A lightweight identity authentication and key agreement method for smart medical treatment

By employing a lightweight authentication and key negotiation method based on elliptic curve cryptography, combined with gateway-assisted third-party authentication and fuzzy biometric extraction, the problems of high computational overhead and insufficient security in smart healthcare systems are solved. This method achieves efficient and secure authentication and key negotiation, adaptable to the deployment of resource-constrained medical sensor nodes and mobile terminals.

CN122394801APending Publication Date: 2026-07-14NANKAI UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NANKAI UNIV
Filing Date
2026-03-09
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In existing smart healthcare systems, identity authentication and key negotiation methods suffer from high computational and communication overhead, slow protocol response, insufficient anti-attack capabilities, and limited deployment applicability, making it difficult to meet the real-time monitoring and remote diagnosis and treatment needs of resource-constrained medical sensor nodes and mobile terminals.

Method used

We adopt a lightweight authentication and key negotiation method based on elliptic curve cryptography. Through a gateway node-assisted third-party authentication architecture, combined with biometric fuzzy extraction and pseudo-identity protection mechanisms, we use a random number-driven session key generation method to reduce computation and communication overhead and improve security and real-time performance.

Benefits of technology

It significantly reduces the system's computational and communication overhead, improves the protocol's execution efficiency and security, effectively resists attacks, adapts to the deployment needs of resource-constrained medical sensor nodes and mobile terminals, and meets the real-time and security requirements of smart healthcare environments.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394801A_ABST
    Figure CN122394801A_ABST
Patent Text Reader

Abstract

The application discloses a lightweight identity authentication and key agreement method for smart medical treatment, and through designing an efficient identity authentication and session key agreement mechanism, the application significantly reduces the calculation complexity and communication overhead while ensuring security. The method combines lightweight cryptographic technologies such as random numbers, hash functions and symmetric ciphers to realize bidirectional identity authentication and secure session key agreement among multiple participants, and effectively provides forward security, known key security and session key untraceability. Even if part of the long-term key is leaked, the historical communication content cannot be restored, thereby improving the overall security and robustness of the system. The application has the advantages of simple implementation, low deployment cost, strong applicability and the like, and can be widely applied to smart medical treatment remote diagnosis and treatment, wearable health monitoring and medical Internet of Things and the like, and has good application prospect and popularization value.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of Internet of Things (IoT) technology, and in particular to a lightweight identity authentication and key negotiation method for smart healthcare. Background Technology

[0002] With the development of smart healthcare and medical IoT technologies, remote monitoring systems deploy sensor nodes at the patient's end and interact with the user terminal via a gateway to achieve real-time collection, transmission, and analysis of the patient's vital signs. These systems typically operate in open wireless network environments, where medical data is at risk of being eavesdropped on, tampered with, or forged during transmission. Therefore, secure communication channels need to be established through identity authentication and key negotiation mechanisms.

[0003] In existing smart healthcare systems, identity authentication technology has evolved from single-factor authentication to multi-factor authentication. Early technologies primarily relied on passwords for identity verification, subsequently incorporating smart cards, biometrics, and other authentication factors to enhance security. In cryptography, symmetric encryption algorithms and public-key cryptography are widely used for authentication and key negotiation. Among these, elliptic curve cryptography, due to its short key length and high computational efficiency, has become a commonly used security technology foundation in resource-constrained sensor networks.

[0004] Furthermore, in existing smart healthcare remote diagnostic systems, communication between user terminals, gateways, and sensor nodes often relies on open wireless networks. Medical data is vulnerable to security attacks such as eavesdropping, tampering, replay attacks, and impersonation during transmission, making it difficult to effectively guarantee patient privacy and the security of diagnostic data. Simultaneously, medical sensor nodes are typically located in resource-constrained environments, and existing authentication and key negotiation methods generally suffer from high computational complexity and communication overhead, failing to meet the real-time and low-energy consumption requirements of smart healthcare scenarios. Moreover, some existing solutions have inadequate designs in identity authentication and key management mechanisms, making it difficult to simultaneously achieve bidirectional identity authentication and secure session key negotiation among multiple participants, and failing to effectively provide security guarantees such as forward security, known key security, and key untraceability. In long-term operation, if keys are leaked or attacked, historical communication content may be recovered, significantly degrading the overall system security.

[0005] In smart healthcare environments, while existing authentication and key negotiation methods can achieve secure communication between users, gateways, and sensor nodes to a certain extent, they still have several technical shortcomings. Due to the limited resources of numerous sensor nodes and mobile terminals in smart healthcare systems, existing solutions struggle to balance security, efficiency, and scalability when facing application scenarios involving real-time monitoring, remote diagnosis and treatment, and high-frequency data transmission. Therefore, existing methods remain significantly inadequate in ensuring the confidentiality, integrity, and availability of patient data, and cannot fully meet the demands of smart healthcare environments for lightweight, efficient, and secure authentication and key negotiation mechanisms. Existing authentication and key negotiation methods suffer from the following technical drawbacks:

[0006] (1) High computational and communication overhead: Existing protocols usually require multiple rounds of elliptic curve operations and message exchange, especially in the process of bidirectional authentication and session key negotiation between users, gateways and sensor nodes, the computational and communication burden is heavy.

[0007] (2) Insufficient security or limited resistance to attacks: Some existing solutions do not fully consider forward security, temporary random number leakage, sensor node capture attacks and identity impersonation attacks.

[0008] (3) Slow protocol response speed and insufficient real-time performance: Multiple rounds of interaction and complex encryption operations result in high delays in identity authentication and key negotiation.

[0009] (4) Limited deployment and applicability: Existing solutions have high hardware resource requirements and are difficult to deploy widely on low-power sensors or mobile terminals. Summary of the Invention

[0010] To address the shortcomings of existing technologies, the main objective of this invention is to solve the problems of high computational overhead, slow protocol response, insufficient anti-attack capabilities, and limited deployment applicability of existing identity authentication and key negotiation methods in smart healthcare environments. This invention proposes a lightweight authentication and key negotiation method for smart healthcare environments, which reduces computational and communication overhead while ensuring security, and enables secure interaction between users, gateways, and sensor nodes, thereby improving the security, stability, and deployability of smart healthcare remote diagnostic systems.

[0011] The technical solution adopted in this invention is:

[0012] A lightweight identity authentication and key negotiation method for smart healthcare includes the following steps:

[0013] Step S1: System Initialization and Entity Registration

[0014] In a smart healthcare environment, gateway nodes and sensor devices Through the registration center Perform offline secure registration at the registration center. Store registration information in the gateway node. This is to support subsequent communication authentication;

[0015] Among them, gateway node As a user and sensor devices The core nodes for communication between them need to go through the registry center. Register, Registration Center Further for gateway nodes Assign a unique parent key And randomly generate a 1024-bit key. Used for gateway nodes and users Authentication between them, ultimately, the gateway node Will The information is stored in its memory; among which, This is a shared key between the gateway and the user. A unique identifier for sensor devices; This is a shared key between the gateway and the sensor devices;

[0016] Step S2: User Registration

[0017] In this step, the user With sensor devices The mutual authentication process between them first requires users In the registration center To complete the registration process, please follow these steps:

[0018] (1) User terminal operation: user First, enter your account information into the registration center. Registration Center The device generates false identity information for the user and transmits the false identity information to the registration center through a secure channel. ;

[0019] (2) Registration Center Processing: Registration Center After receiving a user registration request, the calculated user information parameters are stored in the smart card. In the middle, finally, the smart card Transmitted to the user via a secure channel ;

[0020] (3) Local computation by the user: user Received from the registry center After obtaining the parameters, update the user information parameters and... Information stored in smart card In the middle, complete the user registration process;

[0021] Step S3: Local User Login Verification

[0022] First, users smart card Insert the device and enter its identification identifier. ,password and bioinformatics Next, the device uses data stored on the smart card. Calculate random numbers from the information in the data. And based on bioinformatics Generate biometric keys Then, the device calculates the false identity. pseudo-code and verification parameters and the calculated verification parameters Verification parameters stored in the smart card The system compares the results; if they match, the user authentication is successful and the user is legitimate; otherwise, the login fails.

[0023] Step S4: Authentication between the user and the gateway

[0024] After receiving the information from the user, the gateway first verifies the timestamp. Freshness, check Whether it is valid, Represents the current local time of the gateway. This represents the maximum allowed time deviation. Then, the gateway calculates the authentication intermediate value generated by the user. and using the gateway's private key Calculate temporary public key parameters and random numbers Finally, the gateway calculates the false identity. By comparing false identities Does this equate to a fake identity? To verify users The legitimacy;

[0025] Step S5: Identity authentication between the gateway and the sensor

[0026] Sensor devices Upon receiving a message from the gateway, first check the timestamp. Freshness, verification , Represents the current local time of the gateway. This represents the maximum allowed time deviation, and then the sensor node's private key is used. Decrypting the shared point parameters of an elliptic curve and the temporary public key parameters Decrypt to obtain , This represents a decryption operation. A unique identifier representing a sensor device. This represents the shared key between the gateway and the sensor devices. This represents the decrypted information. and Representing a random number, the temporary session verification parameters are then calculated. And verify the temporary session verification parameters. Is it related to temporary session parameters? equal;

[0027] Step S6: Authentication and key establishment between the sensor and the user

[0028] After receiving a message from the sensor node, the user first checks the timestamp. Freshness, verification , Represents the current local time of the gateway. This represents the maximum permissible time deviation. Then, the user decrypts the encrypted authentication response sent by the sensor node. ,get , This represents a decryption operation. Represents a random number. This represents the encapsulated information and verifies the random number verification parameters. Is it the same as the original random number? If they are equal, the user generates a session key. And calculate user verification information By comparing user authentication information Is it consistent with the user authentication information generated by the original sensor node? The validity of the sensor node is verified by equality. If the verification passes, the session key is used. In users and sensor nodes A successful connection was established between them.

[0029] Furthermore, in step S1 of the present invention, when the sensor device is... Before deployment to the system, the registry center For each sensor device Assign a unique identifier Meanwhile, the registration center gateway node and sensor devices Generate and select a secret key between them. and will Stored in sensing devices In memory.

[0030] Furthermore, in step S2 of this invention, the specific user registration process is as follows:

[0031] (1) User terminal operation: user First, enter their identity identifier. ,password and biometric information Next, the device generates a random number. And calculate fuzzy extraction parameters through algorithms. , Algorithms for generating biometric information. and This represents a secret value extracted from biometrics. To protect user privacy, the device generates a pseudo-identity for the user. and pseudo-codes , respectively and These false identity information It will be transmitted to the registration center via a secure channel;

[0032] (2) Registration Center Processing: After receiving a user registration request, the registration center first processes the request for the gateway node. and users Generate a shared key between them Then calculate the parameters. Next, the registration center Will Stored in the gateway node In, at the same time, the parameters Stored in smart card In the middle, finally, the smart card Transmitted to the user via a secure channel ;

[0033] (3) Local computation by the user: user Received from the registry center After obtaining the parameters, the local parameters used to verify the user password and random number are first calculated. and according to the provided password and biometric keys Update parameters Get the updated parameters Then, the user calculates the verification parameters. and will Store to smart card In the middle, complete the user registration process.

[0034] Furthermore, in step S3 of the present invention, if the verification passes, the following operations are performed: first, the parameters are calculated. Then, the temporary public key parameters are calculated using the elliptic curve cryptography algorithm. and Next, calculate the authentication median. Generate a random number and timestamp And calculate the user-generated dynamic authentication parameters. Obfuscation parameters used to hide user-generated random numbers and user-generated gateway verification information Finally, the message Send to the gateway node via a public channel and through the gateway node With sensor nodes Establish a session key.

[0035] Furthermore, in step S4 of this invention, if the verification passes, the gateway node... Generate random numbers and timestamp And calculate the temporary session parameters generated by the gateway node. Next, the gateway node Calculate public key parameters based on temporary elliptic curves Sharing point parameters with elliptic curves and messages And through encrypted calculation, an encrypted message containing random numbers and identity information is obtained. Ultimately, the gateway will send the message. Transmitted to sensor nodes via public channel .

[0036] Furthermore, in step S5 of this invention, if the verification passes, it indicates that... Valid, then the sensor node generates random numbers. and timestamp And calculate the session key. After generating the session key, the sensor node... Encryption is performed, and an encryption authentication response is obtained. and generate verification information. ,in, A unique identifier representing a sensor device. Representative on the message After the hash encryption operation, the sensor node finally sends the message. Sent to users via public channels.

[0037] The technical effects achieved by this invention are:

[0038] The present invention is based on elliptic curve cryptography, multi-factor authentication and optimized protocol flow. It achieves efficient design of authentication and session key negotiation for users, gateways and sensor nodes, while taking into account the needs of security and resource-constrained environments.

[0039] This invention addresses the challenges of limited resources for users, gateways, and sensor nodes in smart healthcare environments, the high degree of communication openness, and the high sensitivity of patient data. It employs a lightweight authentication and key negotiation mechanism based on elliptic curve cryptography, significantly reducing system computation and communication overhead while ensuring communication security. By introducing a gateway-assisted three-party authentication architecture, complex public key operations are centralized on the computationally powerful gateway node. Sensor nodes only need to perform lightweight operations such as hashing and symmetric encryption, effectively improving the protocol's operational efficiency and practical deployability in medical sensor networks. This solves the problems of high authentication overhead and difficulty in meeting real-time monitoring requirements in existing technologies.

[0040] Furthermore, this invention achieves multi-layered protection for user privacy and communication keys by combining fuzzy biometric extraction, pseudo-identity protection mechanisms, and a session key generation method involving multiple random numbers. Since each session generates an independent and unpredictable session key, and identity information is always used in calculations as a pseudo-identity during authentication, this invention effectively resists impersonation attacks, replay attacks, temporary random number leakage attacks, and node capture attacks, significantly improving the system's security and robustness during long-term operation. In summary, this invention outperforms existing smart healthcare identity authentication and key negotiation schemes in terms of security, efficiency, and practicality, and better meets the application needs of smart healthcare remote monitoring and diagnosis scenarios. Attached Figure Description

[0041] Figure 1 This is a flowchart of the lightweight identity authentication and key negotiation method for smart healthcare proposed in this invention. Detailed Implementation

[0042] The technical solution of the present invention will be further described below with reference to the accompanying drawings.

[0043] This invention proposes a lightweight authentication and key negotiation method for smart healthcare environments. It uses Elliptic Curve Cryptography (ECC) to encrypt critical information (user identity, sensor device identity, gateway node identity, etc.) during communication, achieving secure and efficient communication between users, gateways, and sensor nodes. The method mainly comprises four stages: initialization and entity registration, user registration, local user login verification, and identity authentication. Implementing this method involves four entities: a registration center, users, gateway nodes, and sensor nodes.

[0044] For details, please see the appendix. Figure 1 The method of the present invention is implemented through the following steps:

[0045] Step S1: System Initialization and Entity Registration

[0046] In a smart healthcare environment, the gateway node of this invention and sensor devices Through the registration center Perform offline security registration. (Register the sensor device.) Before deployment to the system, the registry center For each sensor device Assign a unique identifier Meanwhile, the registration center gateway node and sensor devices Generate and select a secret key between them. and will Stored in sensor devices In memory. Furthermore, the registry center. This information is also stored on the gateway node. This is to support subsequent communication authentication.

[0047] Gateway Node As a user and sensor devices The core node for communication between them also needs to go through the registry center. Register. Registration Center Further for gateway nodes Assign a unique parent key And randomly generate a 1024-bit key. Used for gateway nodes and users Authentication between them. Ultimately, the gateway node... Will The information is stored in its memory.

[0048] Step S2: User Registration

[0049] In this stage, users With sensor devices The mutual authentication process between them first requires users In the registration center Complete the registration process. The specific steps are as follows:

[0050] (1) User terminal operation: user First, enter their identity identifier. ,password and biometric information Next, the device generates a random number. And calculate fuzzy extraction parameters through algorithms. .in, Represents a biometric key. This represents auxiliary reconstruction parameters. To protect user privacy, the device generates a pseudo-identity for the user. and pseudo-codes , respectively and ,in This represents a hash operation. These are pseudo-identity information. It will be transmitted to the registration center via a secure channel.

[0051] (2) Registration Center Processing: Registration Center Upon receiving a user registration request, the first step is to process the gateway node. and Generate a shared key between them Then calculate the parameters. Next, the registration center. Will Stored in the gateway node In, at the same time, the parameters Stored in smart card In the middle. Finally, the smart card. Transmitted to the user via a secure channel .

[0052] (3) Local computation by the user: user Received from the registry center After obtaining the parameters, the local parameters used to verify the user password and random number are first calculated. and according to the provided password and biometric keys Update parameters Get the updated parameters Subsequently, the user calculates verification parameters generated based on the pseudo-identity and biometric key. and will Store to smart card In the middle, complete the user registration process.

[0053] Step S3: Local User Login Verification

[0054] After completing registration, users can log in. First, the user... smart card Insert the device and enter its identification identifier. ,password and biometric information Next, the device uses data stored on the smart card. Calculate random numbers from the information in the data. , Local parameters used for verifying user passwords and random numbers, and based on biometric information. Generate biometric keys The device then calculates the false identity. pseudo-code as well as The calculated verification parameters generated based on the pseudo-identity and biometric key will be used. Verification parameters stored in the smart card The comparison is performed. If they match, the user authentication was successful and the user is legitimate; otherwise, the login failed.

[0055] If the verification passes, the device continues to perform the following operations, first calculating... Then, the elliptic curve cryptography algorithm is used to calculate... and ,in and These are temporary public key parameters generated based on elliptic curve scalar multiplication. is a generator (base point) on an elliptic curve. The system provides publicly available elliptic curve parameter points; next, it calculates the user-generated authentication intermediate values. The device generates a random number. and timestamp And calculate the user-generated dynamic authentication parameters. Obfuscation parameters used to hide user-generated random numbers and user-generated gateway verification information Finally, the device sends the authentication request message from the user to the gateway node. Send to the gateway node via a public channel and through the gateway node With sensor nodes Establish a session key.

[0056] The authentication phase in the method of this invention includes authentication between the user and the gateway, authentication between the gateway and the sensor, and authentication and key establishment between the sensor and the user. Specifically:

[0057] Step S4: Authentication between the user and the gateway

[0058] After receiving the information from the user, the gateway first verifies the timestamp. Freshness, check Is it true or false? Then, the gateway calculates. and using the gateway's private key calculate and random numbers Furthermore, the gateway calculates the false authentication information. By comparison Does this equate to a fake identity? To verify users The gateway node verifies the validity of the data. If the verification passes, the gateway node... Generate random numbers and timestamp And calculate the temporary session parameters generated by the gateway node. Next, the gateway node. Calculate public key parameters based on temporary elliptic curves Sharing point parameters with elliptic curves and messages And through encrypted calculation, an encrypted message containing random numbers and identity information is obtained. Ultimately, the gateway will send the message. Transmitted to sensor nodes via public channel .

[0059] Step S5: Identity authentication between the gateway and the sensor

[0060] sensor nodes Upon receiving a message from the gateway, first check the timestamp. Freshness, verification Then, using the sensor node's private key. Decrypting the shared point parameters of an elliptic curve and the temporary public key parameters Decrypt to obtain Next, the temporary session verification parameters generated by the gateway node are calculated. and verify Whether or not They are equal. If the verification passes, it means the gateway node... Legal. Afterwards, the sensor node... Generate random numbers and timestamp And calculate the session key. Generate session key Afterwards, the sensor nodes... Encryption is performed to obtain the encrypted authentication response sent by the sensor node to the user. and generate verification information. Finally, the sensor node will send the message. Sent to users via public channels.

[0061] Step S6: Authentication and key establishment between the sensor and the user

[0062] The user receives data from the sensor node. After receiving the message, first check the timestamp. Freshness, verification Then, the user decrypts. ,get And verify the random number verification parameters. Is it the same as the original random number? If they are equal, then the user... Generate session key And calculate verification information By comparing the user authentication information generated by the sensor nodes. Is it consistent with the user authentication information generated by the original sensor node? The validity of the sensor node is verified by checking its equality. If the verification passes, the session key is used. In users and sensor nodes A successful connection was established between them.

[0063] Based on the above implementation methods, this invention addresses the scenario of remote monitoring and diagnosis in smart healthcare by constructing a lightweight authentication and key negotiation method based on elliptic curve cryptography. This method, through the introduction of a pseudo-identity mechanism, fuzzy biometric extraction, random number-driven session key generation, and a three-party collaborative authentication mechanism involving the user, gateway, and sensor, significantly reduces computational and communication overhead while ensuring high security. It effectively adapts to the characteristics of smart healthcare environments, such as limited device resources, high real-time requirements, and complex security threats.

[0064] First, in the embodiments of the present invention, a pseudo-identity mechanism is introduced, which is a lightweight third-party authentication and key negotiation mechanism based on elliptic curve cryptography.

[0065] This invention employs Elliptic Curve Cryptography (ECC) to construct a three-party authentication and key negotiation process between users, gateways, and sensor nodes. Secure authentication and session key establishment are achieved through a small number of elliptic curve multiplication operations. While ensuring resistance to impersonation attacks, man-in-the-middle attacks, and replay attacks, it effectively reduces the computational burden on sensor nodes and improves the overall protocol execution efficiency.

[0066] Secondly, in the embodiments of the present invention, a multi-factor authentication mechanism combining fuzzy extraction of biometric features and protection against false identities is incorporated.

[0067] This invention combines user passwords, biometric information, and random numbers, generating stable key material through a fuzzy extraction algorithm. It also introduces pseudo-identity and pseudo-password mechanisms to avoid direct exposure of plaintext identity information throughout the authentication and communication process. This design offers significant advantages in preventing user privacy leaks and resisting smart card theft attacks and offline dictionary attacks.

[0068] Third, in the embodiments of the present invention, the random number-driven session key generation is a secure session key generation method based on random numbers and hash chains.

[0069] This invention generates session keys by introducing multiple random numbers (user random numbers, gateway random numbers, and sensor random numbers) and combining them with a secure hash function, ensuring that the key for each communication session is unique and unpredictable. This mechanism effectively guarantees forward security of the session key, security of known keys, and untraceability of the key, preventing attackers from deducing future communication content through historical keys.

[0070] Fourth, in the embodiments of the present invention, the "user-gateway-sensor" three-party collaborative authentication mechanism is based on gateway-assisted computation offloading and security coordination.

[0071] To address the issue of limited resources in medical sensor nodes, this invention introduces a gateway node as a secure computing and communication coordination center. The gateway undertakes the main tasks of public key calculation and authentication management, allowing sensor nodes to perform only lightweight operations such as symmetric encryption and hashing, thereby significantly improving the deployability and stability of the protocol in real-world smart healthcare environments.

[0072] Although existing technologies can achieve identity authentication and key negotiation between multiple entities to a certain extent, they usually have problems such as multiple rounds of interaction, large computation and communication overhead, and difficulty in fully protecting against some security weaknesses (such as sensor capture attacks, random number leakage, and identity impersonation). Therefore, their applicability is still limited in smart medical remote monitoring scenarios with limited resources and high real-time requirements.

[0073] The following objectives and effects are achieved through the embodiments of the present invention:

[0074] (1) Reduce computation and communication overhead and improve efficiency: By optimizing the protocol process, reducing multi-round interactions and using lightweight elliptic curve operations, the present invention can significantly reduce the computation and communication load of sensor nodes and mobile terminals, reduce energy consumption, and accelerate the speed of identity authentication and session key generation, thus meeting the real-time requirements of smart medical remote monitoring.

[0075] (2) Enhance anti-attack capabilities and improve security: The introduction of forward security protection, random parameter generation mechanism and two-way authentication can effectively resist man-in-the-middle attacks, impersonation attacks, sensor node capture attacks and random number leakage attacks, ensuring the confidentiality, integrity and availability of sensitive patient data during transmission.

[0076] (3) Improve protocol response speed and real-time performance: By simplifying interaction steps and optimizing key negotiation process, fast authentication and session key establishment are achieved, enabling the system to respond quickly in high-frequency data scenarios such as real-time monitoring and remote diagnosis and treatment, and supporting real-time clinical decision-making.

[0077] (4) Improve system deployability and applicability: Design a lightweight solution that is adaptable to resource-constrained sensor nodes and mobile terminals, so that the protocol can be widely deployed on low-power, low-computing-power devices, ensuring the compatibility and scalability of various devices in the smart medical environment.

[0078] (5) Comprehensive security and operability: Through multi-factor authentication, elliptic curve encryption and intelligent key management, this invention ensures high security while making the protocol easy to deploy and operate, providing an efficient, secure and scalable identity authentication and key negotiation solution for smart medical systems.

[0079] It should be further noted that the above embodiments are merely for understanding the technical solution of the present invention and are not intended to limit the scope of protection of the present invention. Any obvious adjustments and modifications made to the technical solution of the present invention that fall within the inventive concept should also fall within the scope of protection of the present invention.

Claims

1. A lightweight identity authentication and key negotiation method for smart healthcare, characterized in that, Includes the following steps: Step S1: System Initialization and Entity Registration In a smart healthcare environment, gateway nodes and sensor devices Through the registration center Perform offline secure registration at the registration center. Store registration information in the gateway node. This is to support subsequent communication authentication; Among them, gateway node As a user and sensor devices The core nodes for communication between them need to go through the registry center. Register, Registration Center Further for gateway nodes Assign a unique parent key And randomly generate a 1024-bit key. Used for gateway nodes and users Authentication between them, ultimately, the gateway node Will The information is stored in its memory; among which, This is a shared key between the gateway and the user. A unique identifier for sensor devices; This is a shared key between the gateway and the sensor devices; Step S2: User Registration In this step, the user With sensor devices The mutual authentication process between them first requires users In the registration center To complete the registration process, please follow these steps: (1) User terminal operation: user First, enter your account information into the registration center. Registration Center The device generates false identity information for the user and transmits this false identity information to the registration center via a secure channel. ; (2) Registration Center Processing: Registration Center After receiving a user registration request, the calculated user information parameters are stored in the smart card. In the middle, finally, the smart card Transmitted to the user via a secure channel ; (3) Local computation by the user: user Received from the registry center After obtaining the parameters, update the user information parameters and... Information stored in smart card In the middle, complete the user registration process; Step S3: Local User Login Verification First, users smart card Insert the device and enter its identification identifier. ,password and bioinformatics Next, the device uses data stored on the smart card. Calculate random numbers from the information in the data. And based on bioinformatics Generate biometric keys Then, the device calculates the false identity. pseudo-code and verification parameters and the calculated verification parameters Verification parameters stored in the smart card The system compares the results; if they match, the user authentication is successful and the user is legitimate; otherwise, the login fails. Step S4: Authentication between the user and the gateway After receiving the information from the user, the gateway first verifies the timestamp. Freshness, check Whether it is valid, Represents the current local time of the gateway. This represents the maximum allowed time deviation. Then, the gateway calculates the authentication intermediate value generated by the user. and using the gateway's private key Calculate temporary public key parameters and random numbers Finally, the gateway calculates the false identity. By comparing false identities Does this equate to a fake identity? To verify users The legitimacy; Step S5: Identity authentication between the gateway and the sensor Sensor devices Upon receiving a message from the gateway, first check the timestamp. Freshness, verification , Represents the current local time of the gateway. This represents the maximum allowed time deviation, and then the sensor node's private key is used. Decrypting the shared point parameters of an elliptic curve and the temporary public key parameters Decrypt to obtain , This represents a decryption operation. A unique identifier representing a sensor device. This represents the shared key between the gateway and the sensor devices. This represents the decrypted information. and Representing a random number, the temporary session verification parameters are then calculated. And verify the temporary session verification parameters. Is it related to temporary session parameters? equal; Step S6: Authentication and key establishment between the sensor and the user After receiving a message from the sensor node, the user first checks the timestamp. Freshness, verification , Represents the current local time of the gateway. This represents the maximum permissible time deviation. Then, the user decrypts the encrypted authentication response sent by the sensor node. ,get , This represents a decryption operation. Represents a random number. This represents the encapsulated information and verifies the random number verification parameters. Is it the same as the original random number? If they are equal, the user generates a session key. And calculate user verification information By comparing user authentication information Is it consistent with the user authentication information generated by the original sensor node? The validity of the sensor node is verified by equality. If the verification passes, the session key is used. In users and sensor nodes A successful connection was established between them.

2. The lightweight identity authentication and key negotiation method for smart healthcare according to claim 1, characterized in that, the steps are as follows: In S1, the sensor device Before deployment to the system, the registry center For each sensor device Assign a unique identifier Meanwhile, the registration center gateway node and sensor devices Generate and select a secret key between them. and will Stored in sensing devices In memory.

3. The lightweight identity authentication and key negotiation method for smart healthcare according to claim 1, characterized in that, In step S2, the specific user registration process is as follows: (1) User terminal operation: user First, enter their identity identifier. ,password and biometric information Next, the device generates a random number. And calculate using a fuzzy extraction algorithm , Algorithms for generating biometric information. and This represents a secret value extracted from biometrics. To protect user privacy, the device generates a pseudo-identity for the user. and pseudo-codes , respectively and These false identity information It will be transmitted to the registration center via a secure channel; (2) Registration Center Processing: After receiving a user registration request, the registration center first processes the request for the gateway node. and users Generate a shared key between them Then calculate the parameters. Next, the registration center Will Stored in the gateway node In, at the same time, the parameters Stored in smart card In the middle, finally, the smart card Transmitted to the user via a secure channel ; (3) Local computation by the user: user Received from the registry center After obtaining the parameters, the local parameters used to verify the user password and random number are first calculated. and according to the provided password and biometric keys Update parameters To obtain the updated parameters Then, the user calculates the verification parameters. and will Store to smart card In the middle, complete the user registration process.

4. The lightweight identity authentication and key negotiation method for smart healthcare according to claim 1, characterized in that, In step S3, if the verification passes, continue with the following operations: first calculate the parameters. Then, the temporary public key parameters are calculated using the elliptic curve cryptography algorithm. and Next, calculate the authentication median. Generate a random number and timestamp And calculate the user-generated dynamic authentication parameters. Obfuscation parameters used to hide user-generated random numbers and user-generated gateway verification information Finally, the message Send to the gateway node via a public channel and through the gateway node With sensor nodes Establish a session key.

5. The lightweight identity authentication and key negotiation method for smart healthcare according to claim 1, characterized in that, In step S4, if the verification passes, the gateway node... Generate random numbers and timestamp And calculate the temporary session parameters generated by the gateway node. Next, the gateway node Calculate public key parameters based on temporary elliptic curves Sharing point parameters with elliptic curves and messages And through encrypted calculation, an encrypted message containing random numbers and identity information is obtained. Ultimately, the gateway will send the message. Transmitted to sensor nodes via public channel .

6. The lightweight identity authentication and key negotiation method for smart healthcare according to claim 1, characterized in that, In step S5, if the verification passes, it means... Valid, then the sensor node generates random numbers. and timestamp And calculate the session key. After generating the session key, the sensor node... Encryption is performed, and an encryption authentication response is obtained. and generate verification information. ,in, A unique identifier representing a sensor device. Representative on the message After the hash encryption operation, the sensor node finally sends the message. Sent to users via public channels.