CN104853351A - Internet of Vehicles distributed authentication method based on controllable privacy - Google Patents

Abstract

The invention discloses an Internet of Vehicles distributed authentication method based on controllable privacy, relates to the field of vehicle network communication safety, and specifically relates to an Internet of Vehicles distributed authentication method based on controllable privacy. The method specifically includes five following steps: system initialization; private key update of fake names and a part of signatures; message signature; message authentication of signatures; and real identity tracking and revocation. According to the method, the double hash chain is employed to establish the fake names, the communication cost for invalidating a vehicle identity is irrelevant to the numbers of the fake names and a part of the signature private keys of the vehicle, a vehicle user can update multiple parts of signature private keys by the adoption of one authorization, and the burden of trusted authority (TA) and road-side units (RSU) is reduced; when a message with a controversial signature occurs, the TA can distinguish whether the signature is forged by the RSU according to re-signature of the message uploaded by the vehicle, and the problem of non-repudiation in the distributed environment is solved. According to the method, the security is high, the cost is low, and the method is applicable to node high-speed movement, topology structure volatility, and large-scale VANET network.

Description

A kind of networking of the car based on controlled privacy distributed authentication method

Technical field

The present invention relates to In-vehicle networking field of communication security, particularly a kind of networking of the car based on controlled privacy distributed authentication method.

Background technology

Vehicular ad hoc network is mobile ad hoc network and the sensor technology embody rule at field of traffic, and it can greatly reduce the generation of traffic safety accident, improves road efficiency and provides information service.Vehicular ad hoc network adopts Dedicated Short Range Communications, supports that the communication V2V between car and car and car and roadside unit intercom V2I two kinds of communication patterns mutually, build a self-organizing, distributed, dispose facilitate, the inter-vehicular communication network of structure opening.

The deployment of vehicle-mounted net and enforcement have huge Social and economic benef@, cause showing great attention to of industrial quarters and academia in recent years, create many important achievements in research.But the development of this technology is also faced with many challenges, while the integrality mainly guaranteeing message and confirmability, protect the privacy of driver and conductor and meet the requirement of process in real time.Forge message to meet the needs of oneself because lawless person and selfish personnel may utilize vehicle-mounted net to propagate, so data signature mechanism must be used to guarantee, the information transmitted comes from true and reliable vehicle; But these message generally include position, the direction and time etc. of vehicle, can threaten the privacy of driver and conductor, so will realize anonymous authentication by other people after being known; And in distributed identity authentication environment, realize occurring that the message traceability of dispute just must meet the non-repudiation of information signature.

In order to address these problems, there are many representational achievements in research.Raya M etc. advise adopting another name authentication mechanism in vehicular ad hoc network the earliest.Vehicle is applied for a large amount of certificate to CA and is stored onboard, and CA stores the relation of true identity and another name.Armknecht F etc. have studied the routing policy under another name mechanism, considers between protection privacy and maintenance routing stability.Fischer L etc. points out if assailant can invade CA, and another name mechanism just loses the effect of secret protection.For this reason, author advises that vehicle adopts Proxy Signature from multiple CA application another name, which greatly enhances the threshold of privacy leakage.But the program generates but alias expense is too large, and the another name of the malice vehicle that cannot singlely cancel.Above-mentioned another name mechanism is all concentrated authorization, namely once obtains a large amount of another name certificates.Like this, greatly increased the weight of the burden of Certificate Authority, and the certificate that the vehicle that cancels will be held all cancels, and this means sizable calcellation expense.

For another name mechanism, the another name number that minimizing vehicle carries is the effective ways reducing calcellation expense.The suggestion such as Bellur adopts distributed certificate management mode, allows vehicle to upgrade another name by RSU in normal traveling process.Whole Region dividing is become some subregions, and every alias certificate can only use in a sub regions.Certain member of such calcellation just only needs to notice it and has the subregion calling place.The ECPP scheme that Lu etc. propose decreases the radio transmission expense of calcellation list and the storage overhead of common vehicle.Wasef etc. propose vehicle can apply for certificate from RSU as required, and author reduces the reliability rating of RSU under study for action, think that RSU is half believable, but the deficiency of the program is that the cost recovering malice testing vehicle register is larger.Priya etc. propose GAP scheme, and the program uses group ranking and batch certification, but does not reach the non-repudiation under distributed bad border, and in the program, the vehicle RSU that can countercharge forges a signature.

Summary of the invention

The object of the invention is to a kind of car based on controlled privacy networking distributed authentication method, reduce RSU computing cost and communication overhead, alleviate the burden of TA and RSU, solve the undeniable sex chromosome mosaicism of transmit leg under distributed environment, thus realize the Distributed Anonymous certification of the safety and efficiently rate in vehicle-mounted net.

In order to solve above technical problem, the present invention adopts the signature scheme of the part signature private key of secret value and the RSU place acquisition of providing based on authoritative institution, and the concrete technical scheme of car networking distributed authentication method proposed based on controlled privacy is as follows:

Based on a car networking distributed authentication method for controlled privacy, it is characterized in that comprising following steps:

Step one, system initialization: authoritative institution chooses common parameter, for RSU and vehicle are registered;

Step 2, assumed name and part signature private key upgrade: the identity of certifying authority vehicle, and for part signature private key request certificate provided by vehicle, described vehicle obtains a collection of corresponding part signature private key according to part signature private key request certificate from RSU;

Step 3, information signature: the secret value that vehicle utilizes authoritative institution to provide and the part signature private key that RSU place obtains are signed to message, obtain the message of signing; Described information signature have employed the secret value of authoritative institution's granting and the part signature private key of RSU granting simultaneously;

Step 4, the message authentication of signature: vehicle sends the message of signature according to other vehicle received, carries out certification to the message of signature;

Step 5, the tracking of true identity with cancel: when disputing on appears in the message of signature, authoritative institution tracks the true identity of vehicle according to the message of signing, and is cancelled by described testing vehicle register.

Described step one is specially further:

Process one, a Big prime p selects in authoritative institution, selects two constant a, b ∈ Z _pmake 4a ³+ 27b ²≠ 0 mod p, definition Z _pon elliptic curve E:y ²=x ³+ ax+b by one based on congruence expression y ²=x ³disaggregation and an infinite point O of+ax+b mod p form, if P is that on E, rank are a point of prime number q, TA selects a random number as system master key, computing system PKI PK _tA=SK _tAp ∈ G, then select two Hash functions with the cryptographic algorithm Enc of a safety _k(), last TA public address system parameter (q, P, G, H ₁, H ₂, Enc _k());

Process two, when vehicle registration, TA is to vehicle V _idistribute a true identity RID _i∈ G, and the public private key pair that traditional wherein last TA is V _iselect the seed of two hash chains with l is the number of the seed generation assumed name of two hash chains, and stores the mapping relations of true identity and hash chain seed;

Process three, TA is that each RSU selects a random number as the private key of RSU, and calculate as the PKI of RSU, finally by R _i=(RSU _i|| L _i), with safe sends RSU to, wherein L _ibe the positional information of RSU, thus obtain certificate ${\mathrm{Cert}}_{\mathrm{TA},R_i}=(R_i,{\mathrm{PK}}_{R_i},{\mathrm{SIG}}_{{\mathrm{SK}}_{\mathrm{TA}}}(R_i,{\mathrm{PK}}_{R_i})).$

Described step 2 is specially following process further:

Process one, as vehicle V _iwhen entering RSU, vehicle V _iselect a random number r', then will by RSU send to TA, r' is used to prevent opponent from collecting information, thus obtains this vehicle through which RSU; TA decrypt X, checks RID _iwhether cancelling in chained list; Vehicle V in each RSU _ithe assumed name quantity upgraded once is needed to be fixing, at R _ithe interior quantity upgraded that needs is

TA is vehicle generating portion signature private key request certificate: first TA is by searching memory cell, calculates vehicle V _ithe assumed name quantity upgraded is m, and TA judges herein whether set up, if set up TA random selecting and calculate then will t _stamp, with with use vehicle V _iconventional public-key encryption generating messages $Y={\mathrm{Enc}}_{{\mathrm{PK}}_{V_i}}(U_i^1,t_{\mathrm{stamp}},x_{V_i},S_{V_i}^{1,m+1},S_{V_i}^{2,l-n_{R_i}-m+1},{\mathrm{SIG}}_{{\mathrm{SK}}_{\mathrm{TA}}}(U_i^1,t_{\mathrm{stamp}},S_{V_i}^{1,m+1},S_{V_i}^{2,l-n_{R_i}-m+1})),$ Y is sent to V by RSU _i, otherwise TA is vehicle V _iagain choose hash chain seed, TA will add self memory space and renewal tA chooses herein add part signature private key request certificate, object makes, when there is the message of controversial signature, can differentiate the source of the message of signature, reach non-repudiation;

Process two, vehicle V _iafter receiving enciphered message Y, use vehicle V _itraditional private key deciphering Y, obtain U ₁, t _stamp, with checking TA signature validity, if signature is effectively, V _iwill with part signature private key request certificate $Z=(U_i^1,t_{\mathrm{stamp}},S_{V_i}^{1,m+1},S_{V_i}^{2,l-m-n_{R_i}+1},{\mathrm{SIG}}_{{\mathrm{SK}}_{\mathrm{TA}}}(U_i^1,t_{\mathrm{stamp}},S_{V_i}^{1,m+1},S_{V_i}^{2,l-m-n_{R_i}+1}))$ There is the memory space of self, V _iwait for and obtain signature private key from RSU;

Process three, RSU broadcasts certificate termly if legal, vehicle V _ichoose a random number and calculate symmetric key and decryption factor then, V _isend a request message to RSU rSU calculates symmetric key and decipher W, then proving time stamp t _stampfreshness, and signature validity; If the verification passes, RSU calculates assumed name PID _i,j,

$\left\{\begin{array}{c}{S}_{V_i}^{1,m+j}=h^{m+j}\left({\mathrm{SD}}_{V_i}^1\right),\\ S_{V_i}^{2,l-j-m+1}=h^{l-j-m+1}\left({\mathrm{SD}}_{V_i}^2\right),\\ {\mathrm{PID}}_{i,j}=h(S_{V_i}^{1,j+m}\⊕S_{V_i}^{2,l-j-m+1})(1\≤j\≤n_{R_i}).\end{array}\right.---\left(1\right),$

Choose corresponding to each assumed name RSU calculate $U_{i,j}^2=r_{i,j}P,U_{i,j}=U_i^1+U_{i,j}^2;$ Order wherein Δ t _i,jit is the time window that part signature private key uses; Calculate $d_{{\mathrm{PID}}_{i,j}}=r_{i,j}+h_{i,j}{\mathrm{SK}}_{R_i}\mathrm{mod}q,$ RSU handle $\mathrm{\Ψ}={\mathrm{Enc}}_{{\mathrm{\φ}}^{\′}}(U_{i,j},d_{{\mathrm{PID}}_{i,j}},{\mathrm{\Δt}}_{i,j},(1\≤j\≤n_{R_i}))$ Send to vehicle V _i, RSU will add the memory space of self;

Process four, vehicle V _iafter receiving message Ψ, obtain U with after φ deciphering _i,j, Δ t _i,j, and calculate assumed name according to formula (1), finally store n _riindividual four-tuple (PID _i,j, U _i,j, Δ t _i,j) for information signature.

Described step 3 is specially following process further:

For message M ∈ { 0,1} ^*, vehicle signature is as follows:

Process one, random selecting calculate R _i,j=k _i,jp;

Process two, order $e_{i,j}=H_2(M_i,{\mathrm{PID}}_{i,j},{\mathrm{PK}}_{R_i},U_{i,j},R_{i,j});$

Process three, calculates $v_{i,j}=k_{i,j}+e_{i,j}(d_{{\mathrm{PID}}_{i,j}}+x_{V_i});$

Then δ _i=(U _i,j, e _i,j, v _i,j) be exactly vehicle V _iwith assumed name PID _i,jto message M _isignature.

Described step 4 is specially further:

Verification algorithm: once receive the message (PID of signature _i,j, M _i, Δ t _i,j, δ _i), verifier proceeds as follows:

Process one, calculates $h_{i,j}=H_1({\mathrm{PID}}_{i,j},{\mathrm{PK}}_{R_i},U_{i,j});$

Process two, calculates $R_{i,j}^{\′}=v_{i,j}P-e_{i,j}(U_{i,j}+h_{i,j}{\mathrm{PK}}_{R_i});$

Process three, finally calculates $e_{i,j}^{\′}=H_2(M_i,{\mathrm{PID}}_{i,j},{\mathrm{PK}}_{R_i},U_{i,j},R_{i,j}^{\′});$

And if only if e ' _i,j=e _i,jtime, verifier accepts the message of signing.

Described step 5 is specially further:

When the message of an appearance controversial signature time, according to vehicle V _iassumed name PID _i,j, TA searches for the PID of storage from self memory space _i,jcorresponding true identity, obtains vehicle V _itrue identity RID _i, TA is once obtain RID _i, just can cancel V easily _i, mainly comprise two processes;

Process one, by RID _iadd and cancel chained list (CRL), V _ican not obtain new part signature private key request certificate from TA, RSU is no longer vehicle V _idistribution unit divides signature private key

Process two, first, cancels V _ithe not yet expired assumed name obtained and part signature private key, TA is according to the memory space of self find Current vehicle V _iobtain the RSU of assumed name and part signature private key; Then, TA will send to RSU, C is added that the signature of RSU is broadcast to all vehicle user of RSU region by RSU; Finally, third party is after receiving C, and third party calculates the effective assumed name PID cancelling vehicle and hold at present according to formula (1) _i,j, third party is PID _i,jbe added to time window Δ t _i,jin interior local CRL.

The application has beneficial effect.Present applicant proposes a kind of car based on controlled privacy networking distributed authentication method, this application uses Double Hash chains to build assumed name, on the basis keeping anonymity, the assumed name that the communication overhead of a calcellation testing vehicle register and this car are held and part signature private key number have nothing to do, and user utilizes a mandate can upgrade multiple part signature private key, alleviates the burden of TA and RSU; Due to when the distribution of signature private key, RSU is according to part signature private key request certificates constructing part signature private key, so when having dispute message, TA can according to vehicle upload to this message again sign distinguish this signature whether be forged by RSU, solve the undeniable sex chromosome mosaicism under distributed environment.In addition, this application, no matter in the distribution of part signature private key, signature process and verification process do not need expensive to computing, and signature authentication only needs three dot products operations, has increased substantially certification speed, has been highly suitable for VANET network.

Accompanying drawing explanation

The flow chart of the networking of the car based on the controlled privacy distributed authentication method that Fig. 1 provides for the embodiment of the present invention.

The assumed name that Fig. 2 provides for the embodiment of the present invention and the flow chart that part signature private key upgrades.

The flow chart of the information signature that Fig. 3 provides for the embodiment of the present invention.

The flow chart of the message authentication that Fig. 4 provides for the embodiment of the present invention.

The flow chart that Fig. 5 cancels for the identity that the embodiment of the present invention provides.

Embodiment

As shown in Figure 1, the present invention has 5 steps, is respectively:

(1) system initialization: authoritative institution chooses common parameter, for RSU and vehicle are registered;

(2) assumed name and part signature private key upgrade: the identity of certifying authority vehicle, and for signature private key request certificate provided by vehicle, described vehicle obtains a collection of corresponding signature private key according to signature private key request certificate from RSU;

(3) information signature: the secret value that vehicle utilizes authoritative institution to provide and the signature private key that RSU place obtains are signed to message;

(4) message authentication of signing: vehicle sends the message of signature according to other vehicle received, carries out certification to the message of signature;

(5) true identity tracking with cancel: when disputing on appears in the message of signature, authoritative institution tracks the true identity of vehicle according to the message of signing, and is cancelled by described testing vehicle register.

Below in conjunction with specific embodiments and the drawings, the present invention is further described.

(1) initialization system: authoritative institution chooses common parameter, for RSU and vehicle are registered;

Step 1.1: described authoritative institution, selects a Big prime p, selects two constant a, b ∈ Z _pmake 4a ³+ 27b ²≠ 0 mod p, definition Z _pon elliptic curve E:y ²=x ³+ ax+b by one based on congruence expression y ²=x ³disaggregation and an infinite point O of+ax+b mod p form, if P is that on E, rank are a point of prime number q.

Step 1.2:TA selects a random number as system master key, computing system PKI PK _tA=SK _tAp ∈ G, then select two Hash functions with the cryptographic algorithm Enc of a safety _k(), last TA public address system parameter (q, P, G, H ₁, H ₂, Enc _k());

Step 1.3: when vehicle registration, TA is to vehicle V _idistribute a true identity RID _i∈ G, and the public private key pair that traditional wherein last TA is V _iselect the seed of two hash chains with suppose that the seed of every two hash chains is used for generating l assumed name, and store the mapping relations of true identity and hash chain seed;

Step 1.4:TA is that each RSU selects a random number as the private key of RSU, and calculate as the PKI of RSU, finally by R _i=(RSU _i|| L _i), with safe sends RSU to, wherein L _ibe the positional information of RSU, can certificate be obtained ${\mathrm{Cert}}_{\mathrm{TA},R_i}=(R_i,{\mathrm{PK}}_{R_i},{\mathrm{SIG}}_{{\mathrm{SK}}_{\mathrm{TA}}}(R_i,{\mathrm{PK}}_{R_i})).$

(2) assumed name and part signature private key upgrade: as shown in Figure 2, the identity of certifying authority vehicle, for signature private key request certificate provided by vehicle, described vehicle obtains a collection of corresponding signature private key according to signature private key request certificate from RSU, has 18 steps.

Step 2.1: as vehicle V _iwhen entering RSU, vehicle V _iselect a random number r', then will by RSU send to TA.

Step 2.2:TA decrypt X, checks RID _iwhether cancelling in chained list; RID _iif not cancelling in chained list, to step 2.3, otherwise to step 2.17.

Step 2.3:TA, by searching memory cell, calculates vehicle V _ithe assumed name quantity upgraded is m, and TA judges herein whether set up, if set up to step 2.4, otherwise to step 2.5.

Step 2.4:TA random selecting and calculate tA generating messages $Y={\mathrm{Enc}}_{{\mathrm{PK}}_{V_i}}(U_i^1,t_{\mathrm{stamp}},x_{V_i},S_{V_i}^{1,m+1},S_{V_i}^{2,l-n_{R_i}-m+1},{\mathrm{SIG}}_{{\mathrm{SK}}_{\mathrm{TA}}}(U_i^1,t_{\mathrm{stamp}},S_{V_i}^{1,m+1},S_{V_i}^{2,l-n_{R_i}-m+1})),$ Y is sent to V by RSU _i, to step 2.6.

Step 2.5:TA is vehicle V _iagain hash chain seed is chosen, to step 2.3.

Step 2.6:TA will add self memory space and renewal $(R_i,S_{V_i}^{1,m+n_{R_i}+1},$ $S_{V_i}^{2,l-m-n_{R_i}+1}).$

Step 2.7: vehicle V _iafter receiving enciphered message Y, use vehicle V _itraditional private key deciphering Y, obtain U ₁, t _stamp, with checking TA signature validity, if TA signature valid till step 2.8.Otherwise to step 2.1.

Step 2.8:V _istore secret value with part signature private key request certificate

$Z=(U_i^1,t_{\mathrm{stamp}},S_{V_i}^{1,m+1},S_{V_i}^{2,l-m-n_{R_i}+1},{\mathrm{SIG}}_{{\mathrm{SK}}_{\mathrm{TA}}}(U_i^1,t_{\mathrm{stamp}},S_{V_i}^{1,m+1},S_{V_i}^{2,l-m-n_{R_i}+1})).$

Step 2.9:RSU broadcasts certificate termly ${\mathrm{Cert}}_{\mathrm{TA},R_i}=(R_i,{\mathrm{PK}}_{R_i},$ ${\mathrm{SIG}}_{{\mathrm{SK}}_{\mathrm{TA}}}(R_i,{\mathrm{PK}}_{R_i})).$

Step 2.10:V _ichecking it is legitimacy.If certificate is legal in step 2.11, otherwise to step 2.17.

Step 2.11: vehicle V _ichoose a random number and calculate symmetric key and decryption factor then, V _isend a request message to RSU

Step 2.12:RSU calculates symmetric key and decipher W, then proving time stamp t _stampfreshness, and signature validity; If the verification passes, to step 2.13, otherwise to step 2.17.

Step 2.13:RSU calculates assumed name PID _i,j,

$\left\{\begin{array}{c}{S}_{V_i}^{1,m+j}=h^{m+j}\left({\mathrm{SD}}_{V_i}^1\right),\\ S_{V_i}^{2,l-j-m+1}=h^{l-j-m+1}\left({\mathrm{SD}}_{V_i}^2\right),\\ {\mathrm{PID}}_{i,j}=h(S_{V_i}^{1,j+m}\⊕S_{V_i}^{2,l-j-m+1})(1\≤j\≤n_{R_i}).\end{array}\right.---\left(1\right),$

Step 2.14: choose corresponding to each assumed name RSU calculate $U_{i,j}=U_i^1+U_{i,j}^2;$ Order $h_{i,j}=H_1({\mathrm{PID}}_{i,j},{\mathrm{PK}}_{R_i},{\mathrm{\Δt}}_{i,j},U_{i,j}),$ Wherein Δ t _i,jit is the time window that part signature private key uses; Calculate $d_{{\mathrm{PID}}_{i,j}}=r_{i,j}+h_{i,j}{\mathrm{SK}}_{R_i}\mathrm{mod}q.$

Step 2.15:RSU handle $\mathrm{\Ψ}={\mathrm{Enc}}_{{\mathrm{\φ}}^{\′}}(U_{i,j},d_{{\mathrm{PID}}_{i,j}},{\mathrm{\Δt}}_{i,j},(1\≤j\≤n_{R_i}))$ Send to vehicle V _i, RSU incites somebody to action ( t _stamp) add self memory space;

Step 2.16: vehicle V _iafter receiving message Ψ, obtain U with after φ deciphering _i,j, Δ t _{i, j}, and according to the assumed name of formula (1) calculating above, finally store individual four-tuple (PID _i,j, U _i,j, Δ t _i,j) for information signature.To step 2.18.

Step 2.17: protocol ends.

Step 2.18: assumed name and part signature private key upgrade and terminate.

So far assumed name and part signature private key upgrade and terminate, the message that in described Handshake Protocol, assailant is stolen by network monitoring, because do not decipher secret key can not decipher the content obtaining message, ensure that the confidentiality of message, with respective signature, each message ensure that message is not tampered.

(3) information signature: described information signature is characterised in that signature have employed the secret value of authoritative institution's granting and the signature private key of RSU granting simultaneously, as shown in Figure 3, has 3 steps.

For message M _i∈ { 0,1} ^*, vehicle signature is as follows:

Step 3.1: vehicle random selecting calculate R _i,j=k _i,jp;

Step 3.2: vehicle makes $e_{i,j}=H_2(M_i,{\mathrm{PID}}_{i,j},{\mathrm{PK}}_{R_i},U_{i,j},R_{i,j});$

Step 3.3: vehicle calculates $v_{i,j}=k_{i,j}+e_{i,j}(d_{{\mathrm{PID}}_{i,j}}+x_{V_i});$

Then δ _i=(U _i,j, e _i,j, v _i,j) be exactly vehicle V _iwith assumed name PID _i,jto message M _isignature.

So far information signature terminates, and described endorsement method cannot be forged, because the signature of the method not only needs secret value but also need part signature private key.Even if after RSU is attacked, forge a signature, also can review the source of message, as long as vehicle produces two signatures to message, whether TA can decision message be just that RSU forges.And the practical assumed name communication of the method, assumed name just with once, reaches identity anonymous and track not trackability well at every turn.

(4) message authentication: as shown in Figure 4, vehicle sends the message of signature according to other vehicle received, and carries out certification to the message of signature;

Verification algorithm: once receive the message (PID of signature _i,j, M _i, Δ t _i,j, δ _i), verifier proceeds as follows:

Step 4.1: verifier calculates $h_{i,j}=H_1({\mathrm{PID}}_{i,j},{\mathrm{PK}}_{R_i},U_{i,j});$

Step 4.2: verifier calculates $R_{i,j}^{\′}=v_{i,j}P-e_{i,j}(U_{i,j}+h_{i,j}{\mathrm{PK}}_{R_i});$

Step 4.3: last verifier calculates $e_{i,j}^{\′}=H_2(M_i,{\mathrm{PID}}_{i,j},{\mathrm{PK}}_{R_i},U_{i,j},R_{i,j}^{\′});$

Step 4.4: if e ' _i,j=e _i,jtime, verifier accepts the message of signing, otherwise abandons this message.

So far, the message authentication of signature terminates, described authentication method, only needs the time of three dot products, and do not need expensive to computing, authentication efficiency is very high.

(5) true identity tracking with cancel: as shown in Figure 5, when dispute appears in the message of signature, authoritative institution tracks the true identity of vehicle according to the message of signature, and is cancelled by described testing vehicle register.

Step 5.1:TA is by RID _iadd and cancel chained list (CRL).

Step 5.2:TA is according to the memory space of self find Current vehicle V _iobtain the RSU of assumed name and part signature private key.

Step 5.3:TA will send to RSU.

C is added that the signature of RSU is broadcast to all vehicle user of RSU region by step 5.4:RSU.

Step 5.5: third party is after receiving C, and third party can calculate according to formula (1) the effective assumed name PID cancelling vehicle and hold at present _i,j, third party is PID _i,jbe added to time window Δ t _i,jin interior local CRL.

Claims (6)

1., based on a car networking distributed authentication method for controlled privacy, it is characterized in that comprising following steps:

Step one, system initialization: authoritative institution chooses common parameter, for RSU and vehicle are registered;

Step 2, assumed name and part signature private key upgrade: the identity of certifying authority vehicle, and for part signature private key request certificate provided by vehicle, described vehicle obtains a collection of corresponding part signature private key according to part signature private key request certificate from RSU;

Step 3, information signature: the secret value that vehicle utilizes authoritative institution to provide and the part signature private key that RSU place obtains are signed to message, obtain the message of signing; Described information signature have employed the secret value of authoritative institution's granting and the part signature private key of RSU granting simultaneously;

Step 4, the message authentication of signature: vehicle sends the message of signature according to other vehicle received, carries out certification to the message of signature;

Step 5, the tracking of true identity with cancel: when disputing on appears in the message of signature, authoritative institution tracks the true identity of vehicle according to the message of signing, and is cancelled by described testing vehicle register.

2. a kind of networking of the car based on controlled privacy distributed authentication method according to claim 1, is characterized in that described step one is specially further:

Process one, a Big prime p selects in authoritative institution, selects two constant a, b ∈ Z _pmake 4a ³+ 27b ²≠ 0 mod p, definition Z _pon elliptic curve E:y ²=x ³+ ax+b by one based on congruence expression y ²=x ³disaggregation and an infinite point O of+ax+b mod p form, if P is that on E, rank are a point of prime number q, TA selects a random number as system master key, computing system PKI PK _tA=SK _tAp ∈ G, then select two Hash functions with the cryptographic algorithm Enc of a safety _k(), last TA public address system parameter (q, P, G, H ₁, H ₂, Enc _k());

Process two, when vehicle registration, TA is to vehicle V _idistribute a true identity RID _i∈ G, and the public private key pair that traditional wherein last TA is V _iselect the seed of two hash chains with l is the number of the seed generation assumed name of two hash chains, and stores the mapping relations of true identity and hash chain seed;

Process three, TA is that each RSU selects a random number as the private key of RSU, and calculate as the PKI of RSU, finally by R _i=(RSU _i|| L _i), with safe sends RSU to, wherein L _ibe the positional information of RSU, thus obtain certificate ${\mathrm{Cert}}_{{\mathrm{TA},R}_i}=(R_i,{\mathrm{PK}}_{R_i},{\mathrm{SIG}}_{{\mathrm{SK}}_{\mathrm{TA}}}(R_i,{\mathrm{PK}}_{R_i})).$

3. a kind of networking of the car based on controlled privacy distributed authentication method according to claim 1, is characterized in that described step 2 is specially following process further:

Process one, as vehicle V _iwhen entering RSU, vehicle V _iselect a random number r', then will by RSU send to TA, r' is used to prevent opponent from collecting information, thus obtains this vehicle through which RSU; TA decrypt X, checks RID _iwhether cancelling in chained list; Vehicle V in each RSU _ithe assumed name quantity upgraded once is needed to be fixing, at R _ithe interior quantity upgraded that needs is

TA is vehicle generating portion signature private key request certificate: first TA is by searching memory cell, calculates vehicle V _ithe assumed name quantity upgraded is m, and TA judges herein whether set up, if set up TA random selecting and calculate then will t _stamp, with with use vehicle V _iconventional public-key encryption generating messages $Y={\mathrm{Enc}}_{{\mathrm{PK}}_{V_i}}(U_i^1,t_{\mathrm{stamp}},x_{V_i},S_{V_i}^{1,m+1},S_{V_i}^{2,l-n_{R_i}-m+1},{\mathrm{SIG}}_{{\mathrm{SK}}_{\mathrm{TA}}}(U_i^1,t_{\mathrm{stamp}},S_{V_i}^{1,m+1},S_{V_i}^{2,l-n_{R_i}-m+1})),$ Y is sent to V by RSU _i, otherwise TA is vehicle V _iagain choose hash chain seed, TA will add self memory space and renewal tA chooses herein add part signature private key request certificate, object makes, when there is the message of controversial signature, can differentiate the source of the message of signature, reach non-repudiation;

Process two, vehicle V _iafter receiving enciphered message Y, use vehicle V _itraditional private key deciphering Y, obtain U ₁, with checking TA signature validity, if signature is effectively, V _iwill with part signature private key request certificate $Z=(U_i^1,t_{\mathrm{stamp}},S_{V_i}^{1,m+1},S_{V_i}^{2,l-{m-n}_{R_i}+1},{\mathrm{SIG}}_{{\mathrm{SK}}_{\mathrm{TA}}}(U_i^1,t_{\mathrm{stamp}},S_{V_i}^{1,m+1},S_{V_i}^{2,l-m-n_{R_i}+1}))$ There is the memory space of self, V _iwait for and obtain signature private key from RSU;

Process three, RSU broadcasts certificate termly if legal, vehicle V _ichoose a random number and calculate symmetric key and decryption factor then, V _isend a request message to RSU rSU calculates symmetric key and decipher W, then proving time stamp t _stampfreshness, and signature validity; If the verification passes, RSU calculates assumed name PID _i,j,

$\left\{\begin{array}{c}{S}_{V_i}^{1,m+j}=h^{m+j}\left({\mathrm{SD}}_{V_i}^1\right),\\ S_{V_i}^{2,l-j-m+1}=h^{l-j-m+1}\left({\mathrm{SD}}_{V_i}^2\right),\\ {\mathrm{PID}}_{i,j}=h(S_{V_i}^{1,j+m}\⊕S_{V_i}^{2,l-j-m+1})(1\≤j\≤n_{R_i}).\end{array}\right.---\left(1\right),$

Choose corresponding to each assumed name RSU calculate order wherein Δ t _i,jit is the time window that part signature private key uses; Calculate $\begin{array}{ccc}{d}_{{\mathrm{PID}}_{i,j}}=r_{i,j}+h_{i,j}{\mathrm{SK}}_{R_i}& \mathrm{mod}& q\end{array},$ RSU handle $\mathrm{\Ψ}={\mathrm{Enc}}_{{\mathrm{\φ}}^{\′}}(U_{i,j},d_{{\mathrm{PID}}_{i,j}},{\mathrm{\Δt}}_{i,j},(1\≤j\≤n_{R_i}))$ Send to vehicle V _i, RSU will add the memory space of self;

Process four, vehicle V _iafter receiving message Ψ, obtain U with after φ deciphering _i,j, Δ t _i,j, and calculate assumed name according to formula (1), finally store individual four-tuple for information signature.

4. a kind of networking of the car based on controlled privacy distributed authentication method according to claim 1, is characterized in that described step 3 is specially following process further:

For message M _i∈ { 0,1} ^*, vehicle signature is as follows:

Process one, random selecting calculate R _i,j=k _i,jp;

Process two, order $e_{i,j}=H_2(M_i,{\mathrm{PID}}_{i,j},{\mathrm{PK}}_{R_i},U_{i,j},R_{i,j});$

Process three, calculates $v_{i,j}=k_{i,j}+e_{i,j}(d_{{\mathrm{PID}}_{i,j}}+x_{V_i});$

Then δ _i=(U _i,j, e _i,j, v _i,j) be exactly vehicle V _iwith assumed name PID _i,jto message M _isignature.

5. a kind of networking of the car based on controlled privacy distributed authentication method according to claim 1, is characterized in that described step 4 is specially further:

Verification algorithm: once receive the message (PID of signature _i,j, M _i, Δ t _i,j, δ _i), verifier proceeds as follows:

Process one, calculates $h_{i,j}=H_1({\mathrm{PID}}_{i,j},{\mathrm{PK}}_{R_i},U_{i,j});$

Process two, calculates $R_{i,j}^{\′}=v_{i,j}P-e_{i,j}(U_{i,j}+h_{i,j}{\mathrm{PK}}_{R_i});$

Process three, finally calculates $e_{i,j}^{\′}=H_2(M_i,{\mathrm{PID}}_{i,j},{\mathrm{PK}}_{R_i},U_{i,j},R_{i,j}^{\′});$

And if only if e ' _i,j=e _i,jtime, verifier accepts the message of signing.

6. a kind of networking of the car based on controlled privacy distributed authentication method according to claim 1, is characterized in that described step 5 is specially further:

When the message of an appearance controversial signature time, according to vehicle V _iassumed name PID _i,j, TA searches for the PID of storage from self memory space _i,jcorresponding true identity, obtains vehicle V _itrue identity RID _i, TA is once obtain RID _i, just can cancel V easily _i, mainly comprise two processes;

Process one, by RID _iadd and cancel chained list (CRL), V _ican not obtain new part signature private key request certificate from TA, RSU is no longer vehicle V _idistribution unit divides signature private key

Process two, first, cancels V _ithe not yet expired assumed name obtained and part signature private key, TA is according to the memory space of self find Current vehicle V _iobtain the RSU of assumed name and part signature private key; Then, TA will send to RSU, C is added that the signature of RSU is broadcast to all vehicle user of RSU region by RSU; Finally, third party is after receiving C, and third party calculates the effective assumed name PID cancelling vehicle and hold at present according to formula (1) _i,j, third party is PID _i,jbe added to time window Δ t _i,jin the CRL (local CRL) of interior RSU region.