CN108566240A - Inter-satellite networking authentication system and method suitable for a two-layer satellite network - Google Patents
- Publication number: CN108566240A
- Application number: CN201810262750.4A
- Authority
- CN
- China
- Prior art keywords
- authentication
- satellite
- leo
- certification
- geo
- Prior art date
- Legal status: Granted (the status is an assumption by Google, not a legal conclusion)
Classifications
- H04B7/18521: Systems of inter linked satellites, i.e. inter satellite service (under H04B7/00 Radio transmission systems, i.e. using radiation field; H04B7/14 Relay systems; H04B7/15 Active relay systems; H04B7/185 Space-based or airborne stations; Stations for satellite systems)
- H04L63/083: Network architectures or network communication protocols for network security, for authentication of entities using passwords (under H04L63/00; H04L63/08)
- H04L9/0863: Generation of secret information including derivation or calculation of cryptographic keys or passwords, involving passwords or one-time passwords (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L9/0861)
- H04L9/3213: Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos (under H04L9/32; H04L9/321)
- H04L9/3297: Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, involving time stamps, e.g. generation of time stamps (under H04L9/32)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Astronomy & Astrophysics (AREA)
- Aviation & Aerospace Engineering (AREA)
- General Physics & Mathematics (AREA)
- Radio Relay Systems (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention belongs to the field of information security technology and discloses an inter-satellite networking authentication system and method suitable for a two-layer satellite network. The system comprises a ground authentication server, a high-orbit (GEO) satellite authentication client and a low-orbit (LEO) satellite authentication client. The ground authentication server is responsible for initialising the satellite authentication system, that is, for generating and distributing the identity information, keys and orbit parameters required for inter-satellite authentication. The GEO and LEO satellite authentication clients are the principals of inter-satellite networking authentication; they perform identity authentication and key agreement between satellites by exchanging authentication parameters. Exploiting the highly synchronised clocks of a satellite network and the predictability of node orbits, the invention designs an authentication precomputation mechanism that effectively improves inter-satellite authentication efficiency. The invention enables GEO and LEO satellites in a two-layer satellite network to perform secure and efficient identity authentication and key agreement during the networking stage, and can be used for networking authentication between high- and low-orbit satellites.
Description
Technical field
The invention belongs to the field of information security technology, and in particular relates to an inter-satellite networking authentication system and method suitable for a two-layer satellite network. It can be used to provide satellite identity authentication services during satellite networking for commercial satellite networks, and can establish trust and secure communication between satellites without the participation of a trusted third party.
Background technology
Currently, the prior art commonly used in the trade is such:
Since current satellite network includes that number of satellite is less, such as iridium satellite (66), GPS (24), Satellite Networking master
It to be completed by ground station control.It is directly that satellite distribution certification is joined that the mode of Satellite Networking certification generally use, which is by earth station,
Number, session key etc..In this control structure, satellite does not have autonomous networking capability usually, cause its networking certification into
Row heavy dependence earth station.
However, with the development of space technology, satellite network tends to complicate, as satellite node is large number of, satellite control
Simulation is complicated.Under this trend, traditional Satellite Networking control mode because the deployed position of earth station, processing capacity,
The problems such as managerial ability, there are certain application limitations.Simultaneously as satellite communication link uses wireless transmission medium, letter
Road high opening, Content of Communication are easily monitored, distort, forge, and Satellite Networking is very likely because of the nothing by malicious interference
Method is completed.In addition, the deployed environment that satellite network is special, more stringent requirements are proposed for the design of identity authentication protocol between star.
First, resource-constrained on star, it is difficult to cope with larger computing cost, need the scheme of complicated calculations that can seriously affect certification effect
Rate.Secondly, interstellar distance farther out, can not ignore by communication delay, and communication overhead has to consideration as one in conceptual design
Problem.
For the networking problem of satellite networks, some solutions have been proposed, for example:
The patent "Method for identity authentication of in-orbit satellites" applied for by the 30th Research Institute of China Electronics Technology Group Corporation (application number CN 2017101415439, application publication number CN106850674A) discloses an identity authentication method for in-orbit satellites which, based on the periodicity of satellite orbits, uses a public/private-key authentication mechanism to solve the identity authentication problem between satellite and ground.
However, as space technology develops, the satellite networks being designed contain more and more nodes. If satellite networking authentication requires frequent participation of the ground station, authentication efficiency is severely affected by problems such as satellite-to-ground communication delay. Therefore, to ensure that satellite networking is secure and efficient, the authentication protocol needs to reduce the participation of third parties such as the ground station as far as possible and improve the autonomy and independence of the authenticating nodes, so that the satellite network can operate securely even when the ground station has failed.
In conclusion problem of the existing technology is:
(1) authentication needs ground to participate between star, in the case where the trusted third party such as no earth station participate in, it is difficult to real
Independent, autonomous Trust Establishment and secure communication between existing satellite, the inadaptable satellite network networking scene for possessing magnanimity node;
(2) authentication does not protect self-identity information between star, causes attacker that can utilize the plaintext intercepted and captured
Identity information forges access request, to implement the attacks such as refusal service, interferes Satellite Networking;
(3) computing cost of authentication can influence authentication time delay between star, the satellite network less compared to number of nodes,
In the satellite network for possessing magnanimity node, since networking certification is more frequent, networking can be because of the calculation of On board computer between star
Power problem and generate authentication time delay.Solve the difficulty and meaning of above-mentioned technical problem:
(1) networking authentication method between design independence, autonomous star, needs for its design safety, efficient key updating side
Formula should reduce the participation of earth station, also ensure that satellite can accurately update authentication key;
(2) networking authentication method between the star of the identity information of design protection satellite needs to consider therefore to bring additional
Computing cost should ensure the confidentiality of satellite identity information, also reduce the computing cost therefore generated;
(3) design is suitable for networking authentication method between the star of complicated satellite network, needs to consider the calculating in verification process
Expense, when avoiding the occurrence of the certification simultaneously of more stars as possible, because of the calculation delay that computing resource is limited and brings.
With the development of space technology, following satellite network will include more and more satellite nodes, and design is not necessarily to
Networking authentication method possesses magnanimity satellite section for guarantee between earth station frequently participates in can be realized as the star of independent, autonomous networking
Point satellite network can stable operation be of great significance.
Summary of the invention
In view of the problems of the prior art, the present invention provides an inter-satellite networking authentication system and method suitable for a two-layer satellite network.
The invention is realised as follows.
The inter-satellite networking authentication system suitable for a two-layer satellite network of the present invention comprises:
a ground authentication server, responsible for completing the initialisation of the satellite authentication system, that is, for generating and distributing the identity information, keys and orbit parameters required for inter-satellite authentication;
a high-orbit satellite (GEO) authentication client, responsible for receiving authentication requests from a LEO, computing and returning the authentication token Token, computing the expected response XRES and the session key CK, checking whether the temporary identity TID used by the LEO in the authentication request is valid, checking whether the response RES returned by the LEO is correct, and maintaining an authentication information table for LEOs;
a low-orbit satellite (LEO) authentication client, responsible for submitting authentication requests to a GEO, checking whether the authentication token Token returned by the GEO is valid, computing the temporary identity TID, the response RES and the session key CK, and maintaining an authentication information table for GEOs.
The ground authentication server comprises:
a system initialisation module, for completing the initialisation of the satellite authentication system: the identity information generated by the identity information generation module, the keys generated by the key generation module and the orbit parameters distributed by the orbit distribution module are written into the satellite authentication system;
an identity information generation module, for generating the identity information required for authentication for each satellite according to its production sequence, launch sequence and so on;
a key generation module, for generating the keys required for authentication for each satellite;
an orbit distribution module, for assigning an operating orbit to each satellite.
The high-orbit satellite (GEO) authentication client comprises:
a system initialisation module, for completing the initialisation of the on-board authentication system by obtaining from the ground authentication server the identity information, keys and orbit parameters required for satellite authentication;
a networking authentication module, comprising three sub-modules: an authentication sub-module, a data processing sub-module and a precomputation management sub-module. The authentication sub-module exchanges the parameters required for authentication with the low-orbit satellite (LEO) authentication client; the data processing sub-module generates and parses authentication parameters and checks whether received authentication parameters are valid; the precomputation management sub-module precomputes the satellite's authentication parameters according to the data in the authentication information table and maintains that table;
an orbit prediction module, for computing the time point of the next inter-satellite authentication;
an authentication information management module, for managing the registration and update of LEO authentication information.
The low-orbit satellite (LEO) authentication client comprises:
a system initialisation module, for completing the initialisation of the on-board authentication system by obtaining from the ground authentication server the identity information, keys and orbit parameters required for satellite authentication;
a networking authentication module, comprising three sub-modules: an authentication sub-module, a data processing sub-module and a precomputation management sub-module. The authentication sub-module exchanges the parameters required for authentication with the high-orbit satellite (GEO) authentication client; the data processing sub-module generates and parses authentication parameters and checks whether received authentication parameters are valid; the precomputation management sub-module precomputes the satellite's authentication parameters according to the data in the authentication information table and maintains that table;
an orbit prediction module, for computing the time point of the next inter-satellite authentication;
an authentication information management module, for managing the registration and update of GEO authentication information.
Another object of the present invention is to provide an information data processing terminal equipped with the inter-satellite networking authentication system suitable for a two-layer satellite network.
To achieve the above object, the present invention provides an inter-satellite networking authentication method suitable for a two-layer satellite network, comprising:
1. Initialisation of the authentication system
(1a) In the launch preparation stage, the satellite submits a system initialisation application to the ground authentication server.
(1b) After receiving the application, the ground authentication server generates and distributes to the satellite its identity information, keys and orbit parameters, including the identity information ID, the group identity information SGID, the satellite identity anonymity-protection key IDKey and the satellite authentication master key MainKey.
2. Registration of satellite authentication information
(2a) The LEO sends its own precise orbit data to the GEO, such as orbit altitude and orbit inclination, that is, the orbit parameters needed to predict the satellite's orbital position.
(2b) After receiving the orbit information sent by the LEO, the GEO adds an authentication-information entry for that LEO to its authentication information table, that is, it stores the LEO's ID together with its orbit data in the on-board authentication information database. After registration is complete, the GEO returns its own precise orbit data to the LEO.
(2c) After receiving the returned orbit data, the LEO stores them in its own authentication database in the same way.
3. Inter-satellite identity authentication and key agreement
Inter-satellite identity authentication and key agreement is divided into two sub-protocols according to the execution stage of networking authentication: the authentication sub-protocol before registration of satellite authentication information and the authentication sub-protocol after registration.
3.1) Authentication sub-protocol before authentication-information registration
(3.1.a) The LEO obtains a timestamp T_TID from its on-board clock. From T_TID and the preset IDKey, the LEO computes the temporary identity TID to be used for this authentication: TID = f_TID(IDKey, T_TID || RID). After the computation, the LEO sends the TID together with the authentication request to the GEO.
(3.1.b) After receiving the TID, the GEO decrypts it with the preset IDKey and judges the freshness and validity of the authentication request from the recovered T_TID and RID.
(3.1.c) The GEO obtains from its on-board clock the timestamp T_Auth needed to generate AuthKey and derives AuthKey = f_AK(MainKey, T_Auth) from T_Auth and the preset MainKey. The GEO generates a one-time random parameter RAND and computes from RAND and AuthKey the timestamp protection sequence TK = f_TK(AuthKey, RAND). The GEO obtains from its on-board clock the timestamp T_Token needed to generate the Token and computes from RAND, T_Token and the stored SGID the message authentication code MAC = f_MAC(AuthKey, RAND || T_Token || SGID). The GEO merges RAND, T_Token, TK, SGID and MAC into one authentication token Token, and computes the session key CK = f_CK(AuthKey, RAND) and the expected response XRES = f_RES(CK, RAND).
(3.1.d) The LEO generates AuthKey in the same way and uses it to judge the freshness and validity of the Token.
(3.1.e) After verification succeeds, the LEO computes CK and RES in the same way and returns RES to the GEO.
(3.1.f) After receiving RES, the GEO compares the received RES with the stored XRES. If they are equal, authentication of the LEO is complete; otherwise authentication fails.
3.2) Authentication sub-protocol after authentication-information registration
(3.2.a) After the communication link is established, the LEO first determines whether its own orbit parameters have changed. If the orbit has been perturbed, the authentication parameters obtained by precomputation are no longer valid, so this protocol is terminated and authentication sub-protocol (3.1) is executed instead. If the orbit is normal, the LEO sends the precomputed TID and RES together with the access request to the GEO.
(3.2.b) After receiving the access request, the GEO compares the received TID and RES with the stored XTID and XRES. If they are equal, authentication of the LEO is complete and the stored Token is returned to the LEO; if they differ, an error is returned and authentication sub-protocol (3.1) is executed instead.
(3.2.c) The LEO checks the validity of the authentication token using the precomputed AuthKey.
(3.2.d) If the check passes, the LEO computes the session key CK using AuthKey.
4. Authentication precomputation
Authentication precomputation is divided into two sub-protocols according to the execution stage of networking authentication: the precomputation sub-protocol before registration of satellite authentication information and the precomputation sub-protocol after registration.
4.1) Authentication precomputation sub-protocol before authentication-information registration
(4.1.a) The LEO applies to the GEO for a blank Token.
(4.1.b) The GEO computes and returns a blank Token.
(4.1.c) Using orbit position prediction, the LEO computes the time point of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token. From T_TID and T_Auth respectively, the LEO then generates the TID and AuthKey to be used in the next authentication. From the blank Token returned by the GEO, the LEO computes the RES to be used in the next authentication. After the computation, the LEO stores TID and RES.
(4.1.d) Using orbit position prediction, the GEO computes the time point of its next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token. From these time parameters, the stored satellite ID and the stored keys IDKey and MainKey, the GEO computes the XTID, XRES, Token and CK needed for the next authentication. After the computation, the GEO stores XTID, XRES, Token and CK.
4.2) Authentication precomputation sub-protocol after authentication-information registration
(4.2.a) Using orbit position prediction, the LEO computes the time point of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token. From T_TID and T_Auth respectively, the LEO then generates the TID and AuthKey to be used in the next authentication. From the Token returned by the GEO in authentication sub-protocol (3.2), the LEO computes the RES to be used in the next authentication. After the computation, the LEO stores TID and RES.
(4.2.b) Using orbit position prediction, the GEO computes the time point of its next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token. From these time parameters, the stored satellite ID and the stored keys IDKey and MainKey, the GEO computes the XTID, XRES, Token and CK needed for the next authentication. After the computation, the GEO stores XTID, XRES, Token and CK.
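The exchanges of sections 3.1, 3.2 and 4 above, as an added runnable model in Python; this is not code from the patent. The patent does not specify the functions f_TID, f_AK, f_TK, f_MAC, f_CK and f_RES, so HMAC-SHA256 constructions stand in for them (f_TID as a deterministic, SIV-style authenticated encryption, so that the GEO can both decrypt a received TID as in 3.1.b and precompute XTID for comparison as in 3.2.b). It also assumes that TK masks T_Token inside the Token, that the three predicted time parameters all equal the predicted contact time, that the blank Token of step 4.1.b is the Token the GEO precomputes in 4.1.d, and that a 5-second freshness window stands in for the patent's clock-synchronisation assumption. Keys, RID, SGID and the orbit tuple are constructed sample values.

```python
import hmac, hashlib, secrets, struct

WINDOW = 5  # assumed freshness window in seconds (the patent relies on tightly synchronised clocks)

def _mac(key, *parts):
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _u64(t):
    return struct.pack(">Q", t)

# f_TID: deterministic authenticated encryption of T_TID||RID under the group key IDKey (SIV-style
# stand-in) so the GEO can decrypt a TID (3.1.b) and also precompute XTID for comparison (3.2.b).
def make_tid(id_key, t_tid, rid):
    pt = _u64(t_tid) + rid                            # rid: 8-byte true identity
    siv = _mac(id_key, b"siv", pt)[:16]
    return siv + _xor(pt, _mac(id_key, b"ks", siv)[:16])

def open_tid(id_key, tid):
    siv, ct = tid[:16], tid[16:32]
    pt = _xor(ct, _mac(id_key, b"ks", siv)[:16])
    if not hmac.compare_digest(siv, _mac(id_key, b"siv", pt)[:16]):
        raise ValueError("TID rejected: not generated under IDKey")
    return struct.unpack(">Q", pt[:8])[0], pt[8:]

def auth_key(main_key, t_auth):                       # f_AK(MainKey, T_Auth)
    return _mac(main_key, b"AK", _u64(t_auth))

def make_token(ak, rand, t_token, sgid):              # GEO, step 3.1.c
    tk = _mac(ak, b"TK", rand)[:8]                    # f_TK(AuthKey, RAND); assumed to mask T_Token
    mac = _mac(ak, b"MAC", rand, _u64(t_token), sgid)[:16]   # f_MAC(AuthKey, RAND||T_Token||SGID)
    return rand + _xor(_u64(t_token), tk) + sgid + mac

def check_token(ak, token, sgid, now):                # LEO, step 3.1.d: freshness and XMAC == MAC
    rand, enc_t, sg, mac = token[:16], token[16:24], token[24:32], token[32:48]
    t_token = struct.unpack(">Q", _xor(enc_t, _mac(ak, b"TK", rand)[:8]))[0]
    xmac = _mac(ak, b"MAC", rand, _u64(t_token), sgid)[:16]
    if sg != sgid or not hmac.compare_digest(xmac, mac) or abs(now - t_token) > WINDOW:
        raise ValueError("Token rejected: wrong group, bad MAC or stale T_Token")
    return rand

def session_key(ak, rand):                            # f_CK(AuthKey, RAND)
    return _mac(ak, b"CK", rand)
def response(ck, rand):                               # f_RES(CK, RAND)
    return _mac(ck, b"RES", rand)[:16]

# Constructed sample material standing in for the ground server's initialisation (step 1).
ID_KEY, MAIN_KEY, SGID = b"k" * 32, b"m" * 32, b"grp-0001"
LEO = {"IDKey": ID_KEY, "MainKey": MAIN_KEY, "SGID": SGID, "RID": b"LEO-0042", "orbit": (780, 86.4)}
GEO = {"IDKey": ID_KEY, "MainKey": MAIN_KEY, "SGID": SGID}

# ---- sub-protocol 3.1: authentication before registration ----
def geo_challenge(geo, tid, now):                     # steps 3.1.b and 3.1.c
    t_tid, rid = open_tid(geo["IDKey"], tid)
    if abs(now - t_tid) > WINDOW:
        raise ValueError("authentication request rejected: TID not fresh")
    ak = auth_key(geo["MainKey"], now)
    rand = secrets.token_bytes(16)                    # one-time RAND
    ck = session_key(ak, rand)
    return rid, make_token(ak, rand, now, geo["SGID"]), response(ck, rand), ck  # GEO keeps XRES, CK

def leo_answer(leo, token, now):                      # steps 3.1.d and 3.1.e
    ak = auth_key(leo["MainKey"], now)
    rand = check_token(ak, token, leo["SGID"], now)
    ck = session_key(ak, rand)
    return response(ck, rand), ck

def run_3_1(leo, geo, now):
    tid = make_tid(leo["IDKey"], now, leo["RID"])     # step 3.1.a
    rid, token, xres, ck_geo = geo_challenge(geo, tid, now)
    res, ck_leo = leo_answer(leo, token, now)
    return hmac.compare_digest(res, xres), rid, ck_leo == ck_geo   # step 3.1.f

# ---- section 4 precomputation and sub-protocol 3.2: authentication after registration ----
def geo_precompute(geo, rid, t_next):                 # step 4.1.d; the Token doubles as the blank Token of 4.1.b
    ak = auth_key(geo["MainKey"], t_next)
    rand = secrets.token_bytes(16)
    ck = session_key(ak, rand)
    return {"XTID": make_tid(geo["IDKey"], t_next, rid), "XRES": response(ck, rand),
            "Token": make_token(ak, rand, t_next, geo["SGID"]), "CK": ck}

def leo_precompute(leo, blank_token, t_next):         # step 4.1.c
    ak = auth_key(leo["MainKey"], t_next)
    rand = blank_token[:16]
    return {"TID": make_tid(leo["IDKey"], t_next, leo["RID"]),
            "RES": response(session_key(ak, rand), rand)}

def run_3_2(leo, pre_leo, pre_geo, now, orbit_now):
    if orbit_now != leo["orbit"]:                     # 3.2.a: a perturbed orbit voids the precomputed values
        return "fallback to 3.1"
    if not (hmac.compare_digest(pre_leo["TID"], pre_geo["XTID"]) and
            hmac.compare_digest(pre_leo["RES"], pre_geo["XRES"])):     # 3.2.b: two comparisons only
        return "failed, fallback to 3.1"
    ak = auth_key(leo["MainKey"], now)                # 3.2.c and 3.2.d on the returned stored Token
    rand = check_token(ak, pre_geo["Token"], leo["SGID"], now)
    return "authenticated" if session_key(ak, rand) == pre_geo["CK"] else "key mismatch"
```

run_3_1 walks the full pre-registration exchange, while run_3_2 shows what precomputation buys the GEO: its online work shrinks to two constant-time comparisons. The orbit check at the top of run_3_2 also shows why a perturbed orbit must fall back to 3.1: the precomputed TID was bound to the predicted contact time, so a changed contact time would make it stale under the freshness window.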
Another object of the present invention is to provide a computer program implementing the described inter-satellite networking authentication method suitable for a two-layer satellite network.
Another object of the present invention is to provide an information data processing terminal implementing the described inter-satellite networking authentication method suitable for a two-layer satellite network.
Another object of the present invention is to provide a computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to execute the inter-satellite networking authentication method suitable for a two-layer satellite network.
The present invention achieves the goal of preventing replay attacks by the appropriate use of timestamps in the generation of authentication parameters. During identity authentication, the authentication parameters that must be transmitted between the GEO and the LEO are TID, Token and RES. Generating TID requires the timestamp T_TID, from which the GEO can judge the freshness of the TID; the Token contains the encrypted time parameter T_Token, from which, together with the MAC value, the LEO can judge whether a received Token is a replayed message; RES corresponds to the Token, and whether RES is a replayed message can be judged from the message return speed.
In the present invention, inter-satellite identity authentication and key agreement is divided into two sub-protocols according to the execution stage of networking authentication: the authentication sub-protocol before registration of satellite authentication information and the authentication sub-protocol after registration. Once a satellite has completed registration of its authentication information, the authentication parameters can be precomputed from the exchanged precise orbit parameters. By designing the precomputation mechanism, inter-satellite authentication after registration can execute a lightweight networking authentication protocol, which greatly improves authentication efficiency.
In the temporary identity generation method of the present invention, when generating a temporary identity the satellite performs a cryptographic operation, using the IDKey shared within the GEO and LEO group, on the string formed by concatenating the timestamp T_TID with the true identity RID, and uses the result as the satellite's temporary identity. Because the temporary identity is generated from the time, it is guaranteed that the LEO uses different identity information each time it initiates authentication.
In the authentication key AuthKey generation method of the present invention, the authentication key is derived, based on time, from the master key MainKey distributed by the ground authentication server. Exploiting the highly synchronised clocks of the satellite network and the predictability of orbits, the GEO and the LEO can complete the update of the authentication key according to the predicted time. Computing authentication parameters in advance from the predicted time both ensures that the two protocol parties compute synchronously and improves inter-satellite authentication efficiency.
The method of the present invention for reducing the computational cost of inter-satellite authentication exploits the highly synchronised clocks of the satellite network and the predictability of orbits: an authentication precomputation step is designed that computes, in advance and during periods of low on-board computer utilisation, every parameter required for the next authentication. At the next authentication, identity authentication is achieved merely by comparing parameters, which effectively avoids the authentication delay caused by insufficient on-board computing power during inter-satellite networking authentication.
In conclusion advantages of the present invention and good effect are:
The present invention realizes the bidirectional identity authentication between satellite.
In the present invention, after being initialized to the Verification System of satellite by earth station, LEO and GEO can independently, independently
Carry out networking certification.LEO is by judging the XMAC obtained by local computing realizations whether equal with the MAC in Token to GEO
Authentication;GEO is by judging authentication of the XRES the being locally stored realizations whether equal with the RES of return to LEO.It is double
It can be resisted to ID authentication mechanism and the network attacks such as be palmed off, distorted during Satellite Networking, ensure that Satellite Networking
Safety orderly carries out.
The present invention realizes the anonymous protection of satellite identity information.
In the present invention, when LEO sends certification request, using temporary identity, which is based on by true identity information
Timestamp encryption generates, and can accomplish that the identity information that each certification uses is different;Simultaneously as certification precomputation mechanism
Setting, the verification of identity information is main using charactor comparison by the way of in verification process, and satellite can't be made to increase additionally
Computing cost.
The computing cost that The present invention reduces satellites in verification process.
Present invention combination satellite network clock high unity, the predictable scene feature of running orbit, it is pre- to devise certification
Calculating step so that satellite can utilize the time parameter obtained by orbital prediction, calculate each parameter needed for next certification in advance,
It only needs to carry out simple parameter comparison operation when networking again certification can be completed.The present invention passes through design verification precomputation machine
System will largely calculate the low utilization rate stage for being arranged in satellite processor, so as to avoid more needed for verification process
The authentication time delay brought in the case of star certification simultaneously because satellite calculates power deficiency.
Description of the drawings
Fig. 1 is a diagram of the inter-satellite networking authentication system suitable for a two-layer satellite network provided by an embodiment of the present invention.
Fig. 2 is a flow chart of the inter-satellite networking authentication method suitable for a two-layer satellite network provided by an embodiment of the present invention.
Fig. 3 is the authentication flow chart of the low-orbit satellite provided by an embodiment of the present invention.
Fig. 4 is the authentication flow chart of the high-orbit satellite provided by an embodiment of the present invention.
Specific implementation mode
In order to make the purpose , technical scheme and advantage of the present invention be clearer, with reference to embodiments, to the present invention
It is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, it is not used to
Limit the present invention.
Without the participation of a trusted third party (TTP), the prior art cannot establish trust and secure communication between satellites. The present invention provides an inter-satellite networking authentication method suitable for a double-layer satellite network, in which:
The LEO authenticates the GEO by judging whether the XMAC it computes locally equals the MAC in the Token; the GEO authenticates the LEO by judging whether the XRES it has stored locally equals the RES returned by the LEO. During identity authentication, the authentication parameters transmitted between GEO and LEO are TID, Token and RES. Generating TID requires the timestamp T_TID, from which the GEO judges the freshness of TID; the Token contains an encrypted time parameter T_Token, which the LEO combines with the MAC value to judge whether the received Token is a replayed message; RES corresponds to the Token, and the GEO judges from the message return speed whether RES is a replayed message.
When the LEO sends an authentication request it uses a time-based temporary identity, so the identity information used differs for every authentication; during authentication, identity information is verified by character-string comparison. To generate the temporary identity, the satellite applies a cryptographic operation under the IDKey shared between the GEO and the LEO group to the composite string of the timestamp T_TID and the true identity RID, and the result of the operation is used as the satellite's temporary identity.
Exploiting the high clock synchronization and predictable running orbits of the satellite network, the GEO and the LEO both update the authentication key AuthKey and compute the authentication parameters in advance according to the predicted time.
As shown in Fig. 1, the inter-satellite networking authentication system suitable for a double-layer satellite network provided by an embodiment of the present invention comprises three main modules: a ground certificate server, a high-orbit satellite (GEO) authentication client and a low-orbit satellite (LEO) authentication client. Wherein:
The ground certificate server is responsible for initializing the satellite authentication system, that is, for generating and distributing the identity information, keys and orbit parameters required for inter-satellite authentication;
The high-orbit satellite (GEO) authentication client is responsible for receiving authentication requests from the LEO, computing and returning the authentication token Token, computing the expected response XRES and the session key CK, checking whether the temporary identity TID used in the LEO's authentication request is valid, checking whether the response RES returned by the LEO is correct, and maintaining an authentication information table for the LEO;
The low-orbit satellite (LEO) authentication client is responsible for submitting authentication requests to the GEO, checking whether the authentication token Token returned by the GEO is valid, computing the temporary identity TID, the response RES and the session key CK, and maintaining an authentication information table for the GEO.
The ground certificate server comprises a system initialization module, an identity information generation module, a key generation module and an orbit allocation module.
The system initialization module completes the initialization of the satellite authentication system: it writes the identity information generated by the identity information generation module, the keys generated by the key generation module and the orbit parameters allocated by the orbit allocation module into the satellite authentication system;
The identity information generation module generates the identity information required for authentication for each satellite according to its production sequence, launch sequence and similar data;
The key generation module generates the keys required for authentication for each satellite;
The orbit allocation module allocates a running orbit to each satellite.
The high-orbit satellite (GEO) authentication client comprises a system initialization module, a networking authentication module, an orbit prediction module and an authentication information management module.
The system initialization module completes the initialization of the on-board authentication system by obtaining from the ground certificate server the identity information, keys and orbit parameters required for satellite authentication;
The networking authentication module comprises three sub-modules: an authentication sub-module, a data processing sub-module and a precomputation management sub-module. The authentication sub-module exchanges the parameters required for authentication with the low-orbit satellite (LEO) authentication client; the data processing sub-module generates and parses authentication parameters and checks whether received authentication parameters are valid; the precomputation management sub-module precomputes the satellite's authentication parameters according to the data in the authentication information table and maintains that table;
The orbit prediction module computes the time of the next inter-satellite authentication;
The authentication information management module manages the registration and update of LEO authentication information.
The low-orbit satellite (LEO) authentication client comprises a system initialization module, a networking authentication module, an orbit prediction module and an authentication information management module.
The system initialization module completes the initialization of the on-board authentication system by obtaining from the ground certificate server the identity information, keys and orbit parameters required for satellite authentication;
The networking authentication module comprises three sub-modules: an authentication sub-module, a data processing sub-module and a precomputation management sub-module. The authentication sub-module exchanges the parameters required for authentication with the high-orbit satellite (GEO) authentication client; the data processing sub-module generates and parses authentication parameters and checks whether received authentication parameters are valid; the precomputation management sub-module precomputes the satellite's authentication parameters according to the data in the authentication information table and maintains that table;
The orbit prediction module computes the time of the next inter-satellite authentication;
The authentication information management module manages the registration and update of GEO authentication information.
As shown in Figs. 2 to 4, the inter-satellite networking authentication method suitable for a double-layer satellite network provided by an embodiment of the present invention comprises four parts: authentication system initialization, satellite authentication information registration, inter-satellite identity authentication and key agreement, and authentication precomputation.
The invention is further described below with reference to authentication system initialization.
1. Authentication system initialization:
Step 1: In the launch preparation stage, the satellite submits a system initialization application to the ground certificate server;
Step 2: After receiving the application, the ground certificate server generates ID, SGID, IDKey, MainKey and the orbit parameters for the satellite according to information such as its production number and launch sequence. Once generated, these parameters are stored in the satellite's authentication database, where:
(1) ID is the identity information of the satellite and uniquely identifies the satellite node when the inter-satellite identity authentication protocol is executed;
(2) SGID is the group identification information of the satellite and identifies the group it belongs to; it is an auxiliary identity that can be configured to suit the actual deployment;
(3) IDKey is the anonymity protection key for the satellite's identity information, a key shared between the GEO and the LEO group, used to generate the LEO temporary identity during authentication;
(4) MainKey is the inter-satellite master key used when the satellite authenticates, a secret shared between the GEO and the LEO satellite, used to generate the authentication key AuthKey.
The invention is further described below with reference to satellite authentication information registration.
2. Satellite authentication information registration
Satellite authentication information registration takes place after the GEO and the LEO complete their first inter-satellite identity authentication, and comprises the following steps:
Step 1: The LEO sends its precise orbit data to the GEO, such as the orbit altitude and orbit inclination, that is, the orbit parameters required for satellite orbit position prediction;
Step 2: After receiving the orbit information sent by the LEO, the GEO adds the authentication information of that LEO to its authentication information table, that is, it stores the LEO's ID together with the orbit data in the on-board authentication information database. After registration is complete, the GEO returns its own precise orbit data to the LEO;
Step 3: After receiving the returned orbit data, the LEO stores it in its own authentication database in the same way.
The invention is further described below with reference to inter-satellite identity authentication and key agreement.
3. Inter-satellite identity authentication and key agreement
The inter-satellite identity authentication and key agreement of the authentication method of the present invention is divided into two sub-protocols according to the stage of networking authentication: the authentication sub-protocol before satellite authentication information registration and the authentication sub-protocol after satellite authentication information registration.
(1) Authentication sub-protocol before authentication information registration
The inter-satellite identity authentication and key agreement sub-protocol that takes place before satellite authentication information registration comprises the following steps:
Step 1: LEO generates and sends a temporary identity.
The LEO obtains the timestamp T_TID from its on-board clock. From T_TID and the preset IDKey, the LEO computes the temporary identity TID to be used for this authentication, TID = f_TID(IDKey, T_TID || RID). Here f_TID is the temporary identity generation algorithm, which may be implemented with reference to HMAC-SM3 (the hash message authentication code based on the national SM3 algorithm), and RID is the satellite's true identity information. After the computation, the LEO sends TID to the GEO together with the authentication request.
Step 2: GEO judges the validity of the authentication request.
2.1) Freshness verification
After receiving TID, the GEO decrypts it with the preset IDKey. If the recovered T_TID satisfies T_TID - T_0 < ΔT_TID, the request meets the freshness requirement and step 2.2) follows; otherwise the GEO terminates the authentication and releases the connection;
2.2) Validity verification
If the recovered RID conforms to the predetermined naming convention, identity verification passes and step 3 is executed; otherwise the GEO terminates the authentication and releases the connection.
Step 3: GEO generates and returns the authentication token.
3.1) Generate the authentication key
The GEO obtains from its on-board clock the timestamp T_Auth needed to generate AuthKey. From T_Auth and the preset MainKey, the GEO computes the authentication key used for this authentication, AuthKey = f_AK(MainKey, T_Auth). Here f_AK is the authentication key generation algorithm, which may be implemented with reference to ECB-SM4 (the national SM4 algorithm in electronic codebook mode).
3.2) Generate the timestamp protection sequence
The GEO generates a one-time random parameter RAND. From RAND and AuthKey, the GEO computes the timestamp protection sequence TK, TK = f_TK(AuthKey, RAND). Here f_TK is the timestamp protection sequence generation algorithm, which may be implemented with reference to ECB-SM4.
3.3) Generate the message authentication code
The GEO obtains from its on-board clock the timestamp T_Token needed to generate the authentication token Token. From RAND, T_Token and the stored SGID, the GEO computes the message authentication code MAC, MAC = f_MAC(AuthKey, RAND || T_Token || SGID). Here f_MAC is the message authentication code generation algorithm, which may be implemented with reference to MAC-SM4.
3.4) Generate the authentication token
The GEO merges RAND, T_Token, TK, SGID and MAC into a Token.
3.5) Generate the expected response and session key
The GEO computes the expected response XRES and the session key CK: CK = f_CK(AuthKey, RAND), XRES = f_RES(CK, RAND). Here f_CK is the key generation algorithm for CK and f_RES is the authentication response value generation algorithm; both may be implemented with reference to HMAC-SM3. After the authentication parameters have been computed, the GEO stores XRES and CK and returns the Token to the LEO.
Step 4: LEO judges the validity of the authentication token.
4.1) Freshness verification
The LEO computes TK from the AuthKey it has generated and the RAND in the Token. After decrypting the Token with TK to obtain T_Token, it judges whether T_Token - T_0 < ΔT holds. If T_Token meets the message freshness requirement, step 4.2) follows; otherwise the authentication fails and the connection is released.
4.2) Identity information verification
From the AuthKey it has generated and the RAND, T_Token and SGID in the Token, the LEO computes the message authentication code XMAC in the same way. It then judges whether the computed XMAC equals the MAC in the Token: if they are equal, the authentication of the GEO is complete; if they differ, the authentication fails and the connection is released.
Step 5: LEO generates the authentication response value and session key.
After verification passes, the LEO uses RAND and AuthKey to compute CK and RES with f_CK and f_RES, and returns RES to the GEO.
Step 6: GEO verifies the response value.
After receiving RES, the GEO compares the received RES with the stored XRES. If they are equal, the authentication of the LEO is complete; otherwise the authentication fails.
(2) Authentication sub-protocol after authentication information registration
The identity authentication that takes place after authentication information registration uses the authentication parameters obtained by authentication precomputation. This authentication sub-protocol comprises the following steps:
Step 1: LEO sends an authentication request.
After the communication link is established, the LEO first judges whether its own orbit parameters have changed. If an orbit perturbation has occurred, the authentication parameters obtained by authentication precomputation are no longer valid, so this protocol must be terminated and authentication sub-protocol (1) executed again. If the running orbit is normal, the LEO sends the precomputed TID and RES to the GEO together with the access request.
Step 2: GEO judges the validity of the access request.
After receiving the access request, the GEO compares the received TID and RES with the stored XTID and XRES. If they are equal, the authentication of the LEO is complete and the GEO returns the stored Token to the LEO; if they differ, the GEO returns an error and authentication sub-protocol (1) is executed again.
Step 3: LEO judges the validity of the authentication token.
3.1) Freshness verification
The LEO computes TK from the precomputed AuthKey and the RAND in the Token. After decrypting the Token with TK to obtain T_Token, it judges whether T_Token - T_0 < ΔT holds. If T_Token meets the message freshness requirement, step 3.2) follows; otherwise the authentication fails and the connection is released.
3.2) Identity information verification
From the AuthKey it has generated and the RAND, T_Token and SGID in the Token, the LEO computes the message authentication code XMAC in the same way. It then judges whether the computed XMAC equals the MAC in the Token: if they are equal, the authentication of the GEO is complete; if they differ, the authentication fails and the connection is released.
Step 4: LEO generates the session key.
If verification passes, the LEO computes CK with f_CK from the precomputed AuthKey and the RAND in the Token.
The invention is further described below with reference to authentication precomputation.
4. Authentication precomputation
The authentication precomputation of the authentication method of the present invention is divided into two sub-protocols according to the stage of networking authentication: the precomputation sub-protocol before satellite authentication information registration and the precomputation sub-protocol after satellite authentication information registration.
(1) Authentication precomputation sub-protocol before authentication information registration
The authentication precomputation sub-protocol that takes place before satellite authentication information registration comprises the following steps:
Step 1: The LEO applies to the GEO for a blank Token.
Step 2: The GEO computes and returns a blank Token.
Step 3: The LEO performs authentication precomputation.
Using orbit position prediction, the LEO computes the time of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token. It then generates from T_TID and T_Auth respectively the TID and the AuthKey to be used in the next authentication, and computes from the blank Token returned by the GEO the RES to be used in the next authentication. After the computation, the LEO stores TID and RES.
Step 4: The GEO performs authentication precomputation.
Using orbit position prediction, the GEO computes the time of its next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token. From these time parameters, the stored satellite ID and the stored keys IDKey and MainKey, the GEO computes the XTID, XRES, Token and CK needed for the next authentication. After the computation, the GEO stores XTID, XRES, Token and CK.
(2) Authentication precomputation sub-protocol after authentication information registration
The authentication precomputation sub-protocol that takes place after satellite authentication information registration comprises the following steps:
Step 1: The LEO performs authentication precomputation.
Using orbit position prediction, the LEO computes the time of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token. It then generates from T_TID and T_Auth respectively the TID and the AuthKey to be used in the next authentication, and computes from the Token returned by the GEO in authentication sub-protocol (2) the RES to be used in the next authentication. After the computation, the LEO stores TID and RES.
Step 2: The GEO performs authentication precomputation.
Using orbit position prediction, the GEO computes the time of its next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token. From these time parameters, the stored satellite ID and the stored keys IDKey and MainKey, the GEO computes the XTID, XRES, Token and CK needed for the next authentication. After the computation, the GEO stores XTID, XRES, Token and CK.
Steps 1 and 2 above are computed independently by the LEO and the GEO during processor idle time, with no ordering constraint between them.
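The following is an added worked example, not code from the patent, that models the three procedures described above in one place: authentication sub-protocol (1) (steps 1 to 6), the authentication precomputation, and the fast-path authentication sub-protocol (2) that compares precomputed values. It assumes HMAC-SHA256 in place of HMAC-SM3 and MAC-SM4, and a small PRF-based Feistel block cipher in place of ECB-SM4, since neither SM3 nor SM4 is in the Python standard library; integer-second timestamps; a constructed 8-byte RID whose "naming convention" is the fixed prefix LEO-; that T_Auth is taken by both sides from their synchronized clocks (passed in explicitly here); and that the precomputed Token is handed to the LEO ahead of the contact (the "blank Token" of precomputation steps 1 and 2). The domain-separation labels "TK" and "CK", the modelling of an orbit perturbation as a contact outside the predicted time window, and all keys and identifiers are the example's own choices.

```python
import hashlib
import hmac
import os
import struct

# Constructed provisioning values; in the patent the ground certificate server distributes these.
ID_KEY = b"idkey-shared-by-geo-and-the-leo-group"  # anonymity key, shared by GEO and the LEO group
MAIN_KEY = b"mainkey-shared-by-geo-and-this-leo"    # master secret, shared by GEO and this LEO
RID = b"LEO-0042"   # true identity; the "naming convention" check below is the fixed LEO- prefix
SGID = b"GRP1"      # group identifier carried in the Token
DELTA_T = 30        # freshness window in seconds (assumed value)

def prf(key, *parts):
    """HMAC-SHA256 stands in for HMAC-SM3 / MAC-SM4, which the stdlib lacks."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t):
    return struct.pack(">Q", t)  # 8-byte big-endian timestamp

def enc16(key, block):
    """Deterministic 16-byte block cipher standing in for ECB-SM4 (4-round Feistel over prf).
    Determinism is what lets the GEO precompute XTID and compare it by string equality."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, prf(key, bytes([i]), r)[:8])
    return l + r

def dec16(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, prf(key, bytes([i]), l)[:8]), l
    return l + r

# ---- sub-protocol (1): first contact, before authentication information registration ----
def leo_make_tid(t_tid):
    """Step 1: TID = f_TID(IDKey, T_TID || RID)."""
    return enc16(ID_KEY, ts(t_tid) + RID)

def geo_check_request(tid, t_now):
    """Step 2: recover T_TID and RID; freshness (2.1) and naming convention (2.2). RID or None."""
    plain = dec16(ID_KEY, tid)
    t_tid, rid = struct.unpack(">Q", plain[:8])[0], plain[8:]
    if not 0 <= t_now - t_tid < DELTA_T or not rid.startswith(b"LEO-"):
        return None
    return rid

def geo_issue_token(t_auth, t_token, rand=None):
    """Step 3: AuthKey, TK, MAC, Token, XRES, CK; returns (token, xres, ck). The labels b"TK" and
    b"CK" keep the two derivations from (AuthKey, RAND) distinct, as the patent's different f_TK/f_CK do."""
    rand = rand or os.urandom(16)
    auth_key = prf(MAIN_KEY, ts(t_auth))                 # f_AK(MainKey, T_Auth)
    tk = prf(auth_key, b"TK", rand)                      # f_TK(AuthKey, RAND)
    mac = prf(auth_key, rand, ts(t_token), SGID)         # f_MAC(AuthKey, RAND || T_Token || SGID)
    token = (rand, xor(ts(t_token), tk[:8]), SGID, mac)  # T_Token travels masked by TK
    ck = prf(auth_key, b"CK", rand)                      # f_CK(AuthKey, RAND)
    return token, prf(ck, rand), ck                      # XRES = f_RES(CK, RAND)

def leo_derive(token, t_auth):
    """LEO's view of a Token: unmask T_Token, recompute XMAC, RES and CK (no freshness check)."""
    rand, masked_t, sgid, mac = token
    auth_key = prf(MAIN_KEY, ts(t_auth))
    tk = prf(auth_key, b"TK", rand)
    t_token = struct.unpack(">Q", xor(masked_t, tk[:8]))[0]
    xmac = prf(auth_key, rand, ts(t_token), sgid)
    ck = prf(auth_key, b"CK", rand)
    return t_token, xmac, mac, prf(ck, rand), ck

def leo_check_token(token, t_auth, t_now):
    """Steps 4-5: freshness (4.1), then XMAC == MAC in constant time (4.2). (RES, CK) or None."""
    t_token, xmac, mac, res, ck = leo_derive(token, t_auth)
    if not 0 <= t_now - t_token < DELTA_T or not hmac.compare_digest(xmac, mac):
        return None
    return res, ck

# ---- authentication precomputation and sub-protocol (2): the fast path after registration ----
def precompute(t_tid, t_auth, t_token):
    """Both sides start from the predicted contact times. GEO keeps XTID/XRES/Token/CK, LEO keeps
    TID/RES; the Token is assumed to have been handed to the LEO in advance (the 'blank Token')."""
    token, xres, ck = geo_issue_token(t_auth, t_token)
    geo_state = {"xtid": leo_make_tid(t_tid), "xres": xres, "token": token, "ck": ck}
    leo_state = {"t_tid": t_tid, "tid": leo_make_tid(t_tid), "res": leo_derive(token, t_auth)[3]}
    return leo_state, geo_state

def leo_fast_request(leo_state, t_now):
    """Sub-protocol (2) step 1. An orbit perturbation is modelled as the contact falling outside
    the predicted window; None means: drop the precomputed parameters and rerun sub-protocol (1)."""
    if not 0 <= t_now - leo_state["t_tid"] < DELTA_T:
        return None
    return leo_state["tid"], leo_state["res"]

def geo_fast_check(geo_state, tid, res):
    """Sub-protocol (2) step 2 (and step 6 of sub-protocol (1) for RES): constant-time comparisons
    against the stored XTID/XRES, then the stored Token is released."""
    if hmac.compare_digest(tid, geo_state["xtid"]) and hmac.compare_digest(res, geo_state["xres"]):
        return geo_state["token"]
    return None
```

Two design points are worth noting. First, TK and CK are both derived from (AuthKey, RAND); the patent keeps them apart by using different algorithms (ECB-SM4 versus HMAC-SM3), and the example does the same with the "TK"/"CK" labels, because deriving both with one unlabelled PRF would make the timestamp mask equal to the session key. Second, every equality check on the hot path (XMAC against MAC, TID against XTID, RES against XRES) uses a constant-time comparison, which is the "character comparison" the patent relies on for the post-registration authentication.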
The invention is further described below with reference to a simulation experiment.
In the above authentication method, if the communication and computation overhead that authentication precomputation adds to the inter-satellite networking authentication process is not counted (the core idea of the authentication method of the present invention is precisely to reduce the overhead of the authentication interaction between satellites by designing the authentication precomputation mechanism), the authentication overhead of the method is as follows:
(1) Number of interactions: identity authentication before satellite authentication information registration requires 3 session interactions; identity authentication after satellite authentication information registration requires 2 session interactions;
(2) Number of main operations: identity authentication before satellite authentication information registration requires 2B+2H+2M+2C operations, and identity authentication after satellite authentication information registration requires 1M+2C operations, where B denotes one block encryption, H one hash operation, M one message authentication code operation and C one comparison operation;
(3) Computation time: identity authentication before satellite authentication information registration takes 20.3 microseconds, and identity authentication after satellite authentication information registration takes 5.9 microseconds. The experimental environment was a computer with an i5 4590 and 8G RAM; hashing used SM3-256bit, MAC computation used SM3-HMAC-256bit, block encryption used SM4-128bit, the random number was 128 bits long and the timestamp was 48 bits long.
The above experimental results show that with this authentication method, thanks to the authentication precomputation mechanism, once authentication information has been registered between satellites, inter-satellite networking authentication can be completed with little overhead, and the anonymity protection of LEO identity information is achieved with little overhead as well.
In the above embodiments, the implementation may be wholly or partly by software, hardware, firmware or any combination thereof. When implemented wholly or partly in the form of a computer program product, the computer program product comprises one or more computer instructions. When the computer program instructions are loaded or executed on a computer, the flows or functions described in the embodiments of the present invention are wholly or partly produced. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data center to another by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state disk (SSD)).
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included in its scope of protection.
Claims (10)
1. An inter-satellite networking authentication method suitable for a double-layer satellite network, characterized in that the inter-satellite networking authentication method suitable for a double-layer satellite network comprises:
the LEO authenticating the GEO by judging whether the XMAC obtained by local computation equals the MAC in the Token; the GEO authenticating the LEO by judging whether the locally stored XRES equals the returned RES; during identity authentication, the authentication parameters transmitted between GEO and LEO being TID, Token and RES; wherein generating TID requires the timestamp T_TID, from which the GEO judges the freshness of TID; the Token contains the encrypted time parameter T_Token, which the LEO combines with the MAC value to judge whether the received Token is a replayed message; RES corresponds to the Token, and the GEO judges from the message return speed whether RES is a replayed message;
when the LEO sends an authentication request it uses a time-based temporary identity, so that the identity information used differs for every authentication; during authentication, identity information is verified by character-string comparison; to generate the temporary identity, the satellite applies a cryptographic operation under the IDKey shared between the GEO and the LEO group to the composite string of the timestamp T_TID and the true identity RID, and the result of the operation is used as the satellite's temporary identity;
exploiting the high clock synchronization and predictable running orbits of the satellite network, the GEO and the LEO both update the authentication key AuthKey and compute the authentication parameters in advance according to the predicted time.
2. The inter-satellite networking authentication method suitable for a double-layer satellite network according to claim 1, characterized in that the inter-satellite networking authentication method suitable for a double-layer satellite network specifically comprises:
a first step, authentication system initialization, in which the ground station generates and distributes the identity information, keys and orbit parameters required for inter-satellite authentication;
a second step, satellite authentication information registration, in which, after receiving the orbit information sent by the LEO, the GEO adds the authentication information of that LEO to its authentication information table, storing the LEO's ID together with the orbit data in the on-board authentication information database; after registration is complete, the GEO returns its own precise orbit data to the LEO;
a third step, inter-satellite identity authentication and key agreement, in which, according to the authentication stage, either the authentication sub-protocol before satellite authentication information registration or the authentication sub-protocol after satellite authentication information registration is selected and executed;
a fourth step, authentication precomputation, in which, according to the authentication stage, either the precomputation sub-protocol before satellite authentication information registration or the precomputation sub-protocol after satellite authentication information registration is selected and executed.
3. The inter-satellite networking authentication method suitable for a double-layer satellite network according to claim 2, characterized in that the first step, authentication system initialization, specifically comprises:
(1a) in the launch preparation stage, the satellite submits a system initialization application to the ground certificate server;
(1b) after receiving the application, the ground certificate server generates and distributes identity information, keys and orbit parameters for the satellite, including the satellite's identity information ID, the group identification information SGID, the anonymity protection key IDKey for the satellite's identity information, and the authentication master key MainKey.
4. as claimed in claim 2 suitable for networking authentication method between the star of double layer minipellet, which is characterized in that second
Step, the registration of satellite authentication information specifically include:
(2a) LEO sends the precise orbit data of itself to GEO, including the orbit altitude of progress satellite rail position prediction, track incline
Angle road parameter;
After (2b) receives the orbit information of LEO transmissions, GEO adds the authentication information of LEO in authentication information table, by the ID of LEO
The authentication information database being stored in together with orbital data on satellite;After the completion of registration, GEO returns to the accurate of itself to LEO
Orbital data;
After (2c) receives the orbital data of return, data are stored in the authentication database of itself by LEO;
Third walks, between star authentication specifically included with key agreement:
Execute the certification sub-protocol before satellite authentication information is registered and the certification sub-protocol after the registration of satellite authentication information;
Certification sub-protocol before authentication information registration includes:
(3a) LEO obtains time stamp T by spaceborne clockTID;T based on acquisitionTIDThis is calculated with preset IDKey, LEO to recognize
Demonstrate,prove the temporary identity TID, TID=f that should be usedTID(IDKey, TTID||RID);After the completion of calculating, LEO asks TID together with certification
It asks and sends jointly to GEO;
After (3b) receives TID, GEO decrypts TID using preset IDKey, and by decrypting obtained TTIDWith RID to certification
The freshness and validity of request are judged;
(3c) GEO obtains the time stamp T generated needed for AuthKey by spaceborne clockAuth;T based on acquisitionAuthWith it is preset
MainKey, AuthKey=fAK(MainKey, TAuth);GEO generates a disposable random parameter RAND;RAND based on generation
And AuthKey, GEO calculate timestamp protection sequence TK, TK=fTK(AuthKey, RAND);GEO is obtained by spaceborne clock and is given birth to
At Token time stamp TsToken;The T of RAND, acquisition based on generationToken, storage SGID, GEO calculate Message Authentication Code MAC,
MAC=fMAC(AuthKey, RAND | | TToken||SGID);GEO is by RAND, TToken, TK, SGID, MAC be merged into a certification
Token Token,And intended response XRES and session key CK are calculated,
CK=fCK(AuthKey, RAND), XRES=fRES(CK, RAND);
(3d) LEO uses the AuthKey that the mode of (3b)-(3c) generates, and using the AuthKey generated to the fresh of Token
Property and validity are judged;
After (3e) verification, LEO calculates CK and RES, and RES is returned to GEO;
After (3f) receives RES, whether the XRES of RES and storage that GEO is relatively received are equal;If equal, LEO is recognized in completion
Card;Otherwise, authentification failure;
Certification sub-protocol after authentication information registration includes:
After establishing communication link, LEO first determines whether own orbit parameter changes;If there is orbit perturbation, certification
The parameters for authentication failure that precomputation obtains, terminates this agreement, re-executes the certification sub-protocol before authentication information registration;If
Running track is normal, and the TID that precomputation obtains and RES are sent jointly to GEO by LEO together with access request;
After receiving access request, the TID received and RES is compared by GEO with the XTID of storage and XRES;If equal, complete
Certification to LEO, and the Token of storage is returned into LEO;If differing, return mistake, re-execute authentication information registration before
Certification sub-protocol;
LEO carries out availability deciding using the AuthKey that precomputation obtains to authentication token;
It is verified, LEO calculates session key CK using AuthKey;
the fourth step, authentication precomputation, specifically comprises:
an authentication precomputation sub-protocol executed before satellite authentication information registration and an authentication precomputation sub-protocol executed after satellite authentication information registration;
the authentication precomputation sub-protocol before authentication information registration specifically comprises:
(4a) LEO requests a blank Token from GEO;
(4b) GEO computes and returns a blank Token;
(4c) LEO computes, by orbit position prediction, the time of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token; LEO then generates the TID and the AuthKey for the next authentication from T_TID and T_Auth respectively; from the blank Token returned by GEO, LEO computes the RES for the next authentication; after the computation, LEO stores TID and RES;
(4d) GEO computes, by orbit position prediction, the time of its next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token; from the obtained time parameters, the stored satellite ID, and the stored key ID Key and MainKey, GEO computes the XTID, XRES, Token and CK for the next authentication; after the computation, GEO stores XTID, XRES, Token and CK;
the authentication precomputation sub-protocol after authentication information registration specifically comprises:
LEO computes, by orbit position prediction, the time of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token; LEO then generates the TID and the AuthKey for the next authentication from T_TID and T_Auth respectively; from the Token returned by GEO in the authentication sub-protocol, LEO computes the RES for the next authentication; after the computation, LEO stores TID and RES;
GEO computes, by orbit position prediction, the time of its next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token; from the obtained time parameters, the stored satellite ID, and the stored key ID Key and MainKey, GEO computes the XTID, XRES, Token and CK for the next authentication; after the computation, GEO stores XTID, XRES, Token and CK.
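The precomputed authentication path of steps (3d)-(3f), the post-registration sub-protocol and the precomputation sub-protocol (4a)-(4d) above, as an added worked example in Python that is not code from the patent. Everything the claim leaves unspecified is an assumption here: every f is instantiated as HMAC-SHA256; a per-satellite key shared by LEO and GEO stands in for the key-ID/MainKey lookup; a Token is laid out as T_Token || RAND || MAC under AuthKey, and a blank Token is just the RAND; T_TID, T_Auth and T_Token are derived from a predicted contact time, with orbit position prediction replaced by a fixed rounding; and the orbit check is modelled as the actual contact falling outside the predicted epoch. The names Geo, Leo, prf, derive, run_contact, demo, WINDOW and EPOCH are the example's own.

```python
"""Toy model of the GEO/LEO precomputed inter-satellite authentication (added
example, not the patent's code). fCK, fRES, the TID/AuthKey derivations, the
Token layout and the time parameters are assumptions; the claim itself fixes
only CK = fCK(AuthKey, RAND) and XRES = fRES(CK, RAND)."""
import hashlib, hmac, secrets

WINDOW, EPOCH = 30, 60   # assumed Token freshness window / contact epoch, seconds

def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts: assumed instantiation of every f."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def tb(t):
    return t.to_bytes(8, "big")          # a time parameter as 8-byte big-endian

def predict_times(contact):
    """Stand-in for orbit prediction (assumed): T_TID, T_Auth, T_Token from the contact time."""
    epoch = contact - contact % EPOCH
    return epoch, epoch + 1, contact

def derive(sat_key, label, t):           # TID from T_TID, AuthKey from T_Auth
    return prf(sat_key, label, tb(t))

def f_ck(authkey, rand):
    return prf(authkey, b"CK", rand)

def f_res(ck, rand):
    return prf(ck, b"RES", rand)[:16]

class Geo:
    def __init__(self, sat_keys):
        self.keys = sat_keys       # sat_id -> key, as provisioned by the ground server
        self.table, self.blank = {}, {}
    def issue_blank_token(self, sat_id):
        """(4b): the blank Token is RAND alone; the MAC is added in (4d) (assumed)."""
        self.blank[sat_id] = secrets.token_bytes(16)
        return self.blank[sat_id]
    def precompute(self, sat_id, contact):
        """(4d): XTID, XRES, Token and CK; Token = T_Token || RAND || MAC (assumed)."""
        t_tid, t_auth, t_token = predict_times(contact)
        sk, rand = self.keys[sat_id], self.blank.pop(sat_id)
        authkey = derive(sk, b"AUTH", t_auth)
        ck = f_ck(authkey, rand)
        token = tb(t_token) + rand + prf(authkey, b"TOKEN", tb(t_token), rand)
        self.table[sat_id] = {"xtid": derive(sk, b"TID", t_tid), "xres": f_res(ck, rand),
                              "token": token, "ck": ck}
    def access(self, tid, res):
        """GEO side: release the stored Token only if TID, RES equal XTID, XRES."""
        for sat_id, e in self.table.items():
            if hmac.compare_digest(e["xtid"], tid) and hmac.compare_digest(e["xres"], res):
                return sat_id, e["token"]
        return None, None

class Leo:
    def __init__(self, sat_key, sat_id):
        self.sat_key, self.sat_id, self.pre = sat_key, sat_id, None
    def precompute(self, blank_rand, contact):
        """(4c): TID, AuthKey and RES for the next contact from the blank Token."""
        t_tid, t_auth, t_token = predict_times(contact)
        authkey = derive(self.sat_key, b"AUTH", t_auth)
        self.pre = {"tid": derive(self.sat_key, b"TID", t_tid), "authkey": authkey,
                    "rand": blank_rand, "t_token": t_token, "contact": contact,
                    "res": f_res(f_ck(authkey, blank_rand), blank_rand)}
    def access_request(self, now):
        """Orbit check: outside the predicted epoch the precomputed values are void (None)."""
        if predict_times(now)[0] != predict_times(self.pre["contact"])[0]:
            return None
        return self.pre["tid"], self.pre["res"]
    def verify_token(self, token, now):
        """Availability check with the precomputed AuthKey: T_Token, RAND, freshness, MAC."""
        t_tok, rand, mac = token[:8], token[8:24], token[24:]
        fresh = (t_tok == tb(self.pre["t_token"]) and rand == self.pre["rand"]
                 and abs(now - self.pre["t_token"]) <= WINDOW)
        return fresh and hmac.compare_digest(
            mac, prf(self.pre["authkey"], b"TOKEN", t_tok, rand))
    def session_key(self):
        return f_ck(self.pre["authkey"], self.pre["rand"])

def run_contact(geo, leo, predicted, actual):
    """One precompute-then-authenticate cycle; returns an outcome label."""
    leo.precompute(geo.issue_blank_token(leo.sat_id), predicted)
    geo.precompute(leo.sat_id, predicted)
    req = leo.access_request(actual)
    if req is None:
        return "perturbed"                # fall back to the online sub-protocol
    sat_id, token = geo.access(*req)
    if token is None:
        return "rejected"
    if not leo.verify_token(token, actual):
        return "bad_token"
    return "ok" if leo.session_key() == geo.table[sat_id]["ck"] else "ck_mismatch"

def demo():
    """Constructed key/ID: normal contact, replay of the previous TID/RES, orbit drift."""
    sat_id, sat_key = b"LEO-01", secrets.token_bytes(32)
    geo, leo = Geo({sat_id: sat_key}), Leo(sat_key, sat_id)
    t0 = 1_700_000_000
    normal = run_contact(geo, leo, t0, t0 + 10)
    old_req = (leo.pre["tid"], leo.pre["res"])
    run_contact(geo, leo, t0 + 6000, t0 + 6005)        # GEO now holds the next epoch
    replay = "rejected" if geo.access(*old_req)[1] is None else "accepted"
    return normal, replay, run_contact(geo, leo, t0 + 12000, t0 + 12600)
```

demo() returns ("ok", "rejected", "perturbed"): the TID/RES pair precomputed for one contact is useless once GEO has moved its table to the next epoch, and a contact that falls outside the epoch LEO predicted makes LEO abort before sending anything, which is the fallback to the pre-registration sub-protocol the claim prescribes for orbit perturbation. Two points worth keeping in mind when reading the claim: GEO's comparison of TID and RES only shows that the requester knew the precomputed pair, so LEO's own check of the returned Token under AuthKey is what stops LEO from deriving CK towards a party that merely replayed an old access request; and because both sides must predict the same T_TID, T_Auth and T_Token independently, any disagreement in the orbit prediction surfaces as a plain authentication failure rather than a distinguishable error.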
5. A computer program implementing the inter-satellite networking authentication method suitable for a double-layer satellite network according to any one of claims 1 to 4.
6. An information data processing terminal implementing the inter-satellite networking authentication method suitable for a double-layer satellite network according to any one of claims 1 to 4.
7. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to execute the inter-satellite networking authentication method suitable for a double-layer satellite network according to any one of claims 1 to 4.
8. An inter-satellite networking authentication system suitable for a double-layer satellite network, implementing the inter-satellite networking authentication method suitable for a double-layer satellite network according to claim 1, characterized in that the inter-satellite networking authentication system suitable for a double-layer satellite network comprises:
a ground authentication server, for completing the initialization of the satellite authentication system and for generating and distributing the identity information, keys and orbit parameters used in inter-satellite authentication;
a high-orbit satellite (GEO) authentication client, for receiving authentication requests from LEO, computing and returning the authentication token Token, computing the expected response XRES and the session key CK, checking whether the temporary identity TID used by LEO in the authentication request is valid, checking whether the response RES returned by LEO is correct, and maintaining an authentication information table for LEO;
a low-orbit satellite (LEO) authentication client, for submitting authentication requests to GEO, checking whether the authentication token Token returned by GEO is valid, computing the temporary identity TID, the response RES and the session key CK, and maintaining an authentication information table for GEO.
9. The inter-satellite networking authentication system suitable for a double-layer satellite network according to claim 8, characterized in that the ground authentication server comprises:
a system initialization module, for completing the initialization of the satellite authentication system and writing the identity information generated by the identity information generation module, the keys generated by the key generation module and the orbit parameters assigned by the orbit distribution module into the satellite's authentication system;
an identity information generation module, for generating the identity information required for authentication for each satellite according to its production sequence and launch sequence;
a key generation module, for generating the keys required for authentication for each satellite;
an orbit distribution module, for assigning an operating orbit to each satellite;
the high-orbit satellite (GEO) authentication client comprises:
a system initialization module, for completing the initialization of the on-board authentication system and obtaining the identity information, keys and orbit parameters required for satellite authentication from the ground authentication server;
a networking authentication module, comprising an authentication submodule, a data processing submodule and a precomputation management submodule;
the authentication submodule, for exchanging the parameters required for authentication with the low-orbit satellite (LEO) authentication client;
the data processing submodule, for generating and parsing authentication parameters and checking whether received authentication parameters are valid;
the precomputation management submodule, for managing the precomputation of satellite authentication parameters according to the data in the authentication information table, and for maintaining the authentication information table;
an orbit prediction module, for computing the time of the next inter-satellite authentication;
an authentication information management module, for managing the registration and updating of LEO authentication information;
the low-orbit satellite (LEO) authentication client comprises:
a system initialization module, for completing the initialization of the on-board authentication system and obtaining the identity information, keys and orbit parameters required for satellite authentication from the ground authentication server;
a networking authentication module, comprising an authentication submodule, a data processing submodule and a precomputation management submodule;
the authentication submodule, for exchanging the parameters required for authentication with the high-orbit satellite (GEO) authentication client;
the data processing submodule, for generating and parsing authentication parameters and checking whether received authentication parameters are valid;
the precomputation management submodule, for managing the precomputation of satellite authentication parameters according to the data in the authentication information table, and for maintaining the authentication information table;
an orbit prediction module, for computing the time of the next inter-satellite authentication;
an authentication information management module, for managing the registration and updating of GEO authentication information.
10. An information data processing terminal equipped with the inter-satellite networking authentication system suitable for a double-layer satellite network according to any one of claims 8 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810262750.4A CN108566240B (en) | 2018-03-28 | 2018-03-28 | Inter-satellite networking authentication system and method suitable for double-layer satellite network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108566240A true CN108566240A (en) | 2018-09-21 |
CN108566240B CN108566240B (en) | 2020-10-27 |
Family
ID=63533118
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810262750.4A Active CN108566240B (en) | 2018-03-28 | 2018-03-28 | Inter-satellite networking authentication system and method suitable for double-layer satellite network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108566240B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040059939A1 (en) * | 2002-09-13 | 2004-03-25 | Sun Microsystems, Inc., A Delaware Corporation | Controlled delivery of digital content in a system for digital content access control |
US20050190915A1 (en) * | 2003-12-22 | 2005-09-01 | Pare David F. | System and method for using a streaming protocol |
CN101222329A (en) * | 2006-08-17 | 2008-07-16 | 上海航天计算机系统工程有限公司 | Mixed type distributed authentication system
CN102379141A (en) * | 2009-02-05 | 2012-03-14 | 北方电讯网络有限公司 | Method and system for user equipment location determination on a wireless transmission system |
US20120222089A1 (en) * | 2010-11-18 | 2012-08-30 | The Boeing Company | Network topology aided by smart agent download |
CN106059650A (en) * | 2016-05-24 | 2016-10-26 | 北京交通大学 | Air-ground integrated network architecture and data transmission method based on SDN and NFV technology |
CN107094047A (en) * | 2017-06-09 | 2017-08-25 | 西安电子科技大学 | Based on pre-stored and segment transmissions the double layer minipellet method for routing of grouped data |
CN107409051A (en) * | 2015-03-31 | 2017-11-28 | 深圳市大疆创新科技有限公司 | For generating the Verification System and method of air traffic control |
CN107615358A (en) * | 2015-03-31 | 2018-01-19 | 深圳市大疆创新科技有限公司 | For identifying the Verification System and method of authorized participant |
Non-Patent Citations (7)
Title |
---|
AYAN ROY-CHOWDHURY: "A Lightweight Certificate-based Source Authentication Protocol for Group Communication in Hybrid Wireless/Satellite Networks", 2008 IEEE Global Telecommunications Conference * |
JAE-WOOK LEE: "Satellite over Satellite (SOS) Network: A Novel Concept of Hierarchical Architecture and Routing in Satellite Network", Proceedings 25th Annual IEEE Conference on Local Computer Networks * |
YUANYUAN ZHANG: "Security analysis of an authentication and key agreement protocol", International Journal of Communication Systems * |
ZHONG YANTAO: "A Highly Secure Identity-Based Authenticated Key-Exchange Protocol for Satellite Communication" * |
REN Fang (任方): "Certificate-based hybrid public key infrastructure for space information networks", Journal of Jilin University (Engineering and Technology Edition) * |
LIU Yuxin (刘宇新): "Research on a security model for the transmission of sensitive information in open network environments", China Master's Theses Full-text Database * |
CAO Lifeng (曹利峰): "Research on a multilevel-security-oriented secure network communication model and its key technologies", China Doctoral Dissertations Full-text Database * |
Cited By (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109039436A (en) * | 2018-10-23 | 2018-12-18 | 中国科学院信息工程研究所 | A kind of method and system of safety satellite access authentication |
CN109547213B (en) * | 2018-12-14 | 2021-08-10 | 西安电子科技大学 | Inter-satellite networking authentication system and method suitable for low-earth-orbit satellite network |
CN109547213A (en) * | 2018-12-14 | 2019-03-29 | 西安电子科技大学 | Suitable for networking Verification System and method between the star of low-track satellite network |
WO2022002175A1 (en) * | 2020-07-01 | 2022-01-06 | 大唐移动通信设备有限公司 | Dynamic authentication method and apparatus, and device and readable storage medium |
CN111897816A (en) * | 2020-07-16 | 2020-11-06 | 中国科学院上海微系统与信息技术研究所 | Interactive method for computing information between satellites and generation method of information table applied by interactive method
CN111897816B (en) * | 2020-07-16 | 2024-04-02 | 中国科学院上海微系统与信息技术研究所 | Interaction method of calculation information between satellites and generation method of information table applied by same
CN112019258B (en) * | 2020-09-04 | 2022-03-22 | 中国电子科技集团公司第五十四研究所 | GEO and LEO mixed constellation and design method thereof |
CN112019258A (en) * | 2020-09-04 | 2020-12-01 | 中国电子科技集团公司第五十四研究所 | GEO and LEO mixed constellation and design method thereof |
CN112291783A (en) * | 2020-10-28 | 2021-01-29 | 中国科学院空天信息创新研究院 | Text authentication method and system, sending end and receiving end |
CN112291783B (en) * | 2020-10-28 | 2024-05-31 | 中国科学院空天信息创新研究院 | Text authentication method and system, transmitting end and receiving end |
CN112671452A (en) * | 2020-12-17 | 2021-04-16 | 西安电子科技大学 | Heterogeneous satellite network management method, system, medium, equipment, terminal and application |
CN112671452B (en) * | 2020-12-17 | 2023-03-14 | 西安电子科技大学 | Heterogeneous satellite network management method, system, medium, equipment, terminal and application |
CN112953726A (en) * | 2021-03-01 | 2021-06-11 | 西安电子科技大学 | Method, system and application for fusing dual-layer satellite network satellite-ground and inter-satellite networking authentication |
CN114007219A (en) * | 2021-10-25 | 2022-02-01 | 北京计算机技术及应用研究所 | Low-orbit satellite communication-oriented stealth access authentication method |
CN114007219B (en) * | 2021-10-25 | 2024-03-26 | 北京计算机技术及应用研究所 | Invisible identification access authentication method for low-orbit satellite communication |
CN114466359B (en) * | 2022-01-07 | 2024-03-01 | 中国电子科技集团公司电子科学研究院 | Distributed user authentication system and authentication method suitable for low orbit satellite network |
CN114466359A (en) * | 2022-01-07 | 2022-05-10 | 中国电子科技集团公司电子科学研究院 | Distributed user authentication system and authentication method suitable for low earth orbit satellite network |
CN114584975A (en) * | 2022-02-23 | 2022-06-03 | 重庆邮电大学 | Anti-quantum satellite network access authentication method based on SDN |
CN114584975B (en) * | 2022-02-23 | 2023-09-15 | 重庆邮电大学 | SDN-based anti-quantum satellite network access authentication method |
CN114828005A (en) * | 2022-05-24 | 2022-07-29 | 西安电子科技大学 | Enhanced inter-satellite networking authentication method based on location key |
CN115334505A (en) * | 2022-06-21 | 2022-11-11 | 西安电子科技大学 | Multimode intelligent terminal safety communication method and system facing 5G + Beidou |
CN115334505B (en) * | 2022-06-21 | 2024-05-14 | 西安电子科技大学 | 5 G+Beidou-oriented multimode intelligent terminal secure communication method and system |
CN117156433B (en) * | 2023-10-31 | 2024-02-06 | 航天宏图信息技术股份有限公司 | Satellite internet key management distribution method, device and deployment architecture |
CN117156433A (en) * | 2023-10-31 | 2023-12-01 | 航天宏图信息技术股份有限公司 | Satellite internet key management distribution method, device and deployment architecture |
CN117278109A (en) * | 2023-11-20 | 2023-12-22 | 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) | Satellite on-orbit safety anomaly identification method for far-sea wind power plant |
CN117278109B (en) * | 2023-11-20 | 2024-03-01 | 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) | Satellite in-orbit security anomaly identification method, system and computer readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN108566240B (en) | 2020-10-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108566240A (en) | Networking Verification System and method between a kind of star suitable for double layer minipellet | |
CN109547213B (en) | Inter-satellite networking authentication system and method suitable for low-earth-orbit satellite network | |
Eddine et al. | EASBF: An efficient authentication scheme over blockchain for fog computing-enabled internet of vehicles | |
Lee et al. | Secure and efficient honey list-based authentication protocol for vehicular ad hoc networks | |
Chattaraj et al. | A new two-server authentication and key agreement protocol for accessing secure cloud services | |
Shen et al. | Secure and efficient blockchain-assisted authentication for edge-integrated Internet-of-Vehicles | |
Xu et al. | BAGKD: A batch authentication and group key distribution protocol for VANETs | |
CN112953726B (en) | Satellite-ground and inter-satellite networking authentication method, system and application for fusing double-layer satellite network | |
Wu et al. | A provably secure authentication and key exchange protocol in vehicular ad hoc networks | |
CN108260102A (en) | The car-ground communication Non-Access Stratum authentication methods of LTE-R based on allograph | |
CN111756530B (en) | Quantum service mobile engine system, network architecture and related equipment | |
Chuang et al. | PPAS: A privacy preservation authentication scheme for vehicle-to-infrastructure communication networks | |
Wei et al. | BAVP: blockchain-based access verification protocol in LEO constellation using IBE keys | |
CN109688583A (en) | A kind of data ciphering method in star earth communication system | |
CN108964897A (en) | Identity authorization system and method based on group communication | |
CN108964896A (en) | A kind of Kerberos identity authorization system and method based on group key pond | |
Mahmood et al. | A neural computing-based access control protocol for AI-driven intelligent flying vehicles in industry 5.0-assisted consumer electronics | |
CN108270572A (en) | A kind of Key Exchange Protocol based on position and password | |
CN116388995A (en) | Lightweight smart grid authentication method based on PUF | |
CN108964895A (en) | User-to-User identity authorization system and method based on group key pond and improvement Kerberos | |
Wang et al. | A blockchain-based conditional privacy-preserving authentication scheme for edge computing services | |
Kim et al. | A secure batch authentication scheme for multiaccess edge computing in 5G-enabled intelligent transportation system | |
CN116743387A (en) | Vehicle fog service safety communication system, method and terminal based on blockchain | |
Hegde et al. | MFZKAP: multi factor zero knowledge proof authentication for secure service in vehicular cloud computing | |
Yang et al. | Design of Key Management Protocols for Internet of Things. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |