CN113115307A - Two-factor identity authentication method oriented to smart home scene - Google Patents
Two-factor identity authentication method oriented to smart home scene Download PDFInfo
- Publication number
- CN113115307A CN113115307A CN202110386425.0A CN202110386425A CN113115307A CN 113115307 A CN113115307 A CN 113115307A CN 202110386425 A CN202110386425 A CN 202110386425A CN 113115307 A CN113115307 A CN 113115307A
- Authority
- CN
- China
- Prior art keywords
- user
- gateway
- information
- identity
- equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Algebra (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Pure & Applied Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a two-factor identity authentication method in an intelligent home scene, and belongs to the technical field of information security. The invention comprises the following steps: in the registration stage, a user calculates a random hash value by using a national secret algorithm, and a gateway calculates a secret value for the user according to the hash value; in the authentication and negotiation stage, a user transmits request information containing equipment identity identification to a gateway, after the gateway and the equipment pass verification, the equipment performs elliptic curve multiplication twice to generate a session key, and simultaneously, generated authentication information contains parameters generated by binding self secret values with random parameters through XOR operation; the equipment sends the ciphertext and the authentication information to the user through the gateway, and after the authentication is passed, the user obtains the session key and establishes a session with the equipment. The invention avoids the attack of the internal user to obtain the plaintext identity of the user, can effectively resist the node capture attack and the user counterfeit attack, ensures the correctness of the session key negotiated by each legal user and the equipment, and greatly reduces the consumption of the storage space.
Description
Technical Field
The invention belongs to the technical field of information security, relates to an identity information authentication method, and particularly relates to a two-factor identity authentication method under a wireless sensor network facing a single gateway.
Background
The intelligent Home (Smart Home) connects various devices in the Home such as audio and video devices, lighting systems, curtain control, air conditioner control, security systems, digital cinema systems, audio and video servers, video cabinet systems, network Home appliances and the like together through the Internet of things technology, and provides multiple functions and means such as Home appliance control, lighting control, telephone remote control, indoor and outdoor remote control, anti-theft alarm, environment monitoring, heating and ventilation control, infrared forwarding, programmable timing control and the like. Compared with the common home, the intelligent home has the traditional living function, integrates the functions of building, network communication, information household appliance and equipment automation, provides an all-around information interaction function, and even saves funds for various energy expenses. The smart home is a communication link built through a Wireless Sensor Network (WSNs) to intelligently control home equipment, so that intelligent beautiful life is realized. Furthermore, the intelligent home based on the Internet of things environment comprises a family user, a gateway and a large number of equipment nodes. The family user is mainly responsible for issuing instructions to the gateway and the equipment node according to the living needs of the family user; the gateway is used as an intermediate device of the wireless network and is mainly responsible for realizing the management of the home user and the device node and the required information exchange between the home user and the device node; the equipment nodes can cooperatively monitor the information covered by the home network area, and allow the home user to access the real-time data in the equipment nodes to acquire the state of the intelligent household equipment. The device nodes are typically low-power devices equipped with one or more sensors, memory, processors, radios, power supplies and actuators that may be deployed in any corner of the home as desired by the home user, but are limited in their memory and computing capabilities, and the resources that the device nodes can process and compute are limited. Under a common condition, data sensed by the equipment nodes are transmitted through a household wireless public network, so that the intelligent home under the wireless sensor network is easily attacked by various malicious users in the public network, the intelligent home equipment cannot normally function, and the life quality of people in the intelligent home environment is seriously influenced. Therefore, it is important to provide an identity authentication and key agreement protocol capable of ensuring the safe operation of the smart home environment to verify the legal identity of the user and encrypt the communication content.
Under the intelligent home environment, a complete two-factor identity authentication comprises 3 types of participants: one gateway, one to many home users, and a large number of device nodes. Considering that the computing resources and the storage resources of the device nodes are limited, the identity authentication and key agreement protocol should be lightweight, and meanwhile, the identity authentication and key agreement protocol can resist various known attacks and has ideal properties such as user anonymity and forward security.
The identity authentication process under the intelligent home environment comprises the following steps: in the registration stage, the home user and the equipment node are registered in the gateway to prepare for the subsequent authentication of the home user and the equipment node; in the login and authentication stage, a user wants to access data of a certain equipment node in real time, firstly, an access request is initiated to a gateway, then the gateway authenticates a registered home user, the authentication is passed, the gateway transmits the user request to the equipment node, and the equipment authenticates the gateway; after passing the authentication, the equipment node generates and sends data to the gateway, and the gateway authenticates the equipment node again; and after the authentication is passed, the gateway calculates and sends data to the home user, and finally the home user and the equipment node negotiate a consistent session key. After the authentication phase is over, the user and the device node will use the same session key for encrypting subsequent communications.
Under the intelligent home environment, the existing password-based two-factor remote user identity authentication protocol generally has serious security problems and storage problems: 1) off-line password guessing attacks based on smart cards or mobile devices cannot be resisted. Most authentication protocols have previously been based on the basic assumption that a smart card or mobile device is tamper resistant, i.e. data in the smart card or mobile device is not available to attackers. However, with the development of various attack analysis technologies, it has become a recognized fact that attackers can acquire data in smart cards or mobile devices. Most of the previous protocols are no longer valid under this new assumption. Further in an offline password guessing attack, after an attacker has acquired data in the smart card or mobile device, the user can successfully guess the correct password offline. 2) Off-line password guessing attacks based on the open channel cannot be resisted. The attacker checks the correctness of the guessed password by using the traditional method of guessing the password and further using the parameters which are transmitted by the legal user and the equipment node through the public channel and contain the user password when negotiating the session key, thereby obtaining the password of the user. 3) And (4) anonymous registration. In most of the existing related identity authentication protocols, a legal user needs to submit an identity ID to a registration center, so that identity privacy information of the user is very easy to be acquired by an internal attacker. 4) Forward security issues. The forward security can ensure that even if the system is broken, the former communication content can not be acquired by an attacker, the loss of the broken system can be greatly reduced, and the forward security is an important security attribute in a high-security requirement environment. Such as the recently promulgated TLS1.3 standard and WPA3 standard, require that the user authentication protocol achieve forward security. However, most of the current smart home-oriented user identity authentication protocols cannot effectively meet the security requirement. 5) The internal user counterfeiting attack cannot be effectively resisted. After negotiating a session key with a node, an internal legal user is further converted into an attacker, parameters transmitted to the equipment node by a next user are intercepted through a public channel, and the node is counterfeited and is negotiated with the next legal user to calculate the session key, so that the next user negotiates the session key with the attacker instead of the node. 6) The node capture attack cannot be effectively resisted. Once the key secret parameters are decomposed by an attacker, the key negotiated by the legal user and the decomposed node is completely recovered. 7) Usually, after a large number of users successfully register with the gateway, the gateway needs to store the identity IDs of the large number of users and the related authentication parameters, which is very easy to consume the limited storage space of the gateway. Therefore, in the present day when WSNs are widely applied to high security requirement scenarios, it is necessary to design a two-factor identity authentication method that can solve the above 6 security problems and 1 storage problem.
Disclosure of Invention
The invention provides a two-factor identity authentication method oriented to an intelligent home scene, aiming at solving the problems of safety and storage commonly existing in the two-factor identity authentication in the current intelligent home environment.
The invention provides a two-factor identity authentication method oriented to an intelligent household scene, which comprises the following steps:
step 2, registering equipment nodes and users;
the device node registration comprises: device node SkIdentify the SIDkTransmitted to the gateway through a safety channel, the gateway is SkCalculating a secret value kGS=h(SIDk| x), and sends kGSAnd h (GID | | x) to the device Sk(ii) a Device node SkStoring the secret value k locallyGSAnd a gateway secret value h (GID | | x);
the user registration includes: user UiInput identity IDiAnd password PWiSelecting a random number r, and calculating a hash value HPWi=h(IDi||PWi)mod n0And informationUser UiInformation A0Sending the data to the gateway through a safety channel; the gateway is a user UiCalculating a secret value kGU=h(A0| x), computing informationThen the information A is processed1The SUM is stored in the smart card and sent to the user Ui(ii) a SUM is the number of times that the user tries to verify, and the initial value is 0; user UiAfter receiving the smart card, calculatingCalculating information A2=h(IDi||HPWi||kGU)mod n0Is updated again Smart card storage A1,A2,SUM;n0Is a large prime number of 256 bits;
step 3, the user inputs the identity and the password to the smart card, and the smart card verifies whether the user is a legal user; when the user logs in successfully, according to the equipment node S to be accessedkIdentity SID ofkComputing the request information DIDi,A4,M1,V1Sending the data to a gateway;
first, the smart card selects a random number a, r1,r′1∈[1,n-1]Calculating A4=r1·P,W=r1·X;
Calculating an intermediate parameter V1=h(h(r1||a)||r′1||M1||A4||SIDk) (ii) a n is a recommended value of the SM2 elliptic curve parameter;
step 4, the authentication and key agreement stage includes the following 4 stages:
(1) the gateway calculates and recovers by using x and h (GID | | | x) after receiving the request informationComputing(ii) a If it isAnd V1Equality, the gateway computes the symmetric key kGS=h(SIDk| x), a random number r is selected2∈[1,n-1]Using the SM4 algorithm for h (r)1||a)||GID||A4||r2Encryption generates SM4 ciphertext M2And calculates the information V2=h(SIDk||h(r1||a)||GID||kGS||A4||r2) (ii) a Gateway sends information M2,V2To the device Sk;
(2) Device SkReceiving information M2,V2Then, using the stored kGSDecrypting M2And calculateIf it isAnd V2Equal; device SkSelecting a random number r3Calculating intermediate data A5=r3·P,A6=r3·A4Calculating a session key SK with the user and intermediate data M for authentication3,N3,V3,Y3(ii) a Device sending information M3,N3,V3,Y3To the gateway; SK-h (h (r)1||a)||GID||SIDk||A6);V3=h(A5||h(SK||r2)||kGS));
(3) Gateway receives information M3,N3,V3,Y3Then, the self-stored h (GID | | x) is utilized to calculate the equipment identityAnd recovering the keyCalculating the parametersComparison ofAnd V3If they are equal, the gateway will x.A4As a symmetric key, the SM4 algorithm is used for A5Encrypting to generate ciphertext M4And calculates authentication information V4=h(h(SK||A5)||x·A4) Wherein the secret valueGateway sends information M4,V4Sending the data to a user;
(4) the user is receiving the information M4,V4Thereafter, the ciphertext M is decrypted using the data W calculated at login4RecoveryAnd recovering the informationComparison ofAnd V4If the two are equal, the user receiving equipment node SkShared session key SK, and device node SkA session is established.
Compared with the prior art, the invention has the advantages and positive effects that:
(1) on the user noteIn the registration stage, the plaintext identity is not required to be uploaded to the gateway, and only the random hash value A containing the user identity is used0To the gateway, which cannot directly follow A0The plaintext identity of the user is obtained, so that anonymous registration of a legal user is realized, and the plaintext identity of the user is obtained by internal user attack;
(2) in the authentication and key agreement stage, the equipment node adopts two times of elliptic curve multiplication to generate a session key SK which is the same as a legal user, and an attacker can further obtain a W value of the user and decrypt M even if the attacker has a long-term key and/or a secret value of the gateway4To obtain A5And yet further can intercept A4However, due to the elliptic curve computational Diffie-Hellman problem, an attacker still cannot recover the session key generated by the previous device node; therefore, the invention can effectively solve the problem of forward security;
(3) in the authentication and key agreement stage, the equipment node adopts two times of elliptic curve multiplication to generate a session key SK which is the same as a legal user, and even if an attacker has a secret value k of the equipment nodeGSFurther attackers may intercept A4Further by intercepted N3To obtain A5However, due to the elliptic curve computational Diffie-Hellman puzzle, an attacker still cannot compute A6Furthermore, the session key generated by the previous equipment node cannot be recovered, so that the node capture attack is effectively resisted;
(4) in the authentication and key agreement phase, the device node uses its own secret value kGSBound simultaneously to random data A5,r2Generating intermediate data Y3And the legal user does not have r2Cannot be unilateral from Y3To the secret value k of the device nodeGSFurther, the parameters related to the session key of the next legal user in the public channel cannot be recovered, and the node cannot be counterfeited to calculate the correct session key for the next legal user; therefore, the method of the invention can resist the user counterfeit attack and ensure the correctness of the session key negotiated by each legal user and the equipment node;
(5) the gateway only needs to store the relevant parameters of the gateway without storing a large number of identity IDs (identity) and relevant password verification table items of registered users, thereby greatly reducing the consumption of storage space and simultaneously realizing the effective verification of the legal identities of the users.
Drawings
FIG. 1 is a schematic overall flow chart of the two-factor identity authentication method of the present invention;
FIG. 2 is a flow chart of an implementation of the two-factor identity authentication method of the present invention in the registration phase;
fig. 3 is a flow chart of the implementation of the login and session key agreement process in the two-factor identity authentication method of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
In an intelligent home scene, the limited computing power of equipment nodes and various safety problems which emerge endlessly are main problems to be solved by a two-factor identity authentication method. In order to design a technical scheme capable of solving the six safety problems and one storage problem, the invention considers the following implementation technologies:
1) when a legal user registers in the gateway, only the identity and the password of the user are needed to be applied to the modular operation, and the result is stored in the intelligent card. The periodicity of the modular operation directly causes that an attacker cannot effectively guess the password of the user, thereby avoiding the attack guessing based on the offline password of the smart card or the mobile equipment; the legal user is equal to the family user;
2) when a legal user negotiates a session key with the equipment node, the secure SM4 cryptographic algorithm and the elliptic curve multiplication operation recommended by the SM2 cryptographic algorithm are correctly used, and the identity and password information related to the user are embedded into the message in the public channel. Therefore, an attacker cannot effectively crack a safe national cryptographic algorithm, cannot effectively solve the problem of discrete logarithm difficulty, and further cannot check the correctness of the guessed password by using the parameters in the public channel so as to resist the off-line password guessing attack based on the public channel;
3) when a legal user registers in the gateway, only the random hash value containing the user identity is transmitted to the gateway. The gateway can not obtain the effective plaintext identity of the legal user, so that the anonymous registration of the legal user is realized;
4) based on the elliptic curve computational Diffie-Hellman problem, the equipment node generates the session key the same as that of the legal user by adopting twice elliptic curve multiplication operations. Even if an attacker has a long-term key or a secret value of a gateway or both the long-term key and the secret value, the attacker cannot effectively break through the computational Diffie-Hellman problem of the elliptic curve and further cannot recover the session key generated by the previous equipment node, so that the problem of forward security is effectively solved;
5) after the device node negotiates the session key, the device node binds the secret value of the device node to the parameter containing the session key sent to the gateway and the parameter about the session key sent to the user by the gateway. Therefore, the legal user cannot unilaterally send the parameters containing the session key from the device node to the gateway, and the secret value of the device node is taken from the parameters about the session key sent by the gateway to the user, so that the parameters related to the session key in the public channel cannot be further recovered, the node cannot be counterfeited to calculate the correct session key for the next legal user, and further the authentication of the gateway cannot be passed.
6) Based on the elliptic curve computational Diffie-Hellman problem, the equipment node generates the session key the same as that of the legal user by adopting twice elliptic curve multiplication operations. Even if an attacker has the secret value of the equipment node, the attacker cannot effectively break through the elliptic curve computational Diffie-Hellman problem and further cannot recover the session key generated by the equipment node, so that the node capture attack is effectively resisted.
7) After the user successfully registers in the gateway, the gateway only needs to store the self long-term key x and the secret value h (GID | | | x), and does not additionally store a large number of Identities (IDs) of registered users and related verification table entries for verifying the user password.
In addition, in order to adapt to the smart home scene, the method has the flexible characteristic that the equipment nodes are added at any time according to needs, the method supports the function of dynamic addition of the equipment nodes, newly purchased equipment nodes only need to be simply registered with the gateway, and after the gateway broadcasts the identity of the new equipment nodes, the new equipment nodes can negotiate the secret key with the home user. Meanwhile, in order to embody user friendliness, the method of the invention also supports user password updating.
As shown in fig. 1 and 2, the two-factor identity authentication method oriented to the smart home scene specifically includes 6 steps, which are respectively: system initialization, equipment node and user registration, user login, authentication and key agreement, password updating and dynamic node addition. The symbols used in the following description of the steps and their meanings are shown in Table 1.
TABLE 1 symbol definitions
Based on SM2 algorithm standard issued by the State crypto administration, gateway GWN selects elliptic curve E (F) with prime number domain of 256 bitsq),FqDenotes the prime number field, q is 256, in E (F)q) The upper selection base point P (P ≠ 0), and the long-term secret (private) key x ∈ FqAnd selecting a unique identity GID, calculating a secret value h (GID | | X) and a public key X ═ x.P, and finally saving { X, h (GID | | X) } by the gateway and disclosing the identity GID and the public key X.
In addition, the gateway also needs to be a node S for each devicekSelecting unique identification SIDkStoring it in the device node SkAnd deploy the device nodes to target areas of rooms in the home.
And 2, registering each equipment node and the user.
Step 2.1, device node SkThe registration stage (2) comprises the following R11-R13:
R11:SIDki.e. the device node SkIdentify the SIDkAnd transmitting the information to a gateway GWN through a safety channel.
R12:{h(GID||x),kGSGWN is a device node SkCalculating a secret value kGS=h(SIDk| x), and the secret values h (GID | | x) and k are transmitted through the secure channelGSTo the device node Sk。
R13:SkStorage kGSH (GID | | x) to a secure storage unit.
Step 2.2, user UiThe registration stage (2) comprises the following R21-R23:
R21:A0user UiA to be calculated0And transmitting the information to a gateway GWN through a safety channel.
User UiInput (ID)i,PWi) Computing a secret value h (ID)i||PWi) And a random number r is selected and then calculated as follows:
first computing a hash value HPWi=h(IDi||PWi)mod n0,n0Is 1 to 2 of 256 bits256A large prime number in between;
HPW hash valueiExclusive or with a random number r to obtainInformation A0A string of 256 bits 0 and 1.
R22:A smart card. Gateway GWN stores A calculated as user1The SUM value is sent to the user U by the smart cardi。
GWN receives user UiSent information A0First, user UiCalculating a secret value kGU=h(A0| x), then calculate the dataGWN then sets the parameter A1The SUM is stored in the smart card and sends the smart card to the user Ui. SUM refers to the number of times the user is allowed to attempt authentication, and in the embodiment of the present invention, a maximum value of 3 is set, and an initial value is 0.
R23: after the user receives the smart card, the secret value A is updated1The following are:
A2=h(IDi||HPWi||kGU)mod n0;
Finally, the smart card stores<A1,A2,SUM>。
The periodicity of the modulo operation directly results in that an attacker cannot effectively guess the user's password, thereby avoiding off-line password guessing attacks based on smart cards or mobile devices.
Step 3, logging in by the user, wherein the logging in comprises the following steps of L1-L3:
l1: user UiEnter a user name and passwordIn the smart card, the smart card verifies the input user identity, and firstly calculates:then, compare A2 *And A2If equal, if A2 *=A2If the user identity authentication is passed, the step L2 is carried out continuously; otherwise, the SUM value is automatically increased by 1, and the user tries to input another value againAnd performing identity authentication. If the SUM value exceeds the preset maximum value, terminating the session, and freezing the user account until UiAnd (6) re-registering.
L2: smart card selecting random number a, r1,r′1∈[1,n-1]N is the recommended value of the elliptic curve parameter of the SM2 algorithm, and intermediate data A is calculated4=r1·P,W=r1X, then select the device node S to accesskIdentity SID ofkAnd further calculating:
V1=h(h(r1||a)||r′1||M1||A4||SIDk)
wherein, DIDi、M1、V1Are all intermediate parameters. DIDi,A4,M1,V1For negotiating a session key with the device node.
L3:Ui→GWN:{DIDi,A4,M1,V1The user will request the information DIDi,A4,M1,V1And sending the data to the gateway.
Step 4, authentication and key agreement stage, including V1-V10:
v1: gateway receives user UiThe request information of (2) is calculated as follows by using the secret value x, h (GID | | x) stored in itself:
wherein, the gateway passes the information DID sent by the useri、A4、M1Is recovered toAnd then calculate out The proxy is a random number recovered (or calculated) by the gateway. Then compareAnd V1If yes, indicating that the request information authentication is passed, and continuing to step V2; otherwise, the session is terminated.
V2: GWN selection random number r2∈[1,n-1]Calculating kGS=h(SIDk| x), and k is addedGSAs symmetric key, the SM4 algorithm pair h (r) is used1||a)||GID||A4||r2Encrypt and generate SM4 ciphertext Further calculating authentication information V2=h(SIDk||h(r1||a)||GID||kGS||A4||r2)。
V3:GWN→Sk:{M2,V2The gateway sends the information M2,V2To the device Sk。
V4:SkUsing k of the previously registered storeGSDecrypting M2RecoveryAnd calculate Further comparisonAnd V2If yes, it indicates that the received information authentication is passed and the information recovered by the device is correct, and the process continues to step V5; otherwise, the session is terminated.
V5:SkSelecting a random number r3Then, calculate:
A5=r3·P,A6=r3·A4and U isiIs equal to h (r)1||a)||GID||SIDk||A6) And an
V6:Sk→GWN:{M3,N3,V3,Y3}, device SkSending information M3,N3,V3,Y3To the gateway.
V7: GWN calculates the secret value h (GID | x) stored by itselfCalculating parameters for recoveryThen compareAnd V3If yes, continue to step V8; otherwise, the session is terminated.
When in useAnd V3Equal, the received information of the representative gateway passes the authentication, the gateway calculates the recovered information to be correct,
v8: GWN calculationAnd x.A4As symmetric key, useSM4 Algorithm pair A5Encrypt and generate SM4 ciphertextFurther calculate V4=h(h(SK||A5)||x·A4)。
V9:GWN→Ui:{M4,V4The gateway sends the information M4,V4Sent to user Ui。
further comparisonAnd V4If equal, the receiving device node SkShared session key SK, user and device node SkAnd establishing a session to finish the user identity authentication. Otherwise, the session key generated by the device node is not accepted.
In addition, in order to adapt to the flexible characteristic that the equipment nodes are added at any time according to needs in the intelligent household scene, the method supports the function of dynamic addition of the equipment nodes, newly purchased equipment nodes only need to be simply registered with the gateway, and after the gateway broadcasts the identity of the new equipment nodes, the new equipment nodes can negotiate the secret key with the household user. Meanwhile, in order to embody user friendliness, the method supports user password updating.
And 5: and a password updating phase. User UiCan be locally carried out according to the following steps of U1-U2The new password:
u1: user UiInput deviceTo smart cards, smart card computing Then compare A2 *And A2If equal, continue to step U2; otherwise, the session is terminated.
U2: the smart card accepts the request according to the new password enteredCalculating new parameters:
Step 6: the device nodes are dynamically increased.
In order to meet the requirements of intelligent household life quality, the increase of dynamic equipment nodes is undoubtedly necessary, and a new equipment node S is adoptedtWant to add to the existing household life, StOnly a registration request needs to be initiated to the gateway as in step 2.1. StAfter successful registration, GWN broadcasts StIdentity SID oftTo let other family users know StIdentity SID oft。
Claims (7)
1. A two-factor identity authentication method oriented to an intelligent household scene is characterized by comprising the following steps:
step 1, a gateway selects a secret key X and a base point P, calculates a public key X, and calculates a gateway secret value h (GID | X) by using a national secret algorithm h (·); the GID is the identity of the gateway; the gateway stores X and h (GID | | X) and discloses GID and X;
step 2, registering equipment nodes and users;
when the equipment node is registered, the secret value k calculated for the equipment at the local storage gatewayGSAnd a secret value h (GID | | x) of the gateway;
the user registration includes: user UiInput identity IDiAnd password PWiSelecting a random number r, and calculating a hash value HPWi=h(IDi||PWi)mod n0And informationUser UiInformation A0Sending the data to the gateway through a safety channel; the gateway is a user UiCalculating a secret value kGU=h(A0| x), computing informationThen the information A is processed1The SUM is stored in the smart card and sent to the user Ui(ii) a SUM is the number of times that the user tries to verify, and the initial value is 0; user UiAfter receiving the smart card, calculatingCalculating information A2=h(IDi||HPWi||kGU)mod n0Is updated again Smart card storage A1,A2,SUM;n0Is a large prime number of 256 bits;
step 3, the user inputs the identity and the password to the smart card, and the smart card verifies whether the user is a legal user; when the user logs in successfully, according to the equipment node S to be accessedkIdentity SID ofkComputing the request information DIDi,A4,M1,V1Sending the data to a gateway;
wherein the smart card selects the random number a, r1,r′1∈[1,n-1]Calculating intermediate data A4=r1·P,W=r1X, calculating intermediate dataV1=h(h(r1||a)||r′1||M1||A4||SIDk) (ii) a n is a recommended value of the SM2 elliptic curve parameter;
step 4, the authentication and key agreement stage includes:
(1) the gateway calculates and recovers by using x and h (GID | | | x) after receiving the request informationComputingIf it isAnd V1Equality, the gateway computes the symmetric key kGS=h(SIDk| x), a random number r is selected2∈[1,n-1]Using the SM4 algorithm for h (r)1||a)||GID||A4||r2Encryption generates SM4 ciphertext M2And calculates the information V2=h(SIDk||h(r1||a)||GID||kGS||A4||r2) (ii) a Gateway sends information M2,V2To the device Sk;
(2) Device SkReceive toInformation M2,V2Then, using the stored kGSDecrypting M2And calculateIf it isAnd V2Equal; device SkSelecting a random number r3Calculating intermediate data A5=r3·P,A6=r3·A4Calculating a session key SK with the user and intermediate data M for authentication3,N3,V3,Y3(ii) a Device sending information M3,N3,V3,Y3To the gateway; SK-h (h (r)1||a)||GID||SIDk||A6);V3=h(A5||h(SK||r2)||kGS));
(3) Gateway receives information M3,N3,V3,Y3Then, the self-stored h (GID | | x) is utilized to calculate the equipment identityAnd recovering the secret keyCalculating parametersComparisonAnd V3If the two phases are in phaseEtc. the gateway will x.A4As a symmetric key, the SM4 algorithm is used for A5Encrypting to generate ciphertext M4And calculates authentication information V4=h(h(SK||A5)||x·A4) Wherein the secret valueGateway sends information M4,V4Sending the data to a user;
(4) the user is receiving the information M4,V4Thereafter, the ciphertext M is decrypted using the data W calculated at login4RecoveryAnd recovering informationComparisonAnd V4If the two are equal, the user receiving equipment node SkShared session key SK, and device node SkA session is established.
2. The method according to claim 1, wherein in step 1, the gateway selects an elliptic curve with a prime number field of 256 bits, and selects a base point P on the curve, where P ≠ 0; the public key X is X · P.
3. The method according to claim 1, wherein in step 3, the smart card verifies the inputted user identity by: entering a user identityAnd passwordComputing hash valuesAnd a secret valueThen compare A2 *And A2Whether the identity is equal or not, if so, the identity authentication is passed, and the user login is successful; otherwise, let the user re-inputAnd PWi *Carrying out verification; and if the verification times exceed the set SUM maximum value, terminating the session and freezing the user account.
7. The method of claim 1, wherein the method performs the following operations when the user performs password update:
firstly, a user inputs an identity and a password to a smart card, and the smart card verifies whether the user is a legal user;
after the verification is passed, the smart card receives a password updating request of a user, and calculates new parameters according to an input new password as follows:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110386425.0A CN113115307B (en) | 2021-04-12 | 2021-04-12 | Two-factor identity authentication method oriented to smart home scene |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110386425.0A CN113115307B (en) | 2021-04-12 | 2021-04-12 | Two-factor identity authentication method oriented to smart home scene |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113115307A true CN113115307A (en) | 2021-07-13 |
CN113115307B CN113115307B (en) | 2021-10-26 |
Family
ID=76715704
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110386425.0A Active CN113115307B (en) | 2021-04-12 | 2021-04-12 | Two-factor identity authentication method oriented to smart home scene |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113115307B (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114338071A (en) * | 2021-10-28 | 2022-04-12 | 中能电力科技开发有限公司 | Network security identity authentication method based on wind power plant communication |
CN114401514A (en) * | 2022-03-25 | 2022-04-26 | 北京邮电大学 | Multi-factor identity authentication method facing wireless body area network and related equipment |
CN114499854A (en) * | 2022-02-17 | 2022-05-13 | 北京邮电大学 | Identity authentication method and system based on wireless sensor network and electronic equipment |
CN114553413A (en) * | 2022-02-28 | 2022-05-27 | 西安电子科技大学 | Access authentication and key derivation method and system for biological identification identity authentication |
CN114710348A (en) * | 2022-03-31 | 2022-07-05 | 湖北工业大学 | Authorization authentication and key agreement method for user to use household intelligent equipment |
CN114826574A (en) * | 2022-04-19 | 2022-07-29 | 中国电子科技集团公司第三十研究所 | Intelligent household safety communication system and communication method |
CN115297442A (en) * | 2022-08-03 | 2022-11-04 | 中国电信股份有限公司 | Relay communication connection establishment method, storage medium, and electronic device |
WO2024060696A1 (en) * | 2022-09-20 | 2024-03-28 | 贵州电网有限责任公司 | Tee-based smart home remote control method and related apparatus |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107733657A (en) * | 2017-10-24 | 2018-02-23 | 沈阳师范大学 | A kind of high in the clouds is based on PTPM and without CertPubKey signature double factor authentication method |
CN110022559A (en) * | 2018-01-09 | 2019-07-16 | 中国人民解放军陆军航空兵学院 | A kind of network user authentication method |
CN110234111A (en) * | 2019-06-10 | 2019-09-13 | 北京航空航天大学 | A kind of two-factor authentication key agreement protocol suitable for multiple gateway wireless sensor network |
US20200127991A1 (en) * | 2013-09-10 | 2020-04-23 | Network-1 Technologies, Inc. | Network supporting two-factor authentication for modules with embedded universal integrated circuit cards |
CN111818039A (en) * | 2020-07-03 | 2020-10-23 | 西安电子科技大学 | Three-factor anonymous user authentication protocol method based on PUF in Internet of things |
-
2021
- 2021-04-12 CN CN202110386425.0A patent/CN113115307B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200127991A1 (en) * | 2013-09-10 | 2020-04-23 | Network-1 Technologies, Inc. | Network supporting two-factor authentication for modules with embedded universal integrated circuit cards |
CN107733657A (en) * | 2017-10-24 | 2018-02-23 | 沈阳师范大学 | A kind of high in the clouds is based on PTPM and without CertPubKey signature double factor authentication method |
CN110022559A (en) * | 2018-01-09 | 2019-07-16 | 中国人民解放军陆军航空兵学院 | A kind of network user authentication method |
CN110234111A (en) * | 2019-06-10 | 2019-09-13 | 北京航空航天大学 | A kind of two-factor authentication key agreement protocol suitable for multiple gateway wireless sensor network |
CN111818039A (en) * | 2020-07-03 | 2020-10-23 | 西安电子科技大学 | Three-factor anonymous user authentication protocol method based on PUF in Internet of things |
Non-Patent Citations (2)
Title |
---|
DING WANG ET AL.: "Measuring Two-Factor Authentication Schemes for Real-Time Data Access in Industrial Wireless Sensor Networks", 《IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS》 * |
王晨宇等: "面向多网关的无线传感器网络多因素认证协议", 《计算机学报》 * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114338071A (en) * | 2021-10-28 | 2022-04-12 | 中能电力科技开发有限公司 | Network security identity authentication method based on wind power plant communication |
CN114499854A (en) * | 2022-02-17 | 2022-05-13 | 北京邮电大学 | Identity authentication method and system based on wireless sensor network and electronic equipment |
CN114553413A (en) * | 2022-02-28 | 2022-05-27 | 西安电子科技大学 | Access authentication and key derivation method and system for biological identification identity authentication |
CN114553413B (en) * | 2022-02-28 | 2023-10-13 | 西安电子科技大学 | Access authentication and key derivation method and system for biometric identity authentication |
CN114401514A (en) * | 2022-03-25 | 2022-04-26 | 北京邮电大学 | Multi-factor identity authentication method facing wireless body area network and related equipment |
CN114401514B (en) * | 2022-03-25 | 2022-07-08 | 北京邮电大学 | Multi-factor identity authentication method facing wireless body area network and related equipment |
CN114710348A (en) * | 2022-03-31 | 2022-07-05 | 湖北工业大学 | Authorization authentication and key agreement method for user to use household intelligent equipment |
CN114826574A (en) * | 2022-04-19 | 2022-07-29 | 中国电子科技集团公司第三十研究所 | Intelligent household safety communication system and communication method |
CN115297442A (en) * | 2022-08-03 | 2022-11-04 | 中国电信股份有限公司 | Relay communication connection establishment method, storage medium, and electronic device |
CN115297442B (en) * | 2022-08-03 | 2024-04-12 | 中国电信股份有限公司 | Relay communication connection establishment method, storage medium and electronic device |
WO2024060696A1 (en) * | 2022-09-20 | 2024-03-28 | 贵州电网有限责任公司 | Tee-based smart home remote control method and related apparatus |
Also Published As
Publication number | Publication date |
---|---|
CN113115307B (en) | 2021-10-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN113115307B (en) | Two-factor identity authentication method oriented to smart home scene | |
CN111818039B (en) | Three-factor anonymous user authentication protocol method based on PUF in Internet of things | |
Xue et al. | A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture | |
Chen et al. | A robust mutual authentication protocol for wireless sensor networks | |
Sood et al. | A secure dynamic identity based authentication protocol for multi-server architecture | |
Niu et al. | An anonymous key agreement protocol based on chaotic maps | |
CN108965338B (en) | Three-factor identity authentication and key agreement method under multi-server environment | |
Nashwan | AAA-WSN: Anonymous access authentication scheme for wireless sensor networks in big data environment | |
CN110020524B (en) | Bidirectional authentication method based on smart card | |
Cheikhrouhou et al. | A lightweight user authentication scheme for wireless sensor networks | |
Guo et al. | SecFHome: Secure remote authentication in fog-enabled smart home environment | |
CN103763631A (en) | Authentication method, server and television | |
Peyravian et al. | Secure remote user access over insecure networks | |
CN111092717A (en) | Group authentication-based safe and reliable communication method in smart home environment | |
CN111447053A (en) | Data secure transmission method and system based on chaotic logic mapping and RC4 stream cipher | |
Zhu | Flexible and password-authenticated key agreement scheme based on chaotic maps for multiple servers to server architecture | |
Sudhakaran | Energy efficient distributed lightweight authentication and encryption technique for IoT security | |
CN111817850B (en) | Anonymous group authentication method based on industrial Internet of things | |
CN113727296A (en) | Anonymous privacy protection authentication protocol method based on wireless sensor system in intelligent medical treatment | |
CN111277583B (en) | Identity authentication method for monitoring system of mobile cloud computing | |
Gajbhiye et al. | Bluetooth secure simple pairing with enhanced security level | |
CN106230840B (en) | A kind of command identifying method of high security | |
Chuang et al. | An independent three‐factor mutual authentication and key agreement scheme with privacy preserving for multiserver environment and a survey | |
Shmuel et al. | 3D from an image sequence-occlusions and perspective | |
Gupta et al. | Security mechanisms of Internet of things (IoT) for reliable communication: a comparative review |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |