LIGHTWEIGHT IDENTITY AUTHENTICATION METHOD BASED ON PHYSICAL UNCLONABLE FUNCTION
20230020947 · 2023-01-19
Assignee
Inventors
- Hanguang LUO (Zhejiang, CN)
- Tao ZOU (Zhejiang, CN)
- Shunbin LI (Zhejiang, CN)
- Qi XU (Zhejiang, CN)
- Huifeng ZHANG (Zhejiang, CN)
Cpc classification
H04L9/0866
ELECTRICITY
H04L2209/805
ELECTRICITY
International classification
H04L9/32
ELECTRICITY
H04L9/06
ELECTRICITY
Abstract
The present disclosure belongs to an identity authentication technology in network security field, and relates to a lightweight identity authentication method. The method utilizes lightweight operations of the physical unclonable function, Hash operation, XOR operation, etc. for bidirectional authentication between an authentication server and an Internet of Things resource-limited device, and particularly utilizes uniqueness of an integrated circuit (IC) physical microstructure created by the physical unclonable function in the resource-limited device in a manufacturing process to design an engineering-implementable information desynchronization recovery mechanism of two authentication parties by optimizing an interaction mode of input challenge and output response of the physical unclonable function, thereby solving the problem that the same lightweight identity authentication type solution cannot ensure forward security and resist desynchronization attack, further reducing resource cost for an identity authentication process, and effectively improving security and operation efficiency of identity authentication of the Internet of Things resource-limited device.
Claims
1. A lightweight identity authentication method based on a physical unclonable function, comprising process of device registration and process of device registration based identity authentication, wherein the process of device registration comprises: sending, by an authentication server, a random challenge string and a temporary identity identifier, which are generated by the authentication server, to a target resource-limited device; generating, by the target resource-limited device, a corresponding response string, and sending, by the target resource-limited device, the response string to the authentication server; and saving, by the authentication server, a corresponding security authentication item for the target resource-limited device according to the random challenge string, the temporary identity identifier and the response string, wherein the process of identity authentication comprises: sending, by resource-limited devices, random numbers generated by the resource-limited devices and temporary identity identifiers of the resource-limited devices to the authentication server; and then, validating, by the resource-limited devices, the authentication server sequentially according to security authentication items retrieved by the authentication server, and validating and saving, by the authentication server, a next round of authentication information to complete one-time bidirectional identity authentication.
2. The lightweight identity authentication method based on a physical unclonable function of claim 1, wherein the sending, by an authentication server further comprises: generating, by the authentication server, a random challenge string C.sub.j.sup.1 and a temporary identity identifier TID.sub.j.sup.1 for a j-th resource-limited device, and then sending, by the authentication server, the random challenge string and the temporary identity identifier to the target resource-limited device, superscripts of the random challenge string C.sub.j.sup.1 and the temporary identity identifier TID.sub.j.sup.1 representing a round of an identity authentication phase, and subscripts of the random challenge string C.sub.j.sup.1 and the temporary identity identifier TID.sub.j.sup.1 representing a serial number of the target resource-limited device.
3. The lightweight identity authentication method based on a physical unclonable function of claim 2, wherein the generating, by the target resource-limited device further comprises: receiving, by the target resource-limited device, the random challenge string C.sub.j.sup.1 and the temporary identity identifier TID.sub.j.sup.1 sent by the authentication server, saving, by the target resource-limited device, the temporary identity identifier TID.sub.j.sup.1, and then utilizing, by the target resource-limited device, the random challenge string C.sub.j.sup.1 and a physical unclonable function (PUF) unique to the target resource-limited device to generate the corresponding response string R.sub.j.sup.1, i.e., R.sub.j.sup.1=PUF(C.sub.j.sup.1); and finally, saving, by the resource-limited device, the random challenge string C.sub.j.sup.1, and sending, by the resource-limited device, the response string R.sub.j.sup.1 to the authentication server.
4. The lightweight identity authentication method based on a physical unclonable function of claim 3, wherein the saving, by the authentication server further comprises: receiving, by the authentication server, the response string R.sub.j.sup.1, and saving, by the authentication server, the corresponding security authentication item {C.sub.j.sup.1,R.sub.j.sup.1,TID.sub.j.sup.1} for the j-th resource-limited device.
5. The lightweight identity authentication method based on a physical unclonable function of claim 4, wherein the process of identity authentication further comprises: generating, by the resource-limited device, a first random number N.sub.d, computing the temporary identity identifier TID.sub.j.sup.i corresponding to the resource-limited device, and then sending the first random number N.sub.d and the temporary identity identifier TID.sub.j.sup.i to the authentication server, and a manner of obtaining the temporary identity identifier by the resource-limited device; receiving, by the authentication server, the first random number N.sub.d and the temporary identity identifier TID.sub.j.sup.i, retrieving, by the authentication server, whether there is the corresponding security authentication item in a database by means of the temporary identity identifier TID.sub.j.sup.i, and under the condition that there is the corresponding security authentication item, generating, by the authentication server, a second random number N.sub.s, and utilizing, by the authentication server, the response string in the corresponding authentication item to compute authentication information V.sub.1=h(R.sub.j.sup.i∥N.sub.s∥N.sub.d), h representing Hash operation, and ∥ being a string connection operator; and finally, sending, by the authentication server, the second random number N.sub.s and the authentication information V.sub.1 to the corresponding resource-limited device, and under the condition that there is no corresponding security authentication item, terminating, by the authentication server, this authentication process; receiving, by the resource-limited device, a message sent by the authentication server, utilizing, by the resource-limited device, the random challenge string C.sub.j.sup.i and the physical unclonable function to generate the response string R.sub.j.sup.i of a current round of security identity authentication, then computing, by the resource-limited device, corresponding authentication information V′.sub.1, comparing, by the resource-limited device, whether the authentication information V′.sub.1 is equal to the corresponding authentication information V.sub.1 received from the authentication server, and under the condition that the authentication information V′.sub.1 is unequal to the corresponding authentication information V.sub.1 received from the authentication server, terminating a current round of authentication process; and otherwise, computing, by the resource-limited device, C.sub.j.sup.i+1=h(C.sub.j.sup.i∥R.sub.j.sup.i∥N.sub.d∥N.sub.s), R.sub.j.sup.i+1=PUF(C.sub.j.sup.i+1), (R.sub.j.sup.i+1)*=R.sub.j.sup.i+1⊕C.sub.j.sup.i+1, and V.sub.2=h(C.sub.j.sup.i+1∥(R.sub.j.sup.i+1)*), and then sending, by the resource-limited device, (R.sub.j.sup.i+1)* and V.sub.2 to the authentication server; receiving, by the authentication server, the corresponding message, computing, by the authentication server, C.sub.j.sup.i+1=h(C.sub.j.sup.i∥R.sub.j.sup.i∥N.sub.d∥N.sub.s) and V′.sub.2=h(C.sub.j.sup.i+1∥(R.sub.j.sup.i+1)*), then comparing, by the authentication server, whether V′.sub.2 is equal to V.sub.2 received, and under the condition that V′.sub.2 is unequal to V.sub.2 received, terminating the current round of security identity authentication process; and otherwise, computing, by the authentication server, R.sub.j.sup.i+1=(R.sub.j.sup.i+1)*⊕C.sub.j.sup.i+1 and TID.sub.j.sup.i+1=h(TID.sub.j.sup.i∥C.sub.j.sup.i+1), saving and updating, by the authentication server, the security authentication item {C.sub.j.sup.i+1,R.sub.j.sup.i+1,TID.sub.j.sup.i+1} for next authentication; and in authentication rounds except for the first round of authentication, i.e., i>1, under the condition that the authentication request first sent by the resource-limited device in step B1 causes the authentication server to terminate the authentication process in step B2, that is, the authentication server does not retrieve the corresponding authentication item by means of the temporary identifier, directly selecting, by the resource-limited device, TID.sub.j.sup.i−1 as the temporary identity identifier of the current round, generating, by the resource-limited device, a third random number N.sub.d, and then repeating, by the resource-limited device, steps B1 to B4 to complete the authentication process.
6. The lightweight identity authentication method based on a physical unclonable function of claim 5, wherein the manner of obtaining the temporary identity identifier by the resource-limited device further comprises: when the identity authentication process is carried out for the first time, i.e., i=1, directly obtaining the temporary identity identifier TID.sub.j.sup.1 from a memory of the resource-limited device; and when the identity authentication process is not carried out for the first time, i.e., i>1, obtaining the temporary identity identifier TID.sub.j.sup.i=h(TID.sub.j.sup.i−1∥C.sub.j.sup.i) by a second temporary identity identifier TID.sub.j.sup.i−1 in a previous round of authentication and the challenge string C.sub.j.sup.i of the current round by means of Hash operation, and then sending, by the resource-limited device, the first random number N.sub.d and the temporary identity identifier TID.sub.j.sup.i to the authentication server.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0019]
[0020]
[0021]
DETAILED DESCRIPTION OF THE EMBODIMENTS
[0022] In order to make the objectives, technical solutions and technical effects of the present disclosure clearer, the present disclosure will be further described in detail below in combination with the drawings of the description.
[0023] A lightweight identity authentication method based on a physical unclonable function specifically includes two processes of device registration and identity authentication.
[0024] As shown in
[0025] step A1: generate, by the authentication server, a random challenge string C.sub.j.sup.1 and a temporary identity identifier TID.sub.j.sup.1 for a j-th resource-limited device, and then send, by the authentication server, the random challenge string and the temporary identity identifier to the target resource-limited device, superscripts of C.sub.j.sup.1 and TID.sub.j.sup.1 representing a round of an identity authentication phase, and subscripts of C.sub.j.sup.1 and TID.sub.j.sup.1 representing a serial number of the target resource-limited device;
[0026] step A2: receive, by the target resource-limited device, C.sub.j.sup.1 and TID.sub.j.sup.1 sent by the authentication server, save, by the target resource-limited device, TID.sub.j.sup.1, and then utilize, by the target resource-limited device, C.sub.j.sup.1 and a physical unclonable function (PUF) unique to the target resource-limited device to generate a corresponding response string R.sub.j.sup.1, i.e., R.sub.j.sup.1=PUF(C.sub.j.sup.1); and finally, save, by the resource-limited device, C.sub.j.sup.1, and send, by the resource-limited device, the response string R.sub.j.sup.1 to the authentication server; and
[0027] step A3: receive, by the authentication server, the response string R.sub.j.sup.1, and save, by the authentication server, the corresponding security authentication item {C.sub.j.sup.1,R.sub.j.sup.1,TID.sub.j.sup.1} for the j-th resource-limited device.
[0028] As shown in
[0029] step B1: generate, by the resource-limited device, a random number N.sub.d, compute the temporary identity identifier TID.sub.j.sup.i of the resource-limited device, and then send N.sub.d and TID.sub.j.sup.i to the authentication server;
[0030] the manner of obtaining the temporary identity identifier by the resource-limited device is divided into the following two conditions: (1) when the identity authentication process is carried out for the first time, i.e., i=1, directly obtain TID.sub.j.sup.1 from a memory of the resource-limited device; and (2) when the identity authentication process is not carried out for the first time, i.e., i>1, obtain the temporary identity identifier TID.sub.j.sup.i=h(TID.sub.j.sup.i−1∥C.sub.j.sup.i) from the temporary identity identifier TID.sub.j.sup.i−1 of the previous round of authentication and the challenge string C.sub.j.sup.i of the current round by means of Hash operation, h representing Hash operation, and ∥ being a string connection operator; in both conditions, then send, by the resource-limited device, N.sub.d and TID.sub.j.sup.i to the authentication server;
[0031] step B2, receive, by the authentication server, N.sub.d and TID.sub.j.sup.i, retrieve, by the authentication server, whether there is the corresponding security authentication item in a database by means of TID.sub.j.sup.i, and under the condition that there is the corresponding security authentication item, generate, by the authentication server, a random number N.sub.s, and utilize, by the authentication server, the response string in the corresponding authentication item to compute authentication information V.sub.1=h(R.sub.j.sup.i∥N.sub.s∥N.sub.d), and finally, send, by the authentication server, N.sub.s and V.sub.1 to the corresponding resource-limited device, and under the condition that there is no corresponding security authentication item, terminate, by the authentication server, this authentication process;
[0032] step B3, receive, by the resource-limited device, the message sent by the authentication server, utilize, by the resource-limited device, the challenge string C.sub.j.sup.i and the physical unclonable function to generate the response string R.sub.j.sup.i of the current round of security identity authentication, then compute, by the resource-limited device, the corresponding authentication information V′.sub.1=h(R.sub.j.sup.i∥N.sub.s∥N.sub.d), compare, by the resource-limited device, whether V′.sub.1 is equal to V.sub.1 received from the authentication server, and under the condition that V′.sub.1 is unequal to V.sub.1, terminate the current round of authentication process; and otherwise, compute, by the resource-limited device, C.sub.j.sup.i+1=h(C.sub.j.sup.i∥R.sub.j.sup.i∥N.sub.d∥N.sub.s), R.sub.j.sup.i+1=PUF(C.sub.j.sup.i+1), (R.sub.j.sup.i+1)*=R.sub.j.sup.i+1⊕C.sub.j.sup.i+1, and V.sub.2=h(C.sub.j.sup.i+1∥(R.sub.j.sup.i+1)*), and then send, by the resource-limited device, (R.sub.j.sup.i+1)* and V.sub.2 to the authentication server;
[0033] step B4, receive, by the authentication server, the corresponding message, compute, by the authentication server, C.sub.j.sup.i+1=h(C.sub.j.sup.i∥R.sub.j.sup.i∥N.sub.d∥N.sub.s) and V′.sub.2=h(C.sub.j.sup.i+1∥(R.sub.j.sup.i+1)*), then compare, by the authentication server, whether V′.sub.2 is equal to V.sub.2 received, and under the condition that V′.sub.2 is unequal to V.sub.2 received, terminate the current round of security identity authentication process; and otherwise, compute, by the authentication server, R.sub.j.sup.i+1=(R.sub.j.sup.i+1)*⊕C.sub.j.sup.i+1 and TID.sub.j.sup.i+1=h(TID.sub.j.sup.i∥C.sub.j.sup.i+1), save and update, by the authentication server, the security authentication item {C.sub.j.sup.i+1,R.sub.j.sup.i+1,TID.sub.j.sup.i+1} for next authentication; and
[0034] step B5, in authentication rounds other than the first round of authentication, i.e., i>1, under the condition that the authentication request first sent by the resource-limited device in step B1 causes the authentication server to terminate the authentication process in step B2, that is, the authentication server does not retrieve the corresponding authentication item by means of the temporary identifier, directly select, by the resource-limited device, TID.sub.j.sup.i−1 as the temporary identity identifier of the current round, generate, by the resource-limited device, a new random number N.sub.d, and then repeat, by the resource-limited device, steps B1 to B4 to complete the authentication process.
[0035] The present disclosure saves both the current-round and the previous-round authentication items of each resource-limited device at the authentication server side, i.e., {C.sub.j.sup.i,R.sub.j.sup.i,TID.sub.j.sup.i} and {C.sub.j.sup.i−1,R.sub.j.sup.i−1,TID.sub.j.sup.i−1}, and stores the challenge string C.sub.j.sup.i−1 and the temporary identity identifier TID.sub.j.sup.i−1 of the previous round together with the challenge string C.sub.j.sup.i of the current round in the resource-limited device. By storing authentication information differently on the authentication server side and on the resource-limited device side in this manner, in combination with the bidirectional authentication steps B1 to B5, the loss of authentication information synchronization caused by spontaneous loss or malicious blocking of authentication messages may be effectively resolved, such that DoS attacks caused by synchronization loss may be effectively resisted while the storage, computation and communication resource cost of the resource-limited device is reduced.
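As an added illustration (not code from the patent or its inventors), the following Python simulation walks through registration steps A1 to A3, authentication steps B1 to B4 and the B5 recovery path described above: a device that completes step B3 but whose final message is lost or blocked is one round ahead of the server, is refused on its next temporary identifier, falls back to TID.sub.j.sup.i−1 and C.sub.j.sup.i−1, and re-synchronizes in the following exchange. The PUF is simulated by HMAC under a per-device secret, h is SHA-256, N.sub.d and N.sub.s are 16 random bytes, and the class and function names (`Device`, `Server`, `run_round`, `demo`) are choices made for this example; none of these come from the page.

```python
"""Added simulation of registration (A1-A3), authentication (B1-B4) and the B5
desynchronization recovery. Assumptions: the PUF is HMAC under a per-device
secret standing in for the physical circuit; h is SHA-256; N_d, N_s are 16 bytes."""
import hashlib, hmac, secrets

def h(*parts):                      # Hash operation over the concatenation (||)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class SimulatedPUF:
    """Stand-in for the device's physical unclonable function (assumption)."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)
    def __call__(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Device:
    """Resource-limited device: stores C^{i-1}, TID^{i-1}, C^i (and TID^1)."""
    def __init__(self, puf):
        self.puf, self.i = puf, 0
        self.c_prev = self.tid_prev = self.c = self.tid1 = self._active = None
    def register(self, c1, tid1):   # step A2: save TID^1 and C^1, return R^1 = PUF(C^1)
        self.c, self.tid1, self.i = c1, tid1, 1
        return self.puf(c1)
    def step_b1(self, fallback=False):
        if fallback:                 # step B5: reuse the previous round's pair
            self._active = (self.c_prev, self.tid_prev)
        elif self.i == 1:            # first round: TID^1 read from memory
            self._active = (self.c, self.tid1)
        else:                        # TID^i = h(TID^{i-1} || C^i)
            self._active = (self.c, h(self.tid_prev, self.c))
        self.n_d = secrets.token_bytes(16)
        return self.n_d, self._active[1]
    def step_b3(self, n_s, v1):
        c, tid = self._active
        r = self.puf(c)                                       # R^i = PUF(C^i)
        if not hmac.compare_digest(h(r, n_s, self.n_d), v1):
            return None                                       # server not authenticated
        c_next = h(c, r, self.n_d, n_s)                       # C^{i+1}
        r_next_masked = xor(self.puf(c_next), c_next)         # (R^{i+1})* = R^{i+1} xor C^{i+1}
        self.c_prev, self.tid_prev, self.c = c, tid, c_next   # advance one round
        self.i += 1
        return r_next_masked, h(c_next, r_next_masked)        # V2 = h(C^{i+1} || (R^{i+1})*)

class Server:
    """Authentication server: current and previous item per device index j."""
    def __init__(self):
        self.items, self.pending = {}, {}   # j -> {"cur", "prev"}; j -> round in flight
    def register(self, j, device):          # steps A1 and A3
        c1, tid1 = secrets.token_bytes(32), secrets.token_bytes(32)
        self.items[j] = {"cur": (c1, device.register(c1, tid1), tid1), "prev": None}
    def step_b2(self, n_d, tid):
        for j, entry in self.items.items():  # retrieve the item by TID (current or previous)
            for item in (entry["cur"], entry["prev"]):
                if item and hmac.compare_digest(item[2], tid):
                    c, r, tid_i = item
                    n_s = secrets.token_bytes(16)
                    self.pending[j] = (c, r, tid_i, n_d, n_s)
                    return j, n_s, h(r, n_s, n_d)            # V1 = h(R^i || N_s || N_d)
        return None                                            # unknown TID: terminate
    def step_b4(self, j, r_next_masked, v2):
        c, r, tid_i, n_d, n_s = self.pending.pop(j)
        c_next = h(c, r, n_d, n_s)
        if not hmac.compare_digest(h(c_next, r_next_masked), v2):
            return False                                       # device not authenticated
        r_next = xor(r_next_masked, c_next)                    # unmask R^{i+1}
        self.items[j] = {"cur": (c_next, r_next, h(tid_i, c_next)), "prev": (c, r, tid_i)}
        return True

def run_round(server, device, drop_final_message=False):
    """One B1-B4 exchange with B5 recovery; True on mutual authentication."""
    n_d, tid = device.step_b1()
    reply = server.step_b2(n_d, tid)
    if reply is None and device.c_prev is not None:            # step B5
        n_d, tid = device.step_b1(fallback=True)
        reply = server.step_b2(n_d, tid)
    if reply is None:
        return False
    j, n_s, v1 = reply
    msg = device.step_b3(n_s, v1)
    if msg is None:
        return False
    if drop_final_message:          # constructed fault: the B3 message never arrives
        server.pending.pop(j, None)
        return False
    return server.step_b4(j, *msg)

def synchronized(server, device, j=0):
    return server.items[j]["cur"][0] == device.c   # same current challenge C^i?

def demo():
    device, server = Device(SimulatedPUF()), Server()
    server.register(0, device)
    normal = [run_round(server, device) for _ in range(3)]
    lost = run_round(server, device, drop_final_message=True)   # device now one round ahead
    desynced = not synchronized(server, device)
    recovered = run_round(server, device)                       # B5 path re-synchronizes
    return {"normal": normal, "lost": lost, "desynced": desynced,
            "recovered": recovered, "synchronized": synchronized(server, device)}
```

`demo()` returns three successful rounds, one round whose final message is dropped (the device has advanced to C.sub.j.sup.i+1 while the server still holds the round-i item), and a fifth round in which the server rejects the fresh temporary identifier, the device retries with the previous pair, and both sides end on the same item again. The server consults both its current and its previous item when retrieving by temporary identifier, and the device keeps the previous challenge and identifier, exactly the storage split the paragraph above describes; the comparisons use constant-time digests because the hashed values act as authenticators.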
[0036] In order to validate the security of the identity authentication method of the present disclosure, the method is modelled with the security protocol analysis tool AVISPA (Automated Validation of Internet Security-sensitive Protocols and Applications) and simulated with its back-end analysis tool OFMC (on-the-fly model-checker); the result proves the security of the method of the present disclosure.
[0037] The method of the present disclosure is compared with other methods of the same type, which include:
[0038] method 1, which sees literature: A. Esfahani et al., “A lightweight authentication mechanism for M2M communication in industrial IoT environment,” IEEE Int. Things J., vol. 6, no. 1, pp. 288-296, August 2017;
[0039] method 2, which sees literature: S. Kardas et al., “Puf-enhanced offline RFID security and privacy,” J. Netw. Comput. Appl., vol. 35, no. 6, pp. 2059-2067, November 2012;
[0040] method 3, which sees literature: M. Akgun and M. U. Caglayan, “Providing destructive privacy and scalability in RFID systems using PUFs,” Ad Hoc Netw., vol. 32, pp. 32-42, September 2015; and
[0041] method 4, which sees literature: P. Gope et al., “Lightweight and practical anonymous authentication protocol for RFID systems using physical unclonable functions,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 11, pp. 2831-2843, 2018.
[0042] The method of the present disclosure compares with the methods above in terms of security, operation efficiency, usability, etc., and comparison results are as follows:
TABLE 1  Comparison of the Required Security Properties (SP)

Solution name                     SP1       SP2       SP3       SP4       SP5
Method 1                          Presence  Absence   Absence   Absence   —
Method 2                          Presence  Presence  Presence  Absence   Absence
Method 3                          Presence  Presence  Presence  Absence   —
Method 4                          Presence  Presence  Presence  Presence  Limited
Method of the present disclosure  Presence  Presence  Presence  Presence  Presence

SP1: bidirectional authentication; SP2: untraceability; SP3: unclonability; SP4: forward security; and SP5: resistance to DoS attacks.
[0043] Table 1 shows comparison results of security properties between the method of the present disclosure and other methods of the same type: the solution of the present disclosure satisfies all of the basic security properties required for identity authentication, while method 4 has only limited defense against DoS attack. In method 4, several "synchronous pairs" are pre-stored in the authentication server and the resource-limited device, and one "synchronous pair" is consumed each time the authentication server and the resource-limited device are subjected to a DoS attack; therefore, once the "synchronous pairs" are exhausted, the DoS attack can no longer be resisted. In addition, pre-storing a large number of "synchronous pairs" in the resource-limited device and the authentication server additionally increases the storage cost of the resource-limited device.
TABLE 2  Comparison of the Computational Cost

Solution name                     Resource-limited device  Authentication server
Method 1                          7H + RNG                 6H + RNG
Method 2                          5H + 2P + RNG            4H + RNG
Method 3                          4H + 2P + RNG            4H + RNG
Method 4                          5H + 2P + RNG            5H + RNG
Method of the present disclosure  4H + 2P + RNG            4H + RNG
[0044] Table 2 shows comparison results of computational cost between the method of the present disclosure and other methods of the same type, where H represents one Hash operation, P represents one physical unclonable function evaluation, and RNG represents one random number generation. Taking the method of the present disclosure as an example, the resource-limited device side needs four Hash operations, two physical unclonable function evaluations and one random number generation to complete a round of identity authentication. It may be seen from Table 2 that the computational cost of the present disclosure is less than or equal to that of the other solutions of the same type.
TABLE 3  Comparison of the Other Cost

Solution name                     Storage cost of resource-limited device  Total communication cost  Synchronous recovery complexity
Method 1                          384-bit                                  1024-bit                  —
Method 2                          768-bit                                  1480-bit                  —
Method 3                          512-bit                                  896-bit                   —
Method 4                          128 + n * 64-bit                         832-bit                   O(N)
Method of the present disclosure  384-bit                                  768-bit                   O(1)
[0045] Table 3 shows comparison results of the other costs of interest between the method of the present disclosure and other methods of the same type, namely the storage cost of the resource-limited device, the total communication cost and the synchronous recovery complexity. It may be seen from Tables 1, 2 and 3 that the present disclosure effectively reduces the computational and communication cost of the two communicating parties while improving authentication security.
[0046] The present disclosure has the beneficial effects as follows:
[0047] the present disclosure utilizes lightweight operations of the PUF, the Hash operation, the XOR operation, etc. to achieve bidirectional authentication between the authentication server and the Internet of Things resource-limited device, and particularly utilizes the uniqueness of the integrated circuit (IC) physical microstructure created by the PUF in the resource-limited device during manufacturing to design an engineering-implementable information desynchronization recovery mechanism for the two authentication parties by optimizing the interaction mode of input (challenge) and output (response) of the PUF, thereby effectively solving the problem that lightweight identity authentication solutions of the same type cannot effectively ensure forward security and resist desynchronization attack, further reducing the resource cost of the resource-limited device for the identity authentication process, and effectively improving the security and operation efficiency of identity authentication of the Internet of Things resource-limited device.
[0048] It will be apparent to those skilled in the art that various modifications and variations can be made to the structure of the disclosure without departing from the scope or spirit of the disclosure. In view of the foregoing, it is intended that the present disclosure cover modifications and variations of this disclosure provided they fall within the scope of the following claims and their equivalents.