CN114401514B - Multi-factor identity authentication method facing wireless body area network and related equipment - Google Patents

Info

Publication number: CN114401514B
Authority: CN (China)
Legal status: Active
Application number: CN202210297901.6A
Other languages: Chinese (zh)
Other versions: CN114401514A (en)
Inventors: 徐国爱, 刘凯俊, 徐国胜, 王晨宇, 曹强
Current Assignee: Beijing University of Posts and Telecommunications
Original Assignee: Beijing University of Posts and Telecommunications
Prior art keywords: user, request information, identity, timestamp, value

Classifications

    • H04W12/06 Authentication (under H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 (under H04L9/32) using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 (under H04L9/3226) Biological data, e.g. fingerprint, voice or retina
    • H04L9/3297 (under H04L9/32) involving time stamps, e.g. generation of time stamps
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04L2209/80 Wireless (under H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00)
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The multi-factor identity authentication method for wireless body area networks realizes three-party interactive authentication and negotiation among the user side, the gateway node end and the body area node end without transmitting user privacy, and generates the session key of the user side and the body area node end by using a complex encryption algorithm. In addition, the gateway node end does not need to store the identity identifications and user passwords of a large number of registered users; it only needs to store its own relevant parameters, which greatly reduces the consumption of storage space while still effectively verifying the legal identity of the user, and solves the security problem and the storage problem of multi-factor identity authentication.

Description

Multi-factor identity authentication method facing wireless body area network and related equipment
Technical Field
The present application relates to the field of information security technologies, and in particular, to a multi-factor identity authentication method and related devices for a wireless body area network.
Background
Wireless Body Area Networks (WBANs), a very promising kind of wireless sensor network, are receiving increasing attention due to their foreseeable potential for improving the quality of medical services. For example, through a wireless body area network, medical personnel can obtain physical parameters of a patient from body area sensor nodes worn by the patient and give real-time diagnosis and treatment. However, the openness of wireless body area network communication undoubtedly invites illegal intrusion by attackers, which on the one hand can interfere with diagnosis and treatment by medical personnel and on the other hand can reveal important and sensitive physiological data of the individual patient. Existing password-based three-factor user identity authentication protocols generally have serious security problems and storage problems. For example, they cannot resist offline password guessing attacks based on a smart card or mobile device, offline password guessing attacks based on a public channel, internal user impersonation attacks, node capture attacks or session key temporary parameter disclosure attacks; they have anonymity and forward security problems; and after a large number of users have successfully registered with the gateway, the gateway node end needs to store the identity identifications and related verification parameters of all those users, which easily consumes the limited storage space of the gateway node end.
Disclosure of Invention
In view of the above, an object of the present application is to provide a multi-factor identity authentication method for wireless body area networks and related devices.
Based on the above purpose, the present application provides a multi-factor identity authentication method for wireless body area networks, which is applied to a multi-factor identity authentication system including a user end, a gateway node end and a body area node end; the user side stores a smart card obtained after registering with the gateway node side, and the smart card comprises a first verification parameter, a second verification parameter, a user pseudo-random identity, a biological feature recovery function and a matching frequency threshold value; the gateway node end stores a gateway long-term key, a gateway identity and a body domain secret value calculated for the body domain node end; the body domain node end stores the body domain secret value calculated by the gateway node end for the body domain node end;
the multi-factor identity authentication method for wireless body area networks comprises the following steps:
the user side receives a preset user name, a preset user password and biological characteristics input by a user, selects the body area identity of the body area node side to be accessed, and extracts a first timestamp; obtains a first request information set according to the preset user name, the preset user password, the biological characteristics, the body area identity, the first verification parameter, the second verification parameter and the user pseudo-random identity; and sends the user pseudo-random identity, the first request information set and the first timestamp to the gateway node end;
the gateway node side extracts a current timestamp, and performs recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; sending the second request information set and the second timestamp to a body domain node end;
the body domain node end extracts a current timestamp, and performs recovery calculation according to the current timestamp, the second timestamp and the body domain secret value to obtain a second recovery data set; in response to the second recovery data set matching the second request information set, generating a third random number, extracting a third timestamp; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; sending the third request information set and the third timestamp to a gateway node end;
the gateway node side extracts a current timestamp, and performs recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; in response to the third recovery data set matching the third request information set, selecting a new user pseudorandom identity for the user side according to the third recovery data set and the body-domain secret value, calculating a new first recovery data set according to the new user pseudorandom identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudorandom identity, and sending the fourth request information set to the user side;
the user side performs recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; in response to the fourth recovery data set matching the fourth request information set, the user side and the body domain node side share the session key, completing multi-factor identity authentication.
Based on the same inventive concept, the application provides a multi-factor identity authentication system comprising a user side, a gateway node side and a body area node side; the user side stores a smart card obtained after registering with the gateway node side, and the smart card comprises a first verification parameter, a second verification parameter, a user pseudo-random identity, a biological feature recovery function and a matching frequency threshold value; the gateway node end stores a gateway long-term key, a gateway identity and a body domain secret value calculated for the body domain node end; the body domain node end stores the body domain secret value calculated by the gateway node end for the body domain node end;
the user side is configured to receive a preset user name, a preset user password and biological characteristics input by a user, select the body domain identity of the body domain node side to be accessed, and extract a first timestamp; obtain a first request information set according to the preset user name, the preset user password, the biological characteristics, the body area identity, the first verification parameter, the second verification parameter and the user pseudo-random identity; and send the user pseudo-random identity, the first request information set and the first timestamp to the gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; sending the second request information set and the second timestamp to a body domain node end;
the body area node end is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the second timestamp and the body area secret value to obtain a second recovery data set; generating a third random number and extracting a third timestamp in response to the second recovery data set matching the second request information set; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; sending the third request information set and the third timestamp to a gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; in response to the third recovery data set matching the third request information set, selecting a new user pseudorandom identity for the user side according to the third recovery data set and the body-domain secret value, calculating a new first recovery data set according to the new user pseudorandom identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudorandom identity, and sending the fourth request information set to the user side;
the user side is configured to perform recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; in response to the fourth recovery data set matching the fourth request information set, the user side and the body domain node side share the session key, completing multi-factor identity authentication.
Based on the same inventive concept, the present application further provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform any one of the multi-factor identity authentication methods for wireless body area networks described above.
As can be seen from the above, the multi-factor identity authentication method and related devices for wireless body area networks provided by the present application implement three-party interactive authentication and negotiation among the user side, the gateway node side and the body area node side without transmitting user privacy, and generate the session key of the user side and the body area node side by using a complex encryption algorithm. In addition, the gateway node end does not need to store the identity identifications and user passwords of a large number of registered users; it only needs to store its own relevant parameters, which greatly reduces the consumption of storage space while still effectively verifying the legal identity of the user, and solves the security problem and the storage problem of multi-factor identity authentication.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic view of an application scenario of the multi-factor identity authentication system of the present application.
Fig. 2 is a flowchart of the multi-factor identity authentication method for wireless body area networks according to the present application.
Fig. 3 is a flowchart of a body domain node side registration stage in the multi-factor identity authentication oriented to the wireless body domain network according to the present application.
Fig. 4 is a flowchart of a user side registration phase in the multi-factor identity authentication for wireless body area networks according to the present application.
Fig. 5 is a flowchart of an authentication and negotiation stage in the multi-factor identity authentication oriented to the wireless body area network according to the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is further described in detail below with reference to the accompanying drawings in combination with specific embodiments.
It should be noted that technical terms or scientific terms used in the embodiments of the present application should have a general meaning as understood by those having ordinary skill in the art to which the present application belongs, unless otherwise defined. The use of "first," "second," and similar terms in the embodiments of the present application do not denote any order, quantity, or importance, but rather the terms are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
As described in the background art, in a wireless sensor network, a user side may access resources and services deployed in a distributed domain node side through a gateway node side, but information transmitted in the wireless sensor network is subject to various attacks such as tampering, leakage, guessing, and the like, and meanwhile, resources such as computing power, storage capacity, and the like of the gateway node are limited.
In view of the technical problems in the prior art, the present application provides a multi-factor identity authentication method for wireless body area networks, which aims to achieve secure identity authentication with minimum cost. The scheme of the application relates to a multi-factor identity authentication system consisting of three participants; referring to fig. 1, the multi-factor identity authentication system specifically includes a user terminal, a gateway node end and a body area node end. The user side is a mobile intelligent device held by a user, such as a mobile phone, a tablet computer, a smart watch or a wearable device. The body area node end can be a body area sensor, can be deployed or worn on a body part of a user, and provides resources or services related to the user. Body area sensors are typically low power devices equipped with one or more sensors, memory, processors, radios, power supplies and actuators. The gateway node end acts as a trusted third party and is responsible for completing the registration of the user end and the registration of the body domain node end, distributing keys to the user end and the body domain node end, and establishing a session channel.
The following examples further illustrate the embodiments of the present invention.
First, the present application provides a multi-factor identity authentication method for wireless body area networks, which is applied to the multi-factor identity authentication system of fig. 1, comprising the user terminal, the gateway node end and the body area node end.
Referring to fig. 2, the multi-factor identity authentication method for a wireless body area network includes the following steps:
Step S201, the user side receives a preset user name, a preset user password and biological characteristics input by a user, selects the body domain identity of the body domain node side to be accessed, and extracts a first timestamp; obtains a first request information set according to the preset user name, the preset user password, the biological characteristics, the body area identity, the first verification parameter, the second verification parameter and the user pseudo-random identity; and sends the user pseudo-random identity, the first request information set and the first timestamp to the gateway node end.
Wherein the first request information set includes first request information, second request information, and third request information.
Step S202, the gateway node side extracts a current timestamp, and carries out recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term secret key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; and sending the second request information set and the second timestamp to a body domain node end.
Wherein the first recovery data set comprises a random timestamp function value, the first intermediate verification value, the user public key, and the body domain identity; the second set of request information includes fourth request information, fifth request information, and sixth request information.
Step S203, the body area node end extracts a current timestamp, and carries out recovery calculation according to the current timestamp, the second timestamp and the body area secret value to obtain a second recovery data set; generating a third random number and extracting a third timestamp in response to the second recovery data set matching the second request information set; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; and sending the third request information set and the third timestamp to a gateway node end.
Wherein the second recovery data set includes the public key, the second random number, the random timestamp function value, the first intermediate verification value, and the body domain identity; the third set of request information includes fourth request information, fifth request information, and sixth request information.
Step S204, the gateway node side extracts a current timestamp, and performs recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; responding to the third recovery data set and the third request information set matching, selecting a new user pseudo-random identity for the user side according to the third recovery data set and the body area secret value, calculating a new first recovery data set according to the new user pseudo-random identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudo-random identity, and sending the fourth request information set to the user side.
Wherein the third recovery data set comprises the body domain identity, the body domain secret value, the encrypted third random number, and the session key; the third set of request information includes eleventh request information, twelfth request information, and thirteenth request information.
Step S205, the user side performs recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; in response to the fourth recovery data set matching the fourth request information set, the user side and the body domain node side share the session key, completing multi-factor identity authentication.
Wherein the fourth recovery data set includes the new first intermediate verification parameters.
The above steps S201 to S205 correspond to the authentication and negotiation phase among the user side, the gateway node end and the body area node end in the scheme of the present application. Before the authentication and negotiation phase, the method further includes a system initialization phase, a body domain node end registration phase and a user side registration phase, which are executed in advance.
The system initialization phase is executed by the gateway node end and aims to generate the relevant parameters of the multi-factor identity authentication system for subsequent steps such as registration, authentication and negotiation.
Referring to fig. 3, in the body domain node end registration phase, the body domain node end sends its own body domain identity to the gateway node end. Given a security parameter n, the gateway node end selects a gateway long-term key, selects a unique gateway identity (GID) for the body area node end, stores the GID at the gateway node end, and discloses the gateway identity GID.
The gateway node end computes a body-domain secret value [image] for the body area node end and returns the body-domain secret value to the body area node end through a secure channel. After receiving the body-domain secret value from the gateway node end, the body area node end stores the body-domain secret value in a secure storage unit.
Referring to fig. 4, the user side registration phase is executed by the user side and the gateway node end. It encrypts the user identity and the user password using a modulus operation; the periodicity of the modulus operation effectively prevents an attacker from guessing the user identity and the user password, thereby avoiding offline user identity and user password guessing attacks based on the smart card or the mobile device during the registration process and ensuring the security of the subsequent authentication and negotiation process.
Specifically, the user terminal
Figure DEST_PATH_IMAGE025
Receiving user name input by user
Figure 377852DEST_PATH_IMAGE024
And user password
Figure 885057DEST_PATH_IMAGE023
And according to the user name
Figure 629022DEST_PATH_IMAGE022
And the user password
Figure 865968DEST_PATH_IMAGE023
Calculating to obtain user secret value
Figure DEST_PATH_IMAGE026
The calculation mode of the user secret value is as follows:
Figure DEST_PATH_IMAGE027
wherein,
Figure DEST_PATH_IMAGE028
is the user secret value,
Figure 545342DEST_PATH_IMAGE024
is the user name,
Figure DEST_PATH_IMAGE029
is the bit concatenation operator,
Figure 320269DEST_PATH_IMAGE023
is the user password.
User terminal
Figure 664663DEST_PATH_IMAGE025
According to the user secret value
Figure 756115DEST_PATH_IMAGE026
Computing a user hash value
Figure DEST_PATH_IMAGE030
The calculation mode of the user hash value is as follows:
Figure DEST_PATH_IMAGE031
wherein,
Figure DEST_PATH_IMAGE032
is the user hash value,
Figure DEST_PATH_IMAGE033
is the hash operation,
Figure DEST_PATH_IMAGE034
is 1 to 256 bits
Figure DEST_PATH_IMAGE035
A large prime number in between.
User terminal
Figure 871970DEST_PATH_IMAGE025
Randomly generating an initial random number
Figure DEST_PATH_IMAGE036
According to the user hash value
Figure 868614DEST_PATH_IMAGE030
And generating initial authentication parameters by the initial random number r
Figure DEST_PATH_IMAGE037
And applying the initial verification parameters
Figure DEST_PATH_IMAGE038
And sending the data to the gateway node end through a secure channel.
The calculation mode of the initial verification parameter is as follows:
Figure DEST_PATH_IMAGE039
wherein,
Figure 157644DEST_PATH_IMAGE037
is the initial verification parameter,
Figure DEST_PATH_IMAGE040
is a first random number,
Figure DEST_PATH_IMAGE041
the gateway node side
Figure DEST_PATH_IMAGE042
Receiving initial verification parameters sent by the user terminal
Figure 41286DEST_PATH_IMAGE038
The gateway node end
Figure 826577DEST_PATH_IMAGE042
Is the user side
Figure DEST_PATH_IMAGE043
Selecting a user pseudorandom identity
Figure DEST_PATH_IMAGE044
And fingerprint key recovery function
Figure DEST_PATH_IMAGE045
According to the gateway long-term key
Figure DEST_PATH_IMAGE046
And said user pseudo-random identity
Figure DEST_PATH_IMAGE047
Calculating a first intermediate verification value
Figure DEST_PATH_IMAGE048
The first intermediate verification value is calculated in the following manner:
Figure DEST_PATH_IMAGE049
wherein,
Figure 874299DEST_PATH_IMAGE048
is the first intermediate verification value,
Figure 888391DEST_PATH_IMAGE044
is the user pseudo-random identity,
Figure DEST_PATH_IMAGE050
is the gateway long-term key.
Gateway node side
Figure 406966DEST_PATH_IMAGE042
According to the first intermediate verification value
Figure 989257DEST_PATH_IMAGE048
And the initial authentication parameter
Figure DEST_PATH_IMAGE051
Calculating a first verification parameter
Figure DEST_PATH_IMAGE052
The first verification parameter is calculated in the following way:
Figure DEST_PATH_IMAGE053
gateway node side
Figure 242384DEST_PATH_IMAGE042
Pseudo-random identity of the user
Figure 810900DEST_PATH_IMAGE044
The fingerprint key recovery function
Figure 75659DEST_PATH_IMAGE045
The first verification parameter
Figure 953485DEST_PATH_IMAGE052
And threshold of matching times
Figure DEST_PATH_IMAGE054
Storing in a smart card and transmitting the smart card to the user terminal
Figure DEST_PATH_IMAGE055
Wherein the matching-count threshold
Figure DEST_PATH_IMAGE056
is the number of authentication attempts allowed to the user in the subsequent steps; in the embodiment of the application, the matching-count threshold
Figure 146438DEST_PATH_IMAGE056
has its maximum value set to 3 and its initial value set to 0.
The user terminal
Figure 767912DEST_PATH_IMAGE055
Receiving fingerprint information input by user
Figure DEST_PATH_IMAGE057
According to the initial verification parameters
Figure 683916DEST_PATH_IMAGE037
And the first verification parameter
Figure 952217DEST_PATH_IMAGE052
Recovering the first intermediate verification value
Figure 117619DEST_PATH_IMAGE048
In this step, because the first intermediate verification value
Figure 152571DEST_PATH_IMAGE048
and the initial verification parameter
Figure 047715DEST_PATH_IMAGE037
are XORed to obtain the first verification parameter
Figure 611551DEST_PATH_IMAGE052
, the initial verification parameter
Figure DEST_PATH_IMAGE058
is not transmitted in plaintext from the gateway node side
Figure 106993DEST_PATH_IMAGE042
to the user end
Figure 273532DEST_PATH_IMAGE055
. Because of the periodicity of the modular operation, an attacker cannot effectively obtain, during transmission, the parameters involved in computing the user name and the user password, and therefore cannot guess the user name and the user password, so the offline password guessing attack based on the smart card or the mobile device is avoided. Furthermore, the gateway node side
Figure 429707DEST_PATH_IMAGE042
pre-assigns the pseudo-random identity
Figure 695603DEST_PATH_IMAGE044
, and this together with the use of the hash function avoids adopting an elliptic curve public key cryptographic algorithm with higher computational cost, thereby efficiently achieving user anonymity.
User terminal
Figure DEST_PATH_IMAGE059
According to the fingerprint information input by the user
Figure 851909DEST_PATH_IMAGE057
And the fingerprint key recovery function
Figure 618876DEST_PATH_IMAGE045
Calculating a second intermediate verification value
Figure DEST_PATH_IMAGE060
Figure DEST_PATH_IMAGE061
User terminal
Figure 206721DEST_PATH_IMAGE059
According to the user name
Figure 377940DEST_PATH_IMAGE024
The user password
Figure 739651DEST_PATH_IMAGE023
The first intermediate verification value
Figure 44730DEST_PATH_IMAGE048
And the second intermediate verification value
Figure 113181DEST_PATH_IMAGE060
Calculating a second verification parameter
Figure DEST_PATH_IMAGE062
The second verification parameter is calculated in the following manner:
Figure DEST_PATH_IMAGE063
user terminal
Figure 330666DEST_PATH_IMAGE055
According to the first intermediate verification value
Figure 241991DEST_PATH_IMAGE048
And the user hash value
Figure 960548DEST_PATH_IMAGE030
Updating the first verification parameter
Figure 211401DEST_PATH_IMAGE052
The updating mode of the first verification parameter is as follows:
Figure DEST_PATH_IMAGE064
user terminal
Figure 567165DEST_PATH_IMAGE059
Pseudo-random identity of the user
Figure 231364DEST_PATH_IMAGE044
The fingerprint key recovery function
Figure 550350DEST_PATH_IMAGE047
The updated first verification parameter
Figure 858972DEST_PATH_IMAGE052
The second verification parameter
Figure 418260DEST_PATH_IMAGE062
And the threshold of the number of matching times
Figure 976280DEST_PATH_IMAGE054
Stored in the smart card.
Fig. 5 shows, for the user side
Figure 302219DEST_PATH_IMAGE059
, the gateway node end
Figure DEST_PATH_IMAGE065
and the body area node end
Figure 793244DEST_PATH_IMAGE015
, the authentication and negotiation phase.
Specifically, the user inputs to the user end
Figure 710384DEST_PATH_IMAGE059
a preset user name
Figure DEST_PATH_IMAGE066
, a preset user password
Figure DEST_PATH_IMAGE067
and a biometric feature
Figure DEST_PATH_IMAGE068
into the smart card, and the smart card verifies the input user-related information, specifically including:
user terminal
Figure 660760DEST_PATH_IMAGE059
According to the preset user name
Figure DEST_PATH_IMAGE069
And the preset user password
Figure 603440DEST_PATH_IMAGE067
Recovering user hash values
Figure 621074DEST_PATH_IMAGE032
Figure DEST_PATH_IMAGE070
Wherein
Figure 568170DEST_PATH_IMAGE030
is the recovered user hash value,
Figure 38466DEST_PATH_IMAGE069
is the preset user name,
Figure 80109DEST_PATH_IMAGE067
is a preset user password.
User terminal
Figure DEST_PATH_IMAGE071
According to the user hash value
Figure 217829DEST_PATH_IMAGE032
And the first verification parameter
Figure DEST_PATH_IMAGE072
Recovering the first intermediate verification value
Figure DEST_PATH_IMAGE073
Figure DEST_PATH_IMAGE074
Wherein
Figure DEST_PATH_IMAGE075
is the recovered first intermediate verification value,
Figure 86559DEST_PATH_IMAGE052
is the first verification parameter.
User terminal
Figure 434364DEST_PATH_IMAGE059
According to the biological characteristics
Figure 436955DEST_PATH_IMAGE068
And the biometric recovery function
Figure 429182DEST_PATH_IMAGE045
Recovering the second intermediate verification value
Figure DEST_PATH_IMAGE076
Figure DEST_PATH_IMAGE077
Wherein,
Figure 170611DEST_PATH_IMAGE076
is the recovered second intermediate verification value,
Figure 740132DEST_PATH_IMAGE068
is the biometric feature.
User terminal
Figure 484097DEST_PATH_IMAGE071
According to the preset user name
Figure DEST_PATH_IMAGE078
The preset user password
Figure DEST_PATH_IMAGE079
The first intermediate verification value
Figure DEST_PATH_IMAGE080
And the second intermediate verification value
Figure 799672DEST_PATH_IMAGE076
Calculating a second predetermined verification parameter
Figure DEST_PATH_IMAGE081
Figure DEST_PATH_IMAGE082
Wherein
Figure 446423DEST_PATH_IMAGE081
is the second preset verification parameter.
User terminal
Figure 644186DEST_PATH_IMAGE059
compares the second preset verification parameter
Figure 50897DEST_PATH_IMAGE081
with the second verification parameter
Figure DEST_PATH_IMAGE083
. If they match, the user-related information is considered to have passed verification; if they do not match, the matching count
Figure 283295DEST_PATH_IMAGE054
is automatically incremented by 1 and the user is asked to enter another set of
Figure 867991DEST_PATH_IMAGE078
Figure 553051DEST_PATH_IMAGE079
Figure 29031DEST_PATH_IMAGE068
for identity authentication. If the value of
Figure 647094DEST_PATH_IMAGE054
exceeds the matching-count threshold
Figure DEST_PATH_IMAGE084
, the session is terminated and the user account is frozen until the user end
Figure 635648DEST_PATH_IMAGE059
re-registers the user. In the embodiment of the present application, the initial value of
Figure DEST_PATH_IMAGE085
is 0; after entering the loop, if the value of
Figure DEST_PATH_IMAGE086
exceeds 3, the session is terminated and the user account is frozen until the user end
Figure 401479DEST_PATH_IMAGE059
re-registers the user.
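The smart card's local check described above (XOR recovery of the first intermediate verification value, comparison of the second verification parameter, and the attempt counter that freezes the account), as an added sketch that is not part of the patent text. The formula images did not survive on this page, so the hash (SHA-256), the modulus `N0 = 251`, the exact form of both verification parameters and every sample value are assumptions; the sketch also measures how many candidate passwords satisfy a modular verifier, which is why a card holder cannot confirm a guess offline.

```python
import hashlib
import hmac

N0 = 251          # assumption: small prime modulus; the patent's value is not recoverable here
MAX_ATTEMPTS = 3  # from the page: maximum value 3, counter starts at 0


def H(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, as an integer (stand-in for hash and bit-join)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(d.digest(), "big")


def user_hash(user_id: str, password: str) -> int:
    """User hash value: hash of the user secret value (name || password), reduced mod N0."""
    return H(user_id.encode(), password.encode()) % N0


def second_param(user_id: str, password: str, k1: int, k2: bytes) -> int:
    """Second verification parameter over name, password and both intermediate values.
    Reducing it mod N0 is an assumption of this sketch."""
    return H(user_id.encode(), password.encode(), k1.to_bytes(32, "big"), k2) % N0


class SmartCard:
    """Holds only what the page says the card stores after registration."""

    def __init__(self, user_id: str, password: str, k1: int, k2: bytes):
        self.b1 = k1 ^ user_hash(user_id, password)         # updated first verification parameter
        self.b2 = second_param(user_id, password, k1, k2)   # second verification parameter
        self.count = 0                                       # matching count, initial value 0
        self.frozen = False

    def passes(self, user_id: str, password: str, k2: bytes) -> bool:
        """Pure check: recover the first intermediate value by XOR, recompute, compare."""
        k1 = self.b1 ^ user_hash(user_id, password)
        expected = second_param(user_id, password, k1, k2)
        return hmac.compare_digest(expected.to_bytes(2, "big"), self.b2.to_bytes(2, "big"))

    def verify(self, user_id: str, password: str, k2: bytes) -> str:
        """Login attempt with the counter; returns 'ok', 'mismatch' or 'frozen'."""
        if self.frozen:
            return "frozen"            # stays frozen until the user re-registers
        if self.passes(user_id, password, k2):
            return "ok"                # the page does not say whether success resets the count
        self.count += 1
        if self.count > MAX_ATTEMPTS:  # "exceeds 3": terminate the session and freeze
            self.frozen = True
            return "frozen"
        return "mismatch"


def ambiguity(card: SmartCard, user_id: str, k2: bytes, candidates: list) -> list:
    """Candidates that satisfy the card's check without touching the counter.
    More than one survivor means the stored values do not single out the password."""
    return [pw for pw in candidates if card.passes(user_id, pw, k2)]


# Constructed sample values (not from the patent).
K1 = H(b"constructed first intermediate verification value")
K2 = hashlib.sha256(b"constructed fingerprint-derived value").digest()
CANDIDATES = ["correct horse"] + [f"guess{i:04d}" for i in range(5000)]

if __name__ == "__main__":
    card = SmartCard("alice", "correct horse", K1, K2)
    hits = ambiguity(card, "alice", K2, CANDIDATES)
    print(len(hits), "of", len(CANDIDATES), "candidates satisfy the local check")
    rejected = [pw for pw in CANDIDATES if pw not in hits][:4]
    print([card.verify("alice", pw, K2) for pw in rejected])
```

A smaller modulus leaves more surviving candidates but also lets more wrong passwords pass the card's own check, so the gateway-side checks later in the phase still have to reject them.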
User terminal
Figure 25358DEST_PATH_IMAGE059
After the verification of the user related information is passed, in the embodiment of the application, the smart card runs a 1024-bit RSA encryption algorithm system to generate a user public key
Figure DEST_PATH_IMAGE087
And the user private key
Figure DEST_PATH_IMAGE088
Selecting a first random number
Figure DEST_PATH_IMAGE089
Selecting the body area node end needing to be accessed
Figure 904452DEST_PATH_IMAGE018
Body area identification of
Figure DEST_PATH_IMAGE090
Extracting the first time stamp
Figure DEST_PATH_IMAGE091
According to said first intermediate verification value
Figure 329486DEST_PATH_IMAGE048
The user public key
Figure 457979DEST_PATH_IMAGE087
The first random number
Figure 275763DEST_PATH_IMAGE089
The first time stamp
Figure 868418DEST_PATH_IMAGE091
The body area identity mark
Figure 621610DEST_PATH_IMAGE090
And said user pseudo-random identity
Figure 112766DEST_PATH_IMAGE044
Generating first request information
Figure DEST_PATH_IMAGE092
The second request message
Figure DEST_PATH_IMAGE093
And third request information
Figure DEST_PATH_IMAGE094
Figure DEST_PATH_IMAGE095
Wherein,
Figure 671923DEST_PATH_IMAGE092
is the first request information,
Figure 696248DEST_PATH_IMAGE093
is the second request information,
Figure 354763DEST_PATH_IMAGE094
is the third request information,
Figure 848061DEST_PATH_IMAGE087
is the user public key,
Figure 883013DEST_PATH_IMAGE089
is the first random number,
Figure DEST_PATH_IMAGE096
is the first timestamp,
Figure 263310DEST_PATH_IMAGE090
is the body area identity,
Figure DEST_PATH_IMAGE097
is the user pseudo-random identity.
User terminal
Figure 623884DEST_PATH_IMAGE059
Pseudo-random identity of the user
Figure 604479DEST_PATH_IMAGE044
The first request information
Figure 911963DEST_PATH_IMAGE092
The second request information
Figure 746818DEST_PATH_IMAGE093
The third request information
Figure 12715DEST_PATH_IMAGE094
And the first time stamp
Figure 887130DEST_PATH_IMAGE096
Sending to gateway node
Figure DEST_PATH_IMAGE098
Gateway node side
Figure 857360DEST_PATH_IMAGE019
receives the information sent by the user terminal
Figure 133620DEST_PATH_IMAGE059
, extracts the current timestamp
Figure DEST_PATH_IMAGE099
and checks whether the time difference between the current timestamp
Figure 649047DEST_PATH_IMAGE099
and the first timestamp
Figure 338654DEST_PATH_IMAGE096
is less than a time threshold
Figure DEST_PATH_IMAGE100
Figure DEST_PATH_IMAGE101
Gateway node side
Figure 96263DEST_PATH_IMAGE019
In response to the current timestamp
Figure 695872DEST_PATH_IMAGE099
And the first time stamp
Figure 100308DEST_PATH_IMAGE091
The difference between the two is not more than the preset time threshold
Figure DEST_PATH_IMAGE102
According to said user pseudo-random identity
Figure 480474DEST_PATH_IMAGE044
The gateway long-term key
Figure DEST_PATH_IMAGE103
The first request information
Figure 339977DEST_PATH_IMAGE092
And the second request information
Figure 794092DEST_PATH_IMAGE093
Recovering to obtain random time stamp function value
Figure DEST_PATH_IMAGE104
The first intermediate verification value
Figure DEST_PATH_IMAGE105
The user public key
Figure DEST_PATH_IMAGE106
And the body area identity
Figure DEST_PATH_IMAGE107
Figure DEST_PATH_IMAGE108
Wherein,
Figure DEST_PATH_IMAGE109
is the gateway long-term key,
Figure DEST_PATH_IMAGE110
is the recovered random timestamp function value,
Figure 540069DEST_PATH_IMAGE106
is the recovered user public key,
Figure 689421DEST_PATH_IMAGE107
is the recovered body area identity,
Figure DEST_PATH_IMAGE111
is the recovered first intermediate verification value.
Gateway node side
Figure DEST_PATH_IMAGE112
According to the pseudo-random identity of the user
Figure 70724DEST_PATH_IMAGE044
The body area identity mark
Figure 113767DEST_PATH_IMAGE107
The random timestamp function value
Figure DEST_PATH_IMAGE113
And said user public key
Figure 702749DEST_PATH_IMAGE106
Calculating third preset request information
Figure DEST_PATH_IMAGE114
Figure DEST_PATH_IMAGE115
If the third preset request information
Figure 260769DEST_PATH_IMAGE114
and the third request information
Figure DEST_PATH_IMAGE116
match, this indicates that
Figure DEST_PATH_IMAGE117
has correctly recovered the body area identity
Figure 930916DEST_PATH_IMAGE107
, the random timestamp function value
Figure 890782DEST_PATH_IMAGE113
and the user public key
Figure 135818DEST_PATH_IMAGE106
; if the third preset request information
Figure 384397DEST_PATH_IMAGE114
and the third request information
Figure DEST_PATH_IMAGE118
do not match, the session is terminated.
Gateway node side
Figure 887928DEST_PATH_IMAGE112
Responding to the third preset request information
Figure 905563DEST_PATH_IMAGE114
And the third request information
Figure 321501DEST_PATH_IMAGE118
Matching, selecting a second random number
Figure DEST_PATH_IMAGE119
Extracting the second time stamp
Figure DEST_PATH_IMAGE120
According to the gateway long-term key
Figure DEST_PATH_IMAGE121
And the body area identity
Figure 870425DEST_PATH_IMAGE107
Computing body-domain secret values
Figure DEST_PATH_IMAGE122
Figure DEST_PATH_IMAGE123
Gateway node side
Figure DEST_PATH_IMAGE124
According to the body-domain secret value
Figure DEST_PATH_IMAGE125
The body area identity mark
Figure 177647DEST_PATH_IMAGE107
The user public key
Figure 112105DEST_PATH_IMAGE106
The second random number
Figure DEST_PATH_IMAGE126
The random timestamp function value
Figure DEST_PATH_IMAGE127
The first intermediate verification value
Figure 511994DEST_PATH_IMAGE048
And the second time stamp
Figure 266323DEST_PATH_IMAGE120
Generating fourth request information
Figure DEST_PATH_IMAGE128
The fifth request message
Figure DEST_PATH_IMAGE129
And sixth request information
Figure DEST_PATH_IMAGE130
Figure DEST_PATH_IMAGE131
Gateway node side
Figure 642815DEST_PATH_IMAGE019
Sending the fourth request information
Figure DEST_PATH_IMAGE132
The fifth request information
Figure 962938DEST_PATH_IMAGE129
The sixth request information
Figure 392783DEST_PATH_IMAGE130
And the second time stamp
Figure DEST_PATH_IMAGE133
Sending to the body area node side
Figure 181878DEST_PATH_IMAGE107
Body area node terminal
Figure 191422DEST_PATH_IMAGE107
Receiving gateway node end
Figure 834893DEST_PATH_IMAGE098
The current timestamp is extracted from the sent information
Figure 29114DEST_PATH_IMAGE099
Responding with the current timestamp
Figure 695719DEST_PATH_IMAGE099
And the second time stamp
Figure 882856DEST_PATH_IMAGE133
The difference between the two is not more than the preset time threshold
Figure 646412DEST_PATH_IMAGE100
According to the body-domain secret value
Figure DEST_PATH_IMAGE134
Recovering to obtain the public key
Figure DEST_PATH_IMAGE135
The second random number
Figure DEST_PATH_IMAGE136
The random timestamp function value
Figure 683638DEST_PATH_IMAGE127
The first intermediate verification value
Figure 244064DEST_PATH_IMAGE048
And the body area identity
Figure 329832DEST_PATH_IMAGE107
Figure DEST_PATH_IMAGE137
Body area node terminal
Figure 541370DEST_PATH_IMAGE005
According to the random time stamp function value
Figure 421601DEST_PATH_IMAGE127
The second random number
Figure DEST_PATH_IMAGE138
The body-area secret value
Figure DEST_PATH_IMAGE139
The body area identity mark
Figure 436700DEST_PATH_IMAGE107
And the second time stamp
Figure 450792DEST_PATH_IMAGE120
Calculating sixth preset request information
Figure DEST_PATH_IMAGE140
Figure DEST_PATH_IMAGE141
If the sixth preset request information
Figure 939673DEST_PATH_IMAGE140
and the sixth request information
Figure DEST_PATH_IMAGE142
match, this indicates that the body area node end has correctly recovered the public key
Figure 912177DEST_PATH_IMAGE087
, the second random number
Figure DEST_PATH_IMAGE143
, the random timestamp function value
Figure 883413DEST_PATH_IMAGE110
, the first intermediate verification value
Figure 373301DEST_PATH_IMAGE073
and the body area identity
Figure 169218DEST_PATH_IMAGE107
. If the sixth preset request information
Figure 781465DEST_PATH_IMAGE140
and the sixth request information
Figure 397254DEST_PATH_IMAGE142
do not match, the session is terminated.
Body area node terminal
Figure 690832DEST_PATH_IMAGE005
Responding to the sixth preset request message
Figure 216623DEST_PATH_IMAGE140
And the sixth request information
Figure 875137DEST_PATH_IMAGE142
Matching to generate a third random number
Figure DEST_PATH_IMAGE144
Extracting the third time stamp
Figure DEST_PATH_IMAGE145
According to said user public key
Figure 102856DEST_PATH_IMAGE135
For the third random number
Figure DEST_PATH_IMAGE146
Encrypting to obtain encrypted third random number
Figure DEST_PATH_IMAGE147
Figure DEST_PATH_IMAGE148
Wherein,
Figure DEST_PATH_IMAGE149
is the encrypted third random number,
Figure DEST_PATH_IMAGE150
is a third random number.
Body area node terminal
Figure 121497DEST_PATH_IMAGE005
According to the function value of the random time stamp
Figure 423165DEST_PATH_IMAGE110
The third random number
Figure DEST_PATH_IMAGE151
The first intermediate verification value
Figure 846056DEST_PATH_IMAGE073
Generating session keys
Figure DEST_PATH_IMAGE152
Figure DEST_PATH_IMAGE153
The session key
Figure DEST_PATH_IMAGE154
serves as the bridge for communication between the user side and the body area node side. The body area node terminal
Figure 748022DEST_PATH_IMAGE003
needs to compute only one modular exponentiation encryption, over the session key
Figure 383403DEST_PATH_IMAGE154
generation random number
Figure DEST_PATH_IMAGE155
, and can then generate the same session key as the legitimate user
Figure DEST_PATH_IMAGE156
. Even an attacker who possesses the gateway long-term key
Figure 680523DEST_PATH_IMAGE109
cannot effectively overcome the RSA factorization problem and so cannot crack
Figure 946419DEST_PATH_IMAGE155
, and therefore cannot recover the session key that the body area node terminal
Figure 820834DEST_PATH_IMAGE003
generated, namely
Figure DEST_PATH_IMAGE157
, which effectively solves the forward security problem.
Body area node terminal
Figure 525485DEST_PATH_IMAGE005
According to the body area identity
Figure 801746DEST_PATH_IMAGE107
The second random number
Figure DEST_PATH_IMAGE158
The encrypted third random number
Figure DEST_PATH_IMAGE159
The session key
Figure 409182DEST_PATH_IMAGE154
The body-domain secret value
Figure DEST_PATH_IMAGE160
And the third time stamp
Figure DEST_PATH_IMAGE161
Generating seventh request information
Figure DEST_PATH_IMAGE162
The eighth request message
Figure DEST_PATH_IMAGE163
The ninth request message
Figure DEST_PATH_IMAGE164
The tenth request message
Figure DEST_PATH_IMAGE165
Figure DEST_PATH_IMAGE166
Body area node terminal
Figure 957844DEST_PATH_IMAGE005
Sending the seventh request message
Figure DEST_PATH_IMAGE167
The eighth request message
Figure DEST_PATH_IMAGE168
The ninth request message
Figure 935027DEST_PATH_IMAGE164
The tenth request message
Figure 331374DEST_PATH_IMAGE165
And the third time stamp
Figure DEST_PATH_IMAGE169
Sending to gateway node
Figure DEST_PATH_IMAGE170
Gateway node side
Figure DEST_PATH_IMAGE171
Receiving a body area node side
Figure 876756DEST_PATH_IMAGE005
The current timestamp is extracted from the transmitted information
Figure DEST_PATH_IMAGE172
Responding with the current timestamp
Figure DEST_PATH_IMAGE173
And the third time stamp
Figure 709451DEST_PATH_IMAGE169
The difference between the two is not more than the preset time threshold
Figure DEST_PATH_IMAGE174
According to the second random number
Figure 83801DEST_PATH_IMAGE089
The seventh request information
Figure 272337DEST_PATH_IMAGE167
The eighth request message
Figure 847674DEST_PATH_IMAGE168
The gateway long-term key
Figure DEST_PATH_IMAGE175
Recovering to obtain the body domain identity
Figure 200290DEST_PATH_IMAGE090
The body-area secret value
Figure 847172DEST_PATH_IMAGE122
The encrypted third random number
Figure DEST_PATH_IMAGE176
The session key
Figure 421372DEST_PATH_IMAGE152
Function value of (c):
Figure DEST_PATH_IMAGE177
wherein,
Figure DEST_PATH_IMAGE178
is the encrypted third random number and session key function value.
Body area node terminal
Figure 213617DEST_PATH_IMAGE005
According to the encrypted third random number
Figure DEST_PATH_IMAGE179
The session key
Figure 568375DEST_PATH_IMAGE157
The second random number
Figure DEST_PATH_IMAGE180
The body-domain secret value
Figure DEST_PATH_IMAGE181
And the third time stamp
Figure DEST_PATH_IMAGE182
Calculating ninth preset request information
Figure DEST_PATH_IMAGE183
Figure DEST_PATH_IMAGE184
If the ninth preset request information
Figure 399975DEST_PATH_IMAGE183
and the ninth request information
Figure DEST_PATH_IMAGE185
match, this indicates that the gateway node side
Figure 890999DEST_PATH_IMAGE042
has correctly recovered the body area identity
Figure 808139DEST_PATH_IMAGE107
, the body-domain secret value
Figure 932084DEST_PATH_IMAGE125
, the encrypted third random number
Figure 796135DEST_PATH_IMAGE159
and the session key
Figure 203983DEST_PATH_IMAGE154
. If the ninth preset request information
Figure DEST_PATH_IMAGE186
and the ninth request information
Figure 72451DEST_PATH_IMAGE185
do not match, the session is terminated.
Body area node terminal
Figure 808325DEST_PATH_IMAGE005
Responding to the ninth preset request information
Figure 272805DEST_PATH_IMAGE183
And the ninth request information
Figure DEST_PATH_IMAGE187
Matching according to the tenth request information
Figure DEST_PATH_IMAGE188
The session key
Figure 4000DEST_PATH_IMAGE154
The second random number
Figure DEST_PATH_IMAGE189
And the body-domain secret value
Figure 544834DEST_PATH_IMAGE125
Calculating encrypted third random number and session key function value
Figure DEST_PATH_IMAGE190
Figure DEST_PATH_IMAGE191
Gateway node side
Figure 627060DEST_PATH_IMAGE112
Selecting a new user pseudorandom identity for said user side
Figure DEST_PATH_IMAGE192
According to said new pseudo-random identity of said user
Figure 675656DEST_PATH_IMAGE192
And the gateway long-term key
Figure 464621DEST_PATH_IMAGE109
Figure DEST_PATH_IMAGE193
Calculating new first intermediate verification parameters
Figure 425623DEST_PATH_IMAGE192
Figure DEST_PATH_IMAGE194
Wherein,
Figure 277036DEST_PATH_IMAGE192
is the new first intermediate verification parameter,
Figure DEST_PATH_IMAGE195
is the new user pseudo-random identity.
Body area node terminal
Figure 880055DEST_PATH_IMAGE005
According to the new first intermediate verification parameter
Figure 461209DEST_PATH_IMAGE192
The first intermediate verification parameter
Figure DEST_PATH_IMAGE196
The new pseudo-random identity
Figure DEST_PATH_IMAGE197
The encrypted third random number
Figure 373540DEST_PATH_IMAGE159
The first random number
Figure DEST_PATH_IMAGE198
The first time stamp
Figure DEST_PATH_IMAGE199
And said encrypted third random number and session key function value
Figure DEST_PATH_IMAGE200
Generating eleventh request information
Figure DEST_PATH_IMAGE201
The twelfth request message
Figure DEST_PATH_IMAGE202
And thirteenth request information
Figure DEST_PATH_IMAGE203
Figure DEST_PATH_IMAGE204
Figure DEST_PATH_IMAGE205
Figure DEST_PATH_IMAGE206
Gateway node side
Figure 882887DEST_PATH_IMAGE112
Transmitting the eleventh request message
Figure DEST_PATH_IMAGE207
The twelfth request information
Figure DEST_PATH_IMAGE208
And the thirteenth request information
Figure DEST_PATH_IMAGE209
and sends them to the user side. In this step, after the body area node side
Figure 758439DEST_PATH_IMAGE005
negotiates the session key
Figure DEST_PATH_IMAGE210
, the body area node end
Figure 538308DEST_PATH_IMAGE003
binds the encrypted third random number
Figure 903430DEST_PATH_IMAGE159
simultaneously into what it sends to the gateway node end
Figure 119648DEST_PATH_IMAGE117
concerning the session key
Figure DEST_PATH_IMAGE211
, the encrypted third random number and session key function value
Figure DEST_PATH_IMAGE212
, and into what the gateway node side
Figure 313737DEST_PATH_IMAGE117
sends to the user end
Figure DEST_PATH_IMAGE213
, the related parameters on the session key. Therefore, a legitimate user cannot unilaterally, from the parameters that the body area node end
Figure 462959DEST_PATH_IMAGE003
sends to the gateway node side
Figure 874349DEST_PATH_IMAGE112
concerning the session key
Figure 577863DEST_PATH_IMAGE210
and that the gateway node side
Figure 608267DEST_PATH_IMAGE117
sends to the user end
Figure 18519DEST_PATH_IMAGE213
concerning the session key
Figure 725444DEST_PATH_IMAGE210
, obtain the body area node end
Figure 916254DEST_PATH_IMAGE005
, and in turn cannot recover from the public channel the session key
Figure 609404DEST_PATH_IMAGE210
related parameters, and in turn cannot impersonate the body area node end
Figure 513643DEST_PATH_IMAGE005
to calculate, for the next legitimate user, the correct session key
Figure 1257DEST_PATH_IMAGE210
, and in turn cannot pass the authentication of the gateway node
Figure 679363DEST_PATH_IMAGE098
.
User terminal
Figure 300837DEST_PATH_IMAGE043
receives from the gateway node end
Figure 951261DEST_PATH_IMAGE098
the above information and, according to the first intermediate verification value
Figure DEST_PATH_IMAGE214
And the eleventh request information
Figure DEST_PATH_IMAGE215
Restoring the new first intermediate verification parameters
Figure 219562DEST_PATH_IMAGE192
Figure DEST_PATH_IMAGE216
User terminal
Figure 650544DEST_PATH_IMAGE043
Calculating thirteenth preset request information according to the user private key
Figure DEST_PATH_IMAGE217
In response to the thirteenth preset request information
Figure DEST_PATH_IMAGE218
and the thirteenth request information
Figure 528239DEST_PATH_IMAGE209
matching, the user terminal
Figure DEST_PATH_IMAGE219
and the body area node end
Figure 892224DEST_PATH_IMAGE005
share the session key
Figure 783957DEST_PATH_IMAGE210
, and the multi-factor identity authentication is complete.
As an optional embodiment, to suit a wireless body area network in which body area node ends
Figure 984125DEST_PATH_IMAGE003
are added at any time as required, the application also supports dynamic addition of body area node ends
Figure 822768DEST_PATH_IMAGE005
. A newly added body area node end
Figure 244522DEST_PATH_IMAGE005
only needs to perform a simple registration with the gateway node end
Figure 635052DEST_PATH_IMAGE019
; after the gateway node end
Figure 447150DEST_PATH_IMAGE098
broadcasts the identity of the new body area node end
Figure 197806DEST_PATH_IMAGE005
, the new body area node end
Figure 677329DEST_PATH_IMAGE003
can carry out key negotiation with the user terminal
Figure 910864DEST_PATH_IMAGE219
.
As an alternative embodiment, to embody the user terminal
Figure 600472DEST_PATH_IMAGE219
The method and the device also support user password updating.
In particular, referring to fig. 5, in response to the user terminal
Figure 515338DEST_PATH_IMAGE219
And the body area node end
Figure 724734DEST_PATH_IMAGE005
Sharing session keys
Figure 129170DEST_PATH_IMAGE211
Said user terminal
Figure DEST_PATH_IMAGE220
Receiving a preset user name input by a user
Figure DEST_PATH_IMAGE221
Presetting a user password
Figure DEST_PATH_IMAGE222
And biological characteristics
Figure DEST_PATH_IMAGE223
According to the preset user name
Figure 86500DEST_PATH_IMAGE221
And the preset user password
Figure DEST_PATH_IMAGE224
Computing user hash values
Figure DEST_PATH_IMAGE225
Figure DEST_PATH_IMAGE226
Wherein,
Figure 132953DEST_PATH_IMAGE225
is the user hash value,
Figure DEST_PATH_IMAGE227
is the preset user name,
Figure DEST_PATH_IMAGE228
is the preset user password,
Figure DEST_PATH_IMAGE229
is the bit concatenation operator,
Figure DEST_PATH_IMAGE230
is the hash operation,
Figure DEST_PATH_IMAGE231
is 1 to 256 bits
Figure DEST_PATH_IMAGE232
A large prime number in between.
User terminal
Figure 570757DEST_PATH_IMAGE220
According to the user hash value
Figure 349357DEST_PATH_IMAGE225
And the first verification parameter
Figure DEST_PATH_IMAGE233
Calculating a first intermediate verification value
Figure DEST_PATH_IMAGE234
Figure DEST_PATH_IMAGE235
Wherein,
Figure 561026DEST_PATH_IMAGE234
is the first intermediate verification value,
Figure 83275DEST_PATH_IMAGE233
is the first verification parameter.
User terminal
Figure 188634DEST_PATH_IMAGE219
According to the biological characteristics
Figure DEST_PATH_IMAGE236
And the biometric recovery function
Figure DEST_PATH_IMAGE237
Calculating a second intermediate verification value
Figure DEST_PATH_IMAGE238
Figure DEST_PATH_IMAGE239
Wherein,
Figure 43195DEST_PATH_IMAGE238
is the second intermediate verification value,
Figure 929112DEST_PATH_IMAGE223
is the biometric feature,
Figure 989471DEST_PATH_IMAGE237
is the fingerprint key recovery function.
The user terminal, according to the preset user name, the preset user password, the first intermediate verification value and the second intermediate verification value, calculates a second preset verification parameter:
[formula image not reproduced]
Wherein the symbol denotes the second preset verification parameter.
In response to the second verification parameter matching the second preset verification parameter, the user terminal receives an updated user password input by the user and, according to the preset user name, the updated user password, the user hash value, the first intermediate verification value and the second intermediate verification value, calculates an updated first verification parameter and an updated second verification parameter:
[formula image not reproduced]
Wherein the symbols denote the new first verification parameter and the new second verification parameter.
The user terminal replaces the first verification parameter, the second verification parameter and the user pseudo-random identity in the smart card with the updated first verification parameter, the updated second verification parameter and the new user pseudo-random identity.
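The local verification and password update steps above, as an added Python example that is not part of the patent. The patent's formulas are not reproduced on this page, so the XOR masking, SHA-256, the modulus `N0`, the keyed-hash stand-in for the biometric recovery function, the reading of the matching threshold as a failed-attempt limit, and all function and field names are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed modulus (a Mersenne prime). The patent's prime is not given on the page.
N0 = 2**127 - 1


def h(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, returned as an integer (assumed hash)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(digest.digest(), "big")


def i2b(value: int) -> bytes:
    return value.to_bytes(32, "big")


def recover_bio_key(biometric: bytes, helper: bytes) -> int:
    """Stand-in for the biometric recovery function: exact-match keyed hash.
    A real fuzzy extractor tolerates sensor noise; this stand-in does not."""
    return int.from_bytes(hmac.new(helper, biometric, hashlib.sha256).digest(), "big")


def user_hash(name: str, password: str) -> int:
    """User hash value: hash of name || password, reduced modulo the prime."""
    return h(name.encode(), password.encode()) % N0


def verifier(name: str, password: str, first_iv: int, second_iv: int) -> int:
    """Second verification parameter over both secrets and both intermediate values."""
    return h(name.encode(), password.encode(), i2b(first_iv), i2b(second_iv))


@dataclass
class SmartCard:
    first_param: int    # first verification parameter (masked first intermediate value)
    second_param: int   # second verification parameter (local verifier)
    pseudo_id: bytes    # user pseudo-random identity
    helper: bytes       # input to the biometric recovery stand-in
    max_failures: int   # matching threshold, read here as a failed-attempt limit
    failures: int = 0


def issue_card(name, password, biometric, first_iv, pseudo_id, helper, max_failures=3):
    """Build the card state that registration would leave behind (constructed)."""
    second_iv = recover_bio_key(biometric, helper)
    return SmartCard(first_iv ^ user_hash(name, password),
                     verifier(name, password, first_iv, second_iv),
                     pseudo_id, helper, max_failures)


def local_verify(card: SmartCard, name: str, password: str, biometric: bytes):
    """Recover both intermediate values and check them against the card."""
    if card.failures >= card.max_failures:
        raise PermissionError("card locked")
    first_iv = card.first_param ^ user_hash(name, password)
    second_iv = recover_bio_key(biometric, card.helper)
    expected = verifier(name, password, first_iv, second_iv)
    if not hmac.compare_digest(i2b(expected), i2b(card.second_param)):
        card.failures += 1
        raise PermissionError("local verification failed")
    card.failures = 0
    return first_iv, second_iv


def change_password(card, name, old_pw, new_pw, biometric, new_pseudo_id):
    """Re-mask the unchanged first intermediate value under the new password."""
    first_iv, second_iv = local_verify(card, name, old_pw, biometric)
    card.first_param = first_iv ^ user_hash(name, new_pw)
    card.second_param = verifier(name, new_pw, first_iv, second_iv)
    card.pseudo_id = new_pseudo_id
    return first_iv


def demo():
    """Constructed values only; returns True when the old password is rejected."""
    first_iv = 0x0123456789ABCDEF << 128
    card = issue_card("alice", "old-pass", b"constructed-template", first_iv,
                      b"PID-1", helper=b"constructed-helper")
    change_password(card, "alice", "old-pass", "new-pass",
                    b"constructed-template", b"PID-2")
    try:
        local_verify(card, "alice", "old-pass", b"constructed-template")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("old password rejected after update:", demo())
```

The first intermediate verification value never changes during the update; only its mask and the local verifier are recomputed, which is why the change needs no round trip to the gateway node.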
Therefore, the multi-factor identity authentication method facing the wireless body area network realizes three-party mutual authentication and negotiation among the user terminal, the gateway node terminal and the body area node terminal without transmitting the user's private information, and at the same time generates the session key of the user terminal and the body area node terminal by using a complex encryption algorithm. Because the first intermediate authentication parameter is embedded in the calculation of the session key, an attacker who does not hold the user's first intermediate authentication parameter cannot recover a previously negotiated session key using only the other parameters sent during transmission. The attack of session key temporary parameter leakage is therefore effectively resisted, and the session key is prevented from being leaked. In addition, the gateway node end does not need to store a large number of identity identifications and user passwords of registered users; it only needs to store its own relevant parameters, which greatly reduces the consumption of storage space while still effectively verifying the legal identity of the user, and solves the security problem and the storage problem of multi-factor identity authentication.
It should be noted that the method of the embodiment of the present application may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the multiple devices may only perform one or more steps of the method of the embodiment, and the multiple devices interact with each other to complete the method.
It should be noted that the above describes some embodiments of the present application. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Based on the same inventive concept, the application provides a multi-factor identity authentication system.
Referring to Fig. 1, the multi-factor identity authentication system includes a user side, a gateway node side and a body area node side; the user side stores a smart card obtained after registering with the gateway node side, and the smart card comprises a first verification parameter, a second verification parameter, a user pseudo-random identity, a biological feature recovery function and a matching frequency threshold value; the gateway node end stores a gateway long-term key, a gateway identity and a body domain secret value calculated for the body domain node end; the body domain node end stores the body domain secret value calculated by the gateway node end for the body domain node end;
the user side is configured to receive a preset user name, a preset user password and biological characteristics input by a user, and selects a body domain identity of the body domain node side needing to be accessed to extract a first timestamp; obtaining a first request information set according to a preset user name, a preset user password, biological characteristics, a body area identity, a first verification parameter, a second verification parameter and a user pseudo-random identity; sending the user pseudo-random identity, the first request information set and the first timestamp to a gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; sending the second request information set and the second timestamp to a body domain node end;
the body domain node end is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the second timestamp and the body domain secret value to obtain a second recovery data set; generating a third random number and extracting a third timestamp in response to the second recovery data set matching the second request information set; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; sending the third request information set and the third timestamp to a gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; in response to the third recovery data set matching the third request information set, selecting a new user pseudorandom identity for the user side according to the third recovery data set and the body-domain secret value, calculating a new first recovery data set according to the new user pseudorandom identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudorandom identity, and sending the fourth request information set to the user side;
the user side is configured to perform recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; and responding to the matching of the fourth recovery data set and the fourth request information set, wherein the user side and the body domain node side share the session key to complete multi-factor identity authentication.
For convenience of description, the above devices are described as being divided into various modules by function, and the modules are described separately. Of course, when implementing the present application, the functionality of the various modules may be implemented in the same one or more pieces of software and/or hardware.
The apparatus of the foregoing embodiment is used to implement the corresponding multi-factor identity authentication oriented to the wireless body area network in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, corresponding to any of the above-mentioned embodiment methods, the present application further provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform the wireless body area network-oriented multi-factor identity authentication as described in any of the above embodiments.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiment are used to enable the computer to perform the multi-factor identity authentication oriented to the wireless body area network according to any of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which are not described herein again.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the context of the present application, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present application as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures for simplicity of illustration and discussion, and so as not to obscure the embodiments of the application. Furthermore, devices may be shown in block diagram form in order to avoid obscuring embodiments of the application, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the application are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the application, it should be apparent to one skilled in the art that the embodiments of the application can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present application are intended to be included within the scope of the present application.

Claims (10)

1. A multi-factor identity authentication method facing a wireless body area network, characterized in that the method is applied to a multi-factor identity authentication system comprising a user terminal, a gateway node terminal and a body area node terminal; the user side stores a smart card obtained after registering with the gateway node side, and the smart card comprises a first verification parameter, a second verification parameter, a user pseudo-random identity, a biological feature recovery function and a matching frequency threshold value; the gateway node end stores a gateway long-term key, a gateway identity and a body domain secret value calculated for the body domain node end; the body domain node end stores the body domain secret value calculated by the gateway node end for the body domain node end;
the multi-factor identity authentication method facing the wireless body area network comprises the following steps:
the user side receives a preset user name, a preset user password and biological characteristics input by a user, and selects a body area identity of the body area node side needing to be accessed to extract a first timestamp; obtaining a first request information set according to a preset user name, a preset user password, biological characteristics, a body area identity, a first verification parameter, a second verification parameter and a user pseudo-random identity; sending the user pseudo-random identity, the first request information set and the first timestamp to a gateway node end;
the gateway node side extracts a current timestamp, and performs recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; sending the second request information set and the second timestamp to a body domain node end;
the body domain node end extracts a current timestamp, and performs recovery calculation according to the current timestamp, the second timestamp and the body domain secret value to obtain a second recovery data set; generating a third random number and extracting a third timestamp in response to the second recovery data set matching the second request information set; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; sending the third request information set and the third timestamp to a gateway node end;
the gateway node side extracts a current timestamp, and performs recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; in response to the third recovery data set matching the third request information set, selecting a new user pseudorandom identity for the user side according to the third recovery data set and the body-domain secret value, calculating a new first recovery data set according to the new user pseudorandom identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudorandom identity, and sending the fourth request information set to the user side;
the user side performs recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; responding to the matching of the fourth recovery data set and the fourth request information set, and then the user side and the body domain node side share the session key to complete multi-factor identity authentication;
and the gateway node end selects a gateway long-term key, selects a unique gateway identity for the body domain node end, stores the gateway long-term key and discloses the gateway identity.
2. The wireless body area network-oriented multi-factor identity authentication method of claim 1, further comprising:
the user side receives a user name and a user password input by a user; randomly generating an initial random number, and generating an initial authentication parameter according to the user name, the user password and the initial random number; sending the initial verification parameters to a gateway node end;
the gateway node terminal selects a user pseudo-random identity and a fingerprint key recovery function for the user terminal, calculates a first intermediate verification value according to the gateway long-term key and the user pseudo-random identity, calculates a first verification parameter according to the first intermediate verification value and the initial verification parameter, stores the user pseudo-random identity, the fingerprint key recovery function, the first verification parameter and a matching time threshold value in an intelligent card, and sends the intelligent card to the user terminal;
the user side receives fingerprint information input by a user, recovers a first intermediate verification value according to the initial verification parameter and the first verification parameter, calculates a second intermediate verification value according to the fingerprint information input by the user and the fingerprint key recovery function, and calculates a second verification parameter according to the user name, the user password, the first intermediate verification value and the second intermediate verification value; updating the first authentication parameter according to the first intermediate authentication value and the initial authentication parameter; and storing the user pseudo-random identity, the fingerprint key recovery function, the updated first verification parameter, the second verification parameter and the matching time threshold in a smart card.
3. The wireless body area network-oriented multi-factor identity authentication method of claim 1, wherein the first request information set comprises first request information, second request information and third request information;
then, the method for multi-factor identity authentication for a wireless body area network includes:
the user side receives a preset user name, a preset user password and biological characteristics input by a user, recovers a user hash value according to the preset user name and the preset user password, recovers a first intermediate verification value according to the user hash value and the first verification parameter, recovers a second intermediate verification value according to the biological characteristics and the biological characteristic recovery function, calculates a second preset verification parameter according to the preset user name, the preset user password, the first intermediate verification value and the second intermediate verification value, generates a user public key, a user private key and a first random number in response to the matching of the second preset verification parameter and the second verification parameter, selects a body area identity of the body area node end needing to be accessed, extracts a first timestamp, extracts a second time stamp according to the first intermediate verification value, the user public key, the second random number and the second verification parameter, And generating first request information, second request information and third request information by the first random number, the first timestamp, the body domain identity identifier and the user pseudo-random identity, and sending the user pseudo-random identity, the first request information, the second request information, the third request information and the first timestamp to a gateway node end.
4. The wireless body area network-oriented multifactor identity authentication method of claim 3, wherein the first recovery data set comprises a random timestamp function value, the first intermediate verification value, the user public key, and the body domain identity; the second set of request information includes fourth request information, fifth request information, and sixth request information;
then, the method for multi-factor identity authentication for a wireless body area network includes:
the gateway node extracts a current timestamp, recovers to obtain a random timestamp function value, the first intermediate verification value, the user public key and the body domain identity according to the user pseudo-random identity, the gateway long-term secret key, the first request information and the second request information in response to the difference between the current timestamp and the first timestamp not being greater than a preset time threshold, calculates third preset request information according to the user pseudo-random identity, the body domain identity, the random timestamp function value and the user public key, generates a second random number in response to the third preset request information being matched with the third request information, extracts a second timestamp, calculates a body domain secret value according to the gateway long-term secret key and the body domain identity, and calculates the body domain secret value according to the body domain secret value and the body domain identity, And generating fourth request information, fifth request information and sixth request information by the user public key, the second random number, the random timestamp function value, the first intermediate verification value and the second timestamp, and sending the fourth request information, the fifth request information, the sixth request information and the second timestamp to a body domain node terminal.
5. The wireless body area network-oriented multi-factor identity authentication method of claim 4, wherein the second recovery data set comprises the public key, the second random number, the random timestamp function value, the first intermediate verification value, and the body area identity; the third set of request information includes seventh request information, eighth request information, ninth request information, and tenth request information;
then, the method for multi-factor identity authentication for a wireless body area network includes:
the body domain node extracts a current timestamp, recovers the public key, the second random number, the random timestamp function value, the first intermediate verification value and the body domain identity according to the body domain secret value in response to the fact that the difference value between the current timestamp and the second timestamp is not larger than a preset time threshold value, calculates sixth preset request information according to the random timestamp function value, the second random number, the body domain secret value, the body domain identity and the second timestamp, generates a third random number in response to the matching of the sixth preset request information and the sixth request information, extracts a third timestamp, encrypts the third random number according to the user public key to obtain an encrypted third random number, and encrypts the third random number according to the random timestamp function value, the third random number, the first intermediate verification value and the body domain identity according to the user public key, And generating a session key by the first intermediate verification value, generating seventh request information, eighth request information, ninth request information and tenth request information according to the body domain identity, the second random number, the encrypted third random number, the session key, the body domain secret value and the third timestamp, and sending the seventh request information, the eighth request information, the ninth request information, the tenth request information and the third timestamp to a gateway node.
6. The wireless body area network-oriented multi-factor identity authentication method of claim 5, wherein the third recovery data set comprises the body area identity, the body area secret value, the encrypted third random number, and the session key; the fourth set of request information includes eleventh request information, twelfth request information, and thirteenth request information;
then, the method for multi-factor identity authentication for a wireless body area network includes:
the gateway node extracts a current timestamp, obtains the body domain identity, the body domain secret value, the encrypted third random number and the session key according to the second random number, the seventh request information, the eighth request information and the gateway long-term key recovery in response to a difference value between the current timestamp and the third timestamp not being greater than a preset time threshold value, calculates ninth preset request information according to the encrypted third random number, the session key, the second random number, the body domain secret value and the third timestamp, calculates a function value of the encrypted third random number and the session key according to the ninth preset request information and the ninth request information in response to matching of the ninth preset request information and the ninth request information, and selects a new user pseudorandom identity for the user terminal according to the tenth request information, the session key, the second random number and the body domain secret value, calculating a new first intermediate authentication parameter according to the new pseudo-random identity of the user and the gateway long-term key, generating eleventh request information, twelfth request information and thirteenth request information according to the new first intermediate authentication parameter, the new pseudo-random identity, the encrypted third random number, the first timestamp, the encrypted third random number and a session key function value, and sending the eleventh request information, the twelfth request information and the thirteenth request information to the user side.
7. The wireless body area network-oriented multi-factor identity authentication method of claim 6, wherein the fourth recovery data set comprises the new first intermediate verification parameter;
then, the multi-factor identity authentication towards the wireless body area network includes:
and the user side recovers the new first intermediate verification parameter according to the first intermediate verification value and the eleventh request message, calculates thirteenth preset request message according to the user private key, and responds to the matching of the thirteenth preset request message and the thirteenth request message, so that the user side and the body domain node side share the session key to complete multi-factor identity authentication.
8. The multi-factor identity authentication method for wireless body area networks according to any of claims 1 to 7, further comprising:
in response to the user side and the body area node side sharing the session key, the user side receives a preset user name, a preset user password and biological characteristics input by a user; calculates a user hash value according to the preset user name and the preset user password; calculates a first intermediate verification value according to the user hash value and the first verification parameter; calculates a second intermediate verification value according to the biological characteristics and the biological feature recovery function; calculates a second preset verification parameter according to the preset user name, the preset user password, the first intermediate verification value and the second intermediate verification value; and, in response to the second verification parameter matching the second preset verification parameter, receives an updated user password input by the user, calculates an updated first verification parameter and an updated second verification parameter according to the preset user name, the updated user password, the user hash value, the first intermediate verification value and the second intermediate verification value, and replaces the first verification parameter, the second verification parameter and the user pseudo-random identity in the smart card with the updated first verification parameter, the updated second verification parameter and the new user pseudo-random identity.
9. A multi-factor identity authentication system, comprising: a user side, a gateway node side and a body area node side; the user side stores a smart card obtained after registering with the gateway node side, and the smart card comprises a first verification parameter, a second verification parameter, a user pseudo-random identity, a biological feature recovery function and a matching frequency threshold value; the gateway node end stores a gateway long-term key, a gateway identity and a body domain secret value calculated for the body domain node end; the body domain node end stores the body domain secret value calculated for it by the gateway node end;
the user side is configured to receive a preset user name, a preset user password and biological characteristics input by a user, select the body domain identity of the body domain node side to be accessed, and extract a first timestamp; obtain a first request information set according to the preset user name, the preset user password, the biological characteristics, the body domain identity, the first verification parameter, the second verification parameter and the user pseudo-random identity; and send the user pseudo-random identity, the first request information set and the first timestamp to the gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the first timestamp, the user pseudorandom identity, the gateway long-term key and the first request information set to obtain a first recovery data set; in response to the first recovery data set matching the first request information set, generating a second random number, extracting a second timestamp; generating a second request information set according to the first recovery data set, the gateway long-term key, the body domain secret value, the second random number and the second timestamp; sending the second request information set and the second timestamp to a body domain node end;
the body area node end is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the second timestamp and the body area secret value to obtain a second recovery data set; generating a third random number and extracting a third timestamp in response to the second recovery data set matching the second request information set; generating a session key according to the third random number, and generating a third request information set according to the second recovery data set and the session key; sending the third request information set and the third timestamp to a gateway node end;
the gateway node side is configured to extract a current timestamp, and perform recovery calculation according to the current timestamp, the third timestamp, the second request information set and the gateway long-term key to obtain a third recovery data set; in response to the third recovery data set matching the third request information set, selecting a new user pseudorandom identity for the user side according to the third recovery data set and the body-domain secret value, calculating a new first recovery data set according to the new user pseudorandom identity and the gateway long-term secret key, generating a fourth request information set according to the new first recovery data set and the new user pseudorandom identity, and sending the fourth request information set to the user side;
the user side is configured to perform recovery calculation according to the first recovery data set and the fourth request information set to obtain a fourth recovery data set; and, in response to the fourth recovery data set matching the fourth request information set, the user side and the body domain node side share the session key to complete multi-factor identity authentication.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 8.
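The gateway-side handling of the body area node's reply recited in claims 6 and 9 (timestamp freshness check, recovery of the masked third random number, recomputation and matching of the check value), as an added illustration that is not part of the patent text. SHA-256, the XOR masking, the session-key derivation, the field names and the 5-second threshold are assumptions of this example; the sample values are constructed.

```python
import hashlib
import hmac
import os

THRESHOLD = 5  # seconds; stands in for the "preset time threshold" (value assumed)

def h(*parts: bytes) -> bytes:
    # Length-prefix each field so different field splits cannot collide.
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def node_reply(secret: bytes, r2: bytes, now: int):
    """Body area node side: mask a fresh third random number, derive the
    session key, and bind both to the third timestamp in a check value."""
    t3 = now.to_bytes(8, "big")
    r3 = os.urandom(32)
    sk = h(b"sk", r3, r2)  # derivation is an assumption of this example
    masked_r3 = xor(r3, h(b"mask", secret, r2, t3))
    check = h(b"check", r3, sk, r2, secret, t3)
    return {"masked_r3": masked_r3, "check": check, "t3": now}, sk

def gateway_verify(msg: dict, secret: bytes, r2: bytes, now: int):
    """Gateway node side: return the session key, or None on rejection."""
    if abs(now - msg["t3"]) > THRESHOLD:  # outside the freshness window
        return None
    t3 = msg["t3"].to_bytes(8, "big")
    r3 = xor(msg["masked_r3"], h(b"mask", secret, r2, t3))
    sk = h(b"sk", r3, r2)
    expected = h(b"check", r3, sk, r2, secret, t3)
    if not hmac.compare_digest(expected, msg["check"]):  # constant-time match
        return None
    return sk

if __name__ == "__main__":
    secret, r2 = os.urandom(32), os.urandom(32)  # constructed sample values
    msg, sk = node_reply(secret, r2, 1_700_000_000)
    print(gateway_verify(msg, secret, r2, 1_700_000_002) == sk)
    print(gateway_verify(msg, secret, r2, 1_700_000_060))
```

Because the third timestamp is an input to both the mask and the check value, a captured reply cannot be made fresh again by rewriting its timestamp: the recomputed check value no longer matches.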
CN202210297901.6A 2022-03-25 2022-03-25 Multi-factor identity authentication method facing wireless body area network and related equipment Active CN114401514B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210297901.6A CN114401514B (en) 2022-03-25 2022-03-25 Multi-factor identity authentication method facing wireless body area network and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210297901.6A CN114401514B (en) 2022-03-25 2022-03-25 Multi-factor identity authentication method facing wireless body area network and related equipment

Publications (2)

Publication Number Publication Date
CN114401514A (en) 2022-04-26
CN114401514B (en) 2022-07-08

Family

ID=81234814

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210297901.6A Active CN114401514B (en) 2022-03-25 2022-03-25 Multi-factor identity authentication method facing wireless body area network and related equipment

Country Status (1)

Country Link
CN (1) CN114401514B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117040767B (en) * 2023-10-10 2024-01-23 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Fine-grained multi-terminal identity authentication method based on PUF (physical unclonable function) and related equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018147673A1 (en) * 2017-02-09 2018-08-16 에스지에이솔루션즈 주식회사 Symmetric key-based user authentication method for ensuring anonymity in wireless sensor network environment
CN113115307A (en) * 2021-04-12 2021-07-13 北京邮电大学 Two-factor identity authentication method oriented to smart home scene

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10104545B2 (en) * 2016-11-02 2018-10-16 National Chin-Yi University Of Technology Computer-implemented anonymity authentication method for wireless sensor networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
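Multi-factor authentication protocol for multi-gateway wireless sensor networks; Wang Chenyu (王晨宇) et al.; Chinese Journal of Computers (《计算机学报》); 20200430; Vol. 43 (No. 4); full text *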

Also Published As

Publication number Publication date
CN114401514A (en) 2022-04-26

Similar Documents

Publication Publication Date Title
CN110463237B (en) Method for managing communication between a server and a user equipment
Ali et al. An enhanced three factor based authentication protocol using wireless medical sensor networks for healthcare monitoring
CN109714167B (en) Identity authentication and key agreement method and equipment suitable for mobile application signature
CN105162772B (en) A kind of internet of things equipment certifiede-mail protocol method and apparatus
Chaudhry et al. An enhanced privacy preserving remote user authentication scheme with provable security
Li et al. A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information systems
US9992017B2 (en) Encrypting and storing data
Xie et al. Robust anonymous authentication scheme for telecare medical information systems
CN110969431B (en) Secure hosting method, device and system for private key of blockchain digital coin
Maitra et al. An enhanced multi‐server authentication protocol using password and smart‐card: cryptanalysis and design
Liu et al. A secure data backup scheme using multi‐factor authentication
Alzahrani Secure and efficient cloud-based IoT authenticated key agreement scheme for e-health wireless sensor networks
US20200195446A1 (en) System and method for ensuring forward & backward secrecy using physically unclonable functions
Chaturvedi et al. A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme
Praveen et al. Improved Gentry–Halevi's fully homomorphic encryption‐based lightweight privacy preserving scheme for securing medical Internet of Things
EP3000216B1 (en) Secured data channel authentication implying a shared secret
Tsai et al. A chaotic map‐based anonymous multi‐server authenticated key agreement protocol using smart card
Giri et al. A novel and efficient session spanning biometric and password based three-factor authentication protocol for consumer USB mass storage devices
Madhusudhan A secure and lightweight authentication scheme for roaming service in global mobile networks
Wu et al. An enhanced mutual authentication and key agreement scheme for mobile user roaming service in global mobility networks
Feiri et al. Efficient and secure storage of private keys for pseudonymous vehicular communication
CN114401514B (en) Multi-factor identity authentication method facing wireless body area network and related equipment
Xu et al. A computationally efficient authentication and key agreement scheme for multi-server switching in WBAN
Chuang et al. An independent three‐factor mutual authentication and key agreement scheme with privacy preserving for multiserver environment and a survey
Mishra et al. A provably secure content distribution framework for portable DRM systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant