Distributed IoT device authentication method based on lightweight messages
By utilizing the unique physical characteristics of PUF, an IoT device authentication method based on lightweight messaging and a distributed architecture solves the problem of low efficiency in large-scale IoT device authentication, achieving an efficient and reliable authentication process suitable for scenarios such as smart cities and industrial IoT.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: GUANGZHOU JIXIANG TECH CO LTD
- Filing Date: 2025-05-30
- Publication Date: 2026-06-26
AI Technical Summary
Existing IoT device authentication mechanisms are inefficient in large-scale terminal device scenarios. Asymmetric encryption is computationally complex and involves large data transmission volumes, resulting in a time-consuming authentication process that affects the response speed and resource consumption of IoT systems, thus limiting their application in large-scale scenarios.
A distributed IoT device authentication method based on lightweight messages is adopted. It utilizes the unique physical properties of Physically Unclonable Functions (PUFs) to encapsulate the transmission authentication process in a concise and efficient manner. By leveraging the uniqueness of PUFs and combining them with a distributed architecture design, the amount of data transmitted is reduced and complex asymmetric encryption operations are avoided, thereby improving authentication efficiency.
In large-scale IoT device authentication scenarios, it significantly improves authentication efficiency, reduces system load and resource consumption, enhances the real-time performance and scalability of IoT systems, and ensures fast and stable network access, making it suitable for large-scale application scenarios such as smart cities and industrial IoT.
Figure CN120710679B_ABST
Description
Technical Field
[0001] This application relates to the field of Internet of Things (IoT) communication technology, and in particular to a distributed IoT device authentication method based on lightweight messages.
Background Technology
[0002] In the Internet of Things (IoT) field, device authentication is a crucial step in ensuring network security and trusted data transmission. Existing IoT device authentication mechanisms generally employ asymmetric encryption technology between terminal devices and authentication devices, and data transmission is based on standard communication formats. While asymmetric encryption offers high security, it also involves high computational complexity and relatively large amounts of communication data.
[0003] In applications involving large numbers of terminal devices, this traditional authentication method reveals significant efficiency issues. Each terminal device requires complex asymmetric encryption calculations and transmits large amounts of authentication data, resulting in a lengthy authentication process that struggles to quickly authenticate a large number of terminal devices. This not only affects the response speed of the IoT system but also increases system load and resource consumption, limiting the widespread application of IoT technology in large-scale scenarios. Therefore, a more efficient solution suitable for authenticating large numbers of terminal devices is urgently needed.
Summary of the Invention
[0004] Based on this, the purpose of this application is to provide a distributed IoT device authentication method based on lightweight messages, so as to improve the efficiency of IoT device authentication and meet the needs of rapid authentication of large-scale IoT devices.
[0005] The distributed IoT device authentication method based on lightweight messages described in this application includes the following steps:
[0006] In response to an authentication request command, the terminal device obtains a device identifier, a PUF identifier, and a preset authentication request identifier; it then concatenates the authentication request identifier as the message type part, and the device identifier and the PUF identifier as the message payload part, into a first lightweight message and sends it to the authentication service device; wherein, the terminal device has a built-in PUF hardware module; the device identifier and the PUF identifier uniquely identify the terminal device and the PUF hardware module, respectively;
[0007] The authentication service device parses the first lightweight message. If the authentication request identifier is obtained, it requests PUF fingerprint information from the security management center based on the device identifier and the PUF identifier. The PUF fingerprint information includes PUF challenge information and a first hash value, which is obtained based on the first PUF response information. The authentication service device calculates the first verification information corresponding to the first hash value. It then concatenates the preset challenge information identifier as the message type part and the PUF challenge information as the message payload part into a second lightweight message and sends it to the terminal device.
[0008] The terminal device parses the second lightweight message. If the challenge information identifier is obtained, the PUF challenge information is input to the PUF hardware module to obtain the second PUF response information. The second verification information corresponding to the second PUF response information is calculated. The terminal device then concatenates the preset response information identifier as the message type part and the second verification information as the message payload part into a third lightweight message and sends it to the authentication service device.
[0009] The authentication service device parses the third lightweight message. If it obtains the response information identifier, it determines whether the second verification information matches the first verification information. If they match, it determines that the terminal device has passed authentication and sends the authentication success result to the security management center. The security management center sets the binding status in the binding record corresponding to the device identifier and the PUF identifier to the authentication success status. If they do not match, it determines that the terminal device has failed authentication and sends the authentication failure result to the security management center. The security management center clears the binding record corresponding to the device identifier and the PUF identifier.
[0010] This application's embodiments introduce a lightweight messaging mechanism to encapsulate and transmit key information in the authentication process in a concise and efficient manner, significantly reducing data transmission volume and communication overhead. This enables faster transmission of authentication messages across the network, effectively shortening data transmission time during the authentication process. Simultaneously, by utilizing the unique physical properties of Physically Unclonable Functions (PUFs) for authentication, complex asymmetric encryption operations are avoided, reducing computational resource consumption by terminal devices and authentication service devices, and improving authentication efficiency. Furthermore, the distributed architecture design allows authentication service devices to more rationally allocate authentication tasks and collaborate with the security management center to complete the authentication process, further enhancing authentication speed. In large-scale IoT device authentication scenarios, this application achieves a significant improvement in authentication efficiency, reduces system load and resource consumption, enhances the real-time performance and scalability of IoT systems, and ensures that large-scale terminal devices can quickly and stably access the network, providing a solid guarantee for the efficient operation of IoT technology in large-scale application scenarios such as smart cities and industrial IoT.
[0011] To better understand and implement this application, the following detailed description is provided in conjunction with the accompanying drawings.
Description of the Drawings
[0012] Figure 1 is a flowchart illustrating the distributed IoT device authentication method based on lightweight messages, as described in an embodiment of this application;
[0013] Figure 2 is a schematic diagram illustrating the steps of the authentication service device performing communication verification on the terminal device's messages in an embodiment of this application;
[0014] Figure 3 is a schematic diagram illustrating the steps of the authentication service device determining the local cache in an embodiment of this application;
[0015] Figure 4 is a schematic diagram illustrating the steps of the authentication service device determining cache priority and cache validity period in an embodiment of this application.
Detailed Description
[0016] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings. Wherein, when the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings represent the same or similar elements.
[0017] It should be understood that the embodiments described below do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without inventive effort are within the scope of protection of this application.
[0018] The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The singular forms “a,” “said,” and “the” used in this application are also intended to include the plural forms unless the context clearly indicates otherwise. Furthermore, in the description of this application, unless otherwise stated, “a plurality” means two or more. It should also be understood that the term “and/or” as used herein refers to and includes any or all possible combinations of one or more associated listed items; for example, “A and/or B” can represent: A alone, A and B together, or B alone. The character “/” generally indicates that the preceding and following objects are in an “or” relationship.
[0019] It should be understood that although the terms first, second, third, etc., may be used in this application to describe various information, this information should not be limited to these terms. These terms are only used to distinguish similar objects and are not necessarily used to describe a specific order or sequence, nor should they be construed as indicating or implying relative importance. Those skilled in the art can understand the specific meaning of the above terms in this application according to the specific circumstances. Depending on the context, the word "if" as used in this application can be interpreted as "upon," "when," or "in response to determining."
[0020] In the Internet of Things (IoT) field, device authentication is a crucial step in ensuring network security and trusted data transmission. Existing IoT device authentication mechanisms generally employ asymmetric encryption technology between terminal devices and authentication devices, and data transmission is based on standard communication formats. While asymmetric encryption offers high security, it also involves high computational complexity and relatively large amounts of communication data.
[0021] In applications involving large numbers of terminal devices, this traditional authentication method reveals significant efficiency issues. Each terminal device requires complex asymmetric encryption calculations and transmits large amounts of authentication data, resulting in a lengthy authentication process that struggles to quickly authenticate a large number of terminal devices. This not only affects the response speed of the IoT system but also increases system load and resource consumption, limiting the widespread application of IoT technology in large-scale scenarios. Therefore, a more efficient solution suitable for authenticating large numbers of terminal devices is urgently needed.
[0022] To address this, the technical concept of this application utilizes the characteristics of Physically Unclonable Functions (PUFs) combined with a lightweight message transmission method to implement a distributed IoT device authentication method. PUFs possess unique physical characteristics; the response information generated by each PUF hardware module is unique and cannot be cloned, and can be used for device identification and authentication. By encapsulating key information in the authentication process into lightweight messages for transmission, the amount of data transmitted is reduced, lowering communication overhead.
[0023] Referring to Figure 1, the distributed IoT device authentication method based on lightweight messages described in this application includes the following steps:
[0024] S101: In response to the authentication request instruction, the terminal device obtains the device identifier, the PUF identifier, and a preset authentication request identifier; it concatenates the authentication request identifier as the message type part, and the device identifier and the PUF identifier as the message payload part, into a first lightweight message and sends it to the authentication service device; wherein, the terminal device has a built-in PUF hardware module; the device identifier and the PUF identifier uniquely identify the terminal device and the PUF hardware module, respectively;
[0025] S102: The authentication service device parses the first lightweight message. If the authentication request identifier is obtained, it requests PUF fingerprint information from the security management center based on the device identifier and the PUF identifier. The PUF fingerprint information includes PUF challenge information and a first hash value, which is obtained based on the first PUF response information. The authentication service device calculates the first verification information corresponding to the first hash value. It then concatenates the preset challenge information identifier as the message type part and the PUF challenge information as the message payload part into a second lightweight message and sends it to the terminal device.
[0026] S103: The terminal device parses the second lightweight message. If the challenge information identifier is obtained, the PUF challenge information is input to the PUF hardware module to obtain the second PUF response information. The second verification information corresponding to the second PUF response information is calculated. The terminal device then concatenates the preset response information identifier as the message type part and the second verification information as the message payload part into a third lightweight message and sends it to the authentication service device.
[0027] S104: The authentication service device parses the third lightweight message. If the response information identifier is obtained, it determines whether the second verification information matches the first verification information. If they match, the terminal device is determined to have passed authentication, and an authentication success result is sent to the security management center. The security management center sets the binding status in the binding record corresponding to the device identifier and the PUF identifier to the authentication success status. If they do not match, the terminal device is determined to have failed authentication, and an authentication failure result is sent to the security management center. The security management center clears the binding record corresponding to the device identifier and the PUF identifier.
[0028] This application's embodiments introduce a lightweight messaging mechanism to encapsulate and transmit key information in the authentication process in a concise and efficient manner, significantly reducing data transmission volume and communication overhead. This enables faster transmission of authentication messages across the network, effectively shortening data transmission time during the authentication process. Simultaneously, by utilizing the unique physical properties of Physically Unclonable Functions (PUFs) for authentication, complex asymmetric encryption operations are avoided, reducing computational resource consumption by terminal devices and authentication service devices, and improving authentication efficiency. Furthermore, the distributed architecture design allows authentication service devices to more rationally allocate authentication tasks and collaborate with the security management center to complete the authentication process, further enhancing authentication speed. In large-scale IoT device authentication scenarios, this application achieves a significant improvement in authentication efficiency, reduces system load and resource consumption, enhances the real-time performance and scalability of IoT systems, and ensures that large-scale terminal devices can quickly and stably access the network, providing a solid guarantee for the efficient operation of IoT technology in large-scale application scenarios such as smart cities and industrial IoT.
[0029] In step S101, the terminal device responds to the authentication request instruction by obtaining the device identifier, the PUF identifier, and a preset authentication request identifier; it uses the authentication request identifier as the message type part, and the device identifier and the PUF identifier as the message payload part, concatenates them into a first lightweight message, and sends it to the authentication service device; wherein, the terminal device has a built-in PUF hardware module; the device identifier and the PUF identifier uniquely identify the terminal device and the PUF hardware module, respectively.
[0030] A device identifier is a specific set of information used to uniquely identify a terminal device. It can be a string of numbers, letters, or a combination thereof, similar to a device's "ID number." In an Internet of Things (IoT) system, each terminal device has a unique device identifier so that authentication service devices and other relevant components can accurately identify the device.
[0031] A PUF identifier is used to uniquely identify the PUF hardware module installed within a terminal device. The PUF hardware module generates responses based on the device's physical characteristics. Different PUF hardware modules have different physical characteristics, therefore a PUF identifier is needed to distinguish them and ensure that the corresponding PUF hardware module can be correctly associated during the authentication process.
[0032] The PUF hardware module is a hardware component based on physically unclonable function technology. It leverages unavoidable physical differences in device manufacturing processes, such as differences in transistor threshold voltages and circuit resistance, to generate a unique response when specific challenge information is input. This response information is unclonable, providing a reliable security foundation for device authentication. In this embodiment, the PUF hardware module registers the PUF challenge information and the corresponding generated response information (i.e., the first PUF response information) to the security management center during the production registration phase.
[0033] An authentication request identifier is a pre-defined identifier used in message transmission to indicate that the purpose of the message is to initiate an authentication request.
[0034] Lightweight messages refer to messages that encapsulate key information from the authentication process in a concise and efficient manner. In this embodiment, lightweight messages use a custom format. Compared to traditional authentication methods that use different message formats and transmit large amounts of data, lightweight messages in this embodiment significantly reduce data transmission volume and communication overhead. In this embodiment, the structure of a lightweight message includes at least a message type section and a message payload section.
[0035] In this step, after receiving the authentication request instruction, the terminal device retrieves the device identifier, PUF identifier, and a preset authentication request identifier from its own storage or configuration information. Then, following a predetermined message format, it concatenates the authentication request identifier as the message type part, and the device identifier and PUF identifier as the message payload part, to form a first lightweight message. The message type part identifies the purpose of the message, while the message payload carries the key information required for authentication. After concatenation, the terminal device sends the first lightweight message to the authentication service device to initiate the authentication process.
[0036] In one embodiment, step S101, where the terminal device uses the authentication request identifier as the message type part, and the device identifier and the PUF identifier as the message payload part, to concatenate a first lightweight message and send it to the authentication service device, includes:
[0037] In step S1011, the terminal device obtains the first total message length information based on the sum of the first message length information of the message payload, the second message length information of the message type, and the third message length information of the preset message length; and concatenates the authentication request identifier as the message type, the device identifier and the PUF identifier as the message payload, and the first total message length information as the message length to obtain the first lightweight message.
[0038] The message length section records the length information of the entire message. In this embodiment, the message length section is a fixed-length field in the lightweight message structure. Therefore, the fixed message length information (i.e., the third message length information) of the message length section can be predetermined for subsequent calculation of the total message length.
[0039] The first total message length information is the sum of the first message length information of the message payload section, the second message length information of the message type section, and the third message length information of the preset message length section. This information is used to determine the length of the entire first lightweight message.
[0040] In this step, the terminal device first calculates the sum of the length of the message payload (device identifier and PUF identifier) (first message length information), the length of the message type (authentication request identifier) (second message length information), and the length of the preset message length (third message length information) to obtain the first total message length information. Then, the terminal device uses the authentication request identifier as the message type, the device identifier and PUF identifier as the message payload, and the first total message length information as the message length, and concatenates these parts to form the first lightweight message.
[0041] Step S102, the step of the authentication service device parsing the first lightweight message, includes:
[0042] In step S1021, if the authentication service device parses and obtains the total length information of the first message, it determines the parsing termination bit of the first lightweight message based on the total length information of the first message; when the parsing termination bit is reached, it is determined that the parsing of the first lightweight message is completed.
[0043] When parsing the first lightweight message, if the authentication service device successfully obtains the total length information of the first message, it determines the parsing termination bit of the first lightweight message based on this length information. When the parsing reaches this termination bit, the authentication service device determines that the first lightweight message has been successfully parsed.
[0044] In summary, this embodiment transmits the total message length information by introducing a message length portion when the terminal device concatenates the first lightweight message, and uses this total message length information to determine the parsing termination bit when the authentication service device parses the message, thus achieving accurate parsing of the lightweight message. This scheme ensures the integrity and correctness of the message during transmission, avoiding authentication failures or other problems caused by message parsing errors. Furthermore, the lightweight message design reduces the amount of data in the message, improves message transmission efficiency, and lowers communication overhead, making the entire authentication process more efficient and reliable.
[0045] In one embodiment, step S103, where the terminal device uses a preset response information identifier as the message type part and the second verification information as the message payload part to concatenate a third lightweight message and send it to the authentication service device, includes:
[0046] In step S1031, the terminal device obtains the second total message length information based on the sum of the fourth message length information of the message payload, the fifth message length information of the message type, and the third message length information of the preset message length; and concatenates, in the order message type, message length, message payload, the preset response information identifier as the message type, the second total message length information as the message length, and the second verification information as the message payload, to obtain the third lightweight message.
[0047] In this step, the terminal device first calculates the sum of the length of the message payload (second verification information) (fourth message length information), the length of the message type (preset response information identifier) (fifth message length information), and the length of the preset message length (third message length information) to obtain the second total message length information. Then, the terminal device uses the preset response information identifier as the message type, the second verification information as the message payload, and the second total message length information as the message length, and concatenates these parts to form the third lightweight message.
[0048] Step S104, the step of the authentication service device parsing the third lightweight message, includes:
[0049] In step S1041, if the authentication service device parses and obtains the total length information of the second message, it determines the parsing termination bit of the third lightweight message based on the total length information of the second message; when the parsing termination bit is reached, it is determined that the parsing of the third lightweight message is complete.
[0050] In this step, when the authentication service device parses the third lightweight message, if it successfully obtains the total length information of the second message, it determines the parsing termination bit of the third lightweight message based on this length information. When this termination bit is reached, the authentication service device determines that the parsing of the third lightweight message has been completed.
[0051] In summary, this embodiment achieves accurate parsing of lightweight messages by introducing a message length portion (total length information of the second message) when the terminal device concatenates the third lightweight message, and using this length information to determine the parsing termination bit when the authentication service device parses the message. This scheme ensures the integrity and correctness of the message during transmission, avoiding authentication failures or other problems caused by message parsing errors. Furthermore, the lightweight message design reduces the amount of data in the message, improves message transmission efficiency, and lowers communication overhead, making the entire authentication process more efficient and reliable.
[0052] For step S102, the authentication service device parses the first lightweight message. If the authentication request identifier is obtained, it requests PUF fingerprint information from the security management center based on the device identifier and the PUF identifier. The PUF fingerprint information includes PUF challenge information and a first hash value. The first hash value is obtained based on the first PUF response information. The authentication service device calculates the first verification information corresponding to the first hash value. It then uses the preset challenge information identifier as the message type part and the PUF challenge information as the message payload part, concatenates them into a second lightweight message, and sends it to the terminal device.
[0053] Here, PUF fingerprint information is a collection of key information related to a specific PUF hardware module stored in the security management center. It includes PUF challenge information and the first hash value.
[0054] PUF challenge information is specific input data used to stimulate the PUF hardware module into generating a response. In this embodiment, the PUF challenge information and the corresponding first PUF response information are pre-registered in the security management center.
[0055] The first hash value is calculated using a hash algorithm based on the first PUF response information generated by the PUF hardware module during the production registration phase. This hash algorithm can map data of arbitrary length to a fixed-length hash value, exhibiting irreversibility and collision resistance, and is commonly used for data integrity verification and identity authentication. In one embodiment, the first hash value is obtained by calculating the combined value of the first PUF response information and the PUF challenge information using the SM3 cryptographic hash algorithm.
[0056] The first verification information is obtained by the authentication service device through further processing of the first hash value in the PUF fingerprint information obtained from the security management center using a specific algorithm or rule. This first verification information is used to compare with the verification information subsequently generated by the terminal device to verify the terminal device's identity.
[0057] The challenge information identifier is a pre-defined identifier used to indicate in message transmission that the message carries PUF challenge information.
[0058] In this step, after receiving the first lightweight message, the authentication service device parses it. By checking the message type section, if it determines that it is an authentication request identifier, it requests the corresponding PUF fingerprint information from the security management center based on the device identifier and PUF identifier in the message payload section. Upon receiving the request, the security management center searches for and returns the corresponding PUF fingerprint information based on the device identifier and PUF identifier, including PUF challenge information and a first hash value calculated based on the first PUF response information. After receiving the PUF fingerprint information, the authentication service device calculates the first verification information corresponding to the first hash value. Then, according to a predetermined message format, it concatenates the challenge information identifier as the message type section and the PUF challenge information as the message payload section into a second lightweight message, and sends this message to the terminal device for response.
[0059] In one embodiment, before step S102, where the authentication service device uses a preset challenge information identifier as the message type part and the PUF challenge information as the message payload part to concatenate a second lightweight message and send it to the terminal device, the process includes:
[0060] In step S1022, the authentication service device obtains the third message total length information based on the sum of the sixth message length information of the message payload, the seventh message length information of the message type, and the third message length information of the preset message length; and concatenates the message type, the message length, and the message payload with the preset challenge information identifier as the message type, the PUF challenge information as the message payload, and the third message total length information as the message length to obtain the second lightweight message.
[0061] In this step, the authentication service device first calculates the sum of the length of the message payload (PUF challenge information) (sixth message length information), the length of the message type (preset challenge information identifier) (seventh message length information), and the length of the preset message length (third message length information) to obtain the total length of the third message. Then, the authentication service device uses the preset challenge information identifier as the message type, the PUF challenge information as the message payload, and the total length of the third message as the message length, and concatenates these parts to form the second lightweight message.
[0062] Step S103, the step of parsing the second lightweight message by the terminal device, includes:
[0063] In step S1032, if the terminal device parses and obtains the total length information of the third message, it determines the parsing termination bit of the second lightweight message based on the total length information of the third message; when the parsing termination bit is reached, it is determined that the parsing of the second lightweight message is complete.
[0064] When parsing the second lightweight message, if the terminal device successfully obtains the total length information of the third message, it will determine the parsing termination bit of the second lightweight message based on this length information. When the terminal device reaches this termination bit, it determines that the second lightweight message has been successfully parsed.
[0065] This embodiment introduces a message length portion (total message length information) when the authentication service device concatenates the second lightweight message, and uses this length information to determine the parsing termination bit when the terminal device parses the message, thus achieving accurate parsing of the lightweight message. This scheme ensures the integrity and correctness of the message during transmission, avoiding authentication failures or other problems caused by message parsing errors. Simultaneously, the lightweight message design reduces the message data volume, improves message transmission efficiency, and lowers communication overhead, making the entire authentication process more efficient and reliable.
[0066] Please refer to Figure 2. In one embodiment, step S101, in which the terminal device uses the authentication request identifier as the message type part and the device identifier and the PUF identifier as the message payload part to concatenate a first lightweight message and send it to the authentication service device, includes:
[0067] In step S1012, the terminal device calculates first communication verification information based on the message type section and the message payload section using a preset communication encryption algorithm; uses the first communication verification information as the message verification section; and concatenates the message type section, the message payload section, and the message verification section to obtain the first lightweight message.
[0068] The communication encryption algorithm is used to encrypt data. It converts raw data into ciphertext through specific mathematical operations to ensure the security and integrity of the data during transmission and prevent data theft or tampering. In this embodiment, the terminal device and the authentication service device use the same communication encryption algorithm to calculate communication verification information.
[0069] The message verification section is the part of the message used to verify whether the message has been tampered with during transmission. The receiver can use this information to check the integrity of the message.
[0070] In this step, the terminal device calculates first communication verification information based on the message type section (authentication request identifier) and the message payload section (device identifier and PUF identifier) using a preset communication encryption algorithm, and uses this first communication verification information as the message verification section. Then, the terminal device concatenates the message type section, message payload section, and message verification section to form a first lightweight message, and sends it to the authentication service device.
[0071] Before step S102, where the authentication service device requests PUF fingerprint information from the security management center based on the device identifier and the PUF identifier, the procedure includes:
[0072] Step S10201: The authentication service device calculates the second communication verification information based on the message type unit and the message payload unit using the communication encryption algorithm, and determines whether the second communication verification information matches the first communication verification information.
[0073] Step S10202: If a match is found, request PUF fingerprint information from the security management center based on the device identifier and the PUF identifier;
[0074] If the second communication verification information matches the first communication verification information, it means that the first lightweight message has not been tampered with during transmission. The authentication service device requests the corresponding PUF fingerprint information from the security management center based on the device identifier and PUF identifier in the message payload.
[0075] In step S10203, if there is a mismatch, the authentication service device generates verification error information; it concatenates a fourth lightweight message with a preset error identifier as the message type part and the verification error information as the message payload part, and then sends it to the terminal device; after parsing the error identifier and the verification error information, the terminal device regenerates the first lightweight message and sends it to the authentication service device.
[0076] The error identifier is an identifier used to identify the message type. In this embodiment, it is used to identify the verification error information generated by the authentication service device so that the terminal device can quickly identify that the message is about a verification error.
[0077] In this step, if the second communication verification information does not match the first communication verification information, it indicates that the first lightweight message may have been tampered with during transmission, and the authentication service device generates verification error information. Then, the authentication service device uses a preset error identifier as the message type part and the verification error information as the message payload part to concatenate a fourth lightweight message and sends it to the terminal device. After parsing the error identifier and the verification error information, the terminal device regenerates the first lightweight message and sends it to the authentication service device.
[0078] In summary, this embodiment verifies message integrity by introducing a message verification unit into the message and using a communication encryption algorithm to calculate communication verification information. The authentication service device compares its self-calculated second communication verification information with the first communication verification information sent by the terminal device to accurately determine whether the message has been tampered with during transmission. When the verification passes, the authentication service device continues the subsequent authentication process; when the verification fails, the authentication service device generates verification error information and notifies the terminal device, which then regenerates and resends the message. This scheme effectively ensures the security and integrity of message transmission, avoiding authentication errors or security risks caused by message tampering.
[0079] It should be noted that in this embodiment, the terminal device and the authentication service device communicate using lightweight messages, following the same message format, message concatenation rules, and message parsing rules. The lightweight message includes at least a message type section and a message payload section, and can be flexibly expanded with other sections as needed; for example, in the above embodiment, a message length section and a message verification section were also added.
[0080] Please refer to Figure 3. In one embodiment, after step S102, where the authentication service device parses the first lightweight message, the process includes:
[0081] In step S102a, if the authentication service device parses and obtains the authentication request identifier, it determines whether the device identifier and the PUF fingerprint information corresponding to the PUF identifier exist in the local cache; if they exist, it determines whether the cached PUF fingerprint information is within the validity period; if it is within the validity period, the authentication service device obtains the device identifier and the PUF fingerprint information corresponding to the PUF identifier from the local cache.
[0082] The local cache is a memory area or database in the authentication service device used to temporarily store PUF fingerprint information, aiming to reduce the number of interactions with the security management center and improve authentication efficiency.
[0083] The validity period is a time range set for PUF fingerprint information. After the time range is exceeded, the PUF fingerprint information is considered invalid and needs to be obtained again.
[0084] In this step, after parsing the first lightweight message, if the authentication service device obtains the authentication request identifier, it checks whether the PUF fingerprint information corresponding to the device identifier and PUF identifier in the request is already stored in its local cache. If it exists, it further determines whether the PUF fingerprint information is valid. If it is valid, the authentication service device directly retrieves the PUF fingerprint information from its local cache, avoiding communication overhead with the security management center and improving authentication efficiency. The purpose of this step is to optimize the authentication process using a caching mechanism and reduce unnecessary network interactions.
[0085] In step S102b, if the device identifier and the PUF fingerprint information corresponding to the PUF identifier do not exist, or exist but are not within the validity period, the authentication service device generates a PUF fingerprint information acquisition request based on the device identifier and the PUF identifier, and sends the PUF fingerprint information acquisition request to the security management center.
[0086] If the PUF fingerprint information corresponding to the device identifier and PUF identifier in the request does not exist in the local cache, or if it exists but has expired, the authentication service device generates a PUF fingerprint information retrieval request based on the device identifier and PUF identifier, and sends the request to the security management center. The purpose of this step is to obtain the latest PUF fingerprint information through interaction with the security management center in the event of a cache miss or information expiration, thereby ensuring the accuracy and security of authentication.
[0087] In summary, this embodiment improves the efficiency of the authentication process by introducing a local caching mechanism in the authentication service device to manage PUF fingerprint information. When valid and corresponding PUF fingerprint information exists in the local cache, the authentication service device can directly retrieve it from the local cache, avoiding frequent interactions with the security management center and reducing network communication overhead and response time. Simultaneously, setting an expiration date for the cached PUF fingerprint information ensures the accuracy and security of the fingerprint information used, avoiding authentication errors or security risks caused by using expired information. When no valid information is available in the local cache, the authentication service device can promptly request new PUF fingerprint information from the security management center, ensuring the smooth progress of the authentication process.
[0088] Please refer to Figure 4. In one embodiment, before step S102a, where the authentication service device determines whether the cached PUF fingerprint information is within its validity period, the method further includes the step of:
[0089] Step S102a1: The authentication service device counts the access frequency of the terminal device and determines the frequency range corresponding to the access frequency; the frequency range includes a high frequency range, a medium frequency range, and a low frequency range.
[0090] Here, access frequency refers to the number of times a terminal device sends an authentication request to the authentication service device per unit of time, which is used to measure the activity level of the terminal device.
[0091] Frequency range is a series of intervals divided according to access frequency, including high frequency range, medium frequency range and low frequency range, used to distinguish the access activity of terminal devices.
[0092] In this step, the authentication service device counts the number of times the terminal device accesses the authentication service device within a certain period of time, thereby calculating the access frequency of the terminal device. Then, according to the preset classification criteria, it determines the frequency range to which the access frequency belongs, that is, whether it is in the high frequency range, mid frequency range, or low frequency range.
[0093] Step S102a2: Determine the cache priority and cache validity period of the PUF fingerprint information corresponding to the terminal device according to the frequency range; wherein the priorities of the high frequency range, the mid frequency range and the low frequency range run from high to low, and the corresponding cache validity periods run from long to short.
[0094] Here, cache priority is a parameter used to determine the storage order and retention time of PUF fingerprint information in the local cache. The higher the priority, the longer the cache retention time or the more preferential the storage location.
[0095] The cache validity period refers to the maximum time that PUF fingerprint information can be used in the local cache. After this time, the cached information is considered invalid.
[0096] In this step, the authentication service device assigns corresponding cache priorities and cache validity periods to the PUF fingerprint information corresponding to the terminal device based on the frequency range determined in step S102a1. Specifically, the PUF fingerprint information corresponding to terminal devices in the high-frequency range has the highest cache priority and the longest cache validity period; the PUF fingerprint information corresponding to terminal devices in the mid-frequency range has the next highest cache priority and a correspondingly shorter cache validity period; and the PUF fingerprint information corresponding to terminal devices in the low-frequency range has the lowest cache priority and the shortest cache validity period.
[0097] Step S102a3: encrypt and cache the PUF fingerprint information corresponding to the terminal device locally according to the cache priority, and determine the validity period of the PUF fingerprint information as the cache validity period.
[0098] Encrypted caching refers to encrypting PUF fingerprint information before caching it locally to prevent information leakage or tampering.
[0099] In this step, the authentication service device encrypts the PUF fingerprint information corresponding to the terminal device and caches it in local storage according to the cache priority determined in step S102a2. Simultaneously, the cache validity period determined in step S102a2 is used as the validity period of the PUF fingerprint information; that is, within this validity period, the PUF fingerprint information is considered valid and usable for authentication.
[0100] In summary, this embodiment achieves reasonable allocation and management of local cache resources by statistically analyzing the access frequency of terminal devices and dividing the frequency range, and then determining the cache priority and cache validity period of the PUF fingerprint information corresponding to the terminal device based on the frequency range. For terminal devices with high access frequency, a higher cache priority and a longer cache validity period are given, enabling these devices to quickly retrieve PUF fingerprint information from the local cache during subsequent authentication processes, improving authentication efficiency, reducing the number of interactions with the security management center, and lowering network communication overhead. Conversely, for terminal devices with low access frequency, a lower cache priority and a shorter cache validity period are given, preventing the local cache from being occupied by information from inactive devices for extended periods and improving cache space utilization. Simultaneously, encrypted caching ensures the security of PUF fingerprint information in the local cache, preventing information leakage. This scheme comprehensively considers multiple factors such as authentication efficiency, cache resource utilization, and data security, achieving an efficient and secure authentication process.
[0101] In one embodiment, after step S102a3, where the authentication service device encrypts and caches the PUF fingerprint information corresponding to the terminal device locally according to the cache priority, the following steps are included:
[0102] In step S102a4, the authentication service device monitors the network status between itself and the security management center. If the network status is abnormal, the validity period of the cached PUF fingerprint information is extended according to the duration of the abnormal network status. If the network status is normal, the validity period of the cached PUF fingerprint information is not extended.
[0103] The network status describes the network connection between the authentication service device and the security management center, including indicators such as network connectivity, stability, and bandwidth. In this embodiment, the focus is primarily on whether the network is normally connected and whether there are any anomalies, such as network interruptions, excessive latency, or severe packet loss.
[0104] The duration of network status anomalies refers to the length of time from the detection of the anomaly to the end of the anomaly (restoration to normal).
[0105] In this step, the authentication service device continuously monitors the network status between itself and the security management center. If an abnormal network status is detected, the authentication service device records the duration of the abnormality and extends the validity period of the cached PUF fingerprint information based on that duration. This is to ensure the continuity of the authentication process, even if a network anomaly prevents timely retrieval of new PUF fingerprint information from the security management center, allowing the use of locally cached, extended-expiration PUF fingerprint information. Conversely, if the network status is normal, the authentication service device does not extend the validity period of the cached PUF fingerprint information but manages it according to preset rules.
[0106] In summary, this embodiment enhances the adaptability and reliability of the authentication system in unstable network environments by monitoring the network status between the authentication service device and the security management center and dynamically adjusting the validity period of the cached PUF fingerprint information based on the duration of network anomalies. Extending the validity period of PUF fingerprint information during network anomalies avoids authentication interruptions caused by the inability to obtain new information in a timely manner, ensuring the authentication process can continue and improving the system's fault tolerance. When the network is normal, maintaining the original cache validity period management strategy allows for the rational use of cache resources. This solution achieves stable operation of the authentication system under network fluctuations, ensuring the efficiency and security of the authentication service.
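An added Python illustration of the caching rules of steps S102a to S102b and S102a1 to S102a4 (not code from the patent): access frequency is counted over a sliding window, the frequency range fixes the cache priority and validity period, and the validity period is extended by the duration of a network anomaly. The thresholds, window, priorities and validity periods are constructed values, and encryption of the cached entries is left out.

```python
"""PUF fingerprint cache at the authentication service device (constructed example)."""
import time
from dataclasses import dataclass

# Constructed tier parameters: requests per WINDOW needed for a tier, and
# per tier (cache priority, cache validity period in seconds).
HIGH_FREQ_MIN = 50
MID_FREQ_MIN = 10
TIERS = {"high": (3, 3600.0), "mid": (2, 600.0), "low": (1, 60.0)}
WINDOW = 60.0  # seconds over which the access frequency is counted


@dataclass
class CacheEntry:
    fingerprint: dict        # e.g. {"challenge": bytes, "first_hash": bytes}
    priority: int
    valid_until: float       # absolute time at which the entry expires


class FingerprintCache:
    def __init__(self, now=time.time):
        self.now = now                # injectable clock, so tests can run offline
        self.entries = {}             # (device_id, puf_id) -> CacheEntry
        self.accesses = {}            # (device_id, puf_id) -> request timestamps
        self.anomaly_started = None   # start time of the current network anomaly

    def record_access(self, key):
        """Count one authentication request from the terminal device."""
        t = self.now()
        hist = [x for x in self.accesses.get(key, []) if t - x <= WINDOW]
        hist.append(t)
        self.accesses[key] = hist

    def frequency_range(self, key) -> str:
        """S102a1: classify the access frequency into high / mid / low."""
        n = len(self.accesses.get(key, []))
        if n >= HIGH_FREQ_MIN:
            return "high"
        if n >= MID_FREQ_MIN:
            return "mid"
        return "low"

    def store(self, key, fingerprint) -> CacheEntry:
        """S102a2/S102a3: priority and validity period follow the frequency range."""
        priority, ttl = TIERS[self.frequency_range(key)]
        self.entries[key] = CacheEntry(fingerprint, priority, self.now() + ttl)
        return self.entries[key]

    def set_network_abnormal(self, abnormal: bool):
        """S102a4: when the link to the security management center recovers, extend
        every cached validity period by the duration of the anomaly."""
        t = self.now()
        if abnormal and self.anomaly_started is None:
            self.anomaly_started = t
        elif not abnormal and self.anomaly_started is not None:
            duration = t - self.anomaly_started
            for entry in self.entries.values():
                entry.valid_until += duration
            self.anomaly_started = None

    def lookup(self, key):
        """S102a/S102b: cached fingerprint if present and within validity, else None
        (the caller then requests it from the security management center)."""
        entry = self.entries.get(key)
        if entry is None:
            return None
        deadline = entry.valid_until
        if self.anomaly_started is not None:   # anomaly still ongoing: keep extending
            deadline += self.now() - self.anomaly_started
        if self.now() > deadline:
            return None
        return entry.fingerprint

    def evict_lowest(self):
        """Free space by evicting the lowest-priority, soonest-expiring entry."""
        if not self.entries:
            return None
        key = min(self.entries,
                  key=lambda k: (self.entries[k].priority, self.entries[k].valid_until))
        del self.entries[key]
        return key
```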
[0107] For step S103, the terminal device parses the second lightweight message. If the challenge information identifier is obtained, the PUF challenge information is input to the PUF hardware module to obtain the second PUF response information. The second verification information corresponding to the second PUF response information is calculated. The third lightweight message is concatenated with the preset response information identifier as the message type part and the second verification information as the message payload part and sent to the authentication service device.
[0108] The second PUF response information is the response information generated by the PUF hardware module based on its unique physical characteristics after the terminal device inputs the received PUF challenge information into the PUF hardware module.
[0109] The second verification information is the information used for authentication verification calculated based on the second PUF response information. Its calculation method corresponds to that of the first verification information to ensure accurate matching and verification during subsequent authentication processes.
[0110] The response information identifier is a pre-defined identifier used in message transmission to indicate that the message carries the terminal device's response information to the PUF challenge information.
[0111] In this step, after receiving the second lightweight message, the terminal device parses it. By checking the message type section, if it determines that it contains a challenge information identifier, it inputs the PUF challenge information from the message payload section to the built-in PUF hardware module. The PUF hardware module generates second PUF response information based on the challenge information. The terminal device calculates the second verification information corresponding to the second PUF response information. Then, according to a predetermined message format, it concatenates the response information identifier as the message type section and the second verification information as the message payload section to form a third lightweight message, which is then sent to the authentication service device for authentication result determination.
[0112] In one embodiment, after the authentication service device parses the lightweight message sent by the terminal device, it includes:
[0113] If no preset request identifier is parsed, the lightweight message from the terminal device will not be responded to; the preset request identifier includes an authentication request identifier and a response information identifier;
[0114] After the terminal device parses the lightweight message sent by the authentication service device, it includes:
[0115] If no preset authentication identifier is parsed and obtained, the lightweight message of the authentication service device will not be responded to; the preset authentication identifier includes a challenge information identifier and an error identifier.
[0116] As can be seen from any embodiment of this application, when the authentication service device or terminal device parses the received lightweight message, it focuses on parsing the message type section. By determining whether the message type section contains a valid preset identifier, such as an authentication request identifier, response information identifier, challenge information identifier, and error identifier, it determines the current stage of authentication and then performs corresponding processing operations. If the authentication service device or terminal device parses the message type section of the lightweight message and the parsing result is empty or contains other data without a preset identifier, i.e., no valid identifier is obtained, then no response is performed. The purpose of this design is to ensure that both parties only perform subsequent operations when they receive a message that conforms to the authentication process specifications through accurate identification of preset identifiers, effectively avoiding the processing of invalid messages, reducing system resource consumption, improving authentication efficiency, and enhancing system security.
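As an added example (not code from the patent), the message concatenation and parsing rules of steps S1022, S1032 and S10201 to S10203, together with the identifier screening of [0113] to [0115], in Python. Assumed: a one-byte message type section, a two-byte message length section holding the total length, a truncated HMAC-SHA256 under a pre-shared key as the "communication encryption algorithm", and constructed identifier values.

```python
"""Lightweight message build/parse: type | total length | payload | verification."""
import hashlib
import hmac
import struct

# Preset identifiers (constructed values; the patent fixes none).
AUTH_REQUEST_ID = 0x01   # terminal -> service: authentication request
CHALLENGE_ID = 0x02      # service -> terminal: PUF challenge information
RESPONSE_ID = 0x03       # terminal -> service: second verification information
ERROR_ID = 0x04          # service -> terminal: verification error information

SERVICE_ACCEPTS = {AUTH_REQUEST_ID, RESPONSE_ID}   # preset request identifiers
TERMINAL_ACCEPTS = {CHALLENGE_ID, ERROR_ID}        # preset authentication identifiers

TYPE_LEN = 1     # message type section
LENGTH_LEN = 2   # message length section, big-endian uint16 (the preset message length)
TAG_LEN = 8      # message verification section, truncated HMAC-SHA256


def communication_verification(key: bytes, msg_type: int, payload: bytes) -> bytes:
    """Communication verification information over type + payload (assumed: HMAC)."""
    mac = hmac.new(key, bytes([msg_type]) + payload, hashlib.sha256).digest()
    return mac[:TAG_LEN]


def build_message(key: bytes, msg_type: int, payload: bytes) -> bytes:
    """S1022: total length = type + length field + payload (+ verification section)."""
    total = TYPE_LEN + LENGTH_LEN + len(payload) + TAG_LEN
    tag = communication_verification(key, msg_type, payload)
    return bytes([msg_type]) + struct.pack(">H", total) + payload + tag


def parse_message(key: bytes, data: bytes, accepted: set):
    """Return (msg_type, payload, tag_ok), or None when no response is to be sent.
    S1032: the total length fixes the parsing termination position; any bytes
    after it (e.g. the next message in a stream) are not part of this message."""
    if len(data) < TYPE_LEN + LENGTH_LEN:
        return None
    msg_type = data[0]
    total = struct.unpack(">H", data[1:3])[0]
    if total > len(data) or total < TYPE_LEN + LENGTH_LEN + TAG_LEN:
        return None                       # truncated or malformed length field
    if msg_type not in accepted:
        return None                       # [0113]/[0115]: no preset identifier, no reply
    payload = data[3:total - TAG_LEN]
    tag = data[total - TAG_LEN:total]
    tag_ok = hmac.compare_digest(tag, communication_verification(key, msg_type, payload))
    return msg_type, payload, tag_ok


def service_handle_request(key: bytes, data: bytes):
    """Authentication service side of S10201 to S10203: recompute the verification
    information; on mismatch answer with the fourth (error) lightweight message,
    otherwise hand the identifiers on for the PUF fingerprint lookup."""
    parsed = parse_message(key, data, SERVICE_ACCEPTS)
    if parsed is None:
        return None
    msg_type, payload, tag_ok = parsed
    if not tag_ok:
        return build_message(key, ERROR_ID, b"verification error")
    if msg_type == AUTH_REQUEST_ID:
        device_id, puf_id = payload[:8], payload[8:]   # constructed 8-byte device id
        return ("lookup", device_id, puf_id)
    return ("response", payload)
```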
[0117] In summary, lightweight messaging is a core component of the technical solution of this application. Lightweight messaging adopts a layered design, including at least a message type section and a message payload, and can further be extended to include a message verification section, resulting in a clear and concise message structure. The message type section, as a key field, identifies the specific type and function of the message and is the basis for message parsing and response. Through the preset identifier in the message type section, authentication service devices and terminal devices can quickly and accurately identify the message type, thereby determining the current stage of authentication and performing corresponding processing operations. This efficient identification mechanism greatly improves authentication efficiency and reduces unnecessary communication overhead. Furthermore, lightweight messaging can also be combined with various security mechanisms, such as message integrity protection and timestamp mechanisms, to ensure the security and integrity of the message during transmission.
[0118] This application reduces the complexity and overhead of the authentication process by optimizing the message format and interaction flow. The lightweight message design fully considers the characteristics and needs of the IoT environment, enabling this solution to operate efficiently on resource-constrained devices. Specifically, compared to asymmetric encrypted communication, this application avoids the complex processes of public key distribution, storage, and verification, eliminates the need for additional information such as signatures in messages, and avoids the overhead of multi-round handshake protocols, thus reducing message structure complexity. Compared to symmetric encrypted communication, this application utilizes PUF characteristics for authentication, eliminating the need for explicit transmission and management of keys and avoiding the additional overhead of key distribution. Simultaneously, the layered message format and optimized interaction flow designed in this application ensure message integrity and authentication effectiveness while reducing redundant information in messages, thereby improving message processing efficiency.
[0119] In one embodiment, the first hash value is a hash value obtained by calculating the combination value of the first PUF response information and the PUF challenge information using the SM3 cryptographic hash algorithm;
[0120] Step S102, where the authentication service device uses a preset challenge information identifier as the message type part and the PUF challenge information as the message payload part to concatenate a second lightweight message and send it to the terminal device, further includes:
[0121] The authentication service device obtains a random number, uses a preset challenge information identifier as the message type part, and the random number and the PUF challenge information as the message payload part, concatenates them into a second lightweight message, and sends it to the terminal device.
[0122] Step S102, where the authentication service device calculates the first verification information corresponding to the first hash value, includes:
[0123] The authentication service device extracts the first N bits of the first hash value to obtain the first response hash value; it then uses the SM3 cryptographic hash algorithm to calculate the hash of the XOR value of the first response hash value and the random number, and extracts the first N bits of that hash to obtain the first verification information; where N is a positive integer;
[0124] Step S103, which involves the terminal device calculating the second verification information corresponding to the second PUF response information, includes:
[0125] The terminal device uses the SM3 cryptographic hash algorithm to calculate the second hash value of the combination of the second PUF response information and the PUF challenge information, and extracts the first N bits of the second hash value to obtain the second response hash value; it then uses the SM3 cryptographic hash algorithm to calculate the hash of the XOR value of the second response hash value and the random number, and extracts the first N bits of that hash to obtain the second verification information.
[0126] Here, the SM3 cryptographic hash algorithm is a cryptographic hash algorithm standard released by the State Cryptography Administration of China. It converts input data of arbitrary length into hash values of fixed length and has security characteristics such as collision resistance and second preimage resistance.
[0127] Random numbers are random or pseudo-random data generated by the authentication service device to enhance the security of the authentication process.
[0128] The XOR value refers to the result of performing a bitwise XOR operation on two binary data.
[0129] This embodiment achieves secure verification and dynamic authentication of PUF response information by introducing the SM3 cryptographic hash algorithm, random numbers, and XOR operations. The authentication service device and the terminal device use the same processing flow: SM3 hash calculation, random number XOR, and truncating the first N bits to generate verification information, ensuring the uniqueness and consistency of the verification information. The application of the SM3 algorithm guarantees the security and collision resistance of the hash value, the introduction of random numbers enhances the dynamism of the authentication process and its resistance to replay attacks, and the XOR operation further obfuscates the data, increasing the difficulty of cracking. The overall technical solution, through the synergistic effect of cryptographic algorithms and dynamic factors, forms a secure and reliable PUF authentication mechanism, providing a solid guarantee for the identity verification of terminal devices.
[0130] For step S104, the authentication service device parses the third lightweight message. If the response information identifier is obtained, it determines whether the second verification information matches the first verification information. If they match, it determines that the terminal device has passed authentication and sends the authentication success result to the security management center. The security management center sets the binding status in the binding record corresponding to the device identifier and the PUF identifier to the authentication success status. If they do not match, it determines that the terminal device has failed authentication and sends the authentication failure result to the security management center. The security management center clears the binding record corresponding to the device identifier and the PUF identifier.
[0131] The security management center maintains a binding record between device identifiers and PUF identifiers. This record records the correspondence between the device identifier of each terminal device and the PUF identifier of its internal PUF hardware module, as well as authentication status and other information. Through this binding record, the security management center can perform unified management and monitoring of IoT devices.
[0132] The binding status in the binding record indicates the current authentication status of the device identifier and the PUF identifier and takes values such as "authentication successful," "unauthenticated," or "authentication failed." When authentication succeeds, the binding status is set to "authentication successful," indicating that the terminal device and its PUF hardware module have been authenticated and are legitimate, trustworthy devices. When authentication fails, the security management center clears the binding record, removing the binding relationship between the device identifier and the PUF identifier from the system; the device can no longer be authenticated and may pose a security risk.
[0133] In this step, after receiving the third lightweight message, the authentication service device parses it. By checking the message type section, if it determines that it is a response information identifier, it obtains the second verification information from the message payload section and matches it with the previously calculated first verification information. If the second verification information matches the first verification information, it means that the response information generated by the terminal device's PUF hardware module meets expectations, and the authentication service device determines that the terminal device has passed authentication. Subsequently, the authentication service device sends the authentication success result to the security management center. After receiving the authentication success result, the security management center sets the binding status in the binding record corresponding to the device identifier and PUF identifier to the authentication success status, allowing the terminal device to access and communicate normally in the IoT system. If the second verification information does not match the first verification information, it means that the terminal device's authentication has failed, the authentication service device determines that the terminal device's authentication has failed, and sends the authentication failure result to the security management center. After receiving the authentication failure result, the security management center clears the binding record corresponding to the device identifier and PUF identifier to prevent the terminal device from accessing the system in an unauthorized state.
[0134] The above embodiments are merely illustrative of several implementation methods of this application, and their descriptions are relatively specific and detailed, but they should not be construed as limiting the scope of the invention patent. It should be noted that those skilled in the art can make several modifications and improvements without departing from the concept of this application, and this application also intends to include these modifications and variations.
Claims
1. A distributed IoT device authentication method based on lightweight messaging, characterized in that it includes the following steps: In response to an authentication request command, the terminal device obtains a device identifier, a PUF identifier, and a preset authentication request identifier; it then concatenates the authentication request identifier as the message type part and the device identifier and the PUF identifier as the message payload part into a first lightweight message and sends it to the authentication service device; wherein the terminal device has a built-in PUF hardware module, and the device identifier and the PUF identifier uniquely identify the terminal device and the PUF hardware module, respectively; The authentication service device parses the first lightweight message. If the authentication request identifier is obtained, it requests PUF fingerprint information from the security management center based on the device identifier and the PUF identifier; the PUF fingerprint information includes PUF challenge information and a first hash value, the first hash value being obtained based on the first PUF response information. The authentication service device calculates the first verification information corresponding to the first hash value, then concatenates the preset challenge information identifier as the message type part and the PUF challenge information as the message payload part into a second lightweight message and sends it to the terminal device; The terminal device parses the second lightweight message. If the challenge information identifier is obtained, it inputs the PUF challenge information to the PUF hardware module to obtain the second PUF response information, calculates the second verification information corresponding to the second PUF response information, concatenates the preset response information identifier as the message type part and the second verification information as the message payload part into a third lightweight message, and sends it to the authentication service device; The authentication service device parses the third lightweight message. If it obtains the response information identifier, it determines whether the second verification information matches the first verification information. If they match, it determines that the terminal device has passed authentication and sends the authentication success result to the security management center, which sets the binding status in the binding record corresponding to the device identifier and the PUF identifier to the authentication success status. If they do not match, it determines that the terminal device has failed authentication and sends the authentication failure result to the security management center, which clears the binding record corresponding to the device identifier and the PUF identifier.
2. The distributed IoT device authentication method based on lightweight messaging according to claim 1, characterized in that the step of the terminal device concatenating the authentication request identifier as the message type part and the device identifier and the PUF identifier as the message payload part into a first lightweight message and sending it to the authentication service device includes: the terminal device obtains the first total message length information as the sum of the first message length information (the length of the message payload), the second message length information (the length of the message type), and the third message length information (the preset length of the message length part itself); and concatenates the first lightweight message using the authentication request identifier as the message type, the device identifier and the PUF identifier as the message payload, and the first total message length information as the message length. The step of the terminal device concatenating the preset response information identifier as the message type part and the second verification information as the message payload part into a third lightweight message and sending it to the authentication service device includes: the terminal device obtains the second total message length information as the sum of the fourth message length information (the length of the message payload), the fifth message length information (the length of the message type), and the third message length information; and concatenates the message type, the message length, and the message payload, with the preset response information identifier as the message type, the second verification information as the message payload, and the second total message length information as the message length, to obtain the third lightweight message.
3. The distributed IoT device authentication method based on lightweight messaging according to claim 2, characterized in that the step of the authentication service device parsing the first lightweight message includes: if the authentication service device parses and obtains the first total message length information, it determines the parsing termination bit of the first lightweight message from the first total message length information; when the parsing termination bit is reached, it determines that parsing of the first lightweight message is complete. The step of the authentication service device parsing the third lightweight message includes: if the authentication service device parses and obtains the second total message length information, it determines the parsing termination bit of the third lightweight message from the second total message length information; when the parsing termination bit is reached, it determines that parsing of the third lightweight message is complete.
4. The distributed IoT device authentication method based on lightweight messaging according to claim 1, characterized in that, before the step of the authentication service device concatenating a second lightweight message with the preset challenge information identifier as the message type part and the PUF challenge information as the message payload part and sending it to the terminal device, the following steps are included: the authentication service device obtains the third total message length information as the sum of the sixth message length information (the length of the message payload), the seventh message length information (the length of the message type), and the third message length information (the preset length of the message length part); and concatenates the message type, the message length, and the message payload, with the preset challenge information identifier as the message type, the PUF challenge information as the message payload, and the third total message length information as the message length, to obtain the second lightweight message. The step of the terminal device parsing the second lightweight message includes: if the terminal device parses and obtains the third total message length information, it determines the parsing termination bit of the second lightweight message from the third total message length information; when the parsing termination bit is reached, it determines that parsing of the second lightweight message is complete.
5. The distributed IoT device authentication method based on lightweight messaging according to claim 1, characterized in that the step of the terminal device concatenating the authentication request identifier as the message type part and the device identifier and the PUF identifier as the message payload part into a first lightweight message and sending it to the authentication service device includes: the terminal device calculates first communication verification information over the message type section and the message payload section using a preset communication encryption algorithm, uses the first communication verification information as the message verification section, and concatenates the message type section, the message payload section, and the message verification section to obtain the first lightweight message. Before the step of the authentication service device requesting PUF fingerprint information from the security management center based on the device identifier and the PUF identifier, the following steps are included: the authentication service device calculates second communication verification information over the message type section and the message payload section using the same communication encryption algorithm and determines whether the second communication verification information matches the first communication verification information. If they match, the PUF fingerprint information is requested from the security management center based on the device identifier and the PUF identifier. If they do not match, the authentication service device generates a verification error message, concatenates the preset error identifier as the message type part and the verification error message as the message payload part to obtain a fourth lightweight message, and sends it to the terminal device; after parsing the error identifier and the verification error message, the terminal device regenerates the first lightweight message and sends it to the authentication service device.
6. The distributed IoT device authentication method based on lightweight messaging according to claim 1, characterized in that, after the authentication service device parses the first lightweight message, the following steps are included: if the authentication service device parses and obtains the authentication request identifier, it determines whether PUF fingerprint information corresponding to the device identifier and the PUF identifier exists in its local cache; if it exists, it determines whether the cached PUF fingerprint information is within its validity period; if it is within its validity period, the authentication service device obtains the PUF fingerprint information corresponding to the device identifier and the PUF identifier from the local cache. If the PUF fingerprint information corresponding to the device identifier and the PUF identifier does not exist, or exists but is not within its validity period, the authentication service device generates a PUF fingerprint information acquisition request based on the device identifier and the PUF identifier and sends it to the security management center.
7. The distributed IoT device authentication method based on lightweight messaging according to claim 6, characterized in that, before the authentication service device determines whether the cached PUF fingerprint information is within its validity period, the following step is also included: the authentication service device counts the access frequency of terminal devices and determines the frequency range corresponding to the access frequency; the frequency range is one of a high frequency range, a medium frequency range, and a low frequency range. The cache priority and cache validity period of the PUF fingerprint information corresponding to the terminal device are determined according to the frequency range, wherein the priorities of the high, medium, and low frequency ranges run from high to low and the corresponding cache validity periods run from long to short. The PUF fingerprint information corresponding to the terminal device is encrypted and cached locally according to the cache priority, and the validity period of the PUF fingerprint information is set to the cache validity period.
8. The distributed IoT device authentication method based on lightweight messaging according to claim 6, characterized in that, after the authentication service device encrypts and caches the PUF fingerprint information corresponding to the terminal device locally according to the cache priority, the following steps are included: the authentication service device monitors the network status between itself and the security management center. If the network status is abnormal, the validity period of the cached PUF fingerprint information is extended according to the duration of the abnormality. If the network status is normal, the validity period of the cached PUF fingerprint information is not extended.
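Worked example of the local fingerprint cache in claims 6 to 8, added here for illustration; it is not code from the patent or its assignee. The frequency thresholds, validity periods, priorities, and capacity are assumed values, since the claims only order the ranges from high to low and the periods from long to short; the security management center is represented by a callable, and the clock is injectable so the expiry and extension logic can be checked deterministically. The at-rest encryption of cached entries required by claim 7 is left out to keep the example free of a cipher dependency.

```python
import time

# Assumed policy values: the claims only order the ranges (high > medium > low)
# and the validity periods (long > short).
FREQUENCY_THRESHOLDS = (("high", 100), ("medium", 10), ("low", 0))   # accesses counted so far
CACHE_VALIDITY = {"high": 3600.0, "medium": 600.0, "low": 60.0}     # seconds
CACHE_PRIORITY = {"high": 3, "medium": 2, "low": 1}

def frequency_range(access_count: int) -> str:
    """Claim 7: map an access count to the high, medium or low frequency range."""
    for name, threshold in FREQUENCY_THRESHOLDS:
        if access_count >= threshold:
            return name
    return "low"

class FingerprintCache:
    """Local PUF fingerprint cache on the authentication service device (claims 6 to 8)."""

    def __init__(self, fetch_from_smc, capacity=1000, clock=time.monotonic):
        self._fetch = fetch_from_smc     # callable(device_id, puf_id) -> fingerprint; raises on network failure
        self._capacity = capacity
        self._clock = clock
        self._entries = {}               # (device_id, puf_id) -> {"fingerprint", "expires", "priority"}
        self._access = {}                # (device_id, puf_id) -> access count

    def lookup(self, device_id, puf_id):
        """Claim 6: serve from the cache while valid, otherwise request from the
        security management center. Returns (fingerprint, source), source 'cache' or 'smc'."""
        key = (device_id, puf_id)
        self._access[key] = self._access.get(key, 0) + 1      # claim 7: count access frequency
        entry = self._entries.get(key)
        if entry is not None and self._clock() < entry["expires"]:
            return entry["fingerprint"], "cache"
        fingerprint = self._fetch(device_id, puf_id)          # miss or expired: ask the SMC
        self._store(key, fingerprint)
        return fingerprint, "smc"

    def _store(self, key, fingerprint):
        rng = frequency_range(self._access[key])
        if key not in self._entries and len(self._entries) >= self._capacity:
            # cache is full: evict the lowest-priority entry, oldest expiry first
            victim = min(self._entries,
                         key=lambda k: (self._entries[k]["priority"], self._entries[k]["expires"]))
            del self._entries[victim]
        self._entries[key] = {
            "fingerprint": fingerprint,                        # claim 7 encrypts this at rest; omitted here
            "expires": self._clock() + CACHE_VALIDITY[rng],    # cache validity period by frequency range
            "priority": CACHE_PRIORITY[rng],
        }

    def report_network(self, normal: bool, abnormal_seconds: float = 0.0) -> None:
        """Claim 8: while the link to the security management center is abnormal, extend the
        validity of every cached entry by the duration of the abnormality; do nothing when normal."""
        if normal:
            return
        for entry in self._entries.values():
            entry["expires"] += abnormal_seconds

    def expires_at(self, device_id, puf_id):
        entry = self._entries.get((device_id, puf_id))
        return None if entry is None else entry["expires"]
```

The extension in `report_network` keeps authentication available during an outage, but it also lengthens the window in which a fingerprint that the security management center has since changed or removed is still honoured locally; a deployment should bound the total extension rather than let it grow with an indefinitely long outage.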
9. The distributed IoT device authentication method based on lightweight messaging according to claim 1, characterized in that the first hash value is obtained by applying the SM3 cryptographic hash algorithm to the combination of the first PUF response information and the PUF challenge information; the step of the authentication service device concatenating the preset challenge information identifier as the message type part and the PUF challenge information as the message payload part into a second lightweight message and sending it to the terminal device further includes: the authentication service device obtains a random number, uses the preset challenge information identifier as the message type part and the random number together with the PUF challenge information as the message payload part, concatenates them into the second lightweight message, and sends it to the terminal device. The step of the authentication service device calculating the first verification information corresponding to the first hash value includes: the authentication service device extracts the first N bits of the first hash value to obtain the first response hash value; it applies the SM3 cryptographic hash algorithm to the XOR value of the first response hash value and the random number, and extracts the first N bits of the resulting hash to obtain the first verification information, where N is a positive integer. The step of the terminal device calculating the second verification information corresponding to the second PUF response information includes: the terminal device applies the SM3 cryptographic hash algorithm to the combination of the second PUF response information and the PUF challenge information to obtain the second hash value, and extracts the first N bits of the second hash value to obtain the second response hash value; it then applies the SM3 cryptographic hash algorithm to the XOR value of the second response hash value and the random number, and extracts the first N bits of the resulting hash to obtain the second verification information.
10. The distributed IoT device authentication method based on lightweight messaging according to claim 1, characterized in that, after the authentication service device parses a lightweight message sent by the terminal device, the following is included: if no preset request identifier is parsed, the lightweight message from the terminal device is not responded to; the preset request identifiers are the authentication request identifier and the response information identifier. After the terminal device parses a lightweight message sent by the authentication service device, the following is included: if no preset authentication identifier is parsed, the lightweight message from the authentication service device is not responded to; the preset authentication identifiers are the challenge information identifier and the error identifier.
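Worked example of the message layout in claims 2 to 4, the message verification section of claim 5, and the no-response rules of claim 10, added here for illustration; it is not code from the patent or its assignee. The patent fixes neither the field widths nor the "preset communication encryption algorithm", so this example assumes a one-byte message type, a two-byte big-endian message length that counts the type, the length field and the payload, fixed 8-byte device and PUF identifiers, and an HMAC-SHA256 tag truncated to 8 bytes appended after the payload as the message verification section; the identifier values and key are constructed samples. The parser stops at the termination position given by the length field, treats a length that points outside the buffer as malformed, and the two handlers return the action the patent prescribes (forward to the security management center, send a fourth message with the error identifier, or stay silent).

```python
import hashlib
import hmac
import struct

# Preset identifiers (values assumed; the patent only requires them to be preset).
AUTH_REQUEST, CHALLENGE_INFO, RESPONSE_INFO, ERROR = 0x01, 0x02, 0x03, 0x04
REQUEST_IDS = {AUTH_REQUEST, RESPONSE_INFO}      # what the authentication service answers (claim 10)
AUTH_IDS = {CHALLENGE_INFO, ERROR}               # what the terminal answers (claim 10)
TYPE_LEN, LEN_LEN, ID_LEN, MAC_LEN = 1, 2, 8, 8  # assumed field widths
HEADER_LEN = TYPE_LEN + LEN_LEN

def comm_verification(key: bytes, type_part: bytes, payload: bytes) -> bytes:
    """Message verification section over type and payload; HMAC-SHA256 stands in
    for the unspecified communication algorithm (assumption)."""
    return hmac.new(key, type_part + payload, hashlib.sha256).digest()[:MAC_LEN]

def build(msg_type: int, payload: bytes, key: bytes) -> bytes:
    """Claim 2: message length = payload length + type length + length-field length."""
    type_part = bytes([msg_type])
    total = len(payload) + len(type_part) + LEN_LEN
    return type_part + struct.pack(">H", total) + payload + comm_verification(key, type_part, payload)

def parse(buf: bytes, key: bytes):
    """Claims 3 and 5: read the type and length, stop at the termination position the
    length gives, then check the verification section. Returns (msg_type, payload, mac_ok)."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated header")
    msg_type = buf[0]
    (total,) = struct.unpack(">H", buf[TYPE_LEN:HEADER_LEN])
    if total < HEADER_LEN or total > len(buf):
        raise ValueError("length field points outside the buffer")
    payload = buf[HEADER_LEN:total]               # payload parsing ends at the termination position
    tag = buf[total:total + MAC_LEN]              # verification section follows the payload (assumption)
    expected = comm_verification(key, buf[:TYPE_LEN], payload)
    mac_ok = len(tag) == MAC_LEN and hmac.compare_digest(tag, expected)
    return msg_type, payload, mac_ok

def first_message(device_id: bytes, puf_id: bytes, key: bytes) -> bytes:
    """Claim 1: type = authentication request identifier, payload = device id || PUF id."""
    if len(device_id) != ID_LEN or len(puf_id) != ID_LEN:
        raise ValueError("identifiers are fixed at ID_LEN bytes in this example")
    return build(AUTH_REQUEST, device_id + puf_id, key)

def auth_service_handle(buf: bytes, key: bytes):
    """Authentication service side of claims 1, 5 and 10.
    Returns ('request_fingerprint', device_id, puf_id), ('response_info', payload),
    ('reply', fourth_message) on a verification mismatch, or None for no response."""
    try:
        msg_type, payload, mac_ok = parse(buf, key)
    except ValueError:
        return None                                 # malformed: treated like an unknown message
    if msg_type not in REQUEST_IDS:
        return None                                 # claim 10: not a preset request identifier
    if not mac_ok:
        return ("reply", build(ERROR, b"verification error", key))   # claim 5: fourth message
    if msg_type == AUTH_REQUEST:
        if len(payload) != 2 * ID_LEN:
            return None
        return ("request_fingerprint", payload[:ID_LEN], payload[ID_LEN:])
    return ("response_info", payload)               # handed to the matching step S104

def terminal_handle(buf: bytes, key: bytes, device_id: bytes, puf_id: bytes):
    """Terminal side of claims 5 and 10: regenerate the first message on the error identifier,
    hand the payload to the PUF on the challenge identifier, otherwise do not respond."""
    try:
        msg_type, payload, mac_ok = parse(buf, key)
    except ValueError:
        return None
    if msg_type not in AUTH_IDS or not mac_ok:      # silent drop on bad tag is a design choice here
        return None
    if msg_type == ERROR:
        return ("send", first_message(device_id, puf_id, key))
    return ("challenge", payload)
```

Checking the length field against the buffer before slicing is the step a parser for this format must not skip: the claims say parsing ends at the termination bit, and a length that points past the end of the received data is the classic way a malformed message turns into an out-of-bounds read on a constrained device.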