WO2011131085A1 - Method, system, terminal, destination access node and access controller for low-overhead sensor network access control - Google Patents


Info

Publication number
WO2011131085A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
access
node
message
authentication
Application number
PCT/CN2011/072454
Other languages
French (fr)
Chinese (zh)
Inventor
宋起柱
杜志强
铁满霞
李琴
曹军
王文俭
陶洪波
Original Assignee
国家无线电监测中心检测中心
西安西电捷通无线网络通信股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks

Definitions

  • In view of this, the present invention proposes a low-overhead sensor network access control method, system, terminal, destination access node and access controller that do not require other nodes of the sensor network to participate in the authentication process.
  • The invention provides a low-overhead sensor network access control method comprising the following steps:
  • 1) the destination access node DN in the sensor network receives the user authentication request message sent by the user User;
  • 2) the destination access node DN sends a user authentication response message to the user User according to the user authentication request message;
  • 3) the access controller AC receives the node authentication request message sent by the user User, which the user User constructs from the user authentication response message sent by the destination access node DN;
  • 4) the access controller AC sends a node authentication response message to the user User according to the authentication result;
  • 5) the destination access node DN receives an access request message sent by the user User, which the user User constructs from the node authentication response message received from the access controller AC;
  • 6) the destination access node DN performs authorization management on the user User according to the access request message and sends an access request response message to the user User.
  • The invention also provides a low-overhead sensor network access control system including a destination access node DN and an access controller AC, wherein:
  • the destination access node DN is configured to receive a user authentication request message sent by the user User and to send a user authentication response message to the user User according to that request;
  • the access controller AC is configured to receive a node authentication request message sent by the user User, which the user User constructs from the user authentication response message sent by the destination access node DN, and to send a node authentication response message to the user User according to the authentication result;
  • the destination access node DN is further configured to receive an access request message sent by the user User, which the user User constructs from the node authentication response message received from the access controller AC, to authorize the user User according to the access request message, and to send an access request response message to the user User.
  • The invention also provides a low-overhead sensor network access control system including a user User, a destination access node DN and an access controller AC. The user User sends a user authentication request message to the destination access node DN; after receiving it, the destination access node DN sends a user authentication response message to the user User; the user User sends a node authentication request message to the access controller AC according to the authentication response message of the destination access node DN;
  • the access controller AC sends a node authentication response message to the user User according to the authentication result; the user User constructs an access request message according to the node authentication response message received from the access controller AC and sends it to the destination access node DN;
  • the destination access node DN performs authorization management on the access request of the user User and sends an access request response message to the user User.
  • The invention also provides a low-overhead sensor network access terminal, including:
  • a user authentication request message sending unit configured to send a user authentication request message to the destination access node DN in the sensor network;
  • a user authentication response message receiving unit configured to receive the user authentication response message that the destination access node DN sends to the user User according to the user authentication request message;
  • a node authentication request message sending unit configured to send a node authentication request message to the access controller AC, which the user User constructs from the user authentication response message sent by the destination access node DN;
  • a node authentication response message receiving unit configured to receive the node authentication response message that the access controller AC sends to the user User according to the authentication result;
  • an access request message sending unit configured to send an access request message to the destination access node DN, which the user User constructs from the node authentication response message received from the access controller AC;
  • an access request response message receiving unit configured to receive the access request response message that the destination access node DN sends after performing authorization management according to the access request message.
  • The invention also provides a destination access node DN for a low-overhead sensor network access control system, and an access controller AC for such a system.
  • The node authentication response message is generated as follows: the access controller AC receives a node authentication request message sent by the user User, which the user User constructs from the user authentication response message sent by the destination access node DN, and sends a node authentication response message to the user User according to the authentication result.
  • The advantages of the invention are as follows:
  • The invention provides a low-overhead sensor network access control method, system, terminal, destination access node and access controller in which, while the sensor network authenticates the user, the authentication information exchanged between the destination access node and the access controller is forwarded by the user itself, and the destination access node then authorizes the user. No other node of the sensor network takes part in the authentication process, so no node has to forward authentication information between the user and the destination access node.
  • This avoids the communication overhead that such forwarding would generate, saves node resources and realizes lightweight, efficient access control. For a sensor network accessed frequently by a large number of users in particular, the lifetime of the network can be increased and its cost of use reduced.
  • FIG. 1 is a flowchart of the low-overhead sensor network access control method provided by the invention.
  • Detailed description of embodiments
  • The invention provides a low-overhead sensor network access control method. In the protocol, a key K_AC,User is shared between the user User and the access controller AC, and a key K_AC,DN is shared between the destination access node DN and the access controller AC.
  • The method comprises the following steps:
  • 1) the user User sends a user authentication request message to the destination access node DN;
  • 2) the destination access node DN sends a user authentication response message to the user User;
  • 3) the user User sends a node authentication request message to the access controller AC;
  • 4) the access controller AC sends a node authentication response message to the user User according to the authentication result;
  • 5) the user User constructs an access request message according to the node authentication response message received from the access controller AC and sends it to the destination access node DN;
  • 6) the destination access node DN performs authorization management on the user User according to the access request message and, if the user is legitimate, sends an access request response message to the user User.
  • Step 1) is implemented as follows:
  • the user User first sends a user authentication request message to the destination access node DN in the sensor network; the message contains a challenge (inquiry) N1 generated by the user User.
  • The challenge can take many forms, for example a random number generated by the system.
  • Step 2) is implemented as follows:
  • after receiving the authentication request of the user User, the destination access node DN generates a challenge N2, computes ET1 = E(K_AC,DN, N1) with the key K_AC,DN it shares with the access controller AC, and sends N1 || N2 || ET1 to the user User as the user authentication response message.
  • E is a symmetric encryption algorithm.
  • || denotes concatenation, the same below.
  • Step 3) is implemented as follows:
  • after receiving the user authentication response message of the destination access node DN, the user User first determines whether the challenge N1 in the message is the challenge it chose itself; if not, it directly discards the response message; if so, it uses the key K_AC,User shared with the access controller AC to compute ET2 and the message authentication code MIC1 (computed with H under K_AC,User over the message), and sends the node authentication request message, carrying N1, ID_DN, ET1, ET2 and MIC1, to the access controller AC.
  • ID_DN is the identity of the destination access node DN.
  • H is a one-way hash function, the same below.
  • Step 4) is implemented as follows:
  • after receiving the node authentication request message of the user User, the access controller AC first checks the integrity of the message according to MIC1; if the message is incomplete, it is discarded. If it is complete, the access controller AC decrypts ET1 with the key K_AC,DN shared with the destination access node DN; if the decrypted value is not equal to the challenge N1 sent by the user User in step 3), the access controller AC constructs a node authentication response message whose result Res(DN) records that the destination access node DN could not be authenticated.
  • The access controller AC then decrypts ET2 with the key K_AC,User shared with the user User; if the decrypted value is not equal to the one sent by the user User in step 3), authentication is terminated; if it is equal, the access controller AC
  • generates a session key K_DN,User between the user User and the destination access node DN, queries the access control list ACL according to the identity of the user User, obtains the access control information ACL_User of the user User together with the user's access period T_V, and constructs the node authentication response message carrying Res(DN), ET3 (encrypted under K_AC,DN for the destination access node DN and carrying K_DN,User, ID_User, ACL_User and T_V), the session key K_DN,User protected under K_AC,User for the user User, and the message authentication code MIC2 computed under K_AC,User.
  • Step 5) is implemented as follows:
  • after receiving the node authentication response message sent by the access controller AC, the user User first determines whether the challenge in the message is the one it chose itself; if not, it discards the response message. If so, it checks the integrity of the message according to MIC2; if the message is incomplete, it is discarded. If it is complete, the user User judges the validity of the destination access node DN according to the value of Res(DN) and obtains the session key K_DN,User,
  • generates a challenge N3 and computes ET5 = E(K_DN,User, N2 || ID_User || N3 || Q_User), where Q_User is the user's access request, and the message authentication code MIC3 = H(K_DN,User, ET3 || ET5),
  • and sends ET3 || ET5 || MIC3 to the destination access node DN as the access request message.
  • Step 6) is implemented as follows:
  • after receiving the access request of the user User, the destination access node DN first decrypts ET3 with K_AC,DN and obtains the session key K_DN,User, then checks the integrity of the message according to MIC3; if the message is incomplete, access is terminated. If it is complete, the destination access node DN decrypts ET5 with K_DN,User and determines whether the decrypted challenge N2 is the challenge N2 it chose itself; if not, access is terminated. It then confirms that the ID_User obtained from ET5 is the identity of the user User requesting access; if not, access is terminated. If so, it records the current time T_c: the period from T_c to (T_c + T_V) is the access validity period of the user User, and the user can only access the network data during this period. The destination access node DN then decides according to ACL_User whether the request Q_User is permitted and, if so, prepares the response data R_DN,
  • computes ET6 = E(K_DN,User, N3 || R_DN) and the message authentication code MIC4 = H(K_DN,User, ET6), and constructs the access request response message ET6 || MIC4,
  • which is sent to the user User.
  • After receiving the access request response message, the user User checks its integrity according to MIC4, decrypts ET6 with K_DN,User and determines whether the decrypted challenge is the N3 it selected; if not, the message is discarded; if so, the user User saves the response data R_DN.
  • The subsequent access requests and response data between the user User and the destination access node DN are protected with K_DN,User.
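  • The six steps above as a three-party simulation, added here as an illustration and not code from the patent. It assumes fixed field sizes, HMAC-SHA256 for H, an HMAC-derived keystream as a stand-in for the unspecified symmetric algorithm E (a demo construction, not a real cipher), that ET1 and ET2 encrypt N1, that the node authentication request also carries ID_User, that an ET4 under K_AC,User carries K_DN,User to the user, and that Q_User is a one-byte resource index checked against a bitmask ACL_User; the helper run() also shows the validity period T_c..T_c+T_V expiring.

```python
import hashlib, hmac, os, struct

NL, IDL, KL, MACL = 16, 8, 32, 32                 # nonce, identity, key and MIC sizes (constructed)
CTL, ET3L = 16 + NL, 16 + KL + IDL + 12           # sizes of ET1/ET2 and of ET3 (16-byte IV + plaintext)

def H(key, data):                                 # one-way hash H, keyed: used for MIC1..MIC4
    return hmac.new(key, data, hashlib.sha256).digest()

def E(key, pt, iv=None):                          # toy stand-in for the symmetric algorithm E (demo only)
    iv = iv or os.urandom(16)
    ks = b"".join(H(key, iv + struct.pack(">I", i)) for i in range(len(pt) // 32 + 1))
    return iv + bytes(a ^ b for a, b in zip(pt, ks))

def Dc(key, ct):                                  # decryption: re-derive the keystream and XOR again
    return E(key, ct[16:], ct[:16])[16:]

class User:
    def __init__(self, id_user, id_dn, k_ac_user):
        self.id, self.id_dn, self.k, self.k_s = id_user, id_dn, k_ac_user, None   # K_AC,User pre-shared
    def step1(self):                              # user authentication request: challenge N1
        self.n1 = os.urandom(NL)
        return self.n1
    def step3(self, msg):                         # N1 || N2 || ET1 -> node authentication request
        n1, self.n2, et1 = msg[:NL], msg[NL:2 * NL], msg[2 * NL:]
        if n1 != self.n1: return None             # not the challenge we chose: discard
        body = n1 + self.id + self.id_dn + et1 + E(self.k, n1)   # ET2 = E(K_AC,User, N1) (assumed)
        return body + H(self.k, body)             # MIC1 under K_AC,User
    def step5(self, msg, q_user):                 # node authentication response -> access request
        body, mic2 = msg[:-MACL], msg[-MACL:]
        if body[:NL] != self.n1 or not hmac.compare_digest(mic2, H(self.k, body)): return None
        if body[NL] != 1: return None             # Res(DN): AC could not authenticate the DN
        et3, et4 = body[NL + 1:NL + 1 + ET3L], body[NL + 1 + ET3L:]
        self.k_s, self.n3 = Dc(self.k, et4), os.urandom(NL)   # ET4 (assumed) carries K_DN,User
        et5 = E(self.k_s, self.n2 + self.id + self.n3 + q_user)
        return et3 + et5 + H(self.k_s, et3 + et5)             # MIC3 = H(K_DN,User, ET3 || ET5)
    def finish(self, msg):                        # access request response: ET6 || MIC4 -> R_DN
        et6, mic4 = msg[:-MACL], msg[-MACL:]
        if not hmac.compare_digest(mic4, H(self.k_s, et6)): return None
        pt = Dc(self.k_s, et6)
        if pt[:NL] != self.n3: return None        # not our challenge N3: discard
        return pt[NL:]                            # R_DN

class AC:
    def __init__(self, user_keys, dn_keys, acl):  # {ID_User: K_AC,User}, {ID_DN: K_AC,DN}, {ID_User: (bits, T_V)}
        self.uk, self.dk, self.acl = user_keys, dn_keys, acl
    def step4(self, msg):                         # node authentication request -> response, or None
        body, mic1 = msg[:-MACL], msg[-MACL:]
        n1, id_user, id_dn = body[:NL], body[NL:NL + IDL], body[NL + IDL:NL + 2 * IDL]
        k_u = self.uk.get(id_user)
        if k_u is None or not hmac.compare_digest(mic1, H(k_u, body)): return None   # incomplete
        et1, et2 = body[NL + 2 * IDL:NL + 2 * IDL + CTL], body[NL + 2 * IDL + CTL:]
        k_d = self.dk.get(id_dn)
        res_dn = k_d is not None and Dc(k_d, et1) == n1   # Res(DN): did DN encrypt N1 under K_AC,DN?
        if Dc(k_u, et2) != n1: return None        # user does not hold K_AC,User: terminate
        if not res_dn:
            head = n1 + b"\x00"                   # negative Res(DN), still integrity-protected
            return head + H(k_u, head)
        k_s = os.urandom(KL)                      # session key K_DN,User
        bits, t_v = self.acl.get(id_user, (0, 0))   # ACL_User bitmask and access period T_V
        et3 = E(k_d, k_s + id_user + struct.pack(">QI", bits, t_v))   # only DN can open ET3
        head = n1 + b"\x01" + et3 + E(k_u, k_s)   # ET4 (assumed): K_DN,User for the user
        return head + H(k_u, head)                # MIC2 under K_AC,User

class DN:
    def __init__(self, id_dn, k_ac_dn, data):
        self.id, self.k, self.data, self.sessions = id_dn, k_ac_dn, data, {}
    def step2(self, n1):                          # user authentication response: N1 || N2 || ET1
        self.n2 = os.urandom(NL)
        return n1 + self.n2 + E(self.k, n1)       # ET1 = E(K_AC,DN, N1)
    def step6(self, msg, now):                    # access request -> access request response
        et3, et5, mic3 = msg[:ET3L], msg[ET3L:-MACL], msg[-MACL:]
        pt3 = Dc(self.k, et3)
        k_s, id_user = pt3[:KL], pt3[KL:KL + IDL]
        bits, t_v = struct.unpack(">QI", pt3[KL + IDL:])
        if not hmac.compare_digest(mic3, H(k_s, et3 + et5)): return None   # incomplete: terminate
        pt5 = Dc(k_s, et5)
        n2, uid, n3, q = pt5[:NL], pt5[NL:NL + IDL], pt5[NL + IDL:2 * NL + IDL], pt5[2 * NL + IDL:]
        if n2 != self.n2 or uid != id_user: return None   # wrong challenge or identity: terminate
        self.sessions[id_user] = (k_s, now, now + t_v)    # T_c recorded; valid until T_c + T_V
        if not (bits >> q[0]) & 1: return None    # ACL_User does not permit resource q[0]
        et6 = E(k_s, n3 + self.data.get(q[0], b""))       # ET6 = E(K_DN,User, N3 || R_DN)
        return et6 + H(k_s, et6)                  # MIC4 = H(K_DN,User, ET6)
    def in_period(self, id_user, now):            # later requests honoured only inside T_c..T_c+T_V
        s = self.sessions.get(id_user)
        return s is not None and s[1] <= now < s[2]

def run(dn_key_ok=True, resource=2, now=1000):  # drive all six steps; returns (R_DN, valid@+5s, valid@+500s)
    k_u, k_d = os.urandom(KL), os.urandom(KL)
    user = User(b"user0001", b"dn000042", k_u)
    dn = DN(b"dn000042", k_d if dn_key_ok else os.urandom(KL), {2: b"temp=21.5C"})
    ac = AC({b"user0001": k_u}, {b"dn000042": k_d}, {b"user0001": (0b0100, 300)})
    resp = ac.step4(user.step3(dn.step2(user.step1())))
    req = user.step5(resp, bytes([resource])) if resp else None
    out = dn.step6(req, now) if req else None
    r_dn = user.finish(out) if out else None
    return r_dn, dn.in_period(b"user0001", now + 5), dn.in_period(b"user0001", now + 500)
```

run(dn_key_ok=False) exercises the negative Res(DN) path (the user terminates without ever contacting the DN again), and run(resource=1) a request that ACL_User does not permit.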
  • The invention also provides a low-overhead sensor network access control system including a user User, a destination access node DN and an access controller AC. The user User sends a user authentication request message to the destination access node DN; after receiving it, the destination access node DN sends a user authentication response message to the user User; the user User combines the authentication response message of the destination access node DN into a node authentication request message and sends it to the access controller AC; the access controller AC sends a node authentication response message to the user User according to the authentication result;
  • the user User constructs an access request message according to the node authentication response message received from the access controller AC and sends it to the destination access node DN; the destination access node DN authorizes the access request of the user User and sends an access request response message to the user User.
  • The user authentication response message that the destination access node DN sends to the user User is formed as follows:
  • after receiving the user authentication request sent by the user User, the destination access node DN generates a challenge N2, computes ET1 = E(K_AC,DN, N1) with the key K_AC,DN shared with the access controller AC, and sends N1 || N2 || ET1 to the user User.
  • The node authentication request message that the access controller AC receives from the user User is formed as follows:
  • after receiving the user authentication response message sent by the destination access node DN, the user User determines that the challenge carried in the message is the challenge it selected, computes ET2 and MIC1 with the key K_AC,User shared with the access controller AC, and sends the message carrying N1, ID_DN, ET1, ET2 and MIC1 to the access controller AC, where ID_DN is the identity of the destination access node DN and H is a one-way hash function.
  • The node authentication response message that the access controller AC sends to the user User according to the authentication result is formed as follows:
  • after receiving the node authentication request message sent by the user User and determining from the MIC1 carried in the message that the message is complete, the access controller AC decrypts ET1 with the key K_AC,DN shared with the destination access node DN and compares the result with the N1 sent by the user User; the outcome is recorded in Res(DN), which indicates whether the access controller AC successfully authenticated the destination access node DN.
  • The access controller AC then decrypts ET2 with the key K_AC,User shared with the user User; if the result is equal to the value sent by the user User, the access controller AC generates a session key K_DN,User between the user User and the destination access node DN, queries the access control list ACL according to the identity of the user User, and constructs the response message protected by MIC2, where H is a one-way hash function.
  • The access request message received by the destination access node DN is formed as follows: after receiving the node authentication response message of the access controller AC and determining that the challenge N1 is the one it selected, the user User checks the integrity of the message according to MIC2; when the message is complete, the user User judges the validity of the destination access node DN according to Res(DN), computes ET5 = E(K_DN,User, N2 || ID_User || N3 || Q_User) and MIC3 = H(K_DN,User, ET3 || ET5), and sends ET3 || ET5 || MIC3 to the destination access node DN.
  • The destination access node DN is further used to:
  • decrypt ET3 to obtain K_DN,User, check MIC3, decrypt ET5, determine that the decrypted challenge N2 is the challenge N2 selected by the destination access node DN, confirm that the ID_User obtained from ET5 is the identity of the user User requesting access and, when it is, record the current time T_c;
  • treat the period from T_c to (T_c + T_V) as the access period of the user User, during which alone the user can access the network data, and decide according to ACL_User whether the request of the user User is permitted;
  • compute ET6 = E(K_DN,User, N3 || R_DN) and the message authentication code MIC4 = H(K_DN,User, ET6), and construct the access request response message ET6 || MIC4,
  • which is sent to the user User.
  • The user authentication request message that the user authentication request message sending unit sends to the destination access node DN in the sensor network contains a challenge N1 generated by the user User.
  • The user authentication response message received by the user authentication response message receiving unit, which the destination access node DN sends to the user User according to the user authentication request message, is formed as follows:
  • the destination access node DN generates a challenge N2, computes ET1 = E(K_AC,DN, N1), and sends N1 || N2 || ET1 to the user User as the user authentication response message, where E is a symmetric encryption algorithm.
  • The node authentication request message that the node authentication request message sending unit sends to the access controller AC is formed as follows:
  • after receiving the user authentication response message sent by the destination access node DN, the user User determines that the challenge carried in the message is the one it selected and, using the key K_AC,User shared with the access controller AC, computes ET2 and MIC1;
  • the message carrying N1, ID_DN, ET1, ET2 and MIC1 is sent to the access controller AC, where ID_DN is the identity of the destination access node DN and H is a one-way hash function.
  • The node authentication response message received by the node authentication response message receiving unit, which the access controller AC sends to the user User according to the authentication result, is formed as follows:
  • the access controller AC receives the node authentication request message sent by the user User and, after determining from the MIC1 carried in the message that the message is complete, decrypts ET1 with the key K_AC,DN shared with the destination access node DN;
  • if the decrypted ET1 equals the N1 transmitted by the user User in step 3), the destination access node DN is authenticated, and the access controller AC proceeds as in step 4) to generate K_DN,User and construct the response.
  • The access request message that the access request message sending unit sends to the destination access node DN is formed as follows:
  • the user User computes ET5 = E(K_DN,User, N2 || ID_User || N3 || Q_User) and the message authentication code MIC3 = H(K_DN,User, ET3 || ET5),
  • and ET3 || ET5 || MIC3 is sent to the destination access node DN.
  • The access request response message received by the access request response message receiving unit, which the destination access node DN sends after authorizing the user User according to the access request message, is formed as follows:
  • after receiving the access request of the user User, the destination access node DN decrypts ET3 and obtains the session key K_DN,User; after determining from MIC3 that the message is complete, it decrypts ET5 with K_DN,User and determines whether the decrypted N2 is the challenge N2 selected by the destination access node DN, then confirms that the ID_User obtained from ET5 is the identity of the user User requesting access and, when it is, records the current time T_c; it then computes ET6 = E(K_DN,User, N3 || R_DN) and MIC4 = H(K_DN,User, ET6), and
  • ET6 || MIC4 is sent to the user User.
  • The low-overhead sensor network access terminal provided by the invention further includes:
  • a request response message processing unit configured to check the integrity of the message according to MIC4 after the user User receives the access request response message and, when the message is complete, to decrypt ET6 with K_DN,User and determine whether the decrypted challenge is the challenge N3 selected by the user User.
  • If so, the user User saves the response data R_DN, and the subsequent access requests and response data between the user User and the destination access node DN are protected with K_DN,User.
  • The invention provides a destination access node DN (also referred to as a sensor) for a low-overhead sensor network access control system.
  • The node authentication response message is generated as follows: the access controller AC receives a node authentication request message sent by the user User, which the user User constructs from the user authentication response message sent by the destination access node DN, and sends a node authentication response message to the user User according to the authentication result.
  • The user authentication response message that the destination access node DN sends to the user User is formed as follows:
  • after receiving the user authentication request sent by the user User, the destination access node DN generates a challenge N2 and computes ET1 = E(K_AC,DN, N1) with the key K_AC,DN shared with the access controller AC; then N1 || N2 || ET1
  • is sent to the user User as the user authentication response message, where E is a symmetric encryption algorithm and N1 is the challenge generated by the user User and carried in the user authentication request message.
  • The invention provides an access controller AC for a low-overhead sensor network access control system, which is used to:
  • send a node authentication response message to the user User according to the authentication result, so that the user User constructs from it an access request message sent to the destination access node DN, and the destination access node DN performs authorization management on the user User according to the access request message.
  • The node authentication request message sent by the user User and received by the access controller AC is formed as follows:
  • after receiving the user authentication response message sent by the destination access node DN, the user User determines that the challenge carried in the message is the one it selected and, using the key K_AC,User shared with the access controller AC, computes ET2 and MIC1;
  • the message carrying N1, ID_DN, ET1, ET2 and MIC1 is sent to the access controller AC, where ID_DN is the identity of the destination access node DN, H is a one-way hash function and || denotes concatenation.
  • The node authentication response message that the access controller AC sends to the user User according to the authentication result is formed as follows:
  • after receiving the node authentication request message sent by the user User and determining from the MIC1 carried in the message that the message is complete, the access controller AC decrypts ET1 with the key K_AC,DN shared with the destination access node DN.
  • The access controller AC then decrypts ET2 with the key K_AC,User shared with the user User; if the result is equal to the value sent by the user User, the access controller AC generates a session key K_DN,User between the user User and the destination access node DN and queries the access control list ACL according to the identity of the user User.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, system, terminal, destination access node and access controller for low-overhead sensor network access control solve the problem that prior-art methods require online participation of the access controller and consume network node resources. The method includes the following steps: 1) a Destination access Node (DN) in a sensor network receives a user authentication request message sent by a user; 2) the DN, according to the user authentication request message, sends a user authentication response message to the user; 3) an Access Controller (AC) receives a node authentication request message sent by the user, wherein the node authentication request message is constructed by the user according to the user authentication response message sent by the DN; 4) the AC, according to an authentication result, sends a node authentication response message to the user; 5) the DN receives an access request message sent by the user, wherein the access request message is constructed by the user according to the node authentication response message received from the AC; 6) the DN, according to the access request message, performs authorization management on the user and sends an access request response message to the user.

Description

Low-overhead sensor network access control method, system, terminal, destination access node and access controller

This application claims priority to Chinese patent application No. 201010153096.7, filed with the Chinese Patent Office on April 22, 2010 and entitled "Low-overhead sensor network access control method and system", the entire contents of which are incorporated herein by reference.

Technical field

The present invention belongs to the field of wireless network security applications within information security technology, and in particular relates to a low-overhead sensor network access control method, system, terminal, destination access node and access controller.

Background art

A wireless sensor network consists of a large number of nodes with sensing capability that self-organize into a network in an ad-hoc manner and provide users with data collection, processing and transmission services. The access control mechanism protects sensor network data, denies access to illegitimate users and controls the access rights of legitimate users; it is one of the basic security services of a sensor network.
In existing sensor network access control methods that require online participation of the access controller, the destination access node in the sensor network begins authenticating the user's identity as soon as it receives the user's access request, and the user's authentication information is usually forwarded to the access controller through other nodes in the sensor network; the access controller authenticates the user's identity, and the authentication result together with the corresponding authorization information is forwarded back through intermediate nodes to the destination access node, thereby implementing access control for network users. When a large number of users access the network frequently, this method causes the forwarding nodes in the network to incur a large amount of communication overhead; in a sensor network whose node resources are strictly limited, the resources of some network nodes are quickly exhausted, which greatly affects the operating cost and lifetime of the network. Sensor network users, for their part, are usually resource-limited devices such as laptop computers and PDAs.

Summary of the invention

To solve the above technical problems in the background art, the present invention proposes a low-overhead sensor network access control method, system, terminal, destination access node and access controller in which no other node of the sensor network needs to participate in the authentication process.
The technical solution of the present invention is as follows:
The present invention provides a low-overhead sensor network access control method, comprising the following steps:
1) a destination access node DN in the sensor network receives a user authentication request message sent by a user User;
2) the destination access node DN sends a user authentication response message to the user User according to the user authentication request message;
3) an access controller AC receives a node authentication request message sent by the user User, the node authentication request message being constructed by the user User from the user authentication response message sent by the destination access node DN;
4) the access controller AC sends a node authentication response message to the user User according to the authentication result;
5) the destination access node DN receives an access request message sent by the user User, the access request message being constructed by the user User from the node authentication response message received from the access controller AC;
6) the destination access node DN performs authorization management on the user User according to the access request message and sends an access request response message to the user User.
The present invention also provides a low-overhead sensor network access control system, comprising a destination access node and an access controller, wherein:
the destination access node DN is configured to receive a user authentication request message sent by a user User and to send a user authentication response message to the user User according to the user authentication request message; the access controller AC is configured to receive a node authentication request message sent by the user User, the node authentication request message being constructed by the user User from the user authentication response message sent by the destination access node DN, and to send a node authentication response message to the user User according to the authentication result;
the destination access node DN is further configured to receive an access request message sent by the user User, the access request message being constructed by the user User from the node authentication response message received from the access controller AC, and to perform authorization management on the user User according to the access request message and send an access request response message to the user User.
The present invention also provides a low-overhead sensor network access control system comprising a user User, a destination access node DN and an access controller AC. The user User sends a user authentication request message to the destination access node DN; after receiving the user authentication request message, the destination access node DN sends a user authentication response message to the user User; the user User constructs a node authentication request message from the authentication response message of the destination access node DN and sends it to the access controller AC; the access controller AC sends a node authentication response message to the user User according to the authentication result; the user User constructs an access request message from the node authentication response message received from the access controller AC and sends it to the destination access node DN; the destination access node DN performs authorization management on the access request of the user User and sends an access request response message to the user User.
The present invention also provides a low-overhead sensor network access terminal, comprising:
a user authentication request message sending unit, configured to send a user authentication request message to a destination access node DN in the sensor network;
a user authentication response message receiving unit, configured to receive the user authentication response message that the destination access node DN sends to the user User according to the user authentication request message;
a node authentication request message sending unit, configured to send a node authentication request message to an access controller AC, the node authentication request message being constructed by the user User from the user authentication response message sent by the destination access node DN;
a node authentication response message receiving unit, configured to receive the node authentication response message that the access controller AC sends to the user User according to the authentication result;
an access request message sending unit, configured to send an access request message to the destination access node DN, the access request message being constructed by the user User from the node authentication response message received from the access controller AC;
an access request response message receiving unit, configured to receive the access request response message sent by the destination access node DN after performing authorization management on the user User according to the access request message.
The present invention also provides a destination access node in a low-overhead sensor network access control system, configured to:
receive a user authentication request message sent by a user User and send a user authentication response message to the user User according to the user authentication request message; receive an access request message sent by the user User, the access request message being constructed by the user User from the node authentication response message received from the access controller AC; and perform authorization management on the user User according to the access request message and send an access request response message to the user User;
wherein the node authentication response message is generated as follows: the access controller AC receives a node authentication request message sent by the user User, the node authentication request message being constructed by the user User from the user authentication response message sent by the destination access node DN, and sends a node authentication response message to the user User according to the authentication result.
The present invention also provides an access controller of a low-overhead sensor network access control system, configured to:
receive a node authentication request message sent by a user User, the node authentication request message being constructed by the user User from the user authentication response message sent by the destination access node DN; and send a node authentication response message to the user User according to the authentication result, so that the user User constructs, from the node authentication response message, an access request message to be sent to the destination access node, and the destination access node performs authorization management on the user User according to the access request message.
The advantages of the present invention are as follows. In the low-overhead sensor network access control method, system, terminal, destination access node and access controller proposed here, while the destination access node in the sensor network authenticates the user, the authentication information exchanged between the destination access node and the access controller is forwarded by the user, and the destination access node then performs authorization management on the user. No other node in the sensor network needs to take part in the authentication process, so nodes in the network incur no communication overhead from forwarding authentication information between the user and the destination access node. This effectively saves node resources and achieves lightweight, efficient access control; in particular, for sensor networks that are frequently accessed by a large number of users, it can extend the network's lifetime and reduce its operating cost.

Brief description of the drawings
FIG. 1 is a flowchart of the low-overhead sensor network access control method provided by the present invention.

Detailed description

Referring to FIG. 1, the present invention provides a low-overhead sensor network access control method. Before the protocol runs, a key has already been shared between the user User and the access controller AC, and between the destination access node DN and the access controller AC. According to a preferred embodiment of the present invention, the method comprises the following steps:
1) the user User sends a user authentication request message to the destination access node DN in the sensor network;
2) the destination access node DN sends a user authentication response message to the user User;
3) the user User constructs a node authentication request message from the user authentication response message of the destination access node DN and sends it to the access controller AC;
4) the access controller AC sends a node authentication response message to the user User according to the authentication result;
5) the user User constructs an access request message from the node authentication response message received from the access controller AC and sends it to the destination access node DN;
6) the destination access node DN performs authorization management on the user User according to the access request message and, if the user is legitimate, sends an access request response message to the user User.
Step 1) above is implemented as follows:
The user User first sends a user authentication request message to the destination access node DN in the sensor network; the message contains a challenge N1 generated by the user User. The challenge N1 can take many forms, for example a random number generated by the system.
Step 2) above is implemented as follows:
After receiving the authentication request of the user User, the destination access node DN generates a challenge N2, computes ET1 = E(K_AC,DN, N1) using the key K_AC,DN shared with the access controller AC, and sends N1||N2||ET1 to the user User as the user authentication response message. Here E is a symmetric encryption algorithm and "||" denotes concatenation; the same applies below.
Step 3) above is implemented as follows:
After receiving the user authentication response message from the destination access node DN, the user User first checks whether the challenge N1 in the message is the challenge it chose itself; if not, it discards the response message. If so, it computes ET2 = E(K_AC,User, N1) using the key K_AC,User shared with the access controller AC, computes the message integrity code MIC1 = H(K_AC,User, N1||ID_DN||ET1||ET2), constructs the node authentication request message N1||ID_DN||ET1||ET2||MIC1 and sends it to the access controller AC. Here ID_DN is the identity of the destination access node DN and H is a one-way hash function; the same applies below.
Step 4) above is implemented as follows:
After receiving the node authentication request message from the user User, the access controller AC first checks the integrity of the message using MIC1; if the message is not intact, it is discarded. If it is intact, the access controller AC decrypts ET1 using the key K_AC,DN shared with the destination access node DN. If the decrypted result is not equal to the N1 sent by the user User in step 3), the access controller AC constructs the node authentication response message N1||ID_DN||Res(DN)||MIC2 and sends it to the user User, where Res(DN) = Failure indicates that the access controller AC failed to authenticate the destination access node DN, and MIC2 = H(K_AC,User, N1||ID_DN||Res(DN)). If the decrypted result is equal to the N1 sent by the user User in step 3), the access controller AC decrypts ET2 using the key K_AC,User shared with the user User; if the decrypted result is not equal to the N1 sent by the user User in step 3), authentication is terminated. If it is equal, the access controller AC generates the session key K_DN,User between the user User and the destination access node DN, queries the access control list ACL according to the identity of the user User to obtain the access control information ACL_User of the user User and, together with the access period T_V of the User, computes ET3 = E(K_AC,DN, ID_User||K_DN,User||T_V||ACL_User) using K_AC,DN and ET4 = E(K_AC,User, K_DN,User) using K_AC,User, computes the message authentication code MIC2 = H(K_AC,User, N1||ID_DN||Res(DN)||ET3||ET4), constructs the node authentication response message N1||ID_DN||Res(DN)||ET3||ET4||MIC2 and sends it to the user User, where Res(DN) = True indicates that the access controller AC successfully authenticated the destination access node DN.
Step 5) above is implemented as follows:
After receiving the node authentication response message sent by the access controller AC, the user User first checks whether the challenge N1 is the challenge it chose itself; if not, it discards the response message. If so, it checks the integrity of the message using MIC2; if the message is not intact, it is discarded. If it is intact, the user User judges the legitimacy of the destination access node DN from the value of Res(DN): if Res(DN) = Failure, the destination access node DN is illegitimate and the user User terminates the access; if Res(DN) = True, the destination access node DN is legitimate, and the user User decrypts ET4 in the message, generates a challenge N3 and, together with the challenge N2 of the destination access node DN and its own access request Q_User, computes ET5 = E(K_DN,User, N2||N3||Q_User) using the session key K_DN,User with the destination access node that was just obtained by decryption, computes the message authentication code MIC3 = H(K_DN,User, ET3||ET5), constructs the access request message ET3||ET5||MIC3 and sends it to the destination access node DN.
Step 6) above is implemented as follows:
After receiving the access request of the user User, the destination access node DN first decrypts ET3 to obtain the session key K_DN,User, then checks the integrity of the message using MIC3; if the message is not intact, the access is terminated. If it is intact, it decrypts ET5 using K_DN,User and checks whether the decrypted challenge N2 is the challenge N2 chosen by the destination access node DN itself; if not, the access is terminated. If so, it further confirms whether the ID_User obtained after decrypting ET5 is the identity of the user User requesting access; if not, the access is terminated. If so, it records the current time T_c; the period from T_c to (T_c + T_V) is the access validity period of the user User, and the user can access network data only within this period. The destination access node DN then judges from ACL_User whether the access request Q_User of the user User is legitimate; if not, the access is terminated. If it is legitimate, it generates the response data R_DN, computes ET6 = E(K_DN,User, N3||R_DN) using K_DN,User together with N3, computes the message authentication code MIC4 = H(K_DN,User, ET6), constructs the access request response message ET6||MIC4 and sends it to the user User. After receiving the request response message, the user User first checks the integrity of the message using MIC4; if the message is not intact, it is discarded. If it is intact, the user decrypts ET6 using K_DN,User and checks whether the decrypted challenge N3 is the challenge N3 it chose itself; if not, the message is discarded. If so, the user User saves the response data R_DN. Subsequent access requests and response data between the user User and the destination access node DN are all protected with K_DN,User.
The present invention also provides a low-overhead sensor network access control system comprising a user User, a destination access node DN and an access controller AC. The user User sends a user authentication request message to the destination access node DN; after receiving the user authentication request message, the destination access node DN sends a user authentication response message to the user User; the user User constructs a node authentication request message from the authentication response message of the destination access node DN and sends it to the access controller AC; the access controller AC sends a node authentication response message to the user User according to the authentication result; the user User constructs an access request message from the node authentication response message received from the access controller AC and sends it to the destination access node DN; the destination access node DN performs authorization management on the access request of the user User and sends an access request response message to the user User.
The present invention also provides a low-overhead sensor network access control system, comprising a destination access node and an access controller, wherein:
the destination access node DN is configured to receive a user authentication request message sent by a user User and to send a user authentication response message to the user User according to the user authentication request message;
the access controller AC is configured to receive a node authentication request message sent by the user User, the node authentication request message being constructed by the user User from the user authentication response message sent by the destination access node DN, and to send a node authentication response message to the user User according to the authentication result;
the destination access node DN is further configured to receive an access request message sent by the user User, the access request message being constructed by the user User from the node authentication response message received from the access controller AC, and to perform authorization management on the user User according to the access request message and send an access request response message to the user User.
The user authentication response message that the destination access node DN sends to the user User is formed as follows:
所述目的访问节点匪收到用户 User发送的用户认证请求后, 产生询问 N2, 并利用与所述访问控制器 AC之间的共享密钥 KAC,DN计算
Figure imgf000010_0001
, 将 | |N2| IEL作为用户认证响应消息发送给用户 User, 其中, E为对称加密算法, 所述 是所述用户认证请求消息中携带的用户 U s e r产生的询问 ^。
After receiving the user authentication request sent by the user User, the destination access node generates an inquiry N 2 and calculates using the shared key K AC , DN with the access controller AC.
Figure imgf000010_0001
And sending the | |N 2 | IEL as a user authentication response message to the user User, where E is a symmetric encryption algorithm, and the inquiry is generated by the user U ser carried in the user authentication request message.
所述访问控制器 AC, 接收的所述用户 User发送的节点认证请求消息, 按 照以下方式形成:  The access controller AC receives the node authentication request message sent by the user User, and is formed as follows:
所述用户 User收到所述目的访问节点匪发送的用户认证响应消息后, 判 断消息中携带的询问 是用户 User选择的询问后, 利用与所述访问控制器 AC 之间 的共享密钥 KA ser计算 ET2=E (KAC,user, NJ , 并计算消 息鉴别码
Figure imgf000010_0002
|IDDN| I EL I |ET2) , 构 造 节 点 认 证 请 求 消 息 | |IDDN| |ET2| |MICi并发送给所述访问控制器 AC的, 其中, 1 是目的访 问节点匪的身份标识, H为单向哈希函数。
After receiving the user authentication response message sent by the destination access node, the user User determines that the inquiry carried in the message is an inquiry selected by the user, and uses the shared key K A with the access controller AC. Ser calculates ET 2 =E (K AC , u ser , NJ , and calculates the message authentication code
Figure imgf000010_0002
|ID DN | I EL I |ET 2 ) , constructing a node authentication request message | |ID DN | |ET 2 | |MICi and sending it to the access controller AC, where 1 is the identity of the destination access node , H is a one-way hash function.
所述访问控制器 AC, 根据认证结果向所述用户 User发送的节点认证响应 消息, 按照以下方式形成:  The access controller AC sends a node authentication response message to the user User according to the authentication result, which is formed as follows:
所述访问控制器 AC收到所述用户 User发送的节点认证请求消息后, 在根 据消息中携带的 MlC it息判断消息完整后,利用与所述目的访问节点 DN之间的 共享密钥 KAe,DN解密 ET1 在解密后得到的结果与用户 User发送的 相等时, 由所 述访问控制器 AC利用与所述用户 User共享的密钥 KAe,Us„解密 ET2, 若解密后得到 的结果与所述用户 User发送的 相等,则由访问控制器 AC生成用户 User和目的 访问节点匪间的会话密钥 KD ser, 并根据所述用户 User的身份标识查询访问控 制列表 ACL, 获得所述用户 User的访问控制信息 ACLUS„, 连同 User的访问期限 T" 利用 KAC,DN计算 ET3=E (KAC,DN, IDUSER| |KD SER| ITVI |ACLUSER) , 并利用 KAC,USER计算 ET4=E (KAC,uSER, KD SER) , 计 算 消 息 鉴 别 码 MIC2=H (KAC,User, I I IDDN I I Res (DN) I |ET3| I ET4) , 构造节点认证响应消 息 | I IDDN| |Res (DN) I |ET3| |ET4| |MIC2发送给所述用户 User, 其中, 1 是所述目 的访问节点匪的身份标识, Res (DN)=True表示所述访问控制器 AC对所述目的 访问节点 DN鉴别成功, 所述 H为单向哈希函数。 After receiving the node authentication request message sent by the user User, the access controller AC uses the shared key K Ae with the destination access node DN after determining that the message is complete according to the MlC it message carried in the message. When the result obtained by the DN decryption ET 1 is equal to that sent by the user User, the access controller AC uses the key K Ae , Us „ shared with the user User to decrypt the ET 2 , if obtained after decryption The result is equal to that sent by the user User, and the access controller AC generates a session key K D ser between the user User and the destination access node, and queries the access control list ACL according to the identity of the user User. 
The access control information ACL US „ of the user User, together with the access period T of the user, is calculated using K AC , DN ET 3 = E (K AC , DN , ID USER | | K D SER | ITVI | ACL USER ) and utilized K AC , USER calculates ET 4 =E (K AC , u SER , K D SER ) , calculates the message authentication code MIC 2 =H (K AC , User , II ID DN II Res (DN) I |ET 3 | I ET 4 ), construct node authentication response message | I ID DN | |Res (DN) I |ET 3 | |ET 4 | |MIC 2 is sent to the user User, where 1 is the identity of the destination access node, Res (DN)=True The access controller AC successfully authenticates the destination access node DN, and the H is a one-way hash function.
所述目的访问节点 DN接收到的所述访问请求消息, 按照以下方式形成: 所述用户 User收到所述访问控制器 AC的节点认证响应消息后, 在判断询 问^是用户 User选择的询问后, 根据 MIC2判断消息的完整性; 在消息完整时, 用户 User根据 Res (DN)判断目的访问节点匪的合法性, 在 Res (DN) =True时, 用 户 User解密消息中的 ET4, 产生询问 N3, 连同目的访问节点 DN的询问 N2以及用户 User的访问请求 Qus„利用所述解密后获得的、 与目的访问节点间的会话密钥 KDMser计算 ET5=E(KD ser,N2| |N3| IQJ ,计算消息鉴别码 MIC3=H (KD ser, ΕΤ31 |ΕΤ5) , 构造访问请求消息 ΕΤ3| |ET5| |MIC3发送给目的访问节点匪。 The access request message received by the destination access node DN is formed as follows: after the user User receives the node authentication response message of the access controller AC, after determining that the query ^ is the query selected by the user User According to the MIC 2 , the integrity of the message is judged; when the message is complete, the user User judges the validity of the destination access node according to Res (DN). When Res (DN) = True, the user User decrypts the ET 4 in the message, and generates inquiry N 3, together with the query object access node DN N 2 and access the user's request user Q us "session key K DMser between the decryption using the acquired, and the destination access node calculation ET 5 = E (K D ser , N 2 | | N 3 | IQJ , calculate the message authentication code MIC 3 = H (K D ser , ΕΤ 3 1 | ΕΤ 5 ) , construct the access request message ΕΤ 3 | | ET 5 | | MIC 3 is sent to the destination access node bandit.
The destination access node DN is further configured to:
after receiving the access request of the user User, decrypt ET3 to obtain the session key K_DN,User; after determining from MIC3 that the message is intact, decrypt ET5 with K_DN,User; after determining that the challenge N2 obtained by decryption is the challenge N2 selected by the destination access node DN, further confirm whether the ID_User obtained after decrypting ET5 is the identity of the user User requesting access; when it is, record the current time T_c and take the period from T_c to (T_c + T_V) as the access validity period of the user User, the user being allowed to access network data only within this period; the destination access node DN judges according to ACL_User whether the access request Q_User of the user User is legitimate and, if it is, generates the response data R_DN, computes ET6 = E(K_DN,User, N3 || R_DN) with K_DN,User from N3 and R_DN, computes the message authentication code MIC4 = H(K_DN,User, ET6), and constructs the access request response message ET6 || MIC4, which is sent to the user User.
The present invention further provides a low-overhead sensor network access terminal, comprising:
a user authentication request message sending unit, configured to send a user authentication request message to the destination access node DN in the sensor network;
a user authentication response message receiving unit, configured to receive the user authentication response message that the destination access node DN sends to the user User according to the user authentication request message;
a node authentication request message sending unit, configured to send a node authentication request message to the access controller AC, the node authentication request message being constructed by the user User in combination with the user authentication response message sent by the destination access node DN;
a node authentication response message receiving unit, configured to receive the node authentication response message that the access controller AC sends to the user User according to the authentication result;
an access request message sending unit, configured to send an access request message to the destination access node DN, the access request message being constructed by the user User according to the node authentication response message received from the access controller AC;
an access request response message receiving unit, configured to receive the access request response message that the destination access node DN sends after performing authorization management on the user User according to the access request message.
The user authentication request message that the user authentication request message sending unit sends to the destination access node DN in the sensor network contains a challenge N1 generated by the user User.
The user authentication response message received by the user authentication response message receiving unit, sent by the destination access node DN to the user User according to the user authentication request message, is formed as follows:
after receiving the user authentication request sent by the user User, the destination access node DN generates a challenge N2, computes ET1 = E(K_AC,DN, N1) using the key K_AC,DN shared with the access controller AC, and sends N1 || N2 || ET1 to the user User as the user authentication response message, where E is a symmetric encryption algorithm.
The node authentication request message that the node authentication request message sending unit sends to the access controller AC is formed as follows:
after receiving the user authentication response message sent by the destination access node DN and determining that the challenge N1 carried in the message is the challenge selected by the user User, the user User computes ET2 = E(K_AC,User, N1) using the key K_AC,User shared with the access controller AC, computes the message authentication code MIC1 = H(K_AC,User, N1 || ID_DN || ET1 || ET2), and constructs the node authentication request message N1 || ID_DN || ET1 || ET2 || MIC1, which is sent to the access controller AC, where ID_DN is the identity of the destination access node DN and H is a one-way hash function.
The node authentication response message received by the node authentication response message receiving unit, sent by the access controller AC to the user User according to the authentication result, is formed as follows:
after receiving the node authentication request message sent by the user User and determining from the MIC1 carried in the message that the message is intact, the access controller AC decrypts ET1 with the key K_AC,DN shared with the destination access node DN; when the decryption result equals the N1 sent by the user User in step 3), the access controller AC decrypts ET2 with the key K_AC,User shared with the user User; if the decryption result equals the N1 sent by the user User in step 3), the access controller AC generates the session key K_DN,User between the user User and the destination access node DN, queries the access control list ACL according to the identity of the user User to obtain the access control information ACL_User of the user User together with the access period T_V of the user, computes ET3 = E(K_AC,DN, ID_User || K_DN,User || T_V || ACL_User) with K_AC,DN and ET4 = E(K_AC,User, K_DN,User) with K_AC,User, computes the message authentication code MIC2 = H(K_AC,User, N1 || ID_DN || Res(DN) || ET3 || ET4), and constructs the node authentication response message N1 || ID_DN || Res(DN) || ET3 || ET4 || MIC2, which is sent to the user User, where ID_DN is the identity of the destination access node DN, Res(DN) = True indicates that the access controller AC has authenticated the destination access node DN successfully, and H is a one-way hash function.
The access request message that the access request message sending unit sends to the destination access node DN is formed as follows:
after receiving the node authentication response message from the access controller AC and determining that the challenge N1 is the challenge selected by the user User, the user User checks the integrity of the message according to MIC2; when the message is intact, the user User judges the legitimacy of the destination access node DN according to Res(DN); when Res(DN) = True, the user User decrypts ET4 in the message, generates a challenge N3 and, using the session key K_DN,User shared with the destination access node that was obtained by that decryption, computes ET5 = E(K_DN,User, N2 || N3 || Q_User) from N3 together with the challenge N2 of the destination access node DN and the access request Q_User of the user User, computes the message authentication code MIC3 = H(K_DN,User, ET3 || ET5), and constructs the access request message ET3 || ET5 || MIC3, which is sent to the destination access node DN.
The access request response message received by the access request response message receiving unit, sent by the destination access node DN after performing authorization management on the user User according to the access request message, is formed as follows:
after receiving the access request of the user User, the destination access node DN decrypts ET3 to obtain the session key K_DN,User; after determining from MIC3 that the message is intact, it decrypts ET5 with K_DN,User; after determining that the challenge N2 obtained by decryption is the challenge N2 selected by the destination access node DN, it further confirms whether the ID_User obtained after decrypting ET5 is the identity of the user User requesting access; when it is, it records the current time T_c and takes the period from T_c to (T_c + T_V) as the access validity period of the user User, the user being allowed to access network data only within this period; the destination access node DN judges according to ACL_User whether the access request Q_User of the user User is legitimate and, if it is, generates the response data R_DN, computes ET6 = E(K_DN,User, N3 || R_DN) with K_DN,User from N3 and R_DN, computes the message authentication code MIC4 = H(K_DN,User, ET6), and constructs the access request response message ET6 || MIC4, which is sent to the user User.
The low-overhead sensor network access terminal provided by the present invention further comprises:
a request response message processing unit, configured to check, after the user User receives the request response message, the integrity of the message according to MIC4; when the request response message is intact, to decrypt ET6 with K_DN,User and judge whether the challenge N3 obtained by decryption is the challenge N3 selected by the user User; when it is, the user User stores the response data R_DN, and all subsequent access requests and response data between the user User and the destination access node DN are protected with K_DN,User.
The present invention provides a destination access node (which may also be called a sensor) in a low-overhead sensor network access control system, configured to:
receive a user authentication request message sent by the user User and, according to the user authentication request message, send a user authentication response message to the user User;
receive an access request message sent by the user User, the access request message being constructed by the user User according to the node authentication response message received from the access controller AC; and perform authorization management on the user User according to the access request message and send an access request response message to the user User;
where the node authentication response message is generated as follows: the access controller AC receives a node authentication request message sent by the user User, the node authentication request message being constructed by the user User in combination with the user authentication response message sent by the destination access node DN, and sends a node authentication response message to the user User according to the authentication result.
The user authentication response message that the destination access node DN sends to the user User is formed as follows:
after receiving the user authentication request sent by the user User, the destination access node DN generates a challenge N2, computes ET1 = E(K_AC,DN, N1) using the key K_AC,DN shared with the access controller AC, and sends N1 || N2 || ET1 to the user User as the user authentication response message, where E is a symmetric encryption algorithm and N1 is the challenge generated by the user User and carried in the user authentication request message.
The present invention provides an access controller of a low-overhead sensor network access control system, configured to:
receive a node authentication request message sent by the user User, the node authentication request message being constructed by the user User in combination with the user authentication response message sent by the destination access node DN; and send a node authentication response message to the user User according to the authentication result, so that the user User constructs, according to the node authentication response message, the access request message to be sent to the destination access node, and the destination access node performs authorization management on the user User according to the access request message.
The node authentication request message sent by the user User and received by the access controller is formed as follows:
after receiving the user authentication response message sent by the destination access node DN and determining that the challenge N1 carried in the message is the challenge selected by the user User, the user User computes ET2 = E(K_AC,User, N1) using the key K_AC,User shared with the access controller AC, computes the message authentication code MIC1 = H(K_AC,User, N1 || ID_DN || ET1 || ET2), and constructs the node authentication request message N1 || ID_DN || ET1 || ET2 || MIC1, which is sent to the access controller AC, where ID_DN is the identity of the destination access node DN, H is a one-way hash function, and "||" denotes concatenation;
The node authentication response message that the access controller sends to the user User according to the authentication result is formed as follows:
after receiving the node authentication request message sent by the user User and determining from the MIC1 carried in the message that the message is intact, the access controller AC decrypts ET1 with the key K_AC,DN shared with the destination access node DN; when the decryption result equals the N1 sent by the user User, the access controller AC decrypts ET2 with the key K_AC,User shared with the user User; if the decryption result equals the N1 sent by the user User, the access controller AC generates the session key K_DN,User between the user User and the destination access node DN, queries the access control list ACL according to the identity of the user User to obtain the access control information ACL_User of the user User together with the access period T_V of the user, computes ET3 = E(K_AC,DN, ID_User || K_DN,User || T_V || ACL_User) with K_AC,DN and ET4 = E(K_AC,User, K_DN,User) with K_AC,User, computes the message authentication code MIC2 = H(K_AC,User, N1 || ID_DN || Res(DN) || ET3 || ET4), and constructs the node authentication response message N1 || ID_DN || Res(DN) || ET3 || ET4 || MIC2, which is sent to the user User, where ID_DN is the identity of the destination access node DN, Res(DN) = True indicates that the access controller AC has authenticated the destination access node DN successfully, H is a one-way hash function, and "||" denotes concatenation.
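The complete exchange described above for the terminal, the destination access node DN and the access controller AC (user authentication request/response, node authentication request/response, access request/response, and the user's final check of MIC4 and N3), as an added example that is not part of the patent or of the applicants' code. It runs all three parties in one process. Assumptions not fixed by the patent: HMAC-SHA256 stands in for the keyed one-way hash H, an HMAC-SHA256 counter-mode keystream under a random IV stands in for the symmetric cipher E, "||" is implemented with length-prefixed fields so the receiver can split them unambiguously, the ACL entry, identities and key values are constructed, and the destination node's ID_User check uses the ID_User recovered from ET3, the field in which the AC placed it.

```python
import hashlib
import hmac
import os
import struct
import time

# Stand-ins for the patent's primitives (the patent fixes neither algorithm; these are assumptions).
def H(key: bytes, data: bytes) -> bytes:
    """Keyed one-way hash H(K, data): HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def cat(*fields: bytes) -> bytes:
    """The patent's '||', length-prefixed so the receiver can split the fields unambiguously."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def split(blob: bytes) -> list:
    """Inverse of cat()."""
    out, i = [], 0
    while i < len(blob):
        n = struct.unpack(">H", blob[i:i + 2])[0]
        out.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return out

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]

def E(key: bytes, pt: bytes) -> bytes:
    """Symmetric cipher E: random 16-byte IV plus HMAC-SHA256 counter-mode keystream (stands in for a block cipher)."""
    iv = os.urandom(16)
    return iv + bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))

def D(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))

# Constructed long-term state: pre-shared keys, identities and the AC's access control list.
K_AC_DN, K_AC_USER = os.urandom(32), os.urandom(32)
ID_USER, ID_DN = b"user-17", b"sensor-03"
ACL = {ID_USER: (600, (b"read:temp",))}          # ID_User -> (T_V in seconds, permitted requests)

def run_protocol(Q_USER: bytes = b"read:temp", tamper: bool = False):
    """Runs all three parties; returns ("OK", R_DN, T_V) or the name of the first check that failed."""
    # Step 1, User -> DN: user authentication request carrying challenge N1.
    N1 = os.urandom(16)
    # Step 2, DN -> User: N1 || N2 || ET1 with ET1 = E(K_AC,DN, N1).
    N2, ET1 = os.urandom(16), E(K_AC_DN, N1)
    # Step 3, User -> AC: N1 || ID_DN || ET1 || ET2 || MIC1 (User has checked N1 is its own challenge).
    ET2 = E(K_AC_USER, N1)
    MIC1 = H(K_AC_USER, cat(N1, ID_DN, ET1, ET2))
    # Step 4, AC: verify MIC1, check both ciphertexts decrypt to N1, issue K_DN,User and the ACL data.
    if not hmac.compare_digest(MIC1, H(K_AC_USER, cat(N1, ID_DN, ET1, ET2))):
        return "AC: bad MIC1"
    res_dn = D(K_AC_DN, ET1) == N1                   # Res(DN): did DN prove knowledge of K_AC,DN?
    if D(K_AC_USER, ET2) != N1:
        return "AC: user challenge mismatch"
    K_DN_USER = os.urandom(32)
    T_V, permitted = ACL[ID_USER]
    ET3 = E(K_AC_DN, cat(ID_USER, K_DN_USER, struct.pack(">I", T_V), b",".join(permitted)))
    ET4 = E(K_AC_USER, K_DN_USER)
    MIC2 = H(K_AC_USER, cat(N1, ID_DN, bytes([res_dn]), ET3, ET4))
    # Step 5, User: check MIC2, require Res(DN) = True, recover K_DN,User from ET4, send N3 and Q_User.
    if not hmac.compare_digest(MIC2, H(K_AC_USER, cat(N1, ID_DN, bytes([res_dn]), ET3, ET4))):
        return "User: bad MIC2"
    if not res_dn:
        return "User: DN not authenticated by AC"
    K_u = D(K_AC_USER, ET4)
    N3 = os.urandom(16)
    ET5 = E(K_u, cat(N2, N3, Q_USER))
    MIC3 = H(K_u, cat(ET3, ET5))
    if tamper:                                       # simulate an on-path modification of ET5
        ET5 = ET5[:-1] + bytes([ET5[-1] ^ 1])
    # Step 6, DN: recover K_DN,User, ID_User, T_V, ACL_User from ET3; verify MIC3, N2, identity, ACL.
    id_u, K_d, tv, acl = split(D(K_AC_DN, ET3))
    if not hmac.compare_digest(MIC3, H(K_d, cat(ET3, ET5))):
        return "DN: bad MIC3"
    n2, n3, q = split(D(K_d, ET5))
    if n2 != N2:
        return "DN: challenge N2 mismatch"
    if id_u != ID_USER:
        return "DN: identity mismatch"
    T_c, T_V_dn = time.time(), struct.unpack(">I", tv)[0]   # access allowed from T_c to T_c + T_V_dn
    if q not in acl.split(b","):
        return "DN: request denied by ACL"
    R_DN = b"temp=21.5"                              # constructed sensor reading
    ET6 = E(K_d, cat(n3, R_DN))
    MIC4 = H(K_d, ET6)
    # Step 7, User: verify MIC4 and N3, keep R_DN; later traffic is protected with K_DN,User.
    if not hmac.compare_digest(MIC4, H(K_u, ET6)):
        return "User: bad MIC4"
    n3_back, r = split(D(K_u, ET6))
    if n3_back != N3:
        return "User: challenge N3 mismatch"
    return ("OK", r, T_V_dn)

if __name__ == "__main__":
    print(run_protocol())                            # ("OK", b"temp=21.5", 600)
    print(run_protocol(Q_USER=b"write:config"))      # denied by ACL_User at the DN
    print(run_protocol(tamper=True))                 # MIC3 check at the DN fails
```

Two details a practitioner should note when implementing this from the patent text: plain concatenation of variable-length fields (ID_User, ACL_User, Q_User) is ambiguous without a length prefix or fixed widths, which is why cat()/split() encode lengths; and every MIC comparison uses a constant-time compare so that verification time does not leak which byte differed.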

Claims

1. A low-overhead sensor network access control method, characterized by comprising the following steps:
1) a destination access node DN in the sensor network receives a user authentication request message sent by a user User;
2) the destination access node DN sends a user authentication response message to the user User according to the user authentication request message;
3) an access controller AC receives a node authentication request message sent by the user User, the node authentication request message being constructed by the user User in combination with the user authentication response message sent by the destination access node DN;
4) the access controller AC sends a node authentication response message to the user User according to the authentication result;
5) the destination access node DN receives an access request message sent by the user User, the access request message being constructed by the user User according to the node authentication response message received from the access controller AC;
6) the destination access node DN performs authorization management on the access request of the user User according to the access request message and sends an access request response message to the user User.
2. The low-overhead sensor network access control method according to claim 1, characterized in that step 1) is implemented as follows:
the destination access node DN receives the user authentication request message sent by the user User, the user authentication request message containing a challenge N1 generated by the user User;
and step 2) is implemented as follows:
after receiving the user authentication request sent by the user User, the destination access node DN generates a challenge N2, computes the ciphertext ET1 = E(K_AC,DN, N1) using the key K_AC,DN shared with the access controller AC, and sends N1 || N2 || ET1 to the user User as the user authentication response message, where E is a symmetric encryption algorithm and "||" denotes concatenation.
3. The low-overhead sensor network access control method according to claim 2, characterized in that step 3) is implemented as follows:
after receiving the user authentication response message sent by the destination access node DN and determining that the challenge N1 carried in the message is the challenge selected by the user User, the user User computes ET2 = E(K_AC,User, N1) using the key K_AC,User shared with the access controller AC, computes the message authentication code MIC1 = H(K_AC,User, N1 || ID_DN || ET1 || ET2), and constructs the node authentication request message N1 || ID_DN || ET1 || ET2 || MIC1, which is sent to the access controller AC, where ID_DN is the identity of the destination access node DN and H is a one-way hash function.
4. The low-overhead sensor network access control method according to claim 3, characterized in that step 4) is implemented as follows:
after receiving the node authentication request message sent by the user User and determining from the MIC1 carried in the message that the message is intact, the access controller AC decrypts ET1 with the key K_AC,DN shared with the destination access node DN; when the decryption result equals the N1 sent by the user User in step 3), the access controller AC decrypts ET2 with the key K_AC,User shared with the user User; if the decryption result equals the N1 sent by the user User in step 3), the access controller AC generates the session key K_DN,User between the user User and the destination access node DN, queries the access control list ACL according to the identity of the user User to obtain the access control information ACL_User of the user User together with the access period T_V of the user, computes ET3 = E(K_AC,DN, ID_User || K_DN,User || T_V || ACL_User) with K_AC,DN and ET4 = E(K_AC,User, K_DN,User) with K_AC,User, computes the message authentication code MIC2 = H(K_AC,User, N1 || ID_DN || Res(DN) || ET3 || ET4), and constructs the node authentication response message N1 || ID_DN || Res(DN) || ET3 || ET4 || MIC2, which is sent to the user User, where ID_DN is the identity of the destination access node DN and Res(DN) = True indicates that the access controller AC has authenticated the destination access node DN successfully.
5. The low-overhead sensor network access control method according to claim 4, characterized in that step 5) is implemented as follows:
after receiving the node authentication response message sent by the access controller AC and determining that the challenge N1 is the challenge selected by the user User, the user User checks the integrity of the message according to MIC2; when the message is intact, the user User judges the legitimacy of the destination access node DN according to Res(DN); when the destination access node DN is legitimate, the user User decrypts ET4 in the message, generates a challenge N3 and, using the session key K_DN,User shared with the destination access node that was obtained by that decryption, computes ET5 = E(K_DN,User, N2 || N3 || Q_User) from N3 together with the challenge N2 of the destination access node DN and the access request Q_User of the user User, computes the message authentication code MIC3 = H(K_DN,User, ET3 || ET5), and constructs the access request message ET3 || ET5 || MIC3, which is sent to the destination access node DN.
6. The low-overhead sensor network access control method according to claim 5, characterized in that step 6) is implemented as follows:
after receiving the access request of the user User, the destination access node DN decrypts ET3 to obtain the session key K_DN,User; after determining from MIC3 that the message is intact, it decrypts ET5 with K_DN,User; after determining that the challenge N2 obtained by decryption is the challenge N2 selected by the destination access node DN, it further confirms whether the ID_User obtained after decrypting ET5 is the identity of the user User requesting access; when it is confirmed to be the identity of the user User requesting access, it records the current time T_c and takes the period from T_c to (T_c + T_V) as the access validity period of the user User, the user being allowed to access network data only within this period; the destination access node DN judges according to ACL_User whether the access request Q_User of the user User is legitimate and, if it is, generates the response data R_DN, computes ET6 = E(K_DN,User, N3 || R_DN) with K_DN,User from N3 and R_DN, computes the message authentication code MIC4 = H(K_DN,User, ET6), and constructs the access request response message ET6 || MIC4, which is sent to the user User.
7. The low-overhead sensor network access control method according to claim 6, characterized in that the low-overhead sensor network access control method further comprises the following step:
7) after receiving the request response message, the user User checks the integrity of the message according to MIC4; when the request response message is intact, the user User decrypts ET6 with K_DN,User and judges whether the challenge N3 obtained by decryption is the challenge N3 selected by the user User; when it is, the user User stores the response data R_DN, and all subsequent access requests and response data between the user User and the destination access node DN are protected with K_DN,User.
8. A low-overhead sensor network access control system, characterized by comprising a destination access node and an access controller, wherein:
the destination access node DN is configured to receive a user authentication request message sent by a user User and to send a user authentication response message to the user User according to the user authentication request message;
the access controller AC is configured to receive a node authentication request message sent by the user User, the node authentication request message being constructed by the user User in combination with the user authentication response message sent by the destination access node DN, and to send a node authentication response message to the user User according to the authentication result;
the destination access node DN is further configured to receive an access request message sent by the user User, the access request message being constructed by the user User according to the node authentication response message received from the access controller AC, and to perform authorization management on the user User according to the access request message and send an access request response message to the user User.
9. The low-overhead sensor network access control system according to claim 8, characterized in that the user authentication response message that the destination access node DN sends to the user User is formed as follows:
after receiving the user authentication request sent by the user User, the destination access node DN generates a challenge N2, computes ET1 = E(K_AC,DN, N1) using the key K_AC,DN shared with the access controller AC, and sends N1 || N2 || ET1 to the user User as the user authentication response message, where E is a symmetric encryption algorithm and N1 is the challenge generated by the user User and carried in the user authentication request message.
10. The low-overhead sensor network access control system according to claim 9, characterized in that the node authentication request message sent by the user User and received by the access controller AC is formed as follows:
after receiving the user authentication response message sent by the destination access node DN and determining that the challenge N1 carried in the message is the challenge selected by the user User, the user User computes ET2 = E(K_AC,User, N1) using the key K_AC,User shared with the access controller AC, computes the message authentication code MIC1 = H(K_AC,User, N1 || ID_DN || ET1 || ET2), and constructs the node authentication request message N1 || ID_DN || ET1 || ET2 || MIC1, which is sent to the access controller AC, where ID_DN is the identity of the destination access node DN, H is a one-way hash function, and "||" denotes concatenation.
11. The low-overhead sensor network access control system according to claim 10, characterized in that the node authentication response message sent by the access controller AC to the user User according to the authentication result is formed as follows:
after receiving the node authentication request message sent by the user User, the access controller AC verifies the integrity of the message using the MIC1 it carries, then decrypts ET1 using the key K_{AC,DN} shared with the destination access node DN; when the decrypted result equals the N1 sent by the user User, the access controller AC decrypts ET2 using the key K_{AC,User} shared with the user User; if this decrypted result also equals the N1 sent by the user User, the access controller AC generates a session key K_{DN,User} between the user User and the destination access node DN, queries the access control list ACL by the identity of the user User to obtain the access control information ACL_User of the user User together with the access period T_V of the user User, computes ET3 = E(K_{AC,DN}, ID_User || K_{DN,User} || T_V || ACL_User) using K_{AC,DN}, computes ET4 = E(K_{AC,User}, K_{DN,User}) using K_{AC,User}, computes the message authentication code MIC2 = H(K_{AC,User}, N1 || ID_DN || Res(DN) || ET3 || ET4), constructs the node authentication response message N1 || ID_DN || Res(DN) || ET3 || ET4 || MIC2 and sends it to the user User, where ID_DN is the identity of the destination access node DN and Res(DN) = True indicates that the access controller AC has authenticated the destination access node DN successfully.
12. The low-overhead sensor network access control system according to claim 11, characterized in that the access request message received by the destination access node DN is formed as follows:
after receiving the node authentication response message from the access controller AC, the user User checks that the challenge N1 is the challenge it selected, then verifies the integrity of the message using MIC2; when the message is intact, the user User judges the legitimacy of the destination access node DN from Res(DN); when Res(DN) = True, the user User decrypts ET4 in the message to obtain the session key K_{DN,User} shared with the destination access node DN, generates a challenge N3, computes ET5 = E(K_{DN,User}, N2 || N3 || Q_User) over the challenge N2 of the destination access node DN, N3 and the access request Q_User of the user User, computes the message authentication code MIC3 = H(K_{DN,User}, ET3 || ET5), constructs the access request message ET3 || ET5 || MIC3 and sends it to the destination access node DN.
13. The low-overhead sensor network access control system according to claim 12, characterized in that the destination access node DN is further configured to:
after receiving the access request of the user User, decrypt ET3 to obtain the session key K_{DN,User}; verify the integrity of the message using MIC3; decrypt ET5 using K_{DN,User}; check that the challenge N2 obtained by decryption is the challenge N2 selected by the destination access node DN; then confirm that the ID_User obtained from the decrypted ET3 is the identity of the user User requesting access; when it is, record the current time T_c, the period from T_c to (T_c + T_V) being the access validity period of the user User, outside of which the user may not access network data; judge from ACL_User whether the access request Q_User of the user User is legitimate; and when it is, generate response data R_DN, compute ET6 = E(K_{DN,User}, N3 || R_DN) over N3 and R_DN, compute the message authentication code MIC4 = H(K_{DN,User}, ET6), construct the access request response message ET6 || MIC4 and send it to the user User.
14. A low-overhead sensor network access terminal, characterized by comprising:
a user authentication request message sending unit, configured to send a user authentication request message to a destination access node DN in the sensor network;
a user authentication response message receiving unit, configured to receive the user authentication response message sent by the destination access node DN to the user User according to the user authentication request message;
a node authentication request message sending unit, configured to send a node authentication request message to an access controller AC, the node authentication request message being constructed by the user User from the user authentication response message sent by the destination access node DN;
a node authentication response message receiving unit, configured to receive the node authentication response message sent by the access controller AC to the user User according to the authentication result;
an access request message sending unit, configured to send an access request message to the destination access node DN, the access request message being constructed by the user User from the node authentication response message received from the access controller AC; and
an access request response message receiving unit, configured to receive the access request response message sent by the destination access node DN after performing authorization management on the user User according to the access request message.
15. The low-overhead sensor network access terminal according to claim 14, characterized in that:
the user authentication request message sent by the user authentication request message sending unit to the destination access node DN in the sensor network carries a challenge N1 generated by the user User, and the user authentication response message received by the user authentication response message receiving unit, sent by the destination access node DN to the user User according to the user authentication request message, is formed as follows:
after receiving the user authentication request sent by the user User, the destination access node DN generates a challenge N2, computes ET1 = E(K_{AC,DN}, N1) using the key K_{AC,DN} shared with the access controller AC, and sends N1 || N2 || ET1 to the user User as the user authentication response message, where E is a symmetric encryption algorithm;
the node authentication request message sent by the node authentication request message sending unit to the access controller AC is formed as follows:
after receiving the user authentication response message sent by the destination access node DN, the user User checks that the challenge N1 carried in the message is the challenge it selected, then computes ET2 = E(K_{AC,User}, N1) using the key K_{AC,User} shared with the access controller AC, computes the message authentication code MIC1 = H(K_{AC,User}, N1 || ID_DN || ET1 || ET2), constructs the node authentication request message N1 || ID_DN || ET1 || ET2 || MIC1 and sends it to the access controller AC, where ID_DN is the identity of the destination access node DN, H is a one-way hash function, and "||" denotes concatenation;
the node authentication response message received by the node authentication response message receiving unit, sent by the access controller AC to the user User according to the authentication result, is formed as follows:
after receiving the node authentication request message sent by the user User, the access controller AC verifies the integrity of the message using the MIC1 it carries, then decrypts ET1 using the key K_{AC,DN} shared with the destination access node DN; when the decrypted result equals the N1 sent by the user User in the node authentication request message, the access controller AC decrypts ET2 using the key K_{AC,User} shared with the user User; if this decrypted result also equals the N1 sent by the user User, the access controller AC generates a session key K_{DN,User} between the user User and the destination access node DN, queries the access control list ACL by the identity of the user User to obtain the access control information ACL_User of the user User together with the access period T_V of the user User, computes ET3 = E(K_{AC,DN}, ID_User || K_{DN,User} || T_V || ACL_User) using K_{AC,DN}, computes ET4 = E(K_{AC,User}, K_{DN,User}) using K_{AC,User}, computes the message authentication code MIC2 = H(K_{AC,User}, N1 || ID_DN || Res(DN) || ET3 || ET4), constructs the node authentication response message N1 || ID_DN || Res(DN) || ET3 || ET4 || MIC2 and sends it to the user User, where ID_DN is the identity of the destination access node DN and Res(DN) = True indicates that the access controller AC has authenticated the destination access node DN successfully;
the access request message sent by the access request message sending unit to the destination access node DN is formed as follows:
after receiving the node authentication response message from the access controller AC, the user User checks that the challenge N1 is the challenge it selected, then verifies the integrity of the message using MIC2; when the message is intact, the user User judges the legitimacy of the destination access node DN from Res(DN); when Res(DN) = True, the user User decrypts ET4 in the message to obtain the session key K_{DN,User} shared with the destination access node DN, generates a challenge N3, computes ET5 = E(K_{DN,User}, N2 || N3 || Q_User) over the challenge N2 of the destination access node DN, N3 and the access request Q_User of the user User, computes the message authentication code MIC3 = H(K_{DN,User}, ET3 || ET5), constructs the access request message ET3 || ET5 || MIC3 and sends it to the destination access node DN; and
the access request response message received by the access request response message receiving unit, sent by the destination access node DN after performing authorization management on the user User according to the access request message, is formed as follows:
after receiving the access request of the user User, the destination access node DN decrypts ET3 to obtain the session key K_{DN,User}; verifies the integrity of the message using MIC3; decrypts ET5 using K_{DN,User}; checks that the challenge N2 obtained by decryption is the challenge N2 selected by the destination access node DN; then confirms that the ID_User obtained from the decrypted ET3 is the identity of the user User requesting access; when it is, records the current time T_c, the period from T_c to (T_c + T_V) being the access validity period of the user User, outside of which the user may not access network data; judges from ACL_User whether the access request Q_User of the user User is legitimate; and when it is, generates response data R_DN, computes ET6 = E(K_{DN,User}, N3 || R_DN) over N3 and R_DN, computes the message authentication code MIC4 = H(K_{DN,User}, ET6), constructs the access request response message ET6 || MIC4 and sends it to the user User.
16. The low-overhead sensor network access terminal according to claim 15, characterized by further comprising:
a request response message processing unit, configured to, after the user User receives the request response message, verify the integrity of the message using MIC4; when the request response message is intact, decrypt ET6 using K_{DN,User}, check whether the challenge N3 obtained by decryption is the challenge N3 selected by the user User, and when it is, store the response data R_DN; subsequent access requests and response data between the user User and the destination access node DN are protected with K_{DN,User}.
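The exchange specified in claims 9 to 16 (and restated per device in claims 17 to 20), carried through end to end as an added example; this is illustrative code, not code from the patent or its applicants. The claims leave E and H abstract, so the example substitutes an HMAC-SHA256 keystream cipher for E and HMAC-SHA256 for H, encodes "||" as length-prefixed fields so a receiver can split a message, prepends ID_User to the node authentication request (an assumption: the AC has to know which K_{AC,User} and which ACL entry to use), carries T_V as a number of seconds, and models ACL_User as a comma-separated list of reading names. The identities, keys and sensor readings are constructed for the example.

```python
"""Added example (not the patent's code): a full run of the User / DN / AC exchange of claims 9-16.
E and H are abstract in the claims; here E is an HMAC-SHA256 keystream cipher and H is HMAC-SHA256."""
import hashlib, hmac, secrets, struct, time

def H(key, data):                            # keyed one-way hash, used for MIC1..MIC4
    return hmac.new(key, data, hashlib.sha256).digest()
def _xor_stream(key, nonce, data):           # CTR-style keystream: HMAC(key, nonce || counter)
    ks = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def E(key, data):                            # E(K, m) -> nonce || (m XOR keystream)
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(key, nonce, data)
def D(key, blob):                            # inverse of E
    return _xor_stream(key, blob[:16], blob[16:])
def join(*fields):                           # the claims' "||", length-prefixed so it splits back
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)
def split(blob):
    out, i = [], 0
    while i < len(blob):
        n = struct.unpack(">H", blob[i:i + 2])[0]; out.append(blob[i + 2:i + 2 + n]); i += 2 + n
    return out

class User:
    def __init__(self, uid, id_dn, k_ac_user):       # knows the ID_DN it wants and K_{AC,User}
        self.id, self.id_dn, self.k_ac = uid, id_dn, k_ac_user
    def user_auth_request(self):                      # message 1 -> DN: ID_User || N1
        self.n1 = secrets.token_bytes(16)
        return join(self.id, self.n1)
    def node_auth_request(self, msg):                 # message 2 in, message 3 -> AC
        n1, self.n2, self.et1 = split(msg)
        assert n1 == self.n1, "N1 is not the challenge I sent"
        et2 = E(self.k_ac, self.n1)
        mic1 = H(self.k_ac, join(self.n1, self.id_dn, self.et1, et2))
        return join(self.id, self.n1, self.id_dn, self.et1, et2, mic1)  # ID_User prepended (assumption)
    def access_request(self, msg, q_user):            # message 4 in, message 5 -> DN
        n1, id_dn, res, self.et3, et4, mic2 = split(msg)
        assert n1 == self.n1 and id_dn == self.id_dn
        assert hmac.compare_digest(mic2, H(self.k_ac, join(n1, id_dn, res, self.et3, et4)))
        assert res == b"True", "AC did not vouch for DN"
        self.k_dn, self.n3 = D(self.k_ac, et4), secrets.token_bytes(16)  # K_{DN,User} from ET4
        et5 = E(self.k_dn, join(self.n2, self.n3, q_user))
        return join(self.et3, et5, H(self.k_dn, join(self.et3, et5)))
    def handle_response(self, msg):                   # message 6 in: ET6 || MIC4
        et6, mic4 = split(msg)
        assert hmac.compare_digest(mic4, H(self.k_dn, et6))
        n3, r_dn = split(D(self.k_dn, et6))
        assert n3 == self.n3, "reply not bound to my N3"
        return r_dn

class DN:
    def __init__(self, id_dn, k_ac_dn, readings):
        self.id, self.k_ac, self.readings, self.valid_until = id_dn, k_ac_dn, readings, {}
    def user_auth_response(self, msg):                # message 2 -> User: N1 || N2 || ET1
        self.pending, n1 = split(msg)
        self.n2 = secrets.token_bytes(16)
        return join(n1, self.n2, E(self.k_ac, n1))
    def access_response(self, msg):                   # message 5 in, message 6 -> User
        et3, et5, mic3 = split(msg)
        id_user, k_dn_user, t_v, acl = split(D(self.k_ac, et3))  # ET3 was sealed by the AC
        assert hmac.compare_digest(mic3, H(k_dn_user, join(et3, et5)))
        n2, n3, q = split(D(k_dn_user, et5))
        assert n2 == self.n2 and id_user == self.pending, "wrong challenge or user"
        self.valid_until[id_user] = int(time.time()) + int(t_v)  # window [T_c, T_c + T_V]
        if q not in acl.split(b","):                   # ACL_User: readings this user may query
            return None
        et6 = E(k_dn_user, join(n3, self.readings[q]))
        return join(et6, H(k_dn_user, et6))

class AC:
    def __init__(self, dn_keys, user_keys, acl, t_v):
        self.dn_keys, self.user_keys, self.acl, self.t_v = dn_keys, user_keys, acl, t_v
    def node_auth_response(self, msg):                # message 3 in, message 4 -> User
        id_user, n1, id_dn, et1, et2, mic1 = split(msg)
        k_u, k_d = self.user_keys[id_user], self.dn_keys[id_dn]
        assert hmac.compare_digest(mic1, H(k_u, join(n1, id_dn, et1, et2)))
        assert D(k_d, et1) == n1, "ET1 not made under K_{AC,DN}"    # authenticates DN
        assert D(k_u, et2) == n1, "ET2 not made under K_{AC,User}"  # authenticates User
        k_dn_user = secrets.token_bytes(32)            # fresh K_{DN,User} for this pair
        et3 = E(k_d, join(id_user, k_dn_user, str(self.t_v).encode(), self.acl[id_user]))
        et4, res = E(k_u, k_dn_user), b"True"
        return join(n1, id_dn, res, et3, et4, H(k_u, join(n1, id_dn, res, et3, et4)))

def run(q_user=b"temp", acl_entry=b"temp,humidity", tamper=False):  # all six messages; R_DN or None
    k_ac_dn, k_ac_user = secrets.token_bytes(32), secrets.token_bytes(32)  # pre-shared keys
    user = User(b"alice", b"dn-7", k_ac_user)                              # constructed identities
    dn = DN(b"dn-7", k_ac_dn, {b"temp": b"21.5C", b"humidity": b"40%"})   # constructed readings
    ac = AC({b"dn-7": k_ac_dn}, {b"alice": k_ac_user}, {b"alice": acl_entry}, t_v=3600)
    m4 = ac.node_auth_response(user.node_auth_request(dn.user_auth_response(user.user_auth_request())))
    if tamper:                                         # flip one bit inside ET4 in transit
        m4 = m4[:-35] + bytes([m4[-35] ^ 1]) + m4[-34:]
    m6 = dn.access_response(user.access_request(m4, q_user))
    return None if m6 is None else user.handle_response(m6)

def rejected(**kw):                                    # True when a protocol check aborts the run
    try:
        run(**kw); return False
    except AssertionError:
        return True
```

run() returns R_DN when every check passes and ACL_User permits Q_User, and None when the DN's ACL check denies the request; rejected(tamper=True) shows the MIC2 check catching a modified ET4 before the user decrypts anything. Two points the claims state only implicitly: the AC authenticates the DN and the User from ET1 and ET2 alone, since only a holder of K_{AC,DN} or K_{AC,User} can encrypt the fresh N1 under that key; and the DN never has to trust anything the user says about ACL_User or T_V, because both reach it inside ET3, which only the AC can produce under K_{AC,DN}. The example's E is not authenticated on its own, which is why every receiver verifies the MIC before any decryption; a deployment would use an AEAD mode for E and raise a proper exception rather than assert.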
17. A destination access node in a low-overhead sensor network access control system, configured to:
receive a user authentication request message sent by a user User and, according to the user authentication request message, send a user authentication response message to the user User; and
receive an access request message sent by the user User, the access request message being constructed by the user User from a node authentication response message received from an access controller AC, perform authorization management on the user User according to the access request message, and send an access request response message to the user User;
wherein the node authentication response message is generated as follows: the access controller AC receives a node authentication request message sent by the user User, the node authentication request message being constructed by the user User from the user authentication response message sent by the destination access node DN, and sends the node authentication response message to the user User according to the authentication result.
18. The destination access node in a low-overhead sensor network access control system according to claim 17, characterized in that the user authentication response message sent by the destination access node DN to the user User is formed as follows:
after receiving the user authentication request sent by the user User, the destination access node DN generates a challenge N2, computes ET1 = E(K_{AC,DN}, N1) using the key K_{AC,DN} shared with the access controller AC, and sends N1 || N2 || ET1 to the user User as the user authentication response message, where E is a symmetric encryption algorithm, N1 is the challenge generated by the user User and carried in the user authentication request message, and "||" denotes concatenation.
19. An access controller of a low-overhead sensor network access control system, configured to:
receive a node authentication request message sent by a user User, the node authentication request message being constructed by the user User from a user authentication response message sent by a destination access node DN; and send a node authentication response message to the user User according to the authentication result, so that the user User constructs, from the node authentication response message, an access request message to be sent to the destination access node DN, and the destination access node DN performs authorization management on the user User according to the access request message.
20. The access controller of a low-overhead sensor network access control system according to claim 19, characterized in that:
the node authentication request message received by the access controller from the user User is formed as follows:
after receiving the user authentication response message sent by the destination access node DN, the user User checks that the challenge N1 carried in the message is the challenge it selected, then computes ET2 = E(K_{AC,User}, N1) using the key K_{AC,User} shared with the access controller AC, computes the message authentication code MIC1 = H(K_{AC,User}, N1 || ID_DN || ET1 || ET2), constructs the node authentication request message N1 || ID_DN || ET1 || ET2 || MIC1 and sends it to the access controller AC, where ID_DN is the identity of the destination access node DN, H is a one-way hash function, and "||" denotes concatenation; and
the node authentication response message sent by the access controller to the user User according to the authentication result is formed as follows:
after receiving the node authentication request message sent by the user User, the access controller AC verifies the integrity of the message using the MIC1 it carries, then decrypts ET1 using the key K_{AC,DN} shared with the destination access node DN; when the decrypted result equals the N1 sent by the user User, the access controller AC decrypts ET2 using the key K_{AC,User} shared with the user User; if this decrypted result also equals the N1 sent by the user User, the access controller AC generates a session key K_{DN,User} between the user User and the destination access node DN, queries the access control list ACL by the identity of the user User to obtain the access control information ACL_User of the user User together with the access period T_V of the user User, computes ET3 = E(K_{AC,DN}, ID_User || K_{DN,User} || T_V || ACL_User) using K_{AC,DN}, computes ET4 = E(K_{AC,User}, K_{DN,User}) using K_{AC,User}, computes the message authentication code MIC2 = H(K_{AC,User}, N1 || ID_DN || Res(DN) || ET3 || ET4), constructs the node authentication response message N1 || ID_DN || Res(DN) || ET3 || ET4 || MIC2 and sends it to the user User, where ID_DN is the identity of the destination access node DN and Res(DN) = True indicates that the access controller AC has authenticated the destination access node DN successfully.
PCT/CN2011/072454 2010-04-22 2011-04-06 Method, system, terminal, destination access node and access controller for low-overhead sensor network access control WO2011131085A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2010101530967A CN101902462B (en) 2010-04-22 2010-04-22 Sensor network access control method and system with low expenditure
CN201010153096.7 2010-04-22

Publications (1)

Publication Number Publication Date
WO2011131085A1 true WO2011131085A1 (en) 2011-10-27

Family

ID=43227664

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/072454 WO2011131085A1 (en) 2010-04-22 2011-04-06 Method, system, terminal, destination access node and access controller for low-overhead sensor network access control

Country Status (2)

Country Link
CN (1) CN101902462B (en)
WO (1) WO2011131085A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101902462B (en) * 2010-04-22 2013-03-13 国家无线电监测中心检测中心 Sensor network access control method and system with low expenditure
CN102404726B (en) * 2011-11-18 2014-06-04 重庆邮电大学 Distributed control method for information of accessing internet of things by user
CN104580207B (en) * 2015-01-04 2019-03-19 华为技术有限公司 Retransmission method, device and the transponder of authentication information in Internet of Things

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060087423A1 (en) * 2004-08-30 2006-04-27 International Business Machines Corporation Transmission between a sensor and a controller in a wireless sensor network
CN101072096A (en) * 2007-05-31 2007-11-14 北京威讯紫晶科技有限公司 Data safety transmission method for wireless sensor network
CN101296249A (en) * 2008-04-03 2008-10-29 东南大学 Media access control method for wireless sensor network
CN101902462A (en) * 2010-04-22 2010-12-01 国家无线电监测中心检测中心 Sensor network access control method and system with low expenditure

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101155024A (en) * 2006-09-29 2008-04-02 湖南大学 Effective key management method and its operation method for sensor network with clustering structure
JP2009075020A (en) * 2007-09-22 2009-04-09 Konica Minolta Medical & Graphic Inc Radiographic image reading apparatus


Also Published As

Publication number Publication date
CN101902462A (en) 2010-12-01
CN101902462B (en) 2013-03-13

Similar Documents

Publication Publication Date Title
CN110035433B (en) Verification method and device adopting shared secret key, public key and private key
WO2019137490A1 (en) Authentication method and device using shared key, public key, and private key
TWI610577B (en) Apparatus and method for sponsored connectivity to wireless networks using application-specific network access credentials (1)
JP5414898B2 (en) Security access control method and system for wired LAN
TWI645724B (en) Apparatus and method for sponsored connectivity to wireless networks using application-specific network access credentials (2)
WO2013087039A1 (en) Secure data transmission method, device and system
WO2017028593A1 (en) Method for making a network access device access a wireless network access point, network access device, application server, and non-volatile computer readable storage medium
WO2016141856A1 (en) Verification method, apparatus and system for network application access
TWI307608B (en)
WO2006131061A1 (en) Authentication method and corresponding information transmission method
JP4824086B2 (en) Authentication method for wireless distributed system
WO2007143312A2 (en) Proactive credential distribution
WO2011134395A1 (en) Authentication method and device, authentication centre and system
JP2013545367A (en) Authentication of access terminal identification information in roaming networks
TW201220793A (en) Method and apparatus for binding subscriber authentication and device authentication in communication systems
WO2009089764A1 (en) A system and method of secure network authentication
WO2011022915A1 (en) Method and system for pre-shared-key-based network security access control
WO2006024216A1 (en) A method for implementing certificating and a system thereof
JP7337912B2 (en) Non-3GPP device access to core network
WO2008009232A1 (en) A method system and device for determining the mobile ip key and notifying the mobile ip type
KR100892616B1 (en) Method For Joining New Device In Wireless Sensor Network
WO2007147354A1 (en) Method and system for retrieving service key
US9143482B1 (en) Tokenized authentication across wireless communication networks
WO2011131085A1 (en) Method, system, terminal, destination access node and access controller for low-overhead sensor network access control
WO2007041933A1 (en) An updating method of controlled secret keys and the apparatus thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11771538

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 110213

122 Ep: pct application non-entry in european phase

Ref document number: 11771538

Country of ref document: EP

Kind code of ref document: A1