技术领域Technical Field
本发明涉及电力通信技术领域,尤其涉及一种基于智能电网端到端通信的安全轻量级组认证系统及方法。The present invention relates to the field of power communication technology, and in particular to a secure lightweight group authentication system and method based on smart grid end-to-end communication.
背景技术Background technique
随着技术的不断发展,电力资源与人们的生活密切相关,在现代起着至关重要的作用。但随着需求的增加,电网变得越来越复杂,导致电力系统发生重大变化。如何保证电力的可靠性已成为一个迫切需要解决的问题。与此同时,智能电网的出现导致了电力系统向智能化和现代化的方向发展,这是技术发展达到一定阶段的结果。它可以为电力系统中的相关业务提供全面、实时、高效的灵活处理方法,实现在电力业务中的新应用,并基于电力系统构建复杂的多模态系统。在传统的继电保护业务场景中,电力设备的两端都使用光纤来传输数据。然而,随着越来越多的电源设备被连接,光纤结构的成本高,可扩展性低,而5G无线通信技术的高可靠性和低延迟特性是解决上述问题的关键。With the continuous development of technology, power resources are closely related to people's lives and play a vital role in modern times. However, as demand increases, the power grid has become more and more complex, leading to major changes in the power system. How to ensure the reliability of power has become an urgent problem to be solved. At the same time, the emergence of smart grids has led to the development of power systems in the direction of intelligence and modernization, which is the result of technological development reaching a certain stage. It can provide comprehensive, real-time, efficient and flexible processing methods for related businesses in the power system, realize new applications in the power business, and build complex multimodal systems based on the power system. In traditional relay protection business scenarios, optical fibers are used at both ends of power equipment to transmit data. However, as more and more power equipment is connected, the cost of optical fiber structure is high and the scalability is low, and the high reliability and low latency characteristics of 5G wireless communication technology are the key to solving the above problems.
发明内容Summary of the invention
为了解决上述问题,本发明的目的在于提供一种基于智能电网端到端通信的安全轻量级组认证系统及方法,有效提高智能电网中的端到端通信安全、认证效率,同时减少设备和服务器的计算和通信开销。In order to solve the above problems, the purpose of the present invention is to provide a secure lightweight group authentication system and method based on smart grid end-to-end communication, which effectively improves the end-to-end communication security and authentication efficiency in the smart grid, while reducing the computing and communication overhead of devices and servers.
为实现上述目的,本发明采用以下技术方案:To achieve the above object, the present invention adopts the following technical solutions:
一种基于智能电网端到端通信的安全轻量级组认证系统,包括用户设备、AMF和5G基站;所述用户设备通过5G基站与AMF单元连接;所述AMF将公钥和私钥分发给用户设备,为用户设备提供匿名身份保护,然后通过聚合签名方案对用户设备进行验证,最后通过ECDH协商一个会话密钥。A secure lightweight group authentication system based on end-to-end communication of a smart grid includes a user device, an AMF and a 5G base station; the user device is connected to the AMF unit through the 5G base station; the AMF distributes public keys and private keys to the user device to provide anonymous identity protection for the user device, then verifies the user device through an aggregate signature scheme, and finally negotiates a session key through ECDH.
一种基于智能电网端到端通信的安全轻量级组认证方法,包括以下步骤:A secure lightweight group authentication method based on smart grid end-to-end communication comprises the following steps:
步骤S1:通过输入安全参数K,AMF生成q阶加性循环组G,P是群G的生成器;AMF随机选择作为主密钥,计算系统公钥/>,并选择安全哈希函数:/>,.最后,AMF单元输出系统参数={q,G,P,/>,/>,/>},并秘密保存密钥s;Step S1: By inputting the security parameter K, AMF generates a q-order additive cyclic group G, where P is the generator of group G; AMF randomly selects As the master key, calculate the system public key/> , and select a secure hash function: /> , .Finally, the AMF unit outputs system parameters = {q,G,P,/> ,/> ,/> }, and keep the key s secret;
步骤S2:用户设备首先执行5G-AKA或EAP-AKA协议来完成用户认证,通过AMF保存所有用户设备的真实身份,并存储在用户设备标识列表中,用户设备通过AMF注册其临时身份;Step S2: The user equipment first executes the 5G-AKA or EAP-AKA protocol to complete user authentication, saves the real identities of all user equipment through AMF, and stores them in the user equipment identification list, and the user equipment registers its temporary identity through AMF;
步骤S3:在用户注册完成后,使用他们的临时身份来执行端到端发现,通过上述端到端发现过程相互发现,每个用户最终得到一个端到端会话列表;Step S3: After the user registration is completed, use their temporary identity to perform end-to-end discovery. Through the above end-to-end discovery process, each user Finally, we get a list of end-to-end sessions;
步骤S4:在获得端到端的会话列表之后,用户设备向AMF发送会话请求信息,当AMF接收到所有请求时,它会检查请求信息中的用户身份是否为合法注册身份,如果不是,则它将拒绝端到端会话请求,如果验证成功,AMF将为所有合法用户创建一个端到端组会话,并生成会话标识符。然后AMF形成一个环状结构集/>=/>,/>,...,/>},根据用户身份,/>和/>在逻辑上分别是/>的左右用户,然后AMF广播/>,/>};Step S4: After obtaining the end-to-end session list, the user device sends a session request message to AMF. When AMF receives all requests, it checks whether the user identity in the request message is a legally registered identity. If not, it will reject the end-to-end session request. If the verification is successful, AMF will create an end-to-end group session for all legal users and generate a session identifier. . Then AMF forms a ring structure set/> =/> ,/> ,...,/> }, according to the user identity, /> and/> Logically, they are The left and right users, then AMF broadcast /> ,/> };
步骤S5:用户收到AMF的会话响应消息后,开始相互验证和密钥协商,最后,群组中的用户之间进行安全通信。Step S5: After the user receives the session response message from AMF, mutual authentication and key negotiation begin. Finally, secure communication is performed between users in the group.
进一步的,所述步骤S2具体为:Furthermore, the step S2 is specifically as follows:
步骤S2.1:首先选择一个秘密值/>,计算中间参数/>,临时标识,其中/>为用户私密标识,/>为哈希函数,/>为AMF单元输出的系统参数,然后将{/>}发送到AMF;Step S2.1: First choose a secret value /> , calculate the intermediate parameters/> , temporary identification , where/> It is the user's private identifier. is a hash function, /> The system parameters output by the AMF unit, then {/> }Send to AMF;
步骤S2.2:AMF收到,发送的{/>}后,会算/>并查询用户设备标识列表中是否包含/>.如果没有,则终止执行,否则,将在临时标识索引数据库中保存{/>,/>};AMF生成一个消息/>={/>,/>},其中/>是临时身份有效期;当/>到期时,/>需要再次申请身份授权;AMF随机选择秘密值/>,并计算/>,/>,,发送{/>}到/>;其中,/>、/>均为计算中间过程量;Step S2.2: AMF receives , sent by {/> }, it will be calculated/> And check whether the user equipment identification list contains/> . If not, terminate the execution, otherwise, save {/> in the temporary identification index database ,/> };AMF generates a message/> ={/> ,/> }, where /> Is the validity period of temporary identity; when/> When it expires, /> Need to apply for identity authorization again; AMF randomly selects the secret value/> , and calculate/>, />,,send{ />} to />; Among them, /> 、/> All of them are used to calculate the intermediate process quantity;
步骤S2.3:当接收到{/>}时,计算部分私钥/>,,其中/>为计算中间过程量,以验证公式/>是否成立;如果不成立,则会重新请求私钥的那部分;如果成立,则接受私钥的这一部分;/>随机选择秘密值/>,计算/>,最后设置用户设备公钥/>),和私钥/>);Step S2.3: When Received {/> }, calculate part of the private key/> , , where/> To calculate the intermediate process quantity, to verify the formula/> Is it true? If not, the private key part will be requested again; if true, this part of the private key will be accepted;/> Randomly select a secret value /> , calculate/> , and finally set the user device public key/> ), and private key/> );
进一步的,所述步骤S3具体为:Furthermore, the step S3 is specifically as follows:
首先,用户设备选择随机数/>,计算/>,并生成请求信息/>={/>,/>,/>,/>},其中/>表示时间戳,计算/>,/>,其中/>为计算中间过程量,得到签名/>,最后广播{/>};First, user equipment Select a random number /> , calculate/> , and generate request information/> ={/> ,/> ,/> ,/> }, where /> Indicates timestamp, calculation/> ,/> , where/> To calculate the intermediate process quantity, get the signature/> , and finally broadcast {/> };
相邻用户接收到用户的广播消息后,验证等式/>是否成立;如果该公式成立,则将/>添加到端到端对话列表中,并保存/>;设n个端到端用户/>,/>,...,/>)通过上述端到端发现过程相互发现,每个用户最终得到一个端到端会话列表L=/>,/>,...,/>}。Neighboring users receive After broadcasting the message, verify the equation/> Is it true? If the formula is true, then / > Add to the peer-to-peer conversation list and save/> ; Assume n end-to-end users/> ,/> , ..., /> ) Through the above end-to-end discovery process, each user finally obtains an end-to-end session list L=/> ,/> ,...,/> }.
进一步的,所述步骤S5具体为:Furthermore, the step S5 is specifically as follows:
步骤S5.1:用户设备生成消息/>),并随机选择响应值/>,并计算,/>,/>,其中/>、/>为计算中间过程量,用户设备/>生成签名/>,然后向/>和/>,其中(i+1)mod n表示对i加1后再对n取余的结果,是一个数值结果,发送一个消息/>,/>,/>,/>},其中/>是/>的签名时间,并添加一个时间戳以防止消息被重放;Step S5.1: User equipment Generate Message /> ), and randomly select the response value/> , and calculate ,/> ,/> , where/> 、/> To calculate the intermediate process quantity, the user equipment/> Generate Signature/> , then to/> and/> , where (i+1) mod n represents the result of adding 1 to i and taking the remainder of n, which is a numerical result. A message is sent/> ,/> ,/> ,/> }, where /> Yes/> The signing time and add a timestamp to prevent the message from being replayed;
步骤S5.2:当收到两个相邻用户发送的消息时,它首先验证/>,如果它相等,则继续,并验证/>是否是一个合法注册的身份,如果是,则会验证时间戳是否在指定的时间内,同时如果是,则会验证签名信息/>,/>,验证/>,.如果通过了验证,则/>将计算/>,/>为计算中间过程量,其中(i+1)mod n表示对i加1后再对n取余的结果,是一个数值结果,此时,向其他用户广播消息/>,/>,/>,/>};Step S5.2: When When receiving messages from two adjacent users, it first verifies/> , if it is equal, then continue and verify/> Is it a legally registered identity? If so, it will verify whether the timestamp is within the specified time. If so, it will verify the signature information/> ,/> , verify/> , .If the verification is passed, then/> Will calculate/> ,/> To calculate the intermediate process quantity, (i+1) mod n represents the result of adding 1 to i and then taking the remainder of n, which is a numerical result. At this time, broadcast the message to other users/> ,/> ,/> ,/> };
步骤S5.3:当用户设备收到广播请求时,/>首先验证/>,如果它相等,则继续,并验证/>是否是一个合法注册的身份;如果是,则会验证时间戳是否在指定的时间内;如果验证通过,将等待/>收集剩余的广播消息;当最后接收到的消息数小于n-1,或者该标识不在先前形成的端到端群组中时,/>将退出协商。此时,/>接收端到端群组中的所有签名,并生成聚合签名/>,其中/>,/>;然后验证签名。如果签名被验证,则被接受;否则,它可以对每个接收到的消息进行一次验证以收集正确的签名,或者只是选择放弃该签名;此时,/>将计算会话密钥;群组中的成员已经生成了相同的会话密钥。此时,/>使用会话密钥/>计算/>;然后生成消息/>,/>,/>},其中,/>为计算中间过程量,并将消息发送给AMF;Step S5.3: When the user device When a broadcast request is received, /> First verify /> , if it is equal, then continue and verify/> Is it a legally registered identity? If so, it will verify whether the timestamp is within the specified time; if the verification is successful, it will wait for /> Collect the remaining broadcast messages; when the last received message number is less than n-1, or the identifier is not in the previously formed end-to-end group,/> Will exit negotiation. At this time, /> Receive all signatures in the end-to-end group and generate an aggregate signature/> , where/> ,/> ; Then verify the signature If the signature is verified, it is accepted; otherwise, it can verify it once for each received message to collect the correct signature, or simply choose to discard the signature; at this time, /> The session key will be calculated ;Members in the group have generated the same session key. At this point,/> Using Session Key/> Calculation/> ;Then generate the message/> ,/> ,/> }, where /> To calculate the intermediate process volume and send the message to AMF;
步骤S5.4:当AMF收到已发送的消息时,会验证;如果它在指定的范围内,则AMF将等待/>收集剩余的消息,并验证接收到的哈希值是否相等;如果哈希值相等,则表示群组设备已经建立了一个相等的会话密钥,并且AMF向所有用户发送了一个确认消息;当用户收到确认消息时,用户将开始进行通信;最后,群组中的用户之间进行安全通信。Step S5.4: When the AMF receives the sent message, it verifies ; If it is within the specified range, AMF will wait/> Collect the remaining messages and verify whether the received hash values are equal; if the hash values are equal, it means that the group devices have established an equal session key, and AMF sends a confirmation message to all users; when the user receives the confirmation message, the user will start communicating; finally, secure communication is carried out between users in the group.
进一步的,新用户加入群组,具体如下:Further, new users join the group as follows:
1)首先,从中选择两个用户/>和/>加入新的群组,此时的分组情况为/>和/>;1) First, from Select two users in /> and/> Add a new group. The grouping situation at this time is/> and/> ;
2)和/>重新选择响应值/>,/>,计算/>,/>,/>,和签名值;由于原始组/>的密钥已经被协商过,因此不需要进行身份验证协商;该组的关键字是/>;新的组/>执行上述身份验证过程,最终获得了/>的密钥;2) and/> Reselect the response value /> ,/> , calculate/> ,/> ,/> , and signature value; due to the original group/> The key has already been negotiated, so no authentication negotiation is required; the key for this group is/> ; New group /> Execute the above authentication process and finally obtain/> The key of
3)和/>使用原始密钥/>加密密钥/>,并将其发送给原始组的其他成员;/>和/>将使用密钥/>加密的密钥/>发送给新组的其他成员;3) and/> Use original key/> Encryption Key/> , and send it to other members of the original group; /> and/> The key will be used/> Encrypted key/> Send to other members of the new group;
4)将这两个组合并为,此时新的组密钥是。4) Merge these two groups into , the new group key is .
进一步的,用户离开群组,具体如下:Furthermore, the user leaves the group as follows:
设U=是当前组,而V=/>是离开成员集,其中,此时剩余的成员集可以表示为A=/>;Let U = is the current group, and V=/> is the set of leaving members, where , the remaining member set can be expressed as A=/> ;
1)每个成员检查/>的左成员/>或右成员/>是否已经离开;如果/>或,则/>需要重新选择秘密值,重新计算/>和签名,并将其发送到设置A;1) Each member Check/> The left member of /> or right member/> Have you left? If /> or , then/> You need to reselect the secret value and recalculate /> and sign it, and send it to Setting A;
2)如果成员的邻近成员没有改变,那么/>只是简单地传播他们之前计算的和签名来设置A;2) If a member The neighboring members of have not changed, then/> They simply propagate their previously calculated and signature to set A;
3)在接收到所有值和签名后,每个成员/>验证聚合签名。在验证成功后,相关各方可以使用与以前相同的程序继续计算。3) After receiving all values and after signing, each member/> Verify the aggregate signature. After successful verification, the parties involved can continue the computation using the same procedure as before.
本发明具有如下有益效果:The present invention has the following beneficial effects:
1.本发明实现了身份隐私保护、相互认证和聚合签名,对各种类型的攻击具有抵抗性。实现身份隐私保护、相互认证和聚合签名,有效地抵御了恶意攻击,保证了安全性;1. The present invention realizes identity privacy protection, mutual authentication and aggregate signature, and is resistant to various types of attacks. It realizes identity privacy protection, mutual authentication and aggregate signature, effectively resists malicious attacks and ensures security;
2.本发明使用签名聚合可以减少验证器的工作量,提高验证的效率。2. The present invention uses signature aggregation to reduce the workload of the verifier and improve the efficiency of verification.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1为本发明身份验证过程流程图;FIG1 is a flow chart of the identity authentication process of the present invention;
图2为本发明一实施例中通信开销图;FIG2 is a diagram of communication overhead in one embodiment of the present invention;
图3为本发明一实施例中系统架构图。FIG. 3 is a system architecture diagram according to an embodiment of the present invention.
具体实施方式Detailed ways
以下结合附图和具体实施例对本发明做进一步详细说明:The present invention is further described in detail below with reference to the accompanying drawings and specific embodiments:
参考图1-3,本发明提供一种基于智能电网端到端通信的安全轻量级组认证系统,包括用户设备、AMF和5G基站;所述用户设备通过5G基站与AMF单元连接;所述AMF将公钥和私钥分发给用户设备,为用户设备提供匿名身份保护,然后通过聚合签名方案对用户设备进行验证,最后通过ECDH协商一个会话密钥。Referring to Figures 1-3, the present invention provides a secure lightweight group authentication system based on smart grid end-to-end communication, including a user device, an AMF and a 5G base station; the user device is connected to the AMF unit through the 5G base station; the AMF distributes the public key and the private key to the user device, provides anonymous identity protection for the user device, and then verifies the user device through an aggregate signature scheme, and finally negotiates a session key through ECDH.
本发明通信场景包括端到端一对一通信和端到端群组通信,其中AMF负责处理端到端通信过程中的所有事务,所有电力用户设备均配备有PUF模块。The communication scenarios of the present invention include end-to-end one-to-one communication and end-to-end group communication, wherein the AMF is responsible for processing all transactions in the end-to-end communication process, and all power user devices are equipped with a PUF module.
在本实施例中,还提供一种基于智能电网端到端通信的安全轻量级组认证方法,包括以下步骤:In this embodiment, a secure lightweight group authentication method based on smart grid end-to-end communication is also provided, comprising the following steps:
步骤S1:通过输入安全参数K,AMF生成q阶加性循环组G,P是群G的生成器;AMF随机选择作为主密钥,计算系统公钥/>,并选择安全哈希函数:/>,.最后,AMF单元输出系统参数={q,G,P,/>,/>,/>},并秘密保存密钥s;Step S1: By inputting the security parameter K, AMF generates a q-order additive cyclic group G, where P is the generator of group G; AMF randomly selects As the master key, calculate the system public key/> , and select a secure hash function: /> , .Finally, the AMF unit outputs system parameters = {q,G,P,/> ,/> ,/> }, and keep the key s secret;
步骤S2:用户设备首先执行5G-AKA或EAP-AKA协议来完成用户认证,通过AMF保存所有用户设备的真实身份,并存储在用户设备标识列表中,用户设备通过AMF注册其临时身份;Step S2: The user equipment first executes the 5G-AKA or EAP-AKA protocol to complete user authentication, saves the real identities of all user equipment through AMF, and stores them in the user equipment identification list, and the user equipment registers its temporary identity through AMF;
步骤S3:在用户注册完成后,使用他们的临时身份来执行端到端发现,通过上述端到端发现过程相互发现,每个用户最终得到一个端到端会话列表;Step S3: After the user registration is completed, use their temporary identity to perform end-to-end discovery. Through the above end-to-end discovery process, each user Finally, we get a list of end-to-end sessions;
步骤S4:在获得端到端的会话列表之后,用户设备向AMF发送会话请求信息,当AMF接收到所有请求时,它会检查请求信息中的用户身份是否为合法注册身份,如果不是,则它将拒绝端到端会话请求,如果验证成功,AMF将为所有合法用户创建一个端到端组会话,并生成会话标识符。然后AMF形成一个环状结构集/>=/>,/>,...,/>},根据用户身份,/>和/>在逻辑上分别是/>的左右用户,然后AMF广播/>,/>};Step S4: After obtaining the end-to-end session list, the user device sends a session request message to AMF. When AMF receives all requests, it checks whether the user identity in the request message is a legally registered identity. If not, it will reject the end-to-end session request. If the verification is successful, AMF will create an end-to-end group session for all legal users and generate a session identifier. . Then AMF forms a ring structure set/> =/> ,/> ,...,/> }, according to the user identity, /> and/> Logically, they are The left and right users, then AMF broadcast /> ,/> };
步骤S5:用户收到AMF的会话响应消息后,开始相互验证和密钥协商,最后,群组中的用户之间进行安全通信。Step S5: After the user receives the session response message from AMF, mutual authentication and key negotiation begin. Finally, secure communication is performed between users in the group.
在本实施例中,步骤S2具体为:In this embodiment, step S2 is specifically as follows:
步骤S2.1:首先选择一个秘密值/>,计算中间参数/>,临时标识,其中/>为用户私密标识,/>为哈希函数,/>为AMF单元输出的系统参数,然后将{/>}发送到AMF;Step S2.1: First choose a secret value /> , calculate the intermediate parameters/> , temporary identification , where/> It is the user's private identifier. is a hash function, /> The system parameters output by the AMF unit, then {/> }Send to AMF;
步骤S2.2:AMF收到,发送的{/>}后,会算/>并查询用户设备标识列表中是否包含/>.如果没有,则终止执行,否则,将在临时标识索引数据库中保存{,/>};AMF生成一个消息/>={/>,/>},其中/>是临时身份有效期;当/>到期时,需要再次申请身份授权;AMF随机选择秘密值/>,并计算/>,/>,,发送{/>}到/>;其中,/>、/>均为计算中间过程量;Step S2.2: AMF receives , sent by {/> }, it will be calculated/> And check whether the user equipment identification list contains/> If not, the execution is terminated. Otherwise, { ,/> };AMF generates a message/> ={/> ,/> }, where /> Is the validity period of temporary identity; when/> At maturity, Need to apply for identity authorization again; AMF randomly selects the secret value/> , and calculate/>, />,,send{ />} to />; Among them, /> 、/> All of them are used to calculate the intermediate process quantity;
步骤S2.3:当接收到{/>}时,计算部分私钥/>,,其中/>为计算中间过程量,以验证公式/>是否成立;如果不成立,则会重新请求私钥的那部分;如果成立,则接受私钥的这一部分;/>随机选择秘密值/>,计算/>,最后设置用户设备公钥/>),和私钥/>);Step S2.3: When Received {/> }, calculate part of the private key/> , , where/> To calculate the intermediate process quantity, to verify the formula/> Is it true? If not, the private key part will be requested again; if true, this part of the private key will be accepted;/> Randomly select a secret value /> , calculate/> , and finally set the user device public key/> ), and private key/> );
在本实施例中,所述步骤S3具体为:In this embodiment, step S3 is specifically as follows:
首先,用户设备选择随机数/>,计算/>,并生成请求信息/>={/>,/>,,/>},其中/>表示时间戳,计算/>,/>,其中/>为计算中间过程量,得到签名/>,最后广播{/>};First, user equipment Select a random number /> , calculate/> , and generate request information/> ={/> ,/> , ,/> }, where /> Indicates timestamp, calculation/> ,/> , where/> To calculate the intermediate process quantity, get the signature/> , and finally broadcast {/> };
相邻用户接收到用户的广播消息后,验证等式/>是否成立;如果该公式成立,则将/>添加到端到端对话列表中,并保存/>;设n个端到端用户,/>,...,/>)通过上述端到端发现过程相互发现,每个用户最终得到一个端到端会话列表L=/>,/>,...,/>}。Neighboring users receive After broadcasting the message, verify the equation/> Is it true? If the formula is true, then / > Add to peer-to-peer conversation list and save/> ; Assume n end-to-end users ,/> , ..., /> ) Through the above end-to-end discovery process, each user finally obtains an end-to-end session list L=/> ,/> ,...,/> }.
在本实施例中,步骤S5具体为:In this embodiment, step S5 is specifically as follows:
步骤S5.1:用户设备生成消息/>),并随机选择响应值/>,并计算,/>,/>,其中/>、/>为计算中间过程量,用户设备/>生成签名/>,然后向/>和/>,其中(i+1)mod n表示对i加1后再对n取余的结果,是一个数值结果,发送一个消息/>,/>,/>,/>},其中/>是/>的签名时间,并添加一个时间戳以防止消息被重放;Step S5.1: User equipment Generate Message /> ), and randomly select the response value/> , and calculate ,/> ,/> , where/> 、/> To calculate the intermediate process quantity, the user equipment/> Generate Signature/> , then to/> and/> , where (i+1) mod n represents the result of adding 1 to i and taking the remainder of n, which is a numerical result. A message is sent/> ,/> ,/> ,/> }, where /> Yes/> The signing time and add a timestamp to prevent the message from being replayed;
步骤S5.2:当收到两个相邻用户发送的消息时,它首先验证/>,如果它相等,则继续,并验证/>是否是一个合法注册的身份,如果是,则会验证时间戳是否在指定的时间内,同时如果是,则会验证签名信息/>,/>,验证/>,.如果通过了验证,则/>将计算/>,/>为计算中间过程量,其中(i+1)mod n表示对i加1后再对n取余的结果,是一个数值结果,此时,向其他用户广播消息/>,/>,/>,/>};Step S5.2: When When receiving messages from two adjacent users, it first verifies/> , if it is equal, then continue and verify/> Is it a legally registered identity? If so, it will verify whether the timestamp is within the specified time. If so, it will verify the signature information/> ,/> , verify/> , .If the verification is passed, then/> Will calculate/> ,/> To calculate the intermediate process quantity, (i+1) mod n represents the result of adding 1 to i and then taking the remainder of n, which is a numerical result. At this time, broadcast the message to other users/> ,/> ,/> ,/> };
步骤S5.3:当用户设备收到广播请求时,/>首先验证/>,如果它相等,则继续,并验证/>是否是一个合法注册的身份;如果是,则会验证时间戳是否在指定的时间内;如果验证通过,将等待/>收集剩余的广播消息;当最后接收到的消息数小于n-1,或者该标识不在先前形成的端到端群组中时,/>将退出协商。此时,/>接收端到端群组中的所有签名,并生成聚合签名/>,其中/>,/>;然后验证签名。如果签名被验证,则被接受;否则,它可以对每个接收到的消息进行一次验证以收集正确的签名,或者只是选择放弃该签名;此时,/>将计算会话密钥;群组中的成员已经生成了相同的会话密钥。此时,/>使用会话密钥/>计算/>;然后生成消息/>,/>,/>},其中,/>为计算中间过程量,并将消息发送给AMF;Step S5.3: When the user device When a broadcast request is received, /> First verify /> , if it is equal, then continue and verify/> Is it a legally registered identity? If so, it will verify whether the timestamp is within the specified time; if the verification is successful, it will wait for /> Collect the remaining broadcast messages; when the last received message number is less than n-1, or the identifier is not in the previously formed end-to-end group,/> Will exit negotiation. At this time, /> Receive all signatures in the end-to-end group and generate an aggregate signature/> , where/> ,/> ; Then verify the signature If the signature is verified, it is accepted; otherwise, it can verify it once for each received message to collect the correct signature, or simply choose to discard the signature; at this time, /> The session key will be calculated ;Members in the group have generated the same session key. At this point,/> Using Session Key/> Calculation/> ;Then generate the message/> ,/> ,/> }, where /> To calculate the intermediate process volume and send the message to AMF;
步骤S5.4:当AMF收到已发送的消息时,会验证;如果它在指定的范围内,则AMF将等待/>收集剩余的消息,并验证接收到的哈希值是否相等;如果哈希值相等,则表示群组设备已经建立了一个相等的会话密钥,并且AMF向所有用户发送了一个确认消息;当用户收到确认消息时,用户将开始进行通信;最后,群组中的用户之间进行安全通信。Step S5.4: When the AMF receives the sent message, it verifies ; If it is within the specified range, AMF will wait/> Collect the remaining messages and verify whether the received hash values are equal; if the hash values are equal, it means that the group devices have established an equal session key, and AMF sends a confirmation message to all users; when the user receives the confirmation message, the user will start communicating; finally, secure communication is carried out between users in the group.
在本实施例中,新用户加入群组,具体如下:In this embodiment, a new user joins a group as follows:
1)首先,从中选择两个用户/>和/>加入新的群组,此时的分组情况为/>和/>;1) First, from Select two users in /> and/> Add a new group. The grouping situation at this time is/> and/> ;
2)和/>重新选择响应值/>,/>,计算/>,/>,/>,和签名值;由于原始组/>的密钥已经被协商过,因此不需要进行身份验证协商;该组的关键字是/>;新的组/>执行上述身份验证过程,最终获得了/>的密钥;2) and/> Reselect the response value /> ,/> , calculate/> ,/> ,/> , and signature value; due to the original group/> The key has already been negotiated, so no authentication negotiation is required; the key for this group is/> ; New group /> Execute the above authentication process and finally obtain/> The key of
3)和/>使用原始密钥/>加密密钥/>,并将其发送给原始组的其他成员;/>和/>将使用密钥/>加密的密钥/>发送给新组的其他成员;3) and/> Use original key/> Encryption Key/> , and send it to other members of the original group; /> and/> The key will be used/> Encrypted key/> Send to other members of the new group;
4)将这两个组合并为,此时新的组密钥是。4) Merge these two groups into , the new group key is .
在本实施例中,户离开群组,具体如下:In this embodiment, a user leaves a group as follows:
设U=是当前组,而V=/>是离开成员集,其中,此时剩余的成员集可以表示为A=/>;Let U = is the current group, and V=/> is the set of leaving members, where , the remaining member set can be expressed as A=/> ;
1)每个成员检查/>的左成员/>或右成员/>是否已经离开;如果/>或,则/>需要重新选择秘密值,重新计算/>和签名,并将其发送到设置A;1) Each member Check/> The left member of /> or right member/> Have you left? If /> or , then/> You need to reselect the secret value and recalculate /> and sign it, and send it to Setting A;
2)如果成员的邻近成员没有改变,那么/>只是简单地传播他们之前计算的/>和签名来设置A;2) If a member The neighboring members of have not changed, then/> Simply propagate their previously calculated /> and signature to set A;
3)在接收到所有值和签名后,每个成员/>验证聚合签名。在验证成功后,相关各方可以使用与以前相同的程序继续计算。3) After receiving all values and after signing, each member/> Verify the aggregate signature. After successful verification, the parties involved can continue the computation using the same procedure as before.
本领域内的技术人员应明白,本发明的实施例可提供为方法、系统、或计算机程序产品。因此,本发明可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本发明可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as methods, systems, or computer program products. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Furthermore, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to the flowcharts and/or block diagrams of the methods, devices (systems), and computer program products according to the embodiments of the present invention. It should be understood that each process and/or box in the flowchart and/or block diagram, as well as the combination of the processes and/or boxes in the flowchart and/or block diagram, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured product including an instruction device that implements the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
以上所述,仅是本发明的较佳实施例而已,并非是对本发明作其它形式的限制,任何熟悉本专业的技术人员可能利用上述揭示的技术内容加以变更或改型为等同变化的等效实施例。但是凡是未脱离本发明技术方案内容,依据本发明的技术实质对以上实施例所作的任何简单修改、等同变化与改型,仍属于本发明技术方案的保护范围。The above is only a preferred embodiment of the present invention, and does not limit the present invention in other forms. Any technician familiar with the profession may use the above disclosed technical content to change or modify it into an equivalent embodiment with equivalent changes. However, any simple modification, equivalent change and modification made to the above embodiment according to the technical essence of the present invention without departing from the technical solution of the present invention still belongs to the protection scope of the technical solution of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410459105.7ACN118075734B (en) | 2024-04-17 | 2024-04-17 | Security lightweight group authentication system and method based on smart grid end-to-end communication |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410459105.7ACN118075734B (en) | 2024-04-17 | 2024-04-17 | Security lightweight group authentication system and method based on smart grid end-to-end communication |
| Publication Number | Publication Date |
|---|---|
| CN118075734Atrue CN118075734A (en) | 2024-05-24 |
| CN118075734B CN118075734B (en) | 2024-08-09 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410459105.7AActiveCN118075734B (en) | 2024-04-17 | 2024-04-17 | Security lightweight group authentication system and method based on smart grid end-to-end communication |
| Country | Link |
|---|---|
| CN (1) | CN118075734B (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119182530A (en)* | 2024-11-22 | 2024-12-24 | 国网信息通信产业集团有限公司 | Method and system for lightweight aggregation negotiation and verification of terminal group key |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110149214A (en)* | 2019-06-06 | 2019-08-20 | 西南交通大学 | LTE-R Network Group Authentication Key Agreement Method without Certificate Aggregation Signature |
| US20210111877A1 (en)* | 2019-08-01 | 2021-04-15 | Coinbase, Inc. | Systems and methods for generating signatures |
| CN115280718A (en)* | 2020-03-13 | 2022-11-01 | 国际商业机器公司 | Secure private key distribution between endpoint instances |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110149214A (en)* | 2019-06-06 | 2019-08-20 | 西南交通大学 | LTE-R Network Group Authentication Key Agreement Method without Certificate Aggregation Signature |
| US20210111877A1 (en)* | 2019-08-01 | 2021-04-15 | Coinbase, Inc. | Systems and methods for generating signatures |
| CN115280718A (en)* | 2020-03-13 | 2022-11-01 | 国际商业机器公司 | Secure private key distribution between endpoint instances |
| Title |
|---|
| WEIPING ZUO等: "An Efficient Certificate-Based Aggregate Signature Scheme", 2023 9TH INTERNATIONAL CONFERENCE ON COMPUTER AND COMMUNICATIONS (ICCC), 11 December 2023 (2023-12-11)* |
| 张应辉等: "5G-V2X中基于轨迹预测的安全高效群组切换认证协议", 通信学报, 31 August 2023 (2023-08-31), pages 145 - 152* |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119182530A (en)* | 2024-11-22 | 2024-12-24 | 国网信息通信产业集团有限公司 | Method and system for lightweight aggregation negotiation and verification of terminal group key |
| Publication number | Publication date |
|---|---|
| CN118075734B (en) | 2024-08-09 |
| Publication | Publication Date | Title |
|---|---|---|
| CN110581854B (en) | Intelligent terminal safety communication method based on block chain | |
| CN107864198B (en) | A kind of block chain common recognition method based on deep learning training mission | |
| Zhang et al. | BTCAS: A blockchain-based thoroughly cross-domain authentication scheme | |
| TWI744532B (en) | Methods and systems to establish trusted peer-to-peer communications between nodes in a blockchain network | |
| WO2023115850A1 (en) | Consortium blockchain consensus identity authentication method | |
| Liu et al. | Time-bound anonymous authentication for roaming networks | |
| CN101969377B (en) | Zero-knowledge identity authentication method and system | |
| CN111371905A (en) | A cloud computing-based blockchain layered consensus proof architecture and method | |
| CN112118231B (en) | Trusted identity management method based on block chain technology | |
| CN112000941B (en) | Identity authentication method and system for mobile cloud computing | |
| CN109005538A (en) | A message authentication method between unmanned vehicles and multi-mobile edge computing servers | |
| CN111711607B (en) | A blockchain-based trusted loading and verification method for streaming microservices | |
| CN113055394A (en) | Multi-service double-factor authentication method and system suitable for V2G network | |
| CN118075734B (en) | Security lightweight group authentication system and method based on smart grid end-to-end communication | |
| CN116248312A (en) | A lightweight zero-knowledge authentication method for IoT devices | |
| CN106487786A (en) | A kind of cloud data integrity verification method based on biological characteristic and system | |
| CN114866248A (en) | A distributed and trusted identity authentication method and system in edge computing environment | |
| CN117241267B (en) | Quantum group key distribution method applicable to V2I scene based on blockchain | |
| CN116167068B (en) | Block chain-based network edge resource trusted allocation method and system | |
| Luo et al. | An efficient consensus algorithm for blockchain-based cross-domain authentication in bandwidth-constrained wide-area IoT networks | |
| CN117318935A (en) | Key generation method and system for vehicle team, and vehicle team formation method and system | |
| CN110809253B (en) | Certificateless aggregate signature method for vehicle-mounted ad hoc network | |
| CN114463009B (en) | A method for improving the security of large-scale energy node transactions | |
| Zhang et al. | FortunChain: EC-VRF-based scalable blockchain system for realizing state sharding | |
| CN120074835A (en) | Block chain assisted cross-domain identity authentication method and system based on Merkle signature |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right | Effective date of registration:20241010 Address after:102200 4th floor, block C, State Grid Smart Grid Research Institute, North District of future science and Technology City, Changping District, Beijing Patentee after:STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd. Country or region after:China Patentee after:Beijing University of Posts and Telecommunications Patentee after:STATE GRID INFO-TELECOM GREAT POWER SCIENCE AND TECHNOLOGY Co.,Ltd. Patentee after:DALIAN POWER SUPPLY COMPANY, STATE GRID LIAONING ELECTRIC POWER Co.,Ltd. Address before:102200 4th floor, block C, State Grid Smart Grid Research Institute, North District of future science and Technology City, Changping District, Beijing Patentee before:STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd. Country or region before:China Patentee before:Beijing University of Posts and Telecommunications Patentee before:STATE GRID INFO-TELECOM GREAT POWER SCIENCE AND TECHNOLOGY Co.,Ltd. |