Method and system for secure login of smart home device based on ndn

Abstract

The application relates to the technical field of smart home, in particular to a smart home device security login method and system based on NDN, which comprises the following steps: a smart home device generates a key pair based on an NTRU algorithm, submits a device certificate chain to a home gateway, generates a dynamic name prefix, and synchronizes a certificate chain hash to a blockchain network; an interest package is constructed, and the certificate chain is verified through a hybrid verification path; a router calculates a real-time trust value based on device behavior time sequence data, if the real-time trust value is greater than a preset threshold value, a quantum hybrid encryption data package is returned, otherwise, infrared light coding secondary authentication is triggered; when a device is migrated to a new gateway, the historical trust value and the certificate chain of the device are acquired, and weighted evaluation is carried out in combination with the real-time trust value, if the evaluation result is higher than a migration trust threshold value, authentication is quickly completed, otherwise, infrared light coding secondary authentication is triggered. Therefore, the problems of an inefficient certificate verification mechanism and inaccurate device trust evaluation in the prior art are solved.

Description

Technical Field

[0001] This invention relates to the field of smart home network security technology, specifically to a secure login method and system for smart home devices based on NDN. Background Technology

[0002] With the rapid development of IoT technology, the number of smart home devices has increased dramatically, making home network environments increasingly complex. Traditional TCP / IP-based network architectures have exposed numerous security vulnerabilities in smart home scenarios, such as susceptibility to device authentication attacks and data transmission vulnerability to eavesdropping and tampering. Furthermore, how to quickly and securely complete authentication when smart home devices migrate between different gateways is a pressing issue that needs to be addressed.

[0003] Named Data Networking (NDN), as an emerging future network architecture, is content-centric and effectively improves content retrieval efficiency and transmission performance by naming and routing content data. Applying NDN to the smart home field offers a new approach to solving the aforementioned problems. However, current NDN-based smart home device login methods still have shortcomings, such as inefficient certificate verification mechanisms and inaccurate device trust assessments, failing to fully meet the stringent security and reliability requirements of smart home devices. Summary of the Invention

[0004] This application provides a secure login method and system for smart home devices based on NDN, in order to solve the problems of inefficient certificate verification mechanisms and inaccurate device trust assessment in the prior art.

[0005] The first aspect of this application provides a secure login method for smart home devices based on NDN, comprising: a smart home device generating a key pair based on the NTRU algorithm, with the private key securely stored by the device and the public key embedded in the device certificate chain, and submitting the device certificate chain to a home gateway; after verifying the validity of the device certificate chain, the home gateway generates a dynamic naming prefix, stores the certificate chain, and synchronizes the certificate chain hash to the blockchain network; the device constructs an interest packet with a digital signature using the dynamic naming prefix, and after receiving the interest packet, the edge NDN router verifies the certificate chain through a hybrid verification path; the router calculates a real-time trust value based on the device's behavior time-series data, and if the real-time trust value is greater than a preset threshold, it returns a quantum hybrid encrypted data packet; otherwise, it triggers infrared light coding secondary authentication; when the device is migrated to a new gateway, the new gateway obtains the device's historical trust value and certificate chain through the blockchain network, and performs a weighted evaluation by combining the historical trust value with the real-time trust value. If the evaluation result is higher than the migration trust threshold, authentication is completed quickly; otherwise, infrared light coding secondary authentication is triggered.

[0006] Preferably, the historical trust value is combined with the real-time trust value for a weighted evaluation, including:

[0007] The historical trust value and the real-time trust value are weighted and calculated. The formula for the weighted calculation is as follows:

[0008] T 综合 =0.6T 历史 +0.4T 实时

[0009] Among them, T 历史 T represents the average historical trust value recorded by the blockchain. 实时 The real-time trust value calculated for the current gateway;

[0010] If the weighted calculation result is higher than the migration trust threshold preset by the new gateway, then the original network's partial authentication permission level will be used; otherwise, infrared optical encoding secondary authentication will be triggered.

[0011] Preferably, the infrared light coding secondary authentication specifically includes: the gateway generating a random number sequence and transmitting the encoded infrared light signal at a specific frequency through an infrared transmitter; the device receiving and decoding the infrared light signal to obtain the random number sequence, and encrypting and signing it using a private key; the device returning the encrypted signature through an NDN interest packet, and the gateway verifying the signature using the device's public key; if the verification is successful, the secondary authentication is completed.

[0012] Preferably, the device migration includes: the new gateway requiring the device to submit a migration request interest packet with a digital signature; verifying the migration request interest packet, calling the device certificate chain public key stored in the blockchain for matching, and if the device identity is consistent with the original network registration information, then performing weighted evaluation authentication.

[0013] Preferably, the hybrid verification path includes: firstly querying the local certificate cache of the edge NDN router, which is stored in SRAM; if the local certificate cache is not found, initiating a certificate query request to the pre-configured blockchain light node, which uses a lightweight proof of MerklePatriciaTrie for certificate query; and verifying whether the certificate chain root certificate matches the master certificate public key pre-stored in the home gateway.

[0014] Preferably, the local certificate cache size is ≤15KB, the lightweight proof size of MerklePatriciaTrie is ≤600 bytes, and the blockchain light node cache of certificate revocation status uses a Bloom filter with a false positive rate of ≤0.05%.

[0015] Preferably, the router calculates the real-time trust value based on device behavior time-series data, and the formula for the real-time trust value is:

[0016]

[0017] Where α is the attenuation factor, N successF represents the number of successful interactions. abnormal For abnormal request frequency, Where β is the historical trust value, γ is the successful interaction coefficient, δ is the abnormal request coefficient, and R is the environmental risk coefficient. env It is an environmental risk factor.

[0018] Preferably, the dynamic naming prefix is ​​updated periodically by the home gateway every 15-30 minutes. The dynamic naming prefix includes the spatial domain, device type, and unique identification information.

[0019] The second aspect of this application provides a secure login system for smart home devices based on NDN, comprising: a generation module for generating a key pair based on the NTRU algorithm, wherein the private key is securely stored by the device and the public key is embedded in the device certificate chain, and the device certificate chain is submitted to the home gateway; a storage module for generating a dynamic naming prefix after the home gateway verifies the validity of the device certificate chain, storing the certificate chain, and synchronizing the certificate chain hash to the blockchain network; a verification module for constructing an interest packet with a digital signature using the dynamic naming prefix, and verifying the certificate chain through a hybrid verification path after the edge NDN router receives the interest packet; a calculation module for calculating a real-time trust value based on the device's behavior time-series data, and returning a quantum hybrid encrypted data packet if the real-time trust value is greater than a preset threshold, otherwise triggering infrared light coding secondary authentication; and an authentication module for obtaining the device's historical trust value and certificate chain through the blockchain network when the device is migrated to a new gateway, and performing a weighted evaluation of the historical trust value and the real-time trust value, and quickly completing authentication if the evaluation result is higher than the migration trust threshold, otherwise triggering infrared light coding secondary authentication.

[0020] A third aspect of this application provides an electronic device, including: a memory, a processor, and a computer program stored in the memory and executable on the processor. The processor executes the program to perform a secure login method for a smart home device based on NDN as described in the above embodiments.

[0021] Therefore, this application has the following beneficial effects:

[0022] In this embodiment, the NTRU algorithm is used to generate key pairs and embed the public key into the device certificate chain. After verification by the home gateway, the certificate chain hash is synchronized to the blockchain, providing a reliable basis for verification. The edge NDN router adopts a hybrid verification path, prioritizing the query of the local SRAM certificate cache. If a cache miss occurs, lightweight proofs from blockchain light nodes are used to obtain information. Combined with a Bloom filter to cache certificate revocation status, the false positive rate is low, significantly improving certificate verification efficiency. For device trust assessment, the router calculates real-time trust values ​​based on device behavior time-series data, considering factors such as attenuation factors and the number of successful interactions. During device migration, the new gateway performs a weighted assessment by combining historical trust values ​​obtained from the blockchain with real-time trust values, making the assessment more accurate and comprehensive. Simultaneously, dynamic naming prefix periodic updates and the construction of interest packets with digital signatures ensure device login and migration security. Different authentication strategies are adopted based on real-time trust values, flexibly adapting to different security requirements and comprehensively improving the security, efficiency, and reliability of smart home device login. Thus, the problems of inefficient certificate verification mechanisms and inaccurate device trust assessment in existing technologies are solved.

[0023] Additional aspects and advantages of this application will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of this application. Attached Figure Description

[0024] The above and / or additional aspects and advantages of this application will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, wherein:

[0025] Figure 1 This is a flowchart illustrating a secure login method for smart home devices based on NDN, according to an embodiment of this application.

[0026] Figure 2 This is a schematic diagram of the structure of a smart home device security login system based on NDN provided in an embodiment of this application;

[0027] Figure 3 This is a schematic diagram of the structure of an electronic device provided according to an embodiment of this application. Detailed Implementation

[0028] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0029] The following description, with reference to the accompanying drawings, illustrates a secure login method and system for smart home devices based on NDN (Network Node Protocol). Addressing the inefficiency of certificate verification mechanisms mentioned in the background section, this application provides a secure login method for smart home devices based on NDN. In this method, a key pair is generated using the NTRU algorithm, and the public key is embedded into the device certificate chain. After verification by the home gateway, the certificate chain hash is synchronized to the blockchain, providing a reliable basis for verification. The edge NDN router employs a hybrid verification path, prioritizing queries to the local SRAM certificate cache. If a cache miss occurs, lightweight proofs from blockchain light nodes are used to obtain information. Combined with a Bloom filter to cache certificate revocation status, the false positive rate is low, significantly improving certificate verification efficiency. For device trust assessment, the router calculates a real-time trust value based on device behavior time-series data, considering factors such as attenuation factors and the number of successful interactions. During device migration, the new gateway performs a weighted assessment by combining historical trust values ​​obtained from the blockchain with the real-time trust value, making the assessment more accurate and comprehensive. Meanwhile, dynamic naming prefix periodic updates and digitally signed interest packet construction ensure secure device login and migration. Different authentication strategies are adopted based on real-time trust values, flexibly adapting to various security needs and scenarios, comprehensively improving the security, efficiency, and reliability of smart home device login. This solves the problems of inefficient certificate verification mechanisms and inaccurate device trust assessment in existing technologies.

[0030] Figure 1 This is a flowchart illustrating a secure login method for smart home devices based on NDN, provided in an embodiment of this application.

[0031] like Figure 1 As shown, this NDN-based secure login method for smart home devices includes the following steps:

[0032] In step S101, the smart home device generates a key pair based on the NTRU algorithm. The private key is securely stored by the device, the public key is embedded in the device certificate chain, and the device certificate chain is submitted to the home gateway.

[0033] The NTRU algorithm is a lattice-based public-key encryption algorithm. The key pair consists of a private key and a public key. The private key is securely stored by the device and is used for operations such as encrypting and signing data. The public key is embedded in the device certificate chain and can be publicly used to verify signatures and encrypt data. The device certificate chain is a chain of multi-level certificates, containing device-related information and signatures of certificates at each level, used to prove the legitimacy of the device's identity. The public key embedded in it can ensure the authenticity and relevance of the public key.

[0034] It is understood that the key pair generated by the NTRU algorithm in this application embodiment utilizes its efficient encryption characteristics to adapt to the resource-constrained characteristics of smart home devices. The secure storage of the private key ensures that the device identity is unique and cannot be forged, while the public key embedded in the certificate chain binds the key to the device identity. The process of submitting the certificate chain to the home gateway is not only the first declaration of the device's legality, but also provides the original basis for subsequent gateway verification, dynamic naming allocation, and blockchain evidence storage.

[0035] In step S102, after the home gateway verifies the validity of the device certificate chain, it generates a dynamic naming prefix, stores the certificate chain, and synchronizes the certificate chain hash to the blockchain network.

[0036] The dynamic naming prefix is ​​updated periodically by the home gateway every 15-30 minutes. The dynamic naming prefix includes the spatial domain, device type, and unique identification information.

[0037] It is understood that in this embodiment, the home gateway verifies the validity of the device certificate chain, ensuring the legitimate identity of the access device and intercepting illegal devices at the source; it generates a dynamic naming prefix, which provides a unique and dynamically updated network identifier for the device, enhancing the security of the identity identifier; storing the certificate chain facilitates quick local query and verification, while synchronizing the certificate chain hash to the blockchain network, leveraging the immutability of the blockchain, permanently preserves the integrity and authenticity of the certificate chain, providing trusted data support for subsequent cross-gateway verification, device migration, and other scenarios, while simultaneously achieving distributed storage and traceability of the certificate chain, improving the security and reliability of the entire login system.

[0038] It's important to note that the dynamic naming prefix has a clear hierarchy and distinctiveness. The spatial domain (e.g., / livingroom / bedroom) precisely locates the physical position of the device, the device type (e.g., / camera / lock) clearly distinguishes the device's functional attributes, and the unique identification information (e.g., the hash value of the device's unique serial number) ensures the uniqueness of each device within the network. This structured naming method not only facilitates rapid device identification and routing in the NDN network but also allows for intuitive judgment of basic device information during device interactions, providing a basis for access control policy formulation. Furthermore, the periodic updates every 15-30 minutes significantly reduce the risk of malicious interception and reuse of the naming prefix. Even if prefix information is accidentally leaked, the automatic updates within a short timeframe can promptly cut off the imitation paths of unauthorized devices, further strengthening device identity security at the identification layer. This, combined with certificate chain verification and blockchain notarization mechanisms, constructs a multi-layered security protection system.

[0039] In step S103, the device constructs an interest packet with a digital signature using a dynamic naming prefix. After receiving the interest packet, the edge NDN router verifies the certificate chain through a hybrid verification path.

[0040] Interest packets can be data packets used to request data in an NDN network. Devices use dynamic naming prefixes to construct digitally signed interest packets containing relevant device identification information, which are used to request services or data from the network. The digital signature ensures the authenticity and integrity of the interest packets.

[0041] It is understood that in this embodiment, the device uses a dynamic naming prefix to construct a digitally signed interest packet. This not only ensures the timeliness and security of the device's identity by relying on the uniqueness and periodic update characteristics of the dynamic naming prefix, but also guarantees the authenticity and integrity of the interest packet through the digital signature, preventing tampering or forgery. After receiving the packet, the edge NDN router verifies the certificate chain through a hybrid verification path. It prioritizes querying the local SRAM cache to improve verification efficiency. If a match is missed, it uses the lightweight proof of the blockchain light node to obtain information. Combined with the immutability of the blockchain, it ensures the validity of the certificate chain. This approach reduces network transmission overhead and ensures the accuracy of verification, thereby building a security barrier at the device request stage. This lays a reliable foundation for subsequent trust assessment and authentication decisions, effectively improving the security and efficiency of the entire login process.

[0042] Specifically, the interest packet is named / {spatial domain} / {device type} / auth / {device fingerprint} / {timestamp}. The {device fingerprint} is generated by hashing hardware identifiers such as IMEI and MAC address using SHA-384, ensuring uniqueness without exposing the original information. The {timestamp} is accurate to milliseconds and valid for ±3 seconds, preventing replay attacks and avoiding malicious interception and reuse of the interest packet. The digital signature is generated by encrypting the interest packet name and payload with the device's private key. The edge NDN router decrypts and verifies the signature using the device certificate chain public key, and a matching verification ensures that the interest packet has not been tampered with and its origin is authentic.

[0043] In this embodiment, the hybrid verification path includes: firstly querying the local certificate cache of the edge NDN router, which is stored in SRAM; if the local certificate cache is not found, a certificate query request is initiated to the pre-configured blockchain light node, which uses a lightweight proof of MerklePatriciaTrie for the certificate query; and verifying whether the certificate chain root certificate matches the master certificate public key pre-stored in the home gateway.

[0044] Among them, the local certificate cache capacity is ≤15KB, the lightweight proof size of MerklePatriciaTrie is ≤600 bytes, and the cache of certificate revocation status by blockchain light nodes adopts a Bloom filter with a false positive rate of ≤0.05%.

[0045] Understandably, this application embodiment prioritizes querying the certificate cache stored in the local SRAM of the edge NDN router, leveraging the high-speed read / write characteristics of SRAM to achieve rapid certificate retrieval, significantly improving the verification efficiency of frequently accessed devices. When the local cache misses, a query is initiated to the blockchain light node, employing MerklePatriciaTrie lightweight proof. This reduces data transmission while ensuring the authenticity of the certificate chain through the immutability of the blockchain. Finally, the matching of the root certificate of the certificate chain with the public key of the master certificate pre-stored in the home gateway is verified, forming a three-layer verification mechanism of "efficient local query + distributed blockchain storage + authoritative root certificate verification." This reduces network load and response latency, and eliminates the risk of forged certificates passing verification through multi-layer verification, providing efficient and reliable proof of the device's identity legitimacy.

[0046] Specifically, the local certificate cache size is limited to ≤15KB, which satisfies the need to store certificates from frequently accessed devices while avoiding excessive cache size that consumes too many edge router resources. A precise caching strategy ensures fast retrieval of commonly used certificates, further optimizing verification response speed. The lightweight proof size of MerklePatriciaTrie is ≤600 bytes, significantly reducing data transmission during certificate lookup, minimizing network bandwidth usage, and making cross-node verification more efficient. This is particularly suitable for low-bandwidth communication scenarios between devices and edge nodes, and blockchain light nodes in smart home networks. The blockchain light node uses a Bloom filter to cache certificate revocation status with a false positive rate of ≤0.05%. This quickly filters revoked certificates, reduces invalid verification operations, and keeps the probability of incorrect judgments extremely low, ensuring verification accuracy while avoiding efficiency losses caused by frequent queries of the complete revocation list. These fine-tuned parameters achieve an optimal balance between efficiency, resource consumption, and security in the hybrid verification path, allowing the advantages of the three-layer verification mechanism to be fully realized.

[0047] In step S104, the router calculates a real-time trust value based on the device behavior time-series data. If the real-time trust value is greater than a preset threshold, it returns a quantum hybrid encrypted data packet; otherwise, it triggers infrared light coding secondary authentication.

[0048] The real-time trust value reflects the current level of trustworthiness of the device and is used to determine which authentication strategy to adopt. The preset threshold can be specifically defined, such as 70.

[0049] It is understood that the router in this application calculates a real-time trust value based on device behavior time-series data, comprehensively reflecting the current trust level of the device through multiple factors, and uses this as the basis for selecting authentication strategies: when the real-time trust value is greater than a preset threshold, a quantum hybrid encrypted data packet is returned, relying on high-security encryption technology to ensure data transmission; otherwise, infrared light coding secondary authentication is triggered, enhancing security through additional verification. This dynamically adaptable authentication mechanism not only adopts differentiated protection strategies for devices with different trust levels, ensuring efficient communication for highly trusted devices, but also strengthens verification for low-trust devices. It improves the security of the login process while also considering efficiency, and can adjust the protection level in real time through changes in trust value, forming a dynamic security barrier, effectively balancing the needs of security and convenience in smart home scenarios.

[0050] In this embodiment, the router calculates a real-time trust value based on device behavior time-series data. The formula for the real-time trust value is:

[0051]

[0052] Where α is the attenuation factor, N success F represents the number of successful interactions. abnormal For abnormal request frequency, Where β is the historical trust value, γ is the successful interaction coefficient, δ is the abnormal request coefficient, and R is the environmental risk coefficient. env It is an environmental risk factor.

[0053] Specifically, assuming there is a smart camera in the home network, the gateway (router) needs to calculate its real-time trust value to determine whether to grant it "cloud recording and uploading" permissions.

[0054] Initial values: α = 0.6, β = 2, γ = 3, δ = 1.5

[0055] Device trust value steadily increases: N success =10, F abnormal =0, R env =1

[0056] Substitute into the formula to calculate:

[0057] Therefore, with a trust value of 42.5, which is relatively high (assuming a threshold of 30 would grant access), the gateway directly allows the camera to upload recordings because it has a "clean history + current compliant behavior + safe environment," and is thus judged as a "trusted device."

[0058] In this embodiment of the application, the infrared light coding secondary authentication specifically includes: the gateway generating a random number sequence and sending the encoded infrared light signal at a specific frequency through an infrared transmitter; the device receiving and decoding the infrared light signal to obtain the random number sequence and encrypting and signing it using a private key; the device returning the encrypted signature through an NDN interest packet; the gateway verifying the signature using the device's public key; and the secondary authentication is completed if the verification is successful.

[0059] It is understood that in this application embodiment, infrared optical encoding secondary authentication forms a security closed loop through infrared signal interaction and encrypted signature verification between the gateway and the device. It utilizes the physical characteristics of infrared signals to reduce the risk of interception, and combines the one-time use of random numbers and the unforgeability of asymmetric encryption to provide additional verification for low-trust devices or non-compliant devices, effectively preventing imitation and unauthorized access, and strengthening the login security level.

[0060] Specifically, the gateway generates a 128-bit random number sequence, which is transmitted via an infrared transmitter at an industrial standard frequency of 38kHz. This frequency is commonly used in infrared communication, ensuring signal transmission stability and reducing interference with infrared signals from other household appliances. The infrared light signal uses Manchester encoding to convert the binary random number into a light pulse sequence. Each data bit corresponds to two pulse cycles, and high-low level transitions ensure accurate decoding by the device, avoiding misreading due to signal attenuation or noise. After receiving the signal, the device not only needs to correctly decode the random number sequence but also complete the private key encryption and signing within 5 seconds. The private key encryption process uses a combination of the NTRU algorithm and SHA-256 hashing to generate a 1024-bit digital signature, preserving the lightweight nature of the key while preventing signature tampering through hash operations. In the NDN interest packet returned by the device, the signature information is encapsulated in a dedicated signature field, forming an association verification with the interest packet naming prefix. During verification, the gateway first matches the legality of the naming prefix, then calls the public key in the device certificate chain to decrypt the signature, and compares the decryption result with the original random number sequence.

[0061] In step S105, when a device is migrated to a new gateway, the new gateway obtains the device's historical trust value and certificate chain through the blockchain network. The historical trust value is combined with the real-time trust value for weighted evaluation. If the evaluation result is higher than the migration trust threshold, authentication is completed quickly; otherwise, infrared light coding secondary authentication is triggered.

[0062] Among them, the migration trust threshold can be a threshold value preset by the new gateway to determine whether authentication is completed quickly during device migration.

[0063] Understandably, in this embodiment of the application, when a device is migrated to a new gateway, the new gateway leverages the immutability of blockchain to obtain the device's historical trust value and certificate chain, weighting these with the real-time trust value to form a comprehensive judgment on the device's trustworthiness. If the evaluation result is higher than the migration trust threshold, rapid authentication reduces redundant verification steps and improves the convenience of using the device across gateways; if the threshold is not reached, infrared light coding secondary authentication is triggered, using additional security checks to prevent potential risks. This mechanism utilizes blockchain to achieve reliable traceability and sharing of device trust information, and balances security and efficiency in migration scenarios through dynamic evaluation, ensuring that trusted devices can quickly access the new network while strengthening the control of risky devices, thus guaranteeing the overall security of the smart home cross-gateway environment.

[0064] In this embodiment of the application, device migration includes: the new gateway requiring the device to submit a migration request interest packet with a digital signature; verifying the migration request interest packet, calling the device certificate chain public key stored in the blockchain for matching, and if the device identity is consistent with the original network registration information, performing weighted evaluation authentication.

[0065] It is understood that the embodiments of this application ensure the authenticity and integrity of migration requests through digital signatures, and realize cross-gateway trusted verification of device identities by using public keys stored on the blockchain, thereby eliminating the risk of forged migration requests from the source; weighted evaluation is only performed after identity is confirmed to be consistent, which not only ensures the accuracy of the evaluation object, but also avoids invalid processing of illegal devices, further improving the security and efficiency of device migration authentication, and providing rigorous pre-verification guarantee for trusted migration of cross-gateway devices.

[0066] In this embodiment of the application, the weighted evaluation of historical trust values ​​combined with real-time trust values ​​includes: weighting the historical trust values ​​and real-time trust values, wherein the formula for weighted calculation is:

[0067] T 综合 =0.6T 历史 +0.4T 实时

[0068] Among them, T 历史 T represents the average historical trust value recorded by the blockchain. 实时 The real-time trust value calculated for the current gateway;

[0069] If the weighted calculation result is higher than the migration trust threshold preset by the new gateway, then the original network's partial authentication permission level will be used; otherwise, infrared optical encoding secondary authentication will be triggered.

[0070] Among them, the migration trust threshold can be a threshold value preset by the new gateway to determine whether authentication is completed quickly during device migration.

[0071] It is understood that the embodiments of this application calculate a weighted average of historical trust values ​​and real-time trust values, which can comprehensively assess the credibility of a device based on its past performance and current status. If the result is higher than the migration trust threshold, the original network's authentication permission level is retained, enabling quick login after device migration and improving convenience. If the threshold is not reached, infrared optical encoding secondary authentication is triggered, strengthening security through additional verification. This approach simplifies the migration process of trusted devices by utilizing historical trust, while also preventing potential risks through secondary authentication, balancing security and efficiency in device migration scenarios and ensuring the reliability and flexibility of cross-gateway login.

[0072] This application provides a secure login method for smart home devices based on NDN. It utilizes the NTRU algorithm to generate key pairs and embeds the public key into the device certificate chain. After verification by the home gateway, the certificate chain hash is synchronized to the blockchain, providing a reliable basis for verification. The edge NDN router employs a hybrid verification path, prioritizing queries to the local SRAM certificate cache. If a cache miss occurs, lightweight proofs from blockchain light nodes are used to obtain information. Combined with a Bloom filter to cache certificate revocation status, the false positive rate is low, significantly improving certificate verification efficiency. For device trust assessment, the router calculates a real-time trust value based on device behavior time-series data, considering factors such as attenuation factors and the number of successful interactions. During device migration, the new gateway performs a weighted assessment combining historical trust values ​​obtained from the blockchain with the real-time trust value, making the assessment more accurate and comprehensive. Simultaneously, dynamic naming prefix periodic updates and the construction of interest packets with digital signatures ensure secure device login and migration. Different authentication strategies are adopted based on the real-time trust value, flexibly adapting to different security requirements and comprehensively improving the security, efficiency, and reliability of smart home device login. This solves the problems of inefficient certificate verification mechanisms and inaccurate device trust assessment in existing technologies.

[0073] The following example illustrates the secure login method for NDN-based smart home devices. Taking the process of a certain brand of smart camera connecting to a home network and migrating to a new gateway as an example, the practical application of the NDN-based secure login method for smart home devices will be explained in detail:

[0074] Initial device login process:

[0075] Key generation and certificate submission (step S101): The smart camera generates a key pair based on the NTRU algorithm. The private key is stored in the device's built-in security chip, and the public key is embedded in a certificate chain consisting of the manufacturer's root certificate, the device model certificate, and the device's individual certificate. After the device starts up, it submits this certificate chain to the home gateway. The certificate chain contains identification information such as the camera's MAC address and serial number.

[0076] Gateway Verification and Information Synchronization (Step S102): After receiving the certificate chain, the home gateway verifies the signature validity of each level of certificate. Upon confirmation, it generates a dynamic naming prefix: / livingroom / camera / auth / 8f7d3e... / 1620000000000 (where 8f7d3e... is the device fingerprint obtained by hashing the device's MAC address using SHA-384, and 1620000000000 is the timestamp), and updates it every 20 minutes. Simultaneously, the gateway stores the certificate chain and synchronizes its hash value a1b2c3... to the blockchain network.

[0077] Interest Packet Construction and Certificate Verification (Step S103): The camera constructs an interest packet with a digital signature using a dynamic naming prefix and requests the "cloud video upload" service. The digital signature of the interest packet is generated by encrypting the naming and payload parts with the device's private key. After receiving the packet, the edge NDN router first queries its local 15KB SRAM certificate cache. Since this is the first access, it misses the cache. Therefore, it queries the blockchain light node and obtains the certificate chain information through a lightweight proof of MerklePatriciaTrie (within 600 bytes). Finally, it verifies that the root certificate of the certificate chain matches the manufacturer's certificate public key pre-stored in the gateway, thus completing the certificate verification.

[0078] Trust Assessment and Authentication Response (Step S104): The router calculates a real-time trust value based on the camera's behavioral time-series data, obtaining a real-time trust value of 29.5. Since the preset threshold is 30, the real-time trust value is slightly low, triggering infrared optical encoding secondary authentication. The gateway generates a 128-bit random number sequence and transmits it via a 38kHz infrared transmitter using Manchester encoding. After receiving and decoding, the camera generates a 1024-bit digital signature within 5 seconds using its private key (NTRU algorithm combined with SHA-256 hash) and returns it via an NDN interest packet. The gateway verifies that the signature matches the original random number using its device public key, completing the secondary authentication and allowing the camera to upload video recordings.

[0079] Equipment relocation process

[0080] When the camera is brought to the new home and connected to the new gateway:

[0081] Migration Request and Authentication: The new gateway requires cameras to submit migration request interest packets with digital signatures. During verification, it calls the public key of the certificate chain stored on the blockchain to confirm that the device identity is consistent with the original network registration information.

[0082] Trust-Weighted Assessment and Authentication: The new gateway obtains the historical average trust value T of the cameras from the blockchain. historγ =75, combined with the currently calculated real-time trust value T realtime=65, calculated using the weighted formula T = 0.4 × 75 + 0.6 × 65 = 30 + 39 = 69. If the new gateway's preset migration trust threshold is 60, and the evaluation result 69 is higher than the threshold, authentication is completed quickly, and the original network's "720P video upload" permission is retained; if the threshold is set to 70, infrared light coding secondary authentication is triggered, and access is only allowed after passing the authentication.

[0083] In summary, a multi-stage collaborative secure login mechanism is formed by generating a key pair using the NTRU algorithm and submitting a certificate chain containing the public key. After verification by the home gateway, a dynamic naming prefix is ​​generated and the certificate chain hash is synchronized to the blockchain. Certificate verification is completed using the hybrid verification path of the edge NDN router. Then, the real-time trust value is used to determine whether to trigger infrared light coding secondary authentication. When migrating to a new gateway, the new gateway verifies the device identity through the blockchain and determines the authentication method by combining historical and real-time trust value weighted evaluation.

[0084] Next, referring to the accompanying drawings, we describe the NDN-based smart home device secure login system proposed according to the embodiments of this application.

[0085] This application provides an NDN-based secure login system for smart home devices, such as... Figure 2 As shown, the NDN-based smart home device security login system 10 includes: a generation module 100, a storage module 200, a verification module 300, a calculation module 400, and an authentication module 500.

[0086] The system comprises the following modules: Generation module 100 generates a key pair for smart home devices based on the NTRU algorithm. The private key is securely stored by the device, and the public key is embedded in the device's certificate chain. The device's certificate chain is then submitted to the home gateway. Storage module 200 generates a dynamic naming prefix, stores the certificate chain, and synchronizes the certificate chain hash to the blockchain network after the home gateway verifies the validity of the device's certificate chain. Verification module 300 constructs a digitally signed interest packet using the dynamic naming prefix. After receiving the interest packet, the edge NDN router verifies the certificate chain through a hybrid verification path. Calculation module 400 calculates a real-time trust value based on the device's behavior time-series data. If the real-time trust value is greater than a preset threshold, a quantum hybrid encrypted data packet is returned; otherwise, infrared light coding secondary authentication is triggered. Authentication module 500 is used when a device is migrated to a new gateway. The new gateway obtains the device's historical trust value and certificate chain through the blockchain network. The historical trust value is combined with the real-time trust value for a weighted evaluation. If the evaluation result is higher than the migration trust threshold, authentication is quickly completed; otherwise, infrared light coding secondary authentication is triggered.

[0087] It should be noted that the foregoing explanation of the NDN-based smart home device secure login method embodiment also applies to the NDN-based smart home device secure login system of this embodiment, and will not be repeated here.

[0088] This application proposes an NDN-based secure login system for smart home devices. It utilizes the NTRU algorithm to generate key pairs and embeds the public key into the device certificate chain. After verification by the home gateway, the certificate chain hash is synchronized to the blockchain, providing a reliable basis for verification. The edge NDN router employs a hybrid verification path, prioritizing queries to the local SRAM certificate cache. If a cache miss occurs, lightweight proofs from blockchain light nodes are used to obtain information. Combined with a Bloom filter to cache certificate revocation status, the system achieves a low false positive rate, significantly improving certificate verification efficiency. For device trust assessment, the router calculates a real-time trust value based on device behavior time-series data, considering factors such as attenuation factors and the number of successful interactions. During device migration, the new gateway performs a weighted assessment combining historical trust values ​​obtained from the blockchain with the real-time trust value, resulting in a more accurate and comprehensive evaluation. Furthermore, dynamic naming prefix periodic updates and the construction of interest packets with digital signatures ensure secure device login and migration. Different authentication strategies are adopted based on the real-time trust value, flexibly adapting to different security requirements and comprehensively improving the security, efficiency, and reliability of smart home device login. This solves the problems of inefficient certificate verification mechanisms and inaccurate device trust assessment in existing technologies.

[0089] Figure 3 A schematic diagram of the structure of an electronic device provided in an embodiment of this application. The electronic device may include:

[0090] The memory 301, the processor 302, and the computer program stored on the memory 301 and capable of running on the processor 302.

[0091] When the processor 302 executes the program, it implements the NDN-based smart home device secure login method provided in the above embodiments.

[0092] Furthermore, electronic devices also include:

[0093] Communication interface 303 is used for communication between memory 301 and processor 302.

[0094] The memory 301 is used to store computer programs that can run on the processor 302.

[0095] The memory 301 may include high-speed RAM (Random Access Memory) and may also include non-volatile memory, such as at least one disk storage.

[0096] If the memory 301, processor 302, and communication interface 303 are implemented independently, then the communication interface 303, memory 301, and processor 302 can be interconnected via a bus to complete communication between them. The bus can be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus, etc. The bus can be divided into address bus, data bus, control bus, etc. For ease of representation, Figure 3 The bus is represented by a single thick line, but this does not mean that there is only one bus or one type of bus.

[0097] Optionally, in a specific implementation, if the memory 301, processor 302, and communication interface 303 are integrated on a single chip, then the memory 301, processor 302, and communication interface 303 can communicate with each other through an internal interface.

[0098] Processor 302 may be a CPU (Central Processing Unit), an ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of this application.

[0099] In the description of this specification, the references to "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of this application. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Moreover, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of different embodiments or examples.

[0100] Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one of that feature. In the description of this application, "multiple" means at least two, such as two, three, etc., unless otherwise explicitly specified.

[0101] Any process or method description in the flowchart or otherwise herein can be understood as representing a module, segment, or portion of code comprising one or more executable instructions for implementing custom logic functions or processes, and the scope of the preferred embodiments of this application includes additional implementations in which functions may be performed not in the order shown or discussed, including substantially simultaneously or in reverse order depending on the functions involved, as should be understood by those skilled in the art to which embodiments of this application pertain.

[0102] It should be understood that various parts of this application can be implemented using hardware, software, firmware, or a combination thereof. In the above embodiments, multiple steps or methods can be implemented using software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware as in another embodiment, it can be implemented using any one or a combination of the following techniques known in the art: discrete logic circuits having logic gates for implementing logical functions on data signals, application-specific integrated circuits (ASICs) having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), etc.

[0103] Those skilled in the art will understand that all or part of the steps of the methods described in the above embodiments can be implemented by a program instructing related hardware, and the program can be stored in a computer-readable storage medium. When executed, the program includes one or a combination of the steps of the method embodiments.

[0104] Although embodiments of this application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting this application. Those skilled in the art can make changes, modifications, substitutions and variations to the above embodiments within the scope of this application.

Claims

1. A secure login method for smart home devices based on NDN, characterized in that, Includes the following steps: Smart home devices generate key pairs based on the NTRU algorithm. The private key is securely stored by the device, and the public key is embedded in the device certificate chain. The device certificate chain is then submitted to the home gateway. After verifying the validity of the device certificate chain, the home gateway generates a dynamic naming prefix, stores the certificate chain, and synchronizes the certificate chain hash to the blockchain network. The device constructs digitally signed interest packets using a dynamic naming prefix. After receiving the interest packets, the edge NDN router verifies the certificate chain through a hybrid verification path. This hybrid verification path includes: firstly querying the edge NDN router's local certificate cache, which is stored in SRAM; if the local certificate cache is not found, initiating a certificate query request to a pre-configured blockchain light node, which uses a lightweight proof of MerklePatriciaTrie for certificate lookup; and verifying whether the root certificate of the certificate chain matches the pre-stored master certificate public key on the home gateway. The local certificate cache size is ≤15KB, the lightweight proof of MerklePatriciaTrie size is ≤600 bytes, and the blockchain light node uses a Bloom filter for caching certificate revocation status, with a false positive rate ≤0.05%. The router calculates a real-time trust value based on device behavior time-series data. If the real-time trust value is greater than a preset threshold, it returns a quantum hybrid encrypted data packet; otherwise, it triggers infrared light coding secondary authentication. When a device is migrated to a new gateway, the new gateway obtains the device's historical trust value and certificate chain through the blockchain network. The historical trust value is combined with the real-time trust value for a weighted evaluation. If the evaluation result is higher than the migration trust threshold, authentication is completed quickly; otherwise, infrared light coding secondary authentication is triggered.

2. The secure login method for smart home devices based on NDN according to claim 1, characterized in that, The historical trust value is combined with the real-time trust value for a weighted evaluation, including: The historical trust value and the real-time trust value are weighted and calculated. The formula for the weighted calculation is as follows: ； in, The average historical trust value recorded by the blockchain. The real-time trust value calculated for the current gateway; If the weighted calculation result is higher than the migration trust threshold preset by the new gateway, then the original network's partial authentication permission level will be used; otherwise, infrared optical encoding secondary authentication will be triggered.

3. The secure login method for smart home devices based on NDN according to claim 1, characterized in that, Infrared optical coding secondary authentication specifically includes: The gateway generates a random number sequence and transmits the encoded infrared light signal at a specific frequency via an infrared transmitter. The device receives and decodes infrared light signals to obtain a random number sequence, which is then encrypted and signed using a private key. The device returns an encrypted signature via NDN interest packets. The gateway verifies the signature using the device's public key. If the verification is successful, the secondary authentication is completed.

4. The secure login method for smart home devices based on NDN according to claim 1, characterized in that, Equipment migration includes: The new gateway requires devices to submit migration request interest packets with digital signatures; The migration request interest packet is verified by calling the public key of the device certificate chain stored on the blockchain for matching. If the device identity matches the original network registration information, a weighted evaluation and authentication is performed.

5. The secure login method for smart home devices based on NDN according to claim 1, characterized in that, The router calculates the real-time trust value based on device behavior time-series data. The formula for the real-time trust value is: ； in, As the attenuation factor, Number of successful interactions For abnormal request frequency, Historical trust value, The success rate of the interaction is determined by the coefficient. For abnormal requests, For environmental risk coefficient, It is an environmental risk factor.

6. The secure login method for smart home devices based on NDN according to claim 1, characterized in that, The dynamic naming prefix is ​​updated periodically by the home gateway every 15-30 minutes. The dynamic naming prefix includes the spatial domain, device type, and unique identification information.

7. A system for a secure login method for smart home devices based on NDN, applicable to any one of claims 1-6, characterized in that, include: The generation module is used by smart home devices to generate key pairs based on the NTRU algorithm. The private key is securely stored by the device, the public key is embedded in the device certificate chain, and the device certificate chain is submitted to the home gateway. The storage module is used by the home gateway to generate a dynamic naming prefix after verifying the validity of the device certificate chain, store the certificate chain, and synchronize the certificate chain hash to the blockchain network. The verification module is used by the device to construct digitally signed interest packets using a dynamic naming prefix. After receiving the interest packets, the edge NDN router verifies the certificate chain through a hybrid verification path. The hybrid verification path includes: firstly querying the edge NDN router's local certificate cache, which is stored in SRAM; if the local certificate cache is not found, initiating a certificate query request to a pre-configured blockchain light node, which uses a lightweight proof of MerklePatriciaTrie for certificate query; and verifying whether the root certificate of the certificate chain matches the public key of the master certificate pre-stored in the home gateway. The local certificate cache size is ≤15KB, the lightweight proof of MerklePatriciaTrie size is ≤600 bytes, and the blockchain light node uses a Bloom filter for caching certificate revocation status, with a false positive rate of ≤0.05%. The calculation module is used by the router to calculate the real-time trust value based on the device behavior time-series data. If the real-time trust value is greater than the preset threshold, it returns a quantum hybrid encrypted data packet; otherwise, it triggers infrared light coding secondary authentication. The authentication module is used when a device is migrated to a new gateway. The new gateway obtains the device's historical trust value and certificate chain through the blockchain network. The historical trust value is combined with the real-time trust value for a weighted evaluation. If the evaluation result is higher than the migration trust threshold, authentication is completed quickly; otherwise, infrared light coding secondary authentication is triggered.

8. An electronic device, characterized in that, include: A memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement a secure login method for an NDN-based smart home device as claimed in any one of claims 1-6.

Images