be k Initial software configuration digest c of (2) k The method is stored so as to facilitate the follow-up verification of the proving report of the neighbor device; if the authentication fails, the device is not accepted as a new neighbor.
Regarding spanning tree protocol: in the spanning tree protocol designed by the invention, the maximum limit is not set for the number of the child nodes, because the limit for the number of the child nodes can cause that some devices can not be correctly added into the spanning tree under the condition of huge number of node devices.
Regarding the step-by-step verification of the device group S in the step (5), in the verification process, the child node sends its own security verification information to the parent node. For each subordinate father node, after the security verification of each corresponding child node is completed, the corresponding child node and the security verification information are sent to the superior father node for security verification, before each verification report is sent, the node checks whether the superior father node can pass, the superior father node returns a message to the subordinate father node after receiving the information, tells the subordinate father node that the verification information is received, and finally accumulates the verification report to the root node. During the verification process, the non-passable nodes are recorded in the non-passable node list and recorded together in the verification report.
Determining a parent node in step (51): when the spanning tree is built from top to bottom, each child node has its own main parent node, but when the verifier verifies, the node device may not communicate with the child node due to attack, disconnection and other reasons, and step (51) is adopted at this time to reselect the parent node from the standby parent nodes, thereby realizing automatic path finding. During selection, one can select one to prepareWith parent node, see if it can be at t 1 And if the confirmation information returned by the standby father node is received in the duration, the standby father node is directly used as the father node, and if the confirmation information is not received, a standby father node is selected again, and the judgment is reconfirmed according to the method.
In summary, the method of the present invention aims to ensure the security of group devices by collecting verification information of each node device by constructing a spanning tree in a communication graph, and accumulating verification reports from bottom to top from child nodes to verifiers. When the node equipment returns the verification report, if the situation that the father node equipment cannot communicate is met, a path-finding protocol is started, a standby node is found to resend the verification report, the expansibility and the safety of the group proving method can be effectively enhanced, and the group equipment can return more effective verification information, so that the management burden of a network manager is reduced, and meanwhile, the reliability and the safety of the whole system are also improved.
Example 2: referring to fig. 1-3, we present a specific method for verifying security of a device group based on node routing. In the present embodiment, a total of 8 device nodes, D1 to D8, respectively, are assumed.
(1) D1 to D8 are first initialized separately.
(2) Generating a communication map of the device group S, comprising steps (21) - (22).
(21) Selecting 8 node devices from D1 to D8, and setting the connection relation between each node device and the rest node devices; in fig. 2, we set that D1 is directly connected to D2, D3, D2 is connected to D1, D3, D4, D5, D3 is connected to D1, D2, D4 is connected to D6, and as shown in fig. 2, the connection modes are all preset.
(22) And establishing communication connection between the interconnected node devices, registering, and adding the interconnected node devices into a neighbor device list of the other party.
For D1, communication connection with D2 and D3 is required to be established and registered, and D2 and D3 are added into a neighbor device list of the device;
for D2, communication connection with D1, D3, D4 and D5 needs to be established and registered, and D1, D3, D4 and D5 are added into a neighbor device list of the device; and the communication diagram of the device group S is formed by processing the communication network up to D8 and finally forming a communication network by 8 nodes.
(3) When the verifier needs to verify the security of the device group S, a communication identifier q is generated, and a node device for transmitting q is selected from the device group S and marked as an initial device D S In this embodiment, D1 is selected as the initial device, and for convenience of description, D1 is directly used to denote the initial device D S
(4) Starting from D1, constructing a spanning tree in the communication diagram by q, and marking a father node and a standby father node in the construction process.
(5) The device group S is verified step by step from the leaf node to the root node, we take a leaf node D7 as an example, in fig. 2, D7 is a leaf node, its main father nodes are D4, and the standby father nodes are D6 and D8, including (51) - (54).
(51) For the leaf node D7, the parent node is determined, assuming that the leaf node D7 sends security verification information to D4, D4 can receive and return confirmation information, D4 at t 1 If the confirmation information is received in the duration, D4 is the father node, otherwise, the father node is selected from the standby nodes D6 and D8;
(52) Starting from D7, sending self-signed security verification information to D4, and obtaining a verification result after the D4 performs security verification;
(53) In fig. 2, all the child nodes D4 are D6 and D7, and after obtaining the verification results of all the child nodes, a verification report is generated, and the verification report and the security verification information of the child nodes form an information packet and are sent to the parent node D2 of the child nodes;
(54) And D2, carrying out security verification on the security verification information of the D4 to obtain a verification result, and accumulating the verification report sent by the D4 upwards until the information packet is sent to a verifier through the D1.
(55) And the verifier receives the information packet sent by the D1, and can obtain verification results of all the node devices accumulated upwards only by carrying out security verification on the D1 and acquiring the verification report accumulated to the D1.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.

Claims (7)

1.一种基于节点寻路的设备群组安全验证方法,其特征在于,包括以下步骤:1. A device group security verification method based on node pathfinding, which is characterized by including the following steps: (1)节点设备初始化;(1) Node device initialization; 对每个节点设备进行初始化操作,包括:为每个节点设备生成初始软件配置摘要c、软件配置摘要证书cert(c)、签名密钥对(SK,PK)、身份证书cert(PK)和邻居设备列表,所述邻居设备列表为空,用于存储该节点设备的邻居设备,所述邻居设备为直接与该节点设备连通的节点设备;Perform initialization operations on each node device, including: generating initial software configuration summary c, software configuration summary certificate cert (c), signature key pair (SK, PK), identity certificate cert (PK) and neighbor for each node device A device list. The neighbor device list is empty and is used to store neighbor devices of the node device. The neighbor device is a node device directly connected to the node device; (2)生成设备群组S的通信图;(2) Generate the communication graph of device group S; (21)选取N个节点设备,设定各节点设备与其余节点设备的连接关系;(21) Select N node devices and set the connection relationship between each node device and other node devices; (22)在相互连接的节点设备间建立通信连接并注册,将相互连接的节点设备加入到对方的邻居设备列表中,N个节点设备的通信连接构成设备群组S的通信图;(22) Establish and register communication connections between interconnected node devices, and add the interconnected node devices to each other's neighbor device list. The communication connections of N node devices constitute the communication graph of the device group S; 对两相互连接的节点设备,所述注册过程为:生成二者间的通信密钥、交换并验证对方软件配置摘要证书;For two mutually connected node devices, the registration process is: generating a communication key between the two, exchanging and verifying the other party's software configuration summary certificate; (3)当验证者需要验证设备群组S的安全性时,生成一通信标识符q,并从设备群组S选取一用于发送q的节点设备,标记为初始设备DS(3) When the verifier needs to verify the security of the device group S, a communication identifier q is generated, and a node device used to send q is selected from the device group S, marked as the initial device D S ; (4)从DS开始,用q在通信图中构建生成树,包括(41)~(44);(4) Starting from D S , use q to build a spanning tree in the communication graph, including (41) ~ (44); (41)预设一接收时长t0,将DS作为生成树的根节点,向DS的邻居设备广播q;(41) Preset a reception duration t 0 , use DS as the root node of the spanning tree, and broadcast q to the neighbor devices of DS ; (42)邻居设备在t0内接收通信标识符q,若接收到,则触发执行生成树协议,DS其中一邻居设备Dk执行生成树协议的方法为:(42) The neighbor device receives the communication identifier q within t 0. If received, it triggers the execution of the spanning tree protocol. The method for one of the neighbor devices D k of D S to execute the spanning tree protocol is: (42-1)Dk在t0内接收通信标识符q,并按时间顺序记录发来q的节点设备,将第一个标记为主父节点,其余标记为备用父节点;(42-1) D k receives the communication identifier q within t 0 , and records the node device that sent q in chronological order, marking the first one as the main parent node, and the others as backup parent nodes; (42-2)主父节点将Dk记录为自己的子节点;(42-2) The main parent node records D k as its own child node; (43)向下一级拓扑:(43) To the next level topology: Dk的邻居设备列表为Ak,Dk向Ak中除主父节点的其他邻居设备广播q,以触发对应节点设备执行生成树协议;The neighbor device list of D k is A k , and D k broadcasts q to other neighbor devices in A k except the primary parent node to trigger the corresponding node device to execute the spanning tree protocol; (44)逐级向下拓扑,直至生成叶子节点;(44) Topology downwards step by step until leaf nodes are generated; (5)从叶子节点向根节点方向,逐级对设备群组S进行验证,具体为;(5) Verify the device group S step by step from the leaf node to the root node, specifically as follows; (51)为每个子节点确定父节点,所述父节点为该子节点的主父节点或备用父节点之一;(51) Determine a parent node for each child node, and the parent node is one of the primary parent node or the backup parent node of the child node; (52)从叶子节点开始,子节点向父节点发送自己签名的安全验证信息,父节点进行安全验证后得到验证结果;(52) Starting from the leaf node, the child node sends its own signed security verification information to the parent node, and the parent node obtains the verification result after performing security verification; (53)父节点得到其所有子节点的验证结果后生成验证报告,将验证报告和自己的安全验证信息构成信息包,发送给自己的父节点,发送信息包的父节点为下级父节点,接收信息包的父节点为上级父节点;(53) The parent node generates a verification report after obtaining the verification results of all its child nodes, forms an information package with the verification report and its own security verification information, and sends it to its parent node. The parent node that sends the information package is the subordinate parent node, and the receiving node The parent node of the information package is the superior parent node; (54)上级父节点对下级父节点的安全验证信息进行安全验证得到验证结果,并对下级父节点发来的验证报告向上累计,直到信息包经根节点发送给验证者;(54) The upper-level parent node performs security verification on the security verification information of the lower-level parent node to obtain the verification results, and accumulates the verification reports sent by the lower-level parent node upward until the information packet is sent to the verifier via the root node; (55)验证者对根节点的安全验证信息进行安全验证得到根节点的验证结果,并接收从根节点发来的验证报告。(55) The verifier performs security verification on the security verification information of the root node to obtain the verification result of the root node, and receives the verification report sent from the root node. 2.根据权利要求1所述的基于节点寻路的设备群组安全验证方法,其特征在于,所述节点设备为相同类别设备或异构设备,每个节点设备至少包括只读存储器、内存保护单元和具有写保护功能的时钟。2. The device group security verification method based on node pathfinding according to claim 1, characterized in that the node devices are devices of the same category or heterogeneous devices, and each node device at least includes a read-only memory, memory protection unit and a write-protected clock. 3.根据权利要求1所述的基于节点寻路的设备群组安全验证方法,其特征在于,步骤(1)中,对一节点设备:3. The device group security verification method based on node pathfinding according to claim 1, characterized in that, in step (1), for a node device: 初始软件配置摘要c,为每个节点设备根据初始软件配置通过哈希函数生成;Initial software configuration summary c, generated by a hash function for each node device based on the initial software configuration; 软件配置摘要证书cert(c),为网络管理者OP使用其公钥PKo对初始软件配置摘要c进行签名的证书;The software configuration summary certificate cert(c) is the certificate used by the network manager OP to sign the initial software configuration summary c using its public key PKo; 签名密钥对(SK,PK)中,SK为节点设备的私钥,PK为节点设备的公钥;In the signature key pair (SK, PK), SK is the private key of the node device, and PK is the public key of the node device; 身份证书cert(PK)为网络管理者OP使用其公钥PKo进行签名的证书。The identity certificate cert (PK) is a certificate signed by the network administrator OP using its public key PKo. 4.根据权利要求1所述的基于节点寻路的设备群组安全验证方法,其特征在于,所述步骤(22)构成通信图具体为;4. The device group security verification method based on node pathfinding according to claim 1, characterized in that the step (22) forming a communication graph is specifically: (b1)从N个节点设备中任选两节点设备构成设备群组S;(b1) Select any two node devices from N node devices to form the device group S; (b2)根据两节点设备的连接关系选择是否连接并执行注册协议;(b2) Select whether to connect and execute the registration protocol based on the connection relationship between the two node devices; 若二者相连,则在二者间建立通信连接、执行注册协议、并互相加入到对方的邻居设备列表;否则不执行操作;If the two are connected, establish a communication connection between the two, execute the registration protocol, and add each other to each other's neighbor device list; otherwise, no operation is performed; (b3)从N-2个节点设备中任选一节点设备加入S,根据该节点设备与S内其他节点设备的连接关系,选择是否连接并执行注册协议;(b3) Select any node device from N-2 node devices to join S, and choose whether to connect and execute the registration protocol based on the connection relationship between the node device and other node devices in S; (b4)依次将其余节点设备加入S,N个节点设备的通信连接关系构成设备群组S的通信图。(b4) Add the remaining node devices to S in turn, and the communication connection relationships of N node devices constitute the communication graph of the device group S. 5.根据权利要求1所述的基于节点寻路的设备群组安全验证方法,其特征在于,步骤(51)确定父节点具体为;5. The device group security verification method based on node pathfinding according to claim 1, characterized in that step (51) determines the parent node to be; (a1)预设一接收时长t1(a1) Preset a reception duration t 1 ; (a2)子节点向主父节点发送安全验证信息,若主父节点收到安全验证信息,则返回确认信息,否则不返回;(a2) The child node sends security verification information to the main parent node. If the main parent node receives the security verification information, it returns confirmation information, otherwise it does not return; (a3)子节点在t1时长内等待确认信息,若收到确认信息,则将主父节点作为父节点,否则将主父节点标记为不可通行节点,并执行步骤(a4);(a3) The child node waits for the confirmation message within the duration of t 1. If the confirmation message is received, the main parent node will be regarded as the parent node. Otherwise, the main parent node will be marked as an inaccessible node, and step (a4) will be executed; (a4)遍历备用父节点,找到一子节点在发送安全验证信息后,能返回确认信息并在t1时长内被子节点收到的备用父节点,作为父节点。(a4) Traverse the backup parent node and find a backup parent node that can return confirmation information after the child node sends the security verification information and is received by the child node within the duration of t 1 , as the parent node. 6.根据权利要求1所述的基于节点寻路的设备群组安全验证方法,其特征在于,步骤(52)中,子节点向父节点发送自己签名的安全验证信息具体为:6. The device group security verification method based on node pathfinding according to claim 1, characterized in that in step (52), the child node sends its own signed security verification information to the parent node specifically as follows: 对一子节点Dj、其父节点为Di,Dj向Di发送的安全验证信息Mj包括Dj的心跳消息hbj、验证消息uj、软件配置摘要证书cert(cj)及信息类别;For a child node D j and its parent node is D i , the security verification information M j sent by D j to D i includes D j 's heartbeat message hb j , verification message u j , software configuration summary certificate cert(c j ) and information category; 所述心跳消息hbj由IDj、tj、cj’和cert(cj)构成,其中,IDj为Dj的设备ID,tj为Dj向Di发送安全验证信息的时间戳,cj’为当前软件配置摘要,是Dj根据当前软件配置通过哈希函数生成;The heartbeat message hb j is composed of ID j , t j , c j ' and cert(c j ), where ID j is the device ID of D j and t j is the timestamp when D j sends security verification information to D i , c j ' is the current software configuration summary, which is generated by D j according to the current software configuration through a hash function; 所述验证消息uj由hbj通过Dj和Di间通信密钥kij使用MAC算法加密得到;The verification message u j is encrypted by hb j using the MAC algorithm through the communication key k ij between D j and D i ; 所述信息类别包括验证请求;The information categories include verification requests; Dj对Mj的签名为HBj= sign(SKj; hbj, uj, MSGTYPE=req);The signature of D j to M j is HB j = sign(SK j ; hb j , u j , MSGTYPE=req); 其中,SKj为Dj的私钥,MSGTYPE=req表示Mj的信息类别为验证请求。Among them, SK j is the private key of D j , and MSGTYPE=req indicates that the information category of M j is a verification request. 7.根据权利要求1所述的基于节点寻路的设备群组安全验证方法,其特征在于,当一节点设备位置发生改变,或新增节点设备,则断开原通信图的通信连接,并按步骤(2)重新生成设备群组S的通信图。7. The device group security verification method based on node pathfinding according to claim 1, characterized in that when the location of a node device changes or a new node device is added, the communication connection of the original communication diagram is disconnected, and Follow step (2) to regenerate the communication diagram of device group S.
CN202311353330.4A 2023-10-19 2023-10-19 Device group security verification method based on node pathfinding Active CN117097488B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311353330.4A CN117097488B (en) 2023-10-19 2023-10-19 Device group security verification method based on node pathfinding

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311353330.4A CN117097488B (en) 2023-10-19 2023-10-19 Device group security verification method based on node pathfinding

Publications (2)

Publication Number Publication Date
CN117097488A CN117097488A (en) 2023-11-21
CN117097488B true CN117097488B (en) 2023-12-19

Family

ID=88775507

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311353330.4A Active CN117097488B (en) 2023-10-19 2023-10-19 Device group security verification method based on node pathfinding

Country Status (1)

Country Link
CN (1) CN117097488B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118802170B (en) * 2024-09-13 2024-12-13 湖北华中电力科技开发有限责任公司 Cluster security authentication method, device and equipment based on aggregated MAC

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103501484A (en) * 2004-08-16 2014-01-08 高通股份有限公司 Methods and apparatus for managing group membership for group communications
CN110022312A (en) * 2019-03-20 2019-07-16 杭州职业技术学院 One kind being used for the prolongable lightweight method of proof of internet of things equipment
CN114168703A (en) * 2021-11-17 2022-03-11 南方电网科学研究院有限责任公司 Group encrypted data retrieval method
CN114244499A (en) * 2020-09-09 2022-03-25 如般量子科技有限公司 Group communication method and system based on tree structure symmetric key pool
CN115001723A (en) * 2021-02-20 2022-09-02 南京如般量子科技有限公司 Group communication method and system based on tree structure and asymmetric key pool

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012195774A (en) * 2011-03-16 2012-10-11 Toshiba Corp Node and program
US11362835B2 (en) * 2019-06-28 2022-06-14 Intel Corporation Efficient post-quantum anonymous attestation with signature-based join protocol and unlimited signatures

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103501484A (en) * 2004-08-16 2014-01-08 高通股份有限公司 Methods and apparatus for managing group membership for group communications
CN110022312A (en) * 2019-03-20 2019-07-16 杭州职业技术学院 One kind being used for the prolongable lightweight method of proof of internet of things equipment
CN114244499A (en) * 2020-09-09 2022-03-25 如般量子科技有限公司 Group communication method and system based on tree structure symmetric key pool
CN115001723A (en) * 2021-02-20 2022-09-02 南京如般量子科技有限公司 Group communication method and system based on tree structure and asymmetric key pool
CN114168703A (en) * 2021-11-17 2022-03-11 南方电网科学研究院有限责任公司 Group encrypted data retrieval method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
File-Centric Multi-Key Aggregate Keyword Searchable Encryption for Industrial Internet of Things;Rang Zhou等;《 IEEE Transactions on Industrial Informatics 》;全文 *
面向船联网的群组认证密钥协商协议设计;孙青等;《硕士电子期刊》;全文 *

Also Published As

Publication number Publication date
CN117097488A (en) 2023-11-21

Similar Documents

Publication Publication Date Title
CN113194469B (en) 5G unmanned aerial vehicle cross-domain identity authentication method, system and terminal based on block chain
CN111010376B (en) IoT authentication system and method based on master-slave chain
US10257161B2 (en) Using neighbor discovery to create trust information for other applications
CN101222331A (en) Method and system for two-way authentication in authentication server and mesh network
US20190014531A1 (en) Network Access Permission Management Method and Related Device
WO2011134395A1 (en) Authentication method and device, authentication centre and system
CN113626781B (en) Block chain efficient authentication method based on trusted group
CN113935016A (en) Trusted access and cross-domain authentication method based on block chain in named data network
CN112436940B (en) Internet of things equipment trusted boot management method based on zero-knowledge proof
CN115021958B (en) A smart home identity authentication method and system integrating fog computing and blockchain
He et al. ROAchain: Securing route origin authorization with blockchain for inter-domain routing
CN114785622B (en) Access control method, device and storage medium for multi-identification network
CN115378604A (en) An identity authentication method for edge computing terminal equipment based on reputation value mechanism
CN117097488B (en) Device group security verification method based on node pathfinding
Abdel-Malek et al. A proxy signature-based drone authentication in 5G D2D networks
Ngai et al. An authentication service based on trust and clustering in wireless ad hoc networks: description and security evaluation
US11509565B2 (en) Network link verification
CN101227452A (en) Method and system for network access authentication
CN114726604B (en) Multi-factor identity authentication method based on edge calculation and SDN under everything interconnection
CN118138213A (en) Internet of things scene-oriented trusted identity authentication system and method
CN114172742B (en) Hierarchical authentication method for power Internet of Things terminal equipment based on node map and edge authentication
Martignon et al. DSA‐Mesh: a distributed security architecture for wireless mesh networks
CN117201042B (en) Automatic equipment verification method based on node information credibility metering
Liu Integrating security and privacy protection into a mobility-centric internet architecture
Verma et al. Progressive authentication in ad hoc networks

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant