CN112822018A - Mobile equipment security authentication method and system based on bilinear pairings - Google Patents
Mobile equipment security authentication method and system based on bilinear pairings Download PDFInfo
- Publication number
- CN112822018A CN112822018A CN202110427217.0A CN202110427217A CN112822018A CN 112822018 A CN112822018 A CN 112822018A CN 202110427217 A CN202110427217 A CN 202110427217A CN 112822018 A CN112822018 A CN 112822018A
- Authority
- CN
- China
- Prior art keywords
- user equipment
- message
- signature
- timestamp
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 44
- 238000004891 communication Methods 0.000 claims abstract description 31
- 238000012795 verification Methods 0.000 claims description 54
- 238000013507 mapping Methods 0.000 claims description 41
- 238000010586 diagram Methods 0.000 description 8
- 238000005516 engineering process Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000004064 recycling Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/30—Services specially adapted for particular environments, situations or purposes
- H04W4/40—Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Algebra (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Pure & Applied Mathematics (AREA)
- Physics & Mathematics (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention relates to a mobile equipment safety certification method and a system based on bilinear pairings, aiming at one-to-one mobile equipment communication, user equipment carries out user identity certification through 5G certification and a key agreement protocol in a 5G network, a safety channel is established between the user equipment and the 5G network through certification, and the user equipment is initialized through the safety channel. When the user equipment prepares for communication, the user equipment verifies the identity between the equipment through a signature, and performs key negotiation by using a bilinear pairing algorithm, so that the equipment can establish connection and perform communication through the negotiated key. The method effectively resists common attacks such as eavesdropping, counterfeiting and the like, and improves the forward and backward security of the secret key. By using the invention, the mobile devices can communicate with each other safely and efficiently.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a mobile equipment security authentication method and system based on bilinear pairings.
Background
The next generation mobile communication, i.e. the 5G wireless mobile network, not only brings a solution to the ever-increasing large-scale connection devices such as the large data traffic demand and the internet of things, but also brings new services. One of the very promising solutions is that Device-to-Device (D2D) communication, i.e. communication between mobile devices, is expected to play a key role with the advantages of increased efficiency and low latency. Communication between mobile devices is a point-to-point communication mechanism between devices without intermediate nodes. Communication between mobile devices has many advantages in mobile networks. First, it can extend the coverage area of each cell in a cellular network, acting as a communication bridge to transmit data to nodes outside the coverage area. Second, communication between mobile devices helps to reduce power consumption of the base station by transferring data directly between the devices. Finally, the recycling efficiency of the same radio frequency is improved. In communication between mobile devices, the distance between the devices is much shorter than the distance between the devices and the base station. This means that radio frequency interference is reduced in the communication scenario between mobile devices, facilitating the transmission of multiple data using the same radio frequency. In addition, the communication between the mobile devices is a core technology of 5G vehicle network communication, and is a key technology of automatic driving. Therefore, it is of great significance to study the communication between mobile devices in the 5G network. However, in the prior art, the communication of the D2D is easy to attack, and the security performance is not high.
Disclosure of Invention
The invention aims to provide a mobile equipment security authentication method and system based on bilinear pairings so as to improve the security performance of communication between mobile equipment.
In order to achieve the purpose, the invention provides the following scheme:
a mobile device security authentication method based on bilinear pairings comprises the following steps:
the access and mobile management function module of the 5G network generates a temporary identity ID for the user equipment after successful authentication and sends the temporary identity ID to the corresponding user equipment through a secure channel;
the first user equipment generates a first public key of the first user equipment by adopting an elliptic curve cryptography algorithm, generates a first signature of the first user equipment according to the temporary identity ID of the first user equipment, and sends a first messageBroadcasting; wherein,is the temporary identity ID of the first user equipment,is a first signature of the first user equipment,is the first public key of the first user equipment,a timestamp for the first message;
the second user equipment verifies the first user equipment through the timestamp of the first message and the first signature of the first user equipment; after the verification is passed, the second user equipment generates a first public key of the second user equipment by adopting an elliptic curve cryptography algorithm, generates a first signature of the second user equipment according to the temporary identity ID of the second user equipment, and sends a second messageSending the information to the access and mobile management function module; wherein,is the temporary identity ID of the second user equipment,is the first signature of the second user equipment,is the first public key of the second user equipment,a timestamp for the second message;
the access and mobile management function module verifies the first user equipment and the second user equipment through the timestamp of the second message, the first signature of the first user equipment and the first signature of the second user equipment; after the verification is passed, the access and mobile management functional module generates a first public key of the AMF and a first signature of the AMF, and sends a third messageSending the information to the first user equipment; wherein,is the first public key of the AMF,is the first signature of the AMF,a timestamp for the third message;
the first user equipment verifies the access and mobile management function module through the timestamp of the third message and the first signature of the AMF; after the verification is passed, the first user equipment generates a hash value of the first user equipment, a second public key of the first user equipment and a second signature of the first user equipment, and sends a fourth messageSending the information to the second user equipment; wherein,is the hash value of the first user equipment,is the second public key of the first user equipment,is the second signature of the first user equipment,a timestamp for the fourth message;
the second user equipment verifies the first user equipment through the timestamp of the fourth message and the second signature of the first user equipment; after the verification is passed, the second user equipment generates a hash value of the second user equipment, a second public key of the second user equipment and a second signature of the second user equipment, a first shared key is generated by adopting a bilinear mapping algorithm, and a fifth message is sentSending the information to the first user equipment; wherein,is the hash value of the second user equipment,is the second public key of the second user equipment,is a second signature of the second user equipment,a timestamp of the fifth message;
the first user equipment passes the time stamp of the fifth message and the second user equipmentThe signature verifies the second user equipment; after the verification is passed, generating a second shared secret key through a bilinear mapping algorithm; encrypting the session message by using the second shared key to generate a sixth message, and sending the sixth message to the second user equipment; the conversation message isThe sixth message is,The message is the message obtained by encrypting the session message by adopting the second shared secret key;
the second user equipment decrypts the sixth message through the first shared key and verifies the decrypted message and the first shared keyWhether they are equal; if the first user equipment and the second user equipment are equal, the second user generates a message which is successfully encrypted, encrypts the message which is successfully encrypted by adopting a second shared secret key, generates a seventh message and sends the seventh message to the first user equipment, and the authentication of the first user equipment and the second user equipment is completed; after the first user equipment and the second user equipment are authenticated, the message sent to the second user equipment by the first user equipment is encrypted by the first shared secret key, and the message sent to the first user equipment by the second user equipment is encrypted by the second shared secret key.
Optionally, the access and mobility management function module of the 5G network generates a temporary identity ID for the user equipment after the authentication is successful, and before that, the method further includes:
the user equipment is authenticated through a 5G-AKA protocol of the 5G network, and the 5G network establishes a security channel after the authentication is successful.
Optionally, the verifying, by the second user equipment, the first user equipment through the timestamp of the first message and the first signature of the first user equipment specifically includes:
the second user equipment verifies the timestamp of the first message; after the verification is passed, the judgment is passedWhether a first signature of first user equipment is verified or not is established, and if yes, the first user equipment is verified to pass; wherein,to representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,is a base point in the elliptic curve cryptography algorithm,to generate a private key corresponding to the first public key of the first user device,a hash value of the first user equipment temporary identity ID.
Optionally, the verifying, by the access and mobility management functional module, the first user equipment and the second user equipment according to the timestamp of the second message, the first signature of the first user equipment, and the first signature of the second user equipment specifically includes:
the access and mobile management function module verifies the timestamp of the second message; after the verification is passed, the judgment is passed And whether the first signature of the first user equipment and the first signature of the second user equipment are verified or not is established; if it isIf yes, the first user equipment is verified to be passed; if it isIf yes, the second user equipment is verified to pass; wherein,to representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,is a base point in the elliptic curve cryptography algorithm,to generate a private key corresponding to the first public key of the first user device,a hash value of the first user equipment temporary identity ID;to representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,to generate a private key corresponding to the first public key of the second user device,a hash value of the second user equipment temporary identity ID.
Optionally, the verifying, by the first user equipment, the access and mobility management function module by using the timestamp of the third message and the first signature of the AMF specifically includes:
the first user equipment verifies the timestamp of the third message; after the verification is passed, the judgment is passedWhether the first signature of the AMF is verified or not is established, if so, the access and mobile management function module is verified to be passed; wherein,to representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,is a base point in the elliptic curve cryptography algorithm,to generate the private key corresponding to the first public key of the AMF,a connection symbol is represented and,is composed ofAndthe hash value after the concatenation of the hash values,is the first public key of the AMF.
Optionally, the verifying, by the second user equipment, the first user equipment through the timestamp of the fourth message and the second signature of the first user equipment specifically includes:
the second user equipment verifies the timestamp of the fourth message; after the verification is passed, the judgment is passedWhether the first user equipment is verified or not is established, and if the first user equipment is verified, the first user equipment is verified to pass; wherein,to representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,is a hash value of the first user equipment temporary identity ID,to generate the private value of the second signature of the first user device,a connection symbol is represented and,is composed ofAndthe hash value after the concatenation of the hash values,=。
optionally, after the verification is passed, the second user equipment generates the first shared key by using a bilinear mapping algorithm, which specifically includes:
using formulasGenerating a first shared key; wherein,in order to be the first shared secret key,to representAndthe bilinear mapping values of (a) the image,is a hash value of the first user equipment temporary identity ID,a hash value of the second user equipment temporary identity ID,to generate the private value of the second signature of the first user device,to generate a secret value of the second signature of the second user device,is the master key of the system.
Optionally, the verifying, by the first user equipment, the second user equipment through the timestamp of the fifth message and a second signature of the second user equipment specifically includes:
the first user equipment verifies the timestamp of the fifth message; after the verification is passed, the judgment is passedWhether the signature of the second user equipment is verified or not is established, and if the signature of the second user equipment is established, the second user equipment is verified to pass; wherein,to representAndthe bilinear mapping values of (a) the image,a bilinear map value of the and is represented,a bilinear map value of the and is represented,a hash value of the second user equipment temporary identity ID,to generate a secret value of the second signature of the second user device,a connection symbol is represented and,is composed ofAndthe hash value after the concatenation of the hash values,=。
optionally, after the verification passes, generating a second shared key through a bilinear mapping algorithm includes:
The invention also provides a mobile equipment safety authentication system based on bilinear pairing, which comprises:
the temporary identity ID generation module is used for generating a temporary identity ID for the user equipment after the authentication is successful by adopting an access and mobile management function module of the 5G network and sending the temporary identity ID to the corresponding user equipment through a secure channel;
a first user equipment broadcasting module, configured to generate, by the first user equipment, a first public key of the first user equipment by using an elliptic curve cryptography algorithm, generate a first signature of the first user equipment according to the temporary identity ID of the first user equipment, and send a first message to the first user equipmentBroadcasting; wherein,is the temporary identity ID of the first user equipment,is a first signature of the first user equipment,is the first public key of the first user equipment,a timestamp for the first message;
the second user equipment request communication module is used for verifying the first user equipment by the second user equipment through the timestamp of the first message and the first signature of the first user equipment; after the verification is passed, the second user equipment generates a first public key of the second user equipment by adopting an elliptic curve cryptography algorithm, generates a first signature of the second user equipment according to the temporary identity ID of the second user equipment, and sends a second messageSending the information to the access and mobile management function module; wherein,is the temporary identity ID of the second user equipment,is the first signature of the second user equipment,is the first public key of the second user equipment,a timestamp for the second message;
the access and mobility management function module verification module is used for verifying the first user equipment and the second user equipment through the timestamp of the second message, the first signature of the first user equipment and the first signature of the second user equipment by the access and mobility management function module; after the verification is passed, the access and mobile management functional module generates a first public key of the AMF and a first signature of the AMF, and sends a third messageSending the information to the first user equipment; wherein,is the first public key of the AMF,is the first signature of the AMF,a timestamp for the third message;
the AMF verification module is used for verifying the access and mobile management function module by the first user equipment through the timestamp of the third message and the first signature of the AMF; after the verification is passed, the first user equipment generates a hash value of the first user equipment, a second public key of the first user equipment and the first userA second signature of the device, and a fourth messageSending the information to the second user equipment; wherein,is the hash value of the first user equipment,is the second public key of the first user equipment,is the second signature of the first user equipment,a timestamp for the fourth message;
the first shared key generation module is used for the second user equipment to verify the first user equipment through the timestamp of the fourth message and the second signature of the first user equipment; after the verification is passed, the second user equipment generates a hash value of the second user equipment, a second public key of the second user equipment and a second signature of the second user equipment, a first shared key is generated by adopting a bilinear mapping algorithm, and a fifth message is sentSending the information to the first user equipment; wherein,is the hash value of the second user equipment,is the second public key of the second user equipment,is a second signature of the second user equipment,a timestamp of the fifth message;
a second shared key generation module, configured to verify, by the first user equipment, the second user equipment through a timestamp of the fifth message and a second signature of the second user equipment; after the verification is passed, generating a second shared secret key through a bilinear mapping algorithm; encrypting the session message by using the second shared key to generate a sixth message, and sending the sixth message to the second user equipment; the conversation message isThe sixth message is,The message is the message obtained by encrypting the session message by adopting the second shared secret key;
a shared key verification module, configured to decrypt the sixth message with the first shared key by the second user equipment, and verify the decrypted message withWhether they are equal; if the first user equipment and the second user equipment are equal, the second user generates a message which is successfully encrypted, encrypts the message which is successfully encrypted by adopting a second shared secret key, generates a seventh message and sends the seventh message to the first user equipment, and the authentication of the first user equipment and the second user equipment is completed; after the first user equipment and the second user equipment are authenticated, the message sent to the second user equipment by the first user equipment is encrypted by the first shared secret key, and the message sent to the first user equipment by the second user equipment is encrypted by the second shared secret key.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
the communication entities in the method provided by the invention carry out mutual authentication, thereby avoiding impersonation attack and ensuring the safety of communication; the user equipment guarantees the freshness of the message through the timestamp, so that replay attack is avoided; the private key value of the user equipment is randomly generated every session in the authentication process. Therefore, the backward security of the key is ensured; the session key is generated by a bilinear pairwise algorithm, so that the actual session key can never be transmitted through an insecure free channel, and the security of the key is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
FIG. 1 is a schematic authentication diagram of a security authentication method for a mobile device based on bilinear pairing according to the present invention;
fig. 2 is a schematic diagram of an authentication process according to embodiment 1 of the present invention;
FIG. 3 is a schematic diagram of an authentication process in embodiment 2 of the present invention;
fig. 4 is a schematic structural diagram of a mobile device security authentication system based on bilinear pairing according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
FIG. 1 is a schematic diagram illustrating a security authentication method for a mobile device based on bilinear pairing according to the present invention, as shown in FIG. 1, according to the present invention, an Access and Mobility Function (AMF) module generates a common system parameter(s) ((AMF))). WhereinAre two groups of order q; h is a one-way hash function; f is a function map; randomly selecting s as the master key of the system, and calculating。
User Equipment (UE) is initialized, then the UE is authenticated with a 5G network through a Key Agreement protocol (5G-Authentication and Key Agreement, 5G-AKA), and a security channel is established after the Authentication is successful. At this time, the AMF generates a temporary identity ID of the user equipment UE, calculates S = h (ID), and M = sS, and then sends M, ID to the user equipment UE through the secure channel.
Then, a communication connection between the two user equipments is established, and the process is as follows:
(1) user equipmentFirstly, a random number a is selected and calculated= aP, for user equipmentTemporary identity ofCalculating the signature to obtainThen the user equipmentMessage sendingIs broadcast out, whereinRepresenting user equipmentThe current timestamp of.
(2) When the user equipmentWant to with user equipmentWhen establishing communication, the user equipmentReceive toAfter broadcasting the information, the user equipmentFirst checking the timestampWhether or not, if so, the user equipmentFirstly, for user equipmentIs signedPerforming verification by calculatingWhether or not equal, and if equal, the user equipment is verifiedThen the user equipmentSelecting a random number b, calculating= bP, for user equipmentTemporary identity ofCalculating the signature to obtainThen the user equipmentMessage sendingIs sent to AMF, whereinRepresenting user equipmentThe current timestamp of.
(3) When AMF receives user equipmentAfter the message is sent, the time stamp of the message is firstly verifiedIf the requirements are met, and if so, the AMF verifies the signatureFirst, based on the temporary identity informationComputingCalculating,Whether or not equal, and if equal, the user equipment is verified,Then AMF selects random number c and calculates= cP, for AMFCalculating the signature to obtainThen AMF sends the messageIs sent toWhereinRepresenting the current timestamp of the AMF.
(4) When the user equipmentAfter receiving the message sent by the AMF,first verifying the timestamp of the messageWhether the requirements are met, and if so, the user equipmentVerifying signaturesFirst, based on the temporary identity informationComputingCalculatingIs equal, if equal, the AMF is verified, at which time the AMF notifiesDiscover devices,Thinking and equipmentEstablishing a connection for communication, at which time the user equipmentRandomly selecting a secret valueCalculatingCalculating a signature valueThen the message is sentIs sent toWhereinRepresentsThe current timestamp of.
(5) When the user equipmentReceive fromAfter the message has been sent, the user may,first verifying the timestamp of the messageWhether the requirements are met, and if so, the user equipmentVerifying signaturesCalculatingWhether or not equal, and if equal, the user equipment is verified. At this time, the user equipmentRandomly selecting a secret valueCalculatingUser equipmentComputing and user equipmentIs shared with the keyCalculating a signature valueThen the message is sentIs sent toWhereinRepresentsThe current timestamp of.
(6) When the user equipmentReceive fromAfter the message has been sent, the user may,first verifying the timestamp of the messageWhether the requirements are met, and if so, the user equipmentVerifying signaturesCalculatingWhether or not equal, and if equal, the user equipment is verified. At this time, the user equipmentComputing and user equipmentIs shared with the keyUser equipmentEncrypted using shared key MKAnd to the user equipmentSendingA message.
(7) When the user equipmentReceive fromAfter the message is sent, first calculate U =Then decrypted using the session key MKTo obtainAnd verifies whether U is equal, if so, verifiesEqual session keys are generated, and finallySending an encrypted success message toAnd finally the user equipmentAnd user equipmentBy session keyCommunication is performed.
Two specific embodiments are provided below to further illustrate the security authentication process between mobile devices of the present invention.
Example 1
Fig. 2 is a schematic diagram of an authentication flow in embodiment 1 of the present invention, and as shown in fig. 2, a security authentication process between mobile devices disclosed in this embodiment is as follows:
step 100: and the access and mobile management function module of the 5G network generates a temporary Identity (ID) for the user equipment after the successful authentication and sends the ID to the corresponding user equipment through a secure channel.
Step 200: the first user equipment generates a first public key of the first user equipment by adopting an elliptic curve cryptography algorithm, generates a first signature of the first user equipment according to the temporary identity ID of the first user equipment, and sends a first messageAnd broadcasting. Wherein,is the temporary identity ID of the first user equipment,is a first signature of the first user equipment,is the first public key of the first user equipment,is the timestamp of the first message. In this step, different methods may be used to generate the first public key of the first user equipment and the first signature of the first user equipment according to actual requirements.
Step 300: the second user equipment verifies the first user equipment through the timestamp of the first message and the first signature of the first user equipment; after the verification is passed, the second user equipment generates a first public key of the second user equipment by adopting an elliptic curve cryptography algorithm, and generates a first public key of the second user equipment according to the temporary identity ID of the second user equipmentSign and sign the second messageAnd sending the information to an access and mobile management function module. Wherein,is the temporary identity ID of the second user equipment,is the first signature of the second user equipment,is the first public key of the second user equipment,is the timestamp of the second message. In this step, different methods may be used to verify the first user equipment according to actual requirements, and a first public key of the second user equipment and a first signature of the second user equipment are generated.
Step 400: the access and mobile management function module verifies the first user equipment and the second user equipment through the timestamp of the second message, the first signature of the first user equipment and the first signature of the second user equipment; after the verification is passed, the access and mobile management functional module generates a first public key of the AMF and a first signature of the AMF, and sends a third messageAnd sending the data to the first user equipment. Wherein,is the first public key of the AMF,is the first signature of the AMF,is the third herbTime stamp of the message. In this step, different methods may be adopted to verify the first user equipment and the second user equipment according to actual requirements, and generate the first public key of the AMF and the first signature of the AMF.
Step 500: the first user equipment verifies the access and mobile management function module through the timestamp of the third message and the first signature of the AMF; after the verification is passed, the first user equipment generates a hash value of the first user equipment, a second public key of the first user equipment and a second signature of the first user equipment, and sends a fourth messageAnd sending the data to the second user equipment. Wherein,is the hash value of the first user equipment,is the second public key of the first user equipment,is the second signature of the first user equipment,is the timestamp of the fourth message. In this step, different methods may be used to verify an Access and Mobility Management Function (AMF) module according to actual requirements, and generate a hash value of the first user equipment, a second public key of the first user equipment, and a second signature of the first user equipment.
Step 600: the second user equipment verifies the first user equipment through the timestamp of the fourth message and the second signature of the first user equipment; after the verification is passed, the second user equipment generates a hash value of the second user equipment, a second public key of the second user equipment and a second signature of the second user equipment, a first shared key is generated by adopting a bilinear mapping algorithm, and a fifth message is sentAnd sending the data to the first user equipment. Wherein,is the hash value of the second user equipment,is the second public key of the second user equipment,is a second signature of the second user equipment,is the timestamp of the fifth message. In this step, different methods may be adopted to verify the first user equipment according to actual requirements, and a hash value of the second user equipment, a second public key of the second user equipment, and a second signature of the second user equipment are generated.
Step 700: the first user equipment verifies the second user equipment through the timestamp of the fifth message and the second signature of the second user equipment; after the verification is passed, generating a second shared secret key through a bilinear mapping algorithm; and the second shared key is adopted to encrypt the session message to generate a sixth message which is sent to the second user equipment. The conversation message isThe sixth message is,Is a message in which the session message is encrypted using the second shared key. In this step, different methods can be adopted to verify the second user equipment according to actual requirements.
Step 800: the second user equipment shares the key through the first shared keyDecrypting the sixth message and verifying the decrypted message withWhether they are equal; and if the first user equipment and the second user equipment are equal, the second user generates a message which is successfully encrypted, encrypts the message which is successfully encrypted by adopting the second shared secret key, generates a seventh message and sends the seventh message to the first user equipment, and the authentication of the first user equipment and the second user equipment is completed.
After the first user equipment and the second user equipment are authenticated, the message sent to the second user equipment by the first user equipment is encrypted by adopting a first shared key, and the message sent to the first user equipment by the second user equipment is encrypted by adopting a second shared key.
Example 2
This embodiment discloses a specific manner of each public key, signature, and authentication as compared with embodiment 1. Fig. 3 is a schematic diagram of an authentication flow in embodiment 2 of the present invention, and as shown in fig. 3, a security authentication process between mobile devices disclosed in this embodiment is as follows:
the method comprises the following steps: initializing User Equipment (UE), authenticating the UE through a protocol 5G-AKA protocol and a 5G network, and establishing a security channel after the authentication is successful. At this time, the AMF module generates a temporary identity ID of the UE, calculates S = h (ID), and M = sS, and then sends M, ID to the UE through the secure channel.
Step two: user equipmentFirstly, a random number a is selected, and a public key is calculated= aP, for user equipmentTemporary identity ofCalculating the signature to obtain the signatureThen the user equipmentMessage sendingAnd broadcasting. WhereinRepresenting user equipmentThe current timestamp of.
Step three: when the user equipmentWant to with user equipmentWhen establishing communication, the user equipmentReceive toAfter broadcasting the information, the user equipmentFirst checking the timestampIf true, determining the timestampWhether the time is within the preset time range or not, if so, the user equipmentFirst by calculatingWhether to equal user equipmentIs signedVerifying, if equal, the user equipment is verifiedThen the user equipmentSelecting random number b, calculating public key= bP, for user equipmentTemporary identity ofCalculating the signature to obtain the signatureThen the user equipmentMessage sendingIs sent to AMF, whereinRepresenting user equipmentThe current timestamp of.
Step four: when AMF receives user equipmentAfter the message is sent, the time stamp of the message is firstly verifiedWhether the requirements are met. If the requirements are met, then AMF verifies the signatureIn particular, based on temporary identity informationComputingCalculating,Whether or not equal, and if equal, the user equipment is verifiedAndthen AMF selects random number c and calculates public key= cP, for AMFCalculating the signature to obtain the signatureThen AMF sends the messageIs sent toWhereinRepresenting the current timestamp of the AMF.
Step five: when the user equipmentAfter receiving the message sent by the AMF,first verifying the timestamp of the messageWhether the requirements are met, and if so, the user equipmentFirstly, according to temporary identity informationComputingThen by calculatingVerifying signatures equallyIf equal, the AMF is verified, at which point the AMF notifiesDiscover devices,Thinking and equipmentEstablishing a connection for communication, at which time the user equipmentRandomly selecting a secret valueComputing public keysComputing a signature value signatureThen the message is sentIs sent toWhereinRepresentsThe current timestamp of.
Step six: when the user equipmentReceive fromAfter the message has been sent, the user may,first verifying the timestamp of the messageWhether the requirements are met. If the requirements are met, the user equipmentBy calculation ofVerifying signatures equallyAnd if equal, the user equipment is verified. At this time, the user equipmentRandomly selecting a secret valueComputing public keysUser equipmentComputing and user equipmentIs shared with the keyCalculating a signature valueThen the message is sentIs sent toWhereinRepresentsThe current timestamp of.
Step seven: when the user equipmentReceive fromAfter the message has been sent, the user may,first verifying the timestamp of the messageWhether the requirements are met, and if so, the user equipmentVerifying signaturesCalculatingWhether or not equal, and if equal, the user equipment is verified. At this time, the user equipmentComputing and user equipmentIs shared with the keyUser equipmentEncrypted using shared key MKAnd to the user equipmentSendingA message.
Step eight: when the user equipmentReceive fromAfter the message is sent, first calculate U =Then decrypted using the session key MKTo obtainAnd verifies whether U is equal, if so, verifiesEqual session keys are generated, and finallySending an encrypted success message toAnd finally the user equipmentAnd user equipmentBy separately calculated session keysCommunication is performed.
The invention has the following beneficial effects:
1. the communication entities in the method provided by the invention carry out mutual authentication, thereby avoiding impersonation attack and ensuring the security of communication.
2. The method provided by the invention ensures the message freshness through the time stamp by the user equipment. Thereby avoiding replay attacks.
3. Method session key provided by the inventionIs established in dependence on、Selected random numberAndand. Thus, the forward security of the key is guaranteed.
4. In the method provided by the invention, the private key value of the user equipment is randomly generated in each session in the authentication process. Thus, backward security of the key is guaranteed.
5. The method provided by the invention is a session keyIs generated by a bilinear pairwise algorithm, so the actual session key is never transmitted over an unsecured free channel. Thus, the security of the key is guaranteed.
Based on the above scheme, the present invention further provides a mobile device security authentication system based on bilinear pairings, and fig. 4 is a schematic structural diagram of the mobile device security authentication system based on bilinear pairings according to the present invention. As shown in fig. 4, the mobile device security authentication system based on bilinear pairing of the present invention includes:
and the temporary identity ID generation module 401 is configured to generate a temporary identity ID for the user equipment after the authentication is successful by using the access and mobility management function module of the 5G network, and send the temporary identity ID to the corresponding user equipment through the secure channel.
A first user equipment broadcasting module 402, configured to generate, by the first user equipment, a first public key of the first user equipment by using an elliptic curve cryptography algorithm, generate a first signature of the first user equipment according to the temporary identity ID of the first user equipment, and send a first message to the first user equipmentBroadcasting; wherein,is the temporary identity ID of the first user equipment,is a first signature of the first user equipment,is the first public key of the first user equipment,is the timestamp of the first message.
A second user equipment request communication module 403, configured to verify, by the second user equipment, the first user equipment through the timestamp of the first message and the first signature of the first user equipment; after the verification is passed, the second user equipment generates a first public key of the second user equipment by adopting an elliptic curve cryptography algorithm, generates a first signature of the second user equipment according to the temporary identity ID of the second user equipment, and sends a second messageSending the information to the access and mobile management function module; wherein,is the temporary identity ID of the second user equipment,is the first signature of the second user equipment,is the first public key of the second user equipment,is the timestamp of the second message.
An access and mobility management function module verification module 404, configured to verify, by the access and mobility management function module, the first user equipment and the second user equipment through the timestamp of the second message, the first signature of the first user equipment, and the first signature of the second user equipment; after the verification is passed, the access and mobile management functional module generates a first public key of the AMF and a first signature of the AMF, and sends a third messageSending the information to the first user equipment; wherein,is the first public key of the AMF,is the first signature of the AMF,is the timestamp of the third message.
A first ue-to-AMF verification module 405, configured to verify, by the first ue, the access and mobility management function module through a timestamp of the third message and a first signature of the AMF; after the verification is passed, the first user equipment generates a hash value of the first user equipment, a second public key of the first user equipment and a second signature of the first user equipment, and sends a fourth messageSending the information to the second user equipment; wherein,is the hash value of the first user equipment,is the second public key of the first user equipment,is the second signature of the first user equipment,is the timestamp of the fourth message.
A first shared key generating module 406, configured to verify, by the second user equipment, the first user equipment through the timestamp of the fourth message and a second signature of the first user equipment; after the verification is passed, the second user equipment generates a hash value of the second user equipment, a second public key of the second user equipment and a second signature of the second user equipment, a first shared key is generated by adopting a bilinear mapping algorithm, and a fifth message is sentSending the information to the first user equipment; wherein,is the hash value of the second user equipment,is the second public key of the second user equipment,is a second signature of the second user equipment,is the timestamp of the fifth message.
A second shared key generating module 407, configured to verify, by the first user equipment, the second user equipment through a timestamp of the fifth message and a second signature of the second user equipment; after the verification is passed, generating a second shared secret key through a bilinear mapping algorithm; encrypting the session message by using the second shared key to generate a sixth message, and sending the sixth message to the second user equipment; the conversation message isThe sixth message is,The message is a message obtained by encrypting a session message by using the second shared key.
A shared key verification module 408, configured to decrypt the sixth message with the first shared key by the second user equipment, and verify the decrypted message withWhether they are equal; if the first user equipment and the second user equipment are equal, the second user generates a message which is successfully encrypted, encrypts the message which is successfully encrypted by adopting a second shared secret key, generates a seventh message and sends the seventh message to the first user equipment, and the authentication of the first user equipment and the second user equipment is completed; after the first user equipment and the second user equipment are authenticated, the message sent to the second user equipment by the first user equipment is encrypted by the first shared secret key, and the message sent to the first user equipment by the second user equipment is encrypted by the second shared secret key.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the above, the present disclosure should not be construed as limiting the invention.
Claims (10)
1. A mobile device security authentication method based on bilinear pairings is characterized by comprising the following steps:
the access and mobile management function module of the 5G network generates a temporary identity ID for the user equipment after successful authentication and sends the temporary identity ID to the corresponding user equipment through a secure channel;
the first user equipment generates a first public key of the first user equipment by adopting an elliptic curve cryptography algorithm, generates a first signature of the first user equipment according to the temporary identity ID of the first user equipment, and sends a first messageBroadcasting; wherein,is the temporary identity ID of the first user equipment,is a first signature of the first user equipment,is the first public key of the first user equipment,a timestamp for the first message;
the second user equipment verifies the first user equipment through the timestamp of the first message and the first signature of the first user equipment; after the verification is passed, the second user equipment generates a first public key of the second user equipment by adopting an elliptic curve cryptography algorithm, generates a first signature of the second user equipment according to the temporary identity ID of the second user equipment, and sends a second messageSending the information to the access and mobile management function module; wherein,is the temporary identity ID of the second user equipment,is the first signature of the second user equipment,is the first public key of the second user equipment,a timestamp for the second message;
the access and mobile management function module verifies the first user equipment and the second user equipment through the timestamp of the second message, the first signature of the first user equipment and the first signature of the second user equipment; after the verification is passed, the access and mobile management functional module generates a first public key of the AMF and a first signature of the AMF, and sends a third messageSending the information to the first user equipment; wherein,is the first public key of the AMF,is the first signature of the AMF,a timestamp for the third message;
the first user equipment verifies the access and mobile management function module through the timestamp of the third message and the first signature of the AMF; after the verification is passed, the first user equipment generates a hash value of the first user equipment, a second public key of the first user equipment and a second signature of the first user equipment, and sends a fourth messageSending the information to the second user equipment; wherein,is the hash value of the first user equipment,is the second public key of the first user equipment,is the second signature of the first user equipment,a timestamp for the fourth message;
the second user equipment verifies the first user equipment through the timestamp of the fourth message and the second signature of the first user equipment; after the verification is passed, the second user equipment generates a hash value of the second user equipment, a second public key of the second user equipment and a second signature of the second user equipment, a first shared key is generated by adopting a bilinear mapping algorithm, and a fifth message is sentSending the information to the first user equipment; wherein,is the hash value of the second user equipment,is the second public key of the second user equipment,is a second signature of the second user equipment,a timestamp of the fifth message;
the first user equipment verifies the second user equipment through the timestamp of the fifth message and a second signature of the second user equipment; after the verification is passed, generating a second shared secret key through a bilinear mapping algorithm; encrypting the session message by using the second shared key to generate a sixth message, and sending the sixth message to the second user equipment; the conversation message isThe sixth message is,The message is the message obtained by encrypting the session message by adopting the second shared secret key;
the second user equipment decrypts the sixth message through the first shared key and verifies the decrypted message and the first shared keyWhether they are equal; if the first user equipment and the second user equipment are equal, the second user generates a message which is successfully encrypted, encrypts the message which is successfully encrypted by adopting a second shared secret key, generates a seventh message and sends the seventh message to the first user equipment, and the authentication of the first user equipment and the second user equipment is completed; after the first user equipment and the second user equipment are authenticated, the message sent to the second user equipment by the first user equipment is encrypted by the first shared secret key, and the message sent to the first user equipment by the second user equipment is encrypted by the second shared secret key.
2. The bilinear pairing-based mobile device security authentication method of claim 1, wherein the access and mobility management function module of the 5G network generates a temporary identity ID for the user equipment after the authentication is successful, and the method further comprises:
the user equipment is authenticated through a 5G-AKA protocol of the 5G network, and the 5G network establishes a security channel after the authentication is successful.
3. The bilinear pairing-based mobile device security authentication method of claim 1, wherein the second user device verifies the first user device through a timestamp of the first message and a first signature of the first user device, and specifically comprises:
the second user equipment verifies the timestamp of the first message; after the verification is passed, the judgment is passedWhether a first signature of first user equipment is verified or not is established, and if yes, the first user equipment is verified to pass; wherein,to representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,is a base point in the elliptic curve cryptography algorithm,to generate a private key corresponding to the first public key of the first user device,a hash value of the first user equipment temporary identity ID.
4. The bilinear pairing-based mobile device security authentication method of claim 1, wherein the access and mobility management function module verifies the first user equipment and the second user equipment through a timestamp of the second message, a first signature of the first user equipment, and a first signature of the second user equipment, and specifically includes:
the access and mobile management function module verifies the timestamp of the second message; after the verification is passed, the judgment is passedAndwhether the first signature of the first user equipment and the first signature of the second user equipment are verified or not is established; if it isIf yes, the first user equipment is verified to be passed; if it isIf yes, the second user equipment is verified to pass; wherein,to representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,is a base point in the elliptic curve cryptography algorithm,to generate a private key corresponding to the first public key of the first user device,a hash value of the first user equipment temporary identity ID;to representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,to generate a private key corresponding to the first public key of the second user device,for the second user equipmentA hash value of the time identity ID.
5. The bilinear pairing-based mobile device security authentication method of claim 1, wherein the first user equipment verifies the access and mobility management function module according to a timestamp of the third message and a first signature of the AMF, and specifically comprises:
the first user equipment verifies the timestamp of the third message; after the verification is passed, the judgment is passedWhether the first signature of the AMF is verified or not is established, if so, the access and mobile management function module is verified to be passed; wherein,to representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,is a base point in the elliptic curve cryptography algorithm,to generate the private key corresponding to the first public key of the AMF,a connection symbol is represented and,is composed ofAndthe hash value after the concatenation of the hash values,is the first public key of the AMF.
6. The bilinear pairing-based mobile device security authentication method of claim 1, wherein the second user device verifies the first user device through a timestamp of the fourth message and a second signature of the first user device, and specifically comprises:
the second user equipment verifies the timestamp of the fourth message; after the verification is passed, the judgment is passedWhether the first user equipment is verified or not is established, and if the first user equipment is verified, the first user equipment is verified to pass; wherein,to representAndbilinear map value of,To representAndthe bilinear mapping values of (a) the image,to representAndthe bilinear mapping values of (a) the image,is a hash value of the first user equipment temporary identity ID,to generate the private value of the second signature of the first user device,a connection symbol is represented and,is composed ofAndthe hash value after the concatenation of the hash values,=。
7. the bilinear pairing-based mobile device security authentication method of claim 1, wherein after the verification is passed, the second user equipment generates the first shared key by using a bilinear mapping algorithm, and specifically includes:
using formulasGenerating a first shared key; wherein,in order to be the first shared secret key,to representAndthe bilinear mapping values of (a) the image,is a hash value of the first user equipment temporary identity ID,a hash value of the second user equipment temporary identity ID,to generate the private value of the second signature of the first user device,to generate a secret value of the second signature of the second user device,is the master key of the system.
8. The bilinear pairing-based mobile device security authentication method of claim 1, wherein the first user equipment verifies the second user equipment through a timestamp of the fifth message and a second signature of the second user equipment, and specifically comprises:
the first user equipment verifies the timestamp of the fifth message; after the verification is passed, the judgment is passedWhether the signature of the second user equipment is verified or not is established, and if the signature of the second user equipment is established, the second user equipment is verified to pass; wherein,to representAndthe bilinear mapping values of (a) the image,a bilinear map value of the and is represented,a bilinear map value of the and is represented,a hash value of the second user equipment temporary identity ID,to generate a secret value of the second signature of the second user device,a connection symbol is represented and,is composed ofAndthe hash value after the concatenation of the hash values,=。
10. A mobile device security authentication system based on bilinear pairings, comprising:
the temporary identity ID generation module is used for generating a temporary identity ID for the user equipment after the authentication is successful by adopting an access and mobile management function module of the 5G network and sending the temporary identity ID to the corresponding user equipment through a secure channel;
a first user equipment broadcasting module, configured to generate, by the first user equipment, a first public key of the first user equipment by using an elliptic curve cryptography algorithm, generate a first signature of the first user equipment according to the temporary identity ID of the first user equipment, and send a first message to the first user equipmentBroadcasting; wherein,is the temporary identity ID of the first user equipment,is a first signature of the first user equipment,is the first public key of the first user equipment,a timestamp for the first message;
the second user equipment request communication module is used for verifying the first user equipment by the second user equipment through the timestamp of the first message and the first signature of the first user equipment; after the verification is passed, the second user equipment generates a first public key of the second user equipment by adopting an elliptic curve cryptography algorithm, generates a first signature of the second user equipment according to the temporary identity ID of the second user equipment, and sends a second messageSending the information to the access and mobile management function module; wherein,is the temporary identity ID of the second user equipment,is the first signature of the second user equipment,is the first public key of the second user equipment,a timestamp for the second message;
the access and mobility management function module verification module is used for verifying the first user equipment and the second user equipment through the timestamp of the second message, the first signature of the first user equipment and the first signature of the second user equipment by the access and mobility management function module; after the verification is passed, the access and mobile management functional module generates a first public key of the AMF and a first signature of the AMF, and sends a third messageSending the information to the first user equipment; wherein,is the first public key of the AMF,is the first signature of the AMF,a timestamp for the third message;
the AMF verification module is used for verifying the access and mobile management function module by the first user equipment through the timestamp of the third message and the first signature of the AMF; after the verification is passed, the first user equipment generates a hash value of the first user equipment and the first userThe second public key of the device and the second signature of the first user device, and send a fourth messageSending the information to the second user equipment; wherein,is the hash value of the first user equipment,is the second public key of the first user equipment,is the second signature of the first user equipment,a timestamp for the fourth message;
the first shared key generation module is used for the second user equipment to verify the first user equipment through the timestamp of the fourth message and the second signature of the first user equipment; after the verification is passed, the second user equipment generates a hash value of the second user equipment, a second public key of the second user equipment and a second signature of the second user equipment, a first shared key is generated by adopting a bilinear mapping algorithm, and a fifth message is sentSending the information to the first user equipment; wherein,is the hash value of the second user equipment,is the second public key of the second user equipment,is a second signature of the second user equipment,a timestamp of the fifth message;
a second shared key generation module, configured to verify, by the first user equipment, the second user equipment through a timestamp of the fifth message and a second signature of the second user equipment; after the verification is passed, generating a second shared secret key through a bilinear mapping algorithm; encrypting the session message by using the second shared key to generate a sixth message, and sending the sixth message to the second user equipment; the conversation message isThe sixth message is,The message is the message obtained by encrypting the session message by adopting the second shared secret key;
a shared key verification module, configured to decrypt the sixth message with the first shared key by the second user equipment, and verify the decrypted message withWhether they are equal; if the first user equipment and the second user equipment are equal, the second user generates a message which is successfully encrypted, encrypts the message which is successfully encrypted by adopting a second shared secret key, generates a seventh message and sends the seventh message to the first user equipment, and the authentication of the first user equipment and the second user equipment is completed; after the first user equipment and the second user equipment are authenticated, the message sent to the second user equipment by the first user equipment is encrypted by the first shared secret key, and the second user equipment sends the first shared secret key to the first user equipmentAnd the message sent by the user equipment is encrypted by adopting the second shared secret key.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110427217.0A CN112822018B (en) | 2021-04-21 | 2021-04-21 | Mobile equipment security authentication method and system based on bilinear pairings |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110427217.0A CN112822018B (en) | 2021-04-21 | 2021-04-21 | Mobile equipment security authentication method and system based on bilinear pairings |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112822018A true CN112822018A (en) | 2021-05-18 |
CN112822018B CN112822018B (en) | 2021-07-02 |
Family
ID=75862516
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110427217.0A Active CN112822018B (en) | 2021-04-21 | 2021-04-21 | Mobile equipment security authentication method and system based on bilinear pairings |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112822018B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115085945A (en) * | 2022-08-22 | 2022-09-20 | 北京科技大学 | Authentication method and device for intelligent lamp pole equipment |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101516114B1 (en) * | 2014-02-13 | 2015-05-04 | 부경대학교 산학협력단 | Certificate-based proxy re-encryption method and its system |
CN105163309A (en) * | 2015-09-10 | 2015-12-16 | 电子科技大学 | Method for secure communication of wireless sensor network based on combined password |
CN106027519A (en) * | 2016-05-18 | 2016-10-12 | 安徽大学 | Efficient condition privacy protection and security authentication method in internet of vehicles |
CN111327620A (en) * | 2020-02-27 | 2020-06-23 | 福州大学 | Data security traceability and access control system under cloud computing framework |
CN111355745A (en) * | 2020-03-12 | 2020-06-30 | 西安电子科技大学 | Cross-domain identity authentication method based on edge computing network architecture |
CN112399407A (en) * | 2021-01-20 | 2021-02-23 | 北京电信易通信息技术股份有限公司 | 5G network authentication method and system based on DH ratchet algorithm |
-
2021
- 2021-04-21 CN CN202110427217.0A patent/CN112822018B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101516114B1 (en) * | 2014-02-13 | 2015-05-04 | 부경대학교 산학협력단 | Certificate-based proxy re-encryption method and its system |
CN105163309A (en) * | 2015-09-10 | 2015-12-16 | 电子科技大学 | Method for secure communication of wireless sensor network based on combined password |
CN106027519A (en) * | 2016-05-18 | 2016-10-12 | 安徽大学 | Efficient condition privacy protection and security authentication method in internet of vehicles |
CN111327620A (en) * | 2020-02-27 | 2020-06-23 | 福州大学 | Data security traceability and access control system under cloud computing framework |
CN111355745A (en) * | 2020-03-12 | 2020-06-30 | 西安电子科技大学 | Cross-domain identity authentication method based on edge computing network architecture |
CN112399407A (en) * | 2021-01-20 | 2021-02-23 | 北京电信易通信息技术股份有限公司 | 5G network authentication method and system based on DH ratchet algorithm |
Non-Patent Citations (2)
Title |
---|
WEIJUN ZHANG等: "A novel key agreement protocol based on bilinear pairing", 《IEEE》 * |
罗铭: "基于双线性对的签密和密钥协商方案研究", 《中国博士学位论文全文数据库》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115085945A (en) * | 2022-08-22 | 2022-09-20 | 北京科技大学 | Authentication method and device for intelligent lamp pole equipment |
CN115085945B (en) * | 2022-08-22 | 2022-11-29 | 北京科技大学 | Authentication method and device for intelligent lamp pole equipment |
Also Published As
Publication number | Publication date |
---|---|
CN112822018B (en) | 2021-07-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2272271B1 (en) | Method and system for mutual authentication of nodes in a wireless communication network | |
CN102036238B (en) | Method for realizing user and network authentication and key distribution based on public key | |
US8578164B2 (en) | Method of one-way access authentication | |
US20110320802A1 (en) | Authentication method, key distribution method and authentication and key distribution method | |
CN104754581A (en) | Public key password system based LTE wireless network security certification system | |
Sun et al. | Privacy-preserving device discovery and authentication scheme for D2D communication in 3GPP 5G HetNet | |
CN107181597B (en) | PMIPv6 authentication system and method based on identity agent group signature | |
CN110087240B (en) | Wireless network security data transmission method and system based on WPA2-PSK mode | |
WO2010020186A1 (en) | Multicast key distribution method, update method, and base station based on unicast conversation key | |
CN111049647B (en) | Asymmetric group key negotiation method based on attribute threshold | |
CN112039660B (en) | Internet of things node group identity security authentication method | |
WO2010121462A1 (en) | Method for establishing safe association among wapi stations in ad-hoc network | |
CN112399407B (en) | 5G network authentication method and system based on DH ratchet algorithm | |
CN117278330B (en) | Lightweight networking and secure communication method for electric power Internet of things equipment network | |
CN112333705B (en) | Identity authentication method and system for 5G communication network | |
CN112822018B (en) | Mobile equipment security authentication method and system based on bilinear pairings | |
CN106992866A (en) | It is a kind of based on wireless network access methods of the NFC without certificate verification | |
CN106953727B (en) | Group safety certifying method based on no certificate in D2D communication | |
CN113411801A (en) | Mobile terminal authentication method based on identity signcryption | |
Singh et al. | Elliptic curve cryptography based mechanism for secure Wi-Fi connectivity | |
CN213938340U (en) | 5G application access authentication network architecture | |
CN114070570A (en) | Safe communication method of power Internet of things | |
CN112533213B (en) | Key negotiation method, device, terminal and storage medium | |
Dao et al. | Prefetched asymmetric authentication for infrastructureless D2D communications: feasibility study and analysis | |
CN112822025B (en) | Mobile terminal equipment security authentication method and system based on elliptic curve algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |