CN105516980A - Token authentication method for wireless sensor network based on Restful architecture - Google Patents


Info

Publication number
CN105516980A
Authority
CN
China
Prior art keywords
web server
client
aggregation node
token
user
Legal status
Granted
Application number
CN201510947805.1A
Other languages
Chinese (zh)
Other versions
CN105516980B
Inventor
韩志杰
张勇
吕新宇
Current Assignee
Henan University
Original Assignee
Henan University
Application filed by Henan University
Priority to CN201510947805.1A
Publication of CN105516980A
Application granted
Publication of CN105516980B
Status: Active


Abstract

The invention discloses a token authentication method for a wireless sensor network based on a RESTful architecture. Sensor nodes and a sink node self-organize into a network; the sink node connects to a Web server built on the RESTful architecture; challenge-response authentication is used between the sink node and the Web server, SSL authentication between the Web server and the client, and token authentication between the client and the sink node. All three authentications are mutual, and a user accesses the Web server through the client to obtain the data of the wireless sensor nodes. The method can effectively prevent a malicious attacker from tampering with or destroying data and safeguards the data in the wireless sensor network.

Description

Translated from Chinese
A token authentication method for wireless sensor networks based on a RESTful architecture

Technical field

The invention relates to the field of computer network technology, and in particular to a token authentication method for wireless sensor networks based on a RESTful architecture.

Background

A wireless sensor network (WSN) is a wireless network formed by a group of miniature sensor nodes in a self-organizing manner. Its purpose is to cooperatively sense, collect and process information about the objects within the geographic area the network covers and to publish that information to observers. Each sensor in the network comprises one or more nodes, and a sensor node is usually a miniature embedded system. Each node monitors the objects within its own sensing range, watches for specific behaviours and collects data, which it forwards to the nearest sink node. In the aggregation stage the data collected from nearby nodes is analysed and processed, and the results are sent on to the base station as required; the base station delivers the final result to the observer.

Because sensor networks are usually deployed in harsh environments, and because wireless networks are inherently fragile, they are highly exposed to a wide range of attacks. To guarantee secure delivery of information, a mechanism is needed to verify the legitimacy of each communicating party's identity. In traditional wired networks, public key infrastructure (PKI) solves this problem effectively: through the issuance and management of digital certificates it provides comprehensive public-key encryption and digital-signature services, binding a public key to the identity of its legitimate owner and thereby establishing and maintaining a trusted network environment. However, asymmetric cryptography carries high computation, communication and storage overhead, which makes digital signatures and public-key certificates impractical on resource-constrained sensors. An identity authentication scheme for sensor networks must therefore be designed with security, efficiency and performance all taken into account.

Summary of the invention

The object of the present invention is to provide a token authentication method for wireless sensor networks based on a RESTful architecture that effectively prevents a malicious attacker from tampering with or destroying data and safeguards the data in the wireless sensor network.

The technical scheme adopted by the present invention is a token authentication method for wireless sensor networks based on a RESTful architecture: sensor nodes and sink nodes self-organize into a network; the sink nodes connect to a Web server built on the RESTful architecture; challenge-response authentication is used between the sink node and the Web server, SSL authentication between the Web server and the client, and token authentication between the client and the sink node. All three authentications are mutual, and a user accesses the Web server through the client to obtain the data of the wireless sensor nodes.

The challenge-response authentication between the sink node and the Web server comprises the following steps:

A. The sink node sends an identity registration request to the Web server; go to step B.

B. The Web server assigns an ID to the sink node, stores the sink node's ID locally together with the authentication key negotiated with the sink node, and sends the ID to the sink node; go to step C.

C. The sink node receives the ID and sends the Web server an authentication request containing its ID; go to step D.

D. The Web server looks up the received ID locally. If it exists, the server generates a first random number and sends it to the sink node together with a table of function algorithms; go to step E. If it does not exist, go to step H.

E. The sink node encrypts the first random number with the authentication key, re-encrypts the result with one algorithm from the function table, and sends the re-encrypted value together with the chosen algorithm to the Web server; go to step F.

F. The Web server encrypts the first random number with the authentication key, re-encrypts the result with the algorithm named by the sink node, and compares its result with the re-encrypted value received from the sink node. If they match, verification passes; go to step G. Otherwise verification fails; go to step H.

G. The Web server and the sink node negotiate a session key.

H. The Web server refuses to accept data from the sink node.

In steps B and G, the Web server and the sink node use the Diffie-Hellman (DH) algorithm to generate the authentication key and the session key respectively.

The function algorithm table in step D is a table of one-way hash functions.

Token authentication between the client and the Web server consists, in order, of identity authentication between the client and the Web server followed by identity registration between the client and the Web server.

Identity authentication between the client and the Web server comprises the following steps in order:

A1. The client sends a connection request to the Web server and receives the first CA certificate returned by the Web server together with the information associated with it;

B1. The client verifies the legitimacy of the Web server's identity and stores the Web server's public key;

C1. The client sends the second CA certificate to the Web server;

D1. The Web server verifies the legitimacy of the client's identity and stores the client's public key;

E1. The client sends the Web server the list of symmetric cipher suites it supports;

F1. The Web server selects one cipher suite from the received list, encrypts the choice with the client's public key and sends it to the client;

G1. The client decrypts the received message to obtain the cipher suite selected by the Web server, determines the session key, encrypts the session key with the Web server's public key and sends it to the Web server;

H1. The Web server receives the encrypted session key and decrypts it to obtain the session key.

Identity registration between the client and the Web server comprises the following steps in order:

A2. The client sends a registration request to the Web server and transmits the registration information to the Web server over the SSL secure channel;

B2. When the client logs in for the first time, the Web server directs the user to an authorization page, where the user defines the access permissions for their personal data; the permissions are sent to the Web server over the SSL secure channel;

C2. The Web server stores the user's authorization settings in an access control list, generates a temporary token from the user's user name, password and the current time, and sends the temporary token to the client;

D2. The client uses the temporary token to send data operation requests to the Web server;

E2. The Web server checks whether the temporary token has expired. If it has, the client is required to log in again, and a new temporary token is generated and sent to the client as its credential; if it has not, the Web server responds to the client's request.

In step C2, if the user owns a private sink node, the Web server also sends the generated temporary token to that sink node.

For token authentication between the client and the sink node, the user obtains a unique identification number when purchasing a private sink node, and the Web server binds the sink node's ID to this identification number.

Token authentication between the client and the sink node comprises the following steps in order:

A3. The client sends a registration request to the Web server, filling in the ID and the identification number of the private sink node;

B3. The Web server receives the client's registration information. If the sink node's ID matches the identification number, the server recognizes the sink node as this user's private sink node, and whenever it generates a temporary token after the client logs in, it sends the token to the user's private sink node at the same time as to the client;

C3. The user's private sink node receives the temporary token, and the client connects to the private sink node using the temporary token.

In the present invention, sensor nodes and sink nodes self-organize into a network; the sink nodes connect to a Web server built on the RESTful architecture; challenge-response authentication is used between the sink node and the Web server, SSL authentication between the Web server and the client, and token authentication between the client and the sink node. All three authentications are mutual, and a user accesses the Web server through the client to obtain the data of the wireless sensor nodes. The token authentication method for wireless sensor networks based on a RESTful architecture described here effectively prevents a malicious attacker from tampering with or destroying data and safeguards the data in the wireless sensor network.

Description of drawings

Figure 1 is the topology of a wireless sensor network based on the RESTful architecture of the present invention;

Figure 2 is the flow chart of challenge-response authentication between the sink node and the Web server in the present invention;

Figure 3 is the flow chart of identity authentication between the client and the Web server in the present invention;

Figure 4 is the flow chart of identity registration between the client and the Web server in the present invention;

Figure 5 shows the token authentication process between the client and the sink node in the present invention.

Detailed description

In the token authentication method for wireless sensor networks based on a RESTful architecture described here, the sensor nodes (sensor) and sink nodes (sinknode) self-organize into a network; the sink node connects to a Web server built on the RESTful architecture; challenge-response authentication is used between the sink node and the Web server, SSL authentication between the Web server and the client (user), and token authentication between the client and the sink node. All three authentications are mutual, and a user accesses the Web server through the client to obtain the data of the sensor nodes.

REST stands for Representational State Transfer and refers to a set of architectural constraints and principles; an architecture that satisfies those constraints and principles is called RESTful. In practice HTTP is the protocol on which RESTful systems are built.

A RESTful architecture follows the principle of stateless communication: during the interaction between the client and the Web server, each request is independent of every other. REST requires that state either be placed in the resource state or be kept on the client; that is, the Web server keeps no communication state for a client beyond the single request in hand. This keeps the server's memory footprint scalable: if the server had to hold per-client state, a large number of client interactions would seriously inflate its memory footprint. To achieve stateless communication, authentication requests in a RESTful architecture should not depend on cookies or sessions, and every request should carry some form of authentication credential.

Figure 1 shows the topology of a wireless sensor network based on the RESTful architecture. One sink node connects to several sensor nodes. The sensor nodes collect measurement data, while the sink node is mainly responsible for directing the sensor nodes to collect data, receiving the data from all sensor nodes and connecting to the external network; it can be regarded as a gateway node. One Web server can admit a large number of sink nodes and stores the measurement data they send. A user logs in to the Web server through a web client and sends data operation requests from the browser to direct nodes to carry out tasks or to view the collected data stored on the Web server. If the user owns a private sink node, the client can connect to that sink node directly to view or control data without going through the Web server.

Figure 2 is the flow chart of challenge-response authentication between the sink node and the Web server, which comprises the following steps:

S101: The sink node sends an identity registration request to the Web server;

When the sink node joins the sensor network for the first time, it sends the Web server an identity authentication request, i.e. it performs identity registration.

S102: The Web server assigns an ID to the sink node, stores the sink node's ID locally together with the authentication key negotiated with the sink node, and sends the ID to the sink node;

In this embodiment, when the sink node registers, the Web server assigns it an ID and stores the ID locally; at the same time both parties generate an authentication key with the DH algorithm, and each stores the key it generated.

S103: The sink node receives the ID and sends the Web server an authentication request containing its ID;

Having received its ID, the sink node sends an authentication request to the server on each subsequent connection; the request contains the sink node's ID.

S104: The Web server looks up the received ID locally. If it exists, the server generates a first random number and sends it to the sink node together with a table of function algorithms; if it does not exist, the Web server refuses to accept data from the sink node;

In this embodiment, the Web server queries its local database for the received sink node ID. If it exists, the server generates a random number internally and returns it to the sink node together with a table of one-way hash functions, which includes MD5, SHA, HMAC and the like.

S105: The sink node encrypts the first random number with the authentication key, re-encrypts the result with one algorithm from the function table, and sends the re-encrypted value together with the chosen algorithm to the Web server;

In this embodiment, the sink node XORs the received first random number with the authentication key generated at registration, processes the XORed string with one algorithm from the one-way hash table to produce a response string, and sends that string together with the chosen algorithm to the Web server.

S106: The Web server encrypts the first random number with the authentication key, re-encrypts the result with the algorithm named by the sink node, and compares its result with the re-encrypted value received from the sink node. If they match, verification passes; otherwise verification fails and the Web server refuses to accept data from the sink node;

In this embodiment, the Web server XORs the first random number with the authentication key, processes the result with the one-way hash function named in the sink node's reply, and compares its result with the string returned by the sink node. If the two are identical, authentication passes; otherwise it fails and the Web server refuses to accept data from the sink node.

S107: The Web server and the sink node negotiate a session key;

In this embodiment, after authentication passes the Web server and the sink node generate a session key with the DH algorithm; subsequent connections use the session key as the encryption key to satisfy the confidentiality requirement on the data.
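The registration and challenge-response exchange of steps S101 to S107, as an added example in Python that is not part of the patent or its embodiment. It uses only the standard library; the Diffie-Hellman group is a toy one chosen so the example runs instantly (a standard safe-prime group would be used in practice), SHA-256 is assumed as the key derivation function for the DH secret, and the XOR-then-hash response follows the embodiment above. Two departures from the text are deliberate: MD5 is left out of the hash menu, because the sink node chooses the algorithm and an attacker in that position would pick the weakest entry, and each nonce is consumed by a single verification so a captured response cannot be replayed. As in the patent, the registration-time DH exchange is unauthenticated, so an attacker who can intercept the very first contact can register a key of their own; the scheme relies on that first contact being trusted.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group so the example runs instantly. Assumption: a real
# deployment would use a standard safe-prime group (e.g. RFC 7919 ffdhe2048).
DH_P = 2**127 - 1
DH_G = 5

# Hash menu the Web server offers in step S104. The patent lists MD5, SHA and
# HMAC; MD5 is deliberately left out because the prover picks the algorithm,
# and an attacker in that position would pick the weakest entry on offer.
HASH_MENU = ("sha256", "sha512")


def dh_keypair():
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def dh_shared(priv, peer_pub):
    """32-byte key from the DH shared secret (assumption: SHA-256 as the KDF)."""
    shared = pow(peer_pub, priv, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def response(nonce, auth_key, algo):
    """Step S105 as the embodiment describes it: hash(nonce XOR authentication key)."""
    return hashlib.new(algo, xor_bytes(nonce, auth_key)).digest()


class WebServer:
    def __init__(self):
        self.sinks = {}     # sink ID -> authentication key (kept from step S102)
        self.pending = {}   # sink ID -> outstanding challenge nonce
        self.sessions = {}  # sink ID -> session key (step S107)

    def register(self, sink_pub):
        """Steps S101/S102: assign an ID and derive the authentication key by DH."""
        sink_id = secrets.token_hex(4)
        priv, pub = dh_keypair()
        self.sinks[sink_id] = dh_shared(priv, sink_pub)
        return sink_id, pub

    def challenge(self, sink_id):
        """Steps S103/S104: a known ID gets a fresh nonce plus the hash menu."""
        if sink_id not in self.sinks:
            return None                      # unknown ID: refuse (step H)
        nonce = secrets.token_bytes(32)
        self.pending[sink_id] = nonce
        return nonce, HASH_MENU

    def verify(self, sink_id, algo, resp, sink_session_pub):
        """Steps S106/S107: check the response, then agree a session key by DH."""
        nonce = self.pending.pop(sink_id, None)  # a nonce answers one challenge only
        if nonce is None or algo not in HASH_MENU:
            return None
        expected = response(nonce, self.sinks[sink_id], algo)
        if not hmac.compare_digest(expected, resp):
            return None                      # verification failed (step H)
        priv, pub = dh_keypair()
        self.sessions[sink_id] = dh_shared(priv, sink_session_pub)
        return pub


class SinkNode:
    def register(self, server):
        priv, pub = dh_keypair()
        self.sink_id, server_pub = server.register(pub)
        self.auth_key = dh_shared(priv, server_pub)

    def authenticate(self, server, algo="sha256"):
        """Run steps S103 to S107 against the server; True once a session key exists."""
        ch = server.challenge(self.sink_id)
        if ch is None:
            return False
        nonce, menu = ch
        if algo not in menu:
            return False
        priv, pub = dh_keypair()
        resp = response(nonce, self.auth_key, algo)
        server_pub = server.verify(self.sink_id, algo, resp, pub)
        if server_pub is None:
            return False
        self.session_key = dh_shared(priv, server_pub)
        return True


if __name__ == "__main__":
    srv, sink = WebServer(), SinkNode()
    sink.register(srv)
    print("authenticated:", sink.authenticate(srv))
    print("session keys agree:", sink.session_key == srv.sessions[sink.sink_id])
```

Run as a script, it registers one sink node, authenticates it and confirms both sides hold the same session key. Keying the hash with the authentication key by XOR is what the embodiment describes; an HMAC over the nonce with the authentication key would be the standard way to do the same job.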

Token authentication between the client and the Web server consists, in order, of identity authentication between the client and the Web server followed by identity registration between the client and the Web server.

Figure 3 is the flow chart of the authentication process between the client and the Web server, which comprises the following steps in order:

S201: The client sends a connection request to the Web server and receives the first CA certificate returned by the Web server together with the information associated with it;

S202: The client verifies the legitimacy of the Web server's identity and stores the Web server's public key;

In this embodiment, the client checks whether the first CA certificate sent by the Web server was issued by a CA that the client trusts. If not, the client warns the user that the certificate is untrustworthy and asks whether to continue. If so, the client compares the information in the certificate, such as the domain name and public key, with the information the Web server sent; if they agree, the client browser accepts the Web server's identity as legitimate and stores its public key.

S203: The client sends the second CA certificate to the Web server;

S204: The Web server verifies the legitimacy of the client's identity and stores the client's public key;

The Web server verifies the client's second CA certificate. If verification fails, the connection is refused; if it passes, the Web server obtains the client's public key.

S205: The client sends the Web server the list of symmetric cipher suites it supports;

S206: The Web server selects one cipher suite from the received list, encrypts the choice with the client's public key and sends it to the client;

S207: The client decrypts the received message to obtain the cipher suite selected by the Web server, determines the session key, encrypts the session key with the Web server's public key and sends it to the Web server;

S208: The Web server receives the encrypted session key and decrypts it to obtain the session key.

图4为客户端user与Web服务器之间的注册过程流程图,依次包括以下步骤:Figure 4 is a flow chart of the registration process between the client user and the Web server, which includes the following steps in turn:

S301:客户端user向Web服务器发起注册请求,并将注册信息通过SSL安全信道发给Web服务器;S301: the client user initiates a registration request to the web server, and sends the registration information to the web server through the SSL secure channel;

本实施例中,用户在客户端user向Web服务器发起注册请求,填写相关信息,如用户名、密码等;若用户拥有私人汇聚节点sinknode,需填写相关信息,这里涉及到汇聚节点sinknode与客户端user的认证,在后问汇聚节点sinknode与客户端user的认证过程中会详细说明。用户的信息通过SSL安全信道发给Web服务器。Web服务器保存用户注册信息,注册时用户的用户名不得重复。In this embodiment, the user initiates a registration request to the Web server at the client user, and fills in relevant information, such as user name, password, etc.; if the user has a private sinknode, the relevant information needs to be filled in, which involves the sinknode and the client User authentication will be explained in detail later in the authentication process between sinknode and client user. The user's information is sent to the Web server through the SSL secure channel. The web server saves user registration information, and the user name of the user must not be repeated during registration.

S302:客户端user第一次登录时,Web服务器将用户导向授权页,用户自定义个人数据的访问权限,并通过SSL安全信道发给Web服务器;S302: When the client user logs in for the first time, the web server directs the user to an authorization page, and the user defines the access rights of personal data, and sends it to the web server through the SSL secure channel;

客户端user第一次登录时,若登录密码正确,Web服务器将用户导向授权页,用户自定义个人数据的访问权限,如仅个人可见或全部可见,并将定义的访问权限通过SSL安全信道发给Web服务器;When the client user logs in for the first time, if the login password is correct, the web server will direct the user to the authorization page, and the user can customize the access rights of personal data, such as only the individual can see or all can be seen, and the defined access rights will be sent through the SSL secure channel. to the web server;

S303: The Web server stores the user's authorization status in an access control list, generates a temporary token (Token) from the user's username, password and the current time, and sends the temporary token to the client (user). If the user owns a private sink node (sinknode), the Web server also sends the generated temporary token to that sink node;

The access control list is a list dedicated to storing access permissions. If user A wants to access the node data of user B, A must send an access request to the Web server. On receiving the request, the Web server first consults the access control list: if user B's permission is set to private (visible only to B), the Web server returns a message to A that A has no access; if B's permission is set to public (visible to all), the Web server returns the data A wants to view. If A has no right to access B's data, A may apply further: the Web server forwards the application to B and waits for B's response, and if B agrees, A may proceed to view B's data. The access control list structure is as follows:

The temporary token (Token) takes the username, the password and the current system time as its elements; the Web server generates the temporary token and sends it to the client user.

S304: The client user sends a data operation request to the Web server using the temporary token;

The client user does not need to log in on every connection; with the temporary token it can exchange data with the Web server.

S305: The Web server checks whether the temporary token has expired. If it has, the client user is required to log in again, and a new temporary token is generated and sent to the client user as its credential; if the token has not expired, the Web server responds to the client user's request.

The Web server checks whether the username and password in the temporary token are correct, obtains the token's generation time and compares it with the current time to decide whether the token has expired. If it has expired, the client user is required to log in again and a new temporary token is generated and sent to the client user as its credential; if the token has not expired, the Web server responds to the client user's request.
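The issue and check of S303 to S305, as an added example that is not part of the patent: the Token binds the username, the stored password hash and the generation time with an HMAC under a server key, so the server can verify the credentials and the age of the Token without the password itself travelling inside it. The HMAC construction, the server key, the one-hour lifetime and the user store are assumptions; the patent fixes no algorithm.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumed server secret and Token lifetime; the patent fixes neither.
SERVER_KEY = b"constructed-server-key"
TOKEN_TTL = 3600  # seconds a temporary Token stays valid


def _pw_hash(password: str) -> str:
    return hashlib.sha256(b"constructed-salt:" + password.encode()).hexdigest()


# Constructed user store: the Web server keeps password hashes, not passwords.
USERS = {"alice": _pw_hash("correct horse")}


def _mac(username: str, pw_hash: str, issued_at: int) -> str:
    # S303: the Token is derived from username, password and generation time;
    # here that derivation is an HMAC under the server key (assumption).
    msg = f"{username}|{pw_hash}|{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(username: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """S303: after a successful login, return the Token sent to the client user."""
    now = int(time.time()) if now is None else now
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(_pw_hash(password), stored):
        return None  # wrong username or password: no Token issued
    raw = f"{username}|{now}|{_mac(username, stored, now)}".encode()
    return base64.urlsafe_b64encode(raw).decode()


def validate_token(token: str, now: Optional[int] = None) -> str:
    """S305: 'ok', 'expired' (client must log in again) or 'invalid'."""
    now = int(time.time()) if now is None else now
    try:
        username, issued_str, mac = base64.urlsafe_b64decode(token).decode().split("|")
        issued_at = int(issued_str)
    except (ValueError, UnicodeDecodeError):
        return "invalid"  # malformed Token
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(mac.encode(), _mac(username, stored, issued_at).encode()):
        return "invalid"  # username/password binding does not verify
    if issued_at > now or now - issued_at > TOKEN_TTL:
        return "expired"  # generation time too old: re-login, fresh Token
    return "ok"
```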

Existing token authentication usually adopts dynamic password technology. Dynamic passwords are an improvement on traditional static passwords: the user holds a credential, such as a temporary token issued by the system, the number shown by the token changes continually and is kept synchronized with the authenticating Web server, so the password with which the user logs in to the system also changes continually, the so-called "one-time password".

Existing dynamic password technology has two synchronization schemes: time synchronization and event synchronization.

1. Time synchronization: the temporary token uses the time as a seed of the dynamic password, and the Web server likewise uses the time as a seed to verify the password produced by the token.

2. Event synchronization: each time the temporary token produces a dynamic password it uses the current count as a seed; after each password is produced the count is incremented automatically, and the Web server likewise uses the count as the seed for verification.

The temporary token has no data communication with the outside world. The Web server keeps the same seed as the token and applies the same encryption algorithm, so it obtains the same encrypted data and from it the same random password for checking. The token's random password must be bound to the customer's account before a match can be decided. When the Web server performs authentication, the same password may be verified only once.
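The two synchronization schemes and the single-use rule described above, as an added example that is not the patent's own code: token and server share a seed and run the same HMAC-based algorithm; the server verifies once in event-synchronized mode (the count is the seed and is advanced after use) and once in time-synchronized mode (the time window is the seed and each window is accepted only once). The HMAC construction, the 30-second window, the drift allowances and the sample seed are assumptions.

```python
import hashlib
import hmac
import time

TIME_STEP = 30  # seconds per time-synchronized window (assumed)


def dynamic_password(seed: bytes, counter: int, digits: int = 6) -> str:
    """Same algorithm on token and server: HMAC over the seed and the count/window."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Server:
    """Server-side copy of each account's seed plus the state needed to verify."""

    def __init__(self):
        self.accounts = {}  # account -> {"seed", "counter", "used_windows"}

    def register(self, account: str, seed: bytes):
        self.accounts[account] = {"seed": seed, "counter": 0, "used_windows": set()}

    def verify_event(self, account: str, otp: str, look_ahead: int = 3) -> bool:
        """Event synchronization: the count is the seed; it is advanced past the
        matching value after use, so a replayed password can never match again."""
        acct = self.accounts.get(account)
        if acct is None:
            return False  # the password must be bound to a known account
        for c in range(acct["counter"], acct["counter"] + look_ahead):
            if hmac.compare_digest(dynamic_password(acct["seed"], c), otp):
                acct["counter"] = c + 1  # resynchronize with the token and consume
                return True
        return False

    def verify_time(self, account: str, otp: str, now=None) -> bool:
        """Time synchronization: the time window is the seed; one window is
        accepted only once, so the same password cannot be verified twice."""
        acct = self.accounts.get(account)
        if acct is None:
            return False
        now = int(time.time()) if now is None else now
        window = now // TIME_STEP
        for w in (window - 1, window, window + 1):  # small clock-drift allowance
            if hmac.compare_digest(dynamic_password(acct["seed"], w), otp):
                if w in acct["used_windows"]:
                    return False  # replay of an already-verified password
                acct["used_windows"].add(w)
                return True
        return False
```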

The core of token authentication lies in its algorithm. It is relatively flexible to use, the user need not memorize a password, and its two-factor authentication mechanism provides a double safeguard while remaining simple to implement. Token authentication is a new direction in identity authentication mechanisms; it provides higher security than traditional static passwords and is an important identity authentication technique suited to the current development of information security.

In the token authentication between the client user and the sink node, the user obtains a unique identification number when purchasing a private sink node, and the Web server binds the ID of that sink node to this identification number.

Figure 5 shows the token authentication process between the client user and the sink node, which includes the following steps:

S401: The client user sends a registration request to the Web server, filling in the ID and identification number of the private sink node;

S402: The Web server receives the client user's registration information; if it finds that the sink node's ID matches the identification number, it recognizes the sink node as this user's private sink node and, when it generates a temporary token after the client user logs in, sends the temporary token to the client user and at the same time to the user's private sink node;

S403: The user's private sink node receives the temporary token, and the client user connects to the private sink node using the temporary token.

At this point the multi-party authentication in the wireless sensor network is complete, and the data security of all parties in the whole communication system can be guaranteed.

Obviously, those skilled in the art may make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.

Publications (2)

CN105516980A, published 2016-04-20
CN105516980B, published 2018-11-13