CN113055394A - Multi-service double-factor authentication method and system suitable for V2G network - Google Patents

Publication number
CN113055394A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110325774.1A
Other languages
Chinese (zh)
Inventor
张伟剑
吕卓
王婧
郭志民
杨文�
陈岑
李暖暖
张铮
罗敏
何德彪
蔡军飞
李鸣岩
张伟
常昊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Lianweitu Software Co ltd
State Grid Corp of China SGCC
State Grid Henan Electric Power Co Ltd
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Original Assignee
Wuhan Lianweitu Software Co ltd
State Grid Corp of China SGCC
State Grid Henan Electric Power Co Ltd
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd

Classifications

    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • G16Y30/10 IoT infrastructure: Security thereof
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures


Abstract

A multi-server two-factor authentication method suitable for a smart grid V2G network comprises the following steps: 1) a trusted registry KGC generates a master private key and system parameters; 2) user equipment authentication information and user equipment verification information are generated; 3) a server private key and public key are generated; 4) the user equipment authenticates the user; 5) the mobile device sends login request information to the server; 6) the mobile device logs in to the server after passing server authentication; 7) the mobile device of the electric vehicle user authenticates the server and performs key agreement with it; 8) the mobile device of the electric vehicle calculates the session key and verifies the validity of the server message. The invention ensures the correctness and efficiency of mutual authentication, and can resist known attacks such as replay attacks, user masquerade attacks, server spoofing attacks, lost mobile device attacks and offline password attacks.

Description

Multi-service double-factor authentication method and system suitable for V2G network
Technical Field
The invention belongs to the technical field of smart grid V2G, and in particular relates to an identity-based multi-server two-factor authentication method and system.
Background
The rapid development of the industrial internet of things has had a great influence on industries such as medical care, transportation, manufacturing and smart grids. In addition, the access of billions of internet-of-things devices (such as sensors, smart meters and aggregators) makes the smart grid one of the main drivers of the industrial internet of things. With the rapid development of electric vehicles worldwide, the Vehicle-to-Grid (V2G) network model is regarded as an important component of smart grid communication and is receiving more and more attention from industry and academia. The core idea of V2G technology is to use the energy stored in electric vehicles as a buffer for the grid and for renewable energy. This can address low grid efficiency and renewable energy fluctuation, avoid wasting the surplus electric energy of electric vehicles, and create benefits for electric vehicle users. Since V2G has a bidirectional communication flow between the electric vehicle and the smart grid, it inevitably faces various security attacks during wireless internet-of-things communication. To ensure seamless communication between the electric vehicle and the smart grid, the privacy of the user and the confidentiality of the transmitted data must be ensured.
Anonymous authentication and key agreement protocols are important components of secure network communication. By running an anonymous authentication protocol, two participants can authenticate each other over a public channel and negotiate a temporary session key to enable secure communication in an open network. In an anonymous protocol based on traditional public key cryptography, each communicating party holds a public/private key pair: the private key is used to generate authentication information, and the public key is used to verify the validity of that information. To solve the problem that certificate management is difficult in anonymous authentication protocols based on traditional public key cryptography, researchers proposed identity-based anonymous authentication protocols, which build on the idea of public key cryptography. In such a protocol, the identity of the user (name, telephone number, e-mail address, etc.) is the user's public key, which greatly reduces the complexity of storage and maintenance for the system.
Considering the high mobility and unpredictability of vehicles in the V2G network, authentication methods based on group signatures and ring signatures need to form a user group relationship in advance and introduce a large number of complex operations in signature calculation, so they are difficult to adapt to V2G network authentication with limited resources and unpredictable groups; client-server registration and authentication methods require the client to register multiple times with servers of different regions or service types to obtain diversified services, and are also difficult to apply to highly mobile V2G networks; and some existing multi-server authentication methods for V2G networks do not provide two-factor secure authentication with passwords and smart cards.
In view of this situation, the invention designs a multi-server two-factor authentication method suitable for a smart grid V2G network. In the method, an authenticated user holds a mobile device (such as a smart card) that is matched with the vehicle and can communicate with servers in the network. The user needs to register only once at a trusted registration center in order to use the mobile device to interact with servers of different regions and types and so achieve mutual authentication and key agreement, and no third party needs to be introduced in the authentication process to complete cross-region and cross-server mutual identity authentication.
Disclosure of Invention
To overcome the defects of the prior art, the invention aims to simplify operation so that an authenticated mobile vehicle can perform authentication and key agreement with servers of different regions and types without multiple registrations, and can access a plurality of servers while the privacy of the user and the confidentiality of information are ensured.
In order to solve the technical problems, the invention adopts the following technical scheme:
A multi-server double-factor authentication method suitable for a smart grid V2G network, characterized by comprising the following steps:
Step 1: a trusted registry KGC generates a master private key s and system parameters, stores the master private key, and sends the system parameters to the server and the electric vehicle user;
Step 2: the electric vehicle user sets registration request information and sends the processed registration request information to the KGC; the KGC calculates the user asymmetric key information and the user equipment information from this information and injects the user equipment information into the mobile device corresponding to the electric vehicle; the electric vehicle user also injects the random string $str_i$ into the mobile device corresponding to the electric vehicle;
Step 3: the server sets server registration information and sends it to the KGC; after receiving the server registration information, the KGC calculates the server asymmetric key information and sends it to the server;
Step 4: the user inputs login information, and the mobile device authenticates the user's identity from the login information input by the user; if the authentication is successful, step 5 is executed;
Step 5: the mobile device sends login request information to the server, and the server decides from the freshness of the login information whether to enter step 6; if not, the current login operation is ended;
Step 6: the server judges whether the user can log in successfully; if so, step 7 is carried out; otherwise, the current login operation is terminated;
Step 7: the server sends the key agreement information it has calculated to the mobile device;
Step 8: the mobile device performs key agreement authentication after receiving the key agreement information sent by the server.
The invention further comprises the following preferred embodiments:
In step 1, the system parameters comprise the elliptic-curve additive cyclic group used in the elliptic curve cryptosystem
Figure BDA0002994609680000031
the group generator $P$, the prime order $q$ of the group, the system master public key $P_{pub}$, and the hash functions $h_1$ and $h_2$.
The system master private key is
Figure BDA0002994609680000032
The system master public key is $P_{pub} = s \cdot P$;
the hash function $h_1$ is
Figure BDA0002994609680000033
and the hash function $h_2$ is $h_2: \{0,1\}^* \to \{0,1\}^l$,
where $l$ represents the security length of the hash mapping,
Figure BDA0002994609680000034
denotes the integer set $\{1, 2, \ldots, q-1\}$, and $\{0,1\}^*$ denotes strings of arbitrary length.
The registration information in step 2 includes the personal identity information $ID_i$ and the password $PW_i$.
The processed registration information includes the personal identity information $ID_i$ and the password blinding information $BPW_i$.
The user asymmetric key information comprises the user public key $X_i$ and the user private key $d_i$.
The user equipment information includes the user equipment authentication information $\alpha_i$ and the user equipment authentication information $\beta_i$.
The password blinding information is calculated as $BPW_i = h_1(str_i \| PW_i)$;
the user public key is $X_i = x_i \cdot P$;
the user private key is $d_i = x_i + s\,h_1(ID_i \| X_i) \bmod q$.
The user equipment authentication information is
Figure BDA0002994609680000035
and the user equipment authentication information $\beta_i$ is $\beta_i = h_1(X_i \| d_i)$;
where
Figure BDA0002994609680000036
the symbol "||" indicates string concatenation, and the symbol
Figure BDA0002994609680000037
denotes the exclusive-or operation.
In step 2, the mobile device corresponding to the electric vehicle is a portable network-capable device, such as a smart card or a mobile phone.
The registration information sent by the server in step 3 comprises the identity information $ID_j$ of the server.
The server asymmetric key information comprises the public key $Y_j$ and the private key $d_j$ of the server; the public key $Y_j$ is public, and the private key $d_j$ is kept by the server.
The server public key is $Y_j = y_j \cdot P$;
the server private key is $d_j = y_j + s \cdot h_1(ID_j \| Y_j) \bmod q$;
where $y_j$ is a random number
Figure BDA0002994609680000041
In step 4, the login information input by the user comprises the identity information
Figure BDA0002994609680000042
and the password information
Figure BDA0002994609680000043
User identity authentication by the mobile device comprises the following steps: calculating the user's public and private key information
Figure BDA0002994609680000044
and the user equipment authentication information
Figure BDA0002994609680000045
and comparing the calculated user equipment authentication information
Figure BDA0002994609680000046
with the user equipment authentication information $\beta_i$ stored on the device to check whether they are equal;
the user's public and private key information is calculated as:
Figure BDA0002994609680000047
the user equipment authentication information is calculated as:
Figure BDA0002994609680000048
The login information in step 5 includes the user-side session key factor $R_i$ calculated by the mobile device, the signature information $v_i$, the identity blinding information $b_i$, and a timestamp $T_i$, where the signature information $v_i$ is obtained using the user's private key and the identity blinding information $b_i$ is obtained by encryption based on the server's public key;
the freshness of the login information is judged from the timestamp $T_i$: when the time elapsed between the timestamp $T_i$ of the login information and the server's receipt of the login information is less than or equal to the set threshold, the login information is regarded as "fresh"; the threshold may depend on the network system;
the user-side session key factor is $R_i = r_i \cdot P$;
the signature information is
Figure BDA0002994609680000049
and the identity blinding information is
Figure BDA00029946096800000410
where $K$ is the authentication information for the server, $K = r_i(Y_j - h_1(ID_j \| Y_j) \cdot P_{pub})$, and $r_i$ is a random number
Figure BDA00029946096800000411
In step 6, to judge whether the user logs in successfully, the server uses its private key $d_j$ to decrypt and calculate the user's real identity and public key information
Figure BDA00029946096800000412
and then uses the user's public key information to verify the validity of the signature information $v_i$;
the user identity and public key information are
Figure BDA00029946096800000413
where $K^*$ is the verification information, $K^* = d_j \cdot R_i$.
The signature information is verified by checking whether the following equation holds:
Figure BDA0002994609680000051
where
Figure BDA0002994609680000052
is the user identity information and
Figure BDA0002994609680000053
is the user public key information.
In step 7, the key agreement information of the server includes the server-side session key factor $R_j$, the session key $sk$ and the message authentication code $MAC$. The server embeds its authentication information into the session key through a hash operation, embeds the session key into the message authentication code $MAC$ through a hash operation, and sends the server-side session key factor $R_j$ and the message authentication code $MAC$ to the mobile device of the electric vehicle user;
the server-side session key factor is calculated as $R_j = r_j \cdot P$;
the session key is calculated as
Figure BDA0002994609680000054
where $k$ is a security parameter, $r_j$ is a random number
Figure BDA0002994609680000055
and $R$ is the Diffie-Hellman value of the session factors, calculated as $R = r_j \cdot R_i$.
The message authentication code $MAC$ is calculated as
Figure BDA0002994609680000056
In step 8, the mobile device locally calculates the session factor $R^*$, the session key $sk^*$ and the message authentication code $MAC^*$. If the local message authentication code $MAC^*$ is consistent with the received message authentication code $MAC$, authentication and session key agreement are successfully completed; otherwise, key agreement fails;
the locally computed session factor is $R^* = r_i \cdot R_j$;
the local session key is
Figure BDA0002994609680000057
and the local message authentication code is
Figure BDA0002994609680000058
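The key relations of steps 1, 3, 5, 6 and 7 can be checked numerically; the Python below is an added example, not code from the patent. It assumes secp256k1 as the group, SHA-256 reduced into $Z_q^*$ as $h_1$, plain byte concatenation for "||" and a constructed server identity, and it computes $K$ as $r_i(Y_j + h_1(ID_j \| Y_j) \cdot P_{pub})$, the form that equals $K^* = d_j \cdot R_i$ under the server key formula $d_j = y_j + s \cdot h_1(ID_j \| Y_j) \bmod q$. The signature $v_i$, the blinding value $b_i$, $sk$ and $MAC$ are left out because their formulas are not reproduced in the text.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the group; the page names no curve.
FIELD = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime order q
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator P


def ec_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % FIELD, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)


def ec_mul(k, point):
    """Scalar multiplication by double-and-add (illustrative, not constant time)."""
    k %= Q
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def h1(identity, point):
    """h1 applied to identity || point; SHA-256 and the encoding are assumptions."""
    data = identity.encode() + b"".join(c.to_bytes(32, "big") for c in point)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def rand_scalar():
    """Uniform element of {1, ..., q-1}."""
    return secrets.randbelow(Q - 1) + 1


class KGC:
    """Registration centre: keeps master key s, publishes P_pub = s*P (step 1)."""

    def __init__(self):
        self._s = rand_scalar()
        self.P_pub = ec_mul(self._s, P)

    def extract(self, identity):
        """Steps 2 and 3: return (x*P, x + s*h1(ID || X) mod q)."""
        x = rand_scalar()
        X = ec_mul(x, P)
        return X, (x + self._s * h1(identity, X)) % Q


def key_matches_identity(P_pub, identity, pub, priv):
    """Consequence of the key formula: d*P equals X + h1(ID || X)*P_pub."""
    return ec_mul(priv, P) == ec_add(pub, ec_mul(h1(identity, pub), P_pub))


def client_secret(r_i, P_pub, server_id, Y_j):
    """User side of step 5: K from public values and the user's own r_i."""
    return ec_mul(r_i, ec_add(Y_j, ec_mul(h1(server_id, Y_j), P_pub)))


def server_secret(d_j, R_i):
    """Server side of step 6: K* = d_j*R_i."""
    return ec_mul(d_j, R_i)


def is_fresh(t_i, now, threshold):
    """Step 5 freshness test; rejecting future-dated timestamps is an assumption."""
    return 0 <= now - t_i <= threshold


def run_exchange():
    kgc = KGC()
    sid = "charging-server-01"  # constructed server identity
    Y_j, d_j = kgc.extract(sid)
    r_i, r_j = rand_scalar(), rand_scalar()
    R_i, R_j = ec_mul(r_i, P), ec_mul(r_j, P)
    d_self = rand_scalar()          # key pair the KGC never issued
    Y_self = ec_mul(d_self, P)
    return {
        "key_valid": key_matches_identity(kgc.P_pub, sid, Y_j, d_j),
        "K_agrees": client_secret(r_i, kgc.P_pub, sid, Y_j) == server_secret(d_j, R_i),
        "R_agrees": ec_mul(r_j, R_i) == ec_mul(r_i, R_j),
        "unissued_key_valid": key_matches_identity(kgc.P_pub, sid, Y_self, d_self),
        "unissued_K_agrees":
            client_secret(r_i, kgc.P_pub, sid, Y_self) == server_secret(d_self, R_i),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The last two results show why a server holding a self-generated key pair cannot derive the user's $K$: only a private key that contains the $s \cdot h_1(ID_j \| Y_j)$ term issued by the KGC satisfies the relation.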
The invention also discloses a system based on the multi-service double-factor authentication method, comprising a registrable center module, an information registration module, a mobile equipment module and a server module, characterized in that:
the registrable center module generates a master private key s and system parameters, stores the master private key, and sends the system parameters to the server module and the electric vehicle user;
the electric vehicle user sets registration request information through the information registration module and sends the processed registration request information to the registrable center module; the registrable center module calculates the user asymmetric key information and the user equipment information from this information and injects the user equipment information into the mobile equipment module corresponding to the electric vehicle; the electric vehicle user also injects the random string $str_i$ into the mobile device corresponding to the electric vehicle;
the server module sets server registration information and sends it to the registrable center module; after receiving the registration information sent by the server module, the registrable center module calculates the asymmetric key information of the server module and sends it to the server module; when a user logs in, the server module decides from the freshness of the login information whether to allow the login, and if the login is successful, the server module sends the calculated key agreement information to the mobile equipment module;
the mobile equipment module authenticates the user's identity from the login information input by the user and, if the authentication is successful, sends login request information to the server module; if the user logs in successfully, the mobile equipment module receives the key agreement information sent by the server module and uses it to perform key agreement authentication.
Most of the existing authentication methods applied to a multi-server architecture need to introduce an online trusted third party in the authentication process to assist in realizing identity authentication and key agreement, or are difficult to resist known attacks such as replay attack, user masquerade attack, server spoofing attack, mobile device loss attack, offline password attack and the like.
With this scheme, mutual authentication and key agreement between the user and different servers can be realized without introducing any online trusted third party. In addition, based on timestamps, random blinding factors and hard mathematical problems, the method resists known attacks such as replay attacks, user masquerade attacks, server spoofing attacks, lost mobile device attacks and offline password attacks with only two rounds of communication, and meets the mobile vehicle user's requirements of high security and low overhead for an authentication scheme.
Drawings
FIG. 1 is a schematic diagram illustrating a mutual authentication and key agreement process of a multi-server two-factor authentication method applicable to a V2G network according to the present invention;
FIG. 2 is a schematic diagram illustrating a registration process of a multi-server dual-factor authentication method applicable to a V2G network according to the present invention;
FIG. 3 is a system diagram of multi-server two-factor authentication suitable for a V2G network according to the present invention.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present application is not limited thereby.
The invention provides a double-factor verification method for multiple servers of a smart grid V2G, which comprises system initialization, user registration, server registration, mutual authentication and key agreement algorithm and offline password updating. The method comprises the following steps, and all the parameter meanings are shown in table 1 in detail.
The invention further comprises the following preferred embodiments:
Step 1: a trusted registry KGC generates a master private key s and system parameters, stores the master private key, sends the system parameters to the server and the electric vehicle user, and publishes the system parameters.
The system parameters comprise the elliptic-curve additive cyclic group used in the elliptic curve cryptosystem
Figure BDA0002994609680000076
the group generator $P$, the prime order $q$ of the group, the system master public key $P_{pub}$, and the hash functions $h_1$ and $h_2$.
It should be noted that the above setting of the system parameters is a preferred embodiment of the present invention, and it is clear to those skilled in the art that, in the setting of the system parameters in step 1, the disclosed system parameters are only one preferred embodiment, and there are other possibilities of combination of the system parameters.
In step 1, the trusted registry KGC generates a master private key and public system parameters, specifically as follows:
the KGC selects an additive cyclic group of prime order $q$ with generator $P$
Figure BDA0002994609680000071
Given a security parameter $k$, the KGC selects two hash functions
Figure BDA0002994609680000072
and $h_2: \{0,1\}^* \to \{0,1\}^l$, generates the system master private key
Figure BDA0002994609680000073
and calculates the system master public key $P_{pub} = s \cdot P$, where $l$ represents the security length of the hash mapping,
Figure BDA0002994609680000074
denotes the integer set $\{1, 2, \ldots, q-1\}$, and $\{0,1\}^*$ denotes strings of arbitrary length.
The KGC secretly stores the master private key $s$ and publishes the system parameters
Figure BDA0002994609680000075
Step 2: the electric vehicle user sets registration information; the processed registration request information and part of the registration information set by the user are sent to the KGC; the KGC calculates the user asymmetric key information and the user equipment information from this information and injects the user equipment information into the mobile device corresponding to the electric vehicle; the electric vehicle user also injects the random string $str_i$ into the mobile device corresponding to the electric vehicle;
in step 2, the registration information includes the personal identity information $ID_i$ and the password $PW_i$; the processed registration information comprises the password blinding information $BPW_i$; the user asymmetric key information comprises the user public key $X_i$ and the user private key $d_i$; the user equipment information includes the user equipment authentication information $\alpha_i$ and the user equipment authentication information $\beta_i$.
The generation of the user equipment authentication information and the user equipment verification information specifically includes the following:
user $U_i$ sets the personal identity information $ID_i$ and the password $PW_i$, then randomly selects a string $str_i$ and computes the password blinding information $BPW_i = h_1(str_i \| PW_i)$;
user $U_i$ sends the registration request information $\{ID_i, BPW_i\}$ to the trusted center KGC;
after receiving the registration information, the trusted center KGC selects a random number
Figure BDA0002994609680000081
and computes the user public key $X_i = x_i \cdot P$, the user private key $d_i = x_i + s\,h_1(ID_i \| X_i) \bmod q$, the user equipment authentication information
Figure BDA0002994609680000082
Figure BDA0002994609680000083
and the user equipment authentication information $\beta_i = h_1(X_i \| d_i)$, where the symbol "||" indicates string concatenation and the symbol
Figure BDA0002994609680000084
denotes the exclusive-or operation;
the trusted center KGC securely injects the information $\{\alpha_i, \beta_i\}$ into the user's mobile device; the mobile device of user $U_i$ is denoted $MD_i$ and may be a portable network-capable device such as a smart card or a mobile phone;
user $U_i$ then also injects the random string $str_i$ into the mobile device $MD_i$, which stores it.
Step 3: the server sets server registration information and sends it to the KGC; after receiving the server registration information, the KGC calculates the server asymmetric key information and sends it to the server.
In step 3, generating the server private key and the server public key specifically includes the following:
the server $S_j$ to be registered sends its identity information $ID_j$ to the trusted center KGC;
after receiving the registration information of server $S_j$, the trusted center KGC selects a random number
Figure BDA0002994609680000085
and computes the server's public key $Y_j = y_j \cdot P$ and the server's private key $d_j = y_j + s \cdot h_1(ID_j \| Y_j) \bmod q$;
the trusted center KGC sends the information $\{d_j, Y_j\}$ to the server $S_j$ through a secure channel.
Step 4: the user inputs login information, and the mobile device authenticates the user's identity from the login information input by the user; if the authentication is successful, step 5 is executed;
in step 4, the login information input by the user comprises the identity information
Figure BDA0002994609680000086
and the password information
Figure BDA0002994609680000087
User identity authentication by the mobile device comprises the following steps: calculating the user's public and private key information
Figure BDA0002994609680000088
and the user equipment authentication information
Figure BDA0002994609680000089
and comparing the calculated user equipment authentication information
Figure BDA00029946096800000810
with the user equipment authentication information $\beta_i$ stored on the device to check whether they are equal.
In step 4, the user equipment authentication specifically includes the following:
User $U_i$ enters the memorized identity information
Figure BDA00029946096800000811
and password
Figure BDA00029946096800000812
into the mobile device $MD_i$;
The mobile device $MD_i$ calculates the user's public and private key information
Figure BDA00029946096800000813
and the user equipment authentication information
Figure BDA00029946096800000814
and determines whether the calculated user equipment authentication information
Figure BDA00029946096800000815
equals the user equipment authentication information $\beta_i$ stored on the device; if they are equal, $MD_i$ performs the next steps, otherwise $MD_i$ rejects the session.
Step 5: The mobile device sends login request information to the server; the server decides, according to the freshness of the login information input by the user, whether to proceed to step 6, and otherwise ends the current login operation;
The login information in step 5 includes: the user-side session key factor $R_i$ calculated by the mobile device, the signature information $v_i$, the identity blinding information $b_i$, and a timestamp $T_i$, where the signature information $v_i$ is obtained based on the user's private key and the identity blinding information $b_i$ is obtained by encryption based on the server's public key;
The freshness of the login information is judged from the timestamp $T_i$: when the time elapsed between the timestamp $T_i$ of the login information and the server's receipt of the login information is less than or equal to the set threshold, the information is regarded as "fresh"; the threshold may depend on the network system.
In step 5, the mobile device sends login request information to the server, which specifically includes the following:
The mobile device $MD_i$ selects a random number
Figure BDA0002994609680000091
and computes the user-side session key factor $R_i = r_i P$, the authentication information for the server $K = r_i (Y_j - h_1(ID_j \| Y_j) \cdot P_{pub})$, the signature information
Figure BDA0002994609680000092
Figure BDA0002994609680000093
and the identity blinding information
Figure BDA0002994609680000094
where $T_i$ represents the current timestamp;
The mobile device $MD_i$ sends the login request information $\{R_i, v_i, b_i, T_i\}$ to the server $S_j$;
After receiving the information, the server $S_j$ first verifies whether the timestamp $T_i$ is fresh; if so, it carries out the next step, otherwise it terminates the current session;
Step 6: The server judges whether the user can log in successfully; if so, step 7 is carried out, otherwise the current login operation is terminated.
In step 6, to judge whether the user logs in successfully, the server uses its private key $d_j$ to decrypt and calculate the user's real identity and public key information
Figure BDA0002994609680000095
and further uses the user's public key information to verify the validity of the signature information $v_i$.
In step 6, the login of the mobile device to the server specifically includes the following:
The server $S_j$ calculates its verification information $K^* = d_j \cdot R_i$ and the user's identity and public key information
Figure BDA0002994609680000096
then verifies whether the equation
Figure BDA0002994609680000097
Figure BDA0002994609680000098
holds; if it does, the user has logged in successfully and the server continues with the session key negotiation process below; otherwise, the current session is terminated;
Step 7: The server sends the key negotiation information it has calculated to the mobile device.
In step 7, the key agreement information of the server includes the server-side session key factor $R_j$, the session key sk and the message authentication code MAC: the authentication information of the server is embedded into the session key through a hash operation, the session key is embedded into the message authentication code MAC through a hash operation, and the server sends the server-side session key factor $R_j$ and the message authentication code MAC to the mobile device of the electric vehicle user.
In step 7, the key agreement between the mobile device of the electric vehicle user and the server specifically includes the following:
The server $S_j$ selects a random number
Figure BDA0002994609680000101
and computes the server-side session key factor $R_j = r_j P$, the Diffie-Hellman value of the session key factors $R = r_j \cdot R_i$, the session key
Figure BDA0002994609680000102
Figure BDA0002994609680000103
and the message authentication code
Figure BDA0002994609680000104
The server $S_j$ sends the login response information $\{R_j, MAC\}$ to the user $U_i$.
Step 8: After receiving the key negotiation information sent by the server, the mobile device performs key agreement authentication.
In step 8, the mobile device of the electric vehicle user calculates a session key and verifies the validity of the server message, which specifically includes the following:
After obtaining the information sent by the server to user $U_i$, the mobile device $MD_i$ locally calculates the session factor $R^* = r_i \cdot R_j$, the session key
Figure BDA0002994609680000105
and the message authentication code
Figure BDA0002994609680000106
Figure BDA0002994609680000107
and determines whether the locally computed $MAC^*$ equals the received MAC; if they are equal, authentication and session key negotiation are complete; otherwise, the key negotiation fails.
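The server key issuance of step 3, the $K$ / $K^*$ agreement and timestamp freshness test of steps 5 and 6, and the Diffie-Hellman value of steps 7 and 8, as an added Python example (not code from the patent). Assumptions: the curve is secp256k1, $h_1$ is SHA-256 reduced into $\{1,\ldots,q-1\}$, the server name and timestamps are constructed, the point-validity and future-timestamp checks are added hardening, and $K$ is computed with a plus sign, $r_i(Y_j + h_1(ID_j \| Y_j) P_{pub})$, the form that equals $K^* = d_j R_i$ when $d_j = y_j + s\,h_1(ID_j \| Y_j)$. $v_i$, $b_i$, sk and MAC are left out because their formulas are not reproduced on this page.

```python
import hashlib
import secrets

# Assumed curve: secp256k1. The page only requires an elliptic-curve additive
# group of prime order q with generator P.
p = 2**256 - 2**32 - 977
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    R, k = None, k % q
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def on_curve(A):
    return A is not None and (A[1] ** 2 - A[0] ** 3 - 7) % p == 0

def enc(A):
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def h1(*parts):
    """Assumed h1: SHA-256 over the concatenation, mapped into {1..q-1}."""
    digest = hashlib.sha256(b"".join(parts)).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1

def rand_scalar():
    return secrets.randbelow(q - 1) + 1

def kgc_setup():
    s = rand_scalar()                      # master private key s
    return s, mul(s, P)                    # P_pub = s*P

def kgc_register_server(s, id_j):
    y_j = rand_scalar()
    Y_j = mul(y_j, P)
    return (y_j + s * h1(id_j, enc(Y_j))) % q, Y_j   # (d_j, Y_j)

def client_login(id_j, Y_j, P_pub, now):
    # Only public values are used: K is reachable without knowing d_j.
    r_i = rand_scalar()
    K = mul(r_i, add(Y_j, mul(h1(id_j, enc(Y_j)), P_pub)))
    return r_i, K, {"R_i": mul(r_i, P), "T_i": now}

def server_check(d_j, msg, now, threshold):
    # Freshness: elapsed time must be within the threshold (future stamps refused).
    age = now - msg["T_i"]
    if age < 0 or age > threshold:
        return None
    if not on_curve(msg["R_i"]):           # added check: refuse invalid points
        return None
    r_j = rand_scalar()
    return {"K_star": mul(d_j, msg["R_i"]), "R_j": mul(r_j, P),
            "R": mul(r_j, msg["R_i"])}

def demo():
    s, P_pub = kgc_setup()
    id_j = b"charging-server-01"           # constructed server identity
    d_j, Y_j = kgc_register_server(s, id_j)
    r_i, K, msg = client_login(id_j, Y_j, P_pub, now=1000)
    ok = server_check(d_j, msg, now=1003, threshold=5)
    stale = server_check(d_j, msg, now=1100, threshold=5)
    return {"K": K, "K_star": ok["K_star"], "R": ok["R"],
            "R_star": mul(r_i, ok["R_j"]), "stale": stale,
            "wrong_key_K": mul(rand_scalar(), msg["R_i"])}
```

A party that does not hold $d_j$ ends up with a different $K^*$, which is why the page derives the blinding of the user's identity from this value.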
The invention also discloses a system based on the multi-service double-factor authentication method, which comprises a registrable center module, an information registration module, a mobile equipment module and a server module.
The registrable center module generates a main private key s and system parameters, stores the main private key, and sends the system parameters to the server module and the electric vehicle user;
the electric vehicle user sets registration request information through the information registration module and sends the processed registration request information to the registrable center module; the registrable center module calculates the user's asymmetric key information and user equipment information from this information and injects the user equipment information into the mobile equipment module corresponding to the electric vehicle, and the electric vehicle user also injects the random string $str_i$ into the mobile device corresponding to the electric vehicle;
the server module sets server registration information and sends the server registration information to the registrable center module, and the registrable center module calculates the asymmetric key information of the server module and sends the asymmetric key information to the server module after receiving the registration information of the server module sent by the server module; when a user logs in, the server module judges whether to log in or not according to the freshness of login information, and if the login is successful, the server module sends the calculated key negotiation information to the mobile equipment module;
the mobile equipment module carries out user identity authentication by inputting login information by a user, and sends login request information to the server module if the authentication is successful; if the user logs in successfully, the mobile equipment module receives the key negotiation information sent by the server module and uses the information to carry out key negotiation authentication.
Compared with the prior art, the method has the advantages that the method ensures the correctness and the high efficiency of mutual authentication, and can resist known attacks such as replay attack, user impersonation attack, server deception attack, mobile equipment loss attack, offline password attack and the like.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.
Figure BDA0002994609680000111
Figure BDA0002994609680000121
TABLE 1

Claims (11)

1. A multi-server double-factor authentication method suitable for a smart grid V2G network is characterized by comprising the following steps:
step 1: generating a main private key s and system parameters through a trusted registry KGC, storing the main private key, and sending the system parameters to a server and an electric vehicle user;
step 2: the electric vehicle user sets registration request information and sends the processed registration request information to the KGC; the KGC calculates the user asymmetric key information and user equipment information from this information and injects the user equipment information into the mobile device corresponding to the electric vehicle, and the electric vehicle user also injects the random string $str_i$ into the mobile device corresponding to the electric vehicle;
step 3: the server sets server registration information and sends it to the KGC; after receiving the server registration information, the KGC calculates the server asymmetric key information and sends it to the server;
step 4: the user inputs login information, the mobile device authenticates the user's identity using the login information entered, and if the authentication succeeds, step 5 is executed;
step 5: the mobile device sends login request information to the server; the server decides, according to the freshness of the login information input by the user, whether to proceed to step 6, and otherwise ends the current login operation;
step 6: the server judges whether the user can log in successfully; if so, step 7 is carried out, otherwise the current login operation is terminated;
step 7: the server sends the key negotiation information it has calculated to the mobile device;
step 8: after receiving the key negotiation information sent by the server, the mobile device performs key agreement authentication.
2. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 1, wherein:
in step 1, the system parameters comprise the elliptic curve additive cyclic group of the elliptic curve cryptosystem
Figure FDA0002994609670000014
the generator P of the group, the prime order q of the group, the system master public key $P_{pub}$, a hash function $h_1$ and a hash function $h_2$;
The system master private key is
Figure FDA0002994609670000011
The system master public key is $P_{pub} = s \cdot P$;
The hash function $h_1$ is $h_1$:
Figure FDA0002994609670000012
The hash function $h_2$ is $h_2: \{0,1\}^* \rightarrow \{0,1\}^l$;
where $l$ represents the security length of the hash map,
Figure FDA0002994609670000013
represents the integer set $\{1, 2, \ldots, q-1\}$, and $\{0,1\}^*$ represents a string of arbitrary length.
3. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 2, wherein:
the registration information in step 2 comprises personal identity information $ID_i$ and password $PW_i$;
The processed registration information includes personal identity information $ID_i$ and password blinding information $BPW_i$;
The user asymmetric key information comprises the user public key $X_i$ and the user private key $d_i$;
The user equipment information includes user equipment authentication information $\alpha_i$ and user equipment authentication information $\beta_i$;
The password blinding information is calculated as $BPW_i = h_1(str_i \| PW_i)$;
The user public key is $X_i = x_i \cdot P$;
The user private key is $d_i = x_i + s\,h_1(ID_i \| X_i) \bmod q$;
The user equipment authentication information is
Figure FDA0002994609670000021
The user equipment authentication information is $\beta_i = h_1(X_i \| d_i)$;
Wherein
Figure FDA0002994609670000022
the symbol "||" indicates string concatenation, and the symbol
Figure FDA0002994609670000023
represents an exclusive-or operation.
4. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 1 or 3, wherein:
in step 2, the mobile device corresponding to the electric vehicle is a convenient network-connectable device, including a smart card and a mobile phone.
5. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 4, wherein:
the information to be registered sent by the server in step 3 comprises the identity information $ID_j$ of the server;
The server asymmetric key information comprises the public key $Y_j$ and the private key $d_j$ of the server; the public key $Y_j$ and the private key $d_j$ are saved by the server.
The server public key is $Y_j = y_j \cdot P$;
The server private key is $d_j = y_j + s \cdot h_1(ID_j \| Y_j) \bmod q$;
where $y_j$ is a random number
Figure FDA0002994609670000024
6. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 5, wherein:
in step 4, the login information input by the user comprises identity information
Figure FDA0002994609670000031
and password information $PW_i^*$;
The user identity authentication performed by the mobile device comprises: calculating the user's public and private key information
Figure FDA0002994609670000032
and the user equipment authentication information
Figure FDA0002994609670000033
and comparing whether the calculated user equipment authentication information
Figure FDA0002994609670000034
equals the user equipment authentication information $\beta_i$ stored on the device;
the user public and private key information is calculated as:
Figure FDA0002994609670000035
the user equipment authentication information is calculated as:
Figure FDA0002994609670000036
7. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 6, wherein:
the login information in step 5 includes: the user-side session key factor $R_i$ calculated by the mobile device, the signature information $v_i$, the identity blinding information $b_i$, and a timestamp $T_i$, where the signature information $v_i$ is obtained based on the user's private key and the identity blinding information $b_i$ is obtained by encryption based on the server's public key;
the freshness of the login information is judged from the timestamp $T_i$: when the time elapsed between the timestamp $T_i$ of the login information and the server's receipt of the login information is less than or equal to the set threshold, the information is regarded as "fresh"; the threshold may depend on the network system;
the user-side session key factor is $R_i = r_i \cdot P$;
The signature information
Figure FDA0002994609670000037
The identity blinding information
Figure FDA0002994609670000038
where K is the authentication information for the server, $K = r_i (Y_j - h_1(ID_j \| Y_j) \cdot P_{pub})$, and $r_i$ is a random number
Figure FDA0002994609670000039
8. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 7, wherein:
in step 6, to judge whether the user logs in successfully, the server uses its private key $d_j$ to decrypt and calculate the user's real identity and public key information
Figure FDA00029946096700000310
and further uses the user's public key information to verify the validity of the signature information $v_i$;
the identity and public key information of the user are
Figure FDA00029946096700000311
where $K^*$ is the verification information $K^* = d_j \cdot R_i$;
The signature information is verified by checking whether the following equation holds:
Figure FDA0002994609670000041
where
Figure FDA0002994609670000042
is the user's identity information and
Figure FDA0002994609670000043
is the user's public key information.
9. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 8, wherein:
in step 7, the key agreement information of the server includes the server-side session key factor $R_j$, the session key sk and the message authentication code MAC: the authentication information of the server is embedded into the session key through a hash operation, the session key is embedded into the message authentication code MAC through a hash operation, and the server sends the server-side session key factor $R_j$ and the message authentication code MAC to the mobile device of the electric vehicle user;
the server-side session key factor is calculated as $R_j = r_j \cdot P$;
The session key is calculated as
Figure FDA0002994609670000044
where k is a security parameter and $r_j$ is a random number
Figure FDA0002994609670000045
R is the Diffie-Hellman value of the session factors, calculated as $R = r_j \cdot R_i$;
The message authentication code MAC is calculated as
Figure 1
10. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 9, wherein:
in step 8, the mobile device locally calculates the session factor $R^*$, the session key $sk^*$ and the message authentication code $MAC^*$; if the local message authentication code $MAC^*$ is consistent with the received message authentication code MAC, authentication and session key agreement are successfully completed; otherwise, the key agreement fails;
the locally computed session factor is $R^* = r_i \cdot R_j$;
The local session key is
Figure FDA0002994609670000048
The local message authentication code is
Figure FDA0002994609670000046
11. A system using the multi-service two-factor authentication method of any one of claims 1 to 10, comprising a registrable central module, an information registration module, a mobile device module, and a server module, characterized in that:
the registrable center module generates a main private key s and system parameters, stores the main private key, and sends the system parameters to the server module and the electric vehicle user;
the electric vehicle user sets registration request information through the information registration module and sends the processed registration request information to the registrable center module; the registrable center module calculates the user asymmetric key information and user equipment information from this information and injects the user equipment information into the mobile equipment module corresponding to the electric vehicle, and the electric vehicle user also injects the random string $str_i$ into the mobile device corresponding to the electric vehicle;
the server module sets server registration information and sends the server registration information to the registrable center module, and the registrable center module calculates the asymmetric key information of the server module and sends the asymmetric key information to the server module after receiving the registration information of the server module sent by the server module; when a user logs in, the server module judges whether to log in or not according to the freshness of login information, and if the login is successful, the server module sends the calculated key negotiation information to the mobile equipment module;
the mobile equipment module carries out user identity authentication by inputting login information by a user, and sends login request information to the server module if the authentication is successful; if the user logs in successfully, the mobile equipment module receives the key negotiation information sent by the server module and uses the information to carry out key negotiation authentication.
CN202110325774.1A 2021-03-26 2021-03-26 Multi-service double-factor authentication method and system suitable for V2G network Pending CN113055394A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210629
