CN108964904B - Group key security management method and device, electronic equipment and storage medium - Google Patents

Publication number
CN108964904B
Authority
CN
China
Prior art keywords
group
user equipment
information
node
group key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201810780127.8A
Other languages
Chinese (zh)
Other versions
CN108964904A (en
Inventor
陈建铭
王光杰
王景行
吴祖扬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Graduate School Harbin Institute of Technology
Original Assignee
Shenzhen Graduate School Harbin Institute of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Graduate School Harbin Institute of Technology filed Critical Shenzhen Graduate School Harbin Institute of Technology
Priority to CN201810780127.8A priority Critical patent/CN108964904B/en
Publication of CN108964904A publication Critical patent/CN108964904A/en
Application granted granted Critical
Publication of CN108964904B publication Critical patent/CN108964904B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891: Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083: Key transport or distribution involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833: Key transport or distribution involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP], involving conference or group key
    • H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066: Public key involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

A group key security management method comprises the following steps: performing group key negotiation and initialization for the user equipment in a group; distributing the initialized group key to all user equipment in the group; and, when a change in the state of the user equipment in the group is detected, performing group key negotiation and initialization again and distributing the re-initialized group key to all user equipment in the group. The invention also provides a group key security management device, an electronic device and a storage medium. The invention can initialize the group key when user equipment leaves or joins and redistribute the initialized group key to the user equipment in the group, thereby preventing the group key from being leaked, improving the communication security of the user equipment in the group and reducing the amount of communication computation.

Description

Group key security management method and device, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a group key security management method, a group key security management device, electronic equipment and a storage medium.
Background
Most existing group key management methods are key distribution management methods based on a key distribution center, in which the user equipment in a group must exchange messages pairwise. The resulting communication volume is large, and such high communication complexity is difficult to accommodate in the resource-limited environment of the Internet of Things.
In addition, when new user equipment joins the group or user equipment exits the group, the group key cannot be changed, so the group key is easily leaked, its security is low, and the communication security of the user equipment in the group cannot be guaranteed.
Disclosure of Invention
In view of the above, there is a need for a group key security management method, device, electronic device and storage medium that can initialize a group key when user equipment leaves or joins and redistribute the initialized group key to the user equipment in the group, thereby preventing the group key from being leaked, improving the security of communication between the user equipment in the group, and reducing the amount of communication computation.
A first aspect of the present invention provides a group key security management method applied in an electronic device, where the method includes:
carrying out group key negotiation and initialization on user equipment in a group;
distributing the initialized group key to all user equipment in the group;
and when detecting that the state of the user equipment in the group changes, performing group key negotiation and initialization again, and distributing the group key after the initialization again to all the user equipment in the group.
Preferably, the negotiating and initializing the group key for the user equipments in the group includes:
11) Node $u_1$, according to user equipment $N_1$, $k_{1,2} = s_1 P_2$ and the elliptic curve point $k_{1,2} = (x_{1,2}, y_{1,2})$, sequentially calculates [equation image: Figure BDA0001732352410000021], $B_1 = h(u_1 \| u_2 \| t_{1,2})$, $NK_1 = B_1$ and the information $m_1 = \{NK_1, U\}$; node $u_1$ sends the information $m_1$ to the next node $u_2$;
12) Node $u_i$ ($i \in \{2, 3, \ldots, n-1\}$) receives the information $m_{i-1}$ sent by the previous node, parses the information $NK_{i-1}$ in it, and, according to step 11), sequentially calculates $B_i$, [equation image: Figure BDA0001732352410000022] and the information $m_i = \{NK_i, U\}$; node $u_i$ sends $m_i$ to the next node $u_{i+1}$;
13) Node $u_n$ receives the information $m_{n-1}$, parses the information $NK_{n-1}$ in it, and sequentially calculates $B_n$, [equation image: Figure BDA0001732352410000028], $B_{n-1}$, [equation image: Figure BDA0001732352410000023] and the information $m_n = \{MK_n, U\}$; node $u_n$ sends the information $m_n$ to node $u_{n-1}$;
14) Node $u_i$ ($i \in \{2, 3, \ldots, n-1\}$) receives the information $m_{i+1}$, parses the information $MK_{i+1}$ in it, and sequentially calculates [equation image: Figure BDA0001732352410000024], $B_{i-1}$, [equation image: Figure BDA0001732352410000025] and the information $m_i = \{MK_i, U\}$; node $u_i$ sends the information $m_i = \{MK_i, U\}$ to node $u_{i-1}$; and
15) Node $u_1$ receives the information $m_2$, parses the information $MK_2$ in it, and calculates [equation image: Figure BDA0001732352410000026].
In the above steps 11) to 15), n is the number of user equipments in the network; s is the key distribution center; $N_i$ are the nodes in the network; $s_i$ is the private key of user equipment $N_i$; $P_i$ is the public key of user equipment $N_i$; $u_i$ is the identity information of user equipment $N_i$; $U$ is the user equipment identity information list of the group; q is a large prime number; p is the order of the elliptic curve; g is a base point of the elliptic curve; $\|$ is the concatenation operation; and [equation image: Figure BDA0001732352410000027] is the exclusive-or operation.
Preferably, detecting that the state of the user equipment in the group changes includes:
detecting whether the number of user equipment in the group is reduced;
when the number of the user equipment in the group is detected to be reduced, determining that the state change of the user equipment in the group is detected; or
Detecting whether the number of the user equipment in the group is increased or not when detecting that the number of the user equipment in the group is not reduced;
when detecting that the number of the user equipment in the group is increased, determining that the state of the user equipment in the group is detected to be changed; or
When detecting that the number of the user equipment in the group is not increased, detecting whether the identification of the user equipment in the group is changed;
and when detecting that the identification of the user equipment in the group changes, determining that the state change of the user equipment in the group is detected.
Preferably, when the detected change in the state of the user equipment is a decrease in the number of user equipments, performing the group key negotiation and initialization again includes:
and carrying out first updating on the user equipment identity information list in the group, and carrying out group key agreement and initialization according to the first updated user equipment identity information list.
Preferably, when the detected change in the state of the user equipment is an increase in the number of user equipments, performing the group key negotiation and initialization again includes:
and carrying out second updating on the node information of the user equipment in the group, and carrying out group key negotiation and initialization according to the second updated node information.
Preferably, when the detected change in the state of the user equipment is that the number of user equipments is unchanged but the identifier of a user equipment has changed, performing the group key negotiation and initialization again includes:
and performing third updating on the node information of the user equipment in the group, and performing group key negotiation and initialization according to the node information after the third updating.
Preferably, after distributing the re-initialized group key to all the user equipments in the group, the method further includes:
judging whether the group key is successfully distributed to all user equipment in the group;
and, when the transmission is determined to have failed, performing the group key negotiation and initialization again, or retransmitting.
A second aspect of the present invention provides a group key security management apparatus, operating in an electronic device, the apparatus including:
the first initialization module is used for carrying out group key agreement and initialization on user equipment in a group;
a first sending module, configured to distribute the initialized group key to all user devices in the group;
the detection module is used for detecting whether the state of the user equipment in the group changes;
the second initialization module is used for carrying out group key negotiation and initialization again when the detection module detects that the state of the user equipment in the group changes;
and the second sending module is used for distributing the re-initialized group key to all the user equipment in the group.
A third aspect of the invention provides an electronic device comprising a processor for implementing the group key security management method when executing a computer program stored in a memory.
A fourth aspect of the present invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the group key security management method.
The invention solves the problem of secure and effective group communication between user equipment in the Internet of Things environment. It can initialize the group key when user equipment joins or leaves and redistribute the initialized group key to the user equipment in the group, which prevents the group key from being leaked, improves the communication security of the user equipment in the group and reduces the amount of communication computation. Because its communication is efficient, the method adapts well to the Internet of Things environment and makes the most of both resources and security.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only embodiments of the present invention; those skilled in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a flowchart of a group key security management method according to an embodiment of the present invention.
Fig. 2 is a signaling interaction diagram of a group key initialization process in the embodiment of the present invention.
Fig. 3 is a block diagram of a group key security management apparatus according to a second embodiment of the present invention.
Fig. 4 is a schematic diagram of an electronic device according to a third embodiment of the present invention.
The following detailed description will further illustrate the invention in conjunction with the above-described figures.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a detailed description of the present invention will be given below with reference to the accompanying drawings and specific embodiments. It should be noted that the embodiments of the present invention and features of the embodiments may be combined with each other without conflict.
Preferably, the group key security management method of the present invention is applied to one or more electronic devices. The electronic device is a device capable of automatically performing numerical calculation and/or information processing according to instructions set or stored in advance, and the hardware thereof includes but is not limited to a microprocessor, an application specific integrated circuit, a programmable gate array, an embedded device, and the like.
The electronic device may be a computing device such as a desktop computer or a cloud server. The electronic device can interact with a user through a keyboard, a mouse, a remote controller, a touch panel, a voice control device or the like.
The group key security management method can also be applied to a hardware environment consisting of an electronic device and a server connected to the electronic device via a network. Networks include, but are not limited to: a wide area network, a metropolitan area network, or a local area network. The group key security management method of the embodiment of the invention can be executed by the server, the electronic device, or both the server and the electronic device.
For example, for an electronic device that needs to perform group key security management, the group key security management function provided by the method of the present invention may be directly integrated on the electronic device, or a client for implementing the method of the present invention may be installed. For another example, the method provided by the present invention may further run on a device such as a server in the form of a Software Development Kit (SDK), and an interface with a group key security management function is provided in the form of an SDK, so that an electronic device or other devices can implement security management on a group key through the provided interface.
Example one
Fig. 1 is a flowchart of a group key security management method according to an embodiment of the present invention. The group key safety management method is applied to the electronic equipment. The execution sequence in the flowchart shown in fig. 1 may be changed and some steps may be omitted according to different requirements.
As shown in fig. 1, the group key security management method specifically includes the following steps:
step 101: group key agreement and initialization are performed for the user equipments in the group.
In this embodiment, the electronic device may receive registration requests of all user devices in a group before negotiating and initializing a group key; and registering the user equipment which passes the verification of the registration request.
Fig. 2 is a schematic signaling diagram illustrating a group key initialization process according to an embodiment of the present invention. In this embodiment, the specific process of the electronic device performing group key negotiation and initialization on the user devices in the group may include:
11) Node $u_1$, according to user equipment $N_1$, $k_{1,2} = s_1 P_2$ and the elliptic curve point $k_{1,2} = (x_{1,2}, y_{1,2})$, sequentially calculates [equation image: Figure BDA0001732352410000061], $B_1 = h(u_1 \| u_2 \| t_{1,2})$, $NK_1 = B_1$ and the information $m_1 = \{NK_1, U\}$; node $u_1$ sends the information $m_1$ to the next node $u_2$;
12) Node $u_i$ ($i \in \{2, 3, \ldots, n-1\}$) receives the information $m_{i-1}$ sent by the previous node, parses the information $NK_{i-1}$ in it, and, according to step 11), sequentially calculates $B_i$, [equation image: Figure BDA0001732352410000062] and the information $m_i = \{NK_i, U\}$; node $u_i$ sends $m_i$ to the next node $u_{i+1}$;
13) Node $u_n$ receives the information $m_{n-1}$, parses the information $NK_{n-1}$ in it, and sequentially calculates $B_n$, [equation image: Figure BDA0001732352410000063], $B_{n-1}$, [equation image: Figure BDA0001732352410000064] and the information $m_n = \{MK_n, U\}$; node $u_n$ sends the information $m_n$ to node $u_{n-1}$;
14) Node $u_i$ ($i \in \{2, 3, \ldots, n-1\}$) receives the information $m_{i+1}$, parses the information $MK_{i+1}$ in it, and sequentially calculates [equation image: Figure BDA0001732352410000065], $B_{i-1}$, [equation image: Figure BDA0001732352410000066] and the information $m_i = \{MK_i, U\}$; node $u_i$ sends the information $m_i = \{MK_i, U\}$ to node $u_{i-1}$; and
15) Node $u_1$ receives the information $m_2$, parses the information $MK_2$ in it, and calculates [equation image: Figure BDA0001732352410000071].
In the above steps 11) to 15), n is the number of user equipments in the network; s is the key distribution center; $N_i$ are the nodes in the network; $s_i$ is the private key of user equipment $N_i$; $P_i$ is the public key of user equipment $N_i$; $u_i$ is the identity information of user equipment $N_i$; $U$ is the user equipment identity information list of the group; q is a large prime number; p is the order of the elliptic curve; g is a base point of the elliptic curve; $\|$ is the concatenation operation; and [equation image: Figure BDA0001732352410000072] is the exclusive-or operation.
It should be understood that one node corresponds to one user equipment, i.e. one user equipment corresponds to one node.
Step 102: the initialized group key is distributed to all user devices in the group.
In this embodiment, the electronic device may set up a key distribution center for the main group in advance. In the Internet of Things environment, a trusted entity can be designated for the main group to act as the key distribution center and to distribute and manage the key of the main group. The electronic device distributes the group key to each user equipment through the key distribution center; all user equipments share the same group key, and the group key is used to secure the communication between user equipments.
Step 103: and when detecting that the state of the user equipment in the group changes, performing group key negotiation and initialization again, and distributing the group key after the initialization again to all the user equipment in the group.
In this embodiment, a change in the state of the user equipment in the group may include one or a combination of the following: the number of user equipments in the group changes; the identifiers of the user equipments in the group change. The present invention is not limited to these, and any change may be treated as a change in the state of the user equipment in the group.
In this embodiment, the changing the number of the user equipments in the group includes: the number of user equipments in the group increases or decreases. The increase in the number of user equipments in the group indicates that a new user equipment has joined the group. A decrease in the number of user devices in the group indicates that a user device has exited the group.
Further, detecting that the state of the user equipment in the group changes includes: detecting whether the number of user equipments in the group has decreased; when the number of user equipments in the group is detected to have decreased, determining that a change in the state of the user equipment in the group is detected; when the number of user equipments in the group is detected not to have decreased, detecting whether the number of user equipments in the group has increased; when the number of user equipments in the group is detected to have increased, determining that a change in the state of the user equipment in the group is detected; when the number of user equipments in the group is detected not to have increased, detecting whether the identifiers of the user equipments in the group have changed; and when the identifiers of the user equipments in the group are detected to have changed, determining that a change in the state of the user equipment in the group is detected.
Whether the state of the user equipment in the group has changed is judged first by detecting whether the number of user equipments in the group has decreased; then, when the number has not decreased, by detecting whether the number has increased; and finally, when the number has not increased, by detecting whether the identifiers of the user equipments in the group have changed. Therefore, when the number of user equipments in the group decreases because an original user equipment exits the group, the change in state is found at the first opportunity and group key negotiation and initialization are carried out in time, ensuring that the user equipment that exited the group does not reveal the group key. Second, when a new user equipment joins the group and the number of user equipments in the group increases, group key negotiation and initialization are carried out, so the newly added user equipment cannot acquire the original group key and the communication security of the original user equipments in the group is ensured. Finally, when a new user equipment joins the group and an original user equipment exits it, so that the number of user equipments in the group is unchanged but the identifiers of the user equipments in the group change, group key negotiation and initialization of the group key are likewise carried out.
In addition, a change in number reflects the state of the user equipment in the group more directly than a change in identifier, so whether the number of user equipments has changed is detected first and whether the identifiers have changed is detected afterwards, which saves detection time and reduces the amount of calculation.
Further, when the detected change in the state of the user equipment is a decrease in the number of user equipments, performing the group key negotiation and initialization again may include: carrying out a first update on the user equipment identity information list of the group, and carrying out group key negotiation and initialization according to the first-updated user equipment identity information list.
For example, when user equipment $u_i$ exits the group, the user equipment identity information list of the group is reassigned according to the node location of $u_i$ as $U = \{u_1, u_2, \ldots, u_{n-1}\}$; group key negotiation and initialization are then carried out on the reassigned $U = \{u_1, u_2, \ldots, u_{n-1}\}$ according to steps 12) to 15).
Further, when the detected change in the state of the user equipment is an increase in the number of user equipments, performing the group key negotiation and initialization again may include: carrying out a second update on the node information of the user equipment in the group, and carrying out group key negotiation and initialization according to the second-updated node information.
For example, when user equipment $u_i$ joins the group, the user equipment identity information list of the group is reassigned according to the node location of $u_i$ as $U = \{u_1, u_2, \ldots, u_n, u_{n+1}\}$; group key negotiation and initialization are then carried out on the reassigned $U = \{u_1, u_2, \ldots, u_n, u_{n+1}\}$ according to steps 12) to 15).
Further, when the detected change in the state of the user equipment is that the number of user equipments is unchanged but the identifiers of the user equipments have changed, performing the group key negotiation and initialization again may include: carrying out a third update on the node information of the user equipment in the group, and carrying out group key negotiation and initialization according to the third-updated node information.
For example, when user equipment $u_i$ exits the group and user equipment $u_j$ joins the group, the user equipment identity information list of the group is reassigned according to the node locations of $u_i$ and $u_j$ as $U = \{u_1, u_2, \ldots, u_n\}$; group key negotiation and initialization are then carried out on the reassigned $U = \{u_1, u_2, \ldots, u_n\}$ according to steps 12) to 15).
Preferably, after distributing the re-initialized group key to all user equipments in the group, the method may further include: and judging whether the group key is successfully distributed to all the user equipment in the group or not, and when the group key is determined to be unsuccessfully transmitted, carrying out group key negotiation and initialization or retransmission again.
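The detection order and the rekey-on-change behaviour described above can be exercised with the following added example, which is not part of the patent text. The `GroupKeyManager` class, the `deliver` transport callback and the constructed member names are assumptions, and a fresh random key stands in for the negotiation of steps 11) to 15), whose formulas are not reproduced here.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Change kinds, named after the three cases in the description.
LEFT, JOINED, REPLACED, UNCHANGED = "left", "joined", "replaced", "unchanged"


def classify_change(previous: List[str], current: List[str]) -> str:
    """Apply the checks in the stated order: count decreased,
    then count increased, then identifiers changed."""
    if len(current) < len(previous):
        return LEFT
    if len(current) > len(previous):
        return JOINED
    if set(current) != set(previous):
        return REPLACED  # same size, different members
    return UNCHANGED


def count_only_change(previous: List[str], current: List[str]) -> bool:
    """Weaker detector, for comparison only: it looks at the count alone."""
    return len(current) != len(previous)


@dataclass
class GroupKeyManager:
    members: List[str]                      # identity list U, in node order
    deliver: Callable[[str, bytes], bool]   # assumed transport: True on success
    max_retries: int = 3
    key: bytes = b""
    epoch: int = 0
    held_keys: Dict[str, bytes] = field(default_factory=dict)  # last key each device got

    def negotiate(self) -> bytes:
        # Assumption: a random 256-bit key replaces steps 11)-15).
        return secrets.token_bytes(32)

    def send(self, member: str) -> bool:
        ok = self.deliver(member, self.key)
        if ok:
            self.held_keys[member] = self.key
        return ok

    def rekey(self) -> bool:
        """Initialize a new group key and distribute it, retransmitting
        to members whose delivery failed."""
        self.key = self.negotiate()
        self.epoch += 1
        pending = list(self.members)
        for _ in range(self.max_retries):
            pending = [m for m in pending if not self.send(m)]
            if not pending:
                return True
        return False

    def observe(self, current: List[str]) -> str:
        """Compare the observed membership with the stored list U and
        rekey on any detected change."""
        change = classify_change(self.members, current)
        if change != UNCHANGED:
            self.members = list(current)  # updated identity list U
            self.rekey()
        return change


def demo():
    dropped = {"u2"}  # constructed fault: the first delivery to u2 is lost

    def flaky(member: str, key: bytes) -> bool:
        if member in dropped:
            dropped.discard(member)
            return False
        return True

    mgr = GroupKeyManager(["u1", "u2", "u3"], flaky)
    mgr.rekey()
    keys = [mgr.key]
    results = []
    for observed in (["u1", "u3"],            # u2 exits
                     ["u1", "u3", "u4"],      # u4 joins
                     ["u1", "u5", "u4"],      # u3 exits, u5 joins: count unchanged
                     ["u1", "u5", "u4"]):     # nothing changed
        results.append(mgr.observe(observed))
        keys.append(mgr.key)
    return mgr, results, keys


if __name__ == "__main__":
    mgr, results, keys = demo()
    print(results, "epoch", mgr.epoch)
```

The third observation is the case a count-only check misses: the group size stays at three, yet `u3` still holds the previous key until the identifier comparison triggers the rekey.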
The group key security management method of the embodiment of the invention performs group key negotiation and initialization for the user equipment in a group; distributes the initialized group key to all user equipment in the group; and, when a change in the state of the user equipment in the group is detected, performs group key negotiation and initialization again and distributes the re-initialized group key to all user equipment in the group. The invention solves the problem of secure and effective group communication between user equipment in the Internet of Things environment. It can initialize the group key when user equipment joins or leaves and redistribute the initialized group key to the user equipment in the group, which prevents the group key from being leaked, improves the communication security of the user equipment in the group and reduces the amount of communication computation. Because its communication is efficient, the method adapts well to the Internet of Things environment and makes the most of both resources and security.
Figs. 1 and 2 above describe the group key security management method of the present invention in detail. The functional modules of the software system that implements the method, and the hardware system architecture that implements it, are described below with reference to Figs. 3 and 4, respectively.
It is to be understood that the described embodiments are for purposes of illustration only and that the scope of the appended claims is not limited to such structures.
Example two
Fig. 3 is a functional block diagram of a group key security management apparatus according to a second embodiment of the present invention.
The group key security management apparatus 30 is operated in an electronic device. The group key security management apparatus 30 may include a plurality of functional modules composed of program code segments. The program codes of the respective program segments in the group key security management apparatus 30 may be stored in a memory of the electronic device and executed by at least one processor of the electronic device to perform distribution and management of the group key.
In this embodiment, the group key security management apparatus 30 may be divided into a plurality of functional modules according to the functions to be executed. The functional module may include: a first initialization module 301, a first sending module 302, a detecting module 303, a second initialization module 304, a second sending module 305, a first updating module 306, a second updating module 307, and a third updating module 308. The modules communicate with each other through at least one communication bus. The module referred to herein is a series of computer program segments capable of being executed by a processor and of performing a fixed function and stored in memory. In the present embodiment, the functions of the modules will be described in detail in the following embodiments.
The first initialization module 301 is configured to perform group key agreement and initialization on user equipment in a group.
In this embodiment, the electronic device may receive registration requests of all user devices in a group before negotiating and initializing a group key; and registering the user equipment which passes the verification of the registration request.
Fig. 2 is a schematic signaling diagram illustrating a group key initialization process according to an embodiment of the present invention. In this embodiment, the specific process by which the first initialization module 301 performs group key agreement and initialization for the user equipment in the group may include:
11) Node $u_1$ of user equipment $N_1$, according to $k_{1,2} = s_1 P_2$ and the elliptic curve point $k_{1,2} = (x_{1,2}, y_{1,2})$, sequentially calculates
Figure BDA0001732352410000111
$B_1 = h(u_1 \| u_2 \| t_{1,2})$, $NK_1 = B_1$ and information $m_1 = \{NK_1, U\}$; node $u_1$ sends information $m_1$ to the next node $u_2$;
12) Node $u_i$ ($i \in \{2, 3, \ldots, n-1\}$) receives the information $m_{i-1}$ sent by the previous node, parses the information $NK_{i-1}$ in it, and, following step 11), sequentially calculates $B_i$,
Figure BDA0001732352410000112
and information $m_i = \{NK_i, U\}$; node $u_i$ sends $m_i$ to the next node $u_{i+1}$;
13) Node $u_n$ receives information $m_{n-1}$, parses the information $NK_{n-1}$ in it, and sequentially calculates $B_n$,
Figure BDA0001732352410000113
$B_{n-1}$,
Figure BDA0001732352410000114
and information $m_n = \{MK_n, U\}$; node $u_n$ sends information $m_n$ to node $u_{n-1}$;
14) Node $u_i$ ($i \in \{2, 3, \ldots, n-1\}$) receives information $m_{i+1}$, parses the information $MK_{i+1}$ in it, and sequentially calculates
Figure BDA0001732352410000115
$B_{i-1}$,
Figure BDA0001732352410000116
and information $m_i = \{MK_i, U\}$; node $u_i$ sends information $m_i = \{MK_i\}$ to node $u_{i-1}$; and
15) Node $u_1$ receives information $m_2$, parses the information $MK_2$ in it, and calculates
Figure BDA0001732352410000117
In the above steps 11) to 15), $n$ is the number of user equipments in the network; $S$ is a key distribution center; $N_i$ are nodes in the network; $s_i$ is the private key of user equipment $N_i$; $P_i$ is the public key of user equipment $N_i$; $u_i$ is the identity information of user equipment $N_i$; $U$ is the user equipment identity information list in the group; $q$ is a large prime number; $p$ is the order of the elliptic curve; $G$ is a base point of the elliptic curve; $\|$ is the concatenation operation;
Figure BDA0001732352410000118
is an exclusive or operation.
It should be understood that one node corresponds to one user equipment, i.e. one user equipment corresponds to one node.
A first sending module 302, configured to distribute the initialized group key to all user equipments in the group.
In this embodiment, the electronic device may set up a key distribution center for the main group in advance. In an Internet of Things environment, a trusted entity can be set up for the main group to serve as the key distribution center that distributes and manages the key of the main group. The electronic device distributes the group key to each user equipment through the key distribution center; all user equipment share the same group key, which is used to secure communication among the user equipment.
The detecting module 303 is configured to detect whether the state of the user equipment in the group changes.
The second initialization module 304 is configured to perform group key negotiation and initialization again when the detecting module 303 detects that the state of the user equipment in the group changes.
A second sending module 305, configured to distribute the re-initialized group key to all the user devices in the group.
In this embodiment, a change in the state of the user equipment in the group may include one or a combination of the following: the number of user equipments in the group changes; the identifications of the user equipment in the group change. The present invention is not limited to these; any change may be regarded as a change in the state of the user equipment in the group.
In this embodiment, a change in the number of user equipments in the group is an increase or a decrease in that number. An increase in the number of user equipments in the group indicates that new user equipment has joined the group. A decrease in the number of user equipments in the group indicates that user equipment has exited the group.
Further, the detecting module 303 may be further configured to detect whether the number of user equipments in the group has decreased. When the detecting module 303 detects a decrease, it is determined that the state of the user equipment in the group has changed. When the detecting module 303 detects no decrease, it detects whether the number of user equipments in the group has increased; when it detects an increase, it is determined that the state of the user equipment in the group has changed. When the detecting module 303 detects no increase, it detects whether the identification of the user equipment in the group has changed; when it detects that the identification has changed, it is determined that the state of the user equipment in the group has changed.
The checks are therefore ordered: first, whether the state of the user equipment in the group has changed is judged by detecting whether the number of user equipments in the group has decreased; when the number has not decreased, it is judged by detecting whether the number has increased; and finally, when the number has not increased, it is judged by detecting whether the identification of the user equipment in the group has changed. In this way, when the number of user equipments in the group decreases because original user equipment exits the group, the change of state is found immediately and group key negotiation and initialization are carried out in time, ensuring that the user equipment that exited the group cannot reveal the group key. Second, when new user equipment joins the group and the number of user equipments increases, group key negotiation and initialization are carried out, so the newly joined user equipment cannot obtain the original group key and the communication security of the original user equipment in the group is ensured. Finally, when new user equipment joins the group while original user equipment exits, so that the number of user equipments in the group is unchanged but the identifications of the user equipment in the group change, group key negotiation and initialization are likewise carried out.
In addition, a change in number reflects the state of the user equipment in the group more intuitively than a change in identification, so whether the number of user equipments has changed is detected first and whether the identification of the user equipment has changed is detected afterwards, which saves detection time and reduces the amount of computation.
Further, the group key security management apparatus 30 may further include a first updating module 306, configured to perform a first update on the user equipment identity information list in the group when the state change detected by the detecting module 303 is a decrease in the number of user equipments; the second initialization module 304 is further configured to perform group key negotiation and initialization according to the first-updated user equipment identity information list.
For example, when user equipment $u_i$ exits the group, the user equipment identity information list of the group is reassigned according to the node position of $u_i$ as $U = \{u_1, u_2, \ldots, u_{n-1}\}$; group key negotiation and initialization are then carried out on the reassigned $U = \{u_1, u_2, \ldots, u_{n-1}\}$ according to steps 12) to 15).
Further, the group key security management apparatus 30 may further include a second updating module 307, configured to perform a second update on the node information of the user equipment in the group when the state change detected by the detecting module 303 is an increase in the number of user equipments; the second initialization module 304 is further configured to perform group key negotiation and initialization according to the second-updated node information.
For example, when user equipment $u_i$ joins the group, the user equipment identity information list of the group is reassigned according to the node position of $u_i$ as $U = \{u_1, u_2, \ldots, u_n, u_{n+1}\}$; group key negotiation and initialization are then carried out on the reassigned $U = \{u_1, u_2, \ldots, u_n, u_{n+1}\}$ according to steps 12) to 15).
Further, the group key security management apparatus 30 may further include a third updating module 308, configured to perform a third update on the node information of the user equipment in the group when the state change detected by the detecting module 303 is that the number of user equipments has not changed but the identification of the user equipment has changed; the second initialization module 304 is further configured to perform group key negotiation and initialization according to the third-updated node information.
For example, when user equipment $u_i$ exits the group and user equipment $u_j$ joins the group, the user equipment identity information list of the group is reassigned according to the node positions of $u_i$ and $u_j$ as $U = \{u_1, u_2, \ldots, u_n\}$; group key negotiation and initialization are then carried out on the reassigned $U = \{u_1, u_2, \ldots, u_n\}$ according to steps 12) to 15).
Preferably, the detecting module 303 is further configured to determine whether the group key has been successfully distributed to all the user equipment in the group and, when it is determined that sending has failed, to trigger either a new group key negotiation and initialization or a resend.
The group key security management apparatus of this embodiment of the invention performs group key negotiation and initialization on the user equipment in a group; distributes the initialized group key to all user equipment in the group; and, when it detects that the state of the user equipment in the group changes, performs group key negotiation and initialization again and distributes the re-initialized group key to all the user equipment in the group. The invention addresses secure and effective group communication between user equipment in an Internet of Things environment: it can initialize the group key when user equipment joins or leaves and redistribute the initialized group key to the user equipment in the group, which prevents the group key from being leaked, improves the communication security of the user equipment in the group and reduces the amount of communication computation. Because its communication is efficient, it adapts better to the Internet of Things environment and maximizes resources and security.
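The detection order, the update of the list U and the resend on failed distribution described above can be sketched as follows. This is an added example, not code from the patent: the names `detect_state_change`, `update_identity_list` and `GroupKeyManager` are hypothetical, a fresh random key stands in for steps 11) to 15) (whose formulas appear on this page only as figure placeholders), and appending joiners to the end of U is an assumption.

```python
import secrets

DECREASE, INCREASE, IDENTITY = "decrease", "increase", "identity"


def detect_state_change(current, observed):
    """Classify a membership change using the page's order of checks.

    Count decrease first, then count increase, and only when the count is
    unchanged compare identifications. Returns None when nothing changed.
    """
    if len(set(observed)) != len(observed):
        raise ValueError("duplicate user equipment identification")
    if len(observed) < len(current):
        return DECREASE
    if len(observed) > len(current):
        return INCREASE
    if set(observed) != set(current):
        return IDENTITY
    return None


def update_identity_list(current, observed):
    """Rebuild the ordered identity list U after a change.

    Survivors keep their relative node order; joiners are appended in the
    order observed (an assumption, the page only says U is reassigned).
    """
    seen = set(observed)
    survivors = [u for u in current if u in seen]
    known = set(current)
    joiners = [u for u in observed if u not in known]
    return survivors + joiners


class GroupKeyManager:
    """Hypothetical key distribution center logic: detect, re-key, distribute."""

    def __init__(self, identities, max_resend=2):
        self.U = list(identities)
        self.max_resend = max_resend
        self.epoch = 0
        self.key = self._negotiate()

    def _negotiate(self):
        # Stand-in for steps 11) to 15): a fresh random key per epoch,
        # unrelated to any earlier key, so neither a departed device nor a
        # newly joined one learns a key from an epoch it was not part of.
        self.epoch += 1
        return secrets.token_bytes(32)

    def distribute(self, send):
        """Send the current key to every member of U; resend on failure.

        `send(device, epoch, key)` returns True on confirmed delivery.
        Returns the devices that still have not confirmed.
        """
        pending = list(self.U)
        for _ in range(1 + self.max_resend):
            pending = [d for d in pending if not send(d, self.epoch, self.key)]
            if not pending:
                break
        return pending

    def on_membership(self, observed, send):
        """Re-key and redistribute when the observed membership differs."""
        kind = detect_state_change(self.U, observed)
        if kind is None:
            return None, []
        self.U = update_identity_list(self.U, observed)
        self.key = self._negotiate()
        return kind, self.distribute(send)


if __name__ == "__main__":
    delivered = {}

    def send(device, epoch, key):  # constructed transport that always succeeds
        delivered[device] = epoch
        return True

    kdc = GroupKeyManager(["u1", "u2", "u3"])  # constructed identities
    for observed in (["u1", "u3"], ["u1", "u3", "u4"], ["u1", "u5", "u4"]):
        kind, failed = kdc.on_membership(observed, send)
        print(kind, kdc.U, "epoch", kdc.epoch, "undelivered", failed)
```

A count-only check would miss the third case, where one device leaves as another joins; devices returned by `distribute` as undelivered are the ones for which the caller must choose between another resend and a new negotiation.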
EXAMPLE III
Fig. 4 is a schematic diagram of an electronic device 4 according to a third embodiment of the present invention. The electronic device 4 comprises a memory 20, a processor 30, a computer program 40 stored in the memory 20 and executable on the processor 30, and at least one communication bus 60. The processor 30 implements the above-described group key security management method when executing the computer program 40. Alternatively, the processor 30 implements the functions of the modules/units in the above-described apparatus embodiments when executing the computer program 40.
Illustratively, the computer program 40 may be partitioned into one or more modules/units that are stored in the memory 20 and executed by the processor 30. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution of the computer program 40 in the electronic device 4.
The electronic device 4 may be a desktop computer, a notebook, a palm computer, a cloud server, or another computing device. It will be understood by those skilled in the art that Fig. 4 is merely an example of the electronic device 4 and does not limit it; the electronic device 4 may include more or fewer components than those shown, combine some components, or use different components. For example, the electronic device 4 may further include an input-output device, a network access device, a bus, etc.
The processor 30 may be a central processing unit, or another general purpose processor, a digital signal processor, an application specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general purpose processor may be a microprocessor, or the processor 30 may be any conventional processor or the like. The processor 30 is the control center of the electronic device 4 and connects the various parts of the entire electronic device 4 using various interfaces and lines.
The memory 20 may be used for storing the computer program 40 and/or the module/unit, and the processor 30 may implement various functions of the electronic device 4 by running or executing the computer program and/or the module/unit stored in the memory 20 and calling data stored in the memory 20. The memory 20 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the stored data area may store data (such as audio data, a phonebook, etc.) created according to the use of the electronic apparatus 4, and the like. Further, the memory 20 may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a smart memory card, a secure digital card, a flash memory card, at least one magnetic disk storage device, a flash memory device, or other volatile solid state storage device.
The integrated modules/units of the electronic device 4 may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as separate products. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium; when the computer program is executed by a processor, the steps of the method embodiments may be implemented. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying said computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer memory, read-only memory, random access memory, electrical carrier signal, telecommunications signal, software distribution medium, etc. It should be noted that the content of the computer-readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in a jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunications signals.
In the embodiments provided in the present invention, it should be understood that the disclosed electronic device and method can be implemented in other ways. For example, the above-described embodiments of the electronic device are merely illustrative; the division of the units is only one logical functional division, and other divisions are possible in an actual implementation.
In addition, functional units in the embodiments of the present invention may be integrated into the same processing unit, or each unit may exist alone physically, or two or more units are integrated into the same unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (9)

1. A group key security management method applied to an electronic device, characterized in that the method comprises the following steps:
carrying out group key negotiation and initialization on user equipment in a group;
distributing the initialized group key to all user equipment in the group;
when detecting that the state of the user equipment in the group changes, performing group key negotiation and initialization again, and distributing the group key after being initialized again to all the user equipment in the group;
wherein the group key agreement and initialization for the user equipments in the group comprises:
11) Node $u_1$ of user equipment $N_1$, according to the elliptic curve point $k_{1,2} = s_1 P_2 = (x_{1,2}, y_{1,2})$, sequentially calculates
Figure FDA0002764294660000011
$B_1 = h(u_1 \| u_2 \| t_{1,2})$, $NK_1 = B_1$ and information $m_1 = \{NK_1, U\}$; node $u_1$ sends information $m_1$ to the next node $u_2$;
12) Node $u_i$ ($i \in \{2, 3, \ldots, n-1\}$) receives the information $m_{i-1}$ sent by the previous node, parses the information $NK_{i-1}$ in it, and, following step 11), sequentially calculates $B_i$,
Figure FDA0002764294660000012
and information $m_i = \{NK_i, U\}$; node $u_i$ sends information $m_i$ to the next node $u_{i+1}$;
13) Node $u_n$ receives information $m_{n-1}$, parses the information $NK_{n-1}$ in it, and sequentially calculates $B_n$,
Figure FDA0002764294660000013
$B_{n-1}$,
Figure FDA0002764294660000014
and information $m_n = \{MK_n, U\}$; node $u_n$ sends information $m_n$ to node $u_{n-1}$;
14) Node $u_i$ ($i \in \{2, 3, \ldots, n-1\}$) receives information $m_{i+1}$, parses the information $MK_{i+1}$ in it, and sequentially calculates
Figure FDA0002764294660000015
$B_{i-1}$,
Figure FDA0002764294660000016
and information $m_i = \{MK_i, U\}$; node $u_i$ sends information $m_i = \{MK_i\}$ to node $u_{i-1}$; and
15) Node $u_1$ receives information $m_2$, parses the information $MK_2$ in it, and calculates
Figure FDA0002764294660000017
In the above steps 11) to 15), $n$ is the number of user equipments in the network; $S$ is a key distribution center; $N_i$ are nodes in the network; $s_i$ is the private key of user equipment $N_i$; $P_i$ is the public key of user equipment $N_i$; $u_i$ is the identity information of user equipment $N_i$; $U$ is the user equipment identity information list in the group; $\|$ is the concatenation operation;
Figure FDA0002764294660000018
is an exclusive or operation.
2. The method of claim 1, wherein detecting that the state of the user equipment in the group changes comprises:
detecting whether the number of user equipment in the group is reduced;
when the number of the user equipment in the group is detected to be reduced, determining that the state change of the user equipment in the group is detected; or
when detecting that the number of the user equipment in the group is not reduced, detecting whether the number of the user equipment in the group is increased;
when detecting that the number of the user equipment in the group is increased, determining that the state change of the user equipment in the group is detected; or
when detecting that the number of the user equipment in the group is not increased, detecting whether the identification of the user equipment in the group is changed;
and when detecting that the identification of the user equipment in the group changes, determining that the state change of the user equipment in the group is detected.
3. The method of claim 2, wherein when the detected change in the state of the user equipment is a decrease in the number of user equipment, performing group key agreement and initialization again comprises:
performing a first update on the user equipment identity information list in the group, and performing group key agreement and initialization according to the first-updated user equipment identity information list.
4. The method of claim 2, wherein when the detected change in the state of the user equipment is an increase in the number of user equipment, performing group key agreement and initialization again comprises:
performing a second update on the node information of the user equipment in the group, and performing group key negotiation and initialization according to the second-updated node information.
5. The method of claim 2, wherein when the detected change in the state of the user equipment is that the number of user equipment has not changed but the identification of the user equipment has changed, performing group key agreement and initialization again comprises:
performing a third update on the node information of the user equipment in the group, and performing group key negotiation and initialization according to the third-updated node information.
6. The method according to any of claims 1 to 5, wherein after distributing the re-initialized group key to all user equipment in the group, the method further comprises:
judging whether the group key is successfully distributed to all user equipment in the group;
and when the sending is determined to have failed, performing group key negotiation and initialization again, or resending.
7. A group key security management apparatus, operable in an electronic device, the apparatus comprising:
the first initialization module is used for carrying out group key agreement and initialization on user equipment in a group;
a first sending module, configured to distribute the initialized group key to all user devices in the group;
the detection module is used for detecting whether the state of the user equipment in the group changes;
the second initialization module is used for carrying out group key negotiation and initialization again when the detection module detects that the state of the user equipment in the group changes;
a second sending module, configured to distribute the re-initialized group key to all user devices in the group;
wherein the group key agreement and initialization for the user equipments in the group comprises:
11) Node $u_1$ of user equipment $N_1$, according to the elliptic curve point $k_{1,2} = s_1 P_2 = (x_{1,2}, y_{1,2})$, sequentially calculates
Figure FDA0002764294660000031
$B_1 = h(u_1 \| u_2 \| t_{1,2})$, $NK_1 = B_1$ and information $m_1 = \{NK_1, U\}$; node $u_1$ sends information $m_1$ to the next node $u_2$;
12) Node $u_i$ ($i \in \{2, 3, \ldots, n-1\}$) receives the information $m_{i-1}$ sent by the previous node, parses the information $NK_{i-1}$ in it, and, following step 11), sequentially calculates $B_i$,
Figure FDA0002764294660000032
and information $m_i = \{NK_i, U\}$; node $u_i$ sends information $m_i$ to the next node $u_{i+1}$;
13) Node $u_n$ receives information $m_{n-1}$, parses the information $NK_{n-1}$ in it, and sequentially calculates $B_n$,
Figure FDA0002764294660000041
$B_{n-1}$,
Figure FDA0002764294660000042
and information $m_n = \{MK_n, U\}$; node $u_n$ sends information $m_n$ to node $u_{n-1}$;
14) Node $u_i$ ($i \in \{2, 3, \ldots, n-1\}$) receives information $m_{i+1}$, parses the information $MK_{i+1}$ in it, and sequentially calculates
Figure FDA0002764294660000043
$B_{i-1}$,
Figure FDA0002764294660000044
and information $m_i = \{MK_i, U\}$; node $u_i$ sends information $m_i = \{MK_i\}$ to node $u_{i-1}$; and
15) Node $u_1$ receives information $m_2$, parses the information $MK_2$ in it, and calculates
Figure FDA0002764294660000045
In the above steps 11) to 15), $n$ is the number of user equipments in the network; $S$ is a key distribution center; $N_i$ are nodes in the network; $s_i$ is the private key of user equipment $N_i$; $P_i$ is the public key of user equipment $N_i$; $u_i$ is the identity information of user equipment $N_i$; $U$ is the user equipment identity information list in the group; $\|$ is the concatenation operation;
Figure FDA0002764294660000046
is an exclusive or operation.
8. An electronic device, characterized in that: the electronic device comprises a processor for implementing the group key security management method of any one of claims 1 to 6 when executing a computer program stored in a memory.
9. A computer-readable storage medium having stored thereon a computer program, characterized in that: the computer program, when executed by a processor, implements the group key security management method of any one of claims 1 to 6.
CN201810780127.8A 2018-07-16 2018-07-16 Group key security management method and device, electronic equipment and storage medium Expired - Fee Related CN108964904B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810780127.8A CN108964904B (en) 2018-07-16 2018-07-16 Group key security management method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN108964904A CN108964904A (en) 2018-12-07
CN108964904B true CN108964904B (en) 2020-12-22

Family

ID=64496040

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810780127.8A Expired - Fee Related CN108964904B (en) 2018-07-16 2018-07-16 Group key security management method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN108964904B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111756524A (en) * 2019-03-26 2020-10-09 深圳市网安计算机安全检测技术有限公司 Dynamic group key generation method and device, computer equipment and storage medium
CN110784318B (en) * 2019-10-31 2020-12-04 广州华多网络科技有限公司 Group key updating method, device, electronic equipment, storage medium and communication system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101119364A (en) * 2007-09-13 2008-02-06 上海大学 Authenticating Ad Hoc group cipher key negotiation protocol
CN101399660A (en) * 2007-09-28 2009-04-01 华为技术有限公司 Method and device for negotiating group cipher
CN103023653A (en) * 2012-12-07 2013-04-03 哈尔滨工业大学深圳研究生院 Low-power-consumption communication method and device for safety group of internet of things
CN103731825A (en) * 2013-12-20 2014-04-16 北京理工大学 Bridge-type-based wireless sensing network key management scheme
CN104868963A (en) * 2015-05-11 2015-08-26 电子科技大学 Broadcast encryption scheme based on multi-linear mapping
CN105812349A (en) * 2016-01-20 2016-07-27 杭州安恒信息技术有限公司 Asymmetric secret key distribution and message encryption method based on identity information
CN107360571A (en) * 2017-09-08 2017-11-17 哈尔滨工业大学深圳研究生院 Anonymity in a mobile network is mutually authenticated and key agreement protocol

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7444514B2 (en) * 2003-10-15 2008-10-28 International Business Machines Corporation Group key exchanges with failures
US7840810B2 (en) * 2007-01-18 2010-11-23 Panasonic Electric Works Co., Ltd. Systems and methods for rejoining a second group of nodes with a first group of nodes using a shared group key
US8510561B2 (en) * 2010-02-26 2013-08-13 Research In Motion Limited Methods and devices for computing a shared encryption key

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"A survey of key management schemes in wireless sensor networks";Yang Xiao;《Computer Communications》;20070510;全文 *
"物联网安全及隐私保护中若干关键技术研究";林巧民;《中国博士学位论文全文数据库》;20150531;全文 *
"非集中式社交网络隐私保护的研究";张晓洁;《中国优秀硕士学位论文全文数据库》;20180228;全文 *

Also Published As

Publication number Publication date
CN108964904A (en) 2018-12-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20201222

Termination date: 20210716