| CPC H04L 9/3278 (2013.01) [H04L 9/0643 (2013.01); H04L 9/0866 (2013.01)] | 2 Claims |

|
1. A lightweight identity authentication method based on a physical unclonable function, comprising process of device registration and process of device registration based identity authentication, wherein the process of device registration comprises:
sending, by an authentication server, a random challenge string and a temporary identity identifier, which are generated by the authentication server, to a target resource-limited device, further comprises:
generating, by the authentication server, a random challenge string $C_j^1$ and a temporary identity identifier $TID_j^1$ for a j-th resource-limited device, and then
sending, by the authentication server, the random challenge string and the temporary identity identifier to the target resource-limited device, superscripts of the random challenge string $C_j^1$ and the temporary identity identifier $TID_j^1$ representing a round of an identity authentication phase, and subscripts of the random challenge string $C_j^1$ and the temporary identity identifier $TID_j^1$ representing a serial number of the target resource-limited device;
generating, by the target resource-limited device, a corresponding response string, and sending, by the target resource-limited device, the response string to the authentication server, further comprises:
receiving, by the target resource-limited device, the random challenge string $C_j^1$ and the temporary identity identifier $TID_j^1$ sent by the authentication server, saving, by the target resource-limited device, the temporary identity identifier $TID_j^1$, and then utilizing, by the target resource-limited device, the random challenge string $C_j^1$ and a physical unclonable function (PUF) unique to the target resource-limited device to generate the corresponding response string $R_j^1$, i.e., $R_j^1 = PUF(C_j^1)$; and finally,
saving, by the resource-limited device, the random challenge string $C_j^1$ and sending, by the resource-limited device, the response string $R_j^1$ to the authentication server; and
saving, by the authentication server, a corresponding security authentication item for the target resource-limited device according to the random challenge string, the temporary identity identifier and the response string, further comprises:
receiving, by the authentication server, the corresponding string $R_j^1$, and saving, by the authentication server, the corresponding security authentication item $\{C_j^1, R_j^1, TID_j^1\}$ for the j-th resource-limited device,
wherein the process of identity authentication comprises:
sending, by resource-limited devices, random numbers generated by the resource-limited devices and temporary identity identifiers of the resource-limited devices to the authentication server;
validating, by the resource-limited devices, the authentication server sequentially according to security authentication items retrieved by the authentication server, and validating and saving, by the authentication server, a next round of authentication information to complete one-time bidirectional identity authentication,
generating, by the resource-limited device, a first random number $N_d$, computing the temporary identity identifier $TID_j^i$ corresponding to the resource-limited device, and then sending the first random number $N_d$ and the temporary identity identifier $TID_j^i$ to the authentication server, and a manner of obtaining the temporary identity identifier by the resource-limited device;
receiving, by the authentication server, the first random number $N_d$ and the temporary identity identifier $TID_j^i$, retrieving, by the authentication server, whether there is the corresponding security authentication item in a database by means of the temporary identity identifier $TID_j^i$, and under the condition that there is the corresponding security authentication item, generating, by the authentication server, a second random number $N_s$, and utilizing, by the authentication server, the response string in the corresponding authentication item to compute an authentication information $V_1 = h(R_j^i \| N_s \| N_d)$, $h$ representing Hash operation, and $\|$ being a string connection operator; and finally, sending, by the authentication server, the second random number $N_s$ and the authentication information $V_1$ to the corresponding resource-limited device, and under the condition that there is no corresponding security authentication item, terminating, by the authentication server, this authentication process;
receiving, by the resource-limited device, a message sent by the authentication server, utilizing, by the resource-limited device, the random challenge string $C_j^i$ and the physical unclonable function to generate the response string $R_j^i$ of a current round of security identity authentication, then computing, by the resource-limited device, a corresponding authentication information $V_1'$, comparing, by the resource-limited device, whether the authentication information is equal to the corresponding authentication information $V_1$ received and sent by the authentication server, and under the condition that the authentication information is unequal to the corresponding authentication information $V_1$ received and sent by the authentication server, terminating a current round of authentication process; and otherwise, computing, by the resource-limited device, $C_j^{i+1} = h(C_j^i \| R_j^i \| N_d \| N_s)$, $R_j^{i+1} = PUF(C_j^{i+1})$, $(R_j^{i+1})^* = R_j^{i+1} \oplus C_j^{i+1}$, and $V_2 = h(C_j^{i+1} \| (R_j^{i+1})^*)$, and then sending, by the resource-limited device, $(R_j^{i+1})^*$ and $V_2$ to the authentication server;
receiving, by the authentication server, the corresponding message, computing, by the authentication server, $C_j^{i+1} = h(C_j^i \| R_j^i \| N_d \| N_s)$ and $V_2' = h(C_j^{i+1} \| (R_j^{i+1})^*)$, then comparing, by the authentication server, whether $V_2'$ is equal to $V_2$ received, and under the condition that $V_2'$ is unequal to $V_2$ received, terminating the current round of security identity authentication process; and otherwise, computing, by the authentication server, $R_j^{i+1} = (R_j^{i+1})^* \oplus C_j^{i+1}$ and $TID_j^{i+1} = h(TID_j^i \| C_j^{i+1})$, saving and updating, by the authentication server, the security authentication item $\{C_j^{i+1}, R_j^{i+1}, TID_j^{i+1}\}$ for next authentication; and
in authentication rounds except for the first round of authentication, i.e., $i>1$, under the condition that the resource-limited device causes termination of the authentication process by the authentication server in step B2 by means of the request authentication information sent in step B1 for the first time, that is, the authentication server does not retrieve the corresponding authentication item by means of the temporary identifier, directly selecting, by the resource-limited device, $TID_j^{i-1}$ as the temporary identity identifier of the current round, generating, by the resource-limited device, a third random number $N_d$, and then repeating, by the resource-limited device, steps B1 to B4 to complete the authentication process.
|
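
The registration and mutual-authentication exchange recited in the claim, as an added Python sketch that is not part of the patent text. Assumptions: SHA-256 stands in for h, the PUF is simulated by HMAC over a per-device random secret, the class and method names are hypothetical, and the device rolls its stored challenge and temporary identifier forward with the same formulas the server uses.

```python
import hashlib, hmac, secrets

def h(*parts):  # h(a || b || ...); SHA-256 is an assumed choice
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Device:
    def __init__(self):
        self._silicon = secrets.token_bytes(32)  # simulated PUF: stand-in for chip variation
    def puf(self, c):
        return hmac.new(self._silicon, c, hashlib.sha256).digest()
    def register(self, c, tid):
        self.c, self.tid = c, tid      # save C^1 and TID^1
        return self.puf(c)             # R^1 = PUF(C^1)
    def request(self):
        self.nd = secrets.token_bytes(16)
        return self.nd, self.tid       # Nd, TID^i
    def respond(self, ns, v1):
        r = self.puf(self.c)
        if not hmac.compare_digest(v1, h(r, ns, self.nd)):
            return None                # V1' != V1: terminate this round
        c_next = h(self.c, r, self.nd, ns)
        r_star = xor(self.puf(c_next), c_next)
        # Assumption: device rolls its state forward the same way the server does.
        self.c, self.tid = c_next, h(self.tid, c_next)
        return r_star, h(c_next, r_star)   # (R^{i+1})*, V2

class Server:
    def __init__(self):
        self.db = {}                   # TID -> (C, R)
    def register(self, device):
        c, tid = secrets.token_bytes(32), secrets.token_bytes(32)
        self.db[tid] = (c, device.register(c, tid))
    def challenge(self, nd, tid):
        if tid not in self.db:
            return None                # no matching item: terminate
        ns = secrets.token_bytes(16)
        self.pending = (tid, nd, ns)
        return ns, h(self.db[tid][1], ns, nd)   # Ns, V1 = h(R || Ns || Nd)
    def finish(self, r_star, v2):
        tid, nd, ns = self.pending
        c, r = self.db.pop(tid)
        c_next = h(c, r, nd, ns)
        if not hmac.compare_digest(v2, h(c_next, r_star)):
            self.db[tid] = (c, r)      # V2' != V2: keep the old item, terminate
            return False
        self.db[h(tid, c_next)] = (c_next, xor(r_star, c_next))
        return True
```

After each successful round the server holds exactly one item for the device, keyed by the new temporary identifier, and the raw response never crosses the channel unmasked.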