Research on security access authentication mechanism of intelligent sensor based on non-interactive zero-knowledge proof method

Abstract

In order to study the standard security access authentication mechanism of intelligent sensing terminals of massive power Internet of Things, In order to study the standard secure access authentication mechanism of intelligent sensing terminal of massive power Internet of Things, a new privacy protection method widely used in block chain is proposed to prove identity. The traditional power IoT cloud-side interaction security access MQTT protocol still has a lot of room for adaptation and optimization. First, the proposed non-interactive zero-knowledge proof identity authentication method reduces the time of traditional standard secure access authentication process; Second, it reduced the computing resources consumed in a large number of intelligent sensors access authentication. The comparison results show that, the access authentication time of this method is 30% $\sim$ 50% less than that of the traditional secure access authentication process. The computing resources consumed during authentication are reduced by 20% to 30% compared with traditional security and secrecy mechanisms.

Keywords

Standardized security access authentication mechanism non-interactive zero-knowledge proof MQTT

1. Introduction

As the core technology and basic support of network and information security, password is an important strategic resource to protect national security and fundamental interests. The exploration of new power system password application mechanism in the energy and power industry to help achieve the goal of “double carbon” is the basic premise for the security and stable operation of the power grid. Therefore, it is important to strengthen the password security application mechanism, promote new power system Internet technology innovation, and promote the energy green transformation to a deeper level [1].

The zero-knowledge proof mechanism is an encryption method proposed for the MQTT protocol specification. Since the MQTT specification does not directly address the possibility of active session hijacking, this attack allows an adversary to take over a session by simply (re)establishing a connection using the eavesdropper’s client ID. The MQTT specification attempts to weaken the vector of this instant attack by implementing channel security through Transport Layer Security (TLS) or by securing the entire network through a private virtual network (VPN) [2, 3]. Although the MQTT protocol provides room for custom authentication and even addresses ID session-based protocol-intrinsic authentication through simple username passwords or through ACLs, these client ID-based approaches have many drawbacks in terms of client management and security, and all require agents to keep shared keys between different clients and agents. In response to the above problems of low real-time and large consumption of computing resources of traditional encryption algorithms in the power IoT [4, 5, 6, 7], it is urgent to explore the unified standard mechanism of cryptography application in the fusion of cryptography technology and new power system.

In this paper, we propose a fully anonymous identification scheme based on Schnorr Non-Interactive Zero Knowledge Proof (Schnorr NIZKP) [8, 9] by making full use of the well-known cryptographic properties for encryption. This approach first eliminates the need for the service Broker to keep the session confidential, and allows the client ID of the session to be exposed. It also allows the real session to be completely anonymous, so that the service Broker needs only minimal prior knowledge of the terminal. Secondly, in the endpoint application of power IoT, only a small amount of storage space and computational resources of the endpoint device are consumed while the normal operation of the endpoint can be guaranteed. Finally, without introducing any new complex concepts, it is only necessary to combine the zero-knowledge authentication password application mechanism with the current Internet of Things access protocol MQTT5.0 protocol protocol, which is deeply penetrated into the new power system, without additional extension of MQTT protocol to improve the target security attributes.

In this paper, by constructing a new encryption mechanism based on the interactive zero knowledge proof, avoid the MQTT session hijacked in the power of things, don’t need to any network security is verified based on proxy, channel security or predefined access control list (ACL) password authentication mechanisms such as authenticity, realized in new type of power system network security at the same time, Reduce resource consumption, improve transmission speed, improve the quality and efficiency of the new power system. This paper is divided into four main sections, describing the theoretical basis of non-interactive zero-knowledge proofs in Section 2, conducting experimental comparison arguments in Section 3, and concluding and discussing in Section 4.

2. Theoretical foundation

Having a priori knowledge of non-interactive zero-knowledge proofs can help us better understand the novel encryption mechanism based on non-interactive zero-knowledge proofs. The non-interactive zero-knowledge based mechanism is an encryption method proposed for the MQTT protocol specification, which is described in this section from two aspects, namely, zero-knowledge proof and MQTT protocol specification.

Zero-Knowledge Proof (ZKP) was proposed by Shafi Goldwasser, Silvio Micali, and Charles Rackoff in 1989 [10], and it refers to the situation where the provers do not need or provide less useful information to the verifiers to convince the verifiers that that an assertion is correct. Zero-knowledge proofs are characterized by completeness, reliability, and zero-knowledge. The more commonly used zero-knowledge proof mechanism is a knowledge proof mechanism based on discrete logarithm puzzles (Schnorr-based interactive authentication mechanism) proposed by German mathematician and cryptographer Claus-Peter Schnorr in 1991, and the interactive Schnorr zero-knowledge proof mechanism flows as follows:

The proving party (Prover) claims to have the value of a key x. By using the interactive Schnorr zero-knowledge encryption technique, it is possible to prove to the verifier (Verifier) that it has the value of the key x without exposing the value of x.

Prover:

Choose a dense value r uniformly at random;

Generate the public key $\mbox{PK}=\text{x}\ast\text{G}$ .

$\displaystyle\mbox{R}=\text{r}\ast\text{G};$

Send to Verifier R;

Verifier:

A randomly selected random number, c, is sent to the provers.

Prover: Compute $\mbox{z}=\mbox{r}+\text{c}\ast\text{x}$ and respond z to the verifier.

Verifier: Prove that $\text{z}\ast\text{G}?=\mbox{R}+\text{C}\ast\text{PK}$ ;

Repeat the above iterative process and prove the possession of key x by successful verification each time; if there is one verification failure, it is not possible to prove the possession of key x. Due to the discrete logarithm problem on elliptic curves, it is impossible to contact x through $\mbox{X}=\text{x}\ast\text{G}$ knowing X and G. Therefore, the private key x is guaranteed to be private while proving to the verifier that it possesses x.

2.1 Non-interactive zero-knowledge proofs

In the new power system, the encrypted transmission mechanism based on zero-knowledge proof can allow end devices to effectively ensure the secure transmission of data without revealing their own information. However, the use of zero-knowledge proof-based encrypted transmission mechanism for MQTT protocol by end devices brings the following problems: (1) frequent interactive verification between provers and verifiers consumes a large amount of CPU resources and takes up a large amount of storage space, which can seriously affect the operation of normal tasks in end devices; (2) iterative verification between provers and verifiers can be performed only after a certain number of message passing, and if there is one interaction verification failure then all previous verifications are invalid, resulting in a waste of resources, a large verification overhead, and low communication efficiency. If only a small amount of data is communicated between the terminal and the server, the verification overhead of the zero-knowledge proof-based encryption mechanism is much larger than the communication.

To address the problem of inefficient communication due to frequent interactions of zero-knowledge proofs, literature [11] proposed an improved Schnorr zero-knowledge proof system to reduce the number of verification rounds for the verifier by increasing the randomness of sending parameters in each round, but the method severely degrades the performance of the terminal used in each round of verification. In the literature [12], a non-interactive zero-knowledge proof mechanism is proposed and the feasibility of non-interaction is demonstrated to address the performance degradation of the verification terminal per round. The non-interactive zero-knowledge proof is based on the zero-knowledge proof mechanism, which effectively reduces the verification frequency of both sides of communication while ensuring that the terminal device has high performance usage and improves communication efficiency. The non-interactive zero-knowledge proof process is as follows:

Provider:

$\mbox{m}=\mbox{H}({\mbox{g}\left|{\left|\mbox{V}\right|}\right|\mbox{A}\left|{% \left|{\mbox{UserID}}\right|}\right|\mbox{OtherInfo}})$ , UserID is the unique identifier of the authenticator, while OtherInfo is optional data,hash function H should be a secure password hash function. The hash function H outputs a subgroup of length not less than q-order.

Prover:

Calculate $\mbox{r}=\mbox{x}-\text{a}\ast\text{m mod q}$ , send r to verifier

Provider:

Verify that $\text{X}==\text{g}^{\text{r}}\ast\text{A}^{\mbox{c}}\text{ mod p}$ ;

(p, q are two large prime numbers; $\mbox{Zp}^{\ast}$ : a multiplicative group of integers modulo p; Gq: a subgroup of $\mbox{Zp}^{\ast}$ of prime order; g: a generator of Gq; H: a secure cryptographic hash function)

2.2 MQTT protocol

MQTT protocol is a message transfer protocol widely used in the Internet of Things. Based on publisher-subscriber mode, this protocol carries out data transmission between the client and server. MQTT protocol has been officially launched by OASIS in 2017, MQTT Version 5.0 [13]. MQTT is a lightweight transport protocol, which is easy to use, open specification, occupies less space resources and has low performance overhead. It is suitable for use on resource-constrained Internet of Things terminal devices. MQTT clients can act as both publishers and subscribers for publishing and subscribing to certain specific topics. The MQTT server, also known as a proxy, is mainly used to receive subscriptions from clients about topics and messages from clients, and to publish the corresponding topic messages to clients according to their subscriptions to different topics.

An MQTT topic in the form of a file path can be said, for example: /v1/devices/GatewayId/topo/MQTT topic. MQTT connections mainly exist between the client and the proxy server, MQTT connections are not generally made between the client and the client. MQTT ensures the reliability of message delivery protocol through three different levels of message quality of Service (QoS): QoS 0: messages can be delivered at most once. QoS 1: The message is transmitted at least once. QoS 2: Send message only once.

MQTT requires a pre-established TCP connection between the client and the proxy server and through the heartbeat mechanism to ensure the connection between the client and the proxy server. The protocol uses Keep Alive to specify the maximum connection idle time (T). When the client detects that the connection idle time exceeds T, it must send a heartbeat message PINGREQ to the proxy server. After receiving the heartbeat request, the proxy server returns a heartbeat response PINGRESP. If the proxy server does not receive the heartbeat request within 1.5T, it will disconnect and send a will message to the subscriber. At the same time, if the client does not receive a heartbeat response, PINGRESP, after a certain amount of time, the connection is disconnected. Sending heartbeat messages when the connection is idle can reduce network requests and weaken the dependence on bandwidth.

2.3 MQTT protocol security

The issue of secure transmission in the MQTT protocol needs to be considered by the user, the security of the protocol can be implemented in layers in the network transmission and the protocol needs to ensure secure services in terms of authentication, authorization, access control and data integrity. The MQTT specification is aware of the problem of session hijacking and replay attacks during the transmission. First, an MQTT client can use a CONNECT Packet containing username and password fields to accomplish authentication, and authentication credentials are sent in plaintext [14]. Second, MQTT clients can also connect to a session by using the client ID at the time of proxy registration, and the client authenticates to the proxy using the SSL certificate sent by the server. Finally, authorization in MQTT restricts access to the proxy resources based on the information provided by the client. However, these security measures and mechanisms largely mitigate the security issues during transmission and consume high resource overhead when the client uses SSL for authentication. By verifying the security of the data transmission channel or network environment, in the channel and network environment are safe premise, to ensure the security of data transmission.

The non-interactive zero-knowledge proof-based endpoint authentication mechanism proposed in this paper solves the aforementioned replay attacks and resource consumption problems. The main idea of this mechanism is to select the client ID as a group element $\mbox{y}\in\mbox{Gq}$ . In the notation of the multiplication group, the client selects $\mbox{y}=\mbox{g}^{\mbox{x}}$ and $\mbox{x}\leftarrow\mbox{Z}_{\mbox{R}}\mbox{Z}_{\mbox{q}}$ . To avoid replay attacks, the proxy provides a variable n to the client as public data for non-interactive zero-knowledge proofs. Only the client can provide proof $({\mbox{t},\mbox{s}})$ with the challenge provided in the same network connection. The agent continues to execute CONNACK with reason code 0x00 (success), which in all cases disconnects with DISCONNECT and some reason code, such as 0x83 (implementation-specific error). In this way, the client provides an anonymous identity each time it establishes a new connection.

Figure 1.

Encryption time required for different encryption methods.

3. Experiments

In order to verify the non-interactive zero-knowledge proof encryption for MQTT protocol encryption has less bandwidth resources, short data encryption time, high transmission efficiency, using analog software MQTT.fx client to send MQTT message, open source emqx as the server agent, MQTT.fx send different encryption MQTT messages, by collecting the MQTT bandwidth, delay, packet rate in transmission, to verify the non-interactive zero-knowledge proof superiority.

The experimental environment is mainly a software environment, where the open source server-side agent emqx and patheon network environment are deployed in Ubuntu 20.04 environment, and the MQTT.fx client is installed in Windows 10 system. The network environment is the lab’s LAN with a bandwidth of 1 Mbps, and the network parameters such as bandwidth, latency and packet loss rate during transmission are obtained by using the iperf command on the server side.

Figure 1 shows the time performance results for encrypting data using three different encryption methods: login password, SSL encryption, and non-interactive zero-knowledge encryption. According to the figure below, it is clear that (1) as the message body size of the MQTT protocol packet increases, the data encryption time remains the same for login password and increases for SSL encryption and non-interactive zero-knowledge encryption, and the encryption operation takes more time. (2) The time required for SSL encryption is longer than that required for non-interactive zero-knowledge encryption because SSL encryption requires client-side agents and server-side agents to establish public and private keys in advance, and also requires certificates from third-party notary authorities, and the encryption process is complex, and the encryption and decryption processes take more time. (3) Non-interactive zero-knowledge encryption process takes less time than SSL encryption time, the encryption effect is better than login name password method, and the security of data transmission is higher.

Figure 2.

Transmission time required for different encryption methods.

Figure 3.

Network bandwidth required for login name password method.

Figure 4.

Network bandwidth required for non-interactive zero-knowledge encryption method.

Figure 5.

Network bandwidth required for SSL encryption method.

Figures 2–5 shows the encryption of data in three different encryption methods, and the network bandwidth resources and packet loss when the encrypted data is transmitted in the network channel. The content and length of the encrypted MQTT protocol message body are the same during transmission, with a message body length of 10 KB, and only the encryption method used to encrypt the data is different. The encrypted MQTT message data is transmitted in the same network environment in patheon with 30 seconds of transmission time bandwidth and packet loss status. As can be seen in Fig. 2, the transmission time for the login name password encryption method remains the same as the length of the MQTT protocol message body increases. The non-interactive zero-knowledge encryption method and SSL encryption method have longer transmission time as the message body length increases. The comparison in Figs 3 and 4 shows that the encryption method using login password and non-interactive zero-knowledge proof takes up less network bandwidth resources in network transmission, while Fig. 5 indicates that the data using SSL encryption takes up higher network bandwidth resources and is prone to cause network congestion. (2) In the complex network environment, the encryption method of login name password has a low packet loss rate, and the SSL encryption method and the non-interactive zero-knowledge encryption method have a high packet loss rate. Therefore, in the complex network communication environment, the non-interactive zero-knowledge encryption method can consume less network bandwidth resources and lower packet loss rate while protecting the security of message data.

4. Conclusion

The non-interactive zero-knowledge proof encryption mechanism proposed in this paper adapts and optimizes the MQTT protocol, a new power system IoT access protocol for deep penetration and convergence, to achieve authentication without login username password, without processing ACLs containing clientID sessions and without any additional special processing of the communication channel, only the underlying network protocol contains the correct source address and destination address to ensure the security of MQTT sessions, it effectively avoids the hijacking attack in the MQTT session, provides some reference experience for the power grid password application security mechanism, provides the development and transformation space for helping the “double carbon” goal of wind power, solar energy and other safe and stable operation of various clean and green energy power generation, and is an effective way to promote the construction of new power system. At present, this paper only discusses the session hijacking problem in the MQTT protocol in general scenarios, and has not yet taken into account the impact of multiple complex network events, which will be followed by an in-depth study of the MQTT protocol security application mechanism in special scenarios.

Footnotes

Acknowledgments

The authors acknowledge the State Grid Shanxi Electric Power Company Science and Technology Project Research (No. 52053022000D).

References

Wang

. Full-scene network security protection system based on ubiquitous power Internet of things.International Journal of Communication Systems. 2022; 35(5).

Park

Chang-Seop

. Security Architecture and Protocols for Secure MQTT-SN. IEEE Access. 2021; 8.

Nai-Wei

. A Secure IoT Firmware Update Framework Based on MQTT Protocol.Information Systems Architecture And Teconology. 2020; 1050: 187–198.

Aida

Majid

. A lightweight hierarchical authentication scheme for internet of things.Journal Of Ambient Intelligence And Humanize. 2019; 10(7): 2607–2619.

Aimaschana

Chavee

Panita

. Authorization Mechanism for MQTT-based Internet of Things. IEEE International Conference on Communications. 2016. pp. 23–27.

Yue

Feng

Wenjun

Jiaru

Shuguang

. Wireless traffic prediction with scalable gaussian process: Framework, algorithms, and verification.IEEE Journal on Selected Areas in Communications. 2019; 37(6): 1291–1306.

Yue

Feng

Wenjun

. Scalable learning paradigms for data-driven wireless communication.IEEE Communications Magazine. 2020; 58(10): 81–87.

Groth

Jens

. Short Non-interactive Zero-Knowledge Proofs. 16th International Conference on the Theory and Application of Cryptology and Information Security. Vol. 6477. 2010. pp. 341–358.

Martin-Fernandez

Caballero-Gil

. Authentication Based on Non-Interactive Zero-Knowledge Proofs for the Internet of Things.Sensors. 2016; 16(1).

10.

Huixin

. A Survey of Noninteractive Zero Knowledge Proof System and Its Applications. Scientific World Journal. 2014.

11.

Peng

. Batch zero-knowledge proof and verification and its applications.ACM Transactions On Information And System Security. 2007; 10(2).

12.

Abdolmaleki

Behzad,

. Lift-and-Shift: Obtaining Simulation Extractable Subversion and Updatable SNARKs Generically. ACM SIGSAC Conference on Computer and Communications Security. 2020. pp. 1987–2005.

13.

Mileva

Aleksandra

. Comprehensive analysis of MQTT 5.0 susceptibility to network covert channels. Computers & Security. 2021; 104.

14.

Katsikeas

ï¼ŽLightweight & secure industrial IoT communications via the MQ telemetry transport protocol. 2017 IEEE Symposium on Computers and Communications (ISCC). 2017. pp. 1193–1200.