CN112953923A - Safe network access method and device based on secret key updating - Google Patents


Info

Publication number
CN112953923A
Authority
CN
China
Prior art keywords
network
application
key
key information
network access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110150484.8A
Other languages
Chinese (zh)
Inventor
骆观庆
郑凛
王琳
任后文
詹宏强
戴柏基
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Jixiang Technology Co Ltd
Original Assignee
Guangzhou Jixiang Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Jixiang Technology Co Ltd
Priority to CN202110150484.8A
Publication of CN112953923A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the application discloses a secure network access method and device based on secret key updating. According to the technical scheme provided by the embodiment of the application, the internet of things terminal device parses the network access permission message to obtain the application fresh value and the network fresh value, correspondingly generates the network session key and the application session key, performs service communication with the network server based on the network session key and with the application server based on the application session key, deletes the original network key information and the original application key information, and uses the network session key as the new network key information and the application session key as the new application key information for the next network access authentication of the internet of things terminal device. By adopting these technical means, the security and communication robustness of the network access process of the internet of things terminal device are improved through session key updating, and the operation of system services is optimized.

Description

Safe network access method and device based on secret key updating
Technical Field
The embodiment of the application relates to the technical field of communication networks, in particular to a secure network access method and device based on secret key updating.
Background
At present, with the rapid development of internet of things technology, the number of internet of things devices has also increased greatly. Low-power wide area network (LPWAN) applications exploit their long coverage range so that large-scale, high-connection-count internet of things terminal devices can be accessed within a certain area. Generally, when accessing an internet of things system, an internet of things device sends an access request to a base station; the base station demodulates the access request and forwards it to a network server, which performs access authentication. After the network access authentication, a corresponding network access permission message is returned to the internet of things terminal device to complete the network access authentication process. In order to guarantee the communication security of the network access authentication process, corresponding application key information is used to encrypt the communication information, and a corresponding session key is generated from the application key information, so that the subsequent service interaction between the internet of things terminal device and the application server is realized and the secure operation of system services is guaranteed.
However, in the network access authentication process, the application key information of the terminal device of the internet of things is fixed, and once the application key information is leaked, the security of the network access process is affected, so that the operation of system services is affected.
Disclosure of Invention
The embodiment of the application provides a secure network access method and device based on secret key updating, which can improve the security and communication robustness of the network access process of terminal equipment of the Internet of things and optimize system service operation.
In a first aspect, an embodiment of the present application provides a secure network access method based on key update, including:
the method comprises the steps that network key information and application key information are stored in the terminal equipment of the Internet of things in advance, the terminal equipment of the Internet of things uses the network key information to encrypt a network access request, and the network access request is uploaded to a network server and contains an equipment fresh value of the terminal equipment of the Internet of things;
the network server verifies the network access request based on the prestored network key information, responds to the network access request after the network access request is verified, generates a network session key corresponding to the terminal equipment of the internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sends the network ID and the equipment fresh value to an application server;
the application server generates an application session key based on the network ID, the device fresh value, the application fresh value of the application server and prestored application key information, and transmits the application fresh value to the network server in an encrypted manner by using the application key information;
the network server generates a network access permission message based on the application fresh value and the network fresh value, encrypts the network access permission message by using the network key information and transmits the network access permission message to the terminal equipment of the Internet of things;
the internet of things terminal equipment parses the network access permission message to obtain the application fresh value and the network fresh value, correspondingly generates the network session key and the application session key, performs service communication with the network server based on the network session key and with the application server based on the application session key, deletes the original network key information and the original application key information, and uses the network session key as new network key information and the application session key as new application key information for the next network access authentication of the internet of things terminal equipment.
Further, before the network server verifies the network access request based on the pre-stored network key information, the method further includes:
and the network server judges the validity of the network access request based on the equipment fresh value, and if the network access request is judged to be valid, a detection flow of the network access request is triggered.
Further, the network server verifies the network access request based on the pre-stored network key information, including:
the network server extracts the device fresh value, the device identification code and the application identification code contained in the network access request;
and carrying out MIC calculation based on the prestored network key information, the equipment fresh value, the equipment identification code and the application identification code to obtain a corresponding MIC value, and verifying the identity of the terminal equipment of the Internet of things based on the MIC value.
Further, the analyzing, by the internet of things terminal device, the network access permission message to obtain the application freshness value and the network freshness value includes:
and the terminal equipment of the Internet of things analyzes the network access permission message by using the network key information to obtain the network fresh value and the encrypted application fresh value, and decrypts the application fresh value by using the application key information.
Further, correspondingly generating the network session key and the application session key includes:
extracting the pre-stored network ID, generating the network session key based on the network key information, the device fresh value, the network fresh value and the network ID, and generating the application session key based on the network ID, the device fresh value, the application fresh value and the application key information.
Further, the network access request further includes key update type information, and the key update type information is single update information or periodic update information.
Further, the network server periodically issues the updated application fresh value and the updated network fresh value to the internet of things terminal device based on the periodic update information, and updates the application session key and the network session key.
In a second aspect, an embodiment of the present application provides a secure network access device based on key update, including:
the request module is used for storing network key information and application key information in the terminal equipment of the Internet of things in advance, encrypting a network access request by using the network key information through the terminal equipment of the Internet of things, and uploading the network access request to a network server, wherein the network access request comprises an equipment fresh value of the terminal equipment of the Internet of things;
the first generation module is used for verifying the network access request based on prestored network key information through the network server, responding to the network access request after the network access request is verified, generating a network session key corresponding to the terminal equipment of the internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sending the network ID and the equipment fresh value to an application server;
a second generating module, configured to generate, by the application server, an application session key based on the network ID, the device freshness value, the application freshness value of the application server, and pre-stored application key information, and encrypt and transmit the application freshness value to the network server using the application key information;
the permission module is used for generating a network access permission message based on the application fresh value and the network fresh value through the network server, encrypting the network access permission message by using the network key information and transmitting the network access permission message to the terminal equipment of the Internet of things;
the updating module is configured to parse the network access permission message through the internet of things terminal device to obtain the application fresh value and the network fresh value, generate the network session key and the application session key correspondingly, perform service communication with the network server based on the network session key and with the application server based on the application session key, delete the original network key information and the original application key information, and use the network session key as new network key information and the application session key as new application key information for the next network access authentication of the internet of things terminal device.
In a third aspect, an embodiment of the present application provides an electronic device, including:
a memory and one or more processors;
the memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the secure network access method based on key update of the first aspect.
In a fourth aspect, embodiments of the present application provide a storage medium containing computer-executable instructions which, when executed by a computer processor, perform the secure network access method based on key update according to the first aspect.
According to the method and the device, the network key information and the application key information are stored in the internet of things terminal device in advance, the internet of things terminal device encrypts the network access request with the network key information and uploads it to the network server, and the network access request includes the device fresh value of the internet of things terminal device; the network server verifies the network access request based on the pre-stored network key information, responds to the network access request after it passes verification, generates a network session key corresponding to the internet of things terminal device based on the network key information, the device fresh value, the network fresh value of the network server and the network ID, and sends the network ID and the device fresh value to the application server; the application server generates an application session key based on the network ID, the device fresh value, the application fresh value of the application server and the pre-stored application key information, and encrypts the application fresh value with the application key information and transmits it to the network server; the network server generates a network access permission message based on the application fresh value and the network fresh value, encrypts it with the network key information and transmits it to the internet of things terminal device; the internet of things terminal device parses the network access permission message to obtain the application fresh value and the network fresh value, correspondingly generates the network session key and the application session key, performs service communication with the network server based on the network session key and with the application server based on the application session key, deletes the original network key information and the original application key information, and uses the network session key as new network key information and the application session key as new application key information for the next network access authentication of the internet of things terminal device. By adopting these technical means, the security and communication robustness of the network access process of the internet of things terminal device are improved through session key updating, and the operation of system services is optimized.
Drawings
Fig. 1 is a flowchart of a secure network access method based on key update according to an embodiment of the present application;
fig. 2 is a network access flow chart of an internet of things terminal device in the first embodiment of the present application;
fig. 3 is a schematic structural diagram of a secure network access device based on key update according to a second embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to a third embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, specific embodiments of the present application will be described in detail with reference to the accompanying drawings. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be further noted that, for the convenience of description, only some but not all of the relevant portions of the present application are shown in the drawings. Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
The secure network access method based on key updating aims to improve the security and communication robustness of the network access process of internet of things terminal equipment through cyclic updating of the session key, and solves the technical problem that a fixed session key is easily attacked and acquired, so that system services are affected. Compared with the traditional secure network access method based on key updating, the method considers that an internet of things terminal device is usually deployed in a place that an attacker can access or obtain, so the session key can be revealed through various attacks. For this reason, the system network typically requires the session key of each internet of things terminal device to be unique, in order to minimize the impact of key leakage: even if the session key of one terminal device is leaked, other nodes are not affected. However, although the session key is used for various security mechanisms (such as authentication, encryption and integrity checking), it has no corresponding update mechanism, and in some cases the internet of things terminal device can only use a fixed session key that cannot be updated during its service life. Once the session key is revealed by a network attack, the network access and service processing of the internet of things terminal device are affected. On this basis, the secure network access method based on key updating is provided to solve the problem of session key updating for internet of things terminal devices.
The first embodiment is as follows:
fig. 1 is a flowchart of a security network access method based on key update according to an embodiment of the present disclosure, where the security network access method based on key update provided in this embodiment may be executed by a security network access device based on key update, the security network access device based on key update may be implemented in a software and/or hardware manner, and the security network access device based on key update may be formed by two or more physical entities or may be formed by one physical entity. Generally, the key update-based secure network access device may be an internet of things system.
The following description will be given by taking the key update based secure network access device as an example of a main body of the key update based secure network access method. Referring to fig. 1, the secure network access method based on key update specifically includes:
s110, storing network key information and application key information in the terminal equipment of the Internet of things in advance, encrypting a network access request by using the network key information through the terminal equipment of the Internet of things, and uploading the network access request to a network server, wherein the network access request comprises a device fresh value of the terminal equipment of the Internet of things;
s120, the network server verifies the network access request based on the prestored network key information, responds to the network access request after the network access request is verified, generates a network session key corresponding to the terminal equipment of the Internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sends the network ID and the equipment fresh value to an application server;
s130, the application server generates an application session key based on the network ID, the equipment fresh value, the application fresh value of the application server and the pre-stored application key information, and uses the application key information to encrypt and transmit the application fresh value to the network server;
s140, the network server generates a network access permission message based on the application fresh value and the network fresh value, encrypts the network access permission message by using the network key information and transmits the network access permission message to the terminal equipment of the Internet of things;
s150, the Internet of things terminal equipment analyzes the network access permission message to obtain the application fresh value and the network fresh value, correspondingly generates the network session key and the application session key, performs service communication with the network server based on the network session key, performs service communication with the application server based on the application session key, deletes the original network key information and the original application key information, uses the network session key as new network key information, uses the application session key as new application key information, and is used for network access authentication of the Internet of things terminal equipment at the next time.
According to the embodiment of the application, the network access security of the internet of things terminal equipment is improved through a double-key-updating secure network access mechanism. The network key information and the application key information have the same attributes and the same length, cannot be derived from public information of the device nodes, and are not shared with other device nodes. The network key information and the application key information are stored in advance in the corresponding internet of things terminal equipment; the network key information is also stored in advance in the network server and the application key information in the application server, for secure communication in the subsequent network access process.
Further, when the terminal equipment of the internet of things is authenticated by network access, network access authentication is mainly performed through an initialized network access mode and a non-initialized network access mode. When the network access mode is initialized, the network key information and the application key information both exist in the terminal equipment of the internet of things in advance, the network key information is stored by the network server, the application key information is stored by the application server, and the network key information and the application key information are used for generating a network session key and an application session key subsequently besides being used for encryption communication.
Specifically, the initialized network access mode is the mode in which the internet of things terminal device executes a network access request for the first time. As shown in fig. 2, when the internet of things terminal device performs network access authentication in the initialized network access mode, it first generates the network access request, which includes an application identification code, a device identification code and a device fresh value; the application identification code and the device identification code are unique identification information whose format conforms to the IEEE EUI-64 address space format. The device fresh value is a random number generated by the internet of things terminal device, and the network server records and updates the device fresh value of each internet of things device during each network access authentication in order to judge the validity of the network access request. After the network access request is generated from the application identification code, the device identification code and the device fresh value, the internet of things terminal device encrypts it with the pre-stored network key information and uploads it to the corresponding base station. The base station demodulates the network access request and sends the demodulated request to the network server. The network server decrypts the network access request with the pre-stored network key information and then performs the validity judgment and verification of the network access request.
The network server judges the validity of the network access request based on the device fresh value, and triggers the detection process of the network access request if the request is judged to be valid. Because the network server records and updates the device fresh value of each internet of things device during each network access authentication, when it detects that the device fresh value is the same as the device fresh value in the previous network access request of the corresponding internet of things device, the currently received network access request is a repeat and the network server ignores the message; replayed network access requests can thus be effectively prevented.
Further, after the validity judgment of the network access request is completed, the network server verifies the network access request based on the pre-stored network key information. Wherein, the verification process of the network access request comprises:
s1201, the network server extracts the device fresh value, the device identification code and the application identification code contained in the network access request;
s1202, carrying out MIC calculation based on the pre-stored network key information, the equipment fresh value, the equipment identification code and the application identification code to obtain a corresponding MIC value, and verifying the identity of the terminal equipment of the Internet of things based on the MIC value.
Specifically, the MIC calculation formula of the network access request is as follows:
cmac=aes128_cmac(NwkKey,AppEui|DevEui|DevNonce|...)
MIC=cmac[0..3]
wherein NwkKey is the network key information, AppEui is the application identification code, DevEui is the device identification code, and DevNonce is the device freshness value. The MIC value obtained from this calculation is compared with the corresponding expected value, and the identity of the internet of things terminal device is thereby authenticated and judged valid or invalid.
And after the verification is passed, the terminal equipment of the Internet of things is allowed to be authorized to access the network, and the network server generates a network session key by using the network key information and transmits the network ID and the equipment freshness value to the application server. Specifically, the network session key is expressed as:
Nwk_SKey=aes128_encrypt(NwkKey,Session_Type_Nwk|NwkNonce|NetID|DevNonce|...)
wherein Nwk_SKey is the network session key, NwkKey is the network key information, Session_Type_Nwk is the key update type information, NwkNonce is the network freshness value, NetID is the network ID, and DevNonce is the device freshness value.
Further, the application server generates the application session key after receiving the network ID and the device freshness value from the network server. The application session key is represented as:
App_SKey=aes128_encrypt(AppKey,Session_Type_Nwk|AppNonce|NetID|DevNonce|...)
wherein App_SKey is the application session key, AppKey is the application key information, Session_Type_Nwk is the key update type information, AppNonce is the application freshness value, NetID is the network ID, and DevNonce is the device freshness value.
It should be noted that the network fresh value and the application fresh value are both a random number used for identifying the network access authentication, so as to avoid repeated generation of the application session key and the network session key.
After the application server generates the application session key, it encrypts the application freshness value with the application key information and sends it to the network server. Since the network server does not hold the application key information, it cannot decrypt this application-layer message. After receiving the encrypted application freshness value from the application server, the network server generates a network access permission message based on the application freshness value and its own network freshness value. The network access permission message is encrypted with the network key information and forwarded through the base station to the corresponding internet of things terminal device.
Further, the internet of things terminal device receives the network access permission message, decrypts it and extracts the corresponding parameters to generate the network session key and the application session key. The terminal device parses the network access permission message with the network key information to obtain the network freshness value and the encrypted application freshness value, and decrypts the application freshness value with the application key information. When generating the session keys, the terminal device extracts the pre-stored network ID, generates the network session key from the network key information, the device freshness value, the network freshness value and the network ID, and generates the application session key from the network ID, the device freshness value, the application freshness value and the application key information. In other words, from the pre-stored network ID, network key information, device freshness value and application key information together with the received network freshness value and application freshness value, the terminal device generates the network session key and the application session key in the same manner as the network server and the application server respectively, and the network access succeeds.
After the internet of things terminal device has successfully accessed the network and communication uses the newly generated network session key and application session key, the terminal device and the servers delete the corresponding network key information and application key information. To prevent the keys from possibly being leaked to an attacker in the future, at the next network access of the terminal device (that is, in the non-initialized network access mode) the network session key and the application session key replace the original network key information and application key information respectively, and network access authentication proceeds as in the initialized mode. By analogy, the network session key and application session key of each network access authentication become the new network key information and application key information, so that the session keys are updated in real time and the security of the network access process is further ensured.
In one embodiment, the network access request further includes key update type information, which is either single update information or periodic update information. Single update information instructs the network server to update the session keys only once during a network access procedure, while periodic update information instructs the network server to update the session keys periodically within a network access procedure. Specifically, based on the periodic update information, the network server periodically issues an updated application freshness value and an updated network freshness value to the internet of things terminal device, and the application session key and the network session key are updated accordingly. Following the network access procedure described above, after the network server has returned the network access permission message to the terminal device, the session keys are then updated periodically: the network server generates a new network session key from a newly generated network freshness value, and the application server generates a new application session key from a newly generated application freshness value. The network freshness value and the application freshness value are then sent to the terminal device through the network server, so that the terminal device generates a new network session key and application session key from the newly received values, completing the periodic update of the session keys. Periodically updating the session keys further ensures the security of network access and service communication of the internet of things terminal device and optimizes the operation of system services.
In one embodiment, the network server and the application server may further update the session key according to the key usage time limit of the terminal device of the internet of things, and when the session key reaches the set usage time limit, the application server updates the application session key correspondingly, and the network server updates the network session key correspondingly, and updates the application session key and the network session key to the corresponding terminal device of the internet of things.
The network key information and the application key information are stored in the terminal equipment of the internet of things in advance, the network access request is encrypted by the terminal equipment of the internet of things by using the network key information, the network access request is uploaded to the network server, and the network access request comprises the equipment freshness value of the terminal equipment of the internet of things; the network server verifies the network access request based on prestored network key information, responds to the network access request after the network access request passes verification, generates a network session key corresponding to the terminal equipment of the Internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sends the network ID and the equipment fresh value to the application server; the application server generates an application session key based on the network ID, the equipment fresh value, the application fresh value of the application server and prestored application key information, and encrypts and transmits the application fresh value to the network server by using the application key information; the network server generates a network access permission message based on the application fresh value and the network fresh value, encrypts the network access permission message by using the network key information and transmits the network access permission message to the terminal equipment of the Internet of things; the terminal equipment of the internet of things analyzes the network access permission message to obtain an application fresh value and a network fresh value, correspondingly generates a network session key and an application session key, performs service communication with the network server based on the network session key, performs service communication with the application server based on the application session key, deletes the original network key information and the original application key information, uses the network session key as new network key information, uses the application session key as new application key information, and is used for network access authentication of the terminal equipment of the internet of things at the next time. By adopting the technical means, the security and the communication robustness of the network access process of the terminal equipment of the Internet of things can be realized by updating the session key, and the operation of system services is optimized.
Example two:
based on the foregoing embodiment, fig. 3 is a schematic structural diagram of a secure network access device based on key update according to a second embodiment of the present application. Referring to fig. 3, the secure network access apparatus based on key update provided in this embodiment specifically includes: a request module 21, a first generation module 22, a second generation module 23, a permission module 24 and an update module 25.
The request module is used for storing network key information and application key information in the terminal equipment of the Internet of things in advance, encrypting a network access request by using the network key information through the terminal equipment of the Internet of things, and uploading the network access request to a network server, wherein the network access request comprises an equipment fresh value of the terminal equipment of the Internet of things;
the first generation module is used for verifying the network access request based on prestored network key information through the network server, responding to the network access request after the network access request is verified, generating a network session key corresponding to the terminal equipment of the internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sending the network ID and the equipment fresh value to an application server;
a second generating module, configured to generate, by the application server, an application session key based on the network ID, the device freshness value, the application freshness value of the application server, and pre-stored application key information, and encrypt and transmit the application freshness value to the network server using the application key information;
the permission module is used for generating a network access permission message based on the application fresh value and the network fresh value through the network server, encrypting the network access permission message by using the network key information and transmitting the network access permission message to the terminal equipment of the Internet of things;
the updating module is configured to analyze the network access permission message through the internet of things terminal device to obtain the application fresh value and the network fresh value, generate the network session key and the application session key correspondingly, perform service communication with the network server based on the network session key, perform service communication with the application server based on the application session key, delete the original network key information and the original application key information, use the network session key as new network key information, use the application session key as new application key information, and use the application session key for next network access authentication of the internet of things terminal device.
The network key information and the application key information are stored in the terminal equipment of the internet of things in advance, the network access request is encrypted by the terminal equipment of the internet of things by using the network key information, the network access request is uploaded to the network server, and the network access request comprises the equipment freshness value of the terminal equipment of the internet of things; the network server verifies the network access request based on prestored network key information, responds to the network access request after the network access request passes verification, generates a network session key corresponding to the terminal equipment of the Internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sends the network ID and the equipment fresh value to the application server; the application server generates an application session key based on the network ID, the equipment fresh value, the application fresh value of the application server and prestored application key information, and encrypts and transmits the application fresh value to the network server by using the application key information; the network server generates a network access permission message based on the application fresh value and the network fresh value, encrypts the network access permission message by using the network key information and transmits the network access permission message to the terminal equipment of the Internet of things; the terminal equipment of the internet of things analyzes the network access permission message to obtain an application fresh value and a network fresh value, correspondingly generates a network session key and an application session key, performs service communication with the network server based on the network session key, performs service communication with the application server based on the application session key, deletes the original network key information and the original application key information, uses the network session key as new network key information, uses the application session key as new application key information, and is used for network access authentication of the terminal equipment of the internet of things at the next time. By adopting the technical means, the security and the communication robustness of the network access process of the terminal equipment of the Internet of things can be realized by updating the session key, and the system service operation is optimized.
The device for secure network access based on key update provided in the second embodiment of the present application can be used to execute the method for secure network access based on key update provided in the first embodiment of the present application, and has corresponding functions and beneficial effects.
Example three:
an embodiment of the present application provides an electronic device, and with reference to fig. 4, the electronic device includes: a processor 31, a memory 32, a communication module 33, an input device 34, and an output device 35. The number of processors in the electronic device may be one or more, and the number of memories in the electronic device may be one or more. The processor, memory, communication module, input device, and output device of the electronic device may be connected by a bus or other means.
The memory 32 is a computer readable storage medium, and can be used for storing software programs, computer executable programs, and modules, such as program instructions/modules corresponding to the key update based secure network entry method according to any embodiment of the present application (for example, the request module, the first generation module, the second generation module, the permission module, and the update module in the key update based secure network entry device). The memory can mainly comprise a program storage area and a data storage area, wherein the program storage area can store an operating system and an application program required by at least one function; the storage data area may store data created according to use of the device, and the like. Further, the memory may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory may further include memory located remotely from the processor, and these remote memories may be connected to the device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The communication module 33 is used for data transmission.
The processor 31 executes various functional applications and data processing of the device by running software programs, instructions and modules stored in the memory, that is, the above-mentioned secure network access method based on key update is realized.
The input device 34 may be used to receive entered numeric or character information and to generate key signal inputs relating to user settings and function controls of the apparatus. The output device 35 may include a display device such as a display screen.
The electronic device provided above can be used to execute the method for secure network access based on key update provided in the first embodiment above, and has corresponding functions and advantages.
Example four:
embodiments of the present application further provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a key renewal-based secure network entry method, where the key renewal-based secure network entry method includes: the method comprises the steps that network key information and application key information are stored in the terminal equipment of the Internet of things in advance, the terminal equipment of the Internet of things uses the network key information to encrypt a network access request, and the network access request is uploaded to a network server and contains an equipment fresh value of the terminal equipment of the Internet of things; the network server verifies the network access request based on the prestored network key information, responds to the network access request after the network access request is verified, generates a network session key corresponding to the terminal equipment of the internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sends the network ID and the equipment fresh value to an application server; the application server generates an application session key based on the network ID, the device fresh value, the application fresh value of the application server and prestored application key information, and transmits the application fresh value to the network server in an encrypted manner by using the application key information; the network server generates a network access permission message based on the application fresh value and the network fresh value, encrypts the network access permission message by using the network key information and transmits the network access permission message to the terminal equipment of the Internet of things; the internet of things terminal equipment analyzes the network access permission message to obtain the application fresh value and the network fresh value, correspondingly generates the network session key and the application session key, performs service communication with the network server based on the network session key, performs service communication with the application server based on the application session key, deletes the original network key information and the original application key information, uses the network session key as new network key information, uses the application session key as new application key information, and is used for network access authentication of the internet of things terminal equipment at the next time.
Storage medium: any of various types of memory devices or storage devices. The term "storage medium" is intended to include: mounting media such as CD-ROM, floppy disk, or tape devices; computer system memory or random access memory such as DRAM, DDR RAM, SRAM, EDO RAM, Rambus RAM, etc.; non-volatile memory such as flash memory, magnetic media (e.g., hard disk or optical storage); registers or other similar types of memory elements, etc. The storage medium may also include other types of memory or combinations thereof. In addition, the storage medium may be located in a first computer system in which the program is executed, or may be located in a different second computer system connected to the first computer system through a network (such as the internet). The second computer system may provide program instructions to the first computer for execution. The term "storage medium" may include two or more storage media residing in different locations, e.g., in different computer systems connected by a network. The storage medium may store program instructions (e.g., embodied as a computer program) that are executable by one or more processors.
Of course, the storage medium provided in the embodiments of the present application contains computer-executable instructions, and the computer-executable instructions are not limited to the above-described security network access method based on key update, and may also perform related operations in the security network access method based on key update provided in any embodiment of the present application.
The device, the storage medium, and the electronic device for secure network access based on key update provided in the foregoing embodiments may execute the method for secure network access based on key update provided in any embodiment of the present application, and reference may be made to the method for secure network access based on key update provided in any embodiment of the present application without detailed technical details described in the foregoing embodiments.
The foregoing is considered as illustrative of the preferred embodiments of the invention and the technical principles employed. The present application is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present application has been described in more detail with reference to the above embodiments, the present application is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present application, and the scope of the present application is determined by the scope of the claims.

Claims (10)

1. A secure network access method based on key update is characterized by comprising the following steps:
the method comprises the steps that network key information and application key information are stored in the terminal equipment of the Internet of things in advance, the terminal equipment of the Internet of things uses the network key information to encrypt a network access request, and the network access request is uploaded to a network server and contains an equipment fresh value of the terminal equipment of the Internet of things;
the network server verifies the network access request based on the prestored network key information, responds to the network access request after the network access request is verified, generates a network session key corresponding to the terminal equipment of the internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sends the network ID and the equipment fresh value to an application server;
the application server generates an application session key based on the network ID, the device fresh value, the application fresh value of the application server and prestored application key information, and transmits the application fresh value to the network server in an encrypted manner by using the application key information;
the network server generates a network access permission message based on the application fresh value and the network fresh value, encrypts the network access permission message by using the network key information and transmits the network access permission message to the terminal equipment of the Internet of things;
the internet of things terminal equipment analyzes the network access permission message to obtain the application fresh value and the network fresh value, correspondingly generates the network session key and the application session key, performs service communication with the network server based on the network session key, performs service communication with the application server based on the application session key, deletes the original network key information and the original application key information, uses the network session key as new network key information, uses the application session key as new application key information, and is used for network access authentication of the internet of things terminal equipment at the next time.
2. The rekeying-based secure network entry method according to claim 1, wherein before the network server verifies the network entry request based on the pre-stored network key information, the method further comprises:
and the network server judges the validity of the network access request based on the equipment fresh value, and if the network access request is judged to be valid, a detection flow of the network access request is triggered.
3. The method according to claim 1, wherein the network server verifies the network access request based on the pre-stored network key information, and comprises:
the network server extracts the device fresh value, the device identification code and the application identification code contained in the network access request;
and carrying out MIC calculation based on the prestored network key information, the equipment fresh value, the equipment identification code and the application identification code to obtain a corresponding MIC value, and verifying the identity of the terminal equipment of the Internet of things based on the MIC value.
4. The method for secure network entry based on key update of claim 1, wherein the parsing, by the internet of things terminal device, the network entry permission message to obtain the application freshness value and the network freshness value comprises:
and the terminal equipment of the Internet of things analyzes the network access permission message by using the network key information to obtain the network fresh value and the encrypted application fresh value, and decrypts the application fresh value by using the application key information.
5. The method for secure network entry based on key update of claim 1, wherein the generating the network session key and the application session key correspondingly comprises:
extracting the pre-stored network ID, generating the network session key based on the network key information, the device fresh value, the network fresh value and the network ID, and generating the application session key based on the network ID, the device fresh value, the application fresh value and the application key information.
6. The method for secure network entry based on key update of claim 1, wherein the network entry request further includes key update type information, and the key update type information is single update information or periodic update information.
7. The secure network access method based on key update of claim 6, wherein the network server periodically sends the updated application fresh value and the updated network fresh value to the terminal device of the internet of things based on the periodic update information to update the application session key and the network session key.
8. A device for secure network access based on key update, comprising:
a request module, configured to store network key information and application key information in advance in the internet of things terminal device, encrypt a network access request with the network key information at the internet of things terminal device, and upload the network access request to a network server, wherein the network access request comprises a device fresh value of the internet of things terminal device;
a first generation module, configured to verify the network access request at the network server based on pre-stored network key information, respond to the network access request once it has been verified, generate a network session key corresponding to the internet of things terminal device based on the network key information, the device fresh value, the network fresh value of the network server and the network ID, and send the network ID and the device fresh value to an application server;
a second generation module, configured to generate, at the application server, an application session key based on the network ID, the device fresh value, the application fresh value of the application server and pre-stored application key information, and to encrypt the application fresh value with the application key information and transmit it to the network server;
a permission module, configured to generate, at the network server, a network access permission message based on the application fresh value and the network fresh value, encrypt the network access permission message with the network key information and transmit it to the internet of things terminal device;
an updating module, configured to parse the network access permission message at the internet of things terminal device to obtain the application fresh value and the network fresh value, generate the corresponding network session key and application session key, perform service communication with the network server based on the network session key and with the application server based on the application session key, delete the original network key information and the original application key information, use the network session key as the new network key information and the application session key as the new application key information, and use the application session key for the next network access authentication of the internet of things terminal device.
9. An electronic device, comprising:
a memory and one or more processors;
the memory being configured to store one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the secure network access method based on key update of any one of claims 1 to 7.
10. A storage medium containing computer-executable instructions which, when executed by a computer processor, perform the secure network access method based on key update of any one of claims 1 to 7.
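The three-party exchange of claim 8 (device, network server, application server) and the key rotation it ends with can be simulated end to end. The Python below is an added example written for this page, not code from the patent or its applicant. The claims name neither a key derivation function nor a cipher, so HMAC-SHA256 is assumed for derivation and a small HMAC-based encrypt-then-MAC envelope stands in for "encrypt with the key information"; the device and network identifiers, the nonce sizes and the key material are constructed for the demonstration.

```python
"""Simulation of the claimed device / network-server / application-server handshake.

Added example, not code from the patent. Assumptions: HMAC-SHA256 as the key
derivation function and an HMAC-based encrypt-then-MAC envelope as the cipher
(the claims name neither); identifiers and key material are constructed.
"""
import hashlib
import hmac
import os


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Derive 32 bytes from `key` and the labelled parts (HMAC-SHA256, assumed)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Chained HMAC blocks, enough to cover `length` bytes."""
    stream, block = b"", nonce
    while len(stream) < length:
        block = kdf(key, b"enc", nonce, block)
        stream += block
    return stream[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for 'encrypt with the key information': nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("message failed verification")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def network_access(dev: dict, ns: dict, aps: dict):
    """One run of the claim 8 handshake followed by the key rotation.
    `dev`, `ns`, `aps` are plain dicts holding each party's identity and key store.
    Returns the uploaded request (so a replay can be tested) and the device's keys."""
    dev_id = dev["id"]
    # Request module: the device encrypts its fresh value under the network key information.
    dev_nonce = os.urandom(8)
    request = seal(dev["net_key"], dev_id + dev_nonce)

    # First generation module: the network server verifies with its pre-stored key,
    # derives the network session key and forwards (network ID, device fresh value).
    plain = open_sealed(ns["net_keys"][dev_id], request)
    if plain[: len(dev_id)] != dev_id:
        raise ValueError("device identity mismatch")
    dev_nonce_seen = plain[len(dev_id):]
    net_nonce = os.urandom(8)
    ns_session = kdf(ns["net_keys"][dev_id], b"net", ns["id"], dev_nonce_seen, net_nonce)

    # Second generation module: the application server derives the application session
    # key and returns its fresh value sealed under the application key information,
    # which the network server cannot open because it never holds that key.
    app_nonce = os.urandom(8)
    aps_session = kdf(aps["app_keys"][dev_id], b"app", ns["id"], dev_nonce_seen, app_nonce)
    app_blob = seal(aps["app_keys"][dev_id], app_nonce)

    # Permission module: both fresh values travel to the device under the network key.
    permit = seal(ns["net_keys"][dev_id], net_nonce + app_blob)

    # Updating module: the device unwraps, derives both session keys, then every party
    # discards the old key information and keeps the session keys as the new one.
    inner = open_sealed(dev["net_key"], permit)
    net_nonce_d, app_nonce_d = inner[:8], open_sealed(dev["app_key"], inner[8:])
    dev_net = kdf(dev["net_key"], b"net", ns["id"], dev_nonce, net_nonce_d)
    dev_app = kdf(dev["app_key"], b"app", ns["id"], dev_nonce, app_nonce_d)
    dev["net_key"], dev["app_key"] = dev_net, dev_app
    ns["net_keys"][dev_id] = ns_session
    aps["app_keys"][dev_id] = aps_session
    return request, dev_net, dev_app


def demo() -> dict:
    """Two consecutive accesses (the second authenticates with the rotated keys, as the
    updating module intends) plus a replay of the first request against the rotated key."""
    dev_id = b"dev-0001"  # constructed identifiers and key material
    net_key0, app_key0 = os.urandom(32), os.urandom(32)
    dev = {"id": dev_id, "net_key": net_key0, "app_key": app_key0}
    ns = {"id": b"net-A", "net_keys": {dev_id: net_key0}}
    aps = {"app_keys": {dev_id: app_key0}}

    req1, net1, app1 = network_access(dev, ns, aps)
    agreed = net1 == ns["net_keys"][dev_id] and app1 == aps["app_keys"][dev_id]
    _, net2, app2 = network_access(dev, ns, aps)
    try:
        open_sealed(ns["net_keys"][dev_id], req1)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"keys_agree": agreed, "keys_rotated": net1 != net2 and app1 != app2,
            "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(demo())
```

Two properties of the claimed design fall out of the simulation: the network server only forwards the application server's sealed fresh value and never learns the application session key, and once both sides have rotated, a captured first request no longer verifies against the server's current key information. The claims do not address the operational risk that comes with discarding the old keys: if the permission message is lost, device and server end up holding different key information, so a deployment needs a recovery path (for example a retained provisioning key) outside this handshake.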
CN202110150484.8A 2021-02-03 2021-02-03 Safe network access method and device based on secret key updating Pending CN112953923A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110150484.8A CN112953923A (en) 2021-02-03 2021-02-03 Safe network access method and device based on secret key updating

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110150484.8A CN112953923A (en) 2021-02-03 2021-02-03 Safe network access method and device based on secret key updating

Publications (1)

Publication Number Publication Date
CN112953923A true CN112953923A (en) 2021-06-11

Family

ID=76243346

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110150484.8A Pending CN112953923A (en) 2021-02-03 2021-02-03 Safe network access method and device based on secret key updating

Country Status (1)

Country Link
CN (1) CN112953923A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1732281A1 (en) * 2005-06-08 2006-12-13 Research In Motion Limited Virtual private network for real-time data
CN102006595A (en) * 2010-12-07 2011-04-06 东南大学 Key management method of wireless sensor network
CN102230805A (en) * 2011-06-30 2011-11-02 福建慧翰信息技术有限公司 System and method for dynamic update of path reservation and planning result thereof
CN107104932A (en) * 2016-02-23 2017-08-29 中兴通讯股份有限公司 Key updating method, apparatus and system
CN107819574A (en) * 2017-11-10 2018-03-20 国网河南省电力公司鹤壁供电公司 A kind of rural power grids leak current fault system based on the close SM1 algorithms of state and LoRa technologies
CN110602706A (en) * 2019-09-27 2019-12-20 中移物联网有限公司 Network access method, terminal and server
CN110912871A (en) * 2019-10-31 2020-03-24 全球能源互联网研究院有限公司 Method and system for preventing network access attack of low-power-consumption Internet of things
US20200288312A1 (en) * 2017-04-19 2020-09-10 Orange Communication system and method
CN112073115A (en) * 2020-09-02 2020-12-11 东方红卫星移动通信有限公司 Lora-based low-orbit satellite Internet of things registration security verification method, Internet of things terminal, network server and user server

Similar Documents

Publication Publication Date Title
US9935954B2 (en) System and method for securing machine-to-machine communications
WO2019184736A1 (en) Access authentication method and device, and server
CN108418691B (en) Dynamic network identity authentication method based on SGX
CN113691502B (en) Communication method, device, gateway server, client and storage medium
TW201832121A (en) Authorization server, authorization method and computer program product thereof
CN113411190B (en) Key deployment, data communication, key exchange and security reinforcement method and system
CN109618334B (en) Control method and related equipment
CN108322416B (en) Security authentication implementation method, device and system
WO2018119623A1 (en) Method of unlocking electronic lock device, and client and electronic lock device thereof
Chom Thungon et al. A lightweight authentication and key exchange mechanism for IPv6 over low‐power wireless personal area networks‐based Internet of things
Chen et al. A full lifecycle authentication scheme for large-scale smart IoT applications
CN109451504B (en) Internet of things module authentication method and system
TWI827906B (en) Message transmitting system, user device and hardware security module for use therein
CN113965425B (en) Access method, device and equipment of Internet of things equipment and computer readable storage medium
KR102381038B1 (en) Techniques for secure authentication of the controlled devices
KR20190040443A (en) Apparatus and method for creating secure session of smart meter
CN115473655B (en) Terminal authentication method, device and storage medium for access network
Zhou et al. Perils and mitigation of security risks of cooperation in mobile-as-a-gateway IoT
CN113872986B (en) Power distribution terminal authentication method and device and computer equipment
CN112953923A (en) Safe network access method and device based on secret key updating
US11461478B2 (en) Mobile network core component for managing security keys
Jia et al. A Critique of a Lightweight Identity Authentication Protocol for Vehicular Networks.
KR20170111809A (en) Bidirectional authentication method using security token based on symmetric key
CN201663659U (en) Front end of conditional access system and scriber management system
KR101490638B1 (en) Method of authenticating smart card, server performing the same and system performint the same

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20210611)