一种基于SGX的工业物联网身份认证协议

doi:10.3969/j.issn.1671-1122.2021.06.001

摘要/Abstract

摘要：

工业物联网广泛应用于制造、物流、石油和航空等领域,为现代工业的生产运营带来了革命性的机遇。但由于工业物联网通信信道的开放性和终端设备的资源有限性,数据和控制指令传输的安全性、实时性及高效性变得尤为重要。因此,专门设计一种适用于工业物联网的认证协议十分重要。目前,大部分认证协议不能很好地抵抗来自内部的特权用户攻击,且没有实现终端节点的不可追踪性,因此,文章设计了一种基于SGX技术的工业物联网认证协议。该协议采用SGX存储主密钥,同时借助SGX内存保密的特点实现机密计算。该协议可以有效抵抗特权用户攻击和终端节点的追踪攻击。最后,文章通过AVISPA仿真工具和非形式化安全分析证明了协议的安全性,并通过性能对比分析和NS3仿真证明了协议具有更好的实用性及先进性。

关键词: 工业物联网安全, 认证协议, 机密计算, 特权用户攻击

Abstract:

Industrial internet of things is widely used in manufacturing, logistics, petroleum, aviation and other fields, which brings revolutionary opportunities for the production and operation of modern industry. However, due to the openness of the communication channel of the industrial Internet of things and the limited resources of the terminal equipment, the security, real-time and high efficiency of data and control instruction transmission are particularly important. Therefore, a secure and efficient authentication scheme for industrial Internet of things is indispensable. In recent years, most of the authentication schemes are vulnerable to privileged user attacks and terminal equipment tracking attacks. This paper designs an authentication scheme based on SGX for industrial Internet of things. The scheme uses SGX to store the master key and realizes the confidential computing by the characteristics of SGX memory confidentiality, which can effectively resist the privileged user attacks and the terminal equipment tracking attacks. Finally, the AVISPA simulation tool and the formal security analysis prove that the proposed scheme has more comprehensive security. The performance comparison and NS3 simulation prove that the scheme has better practicability and advanced nature.

Key words: industrial internet of things security, authentication scheme, confidential computing, privileged user attacks

中图分类号:

TP309

刘忻, 郭振斌, 宋宇宸. 一种基于SGX的工业物联网身份认证协议[J]. 信息网络安全, 2021, 21(6): 1-10.

LIU Xin, GUO Zhenbin, SONG Yuchen. An Authentication Scheme Based on SGX for Industrial Internet of Things[J]. Netinfo Security, 2021, 21(6): 1-10.

图/表 16

图1

表1

表2

图2

图3

图4

图5

图6

表3

表4

表5

表6

表7

表8

图7

图8

参考文献 20

[1]	HUSSAIN S, ULLAH I, KHATTAK H, et al. A Lightweight and Provable Secure Identity-based Generalized Proxy Signcryption(IBGPS) Scheme for Industrial Internet of Things(IIoT)[EB/OL]., 2021-01-18.
[2]	ZHANG Meng. Risk Analysis and Countermeasure Research of Industrial Internet of Things Security[J]. China Compute Review, 2017(4):42-50.
	张猛. 工业物联网安全风险分析及对策研究[J].中国工业评论, 2017(4):42-50.
[3]	TURKANOVIĆ M, BRUMEN B, HOELBL M. A Novel User Authentication And Key Agreement Scheme for Heterogeneous Ad Hoc Wireless Sensor Networks, Based on the Internet of Things notion[J]. Ad Hoc Neweorks, 2014,20(2):96-112.
[4]	TAI Weiliang, CHANG Yafen, LI Weihan. An IoT Notion-based Authentication and Key Agreement Scheme Ensuring User Anonymity for Heterogeneous[J]. Ad Hoc Wireless Sensor Networks, 2017,34(2):133-141.
[5]	ELDEFRAWY M H, FERRARI N, GIDLUND M. Dynamic User Authentication Protocol for Industrial IoT without Timestamping[EB/OL]. , 2019-07-11.
[6]	LI Xiong, NIU Jianwei, BHUIYAN M, et al. A Robust ECC-Based Provable Secure Authentication Protocol with Privacy Preserving for Industrial Internet of Things[J]. IEEE Transactions on Industrial Informatics, 2018,14(8):3599-3609. doi: 10.1109/TII.9424 URL
[7]	PALIWAL S. Hash-based Conditional Privacy Preserving Authentication and Key Exchange Protocol Suitable for Industrial Internet of Things[EB/OL]. , 2019-09-16.
[8]	KARATI A, ISLAM S H, KARUPPIAH M. Provably Secure and Lightweight Certificateless Signature Scheme for IIoT Environments[J]. IEEE Transactions on Industrial Informatics, 2018,14(8):3701-3711. doi: 10.1109/TII.9424 URL
[9]	ZHANG Bo, ZHU Tianqing, HU Cengyu, et al. Cryptanalysis of a Lightweight Certificateless Signature Scheme for IIOT Environments[EB/OL]. , 2018-11-27.
[10]	JANGIRALA S, KUMAR D A, MOHAMMAD W, et al. Anonymous Lightweight Chaotic Map-based Authenticated Key Agreement Protocol for Industrial Internet of Things[J]. IEEE Transactions on Dependable & Secure Computing, 2020,17(6):1133-1146.
[11]	AMIN R, BISWAS G P. A Secure Light Weight Scheme for User Authentication and Key Agreement in Multi-gateway Based Wireless Sensor Networks[EB/OL]. , 2021-01-10.
[12]	HADLINGTON L, POPOVAC M, JANICKE H. Exploring the Role of Work Identity and Work Locus of Control in Information Security Awareness[J]. Computers & Security, 2019,81(1):41-48. doi: 10.1016/j.cose.2018.10.006 URL
[13]	WANG Juan, FAN Chengyang, CHENG Yueqiang, et al. Analysis and Research on SGX Technology[J]. Journal of Software, 2018,29(9):2778-2798.
	王鹃, 樊成阳, 程越强, 等. SGX技术的分析和研究[J]. 软件学报, 2018,29(9):2778-2798.
[14]	YANG Zheng, HE Jun, TIAN Yangguang, et al. Faster Authenticated Key Agreement with Perfect Forward Secrecy for Industrial Internet-of-things[J]. IEEE Transactions on Industrial Informatics, 2020,16(10):6584-6596. doi: 10.1109/TII.9424 URL
[15]	SHIM K A. A Practical Multi-user Broadcast Authentication Scheme in Wireless Sensor Networks[J]. IEEE Transactions on Information Forensics & Security, 2017,12(7):1545-1554.
[16]	CHEN Chienming, XIANG Bing, WU Tsuyang, et al. An Anonymous Mutual Authenticated Key Agreement Scheme for Wearable Sensors in Wireless Body Area Networks[EB/OL]. , 2018-07-02.
[17]	LIU Xin. Research on Authentication Scheme for Wireless Sensor Networks[D]. Lanzhou: Lanzhou University, 2019.
	刘忻. 基于无线传感器网络的身份认证协议的研究[D]. 兰州:兰州大学, 2019.
[18]	FAR H A N, BAYAT M, DAS A K, et al. LAPTAS: Lightweight Anonymous Privacy-preserving Three-factor Authentication Scheme for WSN-based IIoT[J]. Wireless Networks, 2021,27(4):1-24. doi: 10.1007/s11276-020-02437-6 URL
[19]	MO Jiaqing, CHEN Hang. A Lightweight Secure User Authentication and Key Agreement Protocol for Wireless Sensor Networks[EB/OL]. , 2019-12-16.
[20]	LUO Hanguang, WEN Guangjun, SU Jian. Lightweight Three Factor Scheme for Real-time Data Access in Wireless Sensor Networks[J]. Wireless Networks, 2020,26(2):955-970. doi: 10.1007/s11276-018-1841-x URL

操作	能耗
计算1 ms时间	$3.0\text{V}\times 8.0\text{mA}\times 1\text{ms}=0.024\text{mJ}$
发送1 bit数据	$3.0\text{V}\times 17.4\text{mA}\times \frac{1\text{bit}}{250\text{Kbps}}\approx 0.00021\text{mJ}$
接收1 bit数据	$3.0\text{V}\times 19.7\text{mA}\times \frac{1\text{bit}}{250\text{Kbps}}\approx 0.00024\text{mJ}$

符号	计算类型	用户运算时间/ms	ISN运算时间/ms
${{T}_{m}}$	点乘运算	20.23	2450
${{T}_{R}}$	生物特征模糊提取	20.23	2450
${{T}_{S}}$	对称加/解密运算	0.12	3.5
${{T}_{H}}$	哈希函数运算、$HMa{{c}_{k}}$运算、$Ve{{r}_{k}}$运算	0.03	8

安全性质	文献[18]协议	文献[19]协议	文献[20]协议	本文协议
特权用户攻击	Y	N	N	Y
追踪攻击	Y	N	Y	Y
在线猜测攻击	N	Y	Y	Y
重放攻击	N	Y	Y	Y
节点捕获攻击	Y	N	Y	Y

协议	用户开销	GWN开销	ISN开销	总开销/ms
文献[18]	$9{{T}_{H}}\text{+}{{T}_{R}}\text{+2}{{T}_{m}}$	$10{{T}_{H}}\text{+2}{{T}_{m}}$	$5{{T}_{H}}$	5080.69
文献[19]	$13{{T}_{H}}\text{+}{{T}_{R}}\text{+4}{{T}_{m}}$	$10{{T}_{H}}\text{+}{{T}_{S}}$	$5{{T}_{H}}\text{+2}{{T}_{m}}\text{+}{{T}_{S}}$	5128.54
文献[20]	$11{{T}_{H}}\text{+}{{T}_{R}}$	$11{{T}_{H}}$	$5{{T}_{H}}$	148.56
本文	$11{{T}_{H}}\text{+}{{T}_{R}}$	$14{{T}_{H}}$	$6{{T}_{H}}$	180.56

协议	用户开销/bit		GWN开销/bit		ISN开销/bit		总开销/bit
协议	发送	接收	发送	接收	发送	接收	总开销/bit
文献[18]	960	640	1440	1440	480	800	2880
文献[19]	992	704	1216	1504	512	512	2720
文献[20]	512	352	864	864	352	512	1728
本文	640	320	800	960	320	480	1760