CN108566240A - Inter-satellite networking authentication system and method for a two-layer satellite network - Google Patents

Info

Publication number: CN108566240A
Authority: CN (China)
Prior art keywords: authentication, satellite, leo, certification, geo
Legal status: Granted (the status listed by Google is an assumption, not a legal conclusion)
Application number: CN201810262750.4A
Other languages: Chinese (zh)
Other versions: CN108566240B (en)
Inventors: 朱辉, 武衡, 张之义, 李晖, 赵海强, 王宇辉
Current assignee: Xidian University; CETC 54 Research Institute (listed assignees may be inaccurate)
Original assignee: Xidian University; CETC 54 Research Institute
Application filed by Xidian University and CETC 54 Research Institute; priority to CN201810262750.4A; published as CN108566240A; granted and published as CN108566240B; legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B7/00 Radio transmission systems, i.e. using radiation field
    • H04B7/14 Relay systems
    • H04B7/15 Active relay systems
    • H04B7/185 Space-based or airborne stations; Stations for satellite systems
    • H04B7/18521 Systems of inter linked satellites, i.e. inter satellite service
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 (under H04L63/00) for authentication of entities
    • H04L63/083 (under H04L63/08) using passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 (under H04L9/0861) involving passwords or one-time passwords
    • H04L9/32 (under H04L9/00) including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 (under H04L9/32) involving a third party or a trusted authority
    • H04L9/3213 (under H04L9/321) using tickets or tokens, e.g. Kerberos
    • H04L9/3297 (under H04L9/32) involving time stamps, e.g. generation of time stamps


Abstract

The invention belongs to the field of information security technology and discloses an inter-satellite networking authentication system and method for a two-layer satellite network. The system comprises a ground authentication server, a high-orbit (GEO) satellite authentication client and a low-orbit (LEO) satellite authentication client. The ground authentication server is responsible for initialising the satellite authentication system, that is, for generating and distributing the identity information, keys and orbit parameters required for inter-satellite authentication. The GEO and LEO authentication clients are the parties to inter-satellite networking authentication and achieve mutual identity authentication and key agreement by exchanging authentication parameters. Exploiting the highly synchronised clocks of a satellite network and the predictability of node orbits, the invention designs an authentication precomputation mechanism that markedly improves inter-satellite authentication efficiency. The invention lets high- and low-orbit satellites in a two-layer satellite network perform secure and efficient identity authentication and key agreement during the networking stage, and can be used for networking authentication between high- and low-orbit satellites.

Description

Inter-satellite networking authentication system and method for a two-layer satellite network
Technical field
The invention belongs to the field of information security technology and in particular relates to an inter-satellite networking authentication system and method for a two-layer satellite network. It can provide satellite identity authentication during networking for commercial satellite networks and can establish trust and secure communication between satellites without the participation of a trusted third party.
Background technology
Currently, the technology commonly used in the industry is as follows:
Because present satellite networks contain relatively few satellites, for example Iridium (66) and GPS (24), satellite networking is mainly controlled by ground stations. Satellite networking authentication is generally performed by the ground station directly distributing authentication parameters, session keys and the like to the satellites. Under this control structure a satellite usually has no autonomous networking capability, so its networking authentication depends heavily on the ground station.
However, as space technology develops, satellite networks are becoming more complex: satellite nodes are numerous and satellite control is complicated. Under this trend, the traditional ground-controlled networking model is limited by the deployment locations, processing capacity and management capacity of ground stations. At the same time, because satellite links use a wireless transmission medium, the channel is highly open and communication content is easily intercepted, tampered with or forged, so satellite networking may well fail because of malicious interference. In addition, the special deployment environment of a satellite network places stricter requirements on the design of an inter-satellite identity authentication protocol. First, on-board resources are constrained and a large computational overhead is hard to bear; a scheme that needs complex computation seriously degrades authentication efficiency. Second, inter-satellite distances are large and the communication delay cannot be ignored, so communication overhead must be treated as a design consideration.
For the networking problem of satellite networks, some solutions have been proposed, for example:
The patent "satellite in orbit identity identifying method" applied for by the No. 30 Institute of China Electronic Science & Technology Group Co. (application number CN 2017101415439, application publication number CN106850674A) discloses an in-orbit satellite identity authentication method that uses the periodicity of satellite orbits together with a public/private key authentication mechanism to solve the identity authentication problem between satellite and ground.
However, as space technology develops, the satellite networks being designed contain more and more nodes. If networking authentication requires frequent participation of the ground station, authentication efficiency suffers severely from satellite-to-ground communication delay and similar problems. To keep satellite networking secure and efficient, the authentication protocol should therefore minimise the participation of third parties such as the ground station and improve the independence and autonomy of the authenticating nodes, so that the satellite network can continue to operate securely even when the ground station fails.
In summary, the problems of the existing technology are:
(1) Inter-satellite identity authentication requires ground participation; without a trusted third party such as a ground station it is difficult to establish independent, autonomous trust and secure communication between satellites, which does not suit the networking scenario of a satellite network with a massive number of nodes;
(2) Inter-satellite identity authentication does not protect the satellite's own identity information, so an attacker can use intercepted plaintext identity information to forge access requests, mount denial-of-service and similar attacks, and disrupt satellite networking;
(3) The computational overhead of inter-satellite identity authentication affects authentication latency. Compared with a satellite network with few nodes, a network with a massive number of nodes authenticates far more frequently, so inter-satellite networking incurs authentication latency because of the limited computing power of the on-board computer.
The difficulty and significance of solving the above technical problems:
(1) Designing an independent, autonomous inter-satellite networking authentication method requires a secure and efficient key update scheme that both reduces ground-station participation and ensures that satellites can update their authentication keys accurately;
(2) Designing an inter-satellite networking authentication method that protects satellite identity information requires accounting for the extra computational overhead this brings: it must ensure the confidentiality of satellite identity information while keeping the resulting overhead low;
(3) Designing an inter-satellite networking authentication method for complex satellite networks requires accounting for the computational overhead of the authentication process and avoiding, as far as possible, the latency caused by limited computing resources when many satellites authenticate simultaneously.
As space technology develops, future satellite networks will contain more and more satellite nodes. Designing an inter-satellite networking authentication method that achieves independent, autonomous networking without frequent ground-station participation is of great significance for the stable operation of satellite networks with a massive number of nodes.
Summary of the invention
In view of the problems of the existing technology, the present invention provides an inter-satellite networking authentication system and method for a two-layer satellite network.
The invention is realised as follows.
The inter-satellite networking authentication system for a two-layer satellite network according to the invention comprises:
A ground authentication server, responsible for initialising the satellite authentication system, that is, for generating and distributing the identity information, keys and orbit parameters required for inter-satellite authentication;
A high-orbit satellite (GEO) authentication client, responsible for receiving authentication requests from LEO, computing and returning the authentication token Token, computing the expected response XRES and the session key CK, checking whether the temporary identity TID used in LEO's authentication request is valid, checking whether the response RES returned by LEO is correct, and maintaining an authentication information table for LEO;
A low-orbit satellite (LEO) authentication client, responsible for submitting authentication requests to GEO, checking whether the authentication token Token returned by GEO is valid, computing the temporary identity TID, the response RES and the session key CK, and maintaining an authentication information table for GEO.
The ground authentication server comprises:
A system initialisation module, which completes the initialisation of the satellite authentication system by writing the identity information generated by the identity information generation module, the keys generated by the key generation module and the orbit parameters allocated by the orbit allocation module into the satellite authentication system;
An identity information generation module, which generates the identity information required for authentication for each satellite according to its production sequence, launch sequence and the like;
A key generation module, which generates the keys required for authentication for each satellite;
An orbit allocation module, which allocates an operating orbit to each satellite.
The high-orbit satellite (GEO) authentication client comprises:
A system initialisation module, which completes the initialisation of the on-board authentication system and obtains from the ground authentication server the identity information, keys and orbit parameters required for satellite authentication;
A networking authentication module with three sub-modules: an authentication sub-module, a data processing sub-module and a precomputation management sub-module. The authentication sub-module exchanges the parameters required for authentication with the low-orbit satellite (LEO) authentication client; the data processing sub-module generates and parses authentication parameters and checks whether received authentication parameters are valid; the precomputation management sub-module precomputes the satellite's authentication parameters according to the data in the authentication information table and maintains that table;
An orbit prediction module, which computes the time of the next inter-satellite authentication;
An authentication information management module, which manages the registration and update of LEO authentication information.
The low-orbit satellite (LEO) authentication client comprises:
A system initialisation module, which completes the initialisation of the on-board authentication system and obtains from the ground authentication server the identity information, keys and orbit parameters required for satellite authentication;
A networking authentication module with three sub-modules: an authentication sub-module, a data processing sub-module and a precomputation management sub-module. The authentication sub-module exchanges the parameters required for authentication with the high-orbit satellite (GEO) authentication client; the data processing sub-module generates and parses authentication parameters and checks whether received authentication parameters are valid; the precomputation management sub-module precomputes the satellite's authentication parameters according to the data in the authentication information table and maintains that table;
An orbit prediction module, which computes the time of the next inter-satellite authentication;
An authentication information management module, which manages the registration and update of GEO authentication information.
Another object of the present invention is to provide an information data processing terminal equipped with the inter-satellite networking authentication system for a two-layer satellite network.
To achieve the above object, the present invention provides an inter-satellite networking authentication method for a two-layer satellite network, comprising:
1. Authentication system initialisation
(1a) During launch preparation, the satellite submits a system initialisation application to the ground authentication server.
(1b) On receiving the application, the ground authentication server generates and distributes to the satellite its identity information, keys and orbit parameters, including the identity information ID, the group identity information SGID, the satellite identity anonymity protection key IDKey and the satellite authentication master key MainKey.
2. Satellite authentication information registration
(2a) LEO sends GEO its precise orbit data, such as orbit altitude and orbit inclination, that is, the orbit parameters needed to predict the satellite's orbital position.
(2b) On receiving the orbit information sent by LEO, GEO adds the LEO's authentication information to its authentication information table, that is, it stores the LEO's ID together with its orbit data in the on-board authentication information database. After registration is complete, GEO returns its own precise orbit data to the LEO.
(2c) On receiving the returned orbit data, LEO stores it in its own authentication database in the same way.
3. Inter-satellite identity authentication and key agreement
Inter-satellite identity authentication and key agreement is divided into two sub-protocols according to the stage of networking authentication: the authentication sub-protocol before satellite authentication information is registered and the authentication sub-protocol after it is registered.
3.1) Authentication sub-protocol before authentication information registration
(3.1.a) LEO obtains the timestamp T_TID from its on-board clock. From T_TID and the preset IDKey, LEO computes the temporary identity TID to be used in this authentication, TID = f_TID(IDKey, T_TID || RID). LEO then sends TID to GEO together with the authentication request.
(3.1.b) On receiving TID, GEO decrypts it with the preset IDKey and judges the freshness and validity of the authentication request from the recovered T_TID and RID.
(3.1.c) GEO obtains from its on-board clock the timestamp T_Auth needed to generate AuthKey and computes AuthKey = f_AK(MainKey, T_Auth) from T_Auth and the preset MainKey. GEO generates a one-time random parameter RAND and computes the timestamp protection sequence TK = f_TK(AuthKey, RAND) from RAND and AuthKey. GEO obtains from its on-board clock the timestamp T_Token needed to generate Token and, from RAND, T_Token and the stored SGID, computes the message authentication code MAC = f_MAC(AuthKey, RAND || T_Token || SGID). GEO combines RAND, T_Token, TK, SGID and MAC into an authentication token Token, and computes the expected response XRES and the session key CK: CK = f_CK(AuthKey, RAND), XRES = f_RES(CK, RAND).
(3.1.d) LEO generates AuthKey in the same way and uses it to judge the freshness and validity of Token.
(3.1.e) If verification succeeds, LEO computes CK and RES in the same way and returns RES to GEO.
(3.1.f) On receiving RES, GEO compares it with the stored XRES. If they are equal, authentication of LEO is complete; otherwise authentication fails.
3.2) Authentication sub-protocol after authentication information registration
(3.2.a) After the communication link is established, LEO first determines whether its own orbit parameters have changed. If the orbit has been perturbed, the authentication parameters obtained by precomputation are no longer valid, so this protocol is terminated and authentication sub-protocol (3.1) is executed instead. If the orbit is normal, LEO sends the precomputed TID and RES to GEO together with the access request.
(3.2.b) On receiving the access request, GEO compares the received TID and RES with the stored XTID and XRES. If they are equal, authentication of LEO is complete and the stored Token is returned to LEO; if they differ, an error is returned and authentication sub-protocol (3.1) is executed instead.
(3.2.c) LEO judges the validity of the authentication token using the precomputed AuthKey.
(3.2.d) If verification succeeds, LEO computes the session key CK using AuthKey.
4. Authentication precomputation
Authentication precomputation is divided into two sub-protocols according to the stage of networking authentication: the precomputation sub-protocol before satellite authentication information is registered and the precomputation sub-protocol after it is registered.
4.1) Authentication precomputation sub-protocol before authentication information registration
(4.1.a) LEO applies to GEO for a blank Token.
(4.1.b) GEO computes and returns a blank Token.
(4.1.c) Using orbital position prediction, LEO computes the time of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token. LEO then generates from T_TID and T_Auth respectively the TID and AuthKey to be used in the next authentication, and computes from the blank Token returned by GEO the RES to be used in the next authentication. After computing, LEO stores TID and RES.
(4.1.d) Using orbital position prediction, GEO computes the time of its next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token. From these time parameters, the stored satellite ID and the stored keys IDKey and MainKey, GEO computes the XTID, XRES, Token and CK needed for the next authentication. After computing, GEO stores XTID, XRES, Token and CK.
4.2) Authentication precomputation sub-protocol after authentication information registration
(4.2.a) Using orbital position prediction, LEO computes the time of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token. LEO then generates from T_TID and T_Auth respectively the TID and AuthKey to be used in the next authentication, and computes from the Token returned by GEO in authentication sub-protocol (3.2) the RES to be used in the next authentication. After computing, LEO stores TID and RES.
(4.2.b) Using orbital position prediction, GEO computes the time of its next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token. From these time parameters, the stored satellite ID and the stored keys IDKey and MainKey, GEO computes the XTID, XRES, Token and CK needed for the next authentication. After computing, GEO stores XTID, XRES, Token and CK.
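As an added worked example (not code from the patent), the following Python models steps (3.1.a) to (3.1.f), the comparison-only path of (3.2.b) and the precomputation of section 4 in one place, for both the GEO and the LEO side. Assumptions not stated in the text: every f_* is HMAC-SHA256 under a distinct label; f_TID is a deterministic SIV-style encrypt-then-MAC, so GEO can both decrypt a TID and compare it byte-for-byte with a stored XTID; TK masks T_Token inside Token; the "blank Token" is the Token GEO builds for the predicted contact; timestamps are whole seconds from the synchronised clock, with T_Auth a coarser key-update epoch.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16          # bytes kept from each HMAC-SHA256 output that serves as a tag
FRESH_WINDOW = 30     # seconds a received T_TID / T_Token may differ from the local clock

def _ts(t: int) -> bytes:
    """Encode a timestamp as 8 big-endian bytes (assumption: seconds on the synchronised clock)."""
    return struct.pack(">Q", t)

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """One keyed PRF; the label separates the roles f_TID, f_AK, f_TK, f_MAC, f_CK, f_RES."""
    return hmac.new(key, label + data, hashlib.sha256).digest()

# f_TID(IDKey, T_TID || RID): deterministic SIV-style encryption (assumption), so GEO can
# decrypt it in (3.1.b) and can also compare it byte-for-byte with a precomputed XTID in (3.2.b).
def f_tid(id_key: bytes, t_tid: int, rid: bytes) -> bytes:
    pt = _ts(t_tid) + rid
    assert len(pt) <= 32, "toy keystream is a single SHA-256 block"
    tag = prf(id_key, b"TID-SIV", pt)[:TAG_LEN]        # synthetic IV = MAC of the plaintext
    ks = prf(id_key, b"TID-ENC", tag)                  # keystream derived from that IV
    return tag + bytes(a ^ b for a, b in zip(pt, ks))

def open_tid(id_key: bytes, tid: bytes, now: int):
    """GEO side of (3.1.b): recover (T_TID, RID), or None if the TID is tampered or stale."""
    tag, ct = tid[:TAG_LEN], tid[TAG_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, prf(id_key, b"TID-ENC", tag)))
    if len(pt) < 8 or not hmac.compare_digest(tag, prf(id_key, b"TID-SIV", pt)[:TAG_LEN]):
        return None
    t_tid = struct.unpack(">Q", pt[:8])[0]
    if abs(now - t_tid) > FRESH_WINDOW:
        return None
    return t_tid, pt[8:]

# The derivations listed in step (3.1.c).
def f_ak(main_key: bytes, t_auth: int) -> bytes:
    return prf(main_key, b"AK", _ts(t_auth))
def f_tk(auth_key: bytes, rand: bytes) -> bytes:
    return prf(auth_key, b"TK", rand)
def f_mac(auth_key: bytes, rand: bytes, t_token: int, sgid: bytes) -> bytes:
    return prf(auth_key, b"MAC", rand + _ts(t_token) + sgid)[:TAG_LEN]
def f_ck(auth_key: bytes, rand: bytes) -> bytes:
    return prf(auth_key, b"CK", rand)
def f_res(ck: bytes, rand: bytes) -> bytes:
    return prf(ck, b"RES", rand)[:TAG_LEN]

def geo_make_token(main_key: bytes, sgid: bytes, t_auth: int, t_token: int, rand: bytes = b""):
    """(3.1.c): Token = RAND || (T_Token XOR TK) || SGID || MAC; also returns XRES and CK.
    Masking T_Token with TK is this example's assumption; the patent only says TK protects it."""
    rand = rand or os.urandom(16)
    ak = f_ak(main_key, t_auth)
    masked = bytes(a ^ b for a, b in zip(_ts(t_token), f_tk(ak, rand)))
    token = rand + masked + sgid + f_mac(ak, rand, t_token, sgid)
    ck = f_ck(ak, rand)
    return token, f_res(ck, rand), ck

def leo_check_token(main_key: bytes, sgid: bytes, t_auth: int, token: bytes, now: int):
    """(3.1.d)/(3.1.e): check SGID, freshness of T_Token and XMAC == MAC; return (CK, RES) or None."""
    n = len(sgid)
    if len(token) != 24 + n + TAG_LEN:
        return None
    rand, masked, sg, tag = token[:16], token[16:24], token[24:24 + n], token[24 + n:]
    ak = f_ak(main_key, t_auth)
    t_token = struct.unpack(">Q", bytes(a ^ b for a, b in zip(masked, f_tk(ak, rand))))[0]
    if sg != sgid or abs(now - t_token) > FRESH_WINDOW:
        return None
    if not hmac.compare_digest(tag, f_mac(ak, rand, t_token, sgid)):
        return None
    ck = f_ck(ak, rand)
    return ck, f_res(ck, rand)

# Section 4: both sides derive the next contact's parameters from the same predicted
# (T_TID, T_Auth, T_Token) triple; the "blank Token" of (4.1.b) is modelled as the Token
# GEO builds for that predicted contact (assumption: the patent does not define its format).
def geo_precompute(id_key: bytes, main_key: bytes, sgid: bytes, rid: bytes, predicted):
    """(4.1.d)/(4.2.b): returns the stored tuple (XTID, XRES, Token, CK)."""
    t_tid, t_auth, t_token = predicted
    token, xres, ck = geo_make_token(main_key, sgid, t_auth, t_token)
    return f_tid(id_key, t_tid, rid), xres, token, ck

def leo_precompute(id_key: bytes, main_key: bytes, sgid: bytes, rid: bytes, predicted, blank_token: bytes):
    """(4.1.c)/(4.2.a): returns the stored pair (TID, RES), or None if the Token fails its checks."""
    t_tid, t_auth, t_token = predicted
    out = leo_check_token(main_key, sgid, t_auth, blank_token, t_token)
    return None if out is None else (f_tid(id_key, t_tid, rid), out[1])

def geo_fast_auth(stored, tid: bytes, res: bytes):
    """(3.2.b): no cryptography at contact time, only constant-time comparisons; returns the
    stored Token on success and None to force a fall back to sub-protocol (3.1)."""
    xtid, xres, token, _ck = stored
    ok = hmac.compare_digest(tid, xtid) & hmac.compare_digest(res, xres)
    return token if ok else None
```

Note that a perturbed orbit shifts the predicted T_TID, so LEO's stored TID no longer matches GEO's XTID and geo_fast_auth returns None, which is exactly the fall-back the text prescribes in (3.2.a) and (3.2.b).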
Another object of the present invention is to provide a computer program implementing the inter-satellite networking authentication method for a two-layer satellite network.
Another object of the present invention is to provide an information data processing terminal implementing the inter-satellite networking authentication method for a two-layer satellite network.
Another object of the present invention is to provide a computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to execute the inter-satellite networking authentication method for a two-layer satellite network.
The invention prevents replay attacks by judicious use of timestamps when generating authentication parameters. During identity authentication, the parameters exchanged between GEO and LEO are TID, Token and RES. Generating TID requires the timestamp T_TID, from which GEO can judge the freshness of TID; Token contains the encrypted time parameter T_Token, from which LEO, together with the MAC value, can judge whether a received Token is a replayed message; RES corresponds to Token, so whether RES is a replayed message can be judged from the message return speed.
The inter-satellite identity authentication and key agreement of the invention is divided into two sub-protocols according to the stage of networking authentication: the authentication sub-protocol before satellite authentication information is registered and the authentication sub-protocol after it is registered. Once a satellite has registered its authentication information, authentication parameters can be precomputed from the exchanged precise orbit parameters. Thanks to this precomputation mechanism, inter-satellite authentication after registration runs as a lightweight networking authentication protocol, which greatly improves authentication efficiency.
In the temporary identity generation method of the invention, a satellite generates its temporary identity by performing a cryptographic operation, under the IDKey shared within the GEO/LEO group, on the concatenation of the timestamp T_TID and the true identity RID, and uses the result as its temporary identity. Because the temporary identity is derived from the time, LEO uses different identity information every time it initiates authentication.
In the authentication key AuthKey generation method of the invention, the authentication key is derived, based on the time, from the master key MainKey distributed by the ground authentication server. Using the highly synchronised clocks and predictable orbits of a satellite network, GEO and LEO can update the authentication key according to the predicted time. Precomputing authentication parameters from the predicted time both guarantees that the two parties compute synchronously and improves inter-satellite authentication efficiency.
The method by which the invention reduces computational overhead in inter-satellite authentication uses the highly synchronised clocks and predictable orbits of the satellite network: an authentication precomputation step computes, in advance and during periods of low on-board computer utilisation, every parameter needed for the next authentication. At the next authentication, identity authentication requires only a parameter comparison, which effectively avoids the authentication latency caused by insufficient on-board computing power during inter-satellite networking authentication.
In summary, the advantages and positive effects of the invention are:
The invention achieves mutual identity authentication between satellites.
In the invention, once the ground station has initialised the satellites' authentication system, LEO and GEO perform networking authentication independently and autonomously. LEO authenticates GEO by checking whether the locally computed XMAC equals the MAC in Token; GEO authenticates LEO by checking whether the locally stored XRES equals the returned RES. This mutual authentication mechanism resists impersonation, tampering and similar network attacks during satellite networking and ensures that networking proceeds securely and in an orderly way.
The invention achieves anonymity protection of satellite identity information.
In the invention, LEO uses a temporary identity when sending an authentication request. The temporary identity is generated by encrypting the true identity information together with a timestamp, so the identity information used in each authentication is different. At the same time, because of the authentication precomputation mechanism, identity information is verified mainly by string comparison during authentication, which adds no extra computational overhead to the satellite.
The invention reduces the computational overhead of satellites during authentication.
Combining the highly synchronised clocks and predictable orbits of a satellite network, the invention designs an authentication precomputation step, so that a satellite can use the time parameters obtained from orbit prediction to compute in advance every parameter needed for the next authentication; at the next networking authentication only a simple parameter comparison is needed. Through this precomputation mechanism, the invention schedules most of the computation required by the authentication process into periods of low satellite processor utilisation, thereby avoiding the authentication latency caused by insufficient computing power when many satellites authenticate at the same time.
Description of the drawings
Fig. 1 is a diagram of the inter-satellite networking authentication system suitable for a double-layer satellite network provided by an embodiment of the present invention.
Fig. 2 is a flow chart of the inter-satellite networking authentication method suitable for a double-layer satellite network provided by an embodiment of the present invention.
Fig. 3 is the authentication flow diagram of the low-orbit satellite provided by an embodiment of the present invention.
Fig. 4 is the authentication flow diagram of the high-orbit satellite provided by an embodiment of the present invention.
Specific implementation mode
To make the purpose, technical scheme and advantages of the present invention clearer, the invention is further elaborated below with reference to embodiments. It should be understood that the specific embodiments described here merely illustrate the invention and do not limit it.
In the prior art, trust establishment and secure communication between satellites cannot be achieved without the participation of a TTP. The present invention provides an inter-satellite networking authentication method suitable for a double-layer satellite network, comprising:
LEO completes identity authentication of GEO by judging whether the XMAC obtained by local computation equals the MAC in the Token; GEO completes identity authentication of LEO by judging whether the locally stored XRES equals the returned RES. During identity authentication the parameters transmitted between GEO and LEO are TID, Token and RES. The generation of TID requires the timestamp T_TID, from which GEO judges the freshness of TID; the Token contains the encrypted time parameter T_Token, and LEO uses it together with the MAC value to judge whether the received Token is a replayed message; RES corresponds to the Token, and GEO judges from the message return speed whether RES is a replayed message;
When LEO sends an authentication request it uses a time-based temporary identity, so the identity information used in each authentication differs; during the authentication process identity information is verified by string comparison. To generate the temporary identity, the satellite applies a cryptographic operation, keyed with the IDKey shared between GEO and the LEO group, to the concatenated string of the timestamp T_TID and the true identity RID, and the result represents the satellite's temporary identity;
Exploiting the high clock synchronisation and predictable orbits of the satellite network, GEO and LEO each update the authentication key AuthKey and calculate the authentication parameters in advance according to the predicted time.
As shown in Fig. 1, the inter-satellite networking authentication system suitable for a double-layer satellite network provided by an embodiment of the present invention consists of three main modules: the ground authentication server, the high-orbit satellite (GEO) authentication client and the low-orbit satellite (LEO) authentication client.
Wherein:
The ground authentication server is responsible for initialising the satellite authentication system, that is, for generating and distributing the identity information, keys and orbit parameters required for inter-satellite authentication;
The high-orbit satellite (GEO) authentication client is responsible for receiving authentication requests from LEO, calculating and returning the authentication token Token, calculating the expected response XRES and the session key CK, checking whether the temporary identity TID used by LEO in the authentication request is valid, checking whether the response RES returned by LEO is correct, and maintaining an authentication information table for the LEOs;
The low-orbit satellite (LEO) authentication client is responsible for submitting authentication requests to GEO, checking whether the authentication token Token returned by GEO is valid, calculating the temporary identity TID, the response RES and the session key CK, and maintaining an authentication information table for the GEOs.
The ground authentication server includes a system initialisation module, an identity information generation module, a key generation module and an orbit distribution module.
The system initialisation module completes the initialisation of the satellite authentication system: it writes the identity information generated by the identity information generation module, the keys generated by the key generation module and the orbit parameters assigned by the orbit distribution module into the satellite authentication system;
The identity information generation module generates the identity information required for authentication for each satellite according to its production sequence, launch sequence and so on;
The key generation module generates the keys required for authentication for each satellite;
The orbit distribution module assigns an operating orbit to each satellite.
The high-orbit satellite (GEO) authentication client includes a system initialisation module, a networking authentication module, an orbit prediction module and an authentication information management module.
The system initialisation module completes the initialisation of the on-board authentication system, obtaining from the ground authentication server the identity information, keys and orbit parameters required for satellite authentication;
The networking authentication module consists of three submodules: an authentication submodule, a data processing submodule and a precomputation management submodule. The authentication submodule exchanges the parameters required for authentication with the low-orbit satellite (LEO) authentication client; the data processing submodule generates and parses authentication parameters and checks whether received authentication parameters are valid; the precomputation management submodule precomputes the authentication parameters of the satellites recorded in the authentication information table and maintains that table;
The orbit prediction module calculates the time of the next inter-satellite authentication;
The authentication information management module manages the registration and update of LEO authentication information.
The low-orbit satellite (LEO) authentication client includes a system initialisation module, a networking authentication module, an orbit prediction module and an authentication information management module.
The system initialisation module completes the initialisation of the on-board authentication system, obtaining from the ground authentication server the identity information, keys and orbit parameters required for satellite authentication;
The networking authentication module consists of three submodules: an authentication submodule, a data processing submodule and a precomputation management submodule. The authentication submodule exchanges the parameters required for authentication with the high-orbit satellite (GEO) authentication client; the data processing submodule generates and parses authentication parameters and checks whether received authentication parameters are valid; the precomputation management submodule precomputes the authentication parameters of the satellites recorded in the authentication information table and maintains that table;
The orbit prediction module calculates the time of the next inter-satellite authentication;
The authentication information management module manages the registration and update of GEO authentication information.
As shown in Figs. 2-4, the inter-satellite networking authentication method suitable for a double-layer satellite network provided by an embodiment of the present invention comprises four parts: authentication system initialisation, satellite authentication information registration, inter-satellite identity authentication and key agreement, and authentication precomputation.
The invention is further described below with reference to authentication system initialisation.
1. Authentication system initialisation:
Step 1: During launch preparation, the satellite submits a system initialisation application to the ground authentication server;
Step 2: On receiving the application, the ground authentication server generates ID, SGID, IDKey, MainKey and orbit parameters for the satellite according to information such as its production number and launch sequence. Once generated, each parameter is stored in the satellite's authentication database, where:
(1) ID is the satellite's identity information, used to uniquely identify the satellite node when the inter-satellite identity authentication protocol is executed;
(2) SGID is the satellite's group identification information, identifying the group to which the satellite belongs; it is an auxiliary identity of the satellite and can be configured according to the actual deployment;
(3) IDKey is the anonymity protection key for the satellite's identity information; it is a key shared between GEO and the LEO group, and is used to generate LEO temporary identities during the authentication process;
(4) MainKey is the inter-satellite master key used during authentication; it is a secret shared between the GEO and LEO satellites, and is used to generate the authentication key AuthKey.
The invention is further described below with reference to satellite authentication information registration.
2. Satellite authentication information registration
Satellite authentication information registration is carried out after GEO and LEO have completed inter-satellite identity authentication for the first time, and includes the following steps:
Step 1: LEO sends its precise orbit data to GEO, such as orbit altitude and orbit inclination, i.e. the orbit parameters required for satellite rail-position prediction;
Step 2: On receiving the orbit information sent by LEO, GEO adds that LEO's authentication information to the authentication information table, i.e. stores the LEO's ID together with its orbit data in the on-board authentication information database. After registration, GEO returns its own precise orbit data to that LEO;
Step 3: On receiving the returned orbit data, LEO stores it in its own authentication database by the same operation.
The invention is further described below with reference to inter-satellite identity authentication and key agreement.
3. Inter-satellite identity authentication and key agreement
According to the execution phase of networking authentication, the inter-satellite identity authentication and key agreement of the method is divided into two sub-protocols: the authentication sub-protocol before satellite authentication information registration and the authentication sub-protocol after satellite authentication information registration.
(1) Authentication sub-protocol before authentication information registration
The inter-satellite identity authentication and key agreement sub-protocol that takes place before satellite authentication information registration executes the following steps:
Step 1: LEO generates and sends a temporary identity.
LEO obtains the timestamp T_TID from its on-board clock. From the obtained T_TID and the preset IDKey, LEO calculates the temporary identity TID to be used for this authentication, TID = f_TID(IDKey, T_TID||RID), where f_TID is the temporary identity generation algorithm, which can be implemented with reference to HMAC-SM3 (the hash message authentication code based on the national SM3 algorithm), and RID is the satellite's true identity information. After calculation, LEO sends TID to GEO together with the authentication request.
Step 2: GEO judges the validity of the authentication request.
2.1) Freshness verification
On receiving TID, GEO decrypts it with the preset IDKey. If the recovered T_TID satisfies T_TID - T_0 < ΔT_TID, the request meets the freshness requirement and step 2.2) follows; otherwise authentication is terminated and the connection is released;
2.2) Validity verification
If the recovered RID complies with the predetermined naming convention, identity verification passes and step 3 is executed; otherwise authentication is terminated and the connection is released.
Step 3: GEO generates and returns the authentication token.
3.1) Generate the authentication key
GEO obtains from its on-board clock the timestamp T_Auth required to generate AuthKey. From the obtained T_Auth and the preset MainKey, GEO calculates the authentication key for this authentication, AuthKey = f_AK(MainKey, T_Auth), where f_AK is the authentication key generation algorithm used to produce AuthKey, which can be implemented with reference to ECB-SM4 (the national SM4 algorithm in electronic codebook mode).
3.2) Generate the timestamp protection sequence
GEO generates a one-time random parameter RAND. From the generated RAND and AuthKey, GEO calculates the timestamp protection sequence TK, TK = f_TK(AuthKey, RAND), where f_TK is the timestamp protection sequence generation algorithm, which can be implemented with reference to ECB-SM4.
3.3) Generate the message authentication code
GEO obtains from its on-board clock the timestamp T_Token required to generate the authentication token Token. From the generated RAND, the obtained T_Token and the stored SGID, GEO calculates the message authentication code MAC, MAC = f_MAC(AuthKey, RAND||T_Token||SGID), where f_MAC is the message authentication code generation algorithm, which can be implemented with reference to MAC-SM4.
3.4) Generate the authentication token
GEO merges RAND, T_Token, TK, SGID and MAC into one Token.
3.5) Generate the expected response and session key
GEO calculates the expected response XRES and the session key CK: CK = f_CK(AuthKey, RAND), XRES = f_RES(CK, RAND), where f_CK is the key generation algorithm for CK and f_RES is the authentication response value generation algorithm; both can be implemented with reference to HMAC-SM3.
After the authentication parameters have been calculated, GEO stores XRES and CK and returns the Token to LEO.
Step 4: LEO judges the validity of the authentication token.
4.1) Freshness verification
LEO calculates TK from the AuthKey it has generated and the RAND in the Token. After decrypting the Token with TK to obtain T_Token, it judges whether T_Token - T_0 < ΔT holds. If T_Token meets the message freshness requirement, step 4.2) is executed; otherwise authentication fails and the connection is released.
4.2) Identity information verification
Using the generated AuthKey and the RAND, T_Token and SGID in the Token, LEO calculates the message authentication code XMAC in the same way. It then judges whether the calculated XMAC equals the MAC in the Token: if they are equal, authentication of GEO is complete; if they differ, authentication fails and the connection is released.
Step 5: LEO generates the authentication response value and session key.
After verification passes, LEO calculates CK and RES from RAND and AuthKey using f_CK and f_RES, and returns RES to GEO.
Step 6: GEO verifies the response value.
On receiving RES, GEO compares the received RES with the stored XRES. If they are equal, authentication of LEO is complete; otherwise authentication fails.
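As an added worked example (not part of the patent or its embodiment), the following Python code runs authentication sub-protocol (1), steps 1 to 6, with both sides in one process so that the freshness check, the XMAC/MAC comparison and the RES/XRES comparison can be exercised against stale and modified messages. HMAC-SHA256 stands in for the HMAC-SM3 and MAC-SM4 primitives the text names, and an SIV-style keystream derived from IDKey stands in for ECB-SM4 so that GEO can decrypt TID and recover T_TID and RID. The Token layout RAND || (T_Token xor TK) || SGID || MAC, the 30-second window ΔT, the fixed field widths, the naming rule that a valid RID starts with "LEO-", the use of the synchronised clock to give both sides the same T_Auth, and all key and identity values are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

# Added example, not the patent's code. HMAC-SHA256 stands in for HMAC-SM3 / MAC-SM4; an
# SIV-style HMAC keystream stands in for ECB-SM4 so GEO can recover T_TID and RID from TID.
DELTA_T = 30            # freshness window in seconds (assumed)
SGID_LEN = 4            # fixed-width group identifier (assumed layout)
RAND_LEN = 16           # 128-bit one-time random parameter


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return struct.pack(">Q", t)


def f_tid(idkey: bytes, t_tid: int, rid: bytes) -> bytes:
    """TID = f_TID(IDKey, T_TID||RID): deterministic authenticated encryption (SIV style)."""
    pt = ts(t_tid) + rid
    tag = prf(idkey, b"tid-tag", pt)[:16]          # synthetic IV doubles as integrity tag
    return tag + xor(pt, prf(idkey, b"tid-ks", tag))


def open_tid(idkey: bytes, tid: bytes):
    """GEO side: decrypt TID with IDKey; returns (T_TID, RID), or None if forged."""
    tag, ct = tid[:16], tid[16:]
    pt = xor(ct, prf(idkey, b"tid-ks", tag))
    if not hmac.compare_digest(tag, prf(idkey, b"tid-tag", pt)[:16]):
        return None
    return struct.unpack(">Q", pt[:8])[0], pt[8:]


def f_ak(mainkey, t_auth):
    return prf(mainkey, b"ak", ts(t_auth))
def f_tk(authkey, rand):
    return prf(authkey, b"tk", rand)[:8]           # masks the 8-byte T_Token field
def f_mac(authkey, rand, t_token, sgid):
    return prf(authkey, b"mac", rand, ts(t_token), sgid)
def f_ck(authkey, rand):
    return prf(authkey, b"ck", rand)
def f_res(ck, rand):
    return prf(ck, b"res", rand)
def fresh(t_msg: int, t_now: int) -> bool:
    return abs(t_now - t_msg) < DELTA_T            # T_msg - T_0 < ΔT, symmetric for clock skew


def geo_check_request(idkey, tid, t_now):
    """Step 2: freshness of T_TID, then the (assumed) naming rule on RID."""
    opened = open_tid(idkey, tid)
    if opened is None:
        return None
    t_tid, rid = opened
    if not fresh(t_tid, t_now) or not rid.startswith(b"LEO-"):
        return None
    return rid


def geo_make_token(mainkey, sgid, t_auth, t_token, rand=None):
    """Step 3: Token = RAND || (T_Token xor TK) || SGID || MAC; GEO keeps XRES and CK."""
    rand = rand or os.urandom(RAND_LEN)
    authkey = f_ak(mainkey, t_auth)
    enc_t = xor(ts(t_token), f_tk(authkey, rand))
    token = rand + enc_t + sgid + f_mac(authkey, rand, t_token, sgid)
    ck = f_ck(authkey, rand)
    return token, f_res(ck, rand), ck


def leo_check_token(mainkey, t_auth, token, t_now):
    """Steps 4-5: LEO rebuilds AuthKey from the synchronised clock, checks freshness and MAC."""
    rand, enc_t = token[:RAND_LEN], token[RAND_LEN:RAND_LEN + 8]
    sgid, mac = token[RAND_LEN + 8:RAND_LEN + 8 + SGID_LEN], token[RAND_LEN + 8 + SGID_LEN:]
    authkey = f_ak(mainkey, t_auth)
    t_token = struct.unpack(">Q", xor(enc_t, f_tk(authkey, rand)))[0]
    if not fresh(t_token, t_now):
        return None                                 # stale or replayed Token
    if not hmac.compare_digest(f_mac(authkey, rand, t_token, sgid), mac):
        return None                                 # XMAC != MAC: GEO not authenticated
    ck = f_ck(authkey, rand)
    return ck, f_res(ck, rand)


def run_protocol(idkey, mainkey, sgid, rid, t_now, t_tid, tamper=False):
    """One full run of sub-protocol (1); returns the agreed CK, or None on failure."""
    tid = f_tid(idkey, t_tid, rid)                              # step 1 (LEO)
    if geo_check_request(idkey, tid, t_now) is None:            # step 2 (GEO)
        return None
    token, xres, ck_geo = geo_make_token(mainkey, sgid, t_now, t_now)   # step 3 (GEO)
    if tamper:                                                  # in-flight change of SGID field
        i = RAND_LEN + 8
        token = token[:i] + bytes(b ^ 0xFF for b in token[i:i + SGID_LEN]) + token[i + SGID_LEN:]
    result = leo_check_token(mainkey, t_now, token, t_now)      # steps 4-5 (LEO)
    if result is None:
        return None
    ck_leo, res = result
    if not hmac.compare_digest(res, xres):                      # step 6 (GEO)
        return None
    return ck_leo if ck_leo == ck_geo else None
```

run_protocol returns the agreed CK on success and None when the TID is older than ΔT, the recovered RID fails the naming rule, the Token was modified in flight (the tamper flag flips the SGID field so that XMAC no longer matches MAC), or the RES does not equal XRES. Each TID is different for each timestamp, which is what gives the temporary identity its anonymity, and both comparisons use constant-time compare_digest.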
(2) Authentication sub-protocol after authentication information registration
The identity authentication that takes place after authentication information registration uses the authentication parameters obtained in authentication precomputation; this sub-protocol executes the following steps:
Step 1: LEO sends the authentication request.
After the communication link is established, LEO first judges whether its own orbit parameters have changed. If there has been an orbit perturbation, the authentication parameters obtained by precomputation are no longer valid, so this protocol is terminated and authentication sub-protocol (1) is executed again. If the orbit is normal, LEO sends the precomputed TID and RES to GEO together with the access request.
Step 2: GEO judges the validity of the access request.
On receiving the access request, GEO compares the received TID and RES with the stored XTID and XRES. If they are equal, authentication of LEO is complete and the stored Token is returned to LEO; if they differ, an error is returned and authentication sub-protocol (1) is executed again.
Step 3: LEO judges the validity of the authentication token.
3.1) Freshness verification
LEO calculates TK from the precomputed AuthKey and the RAND in the Token. After decrypting the Token with TK to obtain T_Token, it judges whether T_Token - T_0 < ΔT holds. If T_Token meets the message freshness requirement, step 3.2) is executed; otherwise authentication fails and the connection is released.
3.2) Identity information verification
Using the generated AuthKey and the RAND, T_Token and SGID in the Token, LEO calculates the message authentication code XMAC in the same way. It then judges whether the calculated XMAC equals the MAC in the Token: if they are equal, authentication of GEO is complete; if they differ, authentication fails and the connection is released.
Step 4: LEO generates the session key.
If verification passes, LEO calculates CK with f_CK from the precomputed AuthKey and the RAND in the Token.
The invention is further described below with reference to authentication precomputation.
4. Authentication precomputation
According to the execution phase of networking authentication, the authentication precomputation of the method is divided into two sub-protocols: the precomputation sub-protocol before satellite authentication information registration and the precomputation sub-protocol after satellite authentication information registration.
(1) Authentication precomputation sub-protocol before authentication information registration
The authentication precomputation sub-protocol that takes place before satellite authentication information registration executes the following steps:
Step 1: LEO applies to GEO for a blank Token.
Step 2: GEO calculates and returns a blank Token.
Step 3: LEO performs authentication precomputation
Using rail-position prediction, LEO calculates the time of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token. LEO then generates from T_TID and T_Auth respectively the TID and AuthKey to be used in the next authentication, and from the blank Token returned by GEO calculates the RES to be used in the next authentication. After calculation, LEO stores TID and RES.
Step 4: GEO performs authentication precomputation
Using rail-position prediction, GEO calculates the time of its next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token. From the obtained time parameters, the stored satellite ID and the stored keys IDKey and MainKey, GEO calculates the XTID, XRES, Token and CK needed for the next authentication. After calculation, GEO stores XTID, XRES, Token and CK.
(2) Authentication precomputation sub-protocol after authentication information registration
The authentication precomputation sub-protocol that takes place after satellite authentication information registration executes the following steps:
Step 1: LEO performs authentication precomputation
Using rail-position prediction, LEO calculates the time of its next authentication with the target GEO and obtains the three time parameters T_TID, T_Auth and T_Token. LEO then generates from T_TID and T_Auth respectively the TID and AuthKey to be used in the next authentication. From the Token returned by GEO in authentication sub-protocol (2), LEO calculates the RES to be used in the next authentication. After calculation, LEO stores TID and RES.
Step 2: GEO performs authentication precomputation
Using rail-position prediction, GEO calculates the time of its next authentication with the target LEO and obtains the three time parameters T_TID, T_Auth and T_Token. From the obtained time parameters, the stored satellite ID and the stored keys IDKey and MainKey, GEO calculates the XTID, XRES, Token and CK needed for the next authentication. After calculation, GEO stores XTID, XRES, Token and CK.
Steps 1 and 2 above are calculated independently by LEO and GEO in their respective processor idle time, without regard to execution order.
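As an added example (not part of the patent or its embodiment) covering both authentication sub-protocol (2) and the precomputation sub-protocols above, the following Python code lets LEO and GEO each derive the parameters of the next authentication from a predicted contact time during idle time, and then authenticate by comparison alone, falling back when the orbit no longer matches the prediction. The orbit predictor (last pass plus a fixed period), the derivation of T_TID, T_Auth and T_Token from the contact time, the blank Token carrying the RAND of the next run, the Token layout RAND || MAC and all key and identity values are assumptions of this example; HMAC-SHA256 stands in for HMAC-SM3, and because GEO compares TID against XTID as a string in this phase, f_TID is a plain keyed hash rather than a decryptable encryption.

```python
import hashlib
import hmac
import os
import struct

# Added example, not the patent's code. HMAC-SHA256 stands in for HMAC-SM3 / MAC-SM4.
# Constructed values: orbital period, group identifier, keys and identities are all assumed.
PERIOD = 5_400                    # assumed LEO orbital period in seconds
SGID = b"\x00\x00\x00\x01"        # constructed group identifier


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def ts(t: int) -> bytes:
    return struct.pack(">Q", t)


def predict_contact(t_last: int, period: int, perturbation: int = 0) -> int:
    """Constructed stand-in for rail-position prediction: next pass = last pass + period."""
    return t_last + period + perturbation


def auth_times(t_contact: int):
    """T_TID, T_Auth, T_Token derived from the predicted contact time (assumed fixed offsets)."""
    return t_contact, t_contact - t_contact % 3600, t_contact + 1


class Leo:
    def __init__(self, rid, idkey, mainkey, t_last):
        self.rid, self.idkey, self.mainkey, self.t_last = rid, idkey, mainkey, t_last
        self.pre = None                       # precomputed (t, TID, CK, RES) for the next run

    def precompute(self, rand: bytes, perturbation: int = 0):
        """Precomputation step 1: from the predicted pass and the blank Token's RAND, in idle time."""
        t_contact = predict_contact(self.t_last, PERIOD, perturbation)
        t_tid, t_auth, _ = auth_times(t_contact)
        authkey = prf(self.mainkey, b"ak", ts(t_auth))
        ck = prf(authkey, b"ck", rand)
        self.pre = dict(t=t_contact, tid=prf(self.idkey, ts(t_tid), self.rid),
                        ck=ck, res=prf(ck, b"res", rand))

    def access_request(self, t_contact_now: int):
        """Sub-protocol (2) step 1: reuse precomputed TID/RES only if the orbit is as predicted."""
        if t_contact_now != self.pre["t"]:
            return None                       # orbit perturbation: parameters no longer valid
        return self.pre["tid"], self.pre["res"]


class Geo:
    def __init__(self, idkey, mainkey):
        self.idkey, self.mainkey = idkey, mainkey
        self.table = {}                       # authentication information table, keyed by RID

    def register(self, rid: bytes, t_last: int):
        self.table[rid] = {"t_last": t_last}

    def blank_token(self, rid: bytes) -> bytes:
        """Precomputation steps 1-2: the blank Token carries the RAND of the next run (assumed)."""
        self.table[rid]["rand"] = os.urandom(16)
        return self.table[rid]["rand"]

    def precompute(self):
        """Precomputation step 2: XTID, XRES, Token and CK for every registered LEO."""
        for rid, e in self.table.items():     # requires blank_token() to have run for each rid
            t_tid, t_auth, t_token = auth_times(predict_contact(e["t_last"], PERIOD))
            authkey = prf(self.mainkey, b"ak", ts(t_auth))
            e["xtid"] = prf(self.idkey, ts(t_tid), rid)
            e["ck"] = prf(authkey, b"ck", e["rand"])
            e["xres"] = prf(e["ck"], b"res", e["rand"])
            e["token"] = e["rand"] + prf(authkey, b"mac", e["rand"], ts(t_token), SGID)

    def handle_access(self, tid: bytes, res: bytes):
        """Sub-protocol (2) step 2: two constant-time comparisons, no crypto on the hot path."""
        for e in self.table.values():
            if hmac.compare_digest(tid, e["xtid"]) and hmac.compare_digest(res, e["xres"]):
                return e["token"], e["ck"]
        return None                           # mismatch: caller falls back to sub-protocol (1)


def run_session(perturbation: int = 0) -> str:
    """Constructed end-to-end run; returns 'OK' or 'FALLBACK'."""
    idkey, mainkey, rid, t_last = b"I" * 32, b"M" * 32, b"LEO-0001", 1_700_000_000
    leo, geo = Leo(rid, idkey, mainkey, t_last), Geo(idkey, mainkey)
    geo.register(rid, t_last)
    leo.precompute(geo.blank_token(rid))      # both sides precompute for the predicted pass
    geo.precompute()
    req = leo.access_request(predict_contact(t_last, PERIOD, perturbation))
    if req is None:
        return "FALLBACK"
    got = geo.handle_access(*req)
    if got is None:
        return "FALLBACK"
    token, ck_geo = got
    return "OK" if ck_geo == leo.pre["ck"] else "FALLBACK"
```

run_session() returns "OK" when the independently precomputed values agree, and "FALLBACK" when LEO's current orbit prediction differs from the one it precomputed with (the orbit-perturbation case) or when GEO's comparison fails; that is the point at which the text re-runs sub-protocol (1). On GEO's hot path only the two comparisons remain, which is what the comparison operations (C) counted for the post-registration case in the simulation section correspond to.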
The invention is further described below with reference to simulation experiments.
In the authentication method above, if the communication and computing overhead of authentication precomputation during inter-satellite networking authentication is not counted (because the core idea of the method is precisely to reduce the overhead of the satellite during the authentication interaction by designing the authentication precomputation mechanism), the authentication overhead of the method is as follows:
(1) Number of interactions: identity authentication before satellite authentication information registration requires 3 session interactions, and identity authentication after satellite authentication information registration requires 2 session interactions;
(2) Number of main operations: identity authentication before satellite authentication information registration requires 2B+2H+2M+2C operations, and identity authentication after satellite authentication information registration requires 1M+2C operations, where B denotes one block encryption, H one hash operation, M one message authentication code operation and C one comparison operation;
(3) Computing time: identity authentication before satellite authentication information registration takes 20.3 microseconds, and identity authentication after satellite authentication information registration takes 5.9 microseconds. The experimental environment was a computer with an i5 4590 and 8 GB RAM; hashing used SM3-256bit, MAC calculation used SM3-HMAC-256bit, block encryption used SM4-128bit, the random number was 128 bits long and the timestamp 48 bits long.
The experimental results above show that with this authentication method, owing to the authentication precomputation mechanism, once authentication information has been registered between satellites, inter-satellite networking authentication can be completed with less overhead, while anonymity protection of LEO identity information is achieved at lower cost.
In the above embodiments, the invention may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in whole or in part in the form of a computer program product, the computer program product comprises one or more computer instructions. When the computer program instructions are loaded or executed on a computer, the flow or functions described in the embodiments of the invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless (such as infrared, radio or microwave) means. The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state disk (SSD)).
The above is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (10)

1. An inter-satellite networking authentication method suitable for a double-layer satellite network, characterised in that the method comprises:
LEO completes identity authentication of GEO by judging whether the XMAC obtained by local computation equals the MAC in the Token; GEO completes identity authentication of LEO by judging whether the locally stored XRES equals the returned RES; during identity authentication the parameters transmitted between GEO and LEO are TID, Token and RES; the generation of TID requires the timestamp T_TID, from which GEO judges the freshness of TID; the Token contains the encrypted time parameter T_Token, and LEO uses it together with the MAC value to judge whether the received Token is a replayed message; RES corresponds to the Token, and GEO judges from the message return speed whether RES is a replayed message;
when LEO sends an authentication request it uses a time-based temporary identity, so the identity information used in each authentication differs; during the authentication process identity information is verified by string comparison; to generate the temporary identity, the satellite applies a cryptographic operation, keyed with the IDKey shared between GEO and the LEO group, to the concatenated string of the timestamp T_TID and the true identity RID, and the result represents the satellite's temporary identity;
exploiting the high clock synchronisation and predictable orbits of the satellite network, GEO and LEO each update the authentication key AuthKey and calculate the authentication parameters in advance according to the predicted time.
2. The inter-satellite networking authentication method suitable for a double-layer satellite network of claim 1, characterised in that the method specifically comprises:
a first step, authentication system initialisation: the ground station generates and distributes the identity information, keys and orbit parameters required for inter-satellite authentication;
a second step, satellite authentication information registration: on receiving the orbit information sent by LEO, GEO adds that LEO's authentication information to the authentication information table, storing the LEO's ID together with its orbit data in the on-board authentication information database; after registration, GEO returns its own precise orbit data to LEO;
a third step, inter-satellite identity authentication and key agreement: according to the authentication phase, the authentication sub-protocol before satellite authentication information registration or the authentication sub-protocol after satellite authentication information registration is selected and executed;
a fourth step, authentication precomputation: according to the authentication phase, the precomputation sub-protocol before satellite authentication information registration or the precomputation sub-protocol after satellite authentication information registration is selected and executed.
3. The inter-satellite networking authentication method suitable for a double-layer satellite network of claim 2, characterised in that the first step, authentication system initialisation, specifically comprises:
(1a) during launch preparation, the satellite submits a system initialisation application to the ground authentication server;
(1b) on receiving the application, the ground authentication server generates and distributes to the satellite its identity information, keys and orbit parameters, including the satellite's identity information ID, group identification information SGID, identity information anonymity protection key IDKey and authentication master key MainKey.
4. The inter-satellite networking authentication method suitable for a double-layer satellite network of claim 2, characterised in that the second step, satellite authentication information registration, specifically comprises:
(2a) LEO sends its precise orbit data to GEO, including the orbit altitude, orbit inclination and other orbit parameters used for satellite rail-position prediction;
(2b) on receiving the orbit information sent by LEO, GEO adds the LEO's authentication information to the authentication information table, storing the LEO's ID together with its orbit data in the on-board authentication information database; after registration, GEO returns its own precise orbit data to LEO;
(2c) on receiving the returned orbit data, LEO stores the data in its own authentication database;
the third step, inter-satellite identity authentication and key agreement, specifically comprises:
executing the authentication sub-protocol before satellite authentication information registration and the authentication sub-protocol after satellite authentication information registration;
the authentication sub-protocol before authentication information registration comprises:
(3a) LEO obtains the timestamp T_TID from its on-board clock; from the obtained T_TID and the preset IDKey, LEO calculates the temporary identity TID to be used for this authentication, TID = f_TID(IDKey, T_TID||RID); after calculation, LEO sends TID to GEO together with the authentication request;
(3b) on receiving TID, GEO decrypts it with the preset IDKey and judges the freshness and validity of the authentication request from the recovered T_TID and RID;
(3c) GEO obtains from its on-board clock the timestamp T_Auth required to generate AuthKey; from the obtained T_Auth and the preset MainKey, AuthKey = f_AK(MainKey, T_Auth); GEO generates a one-time random parameter RAND; from the generated RAND and AuthKey, GEO calculates the timestamp protection sequence TK, TK = f_TK(AuthKey, RAND); GEO obtains from its on-board clock the timestamp T_Token for generating the Token; from the generated RAND, the obtained T_Token and the stored SGID, GEO calculates the message authentication code MAC, MAC = f_MAC(AuthKey, RAND||T_Token||SGID); GEO merges RAND, T_Token, TK, SGID and MAC into one authentication token Token, and calculates the expected response XRES and session key CK, CK = f_CK(AuthKey, RAND), XRES = f_RES(CK, RAND);
(3d) LEO generates AuthKey in the manner of (3b)-(3c), and uses the generated AuthKey to judge the freshness and validity of the Token;
(3e) after verification, LEO calculates CK and RES and returns RES to GEO;
(3f) on receiving RES, GEO compares the received RES with the stored XRES; if they are equal, authentication of LEO is complete; otherwise authentication fails;
the authentication sub-protocol after authentication information registration comprises:
after the communication link is established, LEO first judges whether its own orbit parameters have changed; if there has been an orbit perturbation, the authentication parameters obtained by precomputation are invalid, this protocol is terminated and the authentication sub-protocol before authentication information registration is executed again; if the orbit is normal, LEO sends the precomputed TID and RES to GEO together with the access request;
on receiving the access request, GEO compares the received TID and RES with the stored XTID and XRES; if they are equal, authentication of LEO is complete and the stored Token is returned to LEO; if they differ, an error is returned and the authentication sub-protocol before authentication information registration is executed again;
LEO judges the validity of the authentication token using the precomputed AuthKey;
after verification passes, LEO calculates the session key CK using AuthKey;
Step 4, authentication precomputation, specifically comprises:
executing the precomputation sub-protocol before satellite authentication information registration and the precomputation sub-protocol after satellite authentication information registration;
the authentication precomputation sub-protocol before authentication information registration specifically comprises:
(4a) LEO requests a blank Token from GEO;
(4b) GEO computes and returns a blank Token;
(4c) LEO computes, by orbit position prediction, the time point of its next authentication with the target GEO, obtaining the three time parameters T_TID, T_Auth and T_Token; LEO then generates the TID and AuthKey for the next authentication from T_TID and T_Auth respectively; from the blank Token returned by GEO, LEO computes the RES for the next authentication; after the computation, LEO stores TID and RES;
(4d) GEO computes, by orbit position prediction, the time point of its next authentication with the target LEO, obtaining the three time parameters T_TID, T_Auth and T_Token; from the obtained time parameters, the stored satellite ID and the stored keys IDKey and MainKey, GEO computes XTID, XRES, Token and CK for the next authentication; after the computation, GEO stores XTID, XRES, Token and CK;
the authentication precomputation sub-protocol after authentication information registration specifically comprises:
LEO computes, by orbit position prediction, the time point of its next authentication with the target GEO, obtaining the three time parameters T_TID, T_Auth and T_Token; LEO then generates the TID and AuthKey for the next authentication from T_TID and T_Auth respectively; from the Token returned by GEO in the authentication sub-protocol, LEO computes the RES for the next authentication; after the computation, LEO stores TID and RES;
GEO computes, by orbit position prediction, the time point of its next authentication with the target LEO, obtaining the three time parameters T_TID, T_Auth and T_Token; from the obtained time parameters, the stored satellite ID and the stored keys IDKey and MainKey, GEO computes XTID, XRES, Token and CK for the next authentication; after the computation, GEO stores XTID, XRES, Token and CK.
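The exchange of steps (3a) to (3f), the step-4 precomputation and the post-registration fast path, as an added runnable Python model written for this page; it is not code from the patent or its assignees. The claims leave f_TID, f_AK, f_TK, f_MAC, f_CK and f_RES abstract, so each is modelled here as a labelled HMAC-SHA256; TID is a deterministic (SIV-style) authenticated encryption of T_TID || RID so that GEO can decrypt it and both sides can precompute the same TID/XTID; the field widths, the 30 s freshness window, the 60 s T_Auth epoch that lets both satellites derive one AuthKey, and the blank Token being the precomputed Token itself are all assumptions. Keys, satellite identifiers and timestamps used with it are constructed.

```python
# Added example (not the patent's own code): steps (3a)-(3f), the step-4 precomputation and the
# post-registration fast path. Each abstract f_* is a labelled HMAC-SHA256; the field widths, WINDOW
# and the 60 s T_Auth epoch (so both satellites derive the same AuthKey) are assumptions, not claim text.
import hashlib, hmac, os

WINDOW, AUTH_EPOCH = 30, 60   # assumed freshness window and T_Auth granularity, in seconds

def prf(key, label, *parts):
    """Domain-separated HMAC-SHA256 standing in for f_TID, f_AK, f_TK, f_MAC, f_CK and f_RES."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def make_tid(idkey, t_tid, rid):
    """(3a) TID = f_TID(IDKey, T_TID || RID) as deterministic SIV-style encryption: GEO can decrypt it,
    and in step 4 LEO and GEO precompute the identical TID / XTID (RID at most 24 bytes)."""
    pt = t_tid.to_bytes(8, "big") + rid
    tag = prf(idkey, b"tid-mac", pt)[:16]
    return tag + bytes(a ^ b for a, b in zip(pt, prf(idkey, b"tid-enc", tag)))

def open_tid(idkey, tid):
    """(3b) Decrypt TID -> (T_TID, RID), or None when the tag does not verify."""
    tag, ct = tid[:16], tid[16:]
    pt = bytes(a ^ b for a, b in zip(ct, prf(idkey, b"tid-enc", tag)))
    ok = hmac.compare_digest(prf(idkey, b"tid-mac", pt)[:16], tag)
    return (int.from_bytes(pt[:8], "big"), pt[8:]) if ok else None

def auth_key(mainkey, t_auth):
    return prf(mainkey, b"ak", t_auth.to_bytes(8, "big"))         # AuthKey = f_AK(MainKey, T_Auth)

def build_token(authkey, rand, t_token, sgid):
    """(3c) Token = RAND || T_Token || TK || SGID || MAC with 16/8/32/4/32-byte fields (assumed)."""
    t_tok = t_token.to_bytes(8, "big")
    tk = prf(authkey, b"tk", rand)                                 # TK  = f_TK(AuthKey, RAND)
    mac = prf(authkey, b"mac", rand, t_tok, sgid)                  # MAC = f_MAC(AuthKey, RAND||T_Token||SGID)
    return rand + t_tok + tk + sgid + mac

def verify_token(authkey, token, sgid, now):
    """(3d) Freshness and validity check of a Token; returns RAND, or None on any failure."""
    rand, t_tok, tk, got_sgid, mac = token[:16], token[16:24], token[24:56], token[56:60], token[60:]
    ok = (len(token) == 92 and got_sgid == sgid
          and hmac.compare_digest(mac, prf(authkey, b"mac", rand, t_tok, got_sgid))
          and hmac.compare_digest(tk, prf(authkey, b"tk", rand))
          and abs(now - int.from_bytes(t_tok, "big")) <= WINDOW)
    return rand if ok else None

def ck_res(authkey, rand):
    ck = prf(authkey, b"ck", rand)                                 # CK  = f_CK(AuthKey, RAND)
    return ck, prf(ck, b"res", rand)[:16]                          # RES = f_RES(CK, RAND)

class GEO:
    def __init__(self, sgid, mainkey, leos):
        self.sgid, self.mainkey, self.leos = sgid, mainkey, leos   # leos: RID -> IDKey
        self.table = {}   # authentication information table: RID -> {xres, token, ck[, xtid]}
    def _prepare(self, t_auth, t_token):
        ak, rand = auth_key(self.mainkey, t_auth), os.urandom(16)  # RAND is one-time
        ck, xres = ck_res(ak, rand)
        return {"xres": xres, "token": build_token(ak, rand, t_token, self.sgid), "ck": ck}
    def on_request(self, tid, now):   # (3b)-(3c): TID hides the identity, so every IDKey is tried
        for rid, idkey in self.leos.items():
            opened = open_tid(idkey, tid)
            if opened and opened[1] == rid and abs(now - opened[0]) <= WINDOW:
                self.table[rid] = self._prepare(now // AUTH_EPOCH, now)
                return rid, self.table[rid]["token"]
        return None
    def on_response(self, rid, res):   # (3f): received RES must equal the stored XRES
        return rid in self.table and hmac.compare_digest(self.table[rid]["xres"], res)
    def precompute(self, rid, t_tid, t_auth, t_token):   # (4b)/(4d); the returned Token is the blank Token
        self.table[rid] = e = self._prepare(t_auth, t_token)
        e["xtid"] = make_tid(self.leos[rid], t_tid, rid)
        return e["token"]
    def fast_auth(self, tid, res):   # post-registration request: TID and RES against stored XTID / XRES
        for rid, e in self.table.items():
            if "xtid" in e and hmac.compare_digest(e["xtid"], tid) and hmac.compare_digest(e["xres"], res):
                return rid, e["token"]
        return None

class LEO:
    def __init__(self, rid, idkey, mainkey, sgid):
        self.rid, self.idkey, self.mainkey, self.sgid = rid, idkey, mainkey, sgid
        self.ck, self.pre = None, None   # pre = (TID, RES, AuthKey) stored by step 4
    def request(self, now):   # (3a)
        return make_tid(self.idkey, now, self.rid)
    def on_token(self, token, now, precomputed=False):   # (3d)-(3e): returns RES, or None
        ak = self.pre[2] if precomputed else auth_key(self.mainkey, now // AUTH_EPOCH)
        rand = verify_token(ak, token, self.sgid, now)
        if rand is None:
            return None
        self.ck, res = ck_res(ak, rand)
        return res
    def precompute(self, t_tid, t_auth, t_token, blank_token):   # (4c)
        ak = auth_key(self.mainkey, t_auth)
        rand = verify_token(ak, blank_token, self.sgid, t_token)
        if rand is not None:
            self.pre = (make_tid(self.idkey, t_tid, self.rid), ck_res(ak, rand)[1], ak)
        return rand is not None
    def fast_access(self, orbit_ok):   # an orbit perturbation invalidates the precomputed parameters
        self.pre = self.pre if orbit_ok else None
        return (self.pre[0], self.pre[1]) if self.pre else None
```

Two properties of the claimed design show up directly in this model: because TID conceals the LEO identity, GEO must try every registered IDKey at (3b), so the cost of that step grows with the number of registered LEOs; and the post-registration path only succeeds on the exact precomputed TID/RES pair, so a stale TID, a tampered Token or a reported orbit perturbation drops back to the full (3a)-(3f) exchange rather than leaking anything about AuthKey or CK.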
5. A computer program implementing the inter-satellite networking authentication method for a double-layer satellite network according to any one of claims 1 to 4.
6. An information data processing terminal implementing the inter-satellite networking authentication method for a double-layer satellite network according to any one of claims 1 to 4.
7. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to execute the inter-satellite networking authentication method for a double-layer satellite network according to any one of claims 1 to 4.
8. An inter-satellite networking authentication system for a double-layer satellite network, implementing the inter-satellite networking authentication method for a double-layer satellite network according to claim 1, characterized in that the inter-satellite networking authentication system for a double-layer satellite network comprises:
a ground authentication server, for completing the initialization of the satellite authentication system and for generating and distributing the identity information, keys and orbit parameters used for inter-satellite authentication;
a high-orbit satellite GEO authentication client, for receiving authentication requests from LEO, computing and returning the authentication token Token, computing the expected response XRES and the session key CK, checking whether the temporary identity TID used by LEO in the authentication request is valid, checking whether the response RES returned by LEO is correct, and maintaining an authentication information table for LEO;
a low-orbit satellite LEO authentication client, for submitting authentication requests to GEO, checking whether the authentication token Token returned by GEO is valid, computing the temporary identity TID, the response RES and the session key CK, and maintaining an authentication information table for GEO.
9. The inter-satellite networking authentication system for a double-layer satellite network according to claim 8, characterized in that the ground authentication server comprises:
a system initialization module, for completing the initialization of the satellite authentication system and writing the identity information generated by the identity information generation module, the keys generated by the key generation module and the orbit parameters distributed by the orbit distribution module into the authentication system of each satellite;
an identity information generation module, for generating for each satellite the identity information required for authentication, according to the satellite's production sequence and launch sequence;
a key generation module, for generating for each satellite the keys required for authentication;
an orbit distribution module, for distributing operating orbits to the satellites;
the high-orbit satellite GEO authentication client comprises:
a system initialization module, for completing the initialization of the onboard authentication system and obtaining from the ground authentication server the identity information, keys and orbit parameters required for satellite authentication;
a networking authentication module, comprising an authentication sub-module, a data processing sub-module and a precomputation management sub-module;
the authentication sub-module, for exchanging with the low-orbit satellite LEO authentication client the parameters required for authentication;
the data processing sub-module, for generating and parsing authentication parameters and checking whether received authentication parameters are valid;
the precomputation management sub-module, for managing the precomputation of the satellite's authentication parameters according to the data in the authentication information table, and for maintaining the authentication information table;
an orbit prediction module, for computing the time node of the next inter-satellite authentication;
an authentication information management module, for managing the registration and update of LEO authentication information;
the low-orbit satellite LEO authentication client comprises:
a system initialization module, for completing the initialization of the onboard authentication system and obtaining from the ground authentication server the identity information, keys and orbit parameters required for satellite authentication;
a networking authentication module, comprising an authentication sub-module, a data processing sub-module and a precomputation management sub-module;
the authentication sub-module, for exchanging with the high-orbit satellite GEO authentication client the parameters required for authentication;
the data processing sub-module, for generating and parsing authentication parameters and checking whether received authentication parameters are valid;
the precomputation management sub-module, for managing the precomputation of the satellite's authentication parameters according to the data in the authentication information table, and for maintaining the authentication information table;
an orbit prediction module, for computing the time node of the next inter-satellite authentication;
an authentication information management module, for managing the registration and update of GEO authentication information.
10. An information data processing terminal equipped with the inter-satellite networking authentication system for a double-layer satellite network according to any one of claims 8 to 9.
CN201810262750.4A 2018-03-28 2018-03-28 Inter-satellite networking authentication system and method suitable for double-layer satellite network Active CN108566240B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810262750.4A CN108566240B (en) 2018-03-28 2018-03-28 Inter-satellite networking authentication system and method suitable for double-layer satellite network

Publications (2)

Publication Number Publication Date
CN108566240A true CN108566240A (en) 2018-09-21
CN108566240B CN108566240B (en) 2020-10-27

Family

ID=63533118

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810262750.4A Active CN108566240B (en) 2018-03-28 2018-03-28 Inter-satellite networking authentication system and method suitable for double-layer satellite network

Country Status (1)

Country Link
CN (1) CN108566240B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040059939A1 (en) * 2002-09-13 2004-03-25 Sun Microsystems, Inc., A Delaware Corporation Controlled delivery of digital content in a system for digital content access control
US20050190915A1 (en) * 2003-12-22 2005-09-01 Pare David F. System and method for using a streaming protocol
CN101222329A (en) * 2006-08-17 2008-07-16 Shanghai Aerospace Computer System Engineering Co., Ltd. Hybrid distributed authentication system
CN102379141A (en) * 2009-02-05 2012-03-14 Nortel Networks Limited Method and system for user equipment location determination on a wireless transmission system
US20120222089A1 (en) * 2010-11-18 2012-08-30 The Boeing Company Network topology aided by smart agent download
CN106059650A (en) * 2016-05-24 2016-10-26 Beijing Jiaotong University Air-ground integrated network architecture and data transmission method based on SDN and NFV technology
CN107094047A (en) * 2017-06-09 2017-08-25 Xidian University Double-layer satellite network packet routing method based on pre-storage and segmented transmission
CN107409051A (en) * 2015-03-31 2017-11-28 SZ DJI Technology Co., Ltd. Authentication system and method for generating air traffic control
CN107615358A (en) * 2015-03-31 2018-01-19 SZ DJI Technology Co., Ltd. Authentication system and method for identifying authorized participants

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
AYAN ROY-CHOWDHURY: "A Lightweight Certificate-based Source Authentication Protocol for Group Communication in Hybrid Wireless/Satellite Networks", 《2008 IEEE GLOBAL TELECOMMUNICATIONS CONFERENCE》 *
JAE-WOOK LEE: "Satellite over Satellite (SOS) Network: A Novel Concept of Hierarchical Architecture and Routing in Satellite Network", 《PROCEEDINGS 25TH ANNUAL IEEE CONFERENCE ON LOCAL COMPUTER NETWORKS》 *
YUANYUAN ZHANG: "Security analysis of an authentication and key agreement protocol", 《INTERNATIONAL JOURNAL OF COMMUNICATION SYSTEMS》 *
ZHONG YANTAO: "A Highly Secure Identity-Based Authenticated", 《EXCHANGE PROTOCOL FOR SATELLITE COMMUNICATION》 *
REN FANG: "Certificate-based hybrid public key infrastructure for space information networks", 《Journal of Jilin University (Engineering and Technology Edition)》 *
LIU YUXIN: "Research on a security model for sensitive information transmission in open network environments", 《China Master's Theses Full-text Database》 *
CAO LIFENG: "Research on a multilevel-security-oriented secure network communication model and its key technologies", 《China Doctoral Dissertations Full-text Database》 *

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109039436A (en) * 2018-10-23 2018-12-18 Institute of Information Engineering, Chinese Academy of Sciences Method and system for secure satellite access authentication
CN109547213B (en) * 2018-12-14 2021-08-10 Xidian University Inter-satellite networking authentication system and method suitable for low-earth-orbit satellite network
CN109547213A (en) * 2018-12-14 2019-03-29 Xidian University Inter-satellite networking authentication system and method suitable for low-earth-orbit satellite network
WO2022002175A1 (en) * 2020-07-01 2022-01-06 Datang Mobile Communications Equipment Co., Ltd. Dynamic authentication method and apparatus, and device and readable storage medium
CN111897816A (en) * 2020-07-16 2020-11-06 Shanghai Institute of Microsystem and Information Technology, Chinese Academy of Sciences Interaction method for computing information between satellites and generation method of the information table it uses
CN111897816B (en) * 2020-07-16 2024-04-02 Shanghai Institute of Microsystem and Information Technology, Chinese Academy of Sciences Interaction method for computing information between satellites and generation method of the information table it uses
CN112019258B (en) * 2020-09-04 2022-03-22 CETC 54th Research Institute GEO and LEO mixed constellation and design method thereof
CN112019258A (en) * 2020-09-04 2020-12-01 CETC 54th Research Institute GEO and LEO mixed constellation and design method thereof
CN112291783A (en) * 2020-10-28 2021-01-29 Aerospace Information Research Institute, Chinese Academy of Sciences Text authentication method and system, transmitting end and receiving end
CN112291783B (en) * 2020-10-28 2024-05-31 Aerospace Information Research Institute, Chinese Academy of Sciences Text authentication method and system, transmitting end and receiving end
CN112671452A (en) * 2020-12-17 2021-04-16 Xidian University Heterogeneous satellite network management method, system, medium, equipment, terminal and application
CN112671452B (en) * 2020-12-17 2023-03-14 Xidian University Heterogeneous satellite network management method, system, medium, equipment, terminal and application
CN112953726A (en) * 2021-03-01 2021-06-11 Xidian University Satellite-ground and inter-satellite networking authentication method, system and application for a fused double-layer satellite network
CN114007219A (en) * 2021-10-25 2022-02-01 Beijing Institute of Computer Technology and Applications Low-orbit satellite communication-oriented hidden-identity access authentication method
CN114007219B (en) * 2021-10-25 2024-03-26 Beijing Institute of Computer Technology and Applications Low-orbit satellite communication-oriented hidden-identity access authentication method
CN114466359B (en) * 2022-01-07 2024-03-01 CETC Academy of Electronics and Information Technology Distributed user authentication system and authentication method suitable for low earth orbit satellite network
CN114466359A (en) * 2022-01-07 2022-05-10 CETC Academy of Electronics and Information Technology Distributed user authentication system and authentication method suitable for low earth orbit satellite network
CN114584975A (en) * 2022-02-23 2022-06-03 Chongqing University of Posts and Telecommunications SDN-based anti-quantum satellite network access authentication method
CN114584975B (en) * 2022-02-23 2023-09-15 Chongqing University of Posts and Telecommunications SDN-based anti-quantum satellite network access authentication method
CN114828005A (en) * 2022-05-24 2022-07-29 Xidian University Enhanced inter-satellite networking authentication method based on location key
CN115334505A (en) * 2022-06-21 2022-11-11 Xidian University 5G+Beidou-oriented multimode intelligent terminal secure communication method and system
CN115334505B (en) * 2022-06-21 2024-05-14 Xidian University 5G+Beidou-oriented multimode intelligent terminal secure communication method and system
CN117156433B (en) * 2023-10-31 2024-02-06 PIESAT Information Technology Co., Ltd. Satellite internet key management and distribution method, device and deployment architecture
CN117156433A (en) * 2023-10-31 2023-12-01 PIESAT Information Technology Co., Ltd. Satellite internet key management and distribution method, device and deployment architecture
CN117278109A (en) * 2023-11-20 2023-12-22 Harbin Institute of Technology (Shenzhen) Satellite in-orbit security anomaly identification method for far-sea wind farms
CN117278109B (en) * 2023-11-20 2024-03-01 Harbin Institute of Technology (Shenzhen) Satellite in-orbit security anomaly identification method, system and computer-readable storage medium

Also Published As

Publication number Publication date
CN108566240B (en) 2020-10-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant