CN113472526A - Internet of things equipment line protection method based on security chip - Google Patents

Internet of things equipment line protection method based on security chip Download PDF

Info

Publication number
CN113472526A
CN113472526A CN202110709360.9A CN202110709360A CN113472526A CN 113472526 A CN113472526 A CN 113472526A CN 202110709360 A CN202110709360 A CN 202110709360A CN 113472526 A CN113472526 A CN 113472526A
Authority
CN
China
Prior art keywords
data
key
negotiation
equipment
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110709360.9A
Other languages
Chinese (zh)
Other versions
CN113472526B (en
Inventor
刘畅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing CEC Huada Electronic Design Co Ltd
Original Assignee
Beijing CEC Huada Electronic Design Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing CEC Huada Electronic Design Co Ltd filed Critical Beijing CEC Huada Electronic Design Co Ltd
Priority to CN202110709360.9A priority Critical patent/CN113472526B/en
Publication of CN113472526A publication Critical patent/CN113472526A/en
Application granted granted Critical
Publication of CN113472526B publication Critical patent/CN113472526B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • G06F21/445Program or device authentication by mutual authentication, e.g. between devices or programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a line protection method of Internet of things equipment based on a security chip, in particular to a method for ensuring the safe transmission of data in a communication pipeline, when the equipment is powered on, the legality of the equipment and a server is confirmed through certificateless asymmetric algorithm bidirectional authentication; after passing the authentication, a session key which has high randomness and can be encrypted once is generated by adopting secondary negotiation; when data is transmitted in the communication pipeline, the session key and the symmetric algorithm are used for encrypting the data and calculating MAC, so that the confidentiality and the integrity of line data are ensured, and the line transmission safety is ensured. The method fully considers the characteristics of simple, efficient and low-power consumption of the Internet of things equipment, does not need to establish a complex key management system, utilizes the high security of an asymmetric algorithm and the rapidity of Hash and the symmetric algorithm, increases the randomness of the key, is particularly suitable for a model of a cloud-pipe-end (server-communication pipeline-equipment end) in the Internet of things, and fully ensures the information security of data in the transmission process from the equipment to the server.

Description

Internet of things equipment line protection method based on security chip
Technical Field
The invention relates to the field of information security of the Internet of things, in particular to a line protection method for equipment of the Internet of things based on a security chip.
Background
With the rapid development of the internet of things and intelligent products, information security issues are receiving increasing attention. Many intelligent products cannot be separated from a 'cloud-pipe-end' mode, namely a cloud (server) -communication pipeline-equipment end, so that a complete security strategy needs to be provided for each link, and the security of data and keys is ensured. In particular implementation, however, the server and the device may always perform key and data filling in a manner isolated from each other by a physical environment, so that security in the communication pipeline is particularly concerned. Since data transmission from the device side to the server side is usually through wireless communication, how to ensure the legality and data security of a transmission object is a key point of technical research. The bidirectional authentication and data protection in the prior art have the following defects:
(1) in the bidirectional authentication, in order to ensure high confidentiality, an asymmetric algorithm is mostly adopted for data protection, complex key management, certificate management and system design are often introduced, but the internet of things equipment is mostly based on communication modes such as LTE Cat-0, Cat-1, M1 and NB, and the internet of things equipment has the characteristics of simple design, low cost, low power consumption (long battery life), low traffic, high efficiency and the like, and is not suitable for introducing a complex key management system;
(2) in the existing scheme of data protection, single negotiation is mostly adopted, for the internet of things equipment with high safety, high efficiency and low power consumption, if asymmetric algorithm negotiation is adopted for data exchange every time, the efficiency is low, the battery loss is large, and if symmetric algorithm negotiation is adopted, the safety is poor, and a more balanced method needs to be found.
Disclosure of Invention
Aiming at the problems of the related art, the invention provides a line protection method with balanced safety and performance, which is not only free from building a complex key management system, realizes the multiplexing of data and methods of authentication and session key negotiation, but also can efficiently generate a session key with high randomness, and performs confidentiality and integrity protection on the data in transmission.
In order to achieve the technical purpose, the invention discloses a line protection method of Internet of things equipment based on a security chip, which is characterized in that the legality authentication of the equipment and a server is realized through certificateless asymmetric algorithm bidirectional authentication, a session key is generated in a secondary negotiation mode after the authentication is passed, wherein the security of the first-stage negotiation is enhanced by using an asymmetric algorithm and is only performed when the equipment is powered on again, the performance loss is reduced by reducing the use frequency, the second-stage negotiation is performed by using a high-efficiency hash algorithm, the session key is obtained by hashing a main key and a random number of the first-stage negotiation, and the randomness of the key is increased, so that the one-time pad is realized. The mode of the secondary negotiation reduces the flow and the power consumption (especially the loss of the service life of a battery) to the maximum extent, and improves the working efficiency of the equipment. When the equipment and the server need to exchange data, the session key is used for encrypting plaintext data and calculating MAC, so that the confidentiality and the integrity of line transmission are ensured. The method specifically comprises the following steps:
(1) in a safe physical environment, a public and private key pair of equipment, an equipment ID and a server public key are preset in a security chip, a server public and private key pair of the server and an equipment public key are preset in the server, and the server binds the equipment public key and the equipment ID.
(2) The method comprises the steps that the device ID of a security chip is obtained at a device end through a security SDK and is sent to a server end for key matching, then the device end generates a random number Rand1, the random number is subjected to SM2 algorithm signature through a device private key, signature text and signature information are sent to the server end, the server uses a device public key to perform SM2 algorithm signature verification, and the signature verification is passed, namely the device passes the authentication; the server generates a random number Rand2, the random number is signed by an SM2 algorithm through a server private key, a signature original text and signature information are sent to the equipment end, the equipment end calls a security SDK to check the signature through the SM2 algorithm through a server public key, and the two-way authentication is completed when the signature passes through the server authentication.
(3) After the two-way authentication is passed, a first-level session key negotiation is carried out when the equipment is powered on every time, the main method is that the equipment end obtains the equipment ID of the security chip through the security SDK and sends the equipment ID to the server end for key matching, then the server generates a random number as a master key MasterKey, the device public key is used for carrying out SM2 algorithm encryption on the MasterKey to obtain Enc, the Enc is returned to the equipment end, the equipment uses the equipment private key to carry out SM2 algorithm decryption through the security SDK to obtain a MasterKey plaintext, and the MasterKey plaintext is stored in an NVM (non-volatile memory) area of the security chip and stored for a long time.
(4) And performing second-stage session key negotiation and one-time pad each time the equipment end and the server end perform data exchange. The method comprises the steps that firstly, a random number Rand3 is generated by an equipment end through a safety SDK, the random number Rand3 is sent to a server through a communication module, the server carries out SM3 Hash operation on MasterKey | | Rand3 to obtain a session key sessionKey after negotiation, and informs the equipment end that the negotiation is completed, at the moment, the equipment end uses the safety SDK to carry out SM3 Hash operation on the MasterKey | | Rand3 to obtain the session key sessionKey after negotiation, and the session key sessionKey is stored in an RAM area of a safety chip and can be stored quickly.
(5) And after the second-stage session key negotiation is generated, carrying out SM4 algorithm encryption and MAC processing on the data before sending the sensitive data, and carrying out SM4 algorithm decryption and MAC removal processing on the data after receiving the sensitive data to obtain a plaintext.
The method has the advantages of fully playing the high security of the asymmetric algorithm and the rapidity of the Hash algorithm and the symmetric algorithm, increasing the randomness of the session key, and balancing the characteristics of high security, high efficiency and low power consumption in the Internet of things equipment. When the equipment is electrified and authenticated, a high-security asymmetric algorithm is adopted for bidirectional authentication and first-level session key agreement, the stored key and the calculation method can be reused for two operations, the two operations are performed periodically, and the performance and flow loss caused by the asymmetric algorithm are reduced by reducing the frequency; when the equipment and the server exchange data, performing second-level session key negotiation, increasing the randomness of the session key based on the first-level session key and the random number, and realizing the one-time pad through high-efficiency hash calculation; and finally, the exchanged data is subjected to efficient symmetric algorithm encryption and MAC addition by using the key negotiated for the second time, so that double protection is realized, and the data is effectively prevented from being leaked and damaged in the transmission process.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings are only one embodiment of the present invention, and those skilled in the art can obtain other drawings without inventive labor.
FIG. 1 is a block diagram of an overall system embodying the present invention
FIG. 2 is a flow chart of mutual authentication according to the present invention
FIG. 3 is a diagram of a one-level negotiation process as described in the present invention
FIG. 4 is a diagram of a two-stage negotiation process as described in the practice of the present invention
FIG. 5 is a diagram illustrating an example of sensitive information interaction according to an embodiment of the present invention
Detailed Description
The technical scheme in the embodiment of the invention is clearly and completely described below with reference to the accompanying drawings. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of methods consistent with certain aspects of the invention, as detailed in the appended claims.
As shown in fig. 1, according to the method for protecting the line of the internet of things device based on the security chip in the embodiment of the present invention, a "cloud-pipe-end" model needs to be satisfied, wherein the MCU and the security chip interact with each other through the security SDK, the whole device and the server end transmit through the communication module, and the device and the server can adopt a physical environment for security, so as to ensure the security of key data filling, so that the line data protection on the communication pipeline needs to be focused.
As shown in fig. 2, the mutual authentication according to the embodiment of the present invention is a basis for subsequent line transmission in order to confirm the validity between the device and the server. Comprises the following steps:
s2001, in a secure physical environment, presetting a public and private device key (PubK ey.dev and prikey.dev), a public and private server key (pubkey.server) and a public and private device id.dev in a secure chip, presetting a public and private server key (pubkey.server and prikey.server) and a public and private device key (pubkey.server) in a server, and binding the public and private device keys with the device ID in the server.
And S2002, acquiring the equipment ID of the security chip at the equipment end through the security SDK, and performing PubKey.
And S2003, calling a security SDK by the device side to generate a random number Rand 1.
And S2004, the equipment side carries out SM2 algorithm signature on the Rand1 by using PriKey.dev to obtain sign.dev, and the ID.dev | | Rand1| | sign.dev is sent to the server through the communication module.
And S2005, performing SM2 algorithm signature verification on Rand1| | | sign.dev by PubKey.dev at the server, and confirming that the equipment is legal after the signature verification is passed.
And S2006, using PrIKey.server of the server to perform SM2 algorithm signature on the Rand2 of the random number generated by the server to obtain sign.sever, and sending the Rand2| | | sign.dev to the equipment through the communication module.
And S2007, the device side performs SM2 algorithm signature verification on Rand2| | | sign.dev through the safety SDK by using PubKey.server, and if the signature verification is passed, the server is confirmed to be legal, and both sides are legal and pass the bidirectional authentication.
As shown in fig. 3, according to the first-stage key agreement described in the embodiment of the present invention, in consideration of the high security but low performance of the asymmetric algorithm, the first-stage key agreement is performed only when the device is powered on, so as to reduce the frequency of use. Comprises the following steps:
s3001, the device side obtains the device ID of the security chip through the security SDK, and performs PubKey.
S3002, the server generates a random number MasterKey, and uses PubKey. dev to encrypt MasterKe y by SM2 algorithm to obtain Enc, and returns the Enc to the equipment end.
And S3003, the equipment side uses the PriKey. dev private key to decrypt the SM2 algorithm through the secure SDK to obtain the MasterKey plaintext, and the MasterKey plaintext is stored in the NVM area of the secure chip and can be stored for a long time.
As shown in fig. 4, in the second-level key agreement according to the embodiment of the present invention, in consideration of high efficiency of the hash algorithm, in order to increase randomness of the key, a random number is added to the key based on the first-level key agreement, and hash calculations are performed at two ends of the server and the device, respectively, so as to implement a fast one-time pad, including the following steps:
s4001, generating a random number Rand3 by the device end through the security SDK.
S4002, sending the random number Rand3 to the server through the communication module, and the server performing SM3 hash operation on the MasterKey | | | Rand3 to obtain the negotiated session key Session Key and informing the device end that the negotiation is completed.
S4003, the device side uses the secure SDK to perform SM3 hash operation on MasterKey | | Rand3 to obtain a negotiated session key sessionKey, and the session key sessionKey is stored in the RAM area of the secure chip, so that rapid storage is realized.
As shown in fig. 5, according to the sensitive information transmission example described in the embodiment of the present invention, assuming that the internet of things device is an intelligent door lock, taking the temporary unlocking password as an example, the specific steps are as follows:
s5001, when the device is powered on and started, the device can perform bidirectional authentication through the network and the server, first-level key agreement is performed after the legality of the two parties is ensured, then, a first-level agreement key is stored in the device, and meanwhile, the same first-level agreement key is also stored in the server.
S5002, the equipment side initiates a request for obtaining the temporary unlocking password, and the server side receives the request of the equipment side.
S5003, after receiving the request of the server for agreeing to apply the unlocking password, the device generates a random number through the security SDK and sends the random number to the server through the network. After the server receives the random number, the two parties start to carry out second-level key agreement.
S5004, after the second-level negotiation is completed, the server generates a temporary password, encrypts the temporary password by using the second-level negotiation key, adds MAC, and transmits the encrypted temporary password back to the equipment end.
S5005, the device side calls the safe SDK, the secondary negotiation key of the device side is used for removing MAC and decrypting the password, and the temporary password plaintext is stored in the safe chip.
S5006, when the temporary password information sent by the server is received by the unlocking person, the temporary password information is input into the equipment end, and the equipment end is compared with the secret key in the equipment end security chip, so that the unlocking can be successfully carried out.
S5007, in this example, the adopted asymmetric algorithm is SM2 algorithm, the speed is 61.4kbps, the hash algorithm is SM3, the speed is 519.3kbps, the symmetric algorithm is SM4, and the speed is 348.9kbps, the asymmetric algorithm and the hash algorithm are selected through measurement, secondary negotiation, and the symmetric algorithm is adopted for data transmission, so that the power consumption is reduced, the efficiency is improved, and the safety is guaranteed in the Internet of things equipment line.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (5)

1. The line protection method of the Internet of things equipment based on the security chip is characterized in that certificateless asymmetric algorithm bidirectional authentication is adopted, a complex key management system does not need to be established, and the legality of the equipment and a server is confirmed by utilizing the high security of the asymmetric algorithm; after the authentication is passed, a session key is generated by adopting a secondary negotiation mode, wherein a high-safety asymmetric algorithm is adopted in the first-stage negotiation, and a high-efficiency Hash algorithm is adopted in the second-stage negotiation, so that a secondary session key with high safety and high randomness is generated; after the key agreement is successful, the data in the communication pipeline is encrypted by adopting a symmetric algorithm, and the data is subjected to double protection of MAC calculation, so that the confidentiality and the integrity of the line data are ensured.
2. The method for protecting the line of the internet-of-things device according to claim 1, wherein the second negotiation mode generates the session key, wherein the first negotiation uses an asymmetric algorithm to generate the master key, the negotiation is performed periodically, the negotiation is performed after the device is powered on and authenticated each time, the master key is stored in the NVM area of the security chip and can be stored for a long time, the second negotiation uses a hash algorithm to generate the session key of the one-time pad, the session key is performed each time before the device and the server exchange data, and the session key is stored in the RAM at a high storage speed, so that the one-time pad with high efficiency and high randomness is realized.
3. The method for protecting the line of the internet-of-things equipment according to claim 1, wherein the first-stage negotiation adopts an asymmetric algorithm, and each time the equipment is powered on, the random number is encrypted by using an equipment public key at the server side in a digital envelope mode, and after the random number is transmitted to the equipment, the ciphertext is decrypted by using a corresponding equipment private key to obtain a main key plaintext, and the main key plaintext is stored in a security chip to complete the first-stage negotiation.
4. The method for protecting the line of the internet-of-things device according to claim 1, wherein the second-level negotiation uses a hash algorithm, the device generates a random number and transmits the random number to the server every time data exchange between the device and the server is required, the two ends use a high-efficiency hash algorithm to obtain a session key based on the first-level master key and the random number, the second-level negotiation is completed, and the negotiated key is used for protecting line data.
5. The method for protecting the line of the internet of things equipment according to claim 1, wherein the double protection of encrypting the data in the communication pipeline by adopting the symmetric algorithm and calculating the MAC of the data is realized by performing symmetric algorithm encryption and MAC processing on the session key data obtained by the secondary negotiation, decrypting the data after receiving the session key data and removing the MAC processing to obtain a plaintext, and the ciphertext transmission ensures that the data content is not leaked and increases the MAC to ensure that the data is not tampered.
CN202110709360.9A 2021-06-25 2021-06-25 Internet of things equipment line protection method based on security chip Active CN113472526B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110709360.9A CN113472526B (en) 2021-06-25 2021-06-25 Internet of things equipment line protection method based on security chip

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110709360.9A CN113472526B (en) 2021-06-25 2021-06-25 Internet of things equipment line protection method based on security chip

Publications (2)

Publication Number Publication Date
CN113472526A true CN113472526A (en) 2021-10-01
CN113472526B CN113472526B (en) 2023-06-30

Family

ID=77872856

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110709360.9A Active CN113472526B (en) 2021-06-25 2021-06-25 Internet of things equipment line protection method based on security chip

Country Status (1)

Country Link
CN (1) CN113472526B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660659A (en) * 2021-10-19 2021-11-16 华智生物技术有限公司 Internet of things equipment identity identification method, system, equipment and computer readable medium
CN114172745A (en) * 2022-01-19 2022-03-11 中电华瑞技术有限公司 Internet of things security protocol system
CN114244509A (en) * 2021-12-17 2022-03-25 北京国泰网信科技有限公司 Method for carrying out SM2 one-time pad bidirectional authentication unlocking by using mobile terminal
CN115529138A (en) * 2022-08-29 2022-12-27 中国南方电网有限责任公司 Transformer substation safety communication method and system based on digital authentication technology

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008053279A1 (en) * 2006-11-01 2008-05-08 Danske Bank A/S Logging on a user device to a server
CN104158653A (en) * 2014-08-14 2014-11-19 华北电力大学句容研究中心 Method of secure communication based on commercial cipher algorithm
CN107733747A (en) * 2017-07-28 2018-02-23 国网江西省电力公司上饶供电分公司 Towards the common communication access system of multiple service supporting
CN110944327A (en) * 2019-10-31 2020-03-31 卡斯柯信号(郑州)有限公司 Information security method and device for rail transit zone controller
CN111314072A (en) * 2020-02-21 2020-06-19 北京邮电大学 Extensible identity authentication method and system based on SM2 algorithm
CN111614621A (en) * 2020-04-20 2020-09-01 深圳奇迹智慧网络有限公司 Internet of things communication method and system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008053279A1 (en) * 2006-11-01 2008-05-08 Danske Bank A/S Logging on a user device to a server
CN104158653A (en) * 2014-08-14 2014-11-19 华北电力大学句容研究中心 Method of secure communication based on commercial cipher algorithm
CN107733747A (en) * 2017-07-28 2018-02-23 国网江西省电力公司上饶供电分公司 Towards the common communication access system of multiple service supporting
CN110944327A (en) * 2019-10-31 2020-03-31 卡斯柯信号(郑州)有限公司 Information security method and device for rail transit zone controller
CN111314072A (en) * 2020-02-21 2020-06-19 北京邮电大学 Extensible identity authentication method and system based on SM2 algorithm
CN111614621A (en) * 2020-04-20 2020-09-01 深圳奇迹智慧网络有限公司 Internet of things communication method and system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660659A (en) * 2021-10-19 2021-11-16 华智生物技术有限公司 Internet of things equipment identity identification method, system, equipment and computer readable medium
CN113660659B (en) * 2021-10-19 2022-03-04 华智生物技术有限公司 Internet of things equipment identity identification method, system, equipment and computer readable medium
CN114244509A (en) * 2021-12-17 2022-03-25 北京国泰网信科技有限公司 Method for carrying out SM2 one-time pad bidirectional authentication unlocking by using mobile terminal
CN114172745A (en) * 2022-01-19 2022-03-11 中电华瑞技术有限公司 Internet of things security protocol system
CN115529138A (en) * 2022-08-29 2022-12-27 中国南方电网有限责任公司 Transformer substation safety communication method and system based on digital authentication technology

Also Published As

Publication number Publication date
CN113472526B (en) 2023-06-30

Similar Documents

Publication Publication Date Title
CN113472526B (en) Internet of things equipment line protection method based on security chip
CN110380852B (en) Bidirectional authentication method and communication system
CN106789042B (en) Authentication key negotiation method for user in IBC domain to access resources in PKI domain
CN102572817B (en) Method and intelligent memory card for realizing mobile communication confidentiality
CN101640590B (en) Method for obtaining a secret key for identifying cryptographic algorithm and cryptographic center thereof
CN110048849B (en) Multi-layer protection session key negotiation method
CN107612934A (en) A kind of block chain mobile terminal computing system and method based on Secret splitting
CN112804205A (en) Data encryption method and device and data decryption method and device
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN103444123A (en) Shared key establishment and distribution
CN113630248B (en) Session key negotiation method
CN106685969A (en) Hybrid-encrypted information transmission method and transmission system
CN113204760B (en) Method and system for establishing secure channel for software cryptographic module
CN104901803A (en) Data interaction safety protection method based on CPK identity authentication technology
CN103634266A (en) A bidirectional authentication method for a server and a terminal
CN103905388A (en) Authentication method, authentication device, smart card, and server
CN111416712B (en) Quantum secret communication identity authentication system and method based on multiple mobile devices
CN108809936A (en) A kind of intelligent mobile terminal auth method and its realization system based on Hybrid Encryption algorithm
CN114650173A (en) Encryption communication method and system
CN106992866A (en) It is a kind of based on wireless network access methods of the NFC without certificate verification
CN113676448A (en) Off-line equipment bidirectional authentication method and system based on symmetric key
CN116707778A (en) Data hybrid encryption transmission method and device and electronic equipment
CN113839786B (en) Key distribution method and system based on SM9 key algorithm
CN106330430B (en) A kind of third party's method of mobile payment based on NTRU
CN110365482B (en) Data communication method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant