CN112953923A - Safe network access method and device based on secret key updating - Google Patents
- Publication number: CN112953923A (application CN202110150484.8A)
- Authority: CN (China)
- Prior art keywords: network, application, key, key information, network access
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
Abstract
The embodiments of this application disclose a secure network access method and device based on key updating. In the technical scheme provided, the Internet of Things terminal device parses the network access permission message to obtain the application freshness value and the network freshness value, generates the corresponding network session key and application session key, conducts service communication with the network server using the network session key and with the application server using the application session key, deletes the original network key information and the original application key information, and adopts the network session key as the new network key information and the application session key as the new application key information for the terminal device's next network access authentication. By updating the session keys in this way, the security and communication robustness of the network access process of the Internet of Things terminal device are achieved and the operation of system services is optimized.
Description
Technical Field
The embodiment of the application relates to the technical field of communication networks, in particular to a secure network access method and device based on secret key updating.
Background
At present, with the rapid development of Internet of Things (IoT) technology, the number of IoT devices has also grown greatly. In low-power wide-area network (LPWAN) applications, the long coverage range is exploited so that large-scale, high-connection-count IoT terminal devices can be served within a given area. Generally, when an IoT device accesses the IoT system it sends an access request to a base station; the base station demodulates the request and forwards it to a network server, which performs the access authentication. Once the access authentication passes, a corresponding network access permission message is returned to the IoT terminal device, completing the access authentication process. To guarantee the communication security of this process, the corresponding application key information is used to encrypt the communicated information, and a corresponding session key is generated from the application key information; this enables the subsequent service interaction between the IoT terminal device and the application server and guarantees the secure operation of system services.
However, in the network access authentication process the application key information of the IoT terminal device is fixed; once it is leaked, the security of the network access process is compromised and the operation of system services is affected.
Disclosure of Invention
The embodiment of the application provides a secure network access method and device based on secret key updating, which can improve the security and communication robustness of the network access process of terminal equipment of the Internet of things and optimize system service operation.
In a first aspect, an embodiment of the present application provides a secure network access method based on key update, including:
network key information and application key information are stored in the Internet of Things terminal device in advance; the terminal device encrypts a network access request with the network key information and uploads it to a network server, the network access request containing a device freshness value of the terminal device;
the network server verifies the network access request against the pre-stored network key information, responds to it once verified, generates a network session key for the terminal device from the network key information, the device freshness value, the network server's network freshness value and the network ID, and sends the network ID and the device freshness value to an application server;
the application server generates an application session key from the network ID, the device freshness value, the application server's application freshness value and the pre-stored application key information, and transmits the application freshness value to the network server encrypted with the application key information;
the network server generates a network access permission message from the application freshness value and the network freshness value, encrypts it with the network key information and transmits it to the terminal device;
the terminal device parses the network access permission message to obtain the application freshness value and the network freshness value, generates the network session key and the application session key correspondingly, conducts service communication with the network server using the network session key and with the application server using the application session key, deletes the original network key information and the original application key information, and adopts the network session key as the new network key information and the application session key as the new application key information for its next network access authentication.
Further, before the network server verifies the network access request based on the pre-stored network key information, the method further includes:
and the network server judges the validity of the network access request based on the equipment fresh value, and if the network access request is judged to be valid, a detection flow of the network access request is triggered.
Further, the network server verifies the network access request based on the pre-stored network key information, including:
the network server extracts the device fresh value, the device identification code and the application identification code contained in the network access request;
and carrying out MIC calculation based on the prestored network key information, the equipment fresh value, the equipment identification code and the application identification code to obtain a corresponding MIC value, and verifying the identity of the terminal equipment of the Internet of things based on the MIC value.
Further, the analyzing, by the internet of things terminal device, the network access permission message to obtain the application freshness value and the network freshness value includes:
and the terminal equipment of the Internet of things analyzes the network access permission message by using the network key information to obtain the network fresh value and the encrypted application fresh value, and decrypts the application fresh value by using the application key information.
Further, correspondingly generating the network session key and the application session key includes:
extracting the pre-stored network ID, generating the network session key based on the network key information, the device fresh value, the network fresh value and the network ID, and generating the application session key based on the network ID, the device fresh value, the application fresh value and the application key information.
Further, the network access request further includes key update type information, and the key update type information is single update information or periodic update information.
Further, the network server periodically issues the updated application fresh value and the updated network fresh value to the internet of things terminal device based on the periodic update information, and updates the application session key and the network session key.
In a second aspect, an embodiment of the present application provides a secure network access device based on key update, including:
the request module is used for storing network key information and application key information in the terminal equipment of the Internet of things in advance, encrypting a network access request by using the network key information through the terminal equipment of the Internet of things, and uploading the network access request to a network server, wherein the network access request comprises an equipment fresh value of the terminal equipment of the Internet of things;
the first generation module is used for verifying the network access request based on prestored network key information through the network server, responding to the network access request after the network access request is verified, generating a network session key corresponding to the terminal equipment of the internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sending the network ID and the equipment fresh value to an application server;
a second generating module, configured to generate, by the application server, an application session key based on the network ID, the device freshness value, the application freshness value of the application server, and pre-stored application key information, and encrypt and transmit the application freshness value to the network server using the application key information;
the permission module is used for generating a network access permission message based on the application fresh value and the network fresh value through the network server, encrypting the network access permission message by using the network key information and transmitting the network access permission message to the terminal equipment of the Internet of things;
the updating module, configured to parse the network access permission message through the Internet of Things terminal device to obtain the application freshness value and the network freshness value, generate the network session key and the application session key correspondingly, conduct service communication with the network server using the network session key and with the application server using the application session key, delete the original network key information and the original application key information, and adopt the network session key as the new network key information and the application session key as the new application key information for the next network access authentication of the terminal device.
In a third aspect, an embodiment of the present application provides an electronic device, including:
a memory and one or more processors;
the memory storing one or more programs;
the one or more programs, when executed by the one or more processors, causing the one or more processors to implement the key-update-based secure network access method of the first aspect.
In a fourth aspect, embodiments of the present application provide a storage medium containing computer-executable instructions which, when executed by a computer processor, perform the key-update-based secure network access method of the first aspect.
According to the method and device, network key information and application key information are stored in the Internet of Things terminal device in advance; the terminal device encrypts a network access request with the network key information and uploads it to the network server, the request containing the device freshness value of the terminal device; the network server verifies the request against the pre-stored network key information, responds to it once verified, generates a network session key for the terminal device from the network key information, the device freshness value, the network server's network freshness value and the network ID, and sends the network ID and the device freshness value to the application server; the application server generates an application session key from the network ID, the device freshness value, the application server's application freshness value and the pre-stored application key information, and transmits the application freshness value to the network server encrypted with the application key information; the network server generates a network access permission message from the application freshness value and the network freshness value, encrypts it with the network key information and transmits it to the terminal device; the terminal device parses the permission message to obtain the application freshness value and the network freshness value, generates the network session key and the application session key correspondingly, conducts service communication with the network server using the network session key and with the application server using the application session key, deletes the original network key information and the original application key information, and adopts the network session key as the new network key information and the application session key as the new application key information for its next network access authentication. By updating the session keys in this way, the security and communication robustness of the network access process of the Internet of Things terminal device are achieved and the operation of system services is optimized.
Drawings
Fig. 1 is a flowchart of a secure network access method based on key update according to an embodiment of the present application;
fig. 2 is a network access flow chart of an internet of things terminal device in the first embodiment of the present application;
fig. 3 is a schematic structural diagram of a secure network access device based on key update according to a second embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to a third embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, specific embodiments of the present application will be described in detail with reference to the accompanying drawings. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be further noted that, for the convenience of description, only some but not all of the relevant portions of the present application are shown in the drawings. Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
The key-update-based secure network access method aims to improve the security and communication robustness of the network access process of the Internet of Things terminal device through cyclic updating of the session key, and so solves the technical problem that a fixed session key is easily attacked and obtained, affecting system services. Compared with the traditional secure network access method based on key updating, this method takes into account that Internet of Things terminal devices are usually deployed where an attacker can reach or obtain them, so that the session key may be revealed through various attacks. For this reason the system network typically requires the session keys of the terminal devices to be unique, so as to minimise the impact of a key leak: even if the session key of one terminal device is leaked, other nodes are not affected. However, although the session key is used for various security mechanisms (such as authentication, encryption and integrity checking), there is no provision for updating it, and in some cases the terminal device can only use a fixed session key that cannot be updated during its period of use. Once the session key is revealed by a network attack, the network access and service processing of the terminal device are affected. On this basis, the key-update-based secure network access method is provided to solve the problem of updating the session key of the Internet of Things terminal device.
The first embodiment is as follows:
Fig. 1 is a flowchart of a key-update-based secure network access method according to an embodiment of the present disclosure. The method provided in this embodiment may be executed by a key-update-based secure network access device, which may be implemented in software and/or hardware and may consist of one physical entity or of two or more physical entities. Generally, the key-update-based secure network access device may be an Internet of Things system.
The following description takes the key-update-based secure network access device as the body that executes the method. Referring to fig. 1, the key-update-based secure network access method specifically includes:
s110, storing network key information and application key information in the terminal equipment of the Internet of things in advance, encrypting a network access request by using the network key information through the terminal equipment of the Internet of things, and uploading the network access request to a network server, wherein the network access request comprises a device fresh value of the terminal equipment of the Internet of things;
s120, the network server verifies the network access request based on the prestored network key information, responds to the network access request after the network access request is verified, generates a network session key corresponding to the terminal equipment of the Internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sends the network ID and the equipment fresh value to an application server;
s130, the application server generates an application session key based on the network ID, the equipment fresh value, the application fresh value of the application server and the pre-stored application key information, and uses the application key information to encrypt and transmit the application fresh value to the network server;
s140, the network server generates a network access permission message based on the application fresh value and the network fresh value, encrypts the network access permission message by using the network key information and transmits the network access permission message to the terminal equipment of the Internet of things;
s150, the Internet of Things terminal device parses the network access permission message to obtain the application freshness value and the network freshness value, generates the network session key and the application session key correspondingly, conducts service communication with the network server using the network session key and with the application server using the application session key, deletes the original network key information and the original application key information, and adopts the network session key as the new network key information and the application session key as the new application key information for its next network access authentication.
According to this embodiment of the application, the network access security of the Internet of Things terminal device is improved through a secure network access mechanism with double-key updating. The network key information and the application key information have the same attributes and the same length, cannot be derived from public information of the device node, and are not shared with other device nodes. Both are stored in advance in the corresponding Internet of Things terminal device; the network key information is also stored in advance in the network server and the application key information in the application server, for secure communication in the subsequent network access process.
Further, when the terminal equipment of the internet of things is authenticated by network access, network access authentication is mainly performed through an initialized network access mode and a non-initialized network access mode. When the network access mode is initialized, the network key information and the application key information both exist in the terminal equipment of the internet of things in advance, the network key information is stored by the network server, the application key information is stored by the application server, and the network key information and the application key information are used for generating a network session key and an application session key subsequently besides being used for encryption communication.
Specifically, the initialized network access mode is the mode in which the Internet of Things terminal device executes a network access request for the first time. As shown in fig. 2, when the terminal device performs network access authentication in the initialized network access mode, it first generates a network access request containing an application identification code, a device identification code and a device freshness value; the application identification code and the device identification code are unique identification information whose format conforms to the IEEE EUI-64 address space format. The device freshness value is a random number generated by the terminal device, and the network server records and updates the device freshness value of each Internet of Things device at each network access authentication in order to judge the validity of the network access request. After generating the network access request from the application identification code, the device identification code and the device freshness value, the terminal device encrypts the request with the pre-stored network key information and uploads it to the corresponding base station. The base station demodulates the network access request and sends it to the network server, which decrypts it with the pre-stored network key information and then carries out the validity judgment and verification of the request.
The network server judges the validity of the network access request based on the device freshness value and, if the request is judged valid, triggers the detection process for the request. Because the network server records and updates the device freshness value of each Internet of Things device at each network access authentication, when it detects that the device freshness value equals the one in the previous network access request of the same device, the currently received request is a repeat and the network server ignores the message; this effectively prevents replay of network access requests.
Further, once the validity judgment of the network access request is complete, the network server verifies the request based on the pre-stored network key information. The verification process comprises:
S1201: the network server extracts the device freshness value, the device identification code and the application identification code contained in the network access request;
S1202: it performs a MIC calculation over the pre-stored network key information, the device freshness value, the device identification code and the application identification code to obtain the corresponding MIC value, and verifies the identity of the IoT terminal device based on that MIC value.
Specifically, the MIC of the network access request is calculated as:
cmac = aes128_cmac(NwkKey, AppEui | DevEui | DevNonce | ...)
MIC = cmac[0..3]
where NwkKey is the network key information, AppEui the application identification code, DevEui the device identification code and DevNonce the device freshness value. The network server compares the MIC value it obtains from this calculation with the MIC carried in the network access request and thereby authenticates the IoT terminal device, judging whether its identity is valid.
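The validity check and the MIC verification of steps S1201 and S1202, worked through as an added example in Go. This is illustration code written for this page, not code from the patent. It builds AES-128-CMAC on the standard library's AES block cipher, computes the MIC as in the formula above over AppEui | DevEui | DevNonce (the trailing "..." of the formula is not reproduced, and the field widths of 8-byte EUIs, a 2-byte DevNonce and a 4-byte MIC are assumptions), and goes one step beyond the text on the validity check: instead of comparing the DevNonce only with the previous request, the server keeps every DevNonce it has accepted from the device, so a replay of any earlier request is ignored, and it records a nonce only after the MIC has checked out, so a forged request cannot consume nonces. The NwkKey and EUIs in main are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// dbl doubles a 16-byte string in GF(2^128), the RFC 4493 subkey step.
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	if in[0]&0x80 != 0 {
		out[15] ^= 0x87
	}
	return out
}

// aes128CMAC is AES-128-CMAC (RFC 4493) on the standard-library AES block cipher.
func aes128CMAC(key, msg []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	l := make([]byte, 16)
	c.Encrypt(l, l) // L = AES_K(0^128)
	k1, k2 := dbl(l), dbl(dbl(l))
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1
	}
	last, sub := make([]byte, 16), k1
	if rem := copy(last, msg[(n-1)*16:]); rem < 16 {
		last[rem], sub = 0x80, k2 // incomplete final block: pad 10..0, mask with K2
	}
	x := make([]byte, 16)
	for i := 0; i < n; i++ {
		blk := last
		if i < n-1 {
			blk = msg[i*16 : i*16+16]
		}
		for j := range x {
			x[j] ^= blk[j]
			if i == n-1 {
				x[j] ^= sub[j]
			}
		}
		c.Encrypt(x, x)
	}
	return x
}

// JoinRequest carries the fields named in the page's MIC formula; the widths are assumptions.
type JoinRequest struct {
	AppEUI, DevEUI [8]byte
	DevNonce       uint16
	MIC            [4]byte
}

// joinMIC: cmac = aes128_cmac(NwkKey, AppEui | DevEui | DevNonce), MIC = cmac[0..3] (the "..." is omitted).
func joinMIC(nwkKey []byte, appEUI, devEUI [8]byte, devNonce uint16) (mic [4]byte) {
	msg := append(append(append([]byte{}, appEUI[:]...), devEUI[:]...), 0, 0)
	binary.LittleEndian.PutUint16(msg[16:], devNonce)
	copy(mic[:], aes128CMAC(nwkKey, msg)[:4])
	return
}

// NetworkServer state for one device: its pre-shared NwkKey and every DevNonce accepted so far.
type NetworkServer struct {
	nwkKey []byte
	seen   map[uint16]bool
}

// VerifyJoin: validity check (DevNonce never accepted before), then S1201/S1202
// (recompute the MIC from the extracted fields and compare it in constant time).
func (ns *NetworkServer) VerifyJoin(req JoinRequest) error {
	if ns.seen[req.DevNonce] {
		return errors.New("repeated DevNonce: request ignored")
	}
	want := joinMIC(ns.nwkKey, req.AppEUI, req.DevEUI, req.DevNonce)
	if subtle.ConstantTimeCompare(want[:], req.MIC[:]) != 1 {
		return errors.New("MIC mismatch: identity not verified")
	}
	ns.seen[req.DevNonce] = true // commit the nonce only after the MIC checks out
	return nil
}

func main() {
	nwkKey := []byte("NWKKEY-CONSTRUCT") // constructed 16-byte NwkKey, not a real key
	appEUI, devEUI := [8]byte{1, 2, 3, 4, 5, 6, 7, 8}, [8]byte{8, 7, 6, 5, 4, 3, 2, 1}
	ns := &NetworkServer{nwkKey: nwkKey, seen: map[uint16]bool{}}
	req := JoinRequest{appEUI, devEUI, 0x1234, joinMIC(nwkKey, appEUI, devEUI, 0x1234)}
	fmt.Println("fresh:", ns.VerifyJoin(req), "| replay:", ns.VerifyJoin(req))
}
```

Run with go run: the first request verifies (nil error) and the identical second one is reported as a repeated DevNonce. The aes128CMAC routine can be checked against the RFC 4493 test vectors before trusting it in a real network server.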
After the verification passes, the IoT terminal device is authorized to access the network; the network server generates the network session key from the network key information and sends the network ID and the device freshness value to the application server. Specifically, the network session key is expressed as:
Nwk_SKey = aes128_encrypt(NwkKey, Session_Type_Nwk | NwkNonce | NetID | DevNonce | ...)
where Nwk_SKey is the network session key, NwkKey the network key information, Session_Type_Nwk the key update type information, NwkNonce the network freshness value, NetID the network ID and DevNonce the device freshness value.
Further, the application server generates the application session key after receiving the network ID and the device freshness value from the network server. The application session key is expressed as:
App_SKey = aes128_encrypt(AppKey, Session_Type_Nwk | AppNonce | NetID | DevNonce | ...)
where App_SKey is the application session key, AppKey the application key information, Session_Type_Nwk the key update type information, AppNonce the application freshness value, NetID the network ID and DevNonce the device freshness value.
It should be noted that the network freshness value and the application freshness value are each a random number that identifies this network access authentication, so that the same network session key or application session key is never generated twice.
After generating the application session key, the application server encrypts the application freshness value with the application key information and sends it to the network server. Since the network server does not hold the application key information, it cannot decrypt this application-layer message. After receiving the encrypted application freshness value from the application server, the network server generates a network access permission message from it and from its own network freshness value, encrypts the permission message with the network key information and forwards it through the base station to the corresponding IoT terminal device.
Further, on receiving the network access permission message, the IoT terminal device decrypts it and extracts the corresponding parameters to generate the network session key and the application session key. It parses the permission message with the network key information to obtain the network freshness value and the encrypted application freshness value, and decrypts the application freshness value with the application key information. It then extracts the pre-stored network ID and generates the network session key from the network key information, the device freshness value, the network freshness value and the network ID, and the application session key from the network ID, the device freshness value, the application freshness value and the application key information. In other words, from the pre-stored network ID, network key information, device freshness value and application key information together with the received network freshness value and application freshness value, the IoT terminal device derives the two session keys in the same manner as the network server and the application server, and its network access succeeds.
After the IoT terminal device has accessed the network and communication proceeds under the newly generated network session key and application session key, the IoT terminal device and the servers delete the corresponding network key information and application key information. So that a key cannot later be leaked to an attacker, at the next network access of the IoT terminal device (that is, in the non-initialized network access mode) the network session key and the application session key replace the original network key information and the original application key information respectively, and network access authentication proceeds as in the initialized network access mode. By analogy, the network session key and application session key of each network access authentication become the new network key information and application key information, so that the session keys are refreshed with every access and the security of the network access process is further ensured.
In one embodiment, the network access request further includes key update type information, which is either single update information or periodic update information. The single update information instructs the network server to update the session keys only once during a network access procedure. The periodic update information instructs the network server to update the session keys periodically within a network access procedure. Specifically, based on the periodic update information the network server periodically issues an updated application freshness value and an updated network freshness value to the IoT terminal device, and the application session key and the network session key are updated accordingly. Referring to the network access procedure above, after the network server has returned the network access permission message to the IoT terminal device, the session keys continue to be updated periodically: the network server generates a new network session key from a newly generated network freshness value, and the application server generates a new application session key from a newly generated application freshness value. The network freshness value and the application freshness value are then sent to the IoT terminal device via the network server, so that it generates the new network session key and application session key from the newly received freshness values, completing the periodic update. Periodically updating the session keys further ensures the security of network access and service communication of the IoT terminal device and optimizes the operation of system services.
In one embodiment, the network server and the application server may further update the session keys according to a key usage time limit of the IoT terminal device: when a session key reaches the set usage time limit, the application server updates the application session key and the network server updates the network session key, and the updated keys are pushed to the corresponding IoT terminal device.
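The session key derivation on the network server, the application server and the IoT terminal device, the replacement of the root keys by the session keys at the next network access, and the periodic and time-limit updates above, as an added example in Go. This is illustration code written for this page, not code from the patent. It implements Nwk_SKey = aes128_encrypt(NwkKey, Session_Type_Nwk | NwkNonce | NetID | DevNonce | pad) and App_SKey likewise from AppKey and AppNonce, shows the application freshness value reaching the device encrypted under AppKey so that the network server forwards it without being able to read it, and shows a second access round deriving fresh keys under the rotated root keys. Assumptions not stated on the page: a 1-byte session type, 3-byte NwkNonce, AppNonce and NetID, a 2-byte DevNonce, zero padding to one 16-byte AES block, the numeric value of Session_Type_Nwk, and that the request MIC and the NwkKey encryption of the permission message as a whole are left out. The keys and NetID are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// aes128Block is the raw AES-128 block operation the page calls aes128_encrypt;
// decrypt=true is its inverse, used by the device to open the AppKey-encrypted AppNonce.
func aes128Block(key, in []byte, decrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// deriveSessionKey = aes128_encrypt(rootKey, SessionType | ServerNonce | NetID | DevNonce | pad).
// Widths (1-byte type, 3-byte nonce and NetID, 2-byte DevNonce, zero pad to 16) are assumptions.
func deriveSessionKey(rootKey []byte, sessionType byte, nonce, netID [3]byte, devNonce uint16) []byte {
	blk := make([]byte, 16)
	blk[0] = sessionType
	copy(blk[1:4], nonce[:])
	copy(blk[4:7], netID[:])
	binary.LittleEndian.PutUint16(blk[7:9], devNonce)
	return aes128Block(rootKey, blk, false)
}

// randNonce draws the NwkNonce or AppNonce a server issues for one authentication.
func randNonce() (n [3]byte) {
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	return
}

const sessionTypeNwk = 0x01 // Session_Type_Nwk; its encoding is not given on the page

// Device holds the pre-stored root keys and NetID; NwkSKey and AppSKey are the derived session keys.
type Device struct {
	NwkKey, AppKey   []byte
	NetID            [3]byte
	NwkSKey, AppSKey []byte
}

// NetworkServer knows only NwkKey and AppServer only AppKey; neither learns the other's key.
type NetworkServer struct {
	NwkKey, NwkSKey []byte
	NetID           [3]byte
}
type AppServer struct{ AppKey, AppSKey []byte }

// Join runs the key agreement of one network access for the given DevNonce.
func Join(dev *Device, ns *NetworkServer, as *AppServer, devNonce uint16) {
	// Network server: derive Nwk_SKey, hand NetID and DevNonce to the application server.
	nwkNonce := randNonce()
	ns.NwkSKey = deriveSessionKey(ns.NwkKey, sessionTypeNwk, nwkNonce, ns.NetID, devNonce)
	// Application server: derive App_SKey, return AppNonce encrypted under AppKey.
	appNonce := randNonce()
	as.AppSKey = deriveSessionKey(as.AppKey, sessionTypeNwk, appNonce, ns.NetID, devNonce)
	encAppNonce := make([]byte, 16)
	copy(encAppNonce, appNonce[:])
	encAppNonce = aes128Block(as.AppKey, encAppNonce, false) // opaque to the network server
	// Device: take NwkNonce and the encrypted AppNonce from the permission message,
	// recover AppNonce with AppKey and derive both keys with its pre-stored NetID.
	var gotAppNonce [3]byte
	copy(gotAppNonce[:], aes128Block(dev.AppKey, encAppNonce, true))
	dev.NwkSKey = deriveSessionKey(dev.NwkKey, sessionTypeNwk, nwkNonce, dev.NetID, devNonce)
	dev.AppSKey = deriveSessionKey(dev.AppKey, sessionTypeNwk, gotAppNonce, dev.NetID, devNonce)
}

// Rotate is the key update: the session keys become the root keys for the next network
// access and the original root keys are discarded on every side.
func Rotate(dev *Device, ns *NetworkServer, as *AppServer) {
	dev.NwkKey, dev.AppKey = dev.NwkSKey, dev.AppSKey
	ns.NwkKey, as.AppKey = ns.NwkSKey, as.AppSKey
}

// Agree reports whether the device and the two servers hold identical session keys.
func Agree(dev *Device, ns *NetworkServer, as *AppServer) bool {
	return bytes.Equal(dev.NwkSKey, ns.NwkSKey) && bytes.Equal(dev.AppSKey, as.AppSKey)
}

func main() {
	netID := [3]byte{0x00, 0x00, 0x13} // constructed NetID; the keys below are constructed too
	dev := &Device{NwkKey: []byte("NWKKEY-CONSTRUCT"), AppKey: []byte("APPKEY-CONSTRUCT"), NetID: netID}
	ns := &NetworkServer{NwkKey: append([]byte{}, dev.NwkKey...), NetID: netID}
	as := &AppServer{AppKey: append([]byte{}, dev.AppKey...)}
	Join(dev, ns, as, 0x0001) // initialized network access mode
	Rotate(dev, ns, as)       // session keys replace the root keys
	Join(dev, ns, as, 0x0002) // next network access under the rotated keys
	fmt.Println("all sides agree on the session keys:", Agree(dev, ns, as))
}
```

Calling Join again without Rotate is the periodic or time-limit update of the embodiments above: the servers issue a fresh NwkNonce and AppNonce and every side re-derives the session keys from the current root keys. Calling Rotate first is the next network access, where the previous session keys have become the root keys and the original ones no longer exist on any side.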
Network key information and application key information are stored in the IoT terminal device in advance; the IoT terminal device encrypts the network access request, which contains its device freshness value, with the network key information and uploads it to the network server. The network server verifies the network access request based on the pre-stored network key information, responds to it once it is verified, generates the network session key corresponding to the IoT terminal device from the network key information, the device freshness value, the network freshness value of the network server and the network ID, and sends the network ID and the device freshness value to the application server. The application server generates the application session key from the network ID, the device freshness value, its own application freshness value and the pre-stored application key information, and transmits the application freshness value to the network server encrypted with the application key information. The network server generates the network access permission message from the application freshness value and the network freshness value, encrypts it with the network key information and transmits it to the IoT terminal device. The IoT terminal device parses the network access permission message to obtain the application freshness value and the network freshness value, generates the network session key and the application session key correspondingly, communicates with the network server under the network session key and with the application server under the application session key, deletes the original network key information and application key information, and uses the network session key as the new network key information and the application session key as the new application key information for its next network access authentication. By these technical means, updating the session keys provides security and communication robustness for the network access process of the IoT terminal device and optimizes the operation of system services.
Example two:
based on the foregoing embodiment, fig. 3 is a schematic structural diagram of a secure network access device based on key update according to a second embodiment of the present application. Referring to fig. 3, the secure network access apparatus based on key update provided in this embodiment specifically includes: a request module 21, a first generation module 22, a second generation module 23, a permission module 24 and an update module 25.
The request module is used for storing network key information and application key information in the IoT terminal device in advance, encrypting a network access request with the network key information on the IoT terminal device and uploading it to a network server, the network access request containing a device freshness value of the IoT terminal device;
the first generation module is used for verifying, on the network server, the network access request based on the pre-stored network key information, responding to the network access request once it is verified, generating a network session key corresponding to the IoT terminal device from the network key information, the device freshness value, the network freshness value of the network server and the network ID, and sending the network ID and the device freshness value to an application server;
the second generation module is used for generating, on the application server, an application session key from the network ID, the device freshness value, the application freshness value of the application server and the pre-stored application key information, and transmitting the application freshness value to the network server encrypted with the application key information;
the permission module is used for generating, on the network server, a network access permission message from the application freshness value and the network freshness value, encrypting the network access permission message with the network key information and transmitting it to the IoT terminal device;
the update module is used for parsing, on the IoT terminal device, the network access permission message to obtain the application freshness value and the network freshness value, generating the network session key and the application session key correspondingly, communicating with the network server under the network session key and with the application server under the application session key, deleting the original network key information and the original application key information, and using the network session key as the new network key information and the application session key as the new application key information for the next network access authentication of the IoT terminal device.
Network key information and application key information are stored in the IoT terminal device in advance; the IoT terminal device encrypts the network access request, which contains its device freshness value, with the network key information and uploads it to the network server. The network server verifies the network access request based on the pre-stored network key information, responds to it once it is verified, generates the network session key corresponding to the IoT terminal device from the network key information, the device freshness value, the network freshness value of the network server and the network ID, and sends the network ID and the device freshness value to the application server. The application server generates the application session key from the network ID, the device freshness value, its own application freshness value and the pre-stored application key information, and transmits the application freshness value to the network server encrypted with the application key information. The network server generates the network access permission message from the application freshness value and the network freshness value, encrypts it with the network key information and transmits it to the IoT terminal device. The IoT terminal device parses the network access permission message to obtain the application freshness value and the network freshness value, generates the network session key and the application session key correspondingly, communicates with the network server under the network session key and with the application server under the application session key, deletes the original network key information and application key information, and uses the network session key as the new network key information and the application session key as the new application key information for its next network access authentication. By these technical means, updating the session keys provides security and communication robustness for the network access process of the IoT terminal device and optimizes the operation of system services.
The device for secure network access based on key update provided in the second embodiment of the present application can be used to execute the method for secure network access based on key update provided in the first embodiment of the present application, and has corresponding functions and beneficial effects.
Example three:
an embodiment of the present application provides an electronic device, and with reference to fig. 4, the electronic device includes: a processor 31, a memory 32, a communication module 33, an input device 34, and an output device 35. The number of processors in the electronic device may be one or more, and the number of memories in the electronic device may be one or more. The processor, memory, communication module, input device, and output device of the electronic device may be connected by a bus or other means.
The memory 32 is a computer-readable storage medium that can store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the secure network access method based on key update according to any embodiment of the present application (for example, the request module, the first generation module, the second generation module, the permission module and the update module of the secure network access device based on key update). The memory may mainly comprise a program storage area and a data storage area: the program storage area can store an operating system and the application program required by at least one function, and the data storage area can store data created through use of the device. Further, the memory may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples, the memory may further include memory located remotely from the processor, connected to the device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks and combinations thereof.
The communication module 33 is used for data transmission.
The processor 31 executes various functional applications and data processing of the device by running software programs, instructions and modules stored in the memory, that is, the above-mentioned secure network access method based on key update is realized.
The input device 34 may be used to receive entered numeric or character information and to generate key signal inputs relating to user settings and function controls of the apparatus. The output device 35 may include a display device such as a display screen.
The electronic device provided above can be used to execute the method for secure network access based on key update provided in the first embodiment above, and has corresponding functions and advantages.
Example four:
Embodiments of the present application further provide a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a secure network access method based on key update, the method comprising: network key information and application key information are stored in the IoT terminal device in advance; the IoT terminal device encrypts a network access request, which contains its device freshness value, with the network key information and uploads it to a network server; the network server verifies the network access request based on the pre-stored network key information, responds to it once it is verified, generates a network session key corresponding to the IoT terminal device from the network key information, the device freshness value, the network freshness value of the network server and the network ID, and sends the network ID and the device freshness value to an application server; the application server generates an application session key from the network ID, the device freshness value, its own application freshness value and the pre-stored application key information, and transmits the application freshness value to the network server encrypted with the application key information; the network server generates a network access permission message from the application freshness value and the network freshness value, encrypts it with the network key information and transmits it to the IoT terminal device; the IoT terminal device parses the network access permission message to obtain the application freshness value and the network freshness value, generates the network session key and the application session key correspondingly, communicates with the network server under the network session key and with the application server under the application session key, deletes the original network key information and the original application key information, and uses the network session key as the new network key information and the application session key as the new application key information for its next network access authentication.
Storage medium: any of various types of memory devices or storage devices. The term "storage medium" is intended to include: installation media such as CD-ROM, floppy disk or tape devices; computer system memory or random access memory such as DRAM, DDR RAM, SRAM, EDO RAM, Rambus RAM and the like; non-volatile memory such as flash memory or magnetic media (for example a hard disk) and optical storage; registers or other similar types of memory elements; and so on. The storage medium may also include other types of memory or combinations thereof. In addition, the storage medium may be located in the first computer system in which the program is executed, or in a different, second computer system connected to the first computer system through a network (such as the internet); the second computer system may then provide program instructions to the first computer for execution. The term "storage medium" may also cover two or more storage media residing in different locations, for example in different computer systems connected by a network. The storage medium may store program instructions (for example, embodied as a computer program) that are executable by one or more processors.
Of course, the storage medium provided in the embodiments of the present application contains computer-executable instructions, and the computer-executable instructions are not limited to the above-described security network access method based on key update, and may also perform related operations in the security network access method based on key update provided in any embodiment of the present application.
The device, the storage medium, and the electronic device for secure network access based on key update provided in the foregoing embodiments may execute the method for secure network access based on key update provided in any embodiment of the present application, and reference may be made to the method for secure network access based on key update provided in any embodiment of the present application without detailed technical details described in the foregoing embodiments.
The foregoing is considered as illustrative of the preferred embodiments of the invention and the technical principles employed. The present application is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present application has been described in more detail with reference to the above embodiments, the present application is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present application, and the scope of the present application is determined by the scope of the claims.
Claims (10)
1. A secure network access method based on key update, characterized by comprising the following steps:
network key information and application key information are stored in the IoT terminal device in advance; the IoT terminal device encrypts a network access request with the network key information and uploads it to a network server, the network access request containing a device freshness value of the IoT terminal device;
the network server verifies the network access request based on the pre-stored network key information, responds to the network access request once it is verified, generates a network session key corresponding to the IoT terminal device based on the network key information, the device freshness value, a network freshness value of the network server and a network ID, and sends the network ID and the device freshness value to an application server;
the application server generates an application session key based on the network ID, the device freshness value, an application freshness value of the application server and pre-stored application key information, and transmits the application freshness value to the network server encrypted with the application key information;
the network server generates a network access permission message based on the application freshness value and the network freshness value, encrypts the network access permission message with the network key information and transmits it to the IoT terminal device;
the IoT terminal device parses the network access permission message to obtain the application freshness value and the network freshness value, generates the network session key and the application session key correspondingly, performs service communication with the network server based on the network session key and with the application server based on the application session key, deletes the original network key information and the original application key information, and uses the network session key as the new network key information and the application session key as the new application key information for its next network access authentication.
2. The secure network access method based on key update according to claim 1, wherein before the network server verifies the network access request based on the pre-stored network key information, the method further comprises:
the network server judges the validity of the network access request based on the device freshness value and, if the network access request is judged valid, triggers a detection flow for the network access request.
3. The method according to claim 1, wherein the network server verifying the network access request based on the pre-stored network key information comprises:
the network server extracts the device freshness value, the device identification code and the application identification code contained in the network access request;
and performs a MIC calculation based on the pre-stored network key information, the device freshness value, the device identification code and the application identification code to obtain a corresponding MIC value, and verifies the identity of the IoT terminal device based on the MIC value.
4. The secure network access method based on key update according to claim 1, wherein the IoT terminal device parsing the network access permission message to obtain the application freshness value and the network freshness value comprises:
the IoT terminal device parses the network access permission message with the network key information to obtain the network freshness value and the encrypted application freshness value, and decrypts the application freshness value with the application key information.
5. The secure network access method based on key update according to claim 1, wherein generating the network session key and the application session key correspondingly comprises:
extracting the pre-stored network ID, generating the network session key based on the network key information, the device freshness value, the network freshness value and the network ID, and generating the application session key based on the network ID, the device freshness value, the application freshness value and the application key information.
6. The secure network access method based on key update according to claim 1, wherein the network access request further includes key update type information, and the key update type information is single update information or periodic update information.
7. The secure network access method based on key update according to claim 6, wherein the network server periodically issues an updated application freshness value and an updated network freshness value to the IoT terminal device based on the periodic update information, so as to update the application session key and the network session key.
8. A device for secure network access based on key update, comprising:
the request module is used for storing network key information and application key information in the terminal equipment of the Internet of things in advance, encrypting a network access request by using the network key information through the terminal equipment of the Internet of things, and uploading the network access request to a network server, wherein the network access request comprises an equipment fresh value of the terminal equipment of the Internet of things;
the first generation module is used for verifying the network access request based on prestored network key information through the network server, responding to the network access request after the network access request is verified, generating a network session key corresponding to the terminal equipment of the internet of things based on the network key information, the equipment fresh value, the network fresh value of the network server and the network ID, and sending the network ID and the equipment fresh value to an application server;
a second generating module, configured to generate, by the application server, an application session key based on the network ID, the device freshness value, the application freshness value of the application server, and pre-stored application key information, and encrypt and transmit the application freshness value to the network server using the application key information;
the permission module is used for generating a network access permission message based on the application fresh value and the network fresh value through the network server, encrypting the network access permission message by using the network key information and transmitting the network access permission message to the terminal equipment of the Internet of things;
the updating module is configured to analyze the network access permission message through the internet of things terminal device to obtain the application fresh value and the network fresh value, generate the network session key and the application session key correspondingly, perform service communication with the network server based on the network session key, perform service communication with the application server based on the application session key, delete the original network key information and the original application key information, use the network session key as new network key information, use the application session key as new application key information, and use the application session key for next network access authentication of the internet of things terminal device.
9. An electronic device, comprising:
a memory and one or more processors;
the memory for storing one or more programs;
when executed by the one or more processors, cause the one or more processors to implement the rekeying-based secure networking method of any of claims 1-7.
10. A storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform the rekeying-based secure networking method of any of claims 1-7.
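The join handshake of claims 1 and 8, as an added example that is not part of the patent: a stdlib-only Python model in which the device, network server and application server derive the network and application session keys from the stored key information and the three freshness values, then rotate the stored key information so the session keys become the credentials for the next join. The HMAC-SHA256 key derivation, the encrypt-then-MAC wrapping, the opaque forwarding of the application freshness value through the network server, and server-side rotation are all assumptions; the claims do not specify them.

```python
import hmac, hashlib, os

def kdf(key: bytes, *parts: bytes) -> bytes:
    """Session key = HMAC-SHA256(key, parts). Assumed KDF; the patent names none."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def _stream(key: bytes, iv: bytes, data: bytes) -> bytes:  # HMAC counter-mode keystream XOR
    out = bytearray()
    for i in range(0, len(data), 32):
        blk = hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], blk))
    return bytes(out)

def seal(key: bytes, msg: bytes) -> bytes:  # encrypt-then-MAC under subkeys of the key info
    iv = os.urandom(16)
    ct = _stream(kdf(key, b"enc"), iv, msg)
    return iv + ct + hmac.new(kdf(key, b"mac"), iv + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:  # verify tag first; stale key info fails here
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(kdf(key, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("message rejected: bad tag (wrong or stale key information)")
    return _stream(kdf(key, b"enc"), iv, ct)

def join(dev: dict, ns: dict, app: dict, net_id: bytes) -> tuple:
    """One join round; dev/ns/app hold the parties' stored key information and are rotated."""
    dev_nonce = os.urandom(16)                           # device freshness value
    req = seal(dev["net_key"], dev_nonce)                # device -> network server
    dn = unseal(ns["net_key"], req)                      # NS verifies with pre-stored key
    net_nonce = os.urandom(16)                           # network freshness value
    ns_sk = kdf(ns["net_key"], dn, net_nonce, net_id)    # network session key
    app_nonce = os.urandom(16)                           # app server gets net_id, dn from NS
    app_sk = kdf(app["app_key"], net_id, dn, app_nonce)  # application session key
    app_blob = seal(app["app_key"], app_nonce)           # app -> NS, opaque to NS (assumed)
    permit = seal(ns["net_key"], net_nonce + app_blob)   # NS -> device: permission message
    plain = unseal(dev["net_key"], permit)               # device parses the permit
    d_app_nonce = unseal(dev["app_key"], plain[16:])
    d_ns_sk = kdf(dev["net_key"], dev_nonce, plain[:16], net_id)
    d_app_sk = kdf(dev["app_key"], net_id, dev_nonce, d_app_nonce)
    # Rotation: old key information is deleted; session keys become next join's credentials
    dev["net_key"], ns["net_key"] = d_ns_sk, ns_sk
    dev["app_key"], app["app_key"] = d_app_sk, app_sk
    return d_ns_sk, d_app_sk

def join_ok(dev: dict, ns: dict, app: dict, net_id: bytes) -> bool:
    try:
        join(dev, ns, app, net_id); return True
    except ValueError: return False
```

Because the original key information is deleted after a successful join, a copy of the pre-rotation credentials is refused on the next attempt, which is the replay resistance the rekeying step is meant to provide.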
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110150484.8A CN112953923A (en) | 2021-02-03 | 2021-02-03 | Safe network access method and device based on secret key updating |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110150484.8A CN112953923A (en) | 2021-02-03 | 2021-02-03 | Safe network access method and device based on secret key updating |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112953923A true CN112953923A (en) | 2021-06-11 |
Family
ID=76243346
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110150484.8A Pending CN112953923A (en) | 2021-02-03 | 2021-02-03 | Safe network access method and device based on secret key updating |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112953923A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1732281A1 (en) * | 2005-06-08 | 2006-12-13 | Research In Motion Limited | Virtual private network for real-time data |
CN102006595A (en) * | 2010-12-07 | 2011-04-06 | 东南大学 | Key management method of wireless sensor network |
CN102230805A (en) * | 2011-06-30 | 2011-11-02 | 福建慧翰信息技术有限公司 | System and method for dynamic update of path reservation and planning result thereof |
CN107104932A (en) * | 2016-02-23 | 2017-08-29 | 中兴通讯股份有限公司 | Key updating method, apparatus and system |
CN107819574A (en) * | 2017-11-10 | 2018-03-20 | 国网河南省电力公司鹤壁供电公司 | A kind of rural power grids leak current fault system based on the close SM1 algorithms of state and LoRa technologies |
CN110602706A (en) * | 2019-09-27 | 2019-12-20 | 中移物联网有限公司 | Network access method, terminal and server |
CN110912871A (en) * | 2019-10-31 | 2020-03-24 | 全球能源互联网研究院有限公司 | Method and system for preventing network access attack of low-power-consumption Internet of things |
US20200288312A1 (en) * | 2017-04-19 | 2020-09-10 | Orange | Communication system and method |
CN112073115A (en) * | 2020-09-02 | 2020-12-11 | 东方红卫星移动通信有限公司 | Lora-based low-orbit satellite Internet of things registration security verification method, Internet of things terminal, network server and user server |
- 2021-02-03 CN CN202110150484.8A patent/CN112953923A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9935954B2 (en) | System and method for securing machine-to-machine communications | |
WO2019184736A1 (en) | Access authentication method and device, and server | |
CN108418691B (en) | Dynamic network identity authentication method based on SGX | |
CN113691502B (en) | Communication method, device, gateway server, client and storage medium | |
TW201832121A (en) | Authorization server, authorization method and computer program product thereof | |
CN113411190B (en) | Key deployment, data communication, key exchange and security reinforcement method and system | |
CN109618334B (en) | Control method and related equipment | |
CN108322416B (en) | Security authentication implementation method, device and system | |
WO2018119623A1 (en) | Method of unlocking electronic lock device, and client and electronic lock device thereof | |
Chom Thungon et al. | A lightweight authentication and key exchange mechanism for IPv6 over low‐power wireless personal area networks‐based Internet of things | |
Chen et al. | A full lifecycle authentication scheme for large-scale smart IoT applications | |
CN109451504B (en) | Internet of things module authentication method and system | |
TWI827906B (en) | Message transmitting system, user device and hardware security module for use therein | |
CN113965425B (en) | Access method, device and equipment of Internet of things equipment and computer readable storage medium | |
KR102381038B1 (en) | Techniques for secure authentication of the controlled devices | |
KR20190040443A (en) | Apparatus and method for creating secure session of smart meter | |
CN115473655B (en) | Terminal authentication method, device and storage medium for access network | |
Zhou et al. | Perils and mitigation of security risks of cooperation in mobile-as-a-gateway IoT | |
CN113872986B (en) | Power distribution terminal authentication method and device and computer equipment | |
CN112953923A (en) | Safe network access method and device based on secret key updating | |
US11461478B2 (en) | Mobile network core component for managing security keys | |
Jia et al. | A Critique of a Lightweight Identity Authentication Protocol for Vehicular Networks. | |
KR20170111809A (en) | Bidirectional authentication method using security token based on symmetric key | |
CN201663659U (en) | Front end of conditional access system and scriber management system | |
KR101490638B1 (en) | Method of authenticating smart card, server performing the same and system performint the same |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20210611 |