[go: up one dir, main page]

CN117097561B - Trusted equipment transfer identity authentication method for industrial Internet of things - Google Patents

Trusted equipment transfer identity authentication method for industrial Internet of things Download PDF

Info

Publication number
CN117097561B
CN117097561B CN202311345057.0A CN202311345057A CN117097561B CN 117097561 B CN117097561 B CN 117097561B CN 202311345057 A CN202311345057 A CN 202311345057A CN 117097561 B CN117097561 B CN 117097561B
Authority
CN
China
Prior art keywords
server
gateway
authentication information
information
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311345057.0A
Other languages
Chinese (zh)
Other versions
CN117097561A (en
Inventor
万涛
李森
廖维川
周洁
江天天
封顺
梅江涛
吕浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
East China Jiaotong University
Original Assignee
East China Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by East China Jiaotong University filed Critical East China Jiaotong University
Priority to CN202311345057.0A priority Critical patent/CN117097561B/en
Publication of CN117097561A publication Critical patent/CN117097561A/en
Application granted granted Critical
Publication of CN117097561B publication Critical patent/CN117097561B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00IoT characterised by the purpose of the information processing
    • G16Y40/50Safety; Security of things, users, data or systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/121Timestamp

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the technical field of internet of things authentication, and relates to an industrial internet of things-oriented trusted equipment identity authentication method, which comprises four processes of registration of equipment and a gateway, direct authentication of the equipment and authentication of the equipment; according to the invention, each device can generate own device fingerprint, so that the device fingerprint can not be tampered, and the safety of the device fingerprint is ensured; the method comprises the steps of using a random character generation algorithm, a hash function, an exclusive OR operation, character strings and other lightweight operations to realize mutual authentication among equipment, a gateway and a server of the Internet of things; the new equipment which cannot be connected to the gateway is transmitted and authenticated through the trusted equipment authenticated by the server, so that the trusted equipment assists the new equipment to authenticate, single-point faults generated by authentication of a single equipment are avoided, and meanwhile, the application range of a protocol is greatly improved.

Description

面向工业物联网的可信设备传递身份认证方法Trusted device delivery identity authentication method for industrial Internet of things

技术领域Technical field

本发明属于物联网认证技术领域,涉及一种面向工业物联网的可信设备传递身份认证方法。The invention belongs to the technical field of Internet of Things authentication, and relates to a trusted device transfer identity authentication method for the industrial Internet of Things.

背景技术Background technique

随着通信技术与物联网的持续发展,物联网的应用范围从一些只需要少数传感器的智能家居到需要大量物联网设备的智慧城市和智能工厂。后者可能使用成千上万的物联网设备,将大量物联网设备集成到网络物理系统是一项非常具有挑战性的任务。从安全隐私的角度来看,其中将会产生大量的通信数据,这些设备的信息安全需要可靠的通信协议来进行保护。因此,设计出一个可靠的安全通信协议是保障大型物联网系统正常运转的基础。With the continuous development of communication technology and the Internet of Things, the application range of the Internet of Things ranges from smart homes that require only a few sensors to smart cities and smart factories that require a large number of IoT devices. The latter may use thousands of IoT devices, and integrating a large number of IoT devices into cyber-physical systems is a very challenging task. From the perspective of security and privacy, a large amount of communication data will be generated, and the information security of these devices requires reliable communication protocols to protect it. Therefore, designing a reliable secure communication protocol is the basis for ensuring the normal operation of large-scale Internet of Things systems.

在大规模物联网应用中,如工业物联网或智慧城市中包含数千台设备,并不是所有设备都能够直接连接到物联网系统中的网关,而可以连接到相应距离的设备。因此,有些不能直接连接到网关的物联网设备则需要借助已经通过验证的可信设备来支持该设备进行认证。In large-scale IoT applications, such as industrial IoT or smart cities containing thousands of devices, not all devices can be directly connected to the gateway in the IoT system, but can be connected to devices at a corresponding distance. Therefore, some IoT devices that cannot be directly connected to the gateway need to use a verified trusted device to support the device for authentication.

专利申请号为CN202110386425.0的发明专利申请提出了一种面向智能家居场景下的双因素身份认证方法,但该方法存在以下缺陷:1)使用源消耗巨大的密码学加密技术,不适用于资源受限的物联网设备;2)该方式只能适用于特定场景,无法适用于更复杂的环境。The invention patent application with patent application number CN202110386425.0 proposes a two-factor identity authentication method for smart home scenarios. However, this method has the following flaws: 1) It uses cryptographic encryption technology that consumes huge amounts of resources and is not suitable for resources. Restricted IoT devices; 2) This method can only be applied to specific scenarios and cannot be applied to more complex environments.

专利申请号为CN202310607953.3的发明专利申请提出了一种无证书身份认证与密钥协商方法以及系统,但该方法存在以下缺陷:1)密钥生成中心存在单点故障的风险,该中心如果发送故障或被攻击,整个安全体系可能会瘫痪;2)该方案存在隐私泄露风险。The invention patent application with patent application number CN202310607953.3 proposes a certificate-less identity authentication and key agreement method and system. However, this method has the following flaws: 1) The key generation center has the risk of a single point of failure. If the center If the transmission fails or is attacked, the entire security system may be paralyzed; 2) This solution has the risk of privacy leakage.

现有设备认证方法存在以下缺点:无法保障设备的匿名性,无法抵抗节点捕获攻击,在信息传输过程中可能会存在共享密钥暴露的风险,无法保障前向安全性,不具备数据完整性,方案大多数使用花费较大的加密计算,不适合资源受限的物联网设备,适用范围较窄。Existing device authentication methods have the following shortcomings: they cannot guarantee the anonymity of the device, they cannot resist node capture attacks, there may be a risk of shared keys being exposed during information transmission, they cannot guarantee forward security, and they do not have data integrity. Most solutions use expensive encryption calculations, are not suitable for resource-constrained IoT devices, and have a narrow scope of application.

发明内容Contents of the invention

针对现有技术的不足,本发明提出了一种面向工业物联网的可信设备传递身份认证方法。In view of the shortcomings of the existing technology, the present invention proposes a trusted device transfer identity authentication method for the industrial Internet of Things.

本发明通过下述技术方案来实现:一种面向工业物联网的可信设备传递身份认证方法,包括设备和网关的注册、网关的直接认证、设备的直接认证和设备的传递认证四个过程;所述设备的传递认证过程包括以下步骤:The present invention is realized through the following technical solutions: a trusted device transfer identity authentication method for the industrial Internet of Things, including four processes of registration of the device and gateway, direct authentication of the gateway, direct authentication of the device, and transfer authentication of the device; The transfer authentication process of the device includes the following steps:

步骤D1:新设备输入新设备身份标识和新设备指纹,并利用随机字符生成算法Gen(•)和哈希函数生成部分新设备认证信息,然后,新设备选择随机数和获取第一当前时间戳和位置信息,通过计算的信息与存储的信息进行级联、异或和哈希运算生成新设备认证信息,并将新设备认证信息通过公共信道发送给可信的设备;Step D1: The new device enters the new device identity and new device fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate part of the new device authentication information. Then, the new device selects a random number and obtains the first current timestamp. and location information, generate new device authentication information through cascade, XOR and hash operations of calculated information and stored information, and send the new device authentication information to trusted devices through public channels;

步骤D2:可信的设备收到新设备认证信息后,获取第二当前时间戳和位置信息,并验证新设备的第一当前时间戳和位置信息;可信的设备使用会话密钥对新设备认证信息进行加密,然后使用与网关的会话密钥结合时间戳得到设备验证参数,将新设备认证消息通过公共信道发送给网关;Step D2: After receiving the new device authentication information, the trusted device obtains the second current timestamp and location information, and verifies the first current timestamp and location information of the new device; the trusted device uses the session key to authenticate the new device The authentication information is encrypted, and then the device authentication parameters are obtained using the gateway's session key combined with the timestamp, and the new device authentication message is sent to the gateway through the public channel;

步骤D3:网关收到新设备认证信息后,获取第三当前时间戳并与第二当前时间戳比较,验证通信延时是否在最大通信延时范围内,网关通过存储的会话密钥对设备验证参数进行验证,然后,网关将新设备认证信息通过公共信道发送给服务器;Step D3: After receiving the new device authentication information, the gateway obtains the third current timestamp and compares it with the second current timestamp to verify whether the communication delay is within the maximum communication delay range. The gateway authenticates the device through the stored session key. The parameters are verified, and then the gateway sends the new device authentication information to the server through the public channel;

步骤D4:服务器收到新设备认证信息后,获取第四当前时间戳与第三当前时间戳比较,并验证通信延时是否在最大通信延时范围内,服务器根据新设备认证信息在数据库中检索存储的数据,验证可信的设备的设备认证信息;然后,服务器根据解密的信息验证新设备认证信息;服务器生成随机数与解密的新设备认证信息进行级联和哈希运算生成与新设备的会话密钥和部分服务器认证信息;Step D4: After receiving the new device authentication information, the server obtains the fourth current timestamp and compares it with the third current timestamp, and verifies whether the communication delay is within the maximum communication delay range. The server searches the database based on the new device authentication information. The stored data verifies the device authentication information of the trusted device; then, the server verifies the new device authentication information based on the decrypted information; the server generates random numbers and performs cascade and hash operations with the decrypted new device authentication information to generate the new device's authentication information. Session keys and some server authentication information;

步骤D5:服务器使用自身的私有密钥进行哈希运算后和会话密钥进行异或操作得到新设备对应的秘密信息并存储在数据库,并且服务器通过随机数和自身私有密钥计算新设备与可信设备之间的会话密钥,将消息加密为服务器认证信息后,服务器将服务器认证信息通过公共信道发送给网关;Step D5: The server uses its own private key to perform a hash operation and performs an XOR operation with the session key to obtain the secret information corresponding to the new device and stores it in the database. The server uses random numbers and its own private key to calculate the new device and the available secret information. The session key between the communication devices, and after encrypting the message into server authentication information, the server sends the server authentication information to the gateway through the public channel;

步骤D6:网关收到服务器认证信息后,获取第五当前时间戳与第四当前时间戳比较,并验证通信延时是否在最大通信延时范围内,网关将服务器认证信息通过公共信道发送给可信的设备;Step D6: After receiving the server authentication information, the gateway obtains the fifth current timestamp and compares it with the fourth current timestamp, and verifies whether the communication delay is within the maximum communication delay range. The gateway sends the server authentication information to the public through the public channel. letter equipment;

步骤D7:可信的设备接收到服务器认证信息后,获取第六当前时间戳并与第五当前时间戳比较,验证通信延时是否在最大通信延时范围内;可信的设备使用自身的秘密信息解密部分服务器认证信息后,使用解密的信息与秘密信息进行哈希运算后得到与新设备的会话密钥;可信的设备根据会话密钥和隐私数据进行异或生成与新设备对应的秘密信息并存储在数据库;将服务器认证消息通过公共信道发送给新设备;Step D7: After receiving the server authentication information, the trusted device obtains the sixth current timestamp and compares it with the fifth current timestamp to verify whether the communication delay is within the maximum communication delay range; the trusted device uses its own secret After the information decrypts part of the server authentication information, the decrypted information and the secret information are used for hashing to obtain the session key with the new device; the trusted device performs XOR based on the session key and private data to generate a secret corresponding to the new device. information and store it in the database; send the server authentication message to the new device through the public channel;

步骤D8:新设备收到服务器认证消息后,获取第七当前时间戳并与第六当前时间戳比较,验证通信延时是否在最大通信延时范围内,然后验证服务器认证消息;新设备通过服务器认证消息和自身的隐私数据进行级联和哈希运算生成与服务器、可信的设备的会话密钥;新设备根据会话密钥和隐私数据进行异或生成与服务器、新设备对应的秘密信息并存储在数据库。Step D8: After receiving the server authentication message, the new device obtains the seventh current timestamp and compares it with the sixth current timestamp to verify whether the communication delay is within the maximum communication delay range, and then verifies the server authentication message; the new device passes the server The authentication message and its own private data are concatenated and hashed to generate a session key with the server and trusted device; the new device performs XOR based on the session key and private data to generate secret information corresponding to the server and new device. Stored in database.

进一步优选,所述设备的注册过程如下步骤:Further preferably, the registration process of the device is as follows:

设备选择设备身份标识和设备指纹,并利用随机字符生成算法Gen(•)和哈希函数生成相应设备注册信息并通过安全信道发送给服务器;The device selects the device identity and device fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate the corresponding device registration information and sends it to the server through a secure channel;

服务器接收到设备注册信息后,生成随机数,使用私有密钥与收到的设备注册信息进行级联和哈希运算生成服务器认证信息并存储,然后将服务器认证信息通过安全信道发送给设备;After receiving the device registration information, the server generates a random number, uses the private key to concatenate and hash the received device registration information to generate server authentication information and stores it, and then sends the server authentication information to the device through a secure channel;

设备接收认证信息并存储。The device receives the authentication information and stores it.

进一步优选,所述网关的注册过程如下:Further preferably, the registration process of the gateway is as follows:

网关选择网关身份标识和网关指纹,并利用随机字符生成算法Gen(•)和哈希函数生成相应网关注册信息并通过安全信道发送给服务器;The gateway selects the gateway identity and gateway fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate the corresponding gateway registration information and sends it to the server through a secure channel;

服务器接收到网关注册信息后,生成随机数,使用私有密钥与收到的网关注册信息进行级联和哈希运算生成服务器认证信息并存储,然后将服务器认证信息通过安全信道发送给网关;After receiving the gateway registration information, the server generates a random number, uses the private key to concatenate and hash the received gateway registration information to generate server authentication information and stores it, and then sends the server authentication information to the gateway through a secure channel;

网关接收认证信息并存储。The gateway receives the authentication information and stores it.

进一步优选,所述网关的直接认证包括如下步骤:Further preferably, the direct authentication of the gateway includes the following steps:

步骤B1:网关输入网关身份标识和网关指纹,并利用随机字符生成算法Gen(•)和哈希函数生成部分网关认证信息;然后,网关选择随机数和获取第一当前时间戳,通过计算的信息与存储的信息进行级联、异或和哈希运算生成网关认证信息,并将网关认证信息通过公共信道发送给服务器;Step B1: The gateway inputs the gateway identity and gateway fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate part of the gateway authentication information; then, the gateway selects a random number and obtains the first current timestamp, and uses the calculated information Concatenate, XOR and hash operations with the stored information to generate gateway authentication information, and send the gateway authentication information to the server through the public channel;

步骤B2:服务器收到网关认证信息后,获取第二当前时间戳,并与第一当前时间戳比较验证通信延时是否在范围内,服务器根据网关认证信息在数据库中检索在注册期间存储的数据,验证网关认证信息,然后,服务器生成随机数与收到的网关认证信息进行级联和哈希运算生成与网关的会话密钥和服务器认证信息;Step B2: After receiving the gateway authentication information, the server obtains the second current timestamp and compares it with the first current timestamp to verify whether the communication delay is within the range. The server retrieves the data stored during registration in the database based on the gateway authentication information. , verify the gateway authentication information, and then, the server generates a random number and concatenates and hashes the received gateway authentication information to generate the gateway's session key and server authentication information;

步骤B3:服务器计算服务器认证信息并通过公共信道发送给网关;Step B3: The server calculates the server authentication information and sends it to the gateway through the public channel;

步骤B4:网关收到服务器认证信息后,获取第三当前时间戳,并验证通信延时是否在范围内和服务器认证信息,验证成功,网关通过服务器认证信息和自身的隐私数据进行级联和哈希运算计算与服务器的会话密钥。网关根据会话密钥和隐私数据进行异或生成与服务器对应的加密信息并存储在数据库。Step B4: After receiving the server authentication information, the gateway obtains the third current timestamp and verifies whether the communication delay is within the range and the server authentication information. If the verification is successful, the gateway performs cascading and hashing through the server authentication information and its own private data. Hashes compute the session key with the server. The gateway performs XOR based on the session key and private data to generate encrypted information corresponding to the server and stores it in the database.

进一步优选,设备的直接认证过程,包括以下步骤:Further preferably, the direct authentication process of the device includes the following steps:

步骤C1:设备输入设备身份标识和设备指纹,并利用随机字符生成算法Gen(•)和哈希函数生成部分设备认证信息,然后,设备选择随机数和获取第一当前时间戳,通过计算的信息与存储的信息进行级联、异或和哈希运算生成设备认证信息,并将设备认证信息通过公共信道发送给网关;Step C1: The device inputs the device identity and device fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate part of the device authentication information. Then, the device selects a random number and obtains the first current timestamp, through the calculated information Concatenate, XOR and hash operations with the stored information to generate device authentication information, and send the device authentication information to the gateway through the public channel;

步骤C2:网关收到消息后,获取第二当前时间戳,并验证与第一当前时间戳的时间差是否在最大通信延时范围内,网关使用会话密钥对设备的部分认证信息进行加密后将消息通过公共信道发送给服务器;Step C2: After receiving the message, the gateway obtains the second current timestamp and verifies whether the time difference with the first current timestamp is within the maximum communication delay range. The gateway uses the session key to encrypt part of the device's authentication information and then Messages are sent to the server over a public channel;

步骤C3:服务器收到消息后,获取第三当前时间戳,并验证与第二当前时间戳的时间差是否在最大通信延时范围内,服务器根据设备认证信息在数据库中检索存储的数据,验证设备认证信息,然后,服务器生成随机数与收到的设备认证信息进行级联和哈希运算得到服务器与设备的会话密钥、设备与网关的会话密钥和服务器认证信息;Step C3: After receiving the message, the server obtains the third current timestamp and verifies whether the time difference with the second current timestamp is within the maximum communication delay range. The server retrieves the stored data in the database based on the device authentication information and verifies the device. Authentication information, then, the server generates a random number and concatenates and hashes it with the received device authentication information to obtain the session key between the server and the device, the session key between the device and the gateway, and the server authentication information;

步骤C4:服务器使用自身的私有密钥进行哈希运算后和会话密钥进行异或操作得到设备对应的秘密信息并存储在数据库,服务器将服务器认证信息通过公共信道发送给网关;Step C4: The server uses its own private key to perform a hash operation and performs an XOR operation with the session key to obtain the secret information corresponding to the device and store it in the database. The server sends the server authentication information to the gateway through the public channel;

步骤C5:网关接收到消息后获取第四当前时间戳,并验证与第三当前时间戳的时间差是否在最大通信延时范围内,网关使用自身的秘密信息对服务器认证信息进行解密,并将解密的信息与自身的私密信息进行异或后保存在数据库;网关将服务器认证信息通过公共信道发送给设备;Step C5: After receiving the message, the gateway obtains the fourth current timestamp and verifies whether the time difference with the third current timestamp is within the maximum communication delay range. The gateway uses its own secret information to decrypt the server authentication information and decrypts it. The information is XORed with its own private information and then stored in the database; the gateway sends the server authentication information to the device through the public channel;

步骤C6:设备收到消息后,获取第五当前时间戳,并验证与第四当前时间戳的时间差是否在最大通信延时范围内,验证服务器认证消息,设备通过服务器认证消息和自身的隐私数据进行级联和哈希运算计算与服务器的会话密钥,设备根据与服务器的会话密钥和隐私数据得到与网关的会话密钥,然后对这些信息进行异或得到与服务器、网关对应的秘密信息并存储在数据库。Step C6: After receiving the message, the device obtains the fifth current timestamp, verifies whether the time difference with the fourth current timestamp is within the maximum communication delay range, and verifies the server authentication message. The device passes the server authentication message and its own private data. Perform cascade and hash operations to calculate the session key with the server. The device obtains the session key with the gateway based on the session key with the server and private data, and then XORs the information to obtain the secret information corresponding to the server and gateway. and stored in database.

本发明的优点:Advantages of the invention:

(1)采用设备指纹,可以有效提升准确率、稳定性、生成率、安全性。(1) Using device fingerprints can effectively improve accuracy, stability, generation rate, and security.

有些认证因素的安全性不高,容易被冒充或者不稳定。在本发明的方案中,不同设备生成的设备指纹都是不同的,每个设备的设备指纹都是独一无二的,使用设备指纹通过随机字符生成算法Gen(•)提取的设备特征也是唯一的,保证设备指纹的不会被冒充,保证设备指纹的准确率重复。物联网系统升级或少量参数的改变,不会影响设备指纹,保证设备指纹的稳定性。每个设备都会生成自己的设备指纹,保证设备指纹的生成率。设备指纹不会被篡改,保证设备指纹的安全性。Some authentication factors are not very secure and can be easily impersonated or unstable. In the solution of the present invention, the device fingerprints generated by different devices are different, and the device fingerprint of each device is unique. The device features extracted by using the device fingerprint through the random character generation algorithm Gen(•) are also unique, ensuring that Device fingerprints will not be impersonated and the accuracy of device fingerprints is guaranteed to be repeated. Internet of Things system upgrades or changes in a small number of parameters will not affect the device fingerprint, ensuring the stability of the device fingerprint. Each device generates its own device fingerprint to ensure the device fingerprint generation rate. The device fingerprint will not be tampered with, ensuring the security of the device fingerprint.

(2)采用轻量级的密码技术来确保安全。(2) Use lightweight cryptography technology to ensure security.

目前物联网系统中,大多数物联网的设备都是资源受限的,无法适用高计算开销和高通信开销的协议。因此轻量级的协议对于物联网的设备来说是十分重要的,能够极大提高整体的效率。本发明使用随机字符生成算法、哈希函数、异或运算、字符串连等轻量级操作,实现物联网的设备、网关与服务器之间的相互认证。哈希函数、异或运算和字符串连所需的计算开销很低,因此可以在减少计算的资源消耗的同时保证安In current IoT systems, most IoT devices are resource-constrained and cannot apply protocols with high computing overhead and high communication overhead. Therefore, lightweight protocols are very important for IoT devices and can greatly improve the overall efficiency. The invention uses lightweight operations such as random character generation algorithms, hash functions, XOR operations, and string concatenation to realize mutual authentication between devices, gateways and servers in the Internet of Things. Hash functions, XOR operations, and string concatenation require very low computational overhead, so they can reduce computational resource consumption while ensuring security.

(3)使用传递认证提高了适用范围。(3) Using pass-through authentication improves the scope of application.

传统的认证方案一般只有直接认证,大多数协议都没有考虑法直接连接到网关的新设备该如何认证,这极大限制了协议的适用范围。因此本发明提出在物联网系统中使用传递认证,通过已经由服务器认证过的可信设备来对无法连接到网关的新设备进行传递认证,既可信设备辅助新设备进行认证,避免了由单一设备进行认证而产生的单点故障,同时极大提升了协议的适用范围。Traditional authentication solutions generally only have direct authentication, and most protocols do not consider how to authenticate new devices that are directly connected to the gateway, which greatly limits the scope of application of the protocol. Therefore, the present invention proposes to use pass-through authentication in the Internet of Things system, through a trusted device that has been authenticated by the server to perform pass-through authentication on a new device that cannot be connected to the gateway. The trusted device assists the new device in the authentication, avoiding the need for a single The single point of failure generated by the device for authentication also greatly enhances the scope of application of the protocol.

附图说明Description of the drawings

图1为本发明的面向工业物联网的可信设备传递身份认证方法流程图。Figure 1 is a flow chart of the identity authentication method for trusted devices oriented to the industrial Internet of Things of the present invention.

图2为本发明的方法的网络模型示意图。Figure 2 is a schematic diagram of the network model of the method of the present invention.

具体实施方式Detailed ways

下面结合附图和实施例详细阐述本发明。需要说明的是,本发明所述的设备均为物联网的设备。The present invention will be described in detail below with reference to the drawings and examples. It should be noted that the devices described in the present invention are all Internet of Things devices.

参照图1和图2,一种面向工业物联网的可信设备传递身份认证方法,包括设备和网关的注册、网关的直接认证、设备的直接认证和设备的传递认证四个过程。Referring to Figures 1 and 2, a trusted device transfer identity authentication method for the industrial Internet of Things includes four processes: registration of the device and gateway, direct authentication of the gateway, direct authentication of the device, and transfer authentication of the device.

设备和网关的注册过程均相同,包括如下步骤:The registration process for both devices and gateways is the same, including the following steps:

步骤A1:设备或网关选择设备或网关身份标识和设备或网关指纹,并利用随机字符生成算法Gen(•)和哈希函数生成相应设备或网关注册信息并通过安全信道发送给服务器;Step A1: The device or gateway selects the device or gateway identity and device or gateway fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate the corresponding device or gateway registration information and sends it to the server through a secure channel;

步骤A2:服务器接收到设备或网关注册信息后,生成随机数,使用私有密钥与收到的设备或网关注册信息进行级联和哈希运算生成服务器认证信息并存储,然后将服务器认证信息通过安全信道发送给设备或网关;Step A2: After receiving the device or gateway registration information, the server generates a random number, uses the private key to concatenate and hash the received device or gateway registration information to generate server authentication information and stores it, and then passes the server authentication information through Secure channel sent to device or gateway;

步骤A3:设备或网关接收认证信息并存储。Step A3: The device or gateway receives the authentication information and stores it.

注册完成后,进行网关的直接认证过程。所述网关的直接认证过程包括如下步骤:After registration is completed, proceed to the direct authentication process of the gateway. The direct authentication process of the gateway includes the following steps:

步骤B1:网关输入网关身份标识和网关指纹,并利用随机字符生成算法Gen(•)和哈希函数生成部分网关认证信息;然后,网关选择随机数和获取第一当前时间戳,通过计算的信息与存储的信息进行级联、异或和哈希运算生成网关认证信息,并将网关认证信息通过公共信道发送给服务器;Step B1: The gateway inputs the gateway identity and gateway fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate part of the gateway authentication information; then, the gateway selects a random number and obtains the first current timestamp, and uses the calculated information Concatenate, XOR and hash operations with the stored information to generate gateway authentication information, and send the gateway authentication information to the server through the public channel;

步骤B2:服务器收到网关认证信息后,获取第二当前时间戳,并与第一当前时间戳比较验证通信延时是否在范围内,服务器根据网关认证信息在数据库中检索在注册期间存储的数据,验证网关认证信息,然后,服务器生成随机数与收到的网关认证信息进行级联和哈希运算生成与网关的会话密钥和服务器认证信息;Step B2: After receiving the gateway authentication information, the server obtains the second current timestamp and compares it with the first current timestamp to verify whether the communication delay is within the range. The server retrieves the data stored during registration in the database based on the gateway authentication information. , verify the gateway authentication information, and then, the server generates a random number and concatenates and hashes the received gateway authentication information to generate the gateway's session key and server authentication information;

步骤B3:服务器计算服务器认证信息并通过公共信道发送给网关;Step B3: The server calculates the server authentication information and sends it to the gateway through the public channel;

步骤B4:网关收到服务器认证信息后,获取第三当前时间戳,并验证通信延时是否在范围内和服务器认证信息,验证成功,网关通过服务器认证信息和自身的隐私数据进行级联和哈希运算计算与服务器的会话密钥。网关根据会话密钥和隐私数据进行异或生成与服务器对应的加密信息并存储在数据库。Step B4: After receiving the server authentication information, the gateway obtains the third current timestamp and verifies whether the communication delay is within the range and the server authentication information. If the verification is successful, the gateway performs cascading and hashing through the server authentication information and its own private data. Hashes compute the session key with the server. The gateway performs XOR based on the session key and private data to generate encrypted information corresponding to the server and stores it in the database.

设备的直接认证过程,包括以下步骤:The direct certification process for devices includes the following steps:

步骤C1:设备输入设备身份标识和设备指纹,并利用随机字符生成算法Gen(•)和哈希函数生成部分设备认证信息,然后,设备选择随机数和获取第一当前时间戳,通过计算的信息与存储的信息进行级联、异或和哈希运算生成设备认证信息,并将设备认证信息通过公共信道发送给网关;Step C1: The device inputs the device identity and device fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate part of the device authentication information. Then, the device selects a random number and obtains the first current timestamp, through the calculated information Concatenate, XOR and hash operations with the stored information to generate device authentication information, and send the device authentication information to the gateway through the public channel;

步骤C2:网关收到消息后,获取第二当前时间戳,并验证与第一当前时间戳的时间差是否在最大通信延时范围内,网关使用会话密钥对设备的部分认证信息进行加密后将消息通过公共信道发送给服务器;Step C2: After receiving the message, the gateway obtains the second current timestamp and verifies whether the time difference with the first current timestamp is within the maximum communication delay range. The gateway uses the session key to encrypt part of the device's authentication information and then Messages are sent to the server over a public channel;

步骤C3:服务器收到消息后,获取第三当前时间戳,并验证与第二当前时间戳的时间差是否在最大通信延时范围内,服务器根据设备认证信息在数据库中检索存储的数据,验证设备认证信息,然后,服务器生成随机数与收到的设备认证信息进行级联和哈希运算得到服务器与设备的会话密钥、设备与网关的会话密钥和服务器认证信息;Step C3: After receiving the message, the server obtains the third current timestamp and verifies whether the time difference with the second current timestamp is within the maximum communication delay range. The server retrieves the stored data in the database based on the device authentication information and verifies the device. Authentication information, then, the server generates a random number and concatenates and hashes it with the received device authentication information to obtain the session key between the server and the device, the session key between the device and the gateway, and the server authentication information;

步骤C4:服务器使用自身的私有密钥进行哈希运算后和会话密钥进行异或操作得到设备对应的秘密信息并存储在数据库,服务器将服务器认证信息通过公共信道发送给网关;Step C4: The server uses its own private key to perform a hash operation and performs an XOR operation with the session key to obtain the secret information corresponding to the device and store it in the database. The server sends the server authentication information to the gateway through the public channel;

步骤C5:网关接收到消息后获取第四当前时间戳,并验证与第三当前时间戳的时间差是否在最大通信延时范围内,网关使用自身的秘密信息对服务器认证信息进行解密,并将解密的信息与自身的私密信息进行异或后保存在数据库;网关将服务器认证信息通过公共信道发送给设备;Step C5: After receiving the message, the gateway obtains the fourth current timestamp and verifies whether the time difference with the third current timestamp is within the maximum communication delay range. The gateway uses its own secret information to decrypt the server authentication information and decrypts it. The information is XORed with its own private information and then stored in the database; the gateway sends the server authentication information to the device through the public channel;

步骤C6:设备收到消息后,获取第五当前时间戳,并验证与第四当前时间戳的时间差是否在最大通信延时范围内,验证服务器认证消息,设备通过服务器认证消息和自身的隐私数据进行级联和哈希运算计算与服务器的会话密钥,设备根据与服务器的会话密钥和隐私数据得到与网关的会话密钥,然后对这些信息进行异或得到与服务器、网关对应的秘密信息并存储在数据库。Step C6: After receiving the message, the device obtains the fifth current timestamp, verifies whether the time difference with the fourth current timestamp is within the maximum communication delay range, and verifies the server authentication message. The device passes the server authentication message and its own private data. Perform cascade and hash operations to calculate the session key with the server. The device obtains the session key with the gateway based on the session key with the server and private data, and then XORs the information to obtain the secret information corresponding to the server and gateway. and stored in database.

设备的传递认证过程,包括以下步骤:The device delivery certification process includes the following steps:

步骤D1:新设备输入新设备身份标识和新设备指纹,并利用随机字符生成算法Gen(•)和哈希函数生成部分新设备认证信息,然后,新设备选择随机数和获取第一当前时间戳和位置信息,通过计算的信息与存储的信息进行级联、异或和哈希运算生成新设备认证信息,并将新设备认证信息通过公共信道发送给可信的设备;Step D1: The new device enters the new device identity and new device fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate part of the new device authentication information. Then, the new device selects a random number and obtains the first current timestamp. and location information, generate new device authentication information through cascade, XOR and hash operations of calculated information and stored information, and send the new device authentication information to trusted devices through public channels;

步骤D2:可信的设备收到新设备认证信息后,获取第二当前时间戳和位置信息,并验证新设备的第一当前时间戳和位置信息;可信的设备使用会话密钥对新设备认证信息进行加密,然后使用与网关的会话密钥结合时间戳得到设备验证参数,将新设备认证信息通过公共信道发送给网关;Step D2: After receiving the new device authentication information, the trusted device obtains the second current timestamp and location information, and verifies the first current timestamp and location information of the new device; the trusted device uses the session key to authenticate the new device The authentication information is encrypted, and then the session key combined with the gateway's time stamp is used to obtain the device authentication parameters, and the new device authentication information is sent to the gateway through the public channel;

步骤D3:网关收到新设备认证信息后,获取第三当前时间戳并与第二当前时间戳比较,验证通信延时是否在最大通信延时范围内,网关通过存储的会话密钥对设备验证参数进行验证,然后,网关将新设备认证信息通过公共信道发送给服务器;Step D3: After receiving the new device authentication information, the gateway obtains the third current timestamp and compares it with the second current timestamp to verify whether the communication delay is within the maximum communication delay range. The gateway authenticates the device through the stored session key. The parameters are verified, and then the gateway sends the new device authentication information to the server through the public channel;

步骤D4:服务器收到新设备认证信息后,获取第四当前时间戳与第三当前时间戳比较,并验证通信延时是否在最大通信延时范围内,服务器根据新设备认证信息在数据库中检索存储的数据,验证可信的设备的设备认证信息;然后,服务器根据解密的信息验证新设备认证信息;服务器生成随机数与解密的新设备认证信息进行级联和哈希运算生成与新设备的会话密钥和部分服务器认证信息;Step D4: After receiving the new device authentication information, the server obtains the fourth current timestamp and compares it with the third current timestamp, and verifies whether the communication delay is within the maximum communication delay range. The server searches the database based on the new device authentication information. The stored data verifies the device authentication information of the trusted device; then, the server verifies the new device authentication information based on the decrypted information; the server generates random numbers and performs cascade and hash operations with the decrypted new device authentication information to generate the new device's authentication information. Session keys and some server authentication information;

步骤D5:服务器使用自身的私有密钥进行哈希运算后和会话密钥进行异或操作得到新设备对应的秘密信息并存储在数据库,并且服务器通过随机数和自身私有密钥计算新设备与可信设备之间的会话密钥,将消息加密为服务器认证信息后,服务器将服务器认证信息通过公共信道发送给网关;Step D5: The server uses its own private key to perform a hash operation and performs an XOR operation with the session key to obtain the secret information corresponding to the new device and stores it in the database. The server uses random numbers and its own private key to calculate the new device and the available secret information. The session key between the communication devices, and after encrypting the message into server authentication information, the server sends the server authentication information to the gateway through the public channel;

步骤D6:网关收到服务器认证信息后,获取第五当前时间戳与第四当前时间戳比较,并验证通信延时是否在最大通信延时范围内,网关将服务器认证信息通过公共信道发送给可信的设备;Step D6: After receiving the server authentication information, the gateway obtains the fifth current timestamp and compares it with the fourth current timestamp, and verifies whether the communication delay is within the maximum communication delay range. The gateway sends the server authentication information to the public through the public channel. letter equipment;

步骤D7:可信的设备接收到服务器认证信息后,获取第六当前时间戳并与第五当前时间戳比较,验证通信延时是否在最大通信延时范围内;可信的设备使用自身的秘密信息解密部分服务器认证信息后,使用解密的信息与秘密信息进行哈希运算后得到与新设备的会话密钥;可信的设备根据会话密钥和隐私数据进行异或生成与新设备对应的秘密信息并存储在数据库;将服务器认证消息通过公共信道发送给新设备;Step D7: After receiving the server authentication information, the trusted device obtains the sixth current timestamp and compares it with the fifth current timestamp to verify whether the communication delay is within the maximum communication delay range; the trusted device uses its own secret After the information decrypts part of the server authentication information, the decrypted information and the secret information are used for hashing to obtain the session key with the new device; the trusted device performs XOR based on the session key and private data to generate a secret corresponding to the new device. information and store it in the database; send the server authentication message to the new device through the public channel;

步骤D8:新设备收到服务器认证消息后,获取第七当前时间戳并与第六当前时间戳比较,验证通信延时是否在最大通信延时范围内,然后验证服务器认证消息;新设备通过服务器认证消息和自身的隐私数据进行级联和哈希运算生成与服务器、可信的设备的会话密钥;新设备根据会话密钥和隐私数据进行异或生成与服务器、新设备对应的秘密信息并存储在数据库。Step D8: After receiving the server authentication message, the new device obtains the seventh current timestamp and compares it with the sixth current timestamp to verify whether the communication delay is within the maximum communication delay range, and then verifies the server authentication message; the new device passes the server The authentication message and its own private data are concatenated and hashed to generate a session key with the server and trusted device; the new device performs XOR based on the session key and private data to generate secret information corresponding to the server and new device. Stored in database.

本发明的一个实施例,以设备Di举例,其中i为设备的编号,说明设备的注册过程:An embodiment of the present invention takes device D i as an example, where i is the number of the device, to illustrate the registration process of the device:

步骤A1:设备Di选择自己的设备身份标识IDi、设备指纹BIOi。设备Di根据设备指纹BIOi使用随机字符生成算法Gen(•)生成设备Di的特征数据Ri和辅助数据Pi,并计算设备第一秘密信息Ai=h(IDi||Ri),设备第二秘密信息Bi=h(Ai||Ri),h表示哈希函数。设备Di通过安全信道将设备注册信息{IDi,Bi}发送给服务器S。Step A1: Device D i selects its own device identity ID i and device fingerprint BIO i . The device D i uses the random character generation algorithm Gen(•) to generate the characteristic data R i and auxiliary data Pi of the device D i based on the device fingerprint BIO i , and calculates the first secret information of the device A i =h(ID i ||R i ), the second secret information of the device B i =h(A i ||R i ), h represents the hash function. Device D i sends device registration information {ID i , B i } to server S through a secure channel.

步骤A2:服务器S接收到设备注册信息{IDi,Bi}后,生成随机数ri,并利用服务器的私有密钥x,分别计算设备伪身份标识CIDi=h(IDi||ri),设备第一认证秘密Ci=h(CIDi||x||Bi),设备第二认证秘密Ei=h(Bi||Ci||CIDi)。服务器S在其数据库中保存服务器认证信息{CIDi,Ei},并将服务器认证信息{CIDi,Ci}通过安全信道发送给设备DiStep A2: After receiving the device registration information {ID i ,B i }, the server S generates a random number r i , and uses the server's private key x to calculate the device pseudo-identity CID i =h(ID i ||r i ), the first authentication secret of the device C i =h(CID i ||x||B i ), the second authentication secret of the device E i =h(B i ||C i ||CID i ). The server S saves the server authentication information {CID i , E i } in its database, and sends the server authentication information {CID i , C i } to the device D i through the secure channel.

步骤A3:设备Di接收服务器认证信息{CIDi,Ci}并存储。Step A3: Device D i receives server authentication information {CID i , C i } and stores it.

本发明的一个实施例,以网关Gj举例,其中j为网关的编号,说明网关的注册过程:An embodiment of the present invention takes gateway G j as an example, where j is the number of the gateway, to illustrate the registration process of the gateway:

步骤A1:网关Gj选择自己的网关身份标识GIDj、网关指纹GBIOj。网关Gj根据网关指纹GBIOj使用随机字符生成算法Gen(•)生成网关Gj的特征数据GRj和辅助数据GPj,并计算网关第一秘密信息GAj=h(GIDj||GRj),网关第二秘密信息GBj=h(GAj||GRj)。网关Gj通过安全信道将网关注册信息{GIDj,GBj}发送给服务器S。Step A1: Gateway G j selects its own gateway identity GID j and gateway fingerprint GBIO j . The gateway G j uses the random character generation algorithm Gen(•) to generate the characteristic data GR j and auxiliary data GP j of the gateway G j based on the gateway fingerprint GBIO j , and calculates the first secret information of the gateway GA j =h(GID j ||GR j ), the second secret information of the gateway GB j =h(GA j ||GR j ). The gateway G j sends the gateway registration information {GID j , GB j } to the server S through the secure channel.

步骤A2:服务器S接收到网关注册信息{GIDj,GBj}后,生成随机数Grj,并利用服务器的私有密钥x,分别计算网关伪身份标识GCIDj=h(GIDj||Grj),网关第一认证秘密GCj=h(GCIDj||x||GBj),网关第二认证秘密GEj=h(GBj||GCj||GCIDj)。服务器S在其数据库中保存服务器认证信息{GCIDj,GEj},并将服务器认证信息{GCIDj,GCj}通过安全信道发送给网关GjStep A2: After receiving the gateway registration information {GID j , GB j }, the server S generates a random number Gr j , and uses the server's private key x to calculate the gateway pseudo identity GCID j =h(GID j ||Gr j ), the gateway's first authentication secret GC j =h(GCID j ||x||GB j ), the gateway's second authentication secret GE j =h(GB j ||GC j ||GCID j ). The server S saves the server authentication information {GCID j , GE j } in its database, and sends the server authentication information {GCID j , GC j } to the gateway G j through the secure channel.

步骤A3:网关Gj接收服务器认证信息{GCIDj,GCj}并存储。Step A3: Gateway G j receives the server authentication information {GCID j , GC j } and stores it.

进一步的,本实施例中,所述网关的直接认证过程包括如下步骤:Further, in this embodiment, the direct authentication process of the gateway includes the following steps:

步骤B1:网关Gj输入网关身份标识GIDj和网关指纹GBIOj,j为网关编号,根据网关指纹GBIOj使用随机字符生成算法Gen(•)生成网关Gj的特征数据GRj和辅助数据GPj,并计算网关第一秘密信息GAj=h(GIDj||GRj),网关第二秘密信息GBj=h(GAj||GRj)。网关Gj选择随机数GNj和获取第一当前时间戳T1,并利用自己存储的网关伪身份标识GCIDj=h(GIDj||Grj),Grj为随机数,和网关第一认证秘密GCj=h(GCIDj||x||GBj),计算网关第二认证秘密GEj=h(GBj||GCj||GCIDj),网关第三认证秘密GFj=h(GNj)⊕GEj,网关第四认证秘密GQj=h(GCIDj||GEj)和网关完整性验证信息M1=h(GCIDj||h(GNj)||GEj||GQj||T1),并将网关认证信息{T1,GCIDj,GFj,GQj,M1}通过公共信道发送给服务器S。Step B1: Gateway G j inputs the gateway identity GID j and gateway fingerprint GBIO j , j is the gateway number, and uses the random character generation algorithm Gen(•) to generate the characteristic data GR j and auxiliary data GP of gateway G j based on the gateway fingerprint GBIO j j , and calculate the first secret information of the gateway GA j =h(GID j ||GR j ), and the second secret information of the gateway GB j =h(GA j ||GR j ). The gateway G j selects the random number GN j and obtains the first current timestamp T 1 , and uses its own stored gateway pseudo identity GCID j =h(GID j ||Gr j ), Gr j is a random number, and the gateway first Authentication secret GC j =h(GCID j ||x||GB j ), calculate gateway’s second authentication secret GE j =h(GB j ||GC j ||GCID j ), gateway’s third authentication secret GF j =h (GN j )⊕GE j , gateway fourth authentication secret GQ j =h(GCID j ||GE j ) and gateway integrity verification information M 1 =h(GCID j ||h(GN j )||GE j | |GQ j ||T 1 ), and sends the gateway authentication information {T 1 , GCID j , GF j , GQ j , M 1 } to the server S through the public channel.

步骤B2:服务器S接收到网关认证信息{T1,GCIDj,GFj,GQj,M1}后,获取第二当前时间戳T2,验证通信延时是否在最大通信延时范围内,如果不在范围内,则终止通信,如果在范围内,则根据网关伪身份标识GCIDj在数据库中检索网关第二认证秘密GEj,并计算网关第四认证秘密校验值GQ* j=h(GCIDj||GEj)。服务器S验证网关第四认证秘密校验值GQ* j是否等于网关第四认证秘密GQj,如若不相等则终止通信。服务器S计算哈希值h(GNj)*=GFj⊕GEj,网关完整性验证消息校验值M* 1=h(GCIDj||h(GNj)*||GEj||Qj||T1)。服务器S验证校验网关完整性验证消息校验值M* 1是否等于网关完整性验证信息M1,如若不相等则终止通信,否则生成随机数GNsj,并计算其与网关Gj的会话密钥GSKj=h(h(GNsj)||GEj)。Step B2: After receiving the gateway authentication information {T 1 , GCID j , GF j , GQ j , M 1 }, server S obtains the second current timestamp T 2 and verifies whether the communication delay is within the maximum communication delay range. If it is not within the range, the communication is terminated. If it is within the range, the gateway's second authentication secret GE j is retrieved in the database according to the gateway pseudo identity GCID j , and the gateway's fourth authentication secret check value GQ * j =h( GCID j ||GE j ). The server S verifies whether the gateway's fourth authentication secret check value GQ * j is equal to the gateway's fourth authentication secret GQ j . If not, the communication is terminated. Server S calculates hash value h(GN j ) * =GF j ⊕GE j , gateway integrity verification message check value M * 1 =h(GCID j ||h(GN j ) * ||GE j ||Q j ||T 1 ). The server S verifies whether the gateway integrity verification message check value M * 1 is equal to the gateway integrity verification information M 1 . If not, the communication is terminated. Otherwise, a random number GN sj is generated, and the session key with the gateway G j is calculated. Key GSK j =h(h(GN sj )||GE j ).

步骤B3:服务器S计算对应网关Gj的服务器第一认证秘密GWj=h(GNsj)⊕GEj,服务器完整性验证信息M2=h(h(GNsj)||GCIDj||T2||GEj);计算服务器与网关的会话密钥的加密信息GVsj=GSKj⊕h(x),服务器S存储元组{GVsj}在数据库,并将服务器认证信息{T2,GWj,M2}通过公共信道发送给网关GjStep B3: Server S calculates the server first authentication secret GW j =h(GN sj )⊕GE j corresponding to gateway G j , and server integrity verification information M 2 =h(h(GN sj )||GCID j ||T 2 ||GE j ); calculate the encrypted information GV sj =GSK j ⊕h(x) of the session key between the server and the gateway, the server S stores the tuple {GV sj } in the database, and stores the server authentication information {T 2 , GW j ,M 2 } is sent to gateway G j through the public channel.

步骤B4:当网关Gj接收到服务器认证信息{T2,GWj,M2}后,获取第三当前时间戳T3,验证通信延时是否在最大通信延时范围内,如果不在范围内,则终止通信。网关Gj计算哈希值h(GNsj)*=GWj⊕GEj,服务器完整性验证信息校验值M* 2=h(h(GNsj)*||GCIDj||T2||GEj)。网关Gj验证服务器完整性验证信息校验值M* 2是否等于服务器完整性验证信息M2,如若不相等则终止通信。验证成功后,网关Gj计算其与服务器S的会话密钥GSKj=h(h(GNsj)||GEj),并计算网关与服务器会话密钥的加密信息GVj=GSKj⊕GAj,将存储元组{GVj}保存在数据库中。Step B4: After the gateway G j receives the server authentication information {T 2 , GW j , M 2 }, obtain the third current timestamp T 3 and verify whether the communication delay is within the maximum communication delay range. If not, , the communication is terminated. Gateway G j calculates hash value h(GN sj ) * =GW j ⊕GE j , server integrity verification information check value M * 2 =h(h(GN sj ) * ||GCID j ||T 2 || GE j ). The gateway G j verifies whether the server integrity verification information check value M * 2 is equal to the server integrity verification information M 2 . If not, the communication is terminated. After the verification is successful, the gateway G j calculates the session key GSK j =h(h(GN sj )||GE j ) between it and the server S, and calculates the encrypted information of the session key between the gateway and the server GV j =GSK j ⊕GA j , save the storage tuple {GV j } in the database.

进一步的,所述设备的直接认证过程包括如下步骤:Further, the direct authentication process of the device includes the following steps:

步骤C1:设备Di输入设备身份标识IDi和设备指纹BIOi,根据设备指纹BIOi使用随机字符生成算法Gen(•)生成设备Di的特征数据Ri和辅助数据Pi,并计算设备第一秘密信息Ai=h(IDi||Ri),设备第二秘密信息Bi=h(Ai||Ri)。设备Di选择随机数Ni和获取第一当前时间戳T1,并利用自己存储的设备伪身份标识CIDi=h(IDi||ri),ri为随机数,和设备第一认证秘密Ci=h(CIDi||x||Bi),计算设备第二认证秘密Ei=h(Bi||Ci||CIDi),设备第三认证秘密Fi=h(Ni)⊕Ei,设备第四认证秘密Qi=h(CIDi||Ei)和设备完整性验证信息M3=h(CIDi||h(Ni)||Ei||Qi||T1),并将设备认证消息{T1,CIDi,Fi,Qi,M3}通过公共信道发送给网关GjStep C1: The device D i inputs the device identity ID i and the device fingerprint BIO i , uses the random character generation algorithm Gen(•) to generate the characteristic data R i and auxiliary data P i of the device D i based on the device fingerprint BIO i , and calculates the device The first secret information A i =h(ID i ||R i ), the second secret information of the device B i =h(A i ||R i ). Device D i selects a random number N i and obtains the first current timestamp T 1 , and uses its own stored device pseudo-identity CID i =h(ID i ||ri ) , ri is a random number, and the device first Authentication secret C i =h(CID i ||x||B i ), computing device second authentication secret E i =h(B i ||C i ||CID i ), device third authentication secret F i =h (N i )⊕E i , device fourth authentication secret Q i =h(CID i ||E i ) and device integrity verification information M 3 =h(CID i ||h(N i )||E i | |Q i ||T 1 ), and sends the device authentication message {T 1 ,CID i ,Fi , Q i ,M 3 } to the gateway G j through the public channel.

步骤C2:网关Gj接收到设备认证消息{T1,CIDi,Fi,Qi,M3}后,获取第二当前时间戳T2,与第一当前时间戳T1比较验证通信延时是否在最大通信延时范围内。如果通信延时在范围内,网关Gj则输入网关身份标识GIDj与网关指纹GBIOj,网关Gj根据Gen(GBIOj)=(GRj,GPj)提取网关Gj的特征数据GRj和辅助数据GPj,并计算网关第一秘密信息GAj=h(GIDj||GRj),GSKj=GVj⊕GAj。网关Gj使用GSKj对信息{CIDi,Fi,Qi,M3}进行对称加密后生成网关对称加密信息Mesj,将设备认证消息{T1,T2,GMesj,CIDj}通过公共信道发送给服务器S。Step C2: After receiving the device authentication message {T 1 , CID i , Fi , Q i , M 3 }, the gateway G j obtains the second current timestamp T 2 and compares it with the first current timestamp T 1 to verify the communication delay. time is within the maximum communication delay range. If the communication delay is within the range, the gateway G j inputs the gateway identity GID j and the gateway fingerprint GBIO j . The gateway G j extracts the characteristic data GR j of the gateway G j according to Gen(GBIO j )=(GR j ,GP j ). and auxiliary data GP j , and calculate the gateway's first secret information GA j =h(GID j ||GR j ), GSK j =GV j ⊕GA j . The gateway G j uses GSK j to symmetrically encrypt the information {CID i , Fi , Q i , M 3 } and then generates the gateway symmetric encrypted information Mes j , and converts the device authentication message {T 1 , T 2 , GMes j , CID j } Sent to server S through public channel.

步骤C3:服务器S接收到设备认证消息{T1,T2,GMesj,GCIDj}后,获取第三当前时间戳T3,与第二当前时间戳T2比较验证通信延时是否在最大通信延时范围内。服务器S根据网关伪身份标识GCIDj在其数据库检索GVsj和GEj,服务器S使用自身私钥的哈希值计算出与网关Gj的会话密钥GSKj=GVsj⊕h(x)。然后,服务器S使用会话密钥GSKj解密网关对称加密信息GMesj,得到设备伪身份标识CIDi,设备第三认证秘密Fi,设备第四认证秘密Qi,设备完整性验证信息M3。服务器S使用设备伪身份标识CIDi在其数据库检索设备第二认证秘密Ei,计算设备第四认证秘密校验值Q* i=h(CIDi||Ei),验证设备第四认证秘密校验值Q* i是否等于设备第四认证秘密Qi。服务器S计算哈希值h(Ni)*=Fi⊕Ei,设备完整性验证信息校验值M* 3=h(CIDi||h(Ni)*||Ei||Qi||T1),验证校验设备完整性验证信息校验值M* 3是否等于设备完整性验证信息M3。验证通过后,服务器S生成两个随机数Nsi,NS,并计算与设备Di的会话密钥SKi=h(h(Nsi)||Ei),计算设备Di和网关Gj的会话密钥SKij=h(NS||x)。Step C3: After receiving the device authentication message {T 1 , T 2 , GMes j , GCID j }, the server S obtains the third current timestamp T 3 and compares it with the second current timestamp T 2 to verify whether the communication delay is at the maximum within the communication delay range. Server S retrieves GV sj and GE j in its database based on the gateway pseudo identity GCID j . Server S uses the hash value of its own private key to calculate the session key GSK j =GV sj ⊕h(x) with gateway G j . Then, the server S uses the session key GSK j to decrypt the gateway symmetric encrypted information GMes j , and obtains the device pseudo identity ID CID i , the device third authentication secret F i , the device fourth authentication secret Q i , and the device integrity verification information M 3 . Server S uses the device pseudo-identity identifier CID i to retrieve the device's second authentication secret E i in its database, calculates the device's fourth authentication secret check value Q * i =h (CID i ||E i ), and verifies the device's fourth authentication secret Check whether the check value Q * i is equal to the fourth authentication secret Q i of the device. Server S calculates hash value h(N i ) * =F i ⊕E i , device integrity verification information check value M * 3 =h(CID i ||h(N i ) * ||E i ||Q i ||T 1 ), verify whether the device integrity verification information check value M * 3 is equal to the device integrity verification information M 3 . After the verification is passed, the server S generates two random numbers N si and N S , and calculates the session key SK i = h(h(N si )||E i ) with the device D i , and calculates the device D i and the gateway G Session key SK ij =h(N S ||x) of j .

步骤C4:服务器S计算服务器第一认证秘密Wi=h(Nsi)⊕Ei,服务器完整性验证信息M4=h(h(Nsi)||CIDi||T3||Ei),网关对应秘密信息GGwj=SKij⊕h(Ei),设备对应秘密信息Devi=SKij⊕h(Ei),网关对应秘密信息对称加密GGOj=EncGSKj(GGwj),设备对应秘密信息对称加密Oi=EncSKi(Devi),服务器与设备会话密钥的加密信息Vsi=SKi⊕h(x),服务器存储元组{Vsi}在数据库,将服务器认证消息{T3,Wi,M4,GOj,Oi}通过公共信道发送给网关GjStep C4: Server S calculates the server's first authentication secret Wi =h(N si )⊕E i , and the server integrity verification information M 4 =h(h(N si )||CID i ||T 3 ||E i ), the gateway corresponds to secret information GGw j =SK ij ⊕h(E i ), the device corresponds to secret information Dev i =SK ij ⊕h(E i ), the gateway corresponds to symmetric encryption of secret information GGO j =Enc GSKj (GGw j ), The device corresponding secret information is symmetrically encrypted O i =Enc SKi (Dev i ), the encrypted information of the session key between the server and the device V si =SK i ⊕h(x), the server stores the tuple {V si } in the database, and authenticates the server The message {T 3 , Wi , M 4 , GO j , O i } is sent to the gateway G j through the public channel.

步骤C5:网关Gj接收到服务器认证消息{T3,Wi,M4,GOj,Oi}后,获取第四当前时间戳T4,与第三当前时间戳T3比较验证通信延时是否在最大通信延时范围内。然后网关Gj计算GBj=h(GAj||GRj),GEj=h(GBj||GCj||GCIDj),GSKj=GVj⊕GAj,GGwj=DecGSKj(GOj),网关与设备的会话密钥SKij=GGwj⊕h(GEj),网关与设备的会话密钥的加密信息GZj=SKij⊕GAj,存储元组{GZj}在数据库。将服务器认证消息{T4,T3,Wi,M4,Oi}通过公共信道发送给设备DiStep C5: After receiving the server authentication message {T 3 , Wi , M 4 , GO j , O i }, the gateway G j obtains the fourth current timestamp T 4 and compares it with the third current timestamp T 3 to verify the communication delay. time is within the maximum communication delay range. Then gateway G j calculates GB j =h(GA j ||GR j ), GE j =h(GB j ||GC j ||GCID j ), GSK j =GV j ⊕GA j , GGw j =Dec GSKj ( GO j ), the session key of the gateway and the device SK ij =GGw j ⊕h(GE j ), the encrypted information of the session key of the gateway and the device GZ j =SK ij ⊕GA j , and the tuple {GZ j } is stored in database. Send the server authentication message {T 4 , T 3 , Wi , M 4 , O i } to the device D i through the public channel.

步骤C6:设备Di接收到服务器认证消息{T4,T3,Wi,M4,Oi}后,获取第五当前时间戳T5,与第四当前时间戳T4比较验证通信延时是否在最大通信延时范围内。设备Di计算哈希值h(Nsi)*=Wi⊕Ei,校验服务器完整性验证信息M* 4=h(h(Nsi)*||CIDi||T3||Ei),验证服务器完整性验证信息校验值M* 4是否等于服务器完整性验证信息M4。然后设备Di计算其与服务器S之间的会话密钥SKi=h(h(Nsi)||Ei),计算设备对应信息Devi=DecSKi(Oi),设备与网关的会话密钥SKij=Devi⊕h(Ei),设备与服务器会话密钥的加密信息Vi=SKi⊕Ai,设备与网关会话密钥的加密信息Zi=SKij⊕h(Ai),设备Di存储元组{Vi,Zi}在数据库。Step C6: After receiving the server authentication message {T 4 , T 3 , Wi , M 4 , O i }, the device D i obtains the fifth current timestamp T 5 and compares it with the fourth current timestamp T 4 to verify the communication delay. time is within the maximum communication delay range. Device D i calculates the hash value h(N si ) * =W i ⊕E i and verifies the server integrity verification information M * 4 =h(h(N si ) * ||CID i ||T 3 ||E i ), verify whether the server integrity verification information check value M * 4 is equal to the server integrity verification information M 4 . Then the device D i calculates the session key SK i =h(h(N si )||E i ) between it and the server S, calculates the device corresponding information Dev i =Dec SKi (O i ), and the session between the device and the gateway Key SK ij =Dev i ⊕h(E i ), encrypted information of device and server session key V i =SK i ⊕A i , encrypted information of device and gateway session key Z i =SK ij ⊕h(A i ), device D i stores tuples {V i , Z i } in the database.

进一步的,本实施例所述设备的传递认证过程包括如下步骤:Further, the transfer authentication process of the device described in this embodiment includes the following steps:

步骤D1:新设备Dn输入新设备身份标识IDn和新设备指纹BIOn,根据新设备指纹BIOn使用随机字符生成算法Gen(•)生成新设备Dn的特征数据Rn和辅助数据Pn,并计算新设备第一秘密信息An=h(IDn||Rn),新设备第二秘密信息Bn=h(An||Rn);新设备Dn选择随机数Nn和第一当前时间戳T1,并利用自己存储的新设备伪身份标识CIDn=h(IDn||rn),rn为随机数,和新设备第一认证秘密Cn=h(CIDn||x||Bn),计算新设备第二认证秘密En=h(Bn||Cn||CIDn),新设备第三认证秘密Fn=h(Nn)⊕En,新设备第四认证秘密Qn=h(CIDn||En)和新设备完整性验证信息M1n=h(CIDn||h(Nn)||En||Qn||T1),生成新设备当前位置Ln,并将新设备认证消息{T1,Ln,CIDn,Fn,Qn,M1n}通过公共信道发送给可信的设备DiStep D1: The new device D n inputs the new device identity ID n and the new device fingerprint BIO n , and uses the random character generation algorithm Gen(•) to generate the characteristic data R n and auxiliary data P of the new device D n based on the new device fingerprint BIO n . n , and calculate the first secret information of the new device A n =h(ID n ||R n ), the second secret information of the new device B n =h(A n ||R n ); the new device D n selects a random number N n and the first current timestamp T 1 , and use the new device’s pseudo identity CID n =h(ID n ||r n ) stored by itself, r n is a random number, and the new device’s first authentication secret C n =h (CID n ||x||B n ), calculate the second authentication secret of the new device E n =h(B n ||C n ||CID n ), and calculate the third authentication secret of the new device F n =h(N n ) ⊕E n , the fourth authentication secret of the new device Q n =h(CID n ||E n ) and the new device integrity verification information M 1n =h(CID n ||h(N n )||E n ||Q n ||T 1 ), generate the current location L n of the new device, and send the new device authentication message {T 1 ,L n ,CID n ,F n ,Q n ,M 1n } to the trusted device D through the public channel i .

步骤D2:可信的设备Di接收到新设备消息{T1,Ln,CIDn,Fn,Qn,M1n}后,获取第二当前时间戳T2和可信的设备位置信息Li,可信的设备Di验证通信延时和位置距离是否在最大范围内,如果在范围内,则输入设备身份标识IDi和设备指纹BIOi,可信的设备Di根据Gen(BIOi)=(Ri,Pi)提取设备的特征数据Ri和辅助数据Pi,计算Ai=h(IDi||Ri),SKi=Vi⊕Ai,SKij=Zi⊕h(Ai),可信的设备Di与网关Gj的秘密信息Yi=h(SKij||T2)。可信的设备Di使用会话密钥SKi对数据{CIDn||Fn||Qn||M1n}进行对称加密得到设备对称加密信息M5,将新设备认证消息{T1,T2,Yi,M5,CIDi}通过公共信道发送给网关GjStep D2: After receiving the new device message {T 1 , L n , CID n , F n , Q n , M 1n }, the trusted device D i obtains the second current timestamp T 2 and the trusted device location information. L i , the trusted device D i verifies whether the communication delay and location distance are within the maximum range. If it is within the range, enter the device identity ID i and device fingerprint BIO i . The trusted device D i verifies whether the communication delay and location distance are within the maximum range. i )=(R i ,P i ) extract the device’s characteristic data R i and auxiliary data P i , calculate A i =h(ID i ||R i ), SK i =V i ⊕A i , SK ij =Z i ⊕h(A i ), the secret information Y i =h(SK ij ||T 2 ) of the trusted device D i and the gateway G j . The trusted device D i uses the session key SK i to symmetrically encrypt the data {CID n ||F n ||Q n ||M 1n } to obtain the device symmetric encryption information M 5 , and converts the new device authentication message {T 1 , T 2 , Y i , M 5 , CID i } are sent to the gateway G j through the public channel.

步骤D3:网关Gj接收到新设备认证消息{T1,T2,Yi,M5,CIDi}后,获取第三当前时间戳T3,验证通信延时是否在最大通信延时范围内,如果在范围内,则输入网关身份标识GIDj和网关指纹GBIOj,网关Gj根据Gen(GBIOj)=(GRj,GPj)提取网关Gj的特征数据GRj和辅助数据GPj,并计算GAj=h(GIDj||GRj),SKij=GZj⊕GAj,并计算可信的设备Di与网关Gj的秘密信息校验值Y* i=h(SKij||T2),验证Y* i是否与Yi相等,如若不相等,则终止通信。将新设备认证消息{T1,T3,M5,CIDi,GCIDj}通过公共信道发送给服务器S。Step D3: After receiving the new device authentication message {T 1 , T 2 , Yi , M 5 , CID i }, the gateway G j obtains the third current timestamp T 3 and verifies whether the communication delay is within the maximum communication delay range. If within the range, input the gateway identity GID j and gateway fingerprint GBIO j , and the gateway G j extracts the characteristic data GR j and auxiliary data GP of the gateway G j according to Gen(GBIO j )=(GR j ,GP j ) j , and calculate GA j =h(GID j ||GR j ) , SK ij =GZ j ⊕GA j , and calculate the secret information check value Y * i = h( SK ij ||T 2 ), verify whether Y * i is equal to Y i , if not, terminate the communication. Send the new device authentication message {T 1 , T 3 , M 5 , CID i , GCID j } to the server S through the public channel.

步骤D4:服务器S接收到新设备认证消息{T1,T3,M5,CIDi,GCIDj}后,获取第四当前时间戳T4,验证通信延时是否在最大通信延时范围内。服务器S根据设备伪身份标识CIDi在其数据库检索Vsi和Ei,使用自身的私钥哈希值计算出与可信的设备Di的会话密钥SKi=Vsi⊕h(x)。然后服务器S使用会话密钥SKi解密设备对称加密信息M5得到新设备伪身份标识CIDn,新设备第三认证秘密Fn,新设备第四认证秘密Qn,新设备完整性验证信息M1n。服务器S使用CIDn在其数据库检索新设备第二认证秘密En,并计算新设备第四认证秘密校验值Q* n=h(CIDn||En),验证新设备第四认证秘密校验值Q* n是否等于新设备第四认证秘密Qn,如若不相等,则终止通信;否则服务器S计算哈希值h(Nn)*=Fn⊕En,新设备完整性验证信息校验值M* 1n=h(CIDn||h(Nn)*||En||Q* n||T1),验证M* 1n是否等于M1n。如若不相等,则终止通信。否则服务器S生成随机数Nsn,并计算与新设备Dn的会话密钥SKn=h(h(Nsn)||En),计算新设备Dn与可信的设备Di之间的会话密钥SKni=h(Nsn||x)。Step D4: After receiving the new device authentication message {T 1 , T 3 , M 5 , CID i , GCID j }, the server S obtains the fourth current timestamp T 4 and verifies whether the communication delay is within the maximum communication delay range. . Server S retrieves V si and E i in its database based on the device pseudo identity CID i , and uses its own private key hash value to calculate the session key SK i =V si ⊕h(x) with the trusted device D i . Then the server S uses the session key SK i to decrypt the device symmetric encryption information M 5 to obtain the new device pseudo identity CID n , the new device's third authentication secret F n , the new device's fourth authentication secret Q n , and the new device's integrity verification information M 1n . Server S uses CID n to retrieve the new device's second authentication secret En in its database, and calculates the new device's fourth authentication secret check value Q * n =h (CID n ||E n ) to verify the new device's fourth authentication secret. Check whether the check value Q * n is equal to the fourth authentication secret Q n of the new device. If not, the communication is terminated; otherwise, the server S calculates the hash value h(N n ) * =F n ⊕E n and verifies the integrity of the new device. Information check value M * 1n =h(CID n ||h(N n ) * ||E n ||Q * n ||T 1 ), verify whether M * 1n is equal to M 1n . If not equal, communication is terminated. Otherwise, the server S generates a random number N sn and calculates the session key SK n =h(h(N sn )||E n ) with the new device D n , and calculates the relationship between the new device D n and the trusted device D i The session key SK ni =h(N sn ||x).

步骤D5:服务器S计算对应新设备Dn的服务器第一认证秘密Wn=h(Nsn)⊕En,服务器完整性验证信息M6=h(h(Nsn)||CIDn||T4||En),可信的设备对应秘密信息Dev'i=SKni⊕h(Ei),新设备对应秘密信息Devn=SKni⊕h(En),可信的设备对应秘密信息的对称加密O'i=EncSKi(Dev'i),新设备对应秘密信息的对称加密On=EncSKn(Devn),服务器与新设备会话密钥的加密信息Vsn=SKn⊕h(x),服务器S保存{Vsn}在其数据库,将服务器认证消息{T4,Wn,M6,O'i,On}通过公共信道发送给网关GjStep D5: Server S calculates the server's first authentication secret W n =h(N sn )⊕E n corresponding to the new device D n , and the server integrity verification information M 6 =h(h(N sn )||CID n || T 4 ||E n ), the trusted device corresponds to the secret information Dev' i =SK ni ⊕h(E i ), the new device corresponds to the secret information Dev n =SK ni ⊕h(E n ), the trusted device corresponds Symmetric encryption of secret information O' i =Enc SKi (Dev' i ), symmetric encryption of secret information corresponding to the new device O n =Enc SKn (Dev n ), encrypted information of the session key between the server and the new device V sn =SK n ⊕h(x), server S saves {V sn } in its database, and sends the server authentication message {T 4 , W n , M 6 , O' i , O n } to the gateway G j through the public channel.

步骤D6:网关Gj接收到服务器认证消息{T4,Wn,M6,O'i,On}后,获取第五当前时间戳T5,验证通信延时是否在最大通信延时范围内,将服务器认证消息{T5,T4,Wn,M6,O'i,On}通过公共信道发送给可信的设备DiStep D6: After receiving the server authentication message {T 4 , W n , M 6 , O' i , On } , the gateway G j obtains the fifth current timestamp T 5 and verifies whether the communication delay is within the maximum communication delay range. Within, the server authentication message {T 5 , T 4 , W n , M 6 , O' i , On } is sent to the trusted device D i through the public channel.

步骤D7:可信的设备Di接收到服务器认证消息{T5,T4,Wn,M6,O'i,On}后,获取第六当前时间戳T6,验证通信延时是否在最大通信延时范围内。可信的设备Di计算Dev'i=DecSKi(O'i),计算其与新设备的会话密钥SKni=Dev'i⊕h(Ei),并计算可信的设备与新设备会话密钥的加密信息Vt=SKtn⊕Ai,可信的设备Di存储元组{Vt}在其数据库,将服务器认证消息{T6,T4,Wn,M6,On}通过公共信道发送给新设备DnStep D7: After receiving the server authentication message {T 5 , T 4 , W n , M 6 , O' i , On } , the trusted device Di obtains the sixth current timestamp T 6 and verifies whether the communication delay is Within the maximum communication delay range. The trusted device D i calculates Dev' i =Dec SKi (O' i ), calculates its session key SK ni =Dev' i ⊕h(E i ) with the new device, and calculates the relationship between the trusted device and the new device The encrypted information of the session key V t =SK tn ⊕A i , the trusted device D i stores the tuple {V t } in its database, and sends the server authentication message {T 6 , T 4 , W n , M 6 , O n } is sent to the new device D n through the public channel.

步骤D8:新设备Dn接收到服务器认证消息{T6,T4,Wn,M6,On}后,获取第七当前时间戳T7,验证通信延时是否在最大通信延时范围内;新设备Dn计算哈希值h(Nsn)*=Wn⊕En,服务器完整性验证消息校验值M* 6=h(h(Nsn)||CIDn||T4||En),验证M* 6是否等于M6。如若不相等,则终止通信。否则计算新设备Dn与服务器S之间的会话密钥SKn=h(h(Nsn)||En),计算新设备对应秘密Devn=DecSKn(On)。新设备Dn计算其与可信的设备Di的会话密钥SKni=Devn⊕h(En),并计算新设备与服务器会话密钥的加密信息V1=SKn⊕An,新设备与可信的设备会话密钥的加密信息V2=SKni⊕h(An),新设备Dn存储元组{V1,V2}在其数据库。Step D8: After receiving the server authentication message {T 6 , T 4 , W n , M 6 , On } , the new device D n obtains the seventh current timestamp T 7 and verifies whether the communication delay is within the maximum communication delay range. Within; new device D n calculates hash value h(N sn ) * =W n ⊕E n , server integrity verification message check value M * 6 =h(h(N sn )||CID n ||T 4 ||E n ), verify whether M * 6 is equal to M 6 . If not equal, communication is terminated. Otherwise, calculate the session key SK n =h(h(N sn )||E n ) between the new device D n and the server S, and calculate the new device corresponding secret Dev n =Dec SKn (O n ). The new device D n calculates its session key SK ni =Dev n ⊕h(E n ) with the trusted device D i , and calculates the encrypted information V 1 =SK n ⊕A n of the session key between the new device and the server, The new device has encrypted information V 2 =SK ni ⊕h(A n ) with the trusted device session key, and the new device D n stores the tuple {V 1 , V 2 } in its database.

以上公开的本发明优选实施例只是用于帮助阐述本发明。优选实施例并没有详尽叙述所有的细节,也不限制该本发明仅为所述的具体实施方式。显然,根据本说明书的内容,可作很多的修改和变化。本说明书选取并具体描述这些实施例,是为了更好地解释本发明的原理和实际应用,从而使所属技术领域技术人员能很好地理解和利用本发明。本发明仅受权利要求书及其全部范围和等效物的限制。The preferred embodiments of the invention disclosed above are only intended to help illustrate the invention. The preferred embodiments do not describe all details, nor do they limit the invention to the specific implementations described. Obviously, many modifications and variations are possible in light of the contents of this specification. These embodiments are selected and described in detail in this specification to better explain the principles and practical applications of the present invention, so that those skilled in the art can better understand and utilize the present invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (3)

1.一种面向工业物联网的可信设备传递身份认证方法,其特征在于,包括设备和网关的注册、网关的直接认证、设备的直接认证和设备的传递认证四个过程;所述设备的传递认证过程包括以下步骤:1. A trusted device transfer identity authentication method for the industrial Internet of Things, which is characterized in that it includes four processes: registration of the device and the gateway, direct authentication of the gateway, direct authentication of the device, and transfer authentication of the device; The pass-through certification process includes the following steps: 步骤D1:新设备输入新设备身份标识和新设备指纹,并利用随机字符生成算法Gen(•)和哈希函数生成部分新设备认证信息,然后,新设备选择随机数和获取第一当前时间戳和位置信息,通过与新设备存储的在注册阶段由服务器生成的认证信息进行级联、异或和哈希运算生成新设备认证信息,并将新设备认证信息通过公共信道发送给可信的设备;Step D1: The new device enters the new device identity and new device fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate part of the new device authentication information. Then, the new device selects a random number and obtains the first current timestamp. and location information, by concatenating, XORing and hashing the authentication information stored by the new device and generated by the server during the registration phase to generate new device authentication information, and sending the new device authentication information to the trusted device through the public channel ; 步骤D2:可信的设备收到新设备认证信息后,获取第二当前时间戳和位置信息,并验证新设备的第一当前时间戳和位置信息;可信的设备使用会话密钥对新设备认证信息进行加密,然后使用与网关的会话密钥结合时间戳得到可信的设备验证参数,将新设备认证消息通过公共信道发送给网关;Step D2: After receiving the new device authentication information, the trusted device obtains the second current timestamp and location information, and verifies the first current timestamp and location information of the new device; the trusted device uses the session key to authenticate the new device The authentication information is encrypted, and then the session key and timestamp of the gateway are used to obtain trusted device authentication parameters, and the new device authentication message is sent to the gateway through the public channel; 步骤D3:网关收到新设备认证信息后,获取第三当前时间戳并与第二当前时间戳比较,验证通信延时是否在最大通信延时范围内,网关通过存储的会话密钥对可信的设备验证参数进行验证,然后,网关将新设备认证信息通过公共信道发送给服务器;Step D3: After receiving the new device authentication information, the gateway obtains the third current timestamp and compares it with the second current timestamp to verify whether the communication delay is within the maximum communication delay range. The gateway uses the stored session key to trust Verify the device authentication parameters, and then the gateway sends the new device authentication information to the server through the public channel; 步骤D4:服务器收到新设备认证信息后,获取第四当前时间戳与第三当前时间戳比较,并验证通信延时是否在最大通信延时范围内,服务器根据新设备认证信息在数据库中检索存储的数据,验证可信的设备的设备认证信息;然后,服务器根据解密的信息验证新设备认证信息;服务器生成随机数与解密的新设备认证信息进行级联和哈希运算生成与新设备的会话密钥和部分服务器认证信息;Step D4: After receiving the new device authentication information, the server obtains the fourth current timestamp and compares it with the third current timestamp, and verifies whether the communication delay is within the maximum communication delay range. The server searches the database based on the new device authentication information. The stored data verifies the device authentication information of the trusted device; then, the server verifies the new device authentication information based on the decrypted information; the server generates random numbers and performs cascade and hash operations with the decrypted new device authentication information to generate the new device's authentication information. Session keys and partial server authentication information; 步骤D5:服务器使用自身的私有密钥进行哈希运算后和会话密钥进行异或操作得到新设备对应的秘密信息并存储在数据库,并且服务器通过随机数和自身私有密钥计算新设备与可信设备之间的会话密钥,将消息加密为服务器认证信息后,服务器将服务器认证信息通过公共信道发送给网关;Step D5: The server uses its own private key to perform a hash operation and performs an XOR operation with the session key to obtain the secret information corresponding to the new device and stores it in the database. The server uses random numbers and its own private key to calculate the new device and the available secret information. The session key between the communication devices, and after encrypting the message into server authentication information, the server sends the server authentication information to the gateway through the public channel; 步骤D6:网关收到服务器认证信息后,获取第五当前时间戳与第四当前时间戳比较,并验证通信延时是否在最大通信延时范围内,网关将服务器认证信息通过公共信道发送给可信的设备;Step D6: After receiving the server authentication information, the gateway obtains the fifth current timestamp and compares it with the fourth current timestamp, and verifies whether the communication delay is within the maximum communication delay range. The gateway sends the server authentication information to the public through the public channel. letter equipment; 步骤D7:可信的设备接收到服务器认证信息后,获取第六当前时间戳并与第五当前时间戳比较,验证通信延时是否在最大通信延时范围内;可信的设备使用自身的秘密信息解密部分服务器认证信息后,使用解密的信息与秘密信息进行哈希运算后得到与新设备的会话密钥;可信的设备根据会话密钥和隐私数据进行异或生成与新设备对应的秘密信息并存储在数据库;将服务器认证消息通过公共信道发送给新设备;Step D7: After receiving the server authentication information, the trusted device obtains the sixth current timestamp and compares it with the fifth current timestamp to verify whether the communication delay is within the maximum communication delay range; the trusted device uses its own secret After the information decrypts part of the server authentication information, the decrypted information and the secret information are used for hashing to obtain the session key with the new device; the trusted device performs XOR based on the session key and private data to generate a secret corresponding to the new device. information and store it in the database; send the server authentication message to the new device through the public channel; 步骤D8:新设备收到服务器认证消息后,获取第七当前时间戳并与第六当前时间戳比较,验证通信延时是否在最大通信延时范围内,然后验证服务器认证消息;新设备通过服务器认证消息和自身的隐私数据进行级联和哈希运算生成与服务器、可信的设备的会话密钥;新设备根据会话密钥和隐私数据进行异或生成与服务器、新设备对应的秘密信息并存储在数据库;Step D8: After receiving the server authentication message, the new device obtains the seventh current timestamp and compares it with the sixth current timestamp to verify whether the communication delay is within the maximum communication delay range, and then verifies the server authentication message; the new device passes the server The authentication message and its own private data are concatenated and hashed to generate a session key with the server and trusted device; the new device performs XOR based on the session key and private data to generate secret information corresponding to the server and new device. stored in database; 所述设备的注册过程如下:The registration process for the device is as follows: 设备选择设备身份标识和设备指纹,并利用随机字符生成算法Gen(•)和哈希函数生成相应设备注册信息并通过安全信道发送给服务器;The device selects the device identity and device fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate the corresponding device registration information and sends it to the server through a secure channel; 服务器接收到设备注册信息后,生成随机数,使用私有密钥与收到的设备注册信息进行级联和哈希运算生成服务器认证信息并存储,然后将服务器认证信息通过安全信道发送给设备;After receiving the device registration information, the server generates a random number, uses the private key to concatenate and hash the received device registration information to generate server authentication information and stores it, and then sends the server authentication information to the device through a secure channel; 设备接收认证信息并存储;The device receives the authentication information and stores it; 所述网关的注册过程如下:The registration process of the gateway is as follows: 网关选择网关身份标识和网关指纹,并利用随机字符生成算法Gen(•)和哈希函数生成相应网关注册信息并通过安全信道发送给服务器;The gateway selects the gateway identity and gateway fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate the corresponding gateway registration information and sends it to the server through a secure channel; 服务器接收到网关注册信息后,生成随机数,使用私有密钥与收到的网关注册信息进行级联和哈希运算生成服务器认证信息并存储,然后将服务器认证信息通过安全信道发送给网关;After receiving the gateway registration information, the server generates a random number, uses the private key to concatenate and hash the received gateway registration information to generate server authentication information and stores it, and then sends the server authentication information to the gateway through a secure channel; 网关接收认证信息并存储。The gateway receives the authentication information and stores it. 2.根据权利要求1所述的一种面向工业物联网的可信设备传递身份认证方法,其特征在于,所述网关的直接认证包括如下步骤:2. A trusted device transfer identity authentication method for the industrial Internet of Things according to claim 1, characterized in that the direct authentication of the gateway includes the following steps: 步骤B1:网关输入网关身份标识和网关指纹,并利用随机字符生成算法Gen(•)和哈希函数生成部分网关认证信息;然后,网关选择随机数和获取第一当前时间戳,通过与网关存储的在注册阶段由服务器生成的认证信息进行级联、异或和哈希运算生成网关认证信息,并将网关认证信息通过公共信道发送给服务器;Step B1: The gateway inputs the gateway identity and gateway fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate part of the gateway authentication information; then, the gateway selects a random number and obtains the first current timestamp, and stores it with the gateway The authentication information generated by the server during the registration phase is concatenated, XORed and hashed to generate gateway authentication information, and the gateway authentication information is sent to the server through the public channel; 步骤B2:服务器收到网关认证信息后,获取第二当前时间戳,并与第一当前时间戳比较验证通信延时是否在范围内,服务器根据网关认证信息在数据库中检索在注册期间存储的数据,验证网关认证信息,然后,服务器生成随机数与收到的网关认证信息进行级联和哈希运算生成与网关的会话密钥和服务器认证信息;Step B2: After receiving the gateway authentication information, the server obtains the second current timestamp and compares it with the first current timestamp to verify whether the communication delay is within the range. The server retrieves the data stored during registration in the database based on the gateway authentication information. , verify the gateway authentication information, and then, the server generates a random number and concatenates and hashes the received gateway authentication information to generate the gateway's session key and server authentication information; 步骤B3:服务器计算服务器认证信息并通过公共信道发送给网关;Step B3: The server calculates the server authentication information and sends it to the gateway through the public channel; 步骤B4:网关收到服务器认证信息后,获取第三当前时间戳,并验证通信延时是否在范围内和服务器认证信息,验证成功,网关通过服务器认证信息和自身的隐私数据进行级联和哈希运算计算与服务器的会话密钥;网关根据会话密钥和隐私数据进行异或生成与服务器对应的加密信息并存储在数据库。Step B4: After receiving the server authentication information, the gateway obtains the third current timestamp and verifies whether the communication delay is within the range and the server authentication information. If the verification is successful, the gateway performs cascading and hashing through the server authentication information and its own private data. The hash operation calculates the session key with the server; the gateway performs XOR based on the session key and private data to generate encrypted information corresponding to the server and stores it in the database. 3.根据权利要求1所述的一种面向工业物联网的可信设备传递身份认证方法,其特征在于,设备的直接认证过程,包括以下步骤:3. A trusted device transfer identity authentication method for the industrial Internet of Things according to claim 1, characterized in that the direct authentication process of the device includes the following steps: 步骤C1:设备输入设备身份标识和设备指纹,并利用随机字符生成算法Gen(•)和哈希函数生成部分设备认证信息,然后,设备选择随机数和获取第一当前时间戳,通过与设备存储的在注册阶段由服务器生成的认证信息进行级联、异或和哈希运算生成生成设备认证信息,并将设备认证信息通过公共信道发送给网关;Step C1: The device inputs the device identity and device fingerprint, and uses the random character generation algorithm Gen(•) and the hash function to generate part of the device authentication information. Then, the device selects a random number and obtains the first current timestamp, and stores it with the device The authentication information generated by the server during the registration phase is concatenated, XORed and hashed to generate device authentication information, and the device authentication information is sent to the gateway through the public channel; 步骤C2:网关收到消息后,获取第二当前时间戳,并验证与第一当前时间戳的时间差是否在最大通信延时范围内,网关使用会话密钥对设备的部分认证信息进行加密后将消息通过公共信道发送给服务器;Step C2: After receiving the message, the gateway obtains the second current timestamp and verifies whether the time difference with the first current timestamp is within the maximum communication delay range. The gateway uses the session key to encrypt part of the device's authentication information and then Messages are sent to the server over a public channel; 步骤C3:服务器收到消息后,获取第三当前时间戳,并验证与第二当前时间戳的时间差是否在最大通信延时范围内,服务器根据设备认证信息在数据库中检索存储的数据,验证设备认证信息,然后,服务器生成随机数与收到的设备认证信息进行级联和哈希运算得到服务器与设备的会话密钥、设备与网关的会话密钥和服务器认证信息;Step C3: After receiving the message, the server obtains the third current timestamp and verifies whether the time difference with the second current timestamp is within the maximum communication delay range. The server retrieves the stored data in the database based on the device authentication information and verifies the device. Authentication information, then, the server generates a random number and concatenates and hashes it with the received device authentication information to obtain the session key between the server and the device, the session key between the device and the gateway, and the server authentication information; 步骤C4:服务器使用自身的私有密钥进行哈希运算后和会话密钥进行异或操作得到设备对应的秘密信息并存储在数据库,服务器将服务器认证信息通过公共信道发送给网关;Step C4: The server uses its own private key to perform a hash operation and performs an XOR operation with the session key to obtain the secret information corresponding to the device and store it in the database. The server sends the server authentication information to the gateway through the public channel; 步骤C5:网关接收到消息后获取第四当前时间戳,并验证与第三当前时间戳的时间差是否在最大通信延时范围内,网关使用自身的秘密信息对服务器认证信息进行解密,并将解密的信息与自身的私密信息进行异或后保存在数据库;网关将服务器认证信息通过公共信道发送给设备;Step C5: After receiving the message, the gateway obtains the fourth current timestamp and verifies whether the time difference with the third current timestamp is within the maximum communication delay range. The gateway uses its own secret information to decrypt the server authentication information and decrypts it. The information is XORed with its own private information and then stored in the database; the gateway sends the server authentication information to the device through the public channel; 步骤C6:设备收到消息后,获取第五当前时间戳,并验证与第四当前时间戳的时间差是否在最大通信延时范围内,验证服务器认证消息,设备通过服务器认证消息和自身的隐私数据进行级联和哈希运算计算与服务器的会话密钥,设备根据与服务器的会话密钥和隐私数据得到与网关的会话密钥,然后对这些信息进行异或得到与服务器、网关对应的秘密信息并存储在数据库。Step C6: After receiving the message, the device obtains the fifth current timestamp, verifies whether the time difference with the fourth current timestamp is within the maximum communication delay range, and verifies the server authentication message. The device passes the server authentication message and its own private data. Perform cascade and hash operations to calculate the session key with the server. The device obtains the session key with the gateway based on the session key with the server and private data, and then XORs the information to obtain the secret information corresponding to the server and gateway. and stored in database.
CN202311345057.0A 2023-10-18 2023-10-18 Trusted equipment transfer identity authentication method for industrial Internet of things Active CN117097561B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311345057.0A CN117097561B (en) 2023-10-18 2023-10-18 Trusted equipment transfer identity authentication method for industrial Internet of things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311345057.0A CN117097561B (en) 2023-10-18 2023-10-18 Trusted equipment transfer identity authentication method for industrial Internet of things

Publications (2)

Publication Number Publication Date
CN117097561A CN117097561A (en) 2023-11-21
CN117097561B true CN117097561B (en) 2024-01-16

Family

ID=88783662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311345057.0A Active CN117097561B (en) 2023-10-18 2023-10-18 Trusted equipment transfer identity authentication method for industrial Internet of things

Country Status (1)

Country Link
CN (1) CN117097561B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180130203A (en) * 2017-05-29 2018-12-07 한국전자통신연구원 APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
KR20190007572A (en) * 2017-07-12 2019-01-23 덕성여자대학교 산학협력단 Method for setting secret key and authenticating mutual device of internet of things environment
WO2019083082A1 (en) * 2017-10-26 2019-05-02 순천향대학교 산학협력단 Ksi-based authentication and communication method for safe smart home environment, and system therefor
KR20210072711A (en) * 2019-12-09 2021-06-17 세종대학교산학협력단 Method and apparatus for mutual authentication between internet of things device and trusted server
CN113746632A (en) * 2021-07-20 2021-12-03 南京邮电大学 Multi-level identity authentication method for Internet of things system
WO2023071751A1 (en) * 2021-10-29 2023-05-04 华为技术有限公司 Authentication method and communication apparatus

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12047519B2 (en) * 2021-07-15 2024-07-23 Nanyang Technological University Physical unclonable function based mutual authentication and key exchange
CN113872763B (en) * 2021-09-07 2024-10-01 杭州师范大学 Privacy protection authentication method based on wireless body area network

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180130203A (en) * 2017-05-29 2018-12-07 한국전자통신연구원 APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
KR20190007572A (en) * 2017-07-12 2019-01-23 덕성여자대학교 산학협력단 Method for setting secret key and authenticating mutual device of internet of things environment
WO2019083082A1 (en) * 2017-10-26 2019-05-02 순천향대학교 산학협력단 Ksi-based authentication and communication method for safe smart home environment, and system therefor
KR20210072711A (en) * 2019-12-09 2021-06-17 세종대학교산학협력단 Method and apparatus for mutual authentication between internet of things device and trusted server
CN113746632A (en) * 2021-07-20 2021-12-03 南京邮电大学 Multi-level identity authentication method for Internet of things system
WO2023071751A1 (en) * 2021-10-29 2023-05-04 华为技术有限公司 Authentication method and communication apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WanTao ; LiaoWeichuan.《Cryptanalysis on Polynomial-Based E-Voting Schemes》.《IEEE》.2010,全文. *

Also Published As

Publication number Publication date
CN117097561A (en) 2023-11-21

Similar Documents

Publication Publication Date Title
CN110971415B (en) An anonymous access authentication method and system for a space-earth integrated spatial information network
CN108768608B (en) Privacy protection identity authentication method supporting thin client under block chain PKI
CN112737779B (en) Cryptographic machine service method, device, cryptographic machine and storage medium
CN101917270B (en) Weak authentication and key agreement method based on symmetrical password
US11223486B2 (en) Digital signature method, device, and system
CN116707791B (en) Distributed authentication key negotiation method in intelligent vehicle-mounted networking system
CN107395368B (en) Digital signature method, decapsulation method and decryption method in media-free environment
CN106961336A (en) A kind of key components trustship method and system based on SM2 algorithms
CN114036539B (en) Secure and auditable IoT data sharing system and method based on blockchain
CN115549887A (en) Determination of a common secret and hierarchical deterministic keys for the secure exchange of information
US20220345298A1 (en) Systems and methods for providing signatureless, confidential and authentication of data during handshake for classical and quantum computing environments
CN110999202B (en) Computer-implemented system and method for highly secure, high-speed encryption and transmission of data
CN110601838A (en) Identity authentication method, device and system based on quantum key
CN113630248B (en) Session key negotiation method
WO2010005071A1 (en) Password authenticating method
CN106487786B (en) Cloud data integrity verification method and system based on biological characteristics
CN111786786A (en) Proxy re-encryption method and system supporting equality determination in cloud computing environment
CN114024698A (en) A security interaction method and system for power distribution Internet of things business based on national secret algorithm
CN115632880B (en) A method and system for reliable data transmission and storage based on national secret algorithm
TW201537937A (en) Unified identity authentication platform and authentication method thereof
CN117614626B (en) A lightweight identity authentication method based on PUF
CN116318654A (en) SM2 algorithm collaborative signature system, method and equipment integrating quantum key distribution
CN111065097B (en) Channel protection method and system based on shared secret key in mobile internet
CN116388995A (en) Lightweight smart grid authentication method based on PUF
CN106230840B (en) A kind of command identifying method of high security

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant