CN114401514B - Multi-factor identity authentication method facing wireless body area network and related equipment
- Publication number
- CN114401514B CN202210297901.6A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The multi-factor identity authentication method for wireless body area networks realizes three-terminal interactive authentication and negotiation among the user terminal, the gateway node terminal and the body area node terminal without transmitting the user's private information, and generates the session key shared by the user terminal and the body area node terminal by using a complex encryption algorithm. In addition, the gateway node end does not need to store the identity identifications and user passwords of a large number of registered users; it only needs to store its own relevant parameters, which greatly reduces the consumption of storage space while still effectively verifying the legal identity of the user, and solves the security problem and the storage problem of multi-factor identity authentication.
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to a multi-factor identity authentication method and related devices for a wireless body area network.
Background
Wireless Body Area Networks (WBANs), a very promising kind of wireless sensor network, are receiving increasing attention due to their foreseeable potential for improving the quality of medical services. For example, through a wireless body area network, medical personnel can obtain physical parameters of a patient from body area sensor nodes worn on the patient and give real-time diagnosis and treatment. However, the openness of wireless body area network communication can undoubtedly lead to illegal intrusion by attackers, which on the one hand can interfere with the diagnosis and treatment given by medical personnel and on the other hand can also reveal important and sensitive physiological data of the individual patient. Existing password-based three-factor user identity authentication protocols generally have serious security problems and storage problems, such as: inability to resist offline password guessing attacks based on a smart card or mobile device, offline password guessing attacks based on a public channel, the anonymity problem, the forward security problem, internal user impersonation attacks, node capture attacks, session key temporary parameter disclosure attacks, and the problem that, after a large number of users successfully register with the gateway, the gateway node end needs to store the identity identifications and related verification parameters of all those users, so that its limited storage space is easily consumed.
Disclosure of Invention
In view of the above, an object of the present application is to provide a multi-factor identity authentication method for wireless body area networks and related devices.
Based on the above purpose, the present application provides a multi-factor identity authentication method for a wireless body area network, which is applied to a multi-factor identity authentication system including a user end, a gateway node end and a body area node end; the user side stores a smart card obtained after registering with the gateway node side, and the smart card comprises a first verification parameter, a second verification parameter, a user pseudo-random identity, a biological feature recovery function and a matching frequency threshold value; the gateway node end stores a gateway long-term key, a gateway identity and a body domain secret value calculated for the body domain node end; the body domain node end stores the body domain secret value calculated by the gateway node end for the body domain node end;
the multi-factor identity authentication method for the wireless body area network comprises the following steps:
the user side receives a preset user name, a preset user password and biological characteristics input by a user, selects the body area identity of the body area node side to be accessed, and extracts a first timestamp; obtains a first request information set according to the preset user name, the preset user password, the biological characteristics, the body area identity, the first verification parameter, the second verification parameter and the user pseudo-random identity; and sends the user pseudo-random identity, the first request information set and the first timestamp to the gateway node end;
the gateway node side extracts a current timestamp, and performs recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; sending the second request information set and the second timestamp to a body domain node end;
the body domain node end extracts a current timestamp, and performs recovery calculation according to the current timestamp, the second timestamp and the body domain secret value to obtain a second recovery data set; in response to the second recovery data set matching the second request information set, generating a third random number, extracting a third timestamp; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; sending the third request information set and the third timestamp to a gateway node end;
the gateway node side extracts a current timestamp, and performs recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; in response to the third recovery data set matching the third request information set, selecting a new user pseudorandom identity for the user side according to the third recovery data set and the body-domain secret value, calculating a new first recovery data set according to the new user pseudorandom identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudorandom identity, and sending the fourth request information set to the user side;
the user side performs recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; and in response to the fourth recovery data set matching the fourth request information set, the user side and the body domain node side share the session key, completing multi-factor identity authentication.
Based on the same inventive concept, the application provides a multi-factor identity authentication system comprising a user side, a gateway node side and a body area node side; the user side stores a smart card obtained after registering with the gateway node side, and the smart card comprises a first verification parameter, a second verification parameter, a user pseudo-random identity, a biological feature recovery function and a matching frequency threshold value; the gateway node end stores a gateway long-term key, a gateway identity and a body domain secret value calculated for the body domain node end; the body domain node end stores the body domain secret value calculated by the gateway node end for the body domain node end;
the user side is configured to receive a preset user name, a preset user password and biological characteristics input by a user, select the body domain identity of the body domain node side to be accessed, and extract a first timestamp; obtain a first request information set according to the preset user name, the preset user password, the biological characteristics, the body area identity, the first verification parameter, the second verification parameter and the user pseudo-random identity; and send the user pseudo-random identity, the first request information set and the first timestamp to the gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; sending the second request information set and the second timestamp to a body domain node end;
the body area node end is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the second timestamp and the body area secret value to obtain a second recovery data set; generating a third random number and extracting a third timestamp in response to the second recovery data set matching the second request information set; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; sending the third request information set and the third timestamp to a gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; in response to the third recovery data set matching the third request information set, selecting a new user pseudorandom identity for the user side according to the third recovery data set and the body-domain secret value, calculating a new first recovery data set according to the new user pseudorandom identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudorandom identity, and sending the fourth request information set to the user side;
the user side is configured to perform recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; and in response to the fourth recovery data set matching the fourth request information set, the user side and the body domain node side share the session key, completing multi-factor identity authentication.
Based on the same inventive concept, the present application further provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform any one of the wireless body area network-oriented multi-factor identity authentication methods described above.
As can be seen from the above, the multi-factor identity authentication method and related devices for wireless body area networks provided by the present application implement three-terminal interactive authentication and negotiation among the user side, the gateway node side, and the body area node side without transmitting the user's private information, and generate the session key shared by the user side and the body area node side by using a complex encryption algorithm. In addition, the gateway node end does not need to store the identity identifications and user passwords of a large number of registered users; it only needs to store its own relevant parameters, which greatly reduces the consumption of storage space while still effectively verifying the legal identity of the user, and solves the security problem and the storage problem of multi-factor identity authentication.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only the embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic view of an application scenario of the multi-factor identity authentication system of the present application.
Fig. 2 is a flowchart of the multi-factor identity authentication method for wireless body area networks according to the present application.
Fig. 3 is a flowchart of a body domain node side registration stage in the multi-factor identity authentication oriented to the wireless body domain network according to the present application.
Fig. 4 is a flowchart of a user side registration phase in the multi-factor identity authentication for wireless body area networks according to the present application.
Fig. 5 is a flowchart of an authentication and negotiation stage in the multi-factor identity authentication oriented to the wireless body area network according to the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is further described in detail below with reference to the accompanying drawings in combination with specific embodiments.
It should be noted that technical terms or scientific terms used in the embodiments of the present application should have a general meaning as understood by those having ordinary skill in the art to which the present application belongs, unless otherwise defined. The use of "first," "second," and similar terms in the embodiments of the present application do not denote any order, quantity, or importance, but rather the terms are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
As described in the background art, in a wireless sensor network, a user side may access resources and services deployed in a distributed domain node side through a gateway node side, but information transmitted in the wireless sensor network is subject to various attacks such as tampering, leakage, guessing, and the like, and meanwhile, resources such as computing power, storage capacity, and the like of the gateway node are limited.
In view of the technical problems in the prior art, the present application provides a multi-factor identity authentication method for wireless body area networks, which aims to achieve secure identity authentication with minimum cost. The scheme of the application relates to a multi-factor identity authentication system consisting of three participants; referring to fig. 1, the multi-factor identity authentication system specifically includes: a user terminal, a gateway node end, and a body area node end. The user side is a mobile smart device held by a user, such as a mobile phone, a tablet computer, a smart watch, a wearable device and the like. The body area node end can be a body area sensor, can be deployed or worn on a body part of a user, and provides resources or services related to the user. Body area sensors are typically low power devices equipped with one or more sensors, memory, processors, radios, power supplies and actuators. The gateway node end acts as a trusted third party and is responsible for completing the registration of the user end and the registration of the body domain node end, distributing keys to the user end and the body domain node end, and establishing a session channel.
The following examples further illustrate the embodiments of the present invention.
First, the present application provides a multi-factor identity authentication method for wireless body area networks, which is applied to the multi-factor identity authentication system shown in fig. 1, comprising the user terminal, the gateway node end and the body area node end.
Referring to fig. 2, the multi-factor identity authentication method for a wireless body area network includes the following steps:
Step S201, the user side receives a preset user name, a preset user password and biological characteristics input by a user, selects the body domain identity of the body domain node side to be accessed, and extracts a first timestamp; obtains a first request information set according to the preset user name, the preset user password, the biological characteristics, the body area identity, the first verification parameter, the second verification parameter and the user pseudo-random identity; and sends the user pseudo-random identity, the first request information set and the first timestamp to the gateway node end.
Wherein the first request information set includes first request information, second request information, and third request information.
Step S202, the gateway node side extracts a current timestamp, and carries out recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term secret key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; and sending the second request information set and the second timestamp to a body domain node end.
Wherein the first recovery data set comprises a random timestamp function value, the first intermediate verification value, the user public key, and the body domain identity; the second set of request information includes fourth request information, fifth request information, and sixth request information.
Step S203, the body area node end extracts a current timestamp, and carries out recovery calculation according to the current timestamp, the second timestamp and the body area secret value to obtain a second recovery data set; generating a third random number and extracting a third timestamp in response to the second recovery data set matching the second request information set; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; and sending the third request information set and the third timestamp to a gateway node end.
Wherein the second recovery data set includes the public key, the second random number, the random timestamp function value, the first intermediate verification value, and the body domain identity; the third set of request information includes fourth request information, fifth request information, and sixth request information.
Step S204, the gateway node side extracts a current timestamp, and performs recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; responding to the third recovery data set and the third request information set matching, selecting a new user pseudo-random identity for the user side according to the third recovery data set and the body area secret value, calculating a new first recovery data set according to the new user pseudo-random identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudo-random identity, and sending the fourth request information set to the user side.
Wherein the third recovery data set comprises the body domain identity, the body domain secret value, the encrypted third random number, and the session key; the third set of request information includes eleventh request information, twelfth request information, and thirteenth request information.
Step S205, the user side performs recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; and in response to the fourth recovery data set matching the fourth request information set, the user side and the body domain node side share the session key, completing multi-factor identity authentication.
Wherein the fourth recovery data set includes the new first intermediate verification parameters.
The above steps S201 to S205 correspond to the authentication and negotiation phase among the user side, the gateway node end and the body area node end in the scheme of the present application. Before the authentication and negotiation phase, the method also comprises a system initialization phase, a body domain node end registration phase and a user side registration phase, which are executed in advance.
The system initialization phase is executed by the gateway node end and aims to generate the relevant parameters of the multi-factor identity authentication system for the subsequent registration, authentication and negotiation steps.
Referring to fig. 3, in the body domain node end registration phase, the body domain node end sends its own body domain identity to the gateway node end. Given a security parameter n, the gateway node end selects a gateway long-term key, selects a unique Gateway Identity (GID) for the body area node end, stores the GID at the gateway node end, and discloses the gateway identity GID.
The gateway node end computes a body-domain secret value for the body area node end and returns the body domain secret value to the body area node end through a secure channel. After receiving the body-domain secret value sent by the gateway node end, the body area node end stores the body area secret value in a secure storage unit.
Referring to fig. 4, the user side registration phase is executed by the user side and the gateway node end. The user identity and the user password are encrypted using a modulo operation, and the periodicity of the modulo operation can effectively prevent an attacker from guessing the user identity and the user password, thereby avoiding offline guessing attacks on the user identity and the user password based on the smart card or the mobile device. The registration process is carried out to ensure the security of the subsequent authentication and negotiation process.
Specifically, the user terminal receives the user name and the user password input by the user, and calculates the user secret value from the user name and the user password:
wherein,for the purpose of the user's secret value,in the form of a user name,for the bit-join operator to be performed,is a user password.
wherein,in the case of a user hash value, the value,in order to perform the hash operation,is 1 to 256 bitsA large prime number in between.
User terminalRandomly generating an initial random numberAccording to the user hash valueAnd generating initial authentication parameters by the initial random number rAnd applying the initial verification parametersAnd sending the data to the gateway node end through a secure channel.
wherein,in order to be the initial authentication parameters,is a first random number that is a random number,。
The gateway node endIs the user sideSelecting a user pseudorandom identityAnd fingerprint key recovery functionAccording to the gateway long-term keyAnd said user pseudo-random identityCalculating a first intermediate verification value:
wherein,for the first intermediate verification value to be the first,in order to be a pseudo-random identity for the user,is the gateway long-term key.
Gateway node sideAccording to the first intermediate verification valueAnd the initial authentication parameterCalculating a first verification parameter:
The gateway node end stores the user pseudo-random identity, the fingerprint key recovery function, the first verification parameter and the matching-times threshold in a smart card and transmits the smart card to the user end. The matching-times threshold is the number of times the user is allowed to attempt authentication in the subsequent steps; in the embodiment of the application, its maximum value is set to 3 and its initial value to 0.
The user end receives the fingerprint information input by the user and recovers the first intermediate verification value from the initial verification parameter and the first verification parameter. In this step, because the first verification parameter is obtained by XORing the first intermediate verification value with the initial verification parameter, the initial verification parameter is not sent in plaintext from the gateway node end to the user end. The periodicity of the modulo operation means that an attacker cannot effectively obtain, during transmission, the parameters involved in calculations on the user name and user password, and therefore cannot guess the user name and user password, so offline password guessing attacks based on the smart card or the mobile device are avoided. Furthermore, the pseudo-random identity pre-assigned by the gateway node end and the use of the hash function avoid elliptic curve public-key cryptographic algorithms with higher computational cost, so user anonymity is achieved efficiently.
User terminalAccording to the fingerprint information input by the userAnd stationThe fingerprint key recovery functionCalculating a second intermediate verification value:
User terminalAccording to the user nameThe user passwordThe first intermediate verification valueAnd the second intermediate verification valueCalculating a second verification parameter:
user terminalAccording to the first intermediate verification valueAnd the user hash valueUpdating the first verification parameter;
user terminalPseudo-random identity of the userThe fingerprint key recovery functionThe updated first verification parameterThe second verification parameterAnd the threshold of the number of matching timesStored in the smart card.
Fig. 5 shows the authentication and negotiation phase among the user end, the gateway node end and the body area node end.
Specifically, the user inputs a preset user name, a preset user password and a biometric into the smart card at the user end, and the smart card verifies the input user-related information as follows:
user terminalAccording to the preset user nameAnd the preset user passwordRecovering user hash values:Whereinin order to recover the resulting user hash value,in order to preset the user name,is a preset user password.
User terminalAccording to the user hash valueAnd the first verification parameterRecovering the first intermediate verification value:WhereinIn order to recover the first intermediate verification value obtained,is the first verification parameter.
User terminalAccording to the biological characteristicsAnd the biometric recovery functionRecovering the second intermediate verification value:Wherein, in the process,to recover the second intermediate verification value obtained,is a biological characteristic.
User terminalAccording to the preset user nameThe preset user passwordThe first intermediate verification valueAnd the second intermediate verification valueCalculating a second predetermined verification parameter:Whereina second preset verification parameter.
At the user end, if the second preset verification parameter matches the second verification parameter, the user-related information is considered verified. If they do not match, the matching count is automatically incremented by 1 and the user may try again by entering another set of inputs for identity authentication. If the count exceeds the matching-times threshold, the session is terminated and the user account is frozen until the user re-registers. In the embodiment of the present application, the count starts at 0; once in the loop, if it exceeds 3, the session is terminated and the user account is frozen until the user re-registers.
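The card-side check described above, written out as an added example; it is not code from the patent. The extracted text does not reproduce the patent's formulas, so SHA-256, the XOR combinations, the modulus value and the exact-match stand-in for the fingerprint key recovery function are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

N0 = 2**127 - 1      # assumed modulus for the user hash value (constructed)
MAX_ATTEMPTS = 3     # matching-times threshold used in the embodiment


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (stand-in for the scheme's hash)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def user_hash(name: str, password: str) -> bytes:
    """Hash of name || password reduced mod N0, as a fixed 32-byte value."""
    v = int.from_bytes(h(name.encode(), password.encode()), "big") % N0
    return v.to_bytes(32, "big")


def recover_bio_key(template: bytes) -> bytes:
    """Stand-in for the fingerprint key recovery function. A real fuzzy
    extractor tolerates sensor noise; this one needs the exact template."""
    return h(b"bio", template)


def register(name: str, password: str, template: bytes, gateway_key: bytes) -> dict:
    """Run both sides of registration and return the smart card contents."""
    # User end: mask the user hash value with a fresh random number.
    hpw = user_hash(name, password)
    r = secrets.token_bytes(32)
    initial = xor(hpw, r)                    # initial verification parameter
    # Gateway end: derive the first intermediate value from its own key only.
    pid = secrets.token_bytes(16)            # user pseudo-random identity
    first_mid = h(pid, gateway_key)
    first_param = xor(first_mid, initial)    # value written to the card
    # User end: unmask, bind the biometric, rewrite the card.
    first_mid_user = xor(first_param, initial)
    second_mid = recover_bio_key(template)
    return {
        "pid": pid,
        "first_param": xor(first_mid_user, hpw),
        "second_param": h(name.encode(), password.encode(),
                          first_mid_user, second_mid),
        "attempts": 0,
        "frozen": False,
    }


def card_verify(card: dict, name: str, password: str, template: bytes):
    """Return the first intermediate value on success, None otherwise."""
    if card["frozen"]:
        return None                          # frozen until re-registration
    first_mid = xor(card["first_param"], user_hash(name, password))
    second_mid = recover_bio_key(template)
    candidate = h(name.encode(), password.encode(), first_mid, second_mid)
    if hmac.compare_digest(candidate, card["second_param"]):
        # The page does not say whether success resets the counter;
        # this sketch leaves it unchanged.
        return first_mid
    card["attempts"] += 1
    if card["attempts"] > MAX_ATTEMPTS:      # "exceeds 3" freezes the account
        card["frozen"] = True
    return None
```

The card holds neither the password nor the first intermediate value in the clear: all three factors must be presented together before the value needed for the request to the gateway can be recovered.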
User terminalAfter the verification of the user related information is passed, in the embodiment of the application, the smart card runs a 1024-bit RSA encryption algorithm system to generate a user public keyAnd the userPrivate keySelecting a first random numberSelecting the body area node end needing to be accessedBody area identification ofExtracting the first time stampAccording to said first intermediate verification valueThe user public keyThe first random numberThe first time stampThe body area identity markAnd said user pseudo-random identityGenerating first request informationThe second request messageAnd third request information:
Wherein,in order to request the information for the first time,in order to request the information for the second time,in order to request the information for the third party,in order to be the public key of the user,is a first random number that is a random number,is a first time stamp of the time stamp,is the identity of the body area,is a pseudo-random identity for the user.
User terminalPseudo-random identity of the userThe first request informationThe second request informationThe third request informationAnd the first time stampSending to gateway node。
On receiving the information sent by the user end, the gateway node end extracts the current timestamp and checks whether the time difference between the current timestamp and the first timestamp is less than a time threshold:
Gateway node sideIn response to the current timestampAnd the first time stampThe difference between the two is not more than the preset time thresholdAccording to said user pseudo-random identityThe gateway long-term keyThe first request informationAnd the second request informationRecovering to obtain random time stamp function valueThe first intermediate verification valueThe user public keyAnd the body area identity:
Wherein,is a gateway long-term key that is,to recover the value of the random timestamp function,in order to recover the obtained public key of the user,in order to recover the obtained body area identity,to recover the first intermediate verification value obtained.
Gateway node sideAccording to the pseudo-random identity of the userThe body area identity markThe random timestamp function valueAnd said user public keyCalculating third preset request information:
If the third preset request information matches the third request information, the recovered body area identity, random timestamp function value and user public key are correct; if the third preset request information does not match the third request information, the session is terminated.
Gateway node sideResponding to the third preset request informationAnd the third request informationMatching, selecting a second random numberExtracting the second time stampAccording to the gateway long-term keyAnd the body area identityComputing body-domain secret values:
Gateway node sideAccording to the body-domain secret valueThe body area identity markThe user public keyThe second random numberThe random timestamp function valueThe first intermediate verification valueAnd the second time stampGenerating fourth request informationThe fifth request messageAnd sixth request information:
Gateway node sideSending the fourth request informationThe fifth request informationThe sixth request informationAnd the second time stampSending to the body area node side。
Body area node terminalReceiving gateway node endThe current timestamp is extracted from the sent informationResponding with the current timestampAnd the second time stampThe difference between the two is not more than the preset time thresholdAccording to the body-domain secret valueRecovering to obtain the public keyThe second random numberThe random timestamp function valueThe first intermediate verification valueAnd the body area identity:
Body area node terminalAccording to the random time stamp function valueThe second random numberThe body-area secret valueThe body area identity markAnd the second time stampCalculating sixth preset request information:
If the sixth preset request information matches the sixth request information, the public key, the second random number, the random timestamp function value, the first intermediate verification value and the body area identity recovered by the body area node end are correct. If the sixth preset request information does not match the sixth request information, the session is terminated.
Body area node terminalResponding to the sixth preset request messageAnd the sixth request informationMatching to generate a third random numberExtracting the third time stampAccording to said user public keyFor the third random numberEncrypting to obtain encrypted third random number:
Body area node terminalAccording to the function value of the random time stampThe third random numberThe first intermediate verification valueGenerating session keys:
The session key serves as the bridge for communication between the user end and the body area node end. The body area node end needs only a single modular exponentiation to encrypt the random number used to generate the session key, and then generates the same session key as the legitimate user. Even an attacker who possesses the gateway long-term key cannot efficiently solve the RSA factorization problem, so cannot break the encryption and therefore cannot recover the session key generated by the body area node end, which effectively solves the forward security problem.
Body area node terminalAccording to the body area identityThe second random numberThe encrypted third random numberThe session keyThe body-domain secret valueAnd the third time stampGenerating seventh request informationThe eighth request messageThe ninth request messageThe tenth request message:
Body area node terminalSending the seventh request messageThe eighth request messageThe ninth request messageThe tenth request messageAnd the third time stampSending to gateway node。
Gateway node sideReceiving a body area node sideThe current timestamp is extracted from the transmitted informationResponding with the current timestampAnd the third time stampThe difference between the two is not more than the preset time thresholdAccording to the second random numberThe seventh request informationThe eighth request messageThe gateway long-term keyRecovering to obtain the body domain identityThe body-area secret valueThe encrypted third random numberThe session keyFunction value of (c):
Body area node terminalAccording to the encrypted third random numberThe session keyThe second random numberThe body-domain secret valueAnd the third time stampCalculating ninth preset request information:
If the ninth preset request information matches the ninth request information, the body area identity, the body area secret value, the encrypted third random number and the session key recovered by the gateway node end are correct. If the ninth preset request information does not match the ninth request information, the session is terminated.
Body area node terminalResponding to the ninth preset request informationAnd the ninth request informationMatching according to the tenth request informationThe session keyThe second random numberAnd the body-domain secret valueCalculating encrypted third random number and session key function value:
Gateway node sideSelecting a new user pseudorandom identity for said user sideAccording to said new pseudo-random identity of said userAnd the gateway long-term key Calculating new first intermediate verification parameters:
Wherein,for the new first intermediate authentication parameter(s),a new pseudo-random identity for the user.
Body area node terminalAccording to the new first intermediate verification parameterThe first intermediate verification parameterThe new pseudo-random identityThe encrypted third random numberThe first random numberThe first time stampAnd said encrypted third random number and session key function valueGenerating eleventh request informationThe twelfth request messageAnd thirteenth request information:
Gateway node sideTransmitting the eleventh request messageThe twelfth request informationAnd the thirteenth request informationAnd sending the information to the user side. In this step, the body area node sideNegotiate a session keyThen, the body area node endWill encrypt the third random numberBound simultaneously to the end of the gateway node that sends itInvolving session keysEncrypted third random number and session key function valueAnd gateway node sideTo the user endRelated parameters on the session key. Therefore, legal users can not unilaterally slave the body area node endSending to gateway node sideInvolving session keysAnd gateway node sideTo the user endAbout session keysTaking the body area node end in the related parametersWill further fail to recover the session key and the public channelThe related parameters further fail to model the node end of the body areaTo calculate the correct session key for the next legitimate userFurther, the terminal can not pass through the gateway nodeThe authentication of (1).
User terminalReceiving gateway node endThe above information is transmitted according to the first intermediate verification valueAnd the eleventh request informationRestoring the new first intermediate verification parameters:
The user end calculates the thirteenth preset request information according to the user private key. If the thirteenth preset request information matches the thirteenth request information, the user end and the body area node end share the session key, and the multi-factor identity authentication is complete.
As an optional embodiment, because a wireless body area network needs body area node ends to be added at any time as required, the application also supports dynamic addition of body area node ends. A newly added body area node end only needs to perform a simple registration with the gateway node end; after the gateway node end broadcasts the identity of the new body area node end, the new body area node end can perform key negotiation with the user end.
As an alternative embodiment, the method and the device also support user password updating at the user end.
Specifically, referring to Fig. 5, once the user end and the body area node end share the session key, the user end receives the preset user name, preset user password and biometric input by the user, and computes the user hash value from the preset user name and the preset user password:
Wherein,in the case of a user hash value, the value,in order to preset the user name,in order to preset the user password,for the bit-join operator to be performed,in order to perform the hash operation,is 1 to 256 bitsA large prime number in between.
User terminalAccording to the user hash valueAnd the first verification parameterCalculating a first intermediate verification value:
Wherein,for the first intermediate verification value to be the first,is a first verification parameter
User terminalAccording to the biological characteristicsAnd the biometric recovery functionCalculating a second intermediate verification value:
Wherein,for the second intermediate verification value to be the second,in order to be a biological characteristic,a fingerprint key recovery function.
User terminalAccording to the preset user nameThe preset user passwordThe first intermediate verification valueAnd the second intermediate verification valueCalculating a second predetermined verification parameter:
User terminalIn response to the second verification parameterAnd the second preset verification parameterMatching, said user sideReceiving user input of an updated user passwordAccording to the preset user nameThe update user passwordThe user hash valueThe first intermediate verification valueAnd in the secondInter-verification valueCalculating updated first verification parametersAnd updated second authentication parameters:
Wherein,in order to have a new first authentication parameter,is the new second verification parameter.
User terminalThe first authentication parameter in the smart card is usedThe second verification parameterAnd said user pseudo-random identityReplacing with the updated first verification parameterThe updated second verification parameterAnd said new user pseudo-random identity。
Therefore, the multi-factor identity authentication method for wireless body area networks achieves three-party interactive authentication and negotiation among the user end, the gateway node end and the body area node end without transmitting the user's private information, and at the same time generates the session key between the user end and the body area node end using a complex encryption algorithm. Because the first intermediate authentication parameter is embedded in the calculation of the session key, an attacker who does not hold the user's first intermediate authentication parameter cannot recover a previously negotiated session key from the other parameters seen in transmission alone. Attacks based on leakage of the session key's temporary parameters are thus effectively resisted, and the session key is prevented from leaking. In addition, the gateway node end does not need to store the identities and passwords of a large number of registered users; it stores only its own parameters, which greatly reduces storage consumption while still verifying the user's legitimate identity effectively, solving both the security problem and the storage problem of multi-factor identity authentication.
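The gateway's handling of the first request, which needs only the gateway long-term key and no per-user table, is sketched below as an added example; it is not code from the patent. The message layout (how the three request values are masked and hashed), SHA-256/SHAKE-256, the 5-second window and all sample values are assumptions, since the extracted text does not reproduce the patent's formulas.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5    # assumed freshness window in seconds (constructed value)


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (stand-in for the scheme's hash)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def mask(key_material: bytes, data: bytes) -> bytes:
    """XOR data with a SHAKE-256 stream from key_material (self-inverse)."""
    stream = hashlib.shake_256(key_material).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def first_intermediate(pid: bytes, gateway_key: bytes) -> bytes:
    """Recomputed by the gateway per request; nothing per-user is stored."""
    return h(pid, gateway_key)


def build_request(first_mid, pid, public_key, body_id, now):
    """User end: hide the public key and target node behind first_mid."""
    t1 = int(now).to_bytes(8, "big")
    r1 = secrets.token_bytes(16)                 # first random number
    x = h(r1, t1)                                # random timestamp function value
    m1 = mask(h(first_mid, t1), x)               # first request information
    payload = len(public_key).to_bytes(2, "big") + public_key + body_id
    m2 = mask(h(first_mid, x), payload)          # second request information
    m3 = h(pid, body_id, x, public_key)          # third request information
    return {"pid": pid, "m1": m1, "m2": m2, "m3": m3, "t1": int(now)}


def gateway_check(msg, gateway_key, now):
    """Return (public_key, body_id, x) if fresh and consistent, else None."""
    if abs(int(now) - msg["t1"]) > DELTA_T:
        return None                              # outside the time threshold
    t1 = msg["t1"].to_bytes(8, "big")
    first_mid = first_intermediate(msg["pid"], gateway_key)
    x = mask(h(first_mid, t1), msg["m1"])
    payload = mask(h(first_mid, x), msg["m2"])
    if len(payload) < 2:
        return None
    n = int.from_bytes(payload[:2], "big")
    public_key, body_id = payload[2:2 + n], payload[2 + n:]
    # Recompute the third request information and compare in constant time.
    expected = h(msg["pid"], body_id, x, public_key)
    if not hmac.compare_digest(expected, msg["m3"]):
        return None                              # session is terminated
    return public_key, body_id, x
```

Because the timestamp is an input to the masks, a captured request replayed with a refreshed timestamp unmasks to different values and fails the final comparison.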
It should be noted that the method of the embodiment of the present application may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the multiple devices may only perform one or more steps of the method of the embodiment, and the multiple devices interact with each other to complete the method.
It should be noted that the above describes some embodiments of the present application. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Based on the same inventive concept, the application provides a multi-factor identity authentication system.
Referring to fig. 1, the multi-factor identity authentication system includes: a multi-factor identity authentication system of a user side, a gateway node side and a body area node side; the user side stores an intelligent card obtained after the intelligent card is registered with the gateway node side, and the intelligent card comprises a first verification parameter, a second verification parameter, a user pseudo-random identity, a biological feature recovery function and a matching frequency threshold value; the gateway node end stores a gateway long-term key, a gateway identity and a body domain secret value calculated for the body domain node end; the body domain node end stores the body domain secret value calculated by the gateway node end for the body domain node end;
the user side is configured to receive a preset user name, a preset user password and biological characteristics input by a user, and selects a body domain identity of the body domain node side needing to be accessed to extract a first timestamp; obtaining a first request information set according to a preset user name, a preset user password, biological characteristics, a body area identity, a first verification parameter, a second verification parameter and a user pseudo-random identity; sending the user pseudo-random identity, the first request information set and the first timestamp to a gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; sending the second request information set and the second timestamp to a body domain node end;
the body domain node end is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the second timestamp and the body domain secret value to obtain a second recovery data set; generating a third random number and extracting a third timestamp in response to the second recovery data set matching the second request information set; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; sending the third request information set and the third timestamp to a gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; in response to the third recovery data set matching the third request information set, selecting a new user pseudorandom identity for the user side according to the third recovery data set and the body-domain secret value, calculating a new first recovery data set according to the new user pseudorandom identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudorandom identity, and sending the fourth request information set to the user side;
the user side is configured to perform recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; and responding to the matching of the fourth recovery data set and the fourth request information set, wherein the user side and the body domain node side share the session key to complete multi-factor identity authentication.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functionality of the various modules may be implemented in the same one or more software and/or hardware implementations as the present application.
The apparatus of the foregoing embodiment is used to implement the corresponding multi-factor identity authentication oriented to the wireless body area network in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, corresponding to any of the above-mentioned embodiment methods, the present application further provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform the wireless body area network-oriented multi-factor identity authentication as described in any of the above embodiments.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, for storing information may be implemented in any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiment are used to enable the computer to perform the multi-factor identity authentication oriented to the wireless body area network according to any of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which are not described herein again.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the context of the present application, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present application as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures for simplicity of illustration and discussion, and so as not to obscure the embodiments of the application. Furthermore, devices may be shown in block diagram form in order to avoid obscuring embodiments of the application, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the application are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the application, it should be apparent to one skilled in the art that the embodiments of the application can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic ram (dram)) may use the discussed embodiments.
The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present application are intended to be included within the scope of the present application.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, for storing information may be implemented in any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiment are used to enable the computer to execute the method for authenticating a multi-factor identity for a wireless body area network according to any of the foregoing embodiments, and have the beneficial effects of corresponding method embodiments, which are not described herein again.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the context of the present application, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present application as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures for simplicity of illustration and discussion, and so as not to obscure the embodiments of the application. Furthermore, devices may be shown in block diagram form in order to avoid obscuring embodiments of the application, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the application are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the application, it should be apparent to one skilled in the art that the embodiments of the application can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present application are intended to be included within the scope of the present application.
Claims (10)
1. A multi-factor identity authentication method for a wireless body area network, characterized in that the method is applied to a multi-factor identity authentication system comprising a user terminal, a gateway node terminal and a body area node terminal; the user side stores a smart card obtained after registration with the gateway node side, and the smart card comprises a first verification parameter, a second verification parameter, a user pseudo-random identity, a biological feature recovery function and a matching frequency threshold value; the gateway node end stores a gateway long-term key, a gateway identity and a body domain secret value calculated for the body domain node end; the body domain node end stores the body domain secret value calculated by the gateway node end for the body domain node end;
the multi-factor identity authentication method facing the wireless body area network comprises the following steps:
the user side receives a preset user name, a preset user password and biological characteristics input by a user, selects a body area identity of the body area node side needing to be accessed, and extracts a first timestamp; obtaining a first request information set according to a preset user name, a preset user password, biological characteristics, a body area identity, a first verification parameter, a second verification parameter and a user pseudo-random identity; sending the user pseudo-random identity, the first request information set and the first timestamp to a gateway node end;
the gateway node side extracts a current timestamp, and performs recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; sending the second request information set and the second timestamp to a body domain node end;
the body domain node end extracts a current timestamp, and performs recovery calculation according to the current timestamp, the second timestamp and the body domain secret value to obtain a second recovery data set; generating a third random number and extracting a third timestamp in response to the second recovery data set matching the second request information set; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; sending the third request information set and the third timestamp to a gateway node end;
the gateway node side extracts a current timestamp, and performs recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; in response to the third recovery data set matching the third request information set, selecting a new user pseudorandom identity for the user side according to the third recovery data set and the body-domain secret value, calculating a new first recovery data set according to the new user pseudorandom identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudorandom identity, and sending the fourth request information set to the user side;
the user side performs recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; in response to the fourth recovery data set matching the fourth request information set, the user side and the body domain node side share the session key to complete multi-factor identity authentication;
and the gateway node end selects a gateway long-term key, selects a unique gateway identity for the body domain node end, stores the gateway long-term key and discloses the gateway identity.
2. The wireless body area network-oriented multi-factor identity authentication method of claim 1, further comprising:
the user side receives a user name and a user password input by a user; randomly generating an initial random number, and generating an initial authentication parameter according to the user name, the user password and the initial random number; sending the initial verification parameters to a gateway node end;
the gateway node terminal selects a user pseudo-random identity and a fingerprint key recovery function for the user terminal, calculates a first intermediate verification value according to the gateway long-term key and the user pseudo-random identity, calculates a first verification parameter according to the first intermediate verification value and the initial verification parameter, stores the user pseudo-random identity, the fingerprint key recovery function, the first verification parameter and a matching time threshold value in a smart card, and sends the smart card to the user terminal;
the user side receives fingerprint information input by a user, recovers a first intermediate verification value according to the initial verification parameter and the first verification parameter, calculates a second intermediate verification value according to the fingerprint information input by the user and the fingerprint key recovery function, and calculates a second verification parameter according to the user name, the user password, the first intermediate verification value and the second intermediate verification value; updating the first authentication parameter according to the first intermediate authentication value and the initial authentication parameter; and storing the user pseudo-random identity, the fingerprint key recovery function, the updated first verification parameter, the second verification parameter and the matching time threshold in a smart card.
3. The wireless body area network-oriented multi-factor identity authentication method of claim 1, wherein the first request information set comprises first request information, second request information and third request information;
then, the method for multi-factor identity authentication for a wireless body area network includes:
the user side receives a preset user name, a preset user password and biological characteristics input by a user, recovers a user hash value according to the preset user name and the preset user password, recovers a first intermediate verification value according to the user hash value and the first verification parameter, recovers a second intermediate verification value according to the biological characteristics and the biological characteristic recovery function, calculates a second preset verification parameter according to the preset user name, the preset user password, the first intermediate verification value and the second intermediate verification value, generates a user public key, a user private key and a first random number in response to the matching of the second preset verification parameter and the second verification parameter, selects a body area identity of the body area node end needing to be accessed, extracts a first timestamp, extracts a second time stamp according to the first intermediate verification value, the user public key, the second random number and the second verification parameter, and generating first request information, second request information and third request information by the first random number, the first timestamp, the body domain identity identifier and the user pseudo-random identity, and sending the user pseudo-random identity, the first request information, the second request information, the third request information and the first timestamp to a gateway node end.
4. The wireless body area network-oriented multifactor identity authentication method of claim 3, wherein the first recovery data set comprises a random timestamp function value, the first intermediate verification value, the user public key, and the body domain identity; the second set of request information includes fourth request information, fifth request information, and sixth request information;
then, the method for multi-factor identity authentication for a wireless body area network includes:
the gateway node extracts a current timestamp, recovers to obtain a random timestamp function value, the first intermediate verification value, the user public key and the body domain identity according to the user pseudo-random identity, the gateway long-term secret key, the first request information and the second request information in response to the difference between the current timestamp and the first timestamp not being greater than a preset time threshold, calculates third preset request information according to the user pseudo-random identity, the body domain identity, the random timestamp function value and the user public key, generates a second random number in response to the third preset request information being matched with the third request information, extracts a second timestamp, calculates a body domain secret value according to the gateway long-term secret key and the body domain identity, and calculates the body domain secret value according to the body domain secret value and the body domain identity, and generating fourth request information, fifth request information and sixth request information by the user public key, the second random number, the random timestamp function value, the first intermediate verification value and the second timestamp, and sending the fourth request information, the fifth request information, the sixth request information and the second timestamp to a body domain node terminal.
5. The wireless body area network-oriented multi-factor identity authentication method of claim 4, wherein the second recovery data set comprises the public key, the second random number, the random timestamp function value, the first intermediate verification value, and the body area identity; the third set of request information includes seventh request information, eighth request information, ninth request information, and tenth request information;
then, the method for multi-factor identity authentication for a wireless body area network includes:
the body domain node extracts a current timestamp, recovers the public key, the second random number, the random timestamp function value, the first intermediate verification value and the body domain identity according to the body domain secret value in response to the fact that the difference value between the current timestamp and the second timestamp is not larger than a preset time threshold value, calculates sixth preset request information according to the random timestamp function value, the second random number, the body domain secret value, the body domain identity and the second timestamp, generates a third random number in response to the matching of the sixth preset request information and the sixth request information, extracts a third timestamp, encrypts the third random number according to the user public key to obtain an encrypted third random number, and encrypts the third random number according to the random timestamp function value, the third random number, the first intermediate verification value and the body domain identity according to the user public key, and generating a session key by the first intermediate verification value, generating seventh request information, eighth request information, ninth request information and tenth request information according to the body domain identity, the second random number, the encrypted third random number, the session key, the body domain secret value and the third timestamp, and sending the seventh request information, the eighth request information, the ninth request information, the tenth request information and the third timestamp to a gateway node.
6. The wireless body area network-oriented multi-factor identity authentication method of claim 5, wherein the third recovery data set comprises the body area identity, the body area secret value, the encrypted third random number, and the session key; the fourth set of request information includes eleventh request information, twelfth request information, and thirteenth request information;
then, the method for multi-factor identity authentication for a wireless body area network includes:
the gateway node extracts a current timestamp, obtains the body domain identity, the body domain secret value, the encrypted third random number and the session key according to the second random number, the seventh request information, the eighth request information and the gateway long-term key recovery in response to a difference value between the current timestamp and the third timestamp not being greater than a preset time threshold value, calculates ninth preset request information according to the encrypted third random number, the session key, the second random number, the body domain secret value and the third timestamp, calculates a function value of the encrypted third random number and the session key according to the ninth preset request information and the ninth request information in response to matching of the ninth preset request information and the ninth request information, and selects a new user pseudorandom identity for the user terminal according to the tenth request information, the session key, the second random number and the body domain secret value, calculating a new first intermediate authentication parameter according to the new pseudo-random identity of the user and the gateway long-term key, generating eleventh request information, twelfth request information and thirteenth request information according to the new first intermediate authentication parameter, the new pseudo-random identity, the encrypted third random number, the first timestamp, the encrypted third random number and a session key function value, and sending the eleventh request information, the twelfth request information and the thirteenth request information to the user side.
7. The wireless body area network-oriented multi-factor identity authentication method of claim 6, wherein the fourth recovery data set comprises the new first intermediate verification parameter;
then, the method for multi-factor identity authentication for a wireless body area network includes:
the user side recovers the new first intermediate verification parameter according to the first intermediate verification value and the eleventh request information, calculates thirteenth preset request information according to the user private key, and, in response to the thirteenth preset request information matching the thirteenth request information, the user side and the body domain node side share the session key to complete multi-factor identity authentication.
8. The multi-factor identity authentication method for wireless body area networks according to any of claims 1 to 7, further comprising:
responding to the user side and the body area node side to share the session key, the user side receives a preset user name, a preset user password and biological characteristics input by a user, calculates a user hash value according to the preset user name and the preset user password, calculates a first intermediate verification value according to the user hash value and the first verification parameter, calculates a second intermediate verification value according to the biological characteristics and the biological characteristics recovery function, calculates a second preset verification parameter according to the preset user name, the preset user password, the first intermediate verification value and the second intermediate verification value, responds to the second verification parameter being matched with the second preset verification parameter, the user side receives an updated user password input by the user, and updates the user password, the user hash value, the user password, the second intermediate verification value and the second intermediate verification parameter according to the preset user name, the updated user password, the user hash value, The first and second intermediate authentication values calculate updated first authentication parameters and updated second authentication parameters and replace the first authentication parameters, the second authentication parameters and the user pseudo-random identity in the smart card with the updated first authentication parameters, the updated second authentication parameters and the new user pseudo-random identity.
9. A multi-factor authentication system, comprising: a user side, a gateway node side and a body area node side; the user side stores a smart card obtained after registration with the gateway node side, and the smart card comprises a first verification parameter, a second verification parameter, a user pseudo-random identity, a biological feature recovery function and a matching frequency threshold value; the gateway node end stores a gateway long-term key, a gateway identity and a body domain secret value calculated for the body domain node end; the body domain node end stores the body domain secret value calculated by the gateway node end for the body domain node end;
the user side is configured to receive a preset user name, a preset user password and biological characteristics input by a user, select a body domain identity of the body domain node side needing to be accessed, and extract a first timestamp; obtaining a first request information set according to a preset user name, a preset user password, biological characteristics, a body area identity, a first verification parameter, a second verification parameter and a user pseudo-random identity; sending the user pseudo-random identity, the first request information set and the first timestamp to a gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; sending the second request information set and the second timestamp to a body domain node end;
the body area node end is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the second timestamp and the body area secret value to obtain a second recovery data set; generating a third random number and extracting a third timestamp in response to the second recovery data set matching the second request information set; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; sending the third request information set and the third timestamp to a gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; in response to the third recovery data set matching the third request information set, selecting a new user pseudorandom identity for the user side according to the third recovery data set and the body-domain secret value, calculating a new first recovery data set according to the new user pseudorandom identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudorandom identity, and sending the fourth request information set to the user side;
the user side is configured to perform recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; in response to the fourth recovery data set matching the fourth request information set, the user side and the body domain node side share the session key to complete multi-factor identity authentication.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 8.
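Claims 2 to 4 describe enrolment, the user side's local check of user name, password and biometric against the smart card, and the gateway's timestamp and match check, without giving formulas in this section. The Python example below is added here as an illustration and is not the patent's own construction: the hash and XOR formulas, the `rep` stand-in for the biological feature recovery function, the use of the threshold as a lock-out counter and all names are assumptions, and the public-key and random-number fields of the claims are left out.

```python
import hashlib, hmac, os, time

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rep(biometric: bytes) -> bytes:
    # Stand-in for the biometric recovery function (assumption). A real fuzzy
    # extractor tolerates noisy readings; this one needs identical bytes.
    return H(b"bio", biometric)

class Gateway:
    def __init__(self, max_skew: int = 5):
        self.long_term_key = os.urandom(32)   # gateway long-term key
        self.max_skew = max_skew              # preset time threshold (seconds)

    def intermediate(self, pid: bytes) -> bytes:
        # First intermediate verification value, from long-term key and PID.
        return hmac.new(self.long_term_key, pid, hashlib.sha256).digest()

    def register(self, initial_param: bytes, threshold: int = 3) -> dict:
        pid = os.urandom(16)                  # user pseudo-random identity
        return {"pid": pid, "a1": xor(self.intermediate(pid), initial_param),
                "a2": b"", "threshold": threshold, "failures": 0}

    def verify_request(self, pid, masked_sid, tag, t1, now=None):
        """Return the recovered body-area identity, or None if rejected."""
        now = int(time.time()) if now is None else now
        if abs(now - t1) > self.max_skew:     # stale or future-dated request
            return None
        k, t1b = self.intermediate(pid), t1.to_bytes(8, "big")
        sid = xor(masked_sid, H(b"mask", k, t1b))
        expected = H(b"tag", pid, sid, k, t1b)
        return sid if hmac.compare_digest(expected, tag) else None

def enroll(gw, user, pw, biometric):
    r = os.urandom(16)                        # initial random number
    initial = H(user, pw, r)                  # initial verification parameter
    card = gw.register(initial)
    k = xor(card["a1"], initial)              # recover intermediate value
    card["a2"] = H(user, pw, k, rep(biometric))  # second verification parameter
    card["a1"] = xor(k, H(user, pw))          # re-mask under the user hash value
    return card

def login(card, user, pw, biometric, sid, t1):
    """Local three-factor check, then build the request for the gateway."""
    if card["failures"] >= card["threshold"]:
        raise PermissionError("smart card locked after repeated mismatches")
    if len(sid) > 32:
        raise ValueError("sid longer than the 32-byte mask")
    k = xor(card["a1"], H(user, pw))
    if not hmac.compare_digest(H(user, pw, k, rep(biometric)), card["a2"]):
        card["failures"] += 1                 # count the mismatch on the card
        return None
    card["failures"] = 0
    t1b = t1.to_bytes(8, "big")
    masked_sid = xor(sid, H(b"mask", k, t1b))
    return card["pid"], masked_sid, H(b"tag", card["pid"], sid, k, t1b), t1

if __name__ == "__main__":
    gw = Gateway()
    # Constructed sample credentials and node identity.
    card = enroll(gw, b"alice", b"correct horse", b"constructed-fingerprint")
    now = int(time.time())
    req = login(card, b"alice", b"correct horse", b"constructed-fingerprint",
                b"sensor-07", now)
    print(gw.verify_request(*req, now=now))
```

Because the timestamp feeds both the mask and the tag, a captured request replayed with a fresh timestamp fails the match check, and one replayed with its original timestamp fails the freshness check once the threshold has passed.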
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210297901.6A CN114401514B (en) | 2022-03-25 | 2022-03-25 | Multi-factor identity authentication method facing wireless body area network and related equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210297901.6A CN114401514B (en) | 2022-03-25 | 2022-03-25 | Multi-factor identity authentication method facing wireless body area network and related equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114401514A (en) | 2022-04-26 |
CN114401514B (en) | 2022-07-08 |
Family
ID=81234814
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210297901.6A Active CN114401514B (en) | 2022-03-25 | 2022-03-25 | Multi-factor identity authentication method facing wireless body area network and related equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114401514B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117040767B (en) * | 2023-10-10 | 2024-01-23 | 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) | Fine-grained multi-terminal identity authentication method based on PUF (physical unclonable function) and related equipment |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018147673A1 (en) * | 2017-02-09 | 2018-08-16 | 에스지에이솔루션즈 주식회사 | Symmetric key-based user authentication method for ensuring anonymity in wireless sensor network environment |
CN113115307A (en) * | 2021-04-12 | 2021-07-13 | 北京邮电大学 | Two-factor identity authentication method oriented to smart home scene |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10104545B2 (en) * | 2016-11-02 | 2018-10-16 | National Chin-Yi University Of Technology | Computer-implemented anonymity authentication method for wireless sensor networks |
Non-Patent Citations (1)
Title |
---|
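Multi-factor authentication protocol for multi-gateway wireless sensor networks; Wang Chenyu et al.; Chinese Journal of Computers (《计算机学报》); 20200430; Vol. 43, No. 4; full text * |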
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110463237B (en) | Method for managing communication between a server and a user equipment | |
Ali et al. | An enhanced three factor based authentication protocol using wireless medical sensor networks for healthcare monitoring | |
CN109714167B (en) | Identity authentication and key agreement method and equipment suitable for mobile application signature | |
CN105162772B (en) | A kind of internet of things equipment certifiede-mail protocol method and apparatus | |
Chaudhry et al. | An enhanced privacy preserving remote user authentication scheme with provable security | |
Li et al. | A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information systems | |
US9992017B2 (en) | Encrypting and storing data | |
Xie et al. | Robust anonymous authentication scheme for telecare medical information systems | |
CN110969431B (en) | Secure hosting method, device and system for private key of blockchain digital coin | |
Maitra et al. | An enhanced multi‐server authentication protocol using password and smart‐card: cryptanalysis and design | |
Liu et al. | A secure data backup scheme using multi‐factor authentication | |
Alzahrani | Secure and efficient cloud-based IoT authenticated key agreement scheme for e-health wireless sensor networks | |
US20200195446A1 (en) | System and method for ensuring forward & backward secrecy using physically unclonable functions | |
Chaturvedi et al. | A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme | |
Praveen et al. | Improved Gentry–Halevi's fully homomorphic encryption‐based lightweight privacy preserving scheme for securing medical Internet of Things | |
EP3000216B1 (en) | Secured data channel authentication implying a shared secret | |
Tsai et al. | A chaotic map‐based anonymous multi‐server authenticated key agreement protocol using smart card | |
Giri et al. | A novel and efficient session spanning biometric and password based three-factor authentication protocol for consumer USB mass storage devices | |
Madhusudhan | A secure and lightweight authentication scheme for roaming service in global mobile networks | |
Wu et al. | An enhanced mutual authentication and key agreement scheme for mobile user roaming service in global mobility networks | |
Feiri et al. | Efficient and secure storage of private keys for pseudonymous vehicular communication | |
CN114401514B (en) | Multi-factor identity authentication method facing wireless body area network and related equipment | |
Xu et al. | A computationally efficient authentication and key agreement scheme for multi-server switching in WBAN | |
Chuang et al. | An independent three‐factor mutual authentication and key agreement scheme with privacy preserving for multiserver environment and a survey | |
Mishra et al. | A provably secure content distribution framework for portable DRM systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||