[go: up one dir, main page]

CN120582799B - A cross-domain multi-mode trusted authentication method for highly dynamic networks - Google Patents

A cross-domain multi-mode trusted authentication method for highly dynamic networks

Info

Publication number
CN120582799B
CN120582799B CN202511095918.3A CN202511095918A CN120582799B CN 120582799 B CN120582799 B CN 120582799B CN 202511095918 A CN202511095918 A CN 202511095918A CN 120582799 B CN120582799 B CN 120582799B
Authority
CN
China
Prior art keywords
node
public key
pseudonym
key
calculate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202511095918.3A
Other languages
Chinese (zh)
Other versions
CN120582799A (en
Inventor
底晓强
李锦青
祁晖
何熊文
刘旭
解男男
刘文懋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Changchun University of Science and Technology
Original Assignee
Changchun University of Science and Technology
Filing date
Publication date
Application filed by Changchun University of Science and Technology filed Critical Changchun University of Science and Technology
Priority to CN202511095918.3A priority Critical patent/CN120582799B/en
Publication of CN120582799A publication Critical patent/CN120582799A/en
Application granted granted Critical
Publication of CN120582799B publication Critical patent/CN120582799B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Abstract

The invention relates to the technical field of air-sky-land-sea integrated network security, and discloses a cross-domain multimode trusted authentication method of a high-dynamic network, which comprises the steps of initializing elliptic curve parameters and main and public keys in a cooperative manner by a trusted institution and a key generation center; the trusted authority generates a pseudonym with a validity period for the node according to the random number, the key generation center generates a partial key, and the node is complemented locally to form a certificate-free complete key pair. The sender can complete signature by only one dot multiplication, the receiver completes verification by three dot multiplication, and compares message hashes by means of a blockchain intelligent contract, and a legal/malicious node list is maintained in real time, so that conditional privacy protection, unlink, traceability and instant revocation are realized. Experimental results show that the method has the advantages of about 7ms of calculation cost, 184bytes of communication, and low contract average time delay of less than 0.35s under 300TPS concurrency, and has high safety and low resource consumption.

Description

Cross-domain multimode trusted authentication method for high-dynamic network
Technical Field
The invention relates to the technical field of air-sky-land-sea integrated network security, in particular to a cross-domain multimode trusted authentication method of a high-dynamic network.
Background
With the continuous promotion of space, air, land and ocean integrated network construction, the number of various nodes of the space, air, land and ocean is continuously increased, the network plays an important role in realizing global coverage, situation awareness and multi-platform cooperation, and the security challenges are increasingly highlighted. Wherein the node itself may generate malicious behavior due to benefit driving, such as deliberately broadcasting false situation information or resource status, leading to global network misjudgment or collaborative failure. Therefore, in the communication process of the air-sky-sea integrated network, it is necessary to ensure the authenticity and credibility of the message transmission.
Digital signature technology has been widely used in the security scenario of the internet of things as one of the main means for ensuring trusted secure communication between nodes. However, there is a problem of high certificate maintenance costs in traditional public key infrastructure-based signature schemes, and there is a problem of key escrow in identity-based signature schemes. To overcome the above problems, a certificate-less signature technique is proposed. Different from the two schemes, the scheme based on the certificate-free signature technology does not need to use a public key certificate, and the user private key is generated by the user and a semi-trusted third party entity together, so that the key escrow problem and the overhead problem of the certificate are effectively solved, and the scheme is widely applied to various scenes such as the Internet of things. This technique ensures that the message is not tampered with maliciously during transmission by verifying the signature, however such a verification process cannot be directly linked to the behavior of the node itself. If the node itself deliberately sends an error message and sends the error message to the receiver, the receiver cannot determine the authenticity of the message, and cannot verify the untrustworthy behavior of the node.
Disclosure of Invention
The invention provides a cross-domain multimode trusted authentication method of a high dynamic network to solve the problems.
The technical scheme II is that the cross-domain multimode trusted authentication method of the high dynamic network comprises a trusted mechanism, a key generation center and nodes, and is characterized by comprising the following steps of S1, generating respective private keys and public parameters by the trusted mechanism and the key generation center, and publishing the public parameters.
S2, the trusted authority selects random numbers for each node, calculates a pseudonym, and sends the pseudonym to the corresponding node and the key generation center, wherein each node comprises a sender node and a receiver node, and the pseudonym comprises a first component, a second component and a valid period.
And S3, after the key generation center receives the pseudonym sent by the trusted authority, checking whether the validity period of the pseudonym is still in the validity period, if so, generating a first part of private keys and a first part of public keys, sending the first part of private keys and the first part of public keys to the corresponding nodes together with the pseudonym, and otherwise, discarding the pseudonym.
And S4, after each node receives the data packet containing the pseudonym, the first part private key and the first part public key, verifying the validity of the first part private key, generating a second part private key and a second part public key when verification passes, combining the second part private key and the first part private key with the first part public key to obtain a complete private key and a complete public key, and otherwise discarding the data packet.
And S5, when the sender node needs to send the message, the sender node generates a digital signature and sends the digital signature together with the message, wherein the digital signature is calculated based on the random number, the pseudonym, the complete public key, the message to be sent and the time stamp.
And S6, after receiving the data packet containing the pseudonym, the complete public key, the message, the digital signature and the timestamp, the receiver node performs timeliness inspection on the timestamp, and when the inspection passes, the digital signature is verified to confirm the integrity of the message and the identity of the sender, otherwise, the data packet is discarded.
And S7, the receiver node performs correctness verification on the content of the message by calling an intelligent contract deployed in the blockchain, updates a legal node list and a malicious node list on the blockchain in real time according to a verification result, marks the sender node as a malicious node when verification fails, and synchronizes the sender node to the whole network.
Further, the S1 is specifically S11 is a selected elliptic curveSetting a groupOrder of groupAnd generating a meta
S12, the trusted authority TA selects random numbersAs a master private key of the system, and calculates a corresponding master public key as
S13, selecting random number by key generation centerAs a private key and calculates the corresponding public key as
S14, selecting a first, a second and a third anti-collision safety hash functions:
S15, publishing the public parameters
Further, the step S2 specifically includes S21 that the trusted authority is each nodeRespectively selecting random numbers, wherein,Representing the sequence number of the node.
S22, based on the generatorCalculate the first component
S23, system-based master public keyCalculating a shared curve point
S24, setting the validity period of the pseudonymAnd calculate a second pseudonymous componentWherein, the method comprises the steps of,For the true identity of the node,As the master private key of the system,As a first anti-collision secure hash function,Representing a bitwise exclusive or operation.
S25, combining to obtain node pseudonymsAnd respectively send to the corresponding nodes through the secure channelsAnd a key generation center.
Further, in the step S3, a part of private key is generated and sent to the corresponding node, specifically, S31, the key generation center is the nodeSelecting random numbers
S32 based on random numberCalculate a first partial public key
S33 based on node pseudonymsFirst part public keyKey generation center public keyPseudonym expiration dateCalculating hash coefficientsWherein, the method comprises the steps of,Is a second collision-resistant secure hash function.
S34, calculating a first part private key of the nodeWherein, the method comprises the steps of,As a private key of the key generation center,Is a group order. S35, will beTo the corresponding node
Further, the S4 specifically includes S41, nodeReception ofAfter that, the hash coefficient is calculatedAnd verify the equationIf not, discarding the data packet.
S42, selecting random numberAnd calculates a second partial public key
S43. based onAndAgain, the hash coefficients are calculated
S44, calculating the combined public key component
S45, determining node complete private keyComplete public key
Further, the step S5 specifically includes the step S51 of the sender nodeSelecting random numbersAnd calculates a temporary public key
S52 based on sender nodeIs a pseudonym of (2)Complete public keyTemporary public keyMessage to be sentTime stampCalculating hash coefficients, wherein,Is a third collision-resistant secure hash function.
S53, according to the hash coefficientGenerating signature scalarWherein, the method comprises the steps of,Is a group order.
S54 based on temporary public keySignature scalarObtaining a signatureAnd willTransmitting to a receiver node
Further, the S6 specifically includes S61, a receiver nodeJudging a time stampWhether the data packet is within the effective time window or not, and discarding the data packet if the data packet is not satisfied.
S62 when the time stampWhen valid, based on pseudonyms of sender nodesFirst part public keyKey generation center public keyExpiration dateCalculating hash coefficients
S63. pseudonym based on sender nodePublic key of the second partKey generation center public keyExpiration date of kanaCalculating hash coefficients
S64. pseudonym based on sender nodeComplete public keyTemporary public keyMessageTime stampCalculating hash coefficients
S65, verifying elliptic curve equationIf the equation is satisfied, the digital signature is valid and receives the message, otherwise, the data packet is discarded.
Further, the step S7 specifically includes the step S71 of the receiver node calling VERIFYMESSAGE functions in the intelligent contract to verify the message to be verifiedPseudonym of sender nodeAs parameter input, contract internal calculationAnd putting the saidComparing with the hash value of the real event pre-stored in the contract state, and outputting the Boolean value
S72, the receiver node continues to call the intelligent contractFunction of sending node addressAs input, whenAnd if not already existing in the legal node list, adding the sender node into the legal node list.
And S73, writing a list updating result and verification transaction into a blockchain ledger, and synchronizing the legal node list and the malicious node list by all nodes in the blockchain network so as to realize the node reputation state consistent with the whole network.
The invention has the beneficial effects that compared with the prior art, the cross-domain multimode trusted authentication method of the high dynamic network has the following beneficial effects that 1, the cross-domain multimode trusted authentication method of the high dynamic network has the advantages that a node is designed to realize 'reversible analysis by a trusted mechanism by using a pseudonym communication by using a pseudonym mechanism driven by a random number', the pseudonym is continuously updated along with the validity period and the random number, an attacker cannot associate different sessions and can not reversely push out the true identity, and only the T trusted mechanism can restore the true identity once by a main private key when the node is suspected to be bad, so that the effects of conditional privacy protection, non-interlinkability, traceability and non-repudiation are realized.
2. According to the cross-domain multimode trusted authentication method of the high dynamic network, a whole-course elliptic curve certificate-free signature replaces a bilinear pair, a sending end can sign only by one point multiplication, a receiving end needs three point multiplication and five hash times in a signature verification and message verification link, compared with a similar scheme, the calculation and communication cost is obviously reduced, and the identity verification, the content verification and the node reputation judgment are ensured while the lightweight characteristic is maintained.
3. According to the cross-domain multimode trusted authentication method of the high dynamic network, the centralized invalidation and the tampering risk are avoided by updating and writing the message hash comparison and the node black-and-white list into the blockchain intelligent contract, and under a 300 concurrency scene, the average delay of the contract is lower than 0.3 seconds, the throughput is about 200TPS, so that the high efficiency and stability of the scheme in the space-day-earth-sea integrated distributed environment are verified.
Drawings
FIG. 1 is a schematic overall flow chart of the method of the present invention.
FIG. 2 is a schematic diagram of timing interactions provided by the method of the present invention.
Fig. 3 is a schematic diagram of pseudonym generation, partial key generation and key generation processes provided by the method of the present invention.
Fig. 4 is a schematic diagram of a signature generation and signature verification process provided by the method of the present invention.
Fig. 5 is a diagram of experimental results of signature process overhead, verification process overhead and total computation overhead provided by the method of the present invention.
Fig. 6 is a diagram of experimental results of communication overhead provided by the method of the present invention.
Fig. 7 is a graph of experimental results of maximum delay, minimum delay and average delay of intelligence at different concurrency degrees provided by the method of the present invention.
Fig. 8 is a graph of throughput and latency results for the intelligence provided by the method of the present invention at approximately different concurrencies.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In order to better understand the aspects of the present invention, the present invention will be described in further detail with reference to the accompanying drawings and detailed description.
Referring to fig. 1-3, fig. 1 is an overall flow diagram provided by the method of the present invention, fig. 2 is a timing sequence interaction diagram provided by the method of the present invention, fig. 3 is a process diagram of pseudonym generation, partial key generation and key generation provided by the method of the present invention, the present invention provides a cross-domain multimode trusted authentication method of a high dynamic network, and a system is provided, which comprises a trusted mechanism, a key generation center and nodes, wherein the method comprises the following steps that S1, the trusted mechanism and the key generation center generate respective private keys and public parameters, and publish the public parameters.
S2, the trusted authority selects random numbers for each node, calculates a pseudonym, and sends the pseudonym to the corresponding node and the key generation center, wherein each node comprises a sender node and a receiver node, and the pseudonym comprises a first component, a second component and a valid period.
And S3, after the key generation center receives the pseudonym sent by the trusted authority, checking whether the validity period of the pseudonym is still in the validity period, if so, generating a first part of private keys and a first part of public keys, sending the first part of private keys and the first part of public keys to the corresponding nodes together with the pseudonym, and otherwise, discarding the pseudonym.
And S4, after each node receives the data packet containing the pseudonym, the first part private key and the first part public key, verifying the validity of the first part private key, generating a second part private key and a second part public key when verification passes, combining the second part private key and the first part private key with the first part public key to obtain a complete private key and a complete public key, and otherwise discarding the data packet.
And S5, when the sender node needs to send the message, the sender node generates a digital signature and sends the digital signature together with the message, wherein the digital signature is calculated based on the random number, the pseudonym, the complete public key, the message to be sent and the time stamp.
And S6, after receiving the data packet containing the pseudonym, the complete public key, the message, the digital signature and the timestamp, the receiver node performs timeliness inspection on the timestamp, and when the inspection passes, the digital signature is verified to confirm the integrity of the message and the identity of the sender, otherwise, the data packet is discarded.
And S7, the receiver node performs correctness verification on the content of the message by calling an intelligent contract deployed in the blockchain, updates a legal node list and a malicious node list on the blockchain in real time according to a verification result, marks the sender node as a malicious node when verification fails, and synchronizes the sender node to the whole network.
Furthermore, in order to establish a unified and safe cryptography foundation in an air-sky-sea integrated network, the system initialization stage is cooperatively completed by a trusted mechanism and a key generation center, wherein the two parties firstly select elliptic curvesDetermining the order asIs a cyclic group of (a)And its generation elementThe trusted authority then independently generates a system master private keyAnd calculates the master public keyWhile the key generation center independently generates the private keyAnd calculates the public keyOn the basis, three kinds of anti-collision safety hash functions are selected togetherAnd willAs a public parameter. By keying the master private keyWith private keyThe trust root on which the subsequent false name generation, the certificate-free signature and other operations depend is formed, and all key information is prevented from being owned by any single entity. The S1 is specifically that S11 is selected elliptic curveSetting a groupOrder of groupAnd generating a meta
S12, the trusted authority TA selects random numbersAs a master private key of the system, and calculates a corresponding master public key as
S13, selecting random number by key generation centerAs a private key and calculates the corresponding public key as
S14, selecting a first, a second and a third anti-collision safety hash functions:
S15, publishing the public parameters
Furthermore, in order to protect the true identity of the node in the air-sky-land-sea integrated network, the true identity of the node needs to be hidden, that is, a corresponding pseudonym is generated through the true identity, and the node in the pseudonym generation stageIs based on the true identity of the node by a trusted authorityThe method comprises the steps of generating a pseudonym, realizing recovery of the true identity of a malicious node while protecting the identity privacy of the node, namely realizing conditional privacy protection, and enabling any other node to be incapable of calculating the true identity of the node because only a trusted authority has a main private key. The S2 specifically comprises S21 that the trusted authority is each nodeRespectively selecting random numbers, wherein,Representing the sequence number of the node.
S22, based on the generatorCalculate the first component
S23, system-based master public keyCalculating a shared curve point
S24, setting the validity period of the pseudonymAnd calculate a second pseudonymous componentWherein, the method comprises the steps of,For the true identity of the node,As the master private key of the system,As a first anti-collision secure hash function,Representing a bitwise exclusive or operation.
S25, combining to obtain node pseudonymsAnd respectively send to the corresponding nodes through the secure channelsAnd a key generation center.
Further, in order to enable the network node to obtain the key material strongly bound with the pseudonym without holding the certificate, the key generating center firstly checks the validity period of the pseudonym after receiving the pseudonym issued by the trusted authority, and if the validity period is still in the validity period, the key generating center is the corresponding nodeSelecting random numbersComputing a first partial public keyAnd by pseudonymKey generation center public keyKana validity periodObtaining hash coefficients for inputSubsequently, the key generation center uses the private key itselfGenerating a first partial private key of a nodeAnd willAnd the key is sent to the node through a secure channel, so that not only is it ensured that any third party cannot deduce the complete private key only by virtue of the pseudonym, but also the key is tightly bound with the pseudonym and the validity period. In the step S3, a part of private key is generated and sent to the corresponding node, specifically S31, the key generation center is the nodeSelecting random numbers
S32 based on random numberCalculate a first partial public key
S33 based on node pseudonymsFirst part public keyKey generation center public keyPseudonym expiration dateCalculating hash coefficientsWherein, the method comprises the steps of,Is a second collision-resistant secure hash function.
S34, calculating a first part private key of the nodeWherein, the method comprises the steps of,As a private key of the key generation center,Is a group order.
S35, will beTo the corresponding node
Further, to thoroughly eliminate the risk of key escrow and ensure exclusive control of the node over its own private key, the nodeSent at the receiving key generating centerAfter the data packet, firstly, the same hash coefficient is used for verifying the equationAfter verification, the node locally selects a random number to calculate a second part of public keyAnd calculate from thisThereby generating a combined public key componentTo this point, the node willWith self-holdingSplit to complete private keyAnd corresponding complete public keyTherefore, two parts of the complete private key are respectively mastered in the key generation center and the node itself, so that autonomy and non-repudiation of node signature are ensured, and an attack path of any single entity for forging or replacing the key is effectively blocked. The S4 specifically comprises S41, namely a nodeReception ofAfter that, the hash coefficient is calculatedAnd verify the equationIf not, discarding the data packet.
S42, selecting random numberAnd calculates a second partial public key
S43. based onAndAgain, the hash coefficients are calculated
S44, calculating the combined public key component
S45, determining node complete private keyComplete public key
Further, referring to FIG. 4, FIG. 4 is a schematic diagram of signature generation and signature verification process provided by the method of the present invention, wherein the sender node is configured to implement lightweight and non-repudiated identity and content binding before actually sending a service messageFirstly, selecting a one-time random numberAnd calculates a temporary public keyThen, obtaining the hash coefficientAnd generates a signature scalar therefromFinally, a digital signature is formedAnd willThe whole is sent to the receiver node. The process can issue a signature only by one elliptic curve point multiplication, ensures that each message signature is unique and can be prevented from replaying through a random number and a time stamp, and simultaneously ensures that the undeniability and privacy protection of the signature coexist by binding a pseudonym with a complete private key. The S5 specifically comprises S51, a sender nodeSelecting random numbersAnd calculates a temporary public key
S52 based on sender nodeIs a pseudonym of (2)Complete public keyTemporary public keyMessage to be sentTime stampCalculating hash coefficients, wherein,Is a third collision-resistant secure hash function.
S53, according to the hash coefficientGenerating signature scalarWherein, the method comprises the steps of,Is a group order.
S54 based on temporary public keySignature scalarObtaining a signatureAnd willTransmitting to a receiver node
Furthermore, to realize the instant, low-cost and double-guarantee identity and content verification of the incoming message at the node of the receiving party, the nodeUpon receipt ofAfter that, first to timestampPerforming window verification to resist replay, and after verification, calculating binding coefficients by using the pseudonym of the sender and the first and second partial public keys thereofAndRe-calculating hash coefficientsThen verify the core equationIf the equation is satisfied, the unique control of the complete private key of the sender and the non-falsification of the message content are simultaneously confirmed, otherwise, the data packet is immediately discarded and the subsequent processing is blocked, so that the signature verification under the high dynamic network environment is completed under the condition that only three elliptic curve point multiplication and three hash operations are needed. The S6 specifically comprises S61, a receiver nodeJudging a time stampWhether the data packet is within the effective time window or not, and discarding the data packet if the data packet is not satisfied.
S62 when the time stampWhen valid, based on pseudonyms of sender nodesFirst part public keyKey generation center public keyExpiration dateCalculating hash coefficients
S63. pseudonym based on sender nodePublic key of the second partKey generation center public keyExpiration date of kanaCalculating hash coefficients
S64. pseudonym based on sender nodeComplete public keyTemporary public keyMessageTime stampCalculating hash coefficients
S65, verifying elliptic curve equationIf the equation is satisfied, the digital signature is valid and receives the message, otherwise, the data packet is discarded.
Further, in order to eliminate the single point failure of centralized verification and synchronize the message authenticity and the node credit state in the whole network, the receiver node calls the blockchain intelligent contract after finishing signature verification, which is generated by calculating the message hash by VERIFYMESSAGE functions and comparing with the real event hash on the chainAnd then immediately callFunction basisAnd if the verification fails, the sender node is moved out of the white list and added into the black list, and otherwise, the sender node is registered or reserved. All verification results and list changes are written into the blockchain along with the transaction and broadcast through consensus, so that end-to-end decentralization message verification that data is not tamperable, publicly auditable and less than 0.3 seconds is realized. The S7 specifically comprises S71 that a receiver node calls VERIFYMESSAGE functions in the intelligent contract to verify the message to be verifiedPseudonym of sender nodeAs parameter input, contract internal calculationAnd putting the saidComparing with the hash value of the real event pre-stored in the contract state, and outputting the Boolean value
S72, the receiver node continues to call the intelligent contractFunction of sending node addressAs input, whenAnd if not already existing in the legal node list, adding the sender node into the legal node list.
And S73, writing a list updating result and verification transaction into a blockchain ledger, and synchronizing the legal node list and the malicious node list by all nodes in the blockchain network so as to realize the node reputation state consistent with the whole network.
In order to further verify the effect of the scheme of the present invention, please refer to fig. 5-8, fig. 5 is an experimental result diagram of signature process overhead, verification process overhead and total computation overhead provided by the method of the present invention, fig. 6 is an experimental result diagram of communication overhead provided by the method of the present invention, fig. 7 is an experimental result diagram of maximum delay, minimum delay and average delay provided by the method of the present invention at about different concurrency, and fig. 8 is a throughput and delay result diagram provided by the method of the present invention at about different concurrency.
In fig. 5, the experimental result shows that the signature phase of the method is about 2ms, the verification phase is about 5ms, and the total is about 7ms, which is reduced by 83% compared with the total consumption of 41ms of the ECA frame, and is reduced by about 20% -25% compared with the lightweight schemes such as AEP and REL, and the verification that the proposed certificateless ECC process can obviously improve the end-to-end execution efficiency while guaranteeing the security attribute.
In fig. 6, in terms of the message interaction size, the data packet sent by the scheme of the invention is only 184bytes, is equal to the optimal baseline AEP, saves 35% compared with the main stream BBAS framework, saves 66% compared with the ECA scheme introducing certificates, and shows that the message structure of the one-time encapsulation of the pseudonym and the complete public key can compress the link load on the premise of not sacrificing the verification information, and especially accords with the strict constraint of the space-day-earth-sea heterogeneous link on the bandwidth.
In fig. 7, in the on-chain environment simulating 50-300TPS concurrency, the average delay of the intelligent contract in the scheme is always kept below 0.35s, the minimum delay approaches 0s, and the maximum delay does not increase linearly with load for more than 1.1s. The result illustrates that the message Ha Xibi pair and list update logic, after being implemented in Solidity, can maintain sub-second level responses under existing federation chain underlying consensus mechanisms.
In fig. 8, as the concurrency increases from 50TPS to about 230TPS, the contract throughput linearly climbs and stabilizes at around 200TPS, while the corresponding delay only increases smoothly to about 0.35s, after which the load continues to rise, the throughput and delay curves tend to saturate but no significant jitter, verifying the stability and scalability of the contract at high loads. The comprehensive throughput-time delay performance further proves that the design on the write-in chain of message verification and node reputation maintenance gets rid of the bottleneck of a central server and meets the double requirements of space-earth Hiroad on high concurrency and low time delay of a network.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1.一种高动态网络的跨域多模可信认证方法,提供一系统包括可信机构、密钥生成中心及节点,其特征在于,所述方法包括以下步骤:S1:可信机构和密钥生成中心生成各自的私钥及公共参数,并公布所述公共参数;S2:可信机构为每一节点选取随机数并计算假名,再将假名发送给对应节点和密钥生成中心;所述每一节点包括发送方节点和接收方节点;所述假名包括第一分量、第二分量及有效期限;S3:密钥生成中心接收可信机构发送的假名后,检查该假名的有效期限是否仍处于有效期,若是,则生成第一部分私钥及第一部分公钥,连带假名一并发送给对应节点,否则丢弃该假名;S4:每一节点在接收到包含所述假名、第一部分私钥及第一部分公钥的数据包后,验证所述第一部分私钥的合法性,验证通过时,生成第二部分私钥及第二部分公钥,并与所述第一部分私钥和所述第一部分公钥组合得到完整私钥和完整公钥,否则丢弃所述数据包;S5:当发送方节点需要发送消息时,所述发送方节点生成数字签名并连同所述消息一并发送,其中所述数字签名基于随机数、假名、完整公钥、待发送的消息及时间戳计算得到;S6:接收方节点在接收到包含假名、完整公钥、消息、数字签名及时间戳的数据包后,对所述时间戳进行时效性检验;在检验通过时,对所述数字签名进行验证以确认消息完整性及发送方身份,否则丢弃所述数据包;S7:接收方节点通过调用部署于区块链的智能合约对所述消息的内容进行正确性验证,并依据验证结果实时更新区块链上的合法节点列表与恶意节点列表;当验证失败时将发送方节点标记为恶意节点并同步至全网。1. A cross-domain multi-mode trusted authentication method for a highly dynamic network, providing a system including a trusted institution, a key generation center and a node, characterized in that the method comprises the following steps: S1: the trusted institution and the key generation center generate their own private keys and public parameters, and publish the public parameters; S2: the trusted institution selects a random number for each node and calculates a pseudonym, and then sends the pseudonym to the corresponding node and the key generation center; each node includes a sending node and a receiving node; the pseudonym includes a first component, a second component and an expiration date; S3: after receiving the pseudonym sent by the trusted institution, the key generation center checks whether the expiration date of the pseudonym is still within the validity period, and if so, generates a first part private key and a first part public key, and sends them together with the pseudonym to the corresponding node, otherwise discards the pseudonym; S4: after receiving a data packet containing the pseudonym, the first part private key and the first part public key, each node verifies the legitimacy of the first part private key, and generates a second part public key when the verification is successful. Part of the private key and the second part of the public key, and combine them with the first part of the private key and the first part of the public key to obtain the complete private key and the complete public key, otherwise the data packet is discarded; S5: When the sending node needs to send a message, the sending node generates a digital signature and sends it together with the message, wherein the digital signature is calculated based on a random number, a pseudonym, a complete public key, the message to be sent and a timestamp; S6: After receiving the data packet containing the pseudonym, the complete public key, the message, the digital signature and the timestamp, the receiving node performs a timeliness check on the timestamp; when the check passes, the digital signature is verified to confirm the message integrity and the identity of the sender, otherwise the data packet is discarded; S7: The receiving node verifies the correctness of the content of the message by calling the smart contract deployed on the blockchain, and updates the list of legitimate nodes and the list of malicious nodes on the blockchain in real time according to the verification result; when the verification fails, the sending node is marked as a malicious node and synchronized to the entire network. 2.根据权利要求1所述的一种高动态网络的跨域多模可信认证方法,其特征在于,所述S1具体为:S11:选定椭圆曲线,设定群,群的阶和生成元;S12:可信机构TA选择随机数作为系统的主私钥,并计算对应的主公钥为;S13:密钥生成中心选择随机数作为私钥,并计算对应的公钥为;S14:选择第一、第二及第三抗碰撞安全哈希函数:;S15:公布公共参数2. A cross-domain multi-mode trusted authentication method for a highly dynamic network according to claim 1, characterized in that said S1 is specifically: S11: selecting an elliptic curve , set group , the order of the group and generators ; S12: Trusted institution TA selects random number As the system's master private key, and calculate the corresponding master public key as ; S13: The key generation center selects a random number As the private key, and calculate the corresponding public key as ; S14: Select the first, second and third collision-resistant secure hash functions: ; S15: Publish public parameters . 3.根据权利要求2所述的一种高动态网络的跨域多模可信认证方法,其特征在于:所述S2具体包括:S21:可信机构为每一节点分别选取随机数,其中,表示节点的序号;S22:基于生成元,计算第一分量;S23:基于系统的主公钥,计算共享曲线点;S24:设定假名有效期限,并计算第二假名分量;其中,为节点真实身份,为系统的主私钥,为第一抗碰撞安全哈希函数,表示按位异或运算;S25:组合得到节点假名,并通过安全信道分别发送给对应节点与密钥生成中心。3. A cross-domain multi-mode trusted authentication method for a highly dynamic network according to claim 2, characterized in that: said S2 specifically includes: S21: the trusted institution is each node Select random numbers respectively ,in, Indicates the sequence number of the node; S22: based on the generator , calculate the first component ; S23: Based on the system's master public key , calculate shared curve points ; S24: Set the validity period of the pseudonym , and calculate the second pseudonym component ;in, is the real identity of the node, is the system's master private key, is the first collision-resistant secure hash function, Indicates bitwise XOR operation; S25: Combine to get the node pseudonym and sent to the corresponding nodes through secure channels and key generation center. 4.根据权利要求3所述的一种高动态网络的跨域多模可信认证方法,其特征在于,所述S3中,生成部分私钥并发送给对应节点,具体为:S31:密钥生成中心为节点选取随机数;S32:基于随机数,计算第一部分公钥;S33:基于节点假名、第一部分公钥、密钥生成中心公钥及假名有效期限,计算哈希系数;其中,为第二抗碰撞安全哈希函数;S34:计算节点第一部分私钥;其中,为密钥生成中心的私钥,为群阶;S35:将发送给对应节点4. A cross-domain multi-mode trusted authentication method for a highly dynamic network according to claim 3, characterized in that in said S3, a partial private key is generated and sent to the corresponding node, specifically: S31: the key generation center is the node Pick a random number ; S32: Based on random number , calculate the first part of the public key ; S33: Based on node pseudonym 、The first part of the public key , key generation center public key and the validity period of the pseudonym , calculate the hash coefficient ;in, The second collision-resistant secure hash function; S34: Calculate the first part of the node private key ;in, The private key of the key generation center, For group level; S35: Send to the corresponding node . 5.根据权利要求4所述的一种高动态网络的跨域多模可信认证方法,其特征在于,所述S4具体包括:S41:节点接收后,计算哈希系数,并验证等式是否成立,若不成立则丢弃该数据包;S42:选取随机数,并计算第二部分公钥;S43:基于,再次计算哈希系数;S44:计算组合公钥分量;S45:确定节点完整私钥及完整公钥5. A cross-domain multi-mode trusted authentication method for a highly dynamic network according to claim 4, characterized in that said S4 specifically comprises: S41: Node take over Then calculate the hash coefficient , and verify the equation Is it true? If not, discard the data packet; S42: Select a random number , and calculate the second part of the public key ; S43: Based on and , calculate the hash coefficient again ; S44: Calculate the combined public key components ; S45: Determine the node's complete private key and the complete public key . 6.根据权利要求5所述的一种高动态网络的跨域多模可信认证方法,其特征在于,所述S5具体包括:S51:发送方节点选取随机数,并计算临时公钥 ;S52:基于发送方节点的假名、完整公钥、临时公钥、待发送的消息及时间戳计算哈希系数,其中,为第三抗碰撞安全哈希函数;S53:根据所述哈希系数生成签名标量;其中,为群阶;S54:基于临时公钥和签名标量得到签名,并将发送给接收方节点6. A cross-domain multi-mode trusted authentication method for a highly dynamic network according to claim 5, characterized in that said S5 specifically comprises: S51: the sender node Pick a random number , and calculate the temporary public key ; S52: Based on the sender node pseudonym , complete public key , temporary public key , messages to be sent and timestamp Calculating the hash coefficient ,in, is a third collision-resistant secure hash function; S53: according to the hash coefficient Generate signed scalar ;in, is the group order; S54: based on temporary public key and signed scalars Get a signature , and Sent to the receiving node . 7.根据权利要求6所述的一种高动态网络的跨域多模可信认证方法,其特征在于,所述S6具体包括:S61:接收方节点判断时间戳是否处于有效时间窗口内,若不满足则丢弃所述数据包;S62:当时间戳有效时,基于发送方节点的假名、第一部分公钥、密钥生成中心公钥及有效期限,计算哈希系数;S63:基于发送方节点的假名、第二部分公钥、密钥生成中心公钥及假名的有效期限,计算哈希系数;S64:基于发送方节点的假名、完整公钥、临时公钥、消息及时间戳,计算哈希系数;S65:验证椭圆曲线等式是否成立;若等式成立,则数字签名有效并接收消息,否则丢弃所述数据包。7. A cross-domain multi-mode trusted authentication method for a highly dynamic network according to claim 6, characterized in that said S6 specifically comprises: S61: the receiving node Determine timestamp Is it within the valid time window? If not, the data packet is discarded. S62: When the timestamp When valid, based on the pseudonym of the sender node 、The first part of the public key , key generation center public key and validity period , calculate the hash coefficient ; S63: Pseudonym based on the sender node , the second part of the public key , key generation center public key and the validity period of the pseudonym , calculate the hash coefficient ; S64: Pseudonym based on the sender node , complete public key , temporary public key ,information and timestamp , calculate the hash coefficient ; S65: Verify elliptic curve equality Is it true? If the equality is true, the digital signature is valid and the message is received, otherwise the data packet is discarded. 8.根据权利要求7所述的一种高动态网络的跨域多模可信认证方法,其特征在于,所述S7具体包括:S71:接收方节点调用智能合约中的verifyMessage函数,将待验证的消息及发送方节点的假名作为参数传入;合约内部计算并将所述与合约状态中预先存储的真实事件哈希值进行比对,输出布尔值;S72:接收方节点继续调用智能合约中的函数,将发送方节点地址及作为输入,当时,将发送方节点从合法节点列表中移除并添加至恶意节点列表;否则,若发送方节点尚未存在于合法节点列表中,则将其加入合法节点列表;S73:列表更新结果及验证交易被写入区块链账本,区块链网络中的全部节点同步所述合法节点列表与恶意节点列表,以实现全网一致的节点信誉状态。8. A cross-domain multi-mode trusted authentication method for a highly dynamic network according to claim 7, characterized in that said S7 specifically comprises: S71: the receiving node calls the verifyMessage function in the smart contract and sends the message to be verified and the pseudonym of the sending node Passed in as a parameter; calculated within the contract And the Compare with the real event hash value pre-stored in the contract state and output a Boolean value ; S72: The receiving node continues to call the smart contract Function, the sender node address and As input, when When the sender node is detected, the sender node is removed from the legal node list and added to the malicious node list; otherwise, if the sender node does not exist in the legal node list, it is added to the legal node list; S73: the list update result and verification transaction are written into the blockchain ledger, and all nodes in the blockchain network synchronize the legal node list and the malicious node list to achieve a consistent node reputation status across the entire network.
CN202511095918.3A 2025-08-06 A cross-domain multi-mode trusted authentication method for highly dynamic networks Active CN120582799B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202511095918.3A CN120582799B (en) 2025-08-06 A cross-domain multi-mode trusted authentication method for highly dynamic networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202511095918.3A CN120582799B (en) 2025-08-06 A cross-domain multi-mode trusted authentication method for highly dynamic networks

Publications (2)

Publication Number Publication Date
CN120582799A CN120582799A (en) 2025-09-02
CN120582799B true CN120582799B (en) 2025-09-30

Family

ID=

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116827584A (en) * 2023-03-01 2023-09-29 电子科技大学 A blockchain-based method for certificate-less anonymous cross-domain authentication of IoT devices
CN120200750A (en) * 2025-05-26 2025-06-24 长春工业大学 Secure communication system and method for vehicle-mounted ad hoc network based on NTRU lattice cryptographic system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116827584A (en) * 2023-03-01 2023-09-29 电子科技大学 A blockchain-based method for certificate-less anonymous cross-domain authentication of IoT devices
CN120200750A (en) * 2025-05-26 2025-06-24 长春工业大学 Secure communication system and method for vehicle-mounted ad hoc network based on NTRU lattice cryptographic system

Similar Documents

Publication Publication Date Title
Perrig et al. Secure Broadcast Communication: In Wired and Wireless Networks
US8397062B2 (en) Method and system for source authentication in group communications
Karbasi et al. A post-quantum end-to-end encryption over smart contract-based blockchain for defeating man-in-the-middle and interception attacks
Szalachowski (Short paper) towards more reliable bitcoin timestamps
CN102170352A (en) Method of using ECDSA with winternitz one time signature
CN110852745A (en) Block chain distributed dynamic network key automatic updating method
CN115378604B (en) An identity authentication method for edge computing terminal devices based on reputation value mechanism
Mu et al. An identity privacy scheme for blockchain‐based on edge computing
CN120582799B (en) A cross-domain multi-mode trusted authentication method for highly dynamic networks
Chandrasekhar et al. A trapdoor hash-based mechanism for stream authentication
CN116015670B (en) Method for preventing BGP man-in-the-middle attacks based on certificateless ordered aggregate signature
Bergadano et al. Individual authentication in multiparty communications
Yang et al. A source authentication scheme based on message recovery digital signature for multicast
CN120582799A (en) A cross-domain multi-mode trusted authentication method for highly dynamic networks
CN112423295B (en) Lightweight security authentication method and system based on block chain technology
Chen et al. Threshold identity authentication signature: Impersonation prevention in social network services
Ding et al. Equipping smart devices with public key signatures
Rösler et al. Interoperability between messaging services secure–implementation of encryption
Li et al. A novel security scheme supported by certificateless digital signature and blockchain in named data networking
Dowling et al. Cryptography is rocket science
CN120602223B (en) Cross-domain authentication method for Internet of Vehicles based on blockchain and certificateless ECC
Guo et al. A practical and UC-secure decentralized key management and authentication scheme based on blockchain for VNDN
CN110855690B (en) IBC-based secure BGP (Border gateway protocol) implementation method
Boyd et al. A Tutorial Introduction to Authentication and Key Establishment
CN114726958B (en) Authentication method, device, electronic device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant