A lightweight authentication method for unmanned systems
By using a physically non-clonable function to generate a private key in the drone node and combining it with pre-set information, the security and real-time issues of identity authentication and key negotiation in drone communication networks are solved, achieving unique binding of drone nodes and efficient and secure communication.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP
- Filing Date
- 2023-12-07
- Publication Date
- 2026-06-26
AI Technical Summary
Existing UAV communication network security protocols suffer from high communication load, difficulty in meeting real-time requirements, and security vulnerabilities in ground station key generation centers during UAV node authentication and key negotiation processes, resulting in insufficient communication security for UAV nodes.
Private keys are generated using the Physically Unclonable Function (PUF) in the drone node, and the drone node is uniquely bound using a pre-defined information method, reducing interaction overhead and achieving secure registration, authentication, and communication.
This achieves unique binding of drone nodes, reduces the possibility of private key leakage and copying, reduces the overhead of identity authentication after drone takeoff, and improves computational efficiency and security strength.
Smart Images

Figure CN117675227B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of unmanned aerial vehicle (UAV) communication security technology, and in particular relates to a lightweight authentication method for unmanned systems. Background Technology
[0002] Security concerns regarding communication networks for unmanned systems, primarily focusing on UAV communication networks, have led to current research concentrating on UAV network security protocols. The two most prevalent and widely used solutions are public-key infrastructure (PKI)-based authentication key negotiation protocols and identity-based cryptograph (IBC)-based authentication key negotiation protocols.
[0003] (1) Authentication key negotiation protocol based on public key cryptography
[0004] In 2019, Verma GK et al. proposed a scheme based on short proxy signatures, which can reduce the length of signature data and computational complexity compared to other public key certificate schemes [Verma GK, Singh BB, Kumar N, et al. CB-PS: An Efficient Short Certificate-based Proxy SignatureScheme for UAVs[J]. IEEE Systems Journal, 2019, PP(99)]. In 2020, Nikooghadam M et al. designed a lightweight authentication key negotiation protocol for use in UAV networks in smart city scenarios, but its authentication phase has relatively high time overhead. [Nikooghadam M, HalehAmintoosi, Hafizulislam SK, et al. A provably secure and lightweight authentication scheme for Internet of Drones for smart city surveillance[J]. Journal of Systems Architecture, 2020.]
[0005] (2) Authentication key negotiation protocol based on identity cryptography system
[0006] In 2019, Jangirala S et al. proposed a lightweight access authentication protocol for UAV networks based on temporary credentials. This method uses hash function operations and fuzzy extraction of biometric features to generate temporary credentials, reducing the computational complexity and information volume based on IDs and other information. However, it struggles to cope with various UAV network environments. [Jangirala S, Das AK, Kumar N, et al. TCALAS: Temporal Credential-Based Anonymous LightweightAuthentication Scheme for Internet of Drones Environment[J]. IEEE Transactions on Vehicular Technology, 2019:1-1.] In 2020, Tanveer M et al. proposed a lightweight authentication key negotiation protocol for authenticated management units to access UAV data in UAV networks. This protocol uses the node's real ID, runtime ID, and extracted biometric information to authenticate the management unit's identity and employs lightweight cryptographic algorithms to encrypt communication. [Tanveer M, Zahid AH, Ahmad M, et al. LAKE-IoD: Lightweight Authenticated Key Exchange Protocol for the Internet of DroneEnvironment[J]. IEEE Access, 2020, PP(99):1-1.].
[0007] Unmanned aerial vehicle (UAV) systems have wide applications in many fields. In civilian sectors, UAVs are widely used in security, logistics, agriculture, infrastructure, disaster relief, healthcare, energy, and commerce, among others. However, the application areas, network characteristics, and payload limitations of UAV systems make them vulnerable to attacks, thus ensuring the communication security of UAV nodes is a critical issue.
[0008] To address the challenges posed by unmanned aerial vehicle (UAV) networks—characterized by open communication environments, high information security risks, stringent real-time requirements, and small payloads—Authenticated Key Agreements (AKAs) from the field of cryptography are employed. Currently, the two most prevalent and widely used schemes are authentication key agreement protocols based on Public Key Infrastructure (PKI) and Identity-Based Cryptograph (IBC).
[0009] PKI-based authentication key negotiation protocols are a recognized security protocol widely used in various applications to provide identity authentication and key negotiation services. Since these protocols typically employ public-key cryptography algorithms and rely on digital certificates to prove the legitimacy of the other party's identity, PKI-based protocols require drone nodes to verify certificates with a trusted center. This increases communication load, the number of communication rounds, and latency. This is unacceptable in the real-time requirements of drone networks.
[0010] The advantage of the authentication key negotiation protocol scheme based on the identifier cryptosystem is that the public key is uniquely identified by the identifier, and the private key of each UAV node is generated by a trusted ground station key generation center (KGC), thus enabling the ground station to perform corresponding key escrow functions. However, there is also a potential risk of the ground station key generation center abusing its keys, so it is essential to ensure that the ground station key generation center is secure and trustworthy. Summary of the Invention
[0011] The purpose of this invention is to overcome the problems of existing technologies and disclose a lightweight authentication method for unmanned systems. This invention generates a private key for a UAV node through integrated Physical Unclonable Functions (PUFs) in the UAV node, thereby achieving unique binding of the UAV node. Due to the special operating environment of UAVs, this invention uses a pre-set information method to reduce interaction overhead.
[0012] The objective of this invention is achieved through the following technical solution:
[0013] A lightweight authentication method for unmanned systems, comprising two parts: a ground station and an unmanned aerial vehicle (UAV) node;
[0014] The ground station is configured to: implement secure registration of UAV nodes under a trusted channel, and implement secure authentication and secure communication with UAV nodes under an untrusted channel;
[0015] The drone node is configured to extract its own ID from the physically unclonable function, use it as its private key, and generate a public key to complete the binding between the drone node and the physically unclonable function.
[0016] According to a preferred embodiment, the security registration includes the following steps:
[0017] (1) The ground station generates its own public-private key pair (A, PA), elliptic curve related information E, a string of symmetric keys KEY, and uses a digest algorithm to generate the digest information HA of the ground station, and extracts the identity identifier IDRA from the public key PA;
[0018] (2) The UAV node generates its own public-private key pair (B, PB) using a physically unclonable function and sends the public key PB to the ground station;
[0019] (3) The ground station receives the public key PB of the UAV node, and generates the digest information HB of the UAV node using the digest algorithm based on the public key PB and the generation information, and extracts the identity identifier IDRB from the public key PB.
[0020] (4) The ground station sends its generated public key PA, elliptic curve related information E, a string of symmetric keys KEY, digest information HA and HB, and identity identifiers IDRA and IDRB to the UAV node;
[0021] (5) The UAV node stores the ground station's public key PA, elliptic curve related information E, a string of symmetric keys KEY, digest information HA and HB, and identity identifiers IDRA and IDRB;
[0022] (6) The ground station stores its own public-private key pair (A, PA), the public key PB of the UAV node, elliptic curve related information E, a string of symmetric keys KEY, digest information HA and HB, and identity identifiers IDRA and IDRB.
[0023] According to a preferred embodiment, the security authentication includes the following steps:
[0024] (1) The UAV node generates a random number r1, elliptic curve related information E, calculates the elliptic curve point R1, and sends it to the ground station along with the identity identifier IDRB.
[0025] (2) The ground station receives the corresponding information, generates an identity identifier IDRB' using the stored information and the same algorithm. If the identity identifiers are consistent, IDRB = IDRB', then it is a secure identity identifier. Ka is calculated using R1 and the locally stored information through the key generation function.
[0026] (3) The ground station generates a random number r2, elliptic curve related information E, calculates the elliptic curve point R2, and sends it to the UAV node along with the identity identifier IDRA.
[0027] (4) When the UAV node receives the corresponding information, it generates an identity identifier IDRA' using the stored information and the same algorithm. If the identity identifiers are consistent, it is a secure identity identifier. Kb is calculated using R2 and the locally stored information through the key generation function.
[0028] (5) Take out the preset number from the storage space, encrypt it with Ka or Kb and send it to the other party. If the other party can decrypt it and compare it correctly, then the authentication is successful.
[0029] According to a preferred embodiment, the secure communication includes:
[0030] (1) The active communication node queries the stored symmetric key through the public key of the passive communication node;
[0031] (2) The active communication node encrypts the transmitted data by querying the obtained symmetric key, and then sends the encrypted information to the passive communication node;
[0032] (3) The passive communication node receives the transmitted data sent from it;
[0033] (4) The passive communication node queries the stored symmetric key through the public key of the active communication node;
[0034] (5) The passive communication node decrypts the data by querying the obtained symmetric key and parses out the received transmission data.
[0035] According to a preferred embodiment, during secure communication, the symmetric key has a preset lifespan. When the stored symmetric key is exhausted, a new symmetric key is requested from the ground station.
[0036] According to a preferred embodiment, during secure communication, either the ground station or the drone can initiate active communication.
[0037] This invention generates a private key for a drone node by integrating physically unclonable functions (PUFs) within the drone node, thus achieving unique binding of the drone node. A physically unclonable function, also known as a "hardware fingerprint," refers to a function that produces a specific response determined by the physical characteristics of a circuit under given input conditions. PUFs originate from specific physical information introduced during chip manufacturing due to process variations and other factors. This physical information is unpredictable and difficult to control during manufacturing; therefore, the output response of a physically unclonable function is unclonable, making it highly suitable for secure authentication of drone nodes.
[0038] Due to the unique operating environment of drones, this invention employs a pre-configured information method to reduce interaction overhead. Compared to digital certificates, pre-configured information requires less storage space. In the drone network environment, the trusted registration phase before takeoff is not time-sensitive; therefore, the necessary initialization work can be completed during this phase. Pre-configured information minimizes the overhead of executing authentication protocols after takeoff.
[0039] The aforementioned main solution of the present invention and its various further alternative solutions can be freely combined to form multiple solutions, all of which are solutions that can be adopted and are claimed by the present invention. Those skilled in the art, after understanding the solution of the present invention, will realize that there are many combinations based on existing technology and common knowledge, all of which are technical solutions to be protected by the present invention, and will not be exhaustively listed here.
[0040] The beneficial effects of this invention are:
[0041] (1) The present invention generates a private key for a drone node by integrating a physically unclonable function in the drone node, so as to achieve a unique binding of the drone node. The corresponding private key does not leave the drone node, which greatly reduces the possibility of being copied and the possibility of private key leakage.
[0042] (2) The present invention can minimize the overhead of executing the identity authentication protocol after the UAV takes off by pre-setting information; the present invention strengthens the security strength and increases the flexibility of the protocol by negotiating and pre-setting information, and improves the computational efficiency. Attached Figure Description
[0043] Figure 1 This is a schematic diagram illustrating the secure registration of the UAV and ground station in the method of this invention;
[0044] Figure 2 This is a schematic diagram illustrating the security authentication and secure communication between the UAV and the ground station in the method of this invention. Detailed Implementation
[0045] The following specific examples illustrate the implementation of the present invention. Those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention can also be implemented or applied through other different specific embodiments, and various details in this specification can also be modified or changed based on different viewpoints and applications without departing from the spirit of the present invention. It should be noted that, unless otherwise specified, the following embodiments and features described therein can be combined with each other.
[0046] It should be noted that similar labels and letters in the following figures indicate similar items. Therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures.
[0047] In the description of this invention, it should be noted that the terms "center," "upper," "lower," "left," "right," "vertical," "horizontal," "inner," and "outer," etc., indicate the orientation or positional relationship based on the orientation or positional relationship shown in the accompanying drawings, or the orientation or positional relationship commonly used when the product of this invention is in use. They are only for the convenience of describing this invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation, and therefore should not be construed as a limitation of this invention. In addition, the terms "first," "second," "third," etc., are only used to distinguish descriptions and should not be construed as indicating or implying relative importance.
[0048] Furthermore, terms such as "horizontal," "vertical," and "sag" do not imply that components must be absolutely horizontal or suspended, but rather that they can be slightly tilted. For example, "horizontal" simply means that its direction is more horizontal relative to "vertical," and does not mean that the structure must be completely horizontal, but can be slightly tilted.
[0049] In the description of this invention, it should also be noted that, unless otherwise explicitly specified and limited, the terms "set," "install," "connect," and "link" should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral connection; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; and they can refer to the internal connection of two components. Those skilled in the art can understand the specific meaning of the above terms in this invention based on the specific circumstances.
[0050] Furthermore, it should be noted that, unless otherwise specified, the structures, connections, positions, power sources, etc. involved in this invention are all things that a person skilled in the art can know without creative effort based on the prior art.
[0051] Example 1:
[0052] refer to Figure 1 and Figure 2 As shown in the figure, a lightweight authentication method for unmanned systems is illustrated, which includes two parts: a ground station and an unmanned aerial vehicle (UAV) node.
[0053] The ground station is configured to: securely register UAV nodes under a trusted channel, and securely authenticate and communicate with UAV nodes under an untrusted channel. The ground station stores its own public-private key pair (A, PA), the UAV node's public key PB, elliptic curve information E, a symmetric key KEY, digest information HA and HB, and identity identifiers IDRA and IDRB.
[0054] The UAV node is configured to extract its own ID from a physically unclonable function (PHF), use it as its private key B, and generate a public key PB, thereby binding the UAV node to the PHF. The public key PB is sent to the ground station for storage; the UAV node's private key B exists only within the UAV node itself. The UAV node stores the ground station's public key PA, elliptic curve information E, a symmetric key KEY, digest information HA and HB, and identity identifiers IDRA and IDRB.
[0055] Preferably, the security registration process is conducted in a secure environment, and the security registration includes the following steps:
[0056] (1) The ground station generates its own public-private key pair (A, PA), elliptic curve related information E, a string of symmetric keys KEY, and uses a digest algorithm to generate the digest information HA of the ground station, and extracts the identity identifier IDRA from the public key PA;
[0057] (2) The UAV node generates its own public-private key pair (B, PB) using a physically unclonable function and sends the public key PB to the ground station;
[0058] (3) The ground station receives the public key PB of the UAV node, and generates the digest information HB of the UAV node using the digest algorithm based on the public key PB and the generation information, and extracts the identity identifier IDRB from the public key PB.
[0059] (4) The ground station sends its generated public key PA, elliptic curve related information E, a string of symmetric keys KEY, digest information HA and HB, and identity identifiers IDRA and IDRB to the UAV node;
[0060] (5) The UAV node stores the ground station's public key PA, elliptic curve related information E, a string of symmetric keys KEY, digest information HA and HB, and identity identifiers IDRA and IDRB;
[0061] (6) The ground station stores its own public-private key pair (A, PA), the public key PB of the UAV node, elliptic curve related information E, a string of symmetric keys KEY, digest information HA and HB, and identity identifiers IDRA and IDRB.
[0062] Preferably, the security authentication includes the following steps:
[0063] (1) The UAV node generates a random number r1, elliptic curve related information E, calculates the elliptic curve point R1, and sends it to the ground station along with the identity identifier IDRB.
[0064] (2) The ground station receives the corresponding information, generates an identity identifier IDRB' using the stored information and the same algorithm. If the identity identifiers are consistent, IDRB = IDRB', then it is a secure identity identifier. Ka is calculated using R1 and the locally stored information through the key generation function.
[0065] (3) The ground station generates a random number r2, elliptic curve related information E, calculates the elliptic curve point R2, and sends it to the UAV node along with the identity identifier IDRA.
[0066] (4) When the UAV node receives the corresponding information, it generates an identity identifier IDRA' using the stored information and the same algorithm. If the identity identifiers are consistent, it is a secure identity identifier. Kb is calculated using R2 and the locally stored information through the key generation function.
[0067] (5) Take out the preset number from the storage space, encrypt it with Ka or Kb and send it to the other party. If the other party can decrypt it and compare it correctly, then the authentication is successful.
[0068] Preferably, either the ground station or the drone can initiate active communication. The secure communication includes:
[0069] (1) The active communication node queries the stored symmetric key through the public key of the passive communication node;
[0070] (2) The active communication node encrypts the transmitted data by querying the obtained symmetric key, and then sends the encrypted information to the passive communication node;
[0071] (3) The passive communication node receives the transmitted data sent from it;
[0072] (4) The passive communication node queries the stored symmetric key through the public key of the active communication node;
[0073] (5) The passive communication node decrypts the data by querying the obtained symmetric key and parses out the received transmission data.
[0074] Furthermore, in secure communication, symmetric keys have a limited lifespan. If the stored symmetric key is exhausted, a new symmetric key is requested from the ground station.
[0075] This invention generates a drone node private key through an integrated physically unclonable function in the drone node, thereby achieving unique binding of the drone node. The corresponding private key does not leave the drone node, greatly reducing the possibility of copying and leakage. Furthermore, this invention can minimize the overhead of executing the identity authentication protocol after drone takeoff by pre-setting information. This invention strengthens security and increases protocol flexibility and improves computational efficiency by negotiating and pre-setting information simultaneously.
[0076] The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. A lightweight authentication method for unmanned systems, characterized in that, The lightweight authentication method consists of two parts: a ground station and a drone node. The ground station is configured to: implement secure registration of UAV nodes under a trusted channel, and implement secure authentication and secure communication with UAV nodes under an untrusted channel; The drone node is configured to extract its own ID from the physical unclonable function, use it as its own private key, and generate a public key to complete the binding between the drone node and the physical unclonable function. The secure registration includes the following steps: (1) The ground station generates its own public-private key pair (A, PA), elliptic curve related information E, a string of symmetric keys KEY, and uses a digest algorithm to generate the digest information HA of the ground station, and extracts the identity identifier IDRA from the public key PA; (2) The UAV node generates its own public-private key pair (B, PB) using a physically unclonable function and sends the public key PB to the ground station; (3) The ground station receives the public key PB of the UAV node, and generates the digest information HB of the UAV node using the digest algorithm based on the public key PB and the generation information, and extracts the identity identifier IDRB from the public key PB. (4) The ground station sends its generated public key PA, elliptic curve related information E, a string of symmetric keys KEY, digest information HA and HB, and identity identifiers IDRA and IDRB to the UAV node; (5) The UAV node stores the ground station's public key PA, elliptic curve related information E, a string of symmetric keys KEY, digest information HA and HB, and identity identifiers IDRA and IDRB; (6) The ground station stores its own public-private key pair (A, PA), the public key PB of the UAV node, elliptic curve related information E, a string of symmetric keys KEY, digest information HA and HB, and identity identifiers IDRA and IDRB; The secure communication includes: (1) The active communication node queries the stored symmetric key through the public key of the passive communication node; (2) The active communication node encrypts the transmitted data by querying the obtained symmetric key, and then sends the encrypted information to the passive communication node; (3) The passive communication node receives the transmitted data sent from it; (4) The passive communication node queries the stored symmetric key through the public key of the active communication node; (5) The passive communication node decrypts the data by querying the obtained symmetric key and parses out the received transmitted data; During secure communication, symmetric keys have a preset lifespan. When the stored symmetric key is exhausted, a new symmetric key is requested from the ground station.
2. The lightweight authentication method as described in claim 1, characterized in that, The security authentication includes the following steps: (1) The UAV node generates a random number r1, elliptic curve related information E, calculates the elliptic curve point R1, and sends it to the ground station along with the identity identifier IDRB. (2) The ground station receives the corresponding information and generates an identity identifier IDRB' by storing the information and using the same algorithm. If the identity identifiers are consistent, IDRB = IDRB', then it is a secure identity identifier. Ka is calculated using R1 and locally stored information via a key generation function; (3) The ground station generates a random number r2, elliptic curve related information E, calculates the elliptic curve point R2, and sends it to the UAV node along with the identity identifier IDRA. (4) When the UAV node receives the corresponding information, it generates an identity identifier IDRA' using the stored information and the same algorithm. If the identity identifiers are consistent, it is a secure identity identifier. Kb is calculated using R2 and the locally stored information through the key generation function. (5) Take out the preset number from the storage space, encrypt it with Ka or Kb and send it to the other party. If the other party can decrypt it and compare it correctly, then the authentication is successful.
3. The lightweight authentication method as described in claim 1, characterized in that, During secure communication, ground stations or drones can initiate proactive communication.