CN114826728B - Equipment authentication method, internet of things terminal equipment, electronic equipment and storage medium - Google Patents
Equipment authentication method, internet of things terminal equipment, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN114826728B CN114826728B CN202210427330.3A CN202210427330A CN114826728B CN 114826728 B CN114826728 B CN 114826728B CN 202210427330 A CN202210427330 A CN 202210427330A CN 114826728 B CN114826728 B CN 114826728B
- Authority
- CN
- China
- Prior art keywords
- internet
- box
- things
- equipment
- terminal equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 56
- 230000006870 function Effects 0.000 claims description 64
- 230000036039 immunity Effects 0.000 claims description 8
- 238000004364 calculation method Methods 0.000 abstract description 7
- 238000004590 computer program Methods 0.000 description 10
- 238000004891 communication Methods 0.000 description 9
- 230000008569 process Effects 0.000 description 9
- 238000010586 diagram Methods 0.000 description 8
- 230000003993 interaction Effects 0.000 description 8
- 238000012545 processing Methods 0.000 description 7
- 238000012795 verification Methods 0.000 description 7
- 238000004422 calculation algorithm Methods 0.000 description 6
- 230000007547 defect Effects 0.000 description 4
- 238000013461 design Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 230000001413 cellular effect Effects 0.000 description 2
- 238000012938 design process Methods 0.000 description 2
- 238000007620 mathematical function Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- PXFBZOLANLWPMH-UHFFFAOYSA-N 16-Epiaffinine Natural products C1C(C2=CC=CC=C2N2)=C2C(=O)CC2C(=CC)CN(C)C1C2CO PXFBZOLANLWPMH-UHFFFAOYSA-N 0.000 description 1
- 241001254607 Leander Species 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 238000010606 normalization Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Y—INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
- G16Y40/00—IoT characterised by the purpose of the information processing
- G16Y40/50—Safety; Security of things, users, data or systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the disclosure provides a device authentication method, an internet of things terminal device, electronic equipment and a storage medium, and relates to the field of network security, in particular to the field of device authentication. The method comprises the steps that the terminal equipment of the Internet of things performs multiplication operation on the basis of identification data of the terminal equipment of the Internet of things and a preset target S box to obtain encrypted data, and the encrypted data is sent to gateway equipment; the gateway equipment receives the encrypted data, and decrypts the encrypted data based on a preset target S box to obtain decrypted data; the gateway equipment compares the decrypted data with prestored identification data of the terminal equipment of the Internet of things; and if the comparison is successful, allowing the terminal equipment of the Internet of things to access the Internet through the gateway equipment. In this way, the problems that the cost is high and the actual application cannot be met in the implementation scheme of the terminal equipment safety access can be solved, the effective calculation can be independently completed without depending on external knowledge under the condition that the terminal equipment resources are limited, and the investment of hardware facilities such as a gateway and the like can be reduced.
Description
Technical Field
The present disclosure relates to the field of network security, and in particular to the field of device authentication.
Background
Terminal equipment in the Internet of things needs to access the Internet and conduct information transfer and interaction based on an Internet protocol. In order to ensure the safety of terminal equipment when accessing to the Internet of things, the most common technical scheme for the safety access of the terminal equipment of the Internet of things at present is that an access gateway is arranged at an Internet entrance, when the terminal equipment of the Internet of things is accessed, the gateway reads identity information of the terminal equipment of the Internet of things, and the validity of the identity of the terminal equipment of the Internet of things is verified through an algorithm.
The scheme mainly adopts hardware modes such as gateway and the like has complex design process and higher laying cost; if the verification is performed at the terminal equipment side, the verification efficiency is reduced due to the limitation of low computing capacity and limited resources such as memory of the terminal equipment, and the practical application cannot be satisfied.
Disclosure of Invention
The disclosure provides a device authentication method, an internet of things terminal device, an electronic device and a storage medium.
According to a first aspect of the present disclosure, there is provided a device authentication method, the method comprising:
the terminal equipment of the Internet of things performs multiplication operation on the basis of the identification data of the terminal equipment of the Internet of things and a preset target S box to obtain encrypted data, and sends the encrypted data to gateway equipment;
the gateway equipment receives the encrypted data, and decrypts the encrypted data based on a preset target S box to obtain decrypted data;
the gateway equipment compares the decrypted data with prestored identification data of the terminal equipment of the Internet of things; and if the comparison is successful, allowing the terminal equipment of the Internet of things to access the Internet through the gateway equipment.
In some implementations of the first aspect, the target S-box is constructed according to security requirements and a system resource environment of the internet of things device.
In some implementations of the first aspect, when the system resource environment is a resource constrained environment, constructing the target S-box includes:
constructing a boolean function of S (x, y, z, w) = (f 1 (x, y, z, w), f2 (y, z, w, x), f3 (z, w, x, y), f4 (w, x, y, z);
let f1 (x, y, z, w) be the 3 rd order Boolean function according toDefining a preset balance function, determining a balance function f5, and shifting the variable of f5 to obtain functions f6, f7 and f8, wherein the functions f6, f7 and f8 are obtainedWherein n and m are both 4;
combining f5, f6, f7 and f8, and traversing x, y, z, w in the combined functions from 0000 to 1111 to obtain an S box after the independent variables are replaced;
and when the S box after the independent variable is replaced has no repeated value, and algebraic immunity, nonlinearity and differential uniformity meet preset requirements, the S box after the independent variable is replaced is taken as a target S box.
In some implementations of the first aspect, according toThe above preset balance function definition, determining a balance function f5, includes:
according toDefining a preset balance function, and calculating the calculated +.>Is a one-time and non-repeating function as a function of balance;
taking any of the functions of the equilibrium, f5 is obtained.
In some implementations of the first aspect, shifting the variable of f5 to obtain the functions f6, f7, f8 includes:
shifting the variable in f5 left by 1 bit to obtain f6;
shifting the variable in f5 left by 2 bits to obtain f7;
the variable in f5 is shifted left by 3 bits to give f8.
In some implementations of the first aspect, the encrypted data includes a timestamp added by the terminal device of the internet of things;
the gateway equipment determines the time difference with the current time according to the time stamp in the encrypted data;
and when the time difference is smaller than or equal to a preset threshold value, the gateway equipment decrypts the encrypted data based on the target S box to obtain decrypted data.
According to a second aspect of the present disclosure, there is provided an internet of things terminal device, the device comprising:
the encryption module is used for carrying out multiplication operation on the identification data and a preset target S box to obtain encrypted data;
the sending module is used for sending the encrypted data to the gateway equipment so that the gateway equipment decrypts the encrypted data based on a preset target S box to obtain decrypted data, and comparing the decrypted data with the pre-stored identification data of the terminal equipment of the Internet of things, and if the comparison is successful, allowing the terminal equipment of the Internet of things to access the Internet through the gateway equipment.
In some implementations of the second aspect, the target S-box is constructed according to security requirements and a system resource environment of the internet of things device.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes: a memory and a processor, the memory having stored thereon a computer program, the processor implementing the first aspect as described above and the device authentication method in some implementations of the first aspect when the program is executed.
According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which when executed by a processor implements the first aspect as described above, and in some implementations of the first aspect, a device authentication method.
According to the device authentication method, the terminal device of the Internet of things, the electronic device and the storage medium, the terminal device of the Internet of things performs multiplication operation on the basis of the identification data of the terminal device of the Internet of things and a preset target S box to obtain encrypted data, and the encrypted data is sent to gateway equipment; the gateway equipment receives the encrypted data, and decrypts the encrypted data based on a preset target S box to obtain decrypted data; the gateway equipment compares the decrypted data with prestored identification data of the terminal equipment of the Internet of things; and if the comparison is successful, allowing the terminal equipment of the Internet of things to access the Internet through the gateway equipment. The method introduces the lightweight S box based on mathematical completeness into the identity verification process of the terminal equipment of the Internet of things, and overcomes the defects of multiple hardware equipment configurations, lower efficiency and weak applicability in the prior art. The method can not only independently complete effective calculation without depending on external knowledge under the condition of limited terminal equipment resources, but also reduce the investment of hardware facilities such as gateways and the like.
It should be understood that what is described in this summary is not intended to limit the critical or essential features of the embodiments of the disclosure nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. For a better understanding of the present disclosure, and without limiting the disclosure thereto, the same or similar reference numerals denote the same or similar elements, wherein:
fig. 1 is an interactive schematic diagram of a device authentication method provided in an embodiment of the present disclosure;
fig. 2 is a block diagram of an internet of things terminal device provided in an embodiment of the present disclosure;
fig. 3 is a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments in this disclosure without inventive faculty, are intended to be within the scope of this disclosure.
In addition, the term "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
Terminal equipment in the Internet of things needs to access the Internet and conduct information transfer and interaction based on an Internet protocol. In order to ensure the safety of terminal equipment when accessing to the Internet of things, the most common technical scheme for the safety access of the terminal equipment of the Internet of things at present is that an access gateway is arranged at an Internet entrance, when the terminal equipment of the Internet of things is accessed, the gateway reads identity information of the terminal equipment of the Internet of things, and the validity of the identity of the terminal equipment of the Internet of things is verified through an algorithm. The hardware used in the scheme mainly comprises a sensor, an FPGA card and the like. The basic flow is as follows: the gateway equipment collects and preprocesses the identity information of each perceived terminal equipment, eliminates the information with obvious errors, carries out data normalization, feature extraction and other processes on the identity information, and verifies the validity of the identity information. If so, allowing the device to access the Internet; otherwise, access is denied.
At present, a plurality of implementation schemes for the secure access of the terminal equipment of the internet of things exist. However, the method has the defects that the design process of the scheme mainly comprising hardware modes such as a gateway is complex, and the laying cost is high; if the verification is performed at the terminal equipment side, the verification efficiency is reduced due to the limitation of low computing capacity and limited resources such as memory of the terminal equipment, and the practical application cannot be satisfied. Therefore, when the secure access scheme of the terminal equipment of the internet of things is designed, the characteristics of the terminal equipment of the internet of things must be analyzed, and various demands such as effectiveness, applicability, efficiency and cost are considered.
In order to solve the problems that the existing implementation scheme of the secure access of the terminal equipment of the Internet of things is high in cost and cannot meet the practical application, the disclosure provides an equipment authentication method, the terminal equipment of the Internet of things, electronic equipment and a storage medium, wherein the terminal equipment of the Internet of things performs multiplication operation on identification data and a preset target S box to obtain encrypted data, and the encrypted data is sent to gateway equipment; the gateway equipment receives the encrypted data, and decrypts the encrypted data based on a preset target S box to obtain decrypted data; the gateway equipment compares the decrypted data with prestored identification data of the terminal equipment of the Internet of things; and if the comparison is successful, allowing the terminal equipment of the Internet of things to access the Internet through the gateway equipment. According to the technical scheme, the S box is introduced into the identity verification process of the Internet of things terminal equipment accessing the Internet, the Internet of things terminal equipment multiplies the identification data of the S box by the S box, the calculation result is transmitted to the gateway equipment, the calculation result is decrypted and compared through the gateway equipment, and whether the Internet of things terminal equipment is allowed to access the Internet is determined. Therefore, the method can independently complete effective calculation without depending on external knowledge under the condition of limited terminal equipment resources, and can reduce the investment of hardware facilities such as gateways and the like.
The technical solutions provided by the embodiments of the present disclosure are described below with reference to the accompanying drawings.
Fig. 1 is an interaction schematic diagram of a device authentication method provided by an embodiment of the present disclosure, where, as shown in fig. 1, the device authentication method may include:
s101: the terminal equipment of the Internet of things performs multiplication operation on the basis of the identification data and a preset target S box to obtain encrypted data, and sends the encrypted data to the gateway equipment.
The identification data may specifically be an identity information value (such as an ID value) of the terminal device of the internet of things and an IP address of the terminal device of the internet of things.
S102: the gateway equipment receives the encrypted data, and decrypts the encrypted data based on a preset target S box to obtain decrypted data.
Specifically, during decryption, the inverse box of the preset target S box may be used to decrypt the encrypted data, so as to obtain decrypted data.
S103: the gateway equipment compares the decrypted data with prestored identification data of the terminal equipment of the Internet of things; and if the comparison is successful, allowing the terminal equipment of the Internet of things to access the Internet through the gateway equipment.
The pre-stored identification data of the terminal device of the internet of things specifically may include an IP address table of the terminal device of the internet of things and an identity information value of the terminal device of the internet of things.
Specifically, the decrypted data in S102 is the identifier data of the decrypted internet of things terminal device, then S103 compares the identifier data of the decrypted internet of things terminal device with the identifier data of the pre-stored internet of things terminal device, if the identifier data of the decrypted internet of things terminal device can be matched with the identifier data of the pre-stored internet of things terminal device, the comparison is considered to be successful, and if the identifier data of the decrypted internet of things terminal device cannot be matched with the identifier data of the pre-stored internet of things terminal device, the comparison is considered to be failed.
And if the comparison is successful, allowing the Internet of things terminal equipment to access the Internet through the gateway equipment, and if the comparison is unsuccessful, not allowing the Internet of things terminal equipment to access the Internet through the gateway equipment.
In the process of allowing the internet of things terminal equipment to access the internet through the gateway equipment, the gateway equipment can specifically open a channel for data interaction with the internet for the successfully compared internet of things terminal equipment, and establish uplink and downlink communication links between the internet of things terminal equipment and the internet based on the internet of things terminal equipment IP address and the gateway-opened channel for data interaction so as to realize connection between the internet of things terminal equipment and the internet.
It should be noted that, in the technical scheme of the present disclosure, the core is the design and selection of the S box. The S box is constructed by utilizing a mathematical function, so that the S box has better mathematical completeness and a simpler realization circuit.
And because the S box with higher algebra times can provide better protection to resist high-order differential, algebra and cube attacks; s boxes constructed by functions with lower algebraic times occupy smaller areas on hardware, and safety can be realized by increasing the number of rounds; if the algebra number is too low, it is vulnerable. So to ensure that the constructed S-box can fit the actual requirements, in one embodiment, the target S-box may be specifically constructed according to the security requirements and the system resource environment of the internet of things device.
In a specific embodiment, in a resource-constrained environment, a 4×4 lightweight S-box with both input and output of 4 bits may be selected because it balances the requirements of both operating efficiency and security. In particular, in order to adapt to the authentication when the internet terminal equipment is accessed, an S-box with optimal password is constructed.
S (X) = (f) defined by n×m S-boxes 1 (X),…,fm(X)):Where n and m are positive integers, it can be seen that a 4X 4S box is obtained when both n and m are 4.
When the system resource environment is a resource limited environment, constructing the target S-box may specifically include: constructing a boolean function of S (x, y, z, w) = (f 1 (x, y, z, w), f2 (y, z, w, x), f3 (z, w, x, y), f4 (w, x, y, z);
let f1 (x, y, z, w) be the 3 rd order Boolean function according toThe preset balance function definition can be used for finding out a plurality of balance conditions (i.e. f is +.>One is just one time and no repetition), obtaining a balanced function f5 from the functions, and shifting the variables of f5 to obtain functions f6, f7 and f8, wherein n and m are 4, and the process of shifting the variables of f5 to obtain the functions f6, f7 and f8 can specifically shift the variables of f5 to the left by 1 bit, 2 bits and 3 bits to obtain functions f6, f7 and f8 respectively, namely shift the variables in f5 to the left by 1 bit to obtain f6; shifting the variable in f5 left by 2 bits to obtain f7; the variable in f5 is shifted left by 3 bits to give f8.
The forms of f5, f6, f7 and f8 may specifically be:
f5=xyz+a 1 xy+a 2 xz+a 3 xw+a 4 yz+a 5 yw+a 6 zw+a 7 x+a 8 y+a 9 z+a 10 w;
f6=yzw+a 1 yz+a 2 yw+a 3 yx+a 4 zw+a 5 zx+a 6 wx+a 7 y+a 8 z+a 9 w+a 10 x;
f7=zwx+a 1 zw+a 2 zx+a 3 zy+a 4 wx+a 5 wy+a 6 xy+a 7 z+a 8 w+a 9 x+a 10 y;
f8=wxy+a 1 wx+a 2 wy+a 3 wz+a 4 xy+a 5 xz+a 6 yz+a 7 w+a 8 x+a 9 y+a 10 z;
then f5, f6, f7 and f8 can be combined, and x, y, z, w in the combined functions is traversed from 0000 to 1111 (decimal 0-15) to obtain an S box after the independent variables are replaced;
and when the S box after the independent variable is replaced has no repeated value, and algebraic immunity, nonlinearity and differential uniformity meet preset requirements, the S box after the independent variable is replaced is taken as a target S box.
Specifically, the target S-box may be screened according to three important criteria of the S-box:
(1) Algebraic immunity the algebraic immunity of any boolean function f is the minimum number of nonzero functions g that hold gf=0 or g (f+1) =0. Because the S boxes are constructed by adopting mathematical functions and are applied under the condition of limited resources, all S boxes meet algebraic immunity requirements.
(2) Nonlinearity, which is used to determine the ability of an S-box to withstand linear attacks. The upper bound of the nonlinearity of the S-box of the N-ary Boolean function construction is 2N-1-2 (N-2)/2, and the upper bound is only possible when N is an odd number. Since the chosen constructor is a 3-element Boolean function, the nonlinearity of the S-box can reach an upper bound.
(3) Differential uniformity, which is used to represent the ability of the S-box to resist differential analysis, is lower and more desirable. All the obtained 4 x 4S-box differential distribution tables can be constructed, and then the differential uniformity of each S-box can be counted.
Therefore, the condition for selecting the S-box with the best cryptographic quality of 4×4 is that the nonlinearity and differential uniformity are both 4. From the differential distribution table, 32S boxes meet the above requirements, so such S boxes are always available. Further, according to the theory of Leander, there are 16 classes of 4×4S boxes with optimal linear and differential performance in affine equivalent sense:
S-box 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
G0 0,1,2,13,4,7,15,6,8,11,12,9,3,14,10,5
G1 0,1,2,13,4,7,15,6,8,11,14,3,5,9,10,12
G2 0,1,2,13,4,7,15,6,8,11,14,3,10,12,5,9
G3 0,1,2,13,4,7,15,6,8,12,5,3,10,14,11,9
G4 0,1,2,13,4,7,15,6,8,12,9,11,10,14,5,3
G5 0,1,2,13,4,7,15,6,8,12,11,9,10,14,3,5
G6 0,1,2,13,4,7,15,6,8,12,11,9,10,14,5,3
G7 0,1,2,13,4,7,15,6,8,12,14,11,10,9,3,5
G8 0,1,2,13,4,7,15,6,8,14,9,5,10,11,3,12
G9 0,1,2,13,4,7,15,6,8,14,11,3,5,9,10,12
G10 0,1,2,13,4,7,15,6,8,14,11,5,10,9,3,12
G11 0,1,2,13,4,7,15,6,8,14,11,10,5,9,12,3
G12 0,1,2,13,4,7,15,6,8,14,11,10,9,3,12,5
G13 0,1,2,13,4,7,15,6,8,14,12,9,5,11,10,3
G14 0,1,2,13,4,7,15,6,8,14,12,11,3,9,5,10
G15 0,1,2,13,4,7,15,6,8,14,12,11,9,3,10,5
the characteristics and applicability of various 4×4S boxes are different, and the corresponding 4×4S boxes can be flexibly selected for use according to the requirements of a grouping algorithm.
On the basis of the above, it can be further verified whether the obtained 4×4S box has autoreactivity, and the inverse S box of the S box is itself. If the autoreactivity is met, the encryption and decryption process can be completed by using the same S box; otherwise, deducing a corresponding inverse box by using the S box, and respectively using the inverse boxes for encryption and decryption.
In one embodiment, the encrypted data may further include a timestamp added by the terminal device of the internet of things; the gateway equipment determines the time difference with the current time according to the time stamp in the encrypted data; and when the time difference is smaller than or equal to a preset threshold value, the gateway equipment decrypts the encrypted data based on the target S box to obtain decrypted data.
According to the device authentication method, according to the design of the zero knowledge proof thought, the lightweight S box based on mathematical completeness is introduced into the identity authentication process of the terminal device of the Internet of things through the realization of the lightweight block cipher algorithm, and the defects of multiple hardware device configurations, lower efficiency and weak applicability in the prior art are overcome. And because the S box is constructed according to the security requirement and the system resource environment of the Internet of things equipment, the execution efficiency and the security are well balanced. Therefore, the method can independently complete effective calculation without depending on external knowledge under the condition of limited terminal equipment resources, and can reduce the investment of hardware facilities such as gateways and the like. In addition, the problem that the address of the terminal equipment cannot be traced back under the single-packet authentication in the past is solved.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present disclosure is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present disclosure. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required by the present disclosure.
The foregoing is a description of embodiments of the method, and the following further describes embodiments of the present disclosure through examples of apparatus.
Corresponding to the interaction diagram of the device authentication method shown in fig. 1, fig. 2 shows a block diagram of an internet of things terminal device. As shown in fig. 2, the terminal device of the internet of things may include:
the encryption module can be used for carrying out multiplication operation on the identification data and a preset target S box to obtain encrypted data;
and the sending module is used for sending the encrypted data to gateway equipment, decrypting the encrypted data by the gateway equipment based on the preset target S box to obtain decrypted data, comparing the decrypted data with prestored identification data of the terminal equipment of the Internet of things, and allowing the terminal equipment of the Internet of things to access the Internet through the gateway equipment if the comparison is successful.
In one embodiment, the target S box is constructed according to security requirements and a system resource environment of the Internet of things device.
In one embodiment, when the system resource environment is a resource constrained environment, constructing the target S-box includes:
constructing a boolean function of S (x, y, z, w) = (f 1 (x, y, z, w), f2 (y, z, w, x), f3 (z, w, x, y), f4 (w, x, y, z);
let f1 (x, y, z, w) be the 3 rd order Boolean function according toDefining a preset balance function, determining a balance function f5, and shifting the variable of f5 to obtain functions f6, f7 and f8, wherein n and m are both 4;
combining f5, f6, f7 and f8, and traversing x, y, z, w in the combined functions from 0000 to 1111 to obtain an S box after the independent variables are replaced;
and when the S box after the independent variable is replaced has no repeated value, and algebraic immunity, nonlinearity and differential uniformity meet preset requirements, the S box after the independent variable is replaced is used as the target S box.
In one embodiment, the said methodThe above preset balance function definition, determining a balance function f5, includes:
according toDefining a preset balance function, and calculating the calculated +.>Is a one-time and non-repeating function as a function of balance;
taking any one of the functions of the balance, the f5 is obtained.
In one embodiment, shifting the variable of f5 results in the functions f6, f7, f8, including:
shifting the variable in f5 left by 1 bit to obtain f6;
shifting the variable in f5 left by 2 bits to obtain f7;
and shifting the variable in f5 left by 3 bits to obtain f8.
In one embodiment, the encrypted data includes a timestamp added by the terminal device of the internet of things; the gateway equipment is used for determining the time difference with the current time according to the time stamp in the encrypted data, and decrypting the encrypted data based on the target S box to obtain decrypted data when the time difference is smaller than or equal to a preset threshold value.
According to the terminal equipment of the Internet of things, which is designed according to the zero knowledge proof thought, the lightweight S box based on mathematical completeness is introduced into the identity verification process of the terminal equipment of the Internet of things through the lightweight block cipher algorithm, and the defects of multiple hardware equipment configurations, lower efficiency and weak applicability in the prior art are overcome. And because the S box is constructed according to the security requirement and the system resource environment of the Internet of things equipment, the execution efficiency and the security are well balanced. Therefore, the method can independently complete effective calculation without depending on external knowledge under the condition of limited terminal equipment resources, and can reduce the investment of hardware facilities such as gateways and the like. In addition, the problem that the address of the terminal equipment cannot be traced back under the single-packet authentication in the past is solved.
It can be understood that each module in the terminal device of the internet of things shown in fig. 2 has a function of implementing each step at the terminal device of the internet of things in fig. 1, and can achieve the corresponding technical effects thereof, and for brevity description, no further description is provided herein.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the described modules may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 3 shows a schematic block diagram of an electronic device 300 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The device 300 comprises a computing unit 301 that may perform various suitable actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 302 or loaded from a storage unit 308 into a Random Access Memory (RAM) 303. In the RAM303, various programs and data required for the operation of the device 300 may also be stored. The computing unit 301, the ROM302, and the RAM303 are connected to each other by a bus 304. An input/output (I/O) interface 305 is also connected to bus 304.
Various components in device 300 are connected to I/O interface 305, including: an input unit 306 such as a keyboard, a mouse, etc.; an output unit 307 such as various types of displays, speakers, and the like; a storage unit 308 such as a magnetic disk, an optical disk, or the like; and a communication unit 309 such as a network card, modem, wireless communication transceiver, etc. The communication unit 309 allows the device 300 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 301 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 301 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 301 performs the respective methods and processes described above, such as the device authentication method in fig. 1. For example, in some embodiments, the device authentication method of fig. 1 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 308. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 300 via the ROM302 and/or the communication unit 309. When the computer program is loaded into the RAM303 and executed by the computing unit 301, one or more steps of the device authentication method described above may be performed. Alternatively, in other embodiments, the computing unit 301 may be configured to perform the device authentication method of fig. 1 in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel or sequentially or in a different order, provided that the desired results of the technical solutions of the present disclosure are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.
Claims (9)
1. A method of device authentication, the method comprising:
the method comprises the steps that the terminal equipment of the Internet of things performs multiplication operation on the basis of identification data of the terminal equipment of the Internet of things and a preset target S box to obtain encrypted data, and the encrypted data is sent to gateway equipment;
the gateway equipment receives the encrypted data, and decrypts the encrypted data based on the preset target S box to obtain decrypted data;
the gateway equipment compares the decryption data with prestored identification data of the terminal equipment of the Internet of things; if the comparison is successful, allowing the terminal equipment of the Internet of things to access the Internet through the gateway equipment, wherein,
when the system resource environment is a resource limited environment, constructing the target S box, including:
constructing a boolean function of S (x, y, z, w) = (f 1 (x, y, z, w), f2 (y, z, w, x), f3 (z, w, x, y), f4 (w, x, y, z);
let f1 (x, y, z, w) be the 3 rd order Boolean function according toDefining a preset balance function, determining a balance function f5, and shifting the variable of f5 to obtain functions f6, f7 and f8, wherein n and m are both 4;
combining f5, f6, f7 and f8, and traversing x, y, z, w in the combined functions from 0000 to 1111 to obtain an S box after the independent variables are replaced;
and when the S box after the independent variable is replaced has no repeated value, and algebraic immunity, nonlinearity and differential uniformity meet preset requirements, the S box after the independent variable is replaced is used as the target S box.
2. The method of claim 1, wherein the target S-box is constructed according to security requirements and a system resource environment of the internet of things device.
3. The method according to claim 2, wherein the step ofThe above preset balance function definition, determining a balance function f5, includes:
according toDefining a preset balance function, and calculating the calculated +.>Is a one-time and non-repeating function as a function of balance;
taking any one of the functions of the balance, the f5 is obtained.
4. The method according to claim 2, wherein said shifting the variable of f5 to obtain functions f6, f7, f8 comprises:
shifting the variable in f5 left by 1 bit to obtain f6;
shifting the variable in f5 left by 2 bits to obtain f7;
and shifting the variable in f5 left by 3 bits to obtain f8.
5. The method according to claim 1, wherein the encrypted data includes a timestamp added by the terminal device of the internet of things;
the gateway equipment determines the time difference from the current time according to the time stamp in the encrypted data;
and when the time difference is smaller than or equal to a preset threshold value, the gateway equipment decrypts the encrypted data based on the target S box to obtain decrypted data.
6. An internet of things terminal device, characterized in that the device comprises:
the encryption module is used for multiplying the identification data of the encryption module with a preset target S box to obtain encrypted data, wherein when the system resource environment is a resource limited environment, the target S box is constructed, and the encryption module comprises:
constructing a boolean function of S (x, y, z, w) = (f 1 (x, y, z, w), f2 (y, z, w, x), f3 (z, w, x, y), f4 (w, x, y, z);
let f1 (x, y, z, w) be the 3 rd order Boolean function according toDefining a preset balance function, determining a balance function f5, and shifting the variable of f5 to obtain functions f6, f7 and f8, wherein n and m are both 4;
combining f5, f6, f7 and f8, and traversing x, y, z, w in the combined functions from 0000 to 1111 to obtain an S box after the independent variables are replaced;
when the S box after the independent variable is replaced has no repeated value, and algebraic immunity, nonlinearity and differential uniformity meet preset requirements, the S box after the independent variable is replaced is used as the target S box;
and the sending module is used for sending the encrypted data to gateway equipment so that the gateway equipment decrypts the encrypted data based on the preset target S box to obtain decrypted data, and comparing the decrypted data with prestored identification data of the terminal equipment of the Internet of things, and if the comparison is successful, allowing the terminal equipment of the Internet of things to access the Internet through the gateway equipment.
7. The internet of things terminal device of claim 6, wherein the target S-box is constructed according to security requirements and a system resource environment of the internet of things device.
8. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-5.
9. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210427330.3A CN114826728B (en) | 2022-04-21 | 2022-04-21 | Equipment authentication method, internet of things terminal equipment, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210427330.3A CN114826728B (en) | 2022-04-21 | 2022-04-21 | Equipment authentication method, internet of things terminal equipment, electronic equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114826728A CN114826728A (en) | 2022-07-29 |
| CN114826728B true CN114826728B (en) | 2024-03-15 |
Family
ID=82505958
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210427330.3A Active CN114826728B (en) | 2022-04-21 | 2022-04-21 | Equipment authentication method, internet of things terminal equipment, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114826728B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116226259A (en) * | 2023-05-08 | 2023-06-06 | 江苏网进科技股份有限公司 | Method for taking object model as unified standard output interface, electronic equipment and medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101588233A (en) * | 2008-05-19 | 2009-11-25 | 北京大学深圳研究生院 | AES coprocessor system and AES structure in wireless sensor network node application |
| CN107733634A (en) * | 2017-11-06 | 2018-02-23 | 西南交通大学 | A kind of lightweight chaos authentication encryption method based on displacement coupling |
| CN112511293A (en) * | 2020-09-21 | 2021-03-16 | 中国电子科技集团公司第三十研究所 | S-box parameterization design method based on bit sum operation and storage medium |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11444748B2 (en) * | 2019-03-29 | 2022-09-13 | Intel Corporation | Ultra-low latency advanced encryption standard |
-
2022
- 2022-04-21 CN CN202210427330.3A patent/CN114826728B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101588233A (en) * | 2008-05-19 | 2009-11-25 | 北京大学深圳研究生院 | AES coprocessor system and AES structure in wireless sensor network node application |
| CN107733634A (en) * | 2017-11-06 | 2018-02-23 | 西南交通大学 | A kind of lightweight chaos authentication encryption method based on displacement coupling |
| CN112511293A (en) * | 2020-09-21 | 2021-03-16 | 中国电子科技集团公司第三十研究所 | S-box parameterization design method based on bit sum operation and storage medium |
Non-Patent Citations (4)
| Title |
|---|
| DES的S盒的布尔性质;董军武;;通信技术(第12期);全文 * |
| 张相依 ; 刘硕 ; 唐小宇 ; .适用于电力受限设备的轻量级分组密码算法.电力信息与通信技术.2017,(第08期),全文. * |
| 董军武 ; .DES的S盒的布尔性质.通信技术.2012,(第12期),全文. * |
| 适用于电力受限设备的轻量级分组密码算法;张相依;刘硕;唐小宇;;电力信息与通信技术(第08期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114826728A (en) | 2022-07-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11784801B2 (en) | Key management method and related device | |
| CN109688098B (en) | Method, device and equipment for secure communication of data and computer readable storage medium | |
| CN112560091B (en) | Digital signature method, signature information verification method, related device and electronic equipment | |
| US11824999B2 (en) | Chosen-plaintext secure cryptosystem and authentication | |
| CN111343207B (en) | Multi-node joint encryption data transmission method, equipment and storage medium | |
| US20230342669A1 (en) | Machine learning model update method and apparatus | |
| CN114826733B (en) | File transmission method, device, system, equipment, medium and program product | |
| CN114826728B (en) | Equipment authentication method, internet of things terminal equipment, electronic equipment and storage medium | |
| WO2017006118A1 (en) | Secure distributed encryption system and method | |
| CN110048994A (en) | A kind of communication means and device | |
| US20130145149A1 (en) | Authentication device, authentication method and computer readable medium | |
| CN114785524B (en) | Electronic seal generation method, device, equipment and medium | |
| CN113794706B (en) | Data processing method and device, electronic equipment and readable storage medium | |
| Epishkina et al. | Covert channels parameters evaluation using the information theory statements | |
| CN114338510A (en) | Data forwarding method and system with separated control and forwarding | |
| CN116488919B (en) | Data processing method, communication node and storage medium | |
| CN116094815B (en) | Data encryption processing method and device based on flow self-adaptive control adjustment | |
| EP3562092A1 (en) | Method for generating on-board a cryptographic key using a physically unclonable function | |
| CN108366296A (en) | video encryption method and device | |
| CN116155483A (en) | Block chain signing machine safety design method and signing machine | |
| CN111984613A (en) | Method, device and system for sharing files | |
| CN114520725B (en) | Authentication method, device, equipment and storage medium based on distance constraint protocol | |
| US10298671B2 (en) | Randomization function and its application in load balancing | |
| CN112887097A (en) | Signature method based on SM2 elliptic curve, related device and storage medium | |
| CN115348113B (en) | Man-in-the-middle attack resisting method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |