零信任中基于PUF的物联网抗机器学习攻击身份认证

摘要/Abstract

摘要： 为构建高扩展物联网系统，边缘计算作为一种新兴的去中心化计算模式被引入物联网场景.零信任架构可以很好契合模糊边界的云边端系统，满足持续的动态认证并提升安全性.在频繁的认证需求下，物理不可克隆函数因其轻量化和不可克隆的特点常被用作生成设备的硬件指纹身份.物理不可克隆函数利用硬件工艺的随机因素，生成唯一且不可预测的挑战响应对.如果攻击者在持续的认证中收集到大量的明文挑战响应对，就能建模预测接下来的响应输出而完成机器学习攻击.提出了一种基于物理不可克隆函数的认证解决方案(PAMLCA)，针对抗机器学习攻击进行隐私保护增强，通过不经意伪随机函数技术实现挑战响应对盲化传输.方案整体结构为静态与持续结合的多层动态验证方案，能够在会话中控制隐含信任域.通过安全性分析和性能对比，证明了PAMLCA较其他相关方案能够提供更好的安全性、功能、通信和计算成本.

关键词: 物联网, 零信任, 身份认证, 物理不可克隆函数, 隐私保护

Abstract: To enable scalable IoT systems, edge computing, as a new decentralized model, is introduced into IoT scenarios. Zero trust architecture (ZTA) is wellsuited for cloudedgeend systems with blurred boundaries, offering continuous dynamic authentication and improved security. Due to their lightweight and unclonable properties, physical unclonable functions (PUFs) are often used to generate hardware fingerprint identities for devices. PUFs exploit inherent randomness introduced during hardware fabrication processes to generate unique and nonpredictable challengeresponse pairs. If an attacker collects many plaintext CRPs during continuous authentication, he may model and predict future responses, enabling machine learning attacks. This paper proposes a PUFbased authentication solution (PAMLCA). It enhances privacy protection against machine learning attacks by leveraging oblivious pseudorandom function techniques to obfuscate CRP transmission. The solution combines static and continuous multilayer dynamic verification protocols, limiting implicit trust domains within a session. Security analysis and performance comparisons demonstrate that PAMLCA offers better security, functionality, communication, and computational efficiency compared to other related solutions.

Key words: Internet of things, zero trust, identity authentication, physical unclonable function, privacy preservation

中图分类号:

TP309.2

司雪鸽, 贾洪勇, 曾俊杰, 李云聪, . 零信任中基于PUF的物联网抗机器学习攻击身份认证[J]. 信息安全研究, 2026, 12(1): 33-.

参考文献

［1］Nalbandian S. A survey on Internet of things: Applications and challenges［C］ Proc of the 2015 Int Congress on Technology, Communication and Knowledge (ICTCK). Piscataway, NJ: IEEE, 2015: 165169［2］Kong L, Tan J, Huang J, et al. Edgecomputingdriven Internet of things: A survey［J］. ACM Computing Surveys, 2022, 55(8): 141［3］Stafford V. Zero trust architecture［EBOL］. 2020 ［20251211］. https:tsapps.nist.govpublicationget_pdf.cfm?pub_id=930420［4］Casacuberta S, Hesse J, Lehmann A. SoK: Oblivious pseudorandom functions［C］ Proc of the 7th IEEE European Symp on Security and Privacy (EuroS&P). Piscataway, NJ: IEEE, 2022: 625646［5］Freedman M J, Ishai Y, Pinkas B, et al. Keyword search and oblivious pseudorandom functions［C］ Proc of the 2nd Theory of Cryptography Conference. Berlin:Springer, 2005: 303324［6］Azad M A, Abdullah S, Arshad J, et al. Verify and trust: A multidimensional survey of zerotrust security in the age of IoT［J］. Internet of Things, 2024,27: 101227［7］DeCusatis C, Liengtiraphan P, Sager A, et al. Implementing zero trust cloud networks with transport access control and first packet authentication［C］ Proc of the 2016 IEEE Int Conf on Smart Cloud (SmartCloud). Piscataway, NJ: IEEE, 2016: 510［8］Lukaseder T, Halter M, Kargl F. Contextbased access control and trust scores in zero trust campus networks［COL］ Proc of the SICHERHEIT 2020 ［20251211］. https:dl.gi.deitemsf67b267356c24b0e8e8dad59c8080114［9］Bhattacharjya S, Saiedian H. Anovel simplified framework to secure IoT communications［COL］ Proc of the 7th Int Conf on Information Systems Security and Privacy. 2021: 399406 ［20251211］. https:www.academia.edu127801913A_Novel_Simplified_Framework_to_Secure_IoT_Communications［10］Gai K, She Y, Zhu L, et al. A blockchainbased access control scheme for zero trust crossorganizational data sharing［J］. ACM Trans on Internet Technology, 2023, 23(3): 125［11］Bamasag O O, YoucefToumi K. Towards continuous authentication in Internet of things based on secret sharing scheme［C］ Proc of the Workshop on Embedded Systems Security. New York: ACM, 2015: 18［12］Chen D, Zhang N, Qin Z, et al. S2M: A lightweight acoustic fingerprintsbased wireless device authentication protocol［J］. IEEE Internet of Things Journal, 2016, 4(1): 88100［13］Shah S W, Syed N F, Shaghaghi A, et al. LCDA: Lightweight continuous devicetodevice authentication for a zero trust architecture (ZTA)［J］. Computers & Security, 2021, 108: 102351［14］Meng L, Huang D, An J, et al. A continuous authentication protocol without trust authority for zero trust architecture［J］. China Communications, 2022, 19(8): 198213［15］Aman M N, Chua K C, Sikdar B. Mutual authentication in IoT systems using physical unclonable functions［J］. IEEE Internet of Things Journal, 2017, 4(5): 13271340［16］Chatterjee U, Govindan V, Sadhukhan R, et al. Building PUF based authentication and key exchange protocol for IoT without explicit CRPs in verifier database［J］. IEEE Trans on Dependable and Secure Computing, 2019, 16(3): 424437［17］Suganthi S D, Anitha R, Sureshkumar V, et al. End to end light weight mutual authentication scheme in IoTbased healthcare environment［J］. Journal of Reliable Intelligent Environments, 2020, 6: 313［18］Liu Z, Guo C, Wang B. A physically secure, lightweight threefactor and anonymous user authentication protocol for IoT［J］. IEEE Access, 2020, 8: 195914195928［19］Subramani J, Maria A, Rajasekaran A S, et al. Lightweight privacy and confidentiality preserving anonymous authentication scheme for WBANs［J］. IEEE Trans on Industrial Informatics, 2021, 18(5): 34843491［20］Babaei A, Schiele G. Physical unclonable functions in the Internet of things: State of the art and open challenges［J］. Sensors, 2019, 19(14): 3208［21］Li S, Zhang T, Yu B, et al. A provably secure and practical PUFbased endtoend mutual authentication and key exchange protocol for IoT［J］. IEEE Sensors Journal, 2021, 21(4): 54875501

[1]	贾洋, 李昂, 周永霞, . 基于异构密码机的多层级高强度的应用身份认证系统设计[J]. 信息安全研究, 2025, 11(E2): 245-.
[2]	熊开智, 宿建波, 蒋超, 秦耕, . 电力行业零信任体系下基于可信代理的身份认证技术[J]. 信息安全研究, 2025, 11(E1): 124-.
[3]	屈伟, 宋林涛, 晋钢, 王鹏, 吴潇, . 视频物联网端到端安全体系规划与建设实践[J]. 信息安全研究, 2025, 11(E1): 215-.
[4]	尹春勇, 王珊, . 基于联邦学习和注意力机制的物联网入侵检测模型[J]. 信息安全研究, 2025, 11(9): 788-.
[5]	侯思祖, 沈昱孛, . 面向配电网资源受限设备的轻量级隐式证书方案研究[J]. 信息安全研究, 2025, 11(9): 845-.
[6]	钱永傲, 邓涛, 马赟, 周纯杰, 燕葵, 张卫平, . 基于边云协同的油气生产物联网入侵检测系统设计[J]. 信息安全研究, 2025, 11(9): 868-.
[7]	柳亚男, 曹磊, 张正, 李戈, 邱硕, 王苏豪, . 车联网V2N中的轻量级双向认证与密钥协商[J]. 信息安全研究, 2025, 11(8): 753-.
[8]	王雄, 王文博, 刘昂, 许盛伟, 王志强, 张泽昊, . 一种基于PUF的远程医疗身份认证与密钥协商协议[J]. 信息安全研究, 2025, 11(7): 626-.
[9]	曲爱妍, 符天枢, 张宏军, . 基于区块链的生物特征信息共享方案研究与实现[J]. 信息安全研究, 2025, 11(5): 402-.
[10]	郭回, 马骏臣, 吴礼发, . 基于设备WiFi重连流量的隐蔽智能摄像头检测方法[J]. 信息安全研究, 2025, 11(2): 173-.
[11]	胡丽娜, 蒋凯元, 姜静, . 关键信息基础设施系统安全防护前沿技术研究[J]. 信息安全研究, 2025, 11(12): 1075-.
[12]	王雄, 李伟麟, 王志强, 付成龙, 张泽昊, 王文博, . 无线医疗传感器网络中基于PUF的轻量级匿名认证协议[J]. 信息安全研究, 2025, 11(12): 1134-.
[13]	赵云, 宋好好, . 基于5G应用的零信任数据安全中台的设计与实现[J]. 信息安全研究, 2024, 10(E2): 77-.
[14]	李姝, 夏颖, 韦有涛, . 零信任安全技术在新型电力系统数字化转型中的应用思考[J]. 信息安全研究, 2024, 10(E2): 97-.
[15]	杨玲, . 电子政务外网网络安全挑战与应对策略[J]. 信息安全研究, 2024, 10(E2): 114-.