CN113055394A - Multi-service double-factor authentication method and system suitable for V2G network - Google Patents
Multi-service double-factor authentication method and system suitable for V2G network Download PDFInfo
- Publication number
- CN113055394A CN113055394A CN202110325774.1A CN202110325774A CN113055394A CN 113055394 A CN113055394 A CN 113055394A CN 202110325774 A CN202110325774 A CN 202110325774A CN 113055394 A CN113055394 A CN 113055394A
- Authority
- CN
- China
- Prior art keywords
- information
- server
- user
- key
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 42
- 238000004364 calculation method Methods 0.000 claims description 13
- 125000004122 cyclic group Chemical group 0.000 claims description 3
- 238000012545 processing Methods 0.000 claims description 3
- 230000001419 dependent effect Effects 0.000 claims description 2
- 230000006855 networking Effects 0.000 claims description 2
- 238000012795 verification Methods 0.000 abstract description 4
- 230000006854 communication Effects 0.000 description 7
- 238000004891 communication Methods 0.000 description 7
- 230000008569 process Effects 0.000 description 5
- 238000010586 diagram Methods 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000007175 bidirectional communication Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000002347 injection Methods 0.000 description 1
- 239000007924 injection Substances 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 239000000243 solution Substances 0.000 description 1
- 239000002699 waste material Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Y—INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
- G16Y30/00—IoT infrastructure
- G16Y30/10—Security thereof
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Medical Informatics (AREA)
- General Health & Medical Sciences (AREA)
- Algebra (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Pure & Applied Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
A multi-server two-factor authentication method suitable for a smart grid V2G network comprises the following steps: 1) generating a main private key and system parameters through a trusted registry KGC; 2) generating user equipment authentication information and user equipment verification information; 3) generating a server private key and a public key; 4) user equipment authentication; 5) the mobile equipment sends login request information to the server; 6) the mobile equipment logs in the server after passing the server authentication; 7) the method comprises the steps that mobile equipment of an electric automobile user authenticates a server and performs key agreement with the server; 8) the mobile device of the electric automobile calculates the session key and verifies the validity of the server message. The invention ensures the correctness and the high efficiency of mutual authentication, and can resist known attacks such as replay attack, user masquerade attack, server deception attack, mobile equipment loss attack, offline password attack and the like.
Description
Technical Field
The invention belongs to the technical field of smart power grids V2G, and particularly relates to a multi-server double-factor authentication method and system based on identity.
Background
The rapid development of the industrial internet of things has great influence on the application of industries such as medical care, transportation and manufacturing, smart power grids and the like. In addition, the access of billions of internet-of-things devices (such as sensors, smart meters, aggregators, and the like) makes the smart grid one of the main drivers of the industrial internet of things. With the rapid development of global electric vehicles, the network mode from Vehicle to Grid (V2G) is regarded as an important component of smart Grid communication, and is receiving more and more attention from the industry and academia. The core idea of the V2G technology is to utilize electric vehicle stored energy as a buffer for the grid and renewable energy. The problems of low power grid efficiency and renewable energy source fluctuation can be solved, waste of redundant electric energy of the electric vehicle can be avoided, and benefits are created for electric vehicle users. Since V2G has a bidirectional communication flow between the electric vehicle and the smart grid, various security attacks are inevitably faced during the wireless internet of things communication. In order to ensure seamless communication between the electric vehicle and the smart grid, it is necessary to ensure privacy of the user and confidentiality of the transmitted data.
Anonymous authentication and key agreement protocols are important components of network secure communications. By implementing an anonymous authentication protocol, two participants can authenticate each other over a common channel and negotiate a temporary session key to enable secure communication in an open network. In an anonymous protocol based on traditional public key cryptographic authentication, two communication parties possess a pair of public and private keys: the system comprises a public key and a private key, wherein the private key is used for generating authentication information, and the public key is used for verifying the legality of the information. In order to solve the problem that certificate management is difficult in an anonymous authentication protocol based on a traditional public key password, scientific researchers propose the anonymous authentication protocol based on identity based on the idea of a public key. In the protocol, the identity (name, telephone number, e-mail address, etc.) of the user, namely the public key of the user, greatly reduces the complexity of storage and maintenance of system legal persons. Considering the high mobility and unpredictability of vehicles in the V2G network, the authentication method based on the group signature and the ring signature needs to form a user group relationship in advance, and needs to introduce a large amount of complex operation operations in signature calculation, so that the authentication method is difficult to adapt to the V2G network authentication with limited resources and unpredictable groups; the registration and authentication method based on the client-server requires the client to register for many times in servers of different regions or service types to obtain diversified services, and the method is also difficult to be applied to highly mobile V2G networks; some existing multi-server authentication methods for V2G networks do not provide two-factor secure authentication of passwords and smart cards.
Aiming at the situation, the invention designs a multi-server two-factor authentication method suitable for a smart grid V2G network. In the method, an authenticated user holds mobile equipment (such as a smart card) matched with a vehicle and can communicate with a server in a network, the user can interact with servers in different regions and different types by using the mobile equipment only by registering once in a trusted registration center so as to realize mutual authentication and key agreement, and a third party is not required to be introduced in the authentication process so as to finish the cross-region and cross-server identity mutual authentication.
Disclosure of Invention
In order to solve the defects in the prior art, the invention aims to provide a service which simplifies the operation that an authenticated vehicle of a mobile vehicle can be authenticated and key-negotiated with different regions and different types of servers without multiple registrations, and can access a plurality of servers on the premise of ensuring the privacy and information confidentiality of a user.
In order to solve the technical problems, the invention adopts the following technical scheme:
a multi-server double-factor authentication method suitable for a smart grid V2G network is characterized by comprising the following steps:
step 1: generating a main private key s and system parameters through a trusted registry KGC, storing the main private key, and sending the system parameters to a server and an electric vehicle user;
step 2: the electric automobile user sets registration request information, the registration request information after processing is sent to KGC, the KGC calculates user asymmetric secret key information and user equipment information according to the information, the user equipment information is injected into mobile equipment corresponding to the electric automobile, and the electric automobile user enables the random character string striThe data is also injected into the mobile equipment corresponding to the electric automobile;
and step 3: the server sets server registration information and sends the server registration information to the KGC, and the KGC calculates server asymmetric key information and sends the server asymmetric key information to the server after receiving the server registration information sent by the server;
and 4, step 4: the user inputs login information, the mobile equipment performs user identity authentication through the login information input by the user, and if the authentication is successful, the step 5 is executed;
and 5: the mobile equipment sends login request information to the server, the server judges whether to enter the step 6 according to the freshness of the login information input by the user, and if not, the current login operation is ended;
step 6: the server judges whether the user can successfully log in, if so, the step 7 is carried out, otherwise, the current login operation is terminated;
and 7: the server sends the key negotiation information calculated by the server to the mobile equipment;
and 8: and the mobile equipment performs key agreement authentication after receiving the key agreement information sent by the server.
The invention further comprises the following preferred embodiments:
in step 1, the system parameters comprise elliptic curve addition cyclic groups involved in an elliptic curve cryptosystemGroup generating element P, groupPrime order q, system master public key PpubAnd a hash function h1And a hash function h2;
The system master public key is Ppub=s·P;
Where l represents the security length of a hash map,an integer set representing {1, 2., q-1}, {0, 1}*Representing a string of arbitrary length.
The registration information in step 2 includes individual identification information IDiAnd password PWi;
The processed registration information includes personal identity information IDiAnd password blinding information BPWi;
The user asymmetric key information comprises a user public key XiUser private key di;
The user equipment information includes user equipment authentication information alphaiAuthentication information beta with user equipmenti;
The calculation method of the password blinding information is BPWi=h1(stri||PWi);
The user public key is Xi=xi·P;
The private key of the user is di=xi+sh1(IDi||Xi)mod q
User equipment authentication information of betai=h1(Xi||di);
And 2, the mobile equipment corresponding to the electric automobile is convenient and fast type networking equipment comprising an intelligent card and a mobile phone.
The information to be registered sent by the server in the step 3 comprises the identity information ID of the serverj;
The server asymmetric key information comprises a public key Y of the serverjWith a private key djSaid public key YjPublic and private key d of the serverjAnd the data is saved by the server.
The server public key is Yj=yj·P;
Server private key of dj=yj+s·h1(IDj||Yj)mod q;
Step 4, the login information input by the user comprises identity informationAnd password information
The mobile equipment performs user identity authentication and comprises the following steps: calculating the public and private key information of the userAuthenticating information with user equipmentAnd comparing user equipment authentication informationUser equipment authentication information beta stored with the deviceiWhether they are equal;
the calculation method of the public and private key information of the user comprises the following steps:
the method for calculating the authentication information of the user equipment comprises the following steps
The login information in step 5 includes: user-side session key factor R calculated by mobile equipmentiSignature information viIdentity blinding information biAnd a time stamp TiWherein the signature information viIdentity blinding information b obtained based on user private key of useriEncrypting the obtained public key based on the server;
freshness of login information according to time stamp TiMaking a judgment when the time stamp T of the login informationiWhen the time elapsed when the server receives the login information is less than or equal to the set threshold value, the server is regarded as 'fresh'; the threshold may be dependent on different network systems;
the user side session key factors are: ri=ri·P;
Wherein K is authentication information for the serverK=ri(Yj-h1(IDj||Yj)·Ppub),riIs a random number
In step 6, the server judges whether the user logs in successfully or not and decrypts the user by using the private key of the serverjCalculating the real identity and public key information of the userFurther utilizes the public key information of the user to verify the signature information viThe validity of (2);
The method for verifying the signature information is to verify whether the equation holds:
In step 7, the key negotiation information of the server includes a session key factor R of the serverjThe session key sk and the message authentication code MAC are used for embedding the authentication information of the server into the session key through Hash operation, embedding the session key into the message authentication code MAC through Hash operation, and enabling the server to use the session key factor R of the server sidejThe message authentication code MAC is sent to the mobile equipment of the electric vehicle user;
server-side session keyThe key factor is calculated by the formula Rj=rj·P;
Where k is a safety parameter, rjIs a random numberR is a Diffie-Hellman value of the session factor, and the calculation formula is R ═ Rj·Ri;
The mobile device locally calculates the session factor R in step 8*Session key sk*And message authentication code MAC*E.g. local message authentication code MAC*If the received message authentication code is consistent with the received message authentication code MAC, the authentication and the session key agreement are successfully completed, otherwise, the key agreement is failed;
locally computing a session factor R*=ri·Rj;
The invention also discloses a system based on the multi-service double-factor authentication method, which comprises a registrable center module, an information registration module, a mobile equipment module and a server module, and is characterized in that:
the registrable center module generates a main private key s and system parameters, stores the main private key, and sends the system parameters to the server module and the electric vehicle user;
electric automobile userThe registration request information is set through the information registration module, the processed registration request information is sent to the registrable center module, the registrable center module calculates the user asymmetric key information and the user equipment information according to the information, the user equipment information is injected into the mobile equipment module corresponding to the electric automobile, and the electric automobile user can use the random character string striThe data is also injected into the mobile equipment corresponding to the electric automobile;
the server module sets server registration information and sends the server registration information to the registrable center module, and the registrable center module calculates the asymmetric key information of the server module and sends the asymmetric key information to the server module after receiving the registration information of the server module sent by the server module; when a user logs in, the server module judges whether to log in or not according to the freshness of login information, and if the login is successful, the server module sends the calculated key negotiation information to the mobile equipment module;
the mobile equipment module carries out user identity authentication by inputting login information by a user, and sends login request information to the server module if the authentication is successful; if the user logs in successfully, the mobile equipment module receives the key negotiation information sent by the server module and uses the information to carry out key negotiation authentication.
Most of the existing authentication methods applied to a multi-server architecture need to introduce an online trusted third party in the authentication process to assist in realizing identity authentication and key agreement, or are difficult to resist known attacks such as replay attack, user masquerade attack, server spoofing attack, mobile device loss attack, offline password attack and the like.
According to the scheme, mutual authentication and key agreement between the user and different servers can be realized without introducing any online trusted third party; in addition, based on the problems of time stamps, random number blind factors and mathematical difficulties, the method can simultaneously resist known attacks such as replay attack, user masquerade attack, server spoofing attack, mobile equipment loss attack and offline password attack by only two-round communication, and meets the requirements of high security and low overhead of the mobile vehicle user on an authentication scheme.
Drawings
FIG. 1 is a schematic diagram illustrating a mutual authentication and key agreement process of a multi-server two-factor authentication method applicable to a V2G network according to the present invention;
FIG. 2 is a schematic diagram illustrating a registration process of a multi-server dual-factor authentication method applicable to a V2G network according to the present invention;
fig. 3 is a system diagram of multi-server two-factor authentication suitable for V2G network according to the present invention.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present application is not limited thereby.
The invention provides a double-factor verification method for multiple servers of a smart grid V2G, which comprises system initialization, user registration, server registration, mutual authentication and key agreement algorithm and offline password updating. The method comprises the following steps, and all the parameter meanings are shown in table 1 in detail.
The invention further comprises the following preferred embodiments:
step 1: and generating a main private key s and system parameters through a trusted registry KGC, storing the main private key, sending the system parameters to a server and an electric vehicle user, and disclosing the system parameters.
The system parameters comprise elliptic curve addition cycle group related to elliptic curve cryptosystemGroup generating element P, prime order q of group, and system master public key PpubAnd a hash function h1And a hash function h2。
It should be noted that the above setting of the system parameters is a preferred embodiment of the present invention, and it is clear to those skilled in the art that, in the setting of the system parameters in step 1, the disclosed system parameters are only one preferred embodiment, and there are other possibilities of combination of the system parameters.
In step 1, the trusted registry KGC generates a master private key and public system parameters, which specifically include the following:
Given a security parameter k, KGC selects two hash functionsAnd h2:{0,1}*→{0,1}lGenerating a system master private keyAnd calculates the system master public key PpubS.p, where l represents the security length of a hash map,an integer set representing {1, 2., q-1}, {0, 1}*Representing a string of arbitrary length.
Step 2: the electric automobile user sets registration information, the registration request information after processing and part of the registration information set by the user are sent to the KGC, the KGC calculates user asymmetric key information and user equipment information according to the information, the user equipment information is injected into mobile equipment corresponding to the electric automobile, and the electric automobile user enables the random character string striThe data is also injected into the mobile equipment corresponding to the electric automobile;
in step 2, the registration information includes a personal identification information IDiAnd password PWi(ii) a The processed registration information comprises password blinding information BPWi(ii) a The user asymmetric key information comprises a user public key XiUser private key di(ii) a The user equipment information includes user equipment authentication information alphaiAuthentication information beta with user equipmenti;
The generation of the user equipment authentication information and the user equipment verification information specifically includes the following contents:
user UiSetting personal identification information IDiAnd password PWiThen randomly selects a character string striComputing password blinding information BPWi=h1(stri||PWi);
User UiRegistration request information IDi,BPWiSending the data to a trusted center KGC;
after receiving the registration information, the trusted center KGC selects a random numberComputing a user public key Xi=xiP, user private Key di=xi+sh1(IDi||Xi) mod q, user equipment authentication information And user equipment authentication information betai=h1(Xi||di) Where the symbol "|" indicates string concatenation, symbolRepresenting an exclusive or operation;
trusted center KGC communicates information { alphai,βiSafety injection into user's mobile device, user UiIs named as MDiThe mobile device can be a convenient and fast network-connectable device such as a smart card and a mobile phone;
user UiFollowed by a random string striAlso injected into the mobile device MDiAnd storing the same.
And step 3: the server sets server registration information to be sent to the KGC, and the KGC calculates server asymmetric key information and sends the server asymmetric key information to the server after receiving the server registration information sent by the server.
In step 3, generating the server private key and the server public key specifically includes the following:
server S to be registeredjIdentify server information IDjSending the data to a trusted center KGC;
trusted center KGC receives server SjAfter registering the information, a random number is selectedComputing server's public key Yj=yjP, private key d of the serverj=yj+s·h1(IDj||Yj)mod q;
Trusted center KGC stores information dj,YjSending the security information to the server S through a security channelj;
And 4, step 4: the user inputs login information, the mobile equipment performs user identity authentication through the login information input by the user, and if the authentication is successful, the step 5 is executed;
step 4, the login information input by the user comprises identity informationAnd password information
The mobile equipment performs user identity authentication and comprises the following steps: calculating the public and private key information of the userAuthenticating information with user equipmentAnd comparing user equipment authentication informationUser equipment authentication information beta stored with the deviceiWhether or not equal.
In step 4, the user equipment authentication specifically includes the following:
user UiEntering identity information in memoryAnd passwordTo mobile device MDiPerforming the following steps;
mobile device MDiCalculating public and private key information of userAnd user equipment authentication informationDetermining calculated user equipment authentication informationUser equipment authentication information beta stored with deviceiWhether they are equal; if equal, MDiThe next steps will be performed, otherwise MDiThe session is rejected.
And 5: the mobile equipment sends login request information to the server, the server judges whether to enter the step 6 according to the freshness of the login information input by the user, and if not, the current login operation is ended;
the login information in step 5 includes: user-side session key factor R calculated by mobile equipmentiSignature information viIdentity blinding information biAnd a time stamp TiWherein the signature information viIdentity blinding information b obtained based on user private key of useriEncrypting the obtained public key based on the server;
the freshness of the login information is according to the timestamp TiMaking a judgment when the time stamp T of the login informationiWhen the time elapsed when the server receives the login information is less than or equal to the set threshold value, the server is regarded as newFresh "; the threshold may depend on different network systems.
In step 5, the mobile device sends login request information to the server, which specifically includes the following contents:
mobile device MDiSelecting a random numberComputing user-side session key factor Ri=riP, authentication information K ═ r for serveri(Yj-h1(IDj||Yj)·Ppub) Signing information And identity blinding informationWherein T isiRepresenting a current timestamp;
mobile device MDiInformation of login request { Ri,vi,bi,TiSending to the server Sj;
Server SjAfter receiving the information, the timestamp T is first verifiediWhether the session is fresh or not, if so, carrying out the next step, otherwise, terminating the current session;
step 6: the server judges whether the user can log in successfully or not, if so, the step 7 is carried out, otherwise, the current login operation is terminated.
In step 6, the server judges whether the user logs in successfully or not and decrypts the user by using the private key of the serverjCalculating the real identity and public key information of the userFurther utilizes the public key information of the user to verify the signature information viThe validity of (2).
In step 6, the mobile device login server specifically includes the following contents:
server SjCalculates its verification information K*=di·RiIdentity and public key information of a userThen verify the equation If yes, the server indicates that the user successfully logs in, and continues to execute the next session key negotiation process, otherwise, the current session is terminated;
and 7: and the server sends the key negotiation information calculated by the server to the mobile equipment.
In step 7, the key agreement information of the server includes a server session key factor RjThe session key sk and the message authentication code MAC are used for embedding the authentication information of the server into the session key through Hash operation, embedding the session key into the message authentication code MAC through Hash operation, and enabling the server to use the session key factor R of the server sidejAnd sending the message authentication code MAC to the mobile equipment of the electric automobile user.
In step 7, the key agreement between the mobile device of the electric vehicle user and the server specifically includes the following contents:
server SjSelecting a random numberComputing server-side session key factor Rj=rjDiffie-Hellman values R ═ R for P and session key factorsj·RiSession key And message authentication code
Server SjWill log in response information { RjMAC to user Ui;
And 8: and the mobile equipment performs key agreement authentication after receiving the key agreement information sent by the server.
In step 8, the mobile device of the electric vehicle user calculates a session key, and verifies the validity of the server message, which specifically includes the following contents:
mobile device MDiObtaining the U sent by the server to the useriAfter the information of (2), the session factor R is calculated locally*=ri·RjSession keyAnd message authentication code Determining locally computed MAC*Whether it is equal to the received MAC; if the two are equal, the authentication and the session key negotiation result is completed, otherwise, the key negotiation is failed.
The invention also discloses a system based on the multi-service double-factor authentication method, which comprises a registrable center module, an information registration module, a mobile equipment module and a server module.
The registrable center module generates a main private key s and system parameters, stores the main private key, and sends the system parameters to the server module and the electric vehicle user;
the user of the electric automobile sets registration request information through the information registration module, the processed registration request information is sent to the registrable center module, the registrable center module calculates the asymmetric key information and the user equipment information of the user according to the information, and the user equipment information is sent to the registrable center moduleUser equipment information is injected into the mobile equipment module corresponding to the electric automobile, and the electric automobile user can use the random character string striThe data is also injected into the mobile equipment corresponding to the electric automobile;
the server module sets server registration information and sends the server registration information to the registrable center module, and the registrable center module calculates the asymmetric key information of the server module and sends the asymmetric key information to the server module after receiving the registration information of the server module sent by the server module; when a user logs in, the server module judges whether to log in or not according to the freshness of login information, and if the login is successful, the server module sends the calculated key negotiation information to the mobile equipment module;
the mobile equipment module carries out user identity authentication by inputting login information by a user, and sends login request information to the server module if the authentication is successful; if the user logs in successfully, the mobile equipment module receives the key negotiation information sent by the server module and uses the information to carry out key negotiation authentication.
Compared with the prior art, the method has the advantages that the method ensures the correctness and the high efficiency of mutual authentication, and can resist known attacks such as replay attack, user impersonation attack, server deception attack, mobile equipment loss attack, offline password attack and the like.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.
TABLE 1
Claims (11)
1. A multi-server double-factor authentication method suitable for a smart grid V2G network is characterized by comprising the following steps:
step 1: generating a main private key s and system parameters through a trusted registry KGC, storing the main private key, and sending the system parameters to a server and an electric vehicle user;
step 2: the electric automobile user sets registration request information, the registration request information after processing is sent to KGC, the KGC calculates user asymmetric secret key information and user equipment information according to the information, the user equipment information is injected into mobile equipment corresponding to the electric automobile, and the electric automobile user enables the random character string striThe data is also injected into the mobile equipment corresponding to the electric automobile;
and step 3: the server sets server registration information and sends the server registration information to the KGC, and the KGC calculates server asymmetric key information and sends the server asymmetric key information to the server after receiving the server registration information sent by the server;
and 4, step 4: the user inputs login information, the mobile equipment performs user identity authentication through the login information input by the user, and if the authentication is successful, the step 5 is executed;
and 5: the mobile equipment sends login request information to the server, the server judges whether to enter the step 6 according to the freshness of the login information input by the user, and if not, the current login operation is ended;
step 6: the server judges whether the user can successfully log in, if so, the step 7 is carried out, otherwise, the current login operation is terminated;
and 7: the server sends the key negotiation information calculated by the server to the mobile equipment;
and 8: and the mobile equipment performs key agreement authentication after receiving the key agreement information sent by the server.
2. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 1, wherein:
in the step 1, the system parameters comprise elliptic curve addition cyclic groups related to an elliptic curve cryptosystemGroup generating element P, prime order q of group, and system master public key PpubAnd a hash function h1And a hash function h2;
The system master public key is Ppub=s·P;
3. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 2, wherein:
the registration information in step 2 comprises personal identity information IDiAnd password PWi;
The processed registration information includes personal identity information IDiAnd password blinding information BPWi;
The user asymmetric key information comprises a user public key XiPrivate key of userdi;
The user equipment information includes user equipment authentication information alphaiAuthentication information beta with user equipmenti;
The calculation method of the password blinding information is BPWi=h1(stri||PWi);
The user public key is Xi=xi·P;
The user private key is di=xi+sh1(IDi||Xi)mod q
The user equipment authentication information is betai=h1(Xi||di);
4. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 1 or 3, wherein:
and in the step 2, the mobile equipment corresponding to the electric automobile is convenient and fast type networking equipment and comprises an intelligent card and a mobile phone.
5. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 4, wherein:
the information to be registered sent by the server in the step 3 comprises the identity information ID of the serverj;
The server asymmetric key information comprises a public key Y of the serverjWith a private key djSaid public key YjPublic and private key d of the serverjAnd the data is saved by the server.
The server public key is Yj=yj·P;
The server private key is dj=yj+s·h1(IDj||Yj)mod q;
6. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 5, wherein:
step 4, the login information input by the user comprises identity informationAnd password information PWi *;
The mobile equipment performs user identity authentication and comprises the following steps: calculating the public and private key information of the userAuthenticating information with user equipmentAnd comparing user equipment authentication informationUser equipment authentication information beta stored with the deviceiWhether they are equal;
the calculation method of the user public and private key information comprises the following steps:
7. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 6, wherein:
the login information in step 5 includes: user-side session key factor R calculated by mobile equipmentiSignature information viIdentity blinding information biAnd a time stamp TiWherein the signature information viIdentity blinding information b obtained based on user private key of useriEncrypting the obtained public key based on the server;
the freshness of the login information is according to the timestamp TiMaking a judgment when the time stamp T of the login informationiWhen the time elapsed when the server receives the login information is less than or equal to the set threshold value, the server is regarded as 'fresh'; the threshold may be dependent on different network systems;
the user side session key factors are as follows: ri=ri·P;
8. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 7, wherein:
in the step 6, the server judges whether the user logs in successfully or not and decrypts the user by using the private key of the serverjCalculating the real identity and public key information of the userFurther utilizes the public key information of the user to verify the signature information viThe validity of (2);
The method for verifying the signature information is to verify whether an equation is established:
9. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 8, wherein:
in step 7, the key agreement information of the server includes a session key factor R of the serverjThe session key sk and the message authentication code MAC are used for embedding the authentication information of the server into the session key through Hash operation, embedding the session key into the message authentication code MAC through Hash operation, and enabling the server to use the session key factor R of the server sidejAndthe message authentication code MAC is sent to the mobile equipment of the electric automobile user;
the calculation formula of the server-side session key factor is Rj=rj·P;
Where k is a safety parameter, rjIs a random numberR is a Diffie-Hellman value of the session factor, and the calculation formula is R ═ Rj·Ri;
10. The multi-server two-factor authentication method applicable to the smart grid V2G network according to claim 9, wherein:
in said step 8, the mobile device locally calculates the session factor R*Session key sk*And message authentication code MAC*E.g. local message authentication code MAC*If the received message authentication code is consistent with the received message authentication code MAC, the authentication and the session key agreement are successfully completed, otherwise, the key agreement is failed;
the local computing session factor R*=ri·Rj;
11. A system using the multi-service two-factor authentication method of any one of claims 1 to 10, comprising a registrable central module, an information registration module, a mobile device module, and a server module, characterized in that:
the registrable center module generates a main private key s and system parameters, stores the main private key, and sends the system parameters to the server module and the electric vehicle user;
the user of the electric automobile sets registration request information through the information registration module and sends the processed registration request information to the registrable center module, the registrable center module calculates user asymmetric key information and user equipment information according to the information and injects the user equipment information into the mobile equipment module corresponding to the electric automobile, and the user of the electric automobile injects the random character string striThe data is also injected into the mobile equipment corresponding to the electric automobile;
the server module sets server registration information and sends the server registration information to the registrable center module, and the registrable center module calculates the asymmetric key information of the server module and sends the asymmetric key information to the server module after receiving the registration information of the server module sent by the server module; when a user logs in, the server module judges whether to log in or not according to the freshness of login information, and if the login is successful, the server module sends the calculated key negotiation information to the mobile equipment module;
the mobile equipment module carries out user identity authentication by inputting login information by a user, and sends login request information to the server module if the authentication is successful; if the user logs in successfully, the mobile equipment module receives the key negotiation information sent by the server module and uses the information to carry out key negotiation authentication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110325774.1A CN113055394A (en) | 2021-03-26 | 2021-03-26 | Multi-service double-factor authentication method and system suitable for V2G network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110325774.1A CN113055394A (en) | 2021-03-26 | 2021-03-26 | Multi-service double-factor authentication method and system suitable for V2G network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113055394A true CN113055394A (en) | 2021-06-29 |
Family
ID=76515419
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110325774.1A Pending CN113055394A (en) | 2021-03-26 | 2021-03-26 | Multi-service double-factor authentication method and system suitable for V2G network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113055394A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113242554A (en) * | 2021-07-12 | 2021-08-10 | 北京电信易通信息技术股份有限公司 | Mobile terminal authentication method and system based on certificate-free signature |
CN114142992A (en) * | 2021-12-10 | 2022-03-04 | 重庆邮电大学 | Double-factor anonymous authentication and key agreement method oriented to mining production scene |
CN115242435A (en) * | 2022-06-13 | 2022-10-25 | 中国电子科技集团公司第三十研究所 | Multi-factor authentication system and method with verifiable attribute |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103347021A (en) * | 2013-07-02 | 2013-10-09 | 华东师范大学 | Multi-server safety certification method based on passwords capable of being memorized by people |
CN105024994A (en) * | 2015-05-29 | 2015-11-04 | 西北工业大学 | Secure certificateless hybrid signcryption method without pairing |
US20180176222A1 (en) * | 2015-06-30 | 2018-06-21 | Raghav Bhaskar | User friendly two factor authentication |
CN108965338A (en) * | 2018-09-21 | 2018-12-07 | 杭州师范大学 | The method of three factor authentications and key agreement under environment of multi-server |
CN111865948A (en) * | 2020-07-09 | 2020-10-30 | 南阳理工学院 | Peer-to-peer cloud authentication and key agreement method, system and computer storage medium based on anonymous identity |
-
2021
- 2021-03-26 CN CN202110325774.1A patent/CN113055394A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103347021A (en) * | 2013-07-02 | 2013-10-09 | 华东师范大学 | Multi-server safety certification method based on passwords capable of being memorized by people |
CN105024994A (en) * | 2015-05-29 | 2015-11-04 | 西北工业大学 | Secure certificateless hybrid signcryption method without pairing |
US20180176222A1 (en) * | 2015-06-30 | 2018-06-21 | Raghav Bhaskar | User friendly two factor authentication |
CN108965338A (en) * | 2018-09-21 | 2018-12-07 | 杭州师范大学 | The method of three factor authentications and key agreement under environment of multi-server |
CN111865948A (en) * | 2020-07-09 | 2020-10-30 | 南阳理工学院 | Peer-to-peer cloud authentication and key agreement method, system and computer storage medium based on anonymous identity |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113242554A (en) * | 2021-07-12 | 2021-08-10 | 北京电信易通信息技术股份有限公司 | Mobile terminal authentication method and system based on certificate-free signature |
CN113242554B (en) * | 2021-07-12 | 2021-09-24 | 北京电信易通信息技术股份有限公司 | Mobile terminal authentication method and system based on certificate-free signature |
CN114142992A (en) * | 2021-12-10 | 2022-03-04 | 重庆邮电大学 | Double-factor anonymous authentication and key agreement method oriented to mining production scene |
CN115242435A (en) * | 2022-06-13 | 2022-10-25 | 中国电子科技集团公司第三十研究所 | Multi-factor authentication system and method with verifiable attribute |
CN115242435B (en) * | 2022-06-13 | 2023-05-26 | 中国电子科技集团公司第三十研究所 | Multi-factor authentication system and method with verifiable attribute |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111083131B (en) | Lightweight identity authentication method for power Internet of things sensing terminal | |
Bagga et al. | On the design of mutual authentication and key agreement protocol in internet of vehicles-enabled intelligent transportation system | |
CN106657124B (en) | Anonymous authentication and key agreement optimization authentication method and optimization authentication analysis method based on pseudonym for Internet of things | |
US8930704B2 (en) | Digital signature method and system | |
CN101902476B (en) | Method for authenticating identity of mobile peer-to-peer user | |
CN106341232B (en) | A kind of anonymous entity discrimination method based on password | |
CN105959269A (en) | ID-based authenticated dynamic group key agreement method | |
CN113055394A (en) | Multi-service double-factor authentication method and system suitable for V2G network | |
Jiang et al. | Two-factor authentication protocol using physical unclonable function for IoV | |
CN111416715B (en) | Quantum secret communication identity authentication system and method based on secret sharing | |
CN107294725A (en) | A kind of three factor authentication methods under environment of multi-server | |
CN110278088A (en) | A kind of SM2 collaboration endorsement method | |
WO2014069985A1 (en) | System and method for identity-based entity authentication for client-server communications | |
CN110020524A (en) | A kind of mutual authentication method based on smart card | |
CN113572765B (en) | Lightweight identity authentication key negotiation method for resource-limited terminal | |
CN108259486B (en) | End-to-end key exchange method based on certificate | |
CN111416712B (en) | Quantum secret communication identity authentication system and method based on multiple mobile devices | |
CN116388995A (en) | Lightweight smart grid authentication method based on PUF | |
CN116074019A (en) | Identity authentication method, system and medium between mobile client and server | |
CN115695007A (en) | Lightweight authentication key exchange method suitable for metachrosis electric power transaction | |
Ma et al. | A robust authentication scheme for remote diagnosis and maintenance in 5G V2N | |
Yongliang et al. | Elliptic curve cryptography based wireless authentication protocol | |
CN113411801A (en) | Mobile terminal authentication method based on identity signcryption | |
CN116599659B (en) | Certificate-free identity authentication and key negotiation method and system | |
CN113055161A (en) | Mobile terminal authentication method and system based on SM2 and SM9 digital signature algorithms |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210629 |
|
RJ01 | Rejection of invention patent application after publication |