WO2013097598A1 - Method, apparatus and system for entity authentication - Google Patents

Info

Publication number
WO2013097598A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
authentication
result
psk
exclusive
Application number
PCT/CN2012/086343
Inventor
杜志强
侯宇
铁满霞
胡亚楠
张国强
李琴
Original Assignee
西安西电捷通无线网络通信股份有限公司
Application filed by 西安西电捷通无线网络通信股份有限公司
Publication of WO2013097598A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041: Key generation or derivation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/069: Authentication using certificates or pre-shared keys
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W4/00: Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80: Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Definitions

  • TECHNICAL FIELD: The present application relates to the field of network security applications in information security technologies, and in particular to an entity authentication method, apparatus and system.
  • BACKGROUND OF THE INVENTION: Resource-limited wireless networks, including sensor networks (SN, Sensor Network), magnetic field area networks (MFAN, Magnetic Field Area Network) and radio frequency identification (RFID, Radio Frequency Identification) networks, have broad application prospects in military, environmental monitoring, forest fire protection, health care, logistics and other fields, and are playing an increasingly important role in these fields.
  • The present application provides an entity authentication method, apparatus and system for saving computational overhead in the entity authentication process.
  • The application provides an entity authentication method, including:
  • Step 1: Entity A sends an authentication request message to entity B, where the authentication request message includes the result SN1 of an exclusive OR operation between PSK and the data N1 generated locally by entity A, and PSK is a key shared by entity A and entity B;
  • Step 2: Entity B receives the authentication request message sent by entity A, performs an exclusive OR operation on the SN1 in the authentication request message and PSK, processes the result of that operation according to the agreed rule, performs an exclusive OR operation on the processed result and PSK again to obtain SON1, and sends SON1 to entity A in an authentication response message;
  • Step 3: Entity A receives the authentication response message sent by entity B, performs an exclusive OR operation on the SON1 in the authentication response message and PSK, compares the result of that operation with the result of processing N1 according to the agreed rule, and determines from the comparison result whether entity B is legal.
  • The application also provides an entity authentication device, including:
  • A request message sending unit, configured to send an authentication request message to entity B, where the authentication request message includes the result SN1 of an exclusive OR operation between PSK and the data N1 generated locally by the entity authentication device, and PSK is a key shared by the entity authentication device and entity B.
  • An authentication unit, configured to receive an authentication response message sent by entity B, perform an exclusive OR operation on the SON1 in the authentication response message and PSK, compare the result of that operation with the result of processing N1 according to the agreed rule, and determine from the comparison result whether entity B is legal.
  • SON1 is the result that entity B obtains by performing an exclusive OR operation on the SN1 in the received authentication request message and PSK, processing the result of that operation according to the agreed rule, and performing an exclusive OR operation with PSK again.
  • The present application also provides another entity authentication device, including:
  • A request message receiving unit, configured to receive an authentication request message sent by entity A, where the authentication request message includes the result SN1 of an exclusive OR operation between PSK and the data N1 generated locally by entity A, and PSK is a key shared by entity A and the entity authentication device.
  • A response message sending unit, configured to perform an exclusive OR operation on the SN1 in the authentication request message and PSK, process the result of that operation according to the agreed rule, perform an exclusive OR operation with PSK again to obtain SON1, and send SON1 to entity A in an authentication response message.
  • The application also provides an entity authentication system, including entity A and entity B, where:
  • Entity A sends an authentication request message to entity B, where the authentication request message includes the result SN1 of an exclusive OR operation between PSK and the data N1 generated locally by entity A, and PSK is a key shared by entity A and entity B;
  • Entity B receives the authentication request message sent by entity A, performs an exclusive OR operation on the SN1 in the authentication request message and PSK, processes the result of that operation according to the agreed rule, performs an exclusive OR operation with PSK again to obtain SON1, and sends SON1 to entity A in an authentication response message;
  • Entity A receives the authentication response message sent by entity B, performs an exclusive OR operation on the SON1 in the authentication response message and PSK, compares the result of that operation with the result of processing N1 according to the agreed rule, and determines from the comparison result whether entity B is legal.
  • FIG. 1 is a flowchart of an entity authentication method in an embodiment of the present application.
  • FIG. 2 is a schematic diagram of an entity authentication method in an embodiment of the present application.
  • FIG. 3 is a flowchart of an entity authentication method according to another embodiment of the present application.
  • FIG. 4 is a structural diagram of an entity authentication apparatus in an embodiment of the present application.
  • FIG. 5 is a structural diagram of an entity authentication apparatus according to another embodiment of the present application.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS: The entity authentication method, apparatus and system provided by the present application are described in more detail below with reference to the accompanying drawings and embodiments.
  • The present application provides a lightweight entity authentication method, apparatus and system.
  • The entity authentication method provided by the embodiment of the present application includes the following steps. Step 1: Entity A sends an authentication request message to entity B, where the authentication request message includes the result SN1 of an exclusive OR operation between PSK and the data N1 generated locally by entity A, and PSK is a key shared by A and B;
  • A key is shared between entity A and entity B. This embodiment calls it the pre-shared key (PSK).
  • The XOR operations mentioned in the embodiments of the present application all refer to bitwise XOR operations.
  • The data N1 generated locally by entity A is a random number generated by entity A; it may of course also be data generated locally by entity A by other methods.
  • Step 2: Entity B receives the authentication request message sent by entity A, performs an exclusive OR operation on the SN1 in the authentication request message and PSK, processes the result of that operation according to the agreed rule, performs an exclusive OR operation with PSK again to obtain SON1, and sends SON1 to entity A in an authentication response message;
  • After receiving the authentication request message sent by entity A, entity B obtains SN1 from the authentication request message, calculates SN1 ⊕ PSK, and processes the result of SN1 ⊕ PSK according to the agreed rule. The agreed rule is an operation rule that entity A and entity B have agreed on and that both parties must apply identically, such as a cyclic shift, adding predetermined bits at a set position, or addition with an agreed constant.
  • In this embodiment, the result of SN1 ⊕ PSK is added to O_n and then XORed with PSK again to obtain SON1, where O_n is a constant agreed by entity A and entity B.
  • Step 3: Entity A receives the authentication response message sent by entity B, performs an exclusive OR operation on the SON1 in the authentication response message and PSK, compares the result of that operation with the result of processing N1 according to the agreed rule, and determines from the comparison result whether entity B is legal.
  • the authentication result is that entity B is legal; otherwise, the authentication result is that entity B is illegal.
  • Entity B and entity A use the same agreed rule, so N1 is processed according to the agreed rule, which may be adding N1 and O_n.
  • The entity authentication method provided by the embodiment of the present application is based on the XOR operation, which is far more efficient than symmetric or asymmetric encryption and decryption operations, so that entity A completes low-overhead authentication of entity B and the method can be applied to resource-limited networks.
  • This application effectively saves computational overhead in the entity authentication process and improves the operational efficiency of the authentication process.
  • Entity A resends the authentication request message to entity B when no authentication response message from entity B is received within the preset time T1 after the authentication request message is sent;
  • If entity A has resent the authentication request message the preset number of times m and still has not received the authentication response message from entity B, entity A considers that the authentication has failed.
  • If entity A receives the authentication response message returned by entity B, the authentication result can be obtained and the authentication is not considered to have failed.
  • After step 3, the method further includes:
  • Entity A sends its authentication result for entity B to entity B in a first authentication result message; if entity A determines that entity B is legal, the authentication result message includes authentication success information; otherwise, the authentication result message includes authentication failure information.
  • In step 2, entity B resends the authentication response message to entity A when the first authentication result message from entity A is not received within the preset time T3 after the authentication response message is sent.
  • If entity B has resent the authentication response message the preset number of times q and still has not received the first authentication result message from entity A, entity B considers that the authentication has failed; if the first authentication result message is received, the authentication result can be obtained and the authentication is not considered to have failed.
  • For authentication between entities, some scenarios need only one-way authentication and some scenarios require two-way authentication.
  • To achieve low-overhead two-way authentication between entity A and entity B, the data N2 generated by entity B is XORed with PSK to obtain SN2, and the authentication response message that entity B sends to entity A also includes SN2.
  • The data N2 generated by entity B is a random number generated by entity B.
  • Entity B can also generate the local data by other methods. As shown in FIG. 3, the method further includes:
  • Step 4: Entity A performs an exclusive OR operation on the SN2 in the received authentication response message and PSK, processes the result of that operation according to the agreed rule, performs an exclusive OR operation with PSK again to obtain SON2, and sends SON2 to entity B in an authentication response confirmation message;
  • Step 5: Entity B receives the authentication response confirmation message sent by entity A, performs an exclusive OR operation on the SON2 in the authentication response confirmation message and PSK, compares the result of that operation with the result of processing N2 according to the agreed rule, and determines from the comparison result whether entity A is legal. Specifically, if the compared values are equal, the authentication result is that entity A is legal; otherwise the authentication result is that entity A is illegal.
  • The agreed rules in steps 2 and 3 above must be the same, and the agreed rules in steps 4 and 5 must be the same.
  • The two sets of agreed rules may be the same, and of course they may also be different.
  • The agreed rule in steps 4 and 5 may also be an addition operation with O_n.
  • In step 2, when entity B does not receive the authentication response confirmation message from entity A within the preset time T2 after sending the authentication response message, entity B resends the authentication response message to entity A; if entity B has resent it the preset number of times p and still has not received the authentication response confirmation message from entity A, entity B considers that the authentication has failed.
  • The authentication response confirmation message may include entity A's authentication result for entity B, that is, it may include the first authentication result message; in that case T3 is equal to T2 and q is equal to p.
  • After step 5, the method further includes:
  • Entity B sends its authentication result for entity A to entity A in a second authentication result message; if entity B determines that entity A is legal, the authentication result message includes authentication success information; otherwise, the authentication result message includes authentication failure information;
  • In step 3, entity A resends the authentication response confirmation message to entity B when the second authentication result message from entity B is not received within the preset time T4 after the authentication response confirmation message is sent.
  • If entity A has resent the authentication response confirmation message n times and still has not received the second authentication result message from entity B, entity A considers that the authentication has failed.
  • The preset time T1 used by entity A and the preset time T2 used by entity B are set by entity A and entity B respectively, and may be the same or different.
  • T4 and T3, set by entity A and entity B, may be the same or different.
  • the result of the XOR operation with the PSK; that is, if entity B authenticates entity A, the result obtained by entity B through the exclusive OR operation is equal to the data generated locally by entity A. If entity A is not legal, entity B ignores the received authentication response confirmation message and does not perform the key calculation.
  • Calculating the session key after entity B authenticates entity A is optional; entity B calculates the session key SK only when it needs to protect session messages exchanged with entity A.
  • Entity A and entity B implement mutual authentication between entities based on pre-shared keys.
  • Entity A and entity B can also negotiate the session key between the two parties during authentication, which provides a guarantee for subsequent secure communication between the entities.
  • The present application provides a lightweight entity authentication method based entirely on the exclusive OR operation.
  • The efficiency of the exclusive OR operation is much higher than that of symmetric or asymmetric encryption and decryption operations. Therefore, the application effectively saves computational overhead in the entity authentication process.
  • The operational efficiency of the authentication process is improved, and the present application implements two-way authentication between entities based on pre-shared keys while also negotiating the session key between the two parties, which provides a guarantee for subsequent secure communication between the entities. Therefore, the present application is applicable to resource-limited networks and has advantages such as low overhead, high computational efficiency, and safe and reliable operation.
  • An entity authentication apparatus and system are also provided in the embodiments of the present application. Since the principle by which they solve the problem is similar to that of the entity authentication method, the implementation of the apparatus can refer to the implementation of the method, and repeated details are omitted here.
  • An entity authentication apparatus provided by the embodiment of the present application, as shown in FIG. 4, includes:
  • The request message sending unit 401 is configured to send an authentication request message to entity B, where the authentication request message includes the result SN1 of an exclusive OR operation between PSK and the data N1 generated locally by the entity authentication apparatus, and PSK is a key shared by the entity authentication apparatus and entity B;
  • The authentication unit 402 is configured to receive the authentication response message sent by entity B, perform an exclusive OR operation on the SON1 in the authentication response message and PSK, compare the result of that operation with the result of processing N1 according to the agreed rule, and determine from the comparison result whether entity B is legal.
  • SON1 is the result that entity B obtains by performing an exclusive OR operation on the SN1 in the received authentication request message and PSK, processing the result of that operation according to the agreed rule, and performing an exclusive OR operation with PSK again.
  • The request message sending unit 401 resends the authentication request message to entity B when the authentication response message from entity B is not received within the preset time T1 after sending the authentication request message; the apparatus further includes a first failure determining unit 403, configured to consider the authentication failed when the authentication response message from entity B has still not been received after the preset number of retransmissions m.
  • The apparatus further includes a confirmation message sending unit 404, configured to perform an exclusive OR operation on the SN2 in the authentication response message and PSK, process the result of that operation according to the agreed rule, perform an exclusive OR operation with PSK again to obtain SON2, and send SON2 to entity B in an authentication response confirmation message, where SN2 is the result obtained by entity B performing an exclusive OR operation on its own generated data N2 and PSK.
  • The confirmation message sending unit 404 resends the authentication response confirmation message to entity B when the second authentication result message from entity B is not received within the preset time T4 after the authentication response confirmation message is sent;
  • The determining unit 405 is configured to consider the authentication failed when the second authentication result message from entity B has still not been received after the authentication response confirmation message has been resent the preset number of times n.
  • The embodiment of the present application further provides another entity authentication apparatus, as shown in FIG. 5, including:
  • The request message receiving unit 501 is configured to receive an authentication request message sent by entity A, where the authentication request message includes the result SN1 of an exclusive OR operation between PSK and the data N1 generated locally by entity A, and PSK is a key shared by entity A and the entity authentication apparatus;
  • The response message sending unit 502 is configured to perform an exclusive OR operation on the SN1 in the authentication request message and PSK, process the result of that operation according to the agreed rule, perform an exclusive OR operation with PSK again to obtain SON1, and send SON1 to entity A in an authentication response message.
  • The response message sending unit 502 resends the authentication response message to entity A when the first authentication result message from entity A is not received within the preset time T3 after the authentication response message is sent; the failure determining unit 503 is configured to consider the authentication failed when the first authentication result message from entity A has still not been received after the preset number of retransmissions q.
  • The response message sending unit 502 is further configured to perform an exclusive OR operation on the data N2 generated by the entity authentication apparatus and PSK to obtain SN2, and the authentication response message sent to entity A further includes SN2; the apparatus further comprises:
  • The unit 504 is configured to receive the authentication response confirmation message sent by entity A, perform an exclusive OR operation on the SON2 in the authentication response confirmation message and PSK, compare the result of that operation with the result of processing N2 according to the agreed rule, and determine from the comparison result whether entity A is legal.
  • SON2 is the result that entity A obtains by performing an exclusive OR operation on the SN2 in the received authentication response message and PSK, processing the result of that operation according to the agreed rule, and performing an exclusive OR operation with PSK again.
  • The session key SK is calculated as SK = N1 ⊕ N2 ⊕ PSK, where N1 is the result of the exclusive OR operation on the SN1 in the authentication request message and PSK.
  • An embodiment of the present application further provides an entity authentication system, including an entity A and an entity B, where:
  • Entity A sends an authentication request message to entity B, where the authentication request message includes the result SN1 of an exclusive OR operation between PSK and the data N1 generated locally by entity A, and PSK is a key shared by entity A and entity B;
  • Entity B receives the authentication request message sent by entity A, performs an exclusive OR operation on the SN1 in the authentication request message and PSK, processes the result of that operation according to the agreed rule, performs an exclusive OR operation with PSK again to obtain SON1, and sends SON1 to entity A in an authentication response message;
  • Entity A receives the authentication response message sent by entity B, performs an exclusive OR operation on the SON1 in the authentication response message and PSK, compares the result of that operation with the result of processing N1 according to the agreed rule, and determines from the comparison result whether entity B is legal.
  • Entity A may be a reader/writer or an electronic tag in a Radio Frequency Identification (RFID) system.
  • When entity A is a reader/writer, entity B is an electronic tag; when entity A is an electronic tag, entity B is a reader/writer.
  • Entity A may also be a coordinator or a common node in an MFAN (Magnetic Field Area Network).
  • When entity A is a coordinator, entity B is a common node; when entity A is a common node, entity B is the coordinator.
  • The present application can also be applied to a Sensor Network (SN) (e.g., entity A is a cluster head node and entity B is a common node).
  • WPAN: Wireless Personal Area Network
  • The present application implements low-overhead entity authentication based on XOR operations, and its field of application is also very extensive.
  • Embodiments of the present application can be provided as a method, system, or computer program product.
  • The application can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware.
  • The application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
  • The computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction apparatus that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
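The message flow of steps 1 to 5 above, including the resend limit m and the session key SK = N1 ⊕ N2 ⊕ PSK, as an added Python example that is not part of the patent text. The 128-bit width, the wrap-around of the addition with O_n, the value of O_n, the constant-time comparison, the loss model in `deliver` and all class and function names are assumptions made for illustration.

```python
import hmac
import secrets

BITS = 128                    # assumed width of PSK, N1 and N2 (the page fixes none)
MASK = (1 << BITS) - 1
O_N = 0x5A5A5A5A              # constructed value for the agreed constant O_n


def rule(x):
    """Agreed rule of the embodiment: addition with the agreed constant O_n.
    Wrapping modulo 2**BITS is an assumption that keeps the width fixed."""
    return (x + O_N) & MASK


def equal(a, b):
    """Compare two BITS-wide values without exiting early on the first difference."""
    n = BITS // 8
    return hmac.compare_digest(a.to_bytes(n, "big"), b.to_bytes(n, "big"))


class EntityA:
    def __init__(self, psk, n1=None):
        self.psk = psk & MASK
        self.n1 = secrets.randbits(BITS) if n1 is None else n1 & MASK
        self.sk = None

    def request(self):
        """Step 1: SN1 = N1 xor PSK."""
        return self.n1 ^ self.psk

    def handle_response(self, son1, sn2):
        """Steps 3 and 4: return (entity B is legal, SON2 or None)."""
        if not equal((son1 & MASK) ^ self.psk, rule(self.n1)):
            return False, None
        n2 = (sn2 & MASK) ^ self.psk
        self.sk = self.n1 ^ n2 ^ self.psk      # SK = N1 xor N2 xor PSK
        return True, rule(n2) ^ self.psk       # SON2


class EntityB:
    def __init__(self, psk, n2=None):
        self.psk = psk & MASK
        self.n2 = secrets.randbits(BITS) if n2 is None else n2 & MASK
        self.n1 = None
        self.sk = None

    def handle_request(self, sn1):
        """Step 2: return (SON1, SN2) for the authentication response message."""
        self.n1 = (sn1 & MASK) ^ self.psk
        return rule(self.n1) ^ self.psk, self.n2 ^ self.psk

    def handle_confirmation(self, son2):
        """Step 5: check SON2; compute SK only if entity A is legal."""
        if not equal((son2 & MASK) ^ self.psk, rule(self.n2)):
            return False
        self.sk = self.n1 ^ self.n2 ^ self.psk
        return True


def deliver(message, lost, resend_limit):
    """Assumed loss model: the first `lost` transmissions time out. The sender
    resends up to `resend_limit` times, then gives up (returns None)."""
    for attempt in range(1 + resend_limit):
        if attempt >= lost:
            return message
    return None


def run_exchange(psk_a, psk_b, lost_requests=0, m=3, n1=None, n2=None):
    """Run the two-way exchange and report what each side concluded."""
    a, b = EntityA(psk_a, n1), EntityB(psk_b, n2)
    sn1 = deliver(a.request(), lost_requests, m)
    if sn1 is None:                            # m resends exhausted: A gives up
        return {"b_legal": False, "a_legal": False, "sk_shared": False}
    son1, sn2 = b.handle_request(sn1)
    b_legal, son2 = a.handle_response(son1, sn2)
    a_legal = b_legal and b.handle_confirmation(son2)
    sk_shared = a_legal and a.sk == b.sk
    return {"b_legal": b_legal, "a_legal": a_legal, "sk_shared": sk_shared}


if __name__ == "__main__":
    psk = secrets.randbits(BITS)               # constructed sample key
    print("matching PSK:  ", run_exchange(psk, psk))
    print("mismatched PSK:", run_exchange(0x0F, 0xF0, n1=0x01))
    print("request lost 4 times, m=3:", run_exchange(psk, psk, lost_requests=4))
```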

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, an apparatus and a system for entity authentication are provided in the present invention. The method comprises: an entity A sending an authentication request message to an entity B, wherein the authentication request message includes the result SN1 of an XOR operation on PSK and the data N1 generated locally by the entity A, and the PSK is a key shared by the entity A and the entity B; the entity B receiving the authentication request message sent by the entity A, performing an XOR operation on the SN1 in the authentication request message and the PSK, processing the XOR operation result according to a convention rule, performing an XOR operation again on the processed result and the PSK so as to obtain SON1, and then sending the SON1 to the entity A through an authentication response message; and the entity A receiving the authentication response message sent by the entity B, performing an XOR operation on the SON1 in the authentication response message and the PSK, comparing the result obtained by the XOR operation with the result obtained by processing the N1 according to the convention rule, and authenticating whether the entity B is legal or not according to the comparison result. According to the invention, calculation cost during the authentication process is effectively saved, and operation efficiency in the authentication process is also improved.

Description

An entity authentication method, apparatus and system

This application claims priority to Chinese Patent Application No. 201110445523.3, filed with the Chinese Patent Office on December 27, 2011 and entitled "An entity authentication method, apparatus and system", the entire contents of which are incorporated herein by reference.

TECHNICAL FIELD

The present application relates to the field of network security applications in information security technologies, and in particular to an entity authentication method, apparatus and system.

BACKGROUND OF THE INVENTION

Resource-limited wireless networks, including sensor networks (SN, Sensor Network), magnetic field area networks (MFAN, Magnetic Field Area Network) and radio frequency identification (RFID, Radio Frequency Identification) networks, have broad application prospects in military, environmental monitoring, forest fire protection, health care, logistics and other fields, and are playing an increasingly important role in these fields. Because of the wireless and broadcast nature of communication in such networks, they are vulnerable to attacks such as eavesdropping on, tampering with and forging messages, and capturing and cloning entities. Low-overhead authentication and message confidentiality mechanisms therefore need to be introduced to ensure the legitimacy of the entities in such networks and the confidentiality and integrity of communication messages.

However, current authentication methods are generally based on cryptographic operations and require the entities in the network to have the corresponding cryptographic algorithms preset, otherwise the authentication protocol cannot be executed. Moreover, even if an entity has a cryptographic algorithm preset, executing such an authentication protocol imposes computational overhead on the entities in the network; for example, authentication methods based on symmetric and asymmetric cryptographic algorithms all require the entities to perform encryption and decryption operations, which increases the resource burden on network entities.

SUMMARY OF THE INVENTION

The present application provides an entity authentication method, apparatus and system for saving computational overhead in the entity authentication process. The application provides an entity authentication method, including:
Step 1: entity A sends an authentication request message to entity B, the authentication request message containing SN1, the result of XORing data N1 generated locally by entity A with PSK, where PSK is a key shared by entity A and entity B;
Step 2: entity B receives the authentication request message sent by entity A, XORs SN1 in the authentication request message with PSK, processes the XOR result according to an agreed rule and XORs it with PSK again to obtain SON1, and sends SON1 to entity A in an authentication response message;
Step 3: entity A receives the authentication response message sent by entity B, XORs SON1 in the authentication response message with PSK, compares the XOR result with the result of processing N1 according to the agreed rule, and determines from the comparison whether entity B is legitimate.
The present application further provides an entity authentication apparatus, comprising:
a request message sending unit, configured to send an authentication request message to entity B, the authentication request message containing SN1, the result of XORing data N1 generated locally by the entity authentication apparatus with PSK, where PSK is a key shared by the entity authentication apparatus and entity B;
an authentication unit, configured to receive the authentication response message sent by entity B, XOR SON1 in the authentication response message with PSK, compare the XOR result with the result of processing N1 according to the agreed rule, and determine from the comparison whether entity B is legitimate, where SON1 is the result obtained by entity B XORing SN1 in the received authentication request message with PSK, processing the XOR result according to the agreed rule, and XORing it with PSK again.
The present application further provides another entity authentication apparatus, comprising:
a request message receiving unit, configured to receive the authentication request message sent by entity A, the authentication request message containing SN1, the result of XORing data N1 generated locally by entity A with PSK, where PSK is a key shared by entity A and the entity authentication apparatus;
a response message sending unit, configured to XOR SN1 in the authentication request message with PSK, process the XOR result according to the agreed rule and XOR it with PSK again to obtain SON1, and send SON1 to entity A in an authentication response message.
The present application further provides an entity authentication system comprising entity A and entity B, wherein:
entity A sends an authentication request message to entity B, the authentication request message containing SN1, the result of XORing data N1 generated locally by entity A with PSK, where PSK is a key shared by entity A and entity B;
entity B receives the authentication request message sent by entity A, XORs SN1 in the authentication request message with PSK, processes the XOR result according to the agreed rule and XORs it with PSK again to obtain SON1, and sends SON1 to entity A in an authentication response message;
entity A receives the authentication response message sent by entity B, XORs SON1 in the authentication response message with PSK, compares the XOR result with the result of processing N1 according to the agreed rule, and determines from the comparison whether entity B is legitimate.
The entity authentication method, apparatus and system provided by the present application have the following beneficial effects: lightweight entity authentication is achieved on the basis of XOR operations, which are far more efficient than symmetric or asymmetric encryption and decryption operations. The present application therefore effectively reduces the computational overhead of the entity authentication process and improves the efficiency of the authentication process.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a flowchart of the entity authentication method in an embodiment of the present application;
FIG. 2 is a schematic diagram of the entity authentication method in an embodiment of the present application;
FIG. 3 is a flowchart of the entity authentication method in another embodiment of the present application;
FIG. 4 is a structural diagram of the entity authentication apparatus in an embodiment of the present application;
FIG. 5 is a structural diagram of the entity authentication apparatus in another embodiment of the present application.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The entity authentication method, apparatus and system provided by the present application are described in more detail below with reference to the accompanying drawings and embodiments.
To solve the technical problems described in the background, the present application provides a lightweight entity authentication method, apparatus and system. As shown in FIG. 1 and FIG. 2, the entity authentication method provided by the embodiment of the present application comprises the following steps:
Step 1: entity A sends an authentication request message to entity B, the authentication request message containing SN1, the result of XORing data N1 generated locally by entity A with PSK, where PSK is a key shared by A and B;
In the embodiment of the present application, entity A and entity B already share a key before authentication; this embodiment calls it the pre-shared key (PSK).
Entity A can therefore XOR its locally generated data directly: SN1 = N1 ⊕ PSK, where the symbol "⊕" denotes the bitwise XOR operation, here and below. Every XOR operation mentioned in the embodiments of the present application is a bitwise XOR.
Preferably, the data N1 generated locally by entity A is a random number generated by entity A; it may of course also be data that entity A generates locally in some other way.
Step 2: entity B receives the authentication request message sent by entity A, XORs SN1 in the authentication request message with PSK, processes the XOR result according to the agreed rule and XORs it with PSK again to obtain SON1, and sends SON1 to entity A in an authentication response message;
In this embodiment, after receiving the authentication request message sent by entity A, entity B extracts SN1 from it, computes SN1 ⊕ PSK, and processes the result of SN1 ⊕ PSK according to the agreed rule. The agreed rule is an operation rule that entity A and entity B have agreed both must use identically, for example a cyclic shift, adding predetermined bits at set positions, or addition with an agreed constant. Preferably, in this embodiment the result of SN1 ⊕ PSK is added to O_n and then XORed with PSK again to obtain SON1, where O_n is a constant agreed by entity A and entity B.
Step 3: entity A receives the authentication response message sent by entity B, XORs SON1 in the authentication response message with PSK, compares the XOR result with the result of processing N1 according to the agreed rule, and determines from the comparison whether entity B is legitimate.
If the result of XORing SON1 in the authentication response message received by entity A with PSK is the same as the result of processing N1 according to the agreed rule, the authentication result is that entity B is legitimate; otherwise, the authentication result is that entity B is illegitimate.
Since entity B and entity A use the same agreed rule, processing N1 according to the agreed rule may specifically be adding N1 and O_n.
The entity authentication method provided by the embodiment of the present application is based on XOR operations, which are far more efficient than symmetric or asymmetric encryption and decryption operations, so that entity A authenticates entity B at low overhead, and the method is suitable for resource-constrained networks. The present application effectively reduces the computational overhead of the entity authentication process and improves the efficiency of the authentication process.
Preferably, in step 1, if entity A does not receive the authentication response message sent by entity B within a preset time T1 after sending the authentication request message, it resends the authentication request message to entity B;
if entity A still has not received the authentication response message sent by entity B after resending the authentication request message a preset number of times m, entity A considers the authentication to have failed.
If entity A receives the authentication response message returned by entity B, it can obtain an authentication result and does not consider the authentication to have failed.
Preferably, step 3 further comprises:
entity A sends its authentication result for entity B to entity B in a first authentication result message; if entity A determines that entity B is legitimate, the authentication result message contains authentication success information; otherwise, the authentication result message contains authentication failure information.
In that case, in step 2, if entity B does not receive the first authentication result message sent by entity A within a preset time T3 after sending the authentication response message, it resends the authentication response message to entity A;
if entity B still has not received the first authentication result message sent by entity A after resending the authentication response message a preset number of times q, entity B considers the authentication to have failed; if it receives the first authentication result message, it can obtain the authentication result and does not consider the authentication to have failed.
For authentication between entities in resource-constrained networks, some scenarios require only one-way authentication and some require mutual authentication. Preferably, building on the one-way authentication above, to achieve low-overhead mutual authentication between entity A and entity B, in step 2, when entity B receives the authentication request message sent by entity A, it XORs data N2 generated locally by entity B with PSK to obtain SN2, and the authentication response message that entity B sends to entity A further includes SN2. Preferably, the data N2 generated locally by entity B is a random number generated by entity B; entity B may of course also generate the local data in other ways. As shown in FIG. 3, the method further comprises:
Step 4: entity A XORs SN2 in the received authentication response message with PSK, processes the XOR result according to the agreed rule and XORs it with PSK again to obtain SON2, and sends SON2 to entity B in an authentication response confirmation message;
Step 5: entity B receives the authentication response confirmation message sent by entity A, XORs SON2 in the authentication response confirmation message with PSK, compares the XOR result with the result of processing N2 according to the agreed rule, and determines from the comparison whether entity A is legitimate. Specifically, if the comparison shows the two are equal, the authentication result is that entity A is legitimate; otherwise the authentication result is that entity B is illegitimate.
In this embodiment, the agreed rule in step 2 and step 3 must be the same, and the agreed rule in step 4 and step 5 must be the same. Preferably, these two agreed rules are identical, although they may also differ. Preferably, the agreed rule in step 4 and step 5 may also be addition with O_n.
Preferably, in step 2, if entity B does not receive the authentication response confirmation message sent by entity A within a preset time T2 after sending the authentication response message, it resends the authentication response message to entity A; if entity B still has not received the authentication response confirmation message sent by entity A after resending a preset number of times p, entity B considers the authentication to have failed. Further preferably, the authentication response confirmation message may include entity A's authentication result for entity B, that is, it may include the first authentication result message described above, in which case T3 equals T2 and q equals p.
Preferably, step 5 further comprises:
entity B sends its authentication result for entity A to entity A in a second authentication result message; if entity B determines that entity A is legitimate, the authentication result message contains authentication success information; otherwise, the authentication result message contains authentication failure information;
In that case, in step 3, if entity A does not receive the second authentication result message sent by entity B within a preset time T4 after sending the authentication response confirmation message, it resends the authentication response confirmation message to entity B;
if entity A still has not received the second authentication result message sent by entity B after resending the authentication response confirmation message a preset number of times n, entity A considers the authentication to have failed.
The preset time T1 used by entity A and the preset time T2 used by entity B are set by entity A and entity B respectively, and may be the same or different. Adding the message timeout and retransmission mechanism described above improves the tolerance of the communication process of the present application to packet loss. Where results are returned, T4 and T3, set by entity A and entity B, may be the same or different. There is no required relationship among the preset times mentioned above: they may be set independently to different values or set to the same value. Likewise, there is no required relationship among the preset numbers of retransmissions mentioned above: they may be set independently and may be set to different values.
Preferably, in step 3, when entity A determines that entity B is legitimate, entity A computes the session key SK shared with entity B as SK = N1 ⊕ N2 ⊕ PSK, where N2 is the result of entity A XORing SN2 in the authentication response message with PSK; that is, if entity A determines that entity B is legitimate, the result entity A obtains from this XOR operation equals the data generated locally by entity B. If entity B is not legitimate, entity A ignores the authentication response message and performs no key computation. The session key is used to protect the session messages between the two entities. Computing the session key is optional: entity A computes the session key SK only when session messages with entity B need to be protected.
In step 5, when entity B determines that entity A is legitimate, the method further comprises: entity B computes the session key SK shared with entity A as SK = N1 ⊕ N2 ⊕ PSK, where N1 is the result of entity B XORing SN1 in the authentication request message with PSK; that is, if entity B determines that entity A is legitimate, the result entity B obtains from this XOR operation equals the data generated locally by entity A. If entity A is not legitimate, entity B ignores the received authentication response confirmation message and performs no key computation. Computing the session key after entity B has determined that entity A is legitimate is optional: entity B computes the session key SK only when session messages with entity A need to be protected.
The above embodiments of the present application achieve mutual authentication between entities based on a pre-shared key. At the same time, entity A and entity B can also negotiate a session key between the two authenticating parties, which provides a safeguard for subsequent secure communication between the entities.
The present application provides a lightweight entity authentication method based entirely on XOR operations, which are far more efficient than symmetric or asymmetric encryption and decryption operations. The present application therefore effectively reduces the computational overhead of the entity authentication process and improves the efficiency of the authentication process. Because the present application achieves mutual authentication between entities based on a pre-shared key and at the same time negotiates a session key between the two authenticating parties, it provides a safeguard for subsequent secure communication between the entities. The present application is therefore suitable for resource-constrained networks and has advantages such as low overhead, high computational efficiency, and safe and reliable operation.
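The five-step mutual authentication exchange and the optional session key described above, as an added Python example that is not code from the patent. It assumes 128-bit values and the preferred agreed rule of adding O_n, with the sum reduced modulo 2^128 (the modulus, like the class and function names, is an assumption); the retransmission timers are omitted.

```python
import hmac
import secrets

WIDTH = 128                      # assumed bit length of PSK, N1 and N2
MASK = (1 << WIDTH) - 1


def agreed_rule(value, o_n):
    """Agreed rule: add the agreed constant O_n (the page's preferred choice).
    Reducing modulo 2**WIDTH is an assumption that keeps the width fixed."""
    return (value + o_n) & MASK


def same(a, b):
    """Constant-time equality of two WIDTH-bit values; out-of-range is unequal."""
    if a < 0 or b < 0 or a > MASK or b > MASK:
        return False
    n = WIDTH // 8
    return hmac.compare_digest(a.to_bytes(n, "big"), b.to_bytes(n, "big"))


class EntityA:
    def __init__(self, psk, o_n, n1=None):
        self.psk, self.o_n = psk, o_n
        # N1 is preferably a random number; a fixed value may be passed for tests.
        self.n1 = secrets.randbits(WIDTH) if n1 is None else n1
        self.session_key = None

    def request(self):
        """Step 1: SN1 = N1 xor PSK."""
        return self.n1 ^ self.psk

    def on_response(self, son1, sn2):
        """Steps 3 and 4: check B, then return SON2, or None if B is rejected."""
        if not same(son1 ^ self.psk, agreed_rule(self.n1, self.o_n)):
            return None                      # ignore the response, derive no key
        n2 = (sn2 ^ self.psk) & MASK         # equals B's N2 when B is legitimate
        self.session_key = self.n1 ^ n2 ^ self.psk   # SK = N1 xor N2 xor PSK
        return agreed_rule(n2, self.o_n) ^ self.psk


class EntityB:
    def __init__(self, psk, o_n, n2=None):
        self.psk, self.o_n = psk, o_n
        self.n2 = secrets.randbits(WIDTH) if n2 is None else n2
        self.n1 = None
        self.session_key = None

    def on_request(self, sn1):
        """Step 2: return (SON1, SN2) for the authentication response message."""
        self.n1 = (sn1 ^ self.psk) & MASK
        son1 = agreed_rule(self.n1, self.o_n) ^ self.psk
        return son1, self.n2 ^ self.psk

    def on_confirm(self, son2):
        """Step 5: A is legitimate only if SON2 xor PSK equals rule(N2)."""
        if not same(son2 ^ self.psk, agreed_rule(self.n2, self.o_n)):
            return False                     # ignore the message, derive no key
        self.session_key = self.n1 ^ self.n2 ^ self.psk
        return True


def run_exchange(psk_a, psk_b, o_n, n1=None, n2=None):
    """Run steps 1-5 in memory.
    Returns (B accepted by A, A accepted by B, SK at A, SK at B)."""
    a, b = EntityA(psk_a, o_n, n1), EntityB(psk_b, o_n, n2)
    son1, sn2 = b.on_request(a.request())
    son2 = a.on_response(son1, sn2)
    if son2 is None:
        return False, False, None, None
    a_ok = b.on_confirm(son2)
    return True, a_ok, a.session_key, b.session_key


if __name__ == "__main__":
    psk = secrets.randbits(WIDTH)            # constructed sample key
    print(run_exchange(psk, psk, o_n=1)[:2])
```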
Based on the same inventive concept, the embodiments of the present application also provide an entity authentication apparatus and system. Because the principle by which they solve the problem is similar to that of the entity authentication method, their implementation may refer to the implementation of the method, and repeated details are not described again.
An entity authentication apparatus provided by an embodiment of the present application, as shown in FIG. 4, comprises:
a request message sending unit 401, configured to send an authentication request message to entity B, the authentication request message containing SN1, the result of XORing data N1 generated locally by the entity authentication apparatus with PSK, where PSK is a key shared by the entity authentication apparatus and entity B;
an authentication unit 402, configured to receive the authentication response message sent by entity B, XOR SON1 in the authentication response message with PSK, compare the XOR result with the result of processing N1 according to the agreed rule, and determine from the comparison whether entity B is legitimate, where SON1 is the result obtained by entity B XORing SN1 in the received authentication request message with PSK, processing the XOR result according to the agreed rule, and XORing it with PSK again.
Preferably, if the request message sending unit 401 does not receive the authentication response message sent by entity B within the preset time T1 after sending the authentication request message, it resends the authentication request message to entity B; the apparatus further comprises a first failure determining unit 403, configured to consider the authentication to have failed when the authentication response message sent by entity B still has not been received after resending a preset number of times m.
Preferably, the apparatus further comprises: a confirmation message sending unit 404, which XORs SN2 in the authentication response message with PSK, processes the XOR result according to the agreed rule and XORs it with PSK again to obtain SON2, and sends SON2 to entity B in an authentication response confirmation message, where SN2 is the result obtained by entity B XORing its own locally generated data N2 with PSK.
Preferably, if the confirmation message sending unit 404 does not receive the second authentication result message sent by entity B within the preset time T4 after sending the authentication response confirmation message, it resends the authentication response confirmation message to entity B; a second failure determining unit 405 is configured to consider the authentication to have failed upon determining that the second authentication result message sent by entity B still has not been received after the authentication response confirmation message has been resent a preset number of times n.
Preferably, the authentication unit 402 is configured to compute, when it determines that entity B is legitimate, the session key SK shared with entity B as SK = N1 ⊕ N2 ⊕ PSK, where N2 is the result of XORing SN2 in the authentication response message with PSK.
An embodiment of the present application further provides another entity authentication apparatus, as shown in FIG. 5, comprising:
a request message receiving unit 501, configured to receive the authentication request message sent by entity A, the authentication request message containing SN1, the result of XORing data N1 generated locally by entity A with PSK, where PSK is a key shared by A and the entity authentication apparatus;
a response message sending unit 502, configured to XOR SN1 in the authentication request message with PSK, process the XOR result according to the agreed rule and XOR it with PSK again to obtain SON1, and send SON1 to entity A in an authentication response message.
Preferably, if the response message sending unit 502 does not receive the first authentication result message sent by entity A within the preset time T3 after sending the authentication response message, it resends the authentication response message to entity A; a failure determining unit 503 is configured to consider the authentication to have failed when the first authentication result message sent by entity A still has not been received after resending a preset number of times q.
Preferably, the response message sending unit 502 is further configured to XOR data N2 generated locally by the entity authentication apparatus with PSK to obtain SN2, and the authentication response message sent to entity A further includes SN2; the apparatus further comprises: an authentication unit 504, configured to receive the authentication response confirmation message sent by entity A, XOR SON2 in the authentication response confirmation message with PSK, compare the XOR result with the result of processing N2 according to the agreed rule, and determine from the comparison whether entity A is legitimate, where SON2 is the result obtained by entity A XORing SN2 in the received authentication response message with PSK, processing the XOR result according to the agreed rule, and XORing it with PSK again.
Preferably, when the authentication unit 504 determines that entity A is legitimate, it computes the session key SK shared with entity A as SK = N1 ⊕ N2 ⊕ PSK, where N1 is the result of XORing SN1 in the authentication request message with PSK.
本申请实施例还提供一种实体鉴别系统, 包括实体 A和实体 B, 其中,  An embodiment of the present application further provides an entity authentication system, including an entity A and an entity B, where
实体 A向实体 B发送鉴别请求消息, 所述鉴别请求消息包含实体 A本地生成的数据 N1与 PSK异或运算的结果 SN1 , PSK为实体 A和实体 B共享的密钥;  The entity A sends an authentication request message to the entity B, where the authentication request message includes the result of the X2 and the PSK XOR generated by the entity A, and the PSK is the key shared by the entity A and the entity B;
实体 B接收实体 A发送的鉴别请求消息, 将所述鉴别请求消息中的 SN1与 PSK异或 运算, 将异或运算结果按约定规则处理后再次与 PSK异或运算得到 SON1 , 将 SON1通过 鉴别响应消息发送给实体 A;  The entity B receives the authentication request message sent by the entity A, and performs an exclusive OR operation on the SN1 and the PSK in the authentication request message, and processes the result of the exclusive OR operation according to the agreed rule, and then performs an exclusive OR operation with the PSK to obtain SON1, and passes the SON1 through the authentication response. The message is sent to entity A;
实体 A接收实体 B发送的鉴别响应消息, 将所述鉴别响应消息中的 SON1与 PSK异 或运算, 将异或运算的结果与将 N1按约定规则处理后的结果比较, 根据比较结果鉴别实 体 B是否合法。  The entity A receives the authentication response message sent by the entity B, and performs an exclusive OR operation on the SON1 and the PSK in the authentication response message, compares the result of the exclusive OR operation with the result of processing the N1 according to the contract rule, and identifies the entity B according to the comparison result. is it legal.
For the specific way in which entity A and entity B authenticate each other, see the description of the embodiments above; it is not repeated here.
In the embodiments of the present application, entity A may be a reader or an electronic tag in a Radio Frequency Identification (RFID) system: when entity A is the reader, entity B is the electronic tag; when entity A is the electronic tag, entity B is the reader. Entity A may also be a coordinator or an ordinary node in a Magnetic Field Area Network (MFAN): when entity A is the coordinator, entity B is an ordinary node; when entity A is an ordinary node, entity B is the coordinator. Besides RFID and MFAN, the present application can also be used in fields such as Sensor Networks (SN) (for example, entity A is a cluster head node and entity B is an ordinary node) and Wireless Personal Area Networks (WPAN) (for example, entity A is a coordinator and entity B is a device).
In summary, the present application achieves low-overhead entity authentication based on the XOR operation, and its field of application is also very broad.
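The exchange described above, run end to end by both parties, as an added example that is not code from the patent. It covers steps 1 to 5 and the session key SK = N1 ⊕ N2 ⊕ PSK, taking the agreed rule to be addition of the constant On as in claim 6. The 128-bit value width, the wrap-around on addition, the constant-time comparison, the message dictionaries and every class and function name are assumptions made for the example.

```python
import hmac
import secrets

BITS = 128                      # assumed value width; the page does not fix one
MASK = (1 << BITS) - 1


def agreed_rule(n, o_n):
    """Agreed rule of claim 6: add the constant On (wrap mod 2**BITS is assumed)."""
    return (n + o_n) & MASK


def same(x, y):
    """Constant-time equality of two BITS-wide values; out-of-range input fails."""
    if not (0 <= x <= MASK and 0 <= y <= MASK):
        return False
    size = BITS // 8
    return hmac.compare_digest(x.to_bytes(size, "big"), y.to_bytes(size, "big"))


class EntityA:
    """Initiator, for example the reader in an RFID deployment."""

    def __init__(self, psk, o_n):
        self.psk, self.o_n = psk, o_n
        self.n1 = None
        self.sk = None

    def auth_request(self, n1=None):
        # Step 1: SN1 = N1 xor PSK, with N1 a fresh random number.
        self.n1 = secrets.randbits(BITS) if n1 is None else n1 & MASK
        return {"SN1": self.n1 ^ self.psk}

    def on_auth_response(self, msg):
        # Step 3: B is legitimate only if SON1 xor PSK equals N1 + On.
        if not same(msg["SON1"] ^ self.psk, agreed_rule(self.n1, self.o_n)):
            return None
        n2 = msg["SN2"] ^ self.psk
        self.sk = self.n1 ^ n2 ^ self.psk          # SK = N1 xor N2 xor PSK
        # Step 4: SON2 = (N2 + On) xor PSK.
        return {"SON2": agreed_rule(n2, self.o_n) ^ self.psk}


class EntityB:
    """Responder, for example the electronic tag."""

    def __init__(self, psk, o_n):
        self.psk, self.o_n = psk, o_n
        self.n1 = self.n2 = None
        self.sk = None

    def on_auth_request(self, msg, n2=None):
        # Step 2: recover N1, answer with SON1 and B's own masked nonce SN2.
        self.n1 = msg["SN1"] ^ self.psk
        self.n2 = secrets.randbits(BITS) if n2 is None else n2 & MASK
        return {"SON1": agreed_rule(self.n1, self.o_n) ^ self.psk,
                "SN2": self.n2 ^ self.psk}

    def on_auth_confirm(self, msg):
        # Step 5: A is legitimate only if SON2 xor PSK equals N2 + On.
        if not same(msg["SON2"] ^ self.psk, agreed_rule(self.n2, self.o_n)):
            return False
        self.sk = self.n1 ^ self.n2 ^ self.psk     # SK = N1 xor N2 xor PSK
        return True


def run_exchange(psk_a, psk_b, o_n, n1=None, n2=None, tamper_confirm=False):
    """Run steps 1-5 once and report what each side concluded."""
    a, b = EntityA(psk_a, o_n), EntityB(psk_b, o_n)
    request = a.auth_request(n1)
    response = b.on_auth_request(request, n2)
    confirm = a.on_auth_response(response)
    if confirm is None:                            # A rejected B; the run stops
        return {"b_legitimate": False, "a_legitimate": False,
                "sk_a": None, "sk_b": None}
    if tamper_confirm:                             # constructed fault: one bit altered in transit
        confirm = {"SON2": confirm["SON2"] ^ 1}
    a_ok = b.on_auth_confirm(confirm)
    return {"b_legitimate": True, "a_legitimate": a_ok,
            "sk_a": a.sk, "sk_b": b.sk}


if __name__ == "__main__":
    PSK = 0x000102030405060708090A0B0C0D0E0F       # constructed sample key
    print(run_exchange(PSK, PSK, o_n=1))           # both sides accept
    print(run_exchange(PSK, PSK ^ 1, o_n=1))       # mismatched PSK: A rejects B
```

The `n1` and `n2` parameters exist only to make a run reproducible; in normal use both nonces come from `secrets.randbits` and must be fresh for every run.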
Those skilled in the art should understand that embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be construed as including the preferred embodiments and all changes and modifications falling within the scope of the present application.
Obviously, those skilled in the art can make various changes and variations to the present application without departing from its spirit and scope. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their technical equivalents, the present application is also intended to include them.

Claims

1. An entity authentication method, characterized by comprising:
Step 1: entity A sends an authentication request message to entity B, the authentication request message containing SN1, the result of XORing data N1 generated locally by entity A with a PSK, the PSK being a key shared by entity A and entity B;
Step 2: entity B receives the authentication request message sent by entity A, XORs the SN1 in the authentication request message with the PSK, processes the XOR result according to an agreed rule and XORs it with the PSK again to obtain SON1, and sends SON1 to entity A in an authentication response message;
Step 3: entity A receives the authentication response message sent by entity B, XORs the SON1 in the authentication response message with the PSK, compares the result of the XOR operation with the result of processing N1 according to the agreed rule, and determines from the comparison whether entity B is legitimate.
2. The method according to claim 1, characterized in that:
in step 1, when entity A has not received the authentication response message sent by entity B within a preset time T1 after sending the authentication request message, it resends the authentication request message to entity B;
when entity A still has not received the authentication response message sent by entity B after resending a preset number of times m, entity A considers the authentication to have failed; and/or
step 3 further comprises:
entity A sends its authentication result for entity B to entity B in a first authentication result message;
then, in step 2, when entity B has not received the first authentication result message sent by entity A within a preset time T3 after sending the authentication response message, it resends the authentication response message to entity A;
if entity B still has not received the first authentication result message sent by entity A after resending a preset number of times q, entity B considers the authentication to have failed.
3. The method according to claim 1, characterized in that, in step 2, when entity B receives the authentication request message sent by entity A, the method further comprises:
XORing data N2 generated locally by entity B with the PSK to obtain SN2, the authentication response message sent by entity B to entity A then further including SN2;
in step 3, when entity A determines that entity B is legitimate, the method further comprises:
Step 4: entity A XORs the SN2 in the authentication response message with the PSK, processes the XOR result according to the agreed rule and XORs it with the PSK again to obtain SON2, and sends SON2 to entity B in an authentication response confirmation message;
Step 5: entity B receives the authentication response confirmation message sent by entity A, XORs the SON2 in the authentication response confirmation message with the PSK, compares the result of the XOR operation with the result of processing N2 according to the agreed rule, and determines from the comparison whether entity A is legitimate.
4. The method according to claim 3, characterized in that step 5 further comprises:
entity B sends its authentication result for entity A to entity A in a second authentication result message;
then, in step 3, when entity A has not received the second authentication result message sent by entity B within a preset time T4 after sending the authentication response confirmation message, it resends the authentication response confirmation message to entity B;
if entity A still has not received the second authentication result message sent by entity B after resending a preset number of times n, entity A considers the authentication to have failed.
5. The method according to claim 3, characterized in that, in step 3, when entity A determines that entity B is legitimate, the method further comprises:
entity A computes the session key SK shared with entity B, SK = N1 ⊕ N2 ⊕ PSK, where N2 is the result of entity A XORing the SN2 in the authentication response message with the PSK;
in step 5, when entity B determines that entity A is legitimate, the method further comprises:
entity B computes the session key SK shared with entity A, SK = N1 ⊕ N2 ⊕ PSK, where N1 is the result of entity B XORing the SN1 in the authentication request message with the PSK.
6. The method according to any one of claims 1 to 5, characterized in that the processing according to the agreed rule is specifically an addition with On, On being a constant agreed between entity A and entity B;
the data N1 generated locally by entity A is a random number generated by entity A;
the data N2 generated locally by entity B is a random number generated by entity B.
7. An entity authentication apparatus, characterized by comprising:
a request message sending unit, configured to send an authentication request message to entity B, the authentication request message containing SN1, the result of XORing data N1 generated locally by the entity authentication apparatus with a PSK, the PSK being a key shared by the entity authentication apparatus and entity B;
an authentication unit, configured to receive the authentication response message sent by entity B, XOR the SON1 in the authentication response message with the PSK, compare the result of the XOR operation with the result of processing N1 according to an agreed rule, and determine from the comparison whether entity B is legitimate, SON1 being the result obtained by entity B XORing the SN1 in the received authentication request message with the PSK, processing the XOR result according to the agreed rule, and XORing it with the PSK again.
8. The apparatus according to claim 7, characterized by further comprising:
a confirmation message sending unit, which XORs the SN2 in the authentication response message with the PSK, processes the XOR result according to the agreed rule and XORs it with the PSK again to obtain SON2, and sends SON2 to entity B in an authentication response confirmation message, SN2 being the result obtained by entity B XORing its locally generated data N2 with the PSK.
9. The apparatus according to claim 8, characterized in that:
the request message sending unit, when it has not received the authentication response message sent by entity B within a preset time T1 after sending the authentication request message, resends the authentication request message to entity B;
the apparatus further comprises a first failure determining unit, configured to consider the authentication to have failed when the authentication response message sent by entity B still has not been received after resending a preset number of times m;
if the confirmation message sending unit sends an authentication response confirmation message to entity B, then the confirmation message sending unit, when it has not received the second authentication result message sent by entity B within a preset time T4 after sending the authentication response confirmation message, resends the authentication response confirmation message to entity B;
the apparatus further comprises a second failure determining unit, configured to consider the authentication to have failed upon determining that the second authentication result message sent by entity B still has not been received after the authentication response confirmation message has been resent a preset number of times n.
10. The apparatus according to claim 8, characterized in that the authentication unit is further configured, when it determines that entity B is legitimate, to compute the session key SK shared with entity B, SK = N1 ⊕ N2 ⊕ PSK, where N2 is the result of XORing the SN2 in the authentication response message with the PSK.
11. An entity authentication apparatus, characterized by comprising:
a request message receiving unit, configured to receive an authentication request message sent by entity A, the authentication request message containing SN1, the result of XORing data N1 generated locally by entity A with a PSK, the PSK being a key shared by entity A and the entity authentication apparatus;
a response message sending unit, configured to XOR the SN1 in the authentication request message with the PSK, process the XOR result according to an agreed rule and XOR it with the PSK again to obtain SON1, and send SON1 to entity A in an authentication response message.
12. The apparatus according to claim 11, characterized in that the response message sending unit, when it has not received the first authentication result message sent by entity A within a preset time T3 after sending the authentication response message, resends the authentication response message to entity A;
the apparatus further comprises a failure determining unit, configured to consider the authentication to have failed when the first authentication result message sent by entity A still has not been received after resending a preset number of times q.
13. The apparatus according to claim 11, characterized in that the response message sending unit is further configured to XOR data N2 generated locally by the entity authentication apparatus with the PSK to obtain SN2, the authentication response message sent to entity A further including SN2;
the apparatus further comprises an authentication unit, configured to receive the authentication response confirmation message sent by entity A, XOR the SON2 in the authentication response confirmation message with the PSK, compare the result of the XOR operation with the result of processing N2 according to the agreed rule, and determine from the comparison whether entity A is legitimate, SON2 being the result obtained by entity A XORing the SN2 in the received authentication response message with the PSK, processing the XOR result according to the agreed rule, and XORing it with the PSK again.
14. The apparatus according to claim 13, characterized in that, when the authentication unit determines that entity A is legitimate, it computes the session key SK shared with entity A, SK = N1 ⊕ N2 ⊕ PSK, where N1 is the result of XORing the SN1 in the authentication request message with the PSK.
15. An entity authentication system, characterized by comprising entity A and entity B, wherein:
entity A sends an authentication request message to entity B, the authentication request message containing SN1, the result of XORing data N1 generated locally by entity A with a PSK, the PSK being a key shared by entity A and entity B;
entity B receives the authentication request message sent by entity A, XORs the SN1 in the authentication request message with the PSK, processes the XOR result according to an agreed rule and XORs it with the PSK again to obtain SON1, and sends SON1 to entity A in an authentication response message;
entity A receives the authentication response message sent by entity B, XORs the SON1 in the authentication response message with the PSK, compares the result of the XOR operation with the result of processing N1 according to the agreed rule, and determines from the comparison whether entity B is legitimate.
PCT/CN2012/086343 2011-12-27 2012-12-11 Method, apparatus and system for entity authentication WO2013097598A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110445523.3A CN102497273B (en) 2011-12-27 2011-12-27 A kind of method for authenticating entities and apparatus and system
CN201110445523.3 2011-12-27

Publications (1)

Publication Number Publication Date
WO2013097598A1 (en) 2013-07-04

Family

ID=46189062

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/086343 WO2013097598A1 (en) 2011-12-27 2012-12-11 Method, apparatus and system for entity authentication

Country Status (2)

Country Link
CN (1) CN102497273B (en)
WO (1) WO2013097598A1 (en)

Also Published As

Publication number Publication date
CN102497273A (en) 2012-06-13
CN102497273B (en) 2018-09-28

Similar Documents

Publication Publication Date Title
Seshadri et al. SAKE: Software attestation for key establishment in sensor networks
EP2629558B1 (en) Method and system for authenticating entity based on symmetric encryption algorithm
CN106411528B (en) Lightweight authentication key negotiation method based on implicit certificate
EP3208967B1 (en) Entity authentication method and device based on pre-shared key
CN104168267B (en) A kind of identity identifying method of access SIP security protection video monitoring systems
US20160352732A1 (en) System and Method for Continuous Authentication in Internet of Things
CN108347331A (en) The method and apparatus that T_Box equipment is securely communicated with ECU equipment in car networking system
US9047449B2 (en) Method and system for entity authentication in resource-limited network
WO2010135892A1 (en) Method and system of bidirectional authentication based on hash function
CN115442112B (en) PUF-based authentication and key negotiation method and device
WO2014201585A1 (en) Rfid bidirectional authentication method based on asymmetric key and hash function
WO2010135890A1 (en) Bidirectional authentication method and system based on symmetrical encryption algorithm
CN113972999B (en) A method and device for MACSec communication based on PSK
KR101284155B1 (en) authentication process using of one time password
JP2011504332A (en) WAPI Unicast Secret Key Negotiation Method
WO2023036348A1 (en) Encrypted communication method and apparatus, device, and storage medium
WO2012075797A1 (en) Method for secure communications between reader and radio frequency identification, reader and radio frequency identification
WO2013097598A1 (en) Method, apparatus and system for entity authentication
CN118102290A (en) Quantum attack-resistant vehicle-ground authentication method and system based on NTRU public key encryption
CN116456346A (en) A dynamic grouping RFID group tag authentication method
CN112737780B (en) A kind of electronic label ownership transfer method
KR101857048B1 (en) Entity identification method, apparatus and system
CN113141327B (en) An information processing method, device and equipment
CN119136191B (en) Lightweight encryption authentication method and related equipment for wireless sensor networks
CN119136191A (en) Lightweight encryption authentication method and related equipment for wireless sensor networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12862425

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12862425

Country of ref document: EP

Kind code of ref document: A1