CN117081775A - Communication encryption method, device and system based on terminal identity authentication - Google Patents

Info

Publication number: CN117081775A
Application number: CN202310538719.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: terminal, information, local gateway, gateway, identity authentication
Inventors: 徐思尧, 李妍, 彭明洋, 占聪聪, 张子瑛, 周刚, 张凯
Current assignee: Guangdong Power Grid Co Ltd; Electric Power Research Institute of Guangdong Power Grid Co Ltd
Original assignee: Guangdong Power Grid Co Ltd; Electric Power Research Institute of Guangdong Power Grid Co Ltd
Application filed by Guangdong Power Grid Co Ltd and Electric Power Research Institute of Guangdong Power Grid Co Ltd; priority to CN202310538719.XA.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Abstract

The invention discloses a communication encryption method, device and system based on terminal identity authentication. In the method, a first local gateway obtains first device information of a first terminal and receives, from a second gateway, second device information of devices approved for network access; it authenticates the first terminal by comparing the first device information with the second device information. If the first terminal is authenticated successfully, the first local gateway receives information data sent by the first terminal and parses it to obtain the first private key corresponding to the first terminal and the second public key corresponding to a second terminal. Using the first private key and the second public key, the first local gateway encrypts the information data and sends the encrypted data to the second local gateway corresponding to the second terminal, so that communication security is ensured.

Description

Communication encryption method, device and system based on terminal identity authentication
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, and a system for encrypting communications based on terminal identity authentication.
Background
In Internet of Things (IoT) environments, and in particular in large-scale, high-security deployments (automated port areas, warehouses, metropolitan data acquisition systems and the like), a dedicated line is usually used as the backbone network so that bandwidth is sufficient. In terms of network security, however, such systems mostly consider only the security of the computing center, especially the boundary between the computing center and external access, and do not consider threats that originate on the network side from the field-level terminals. An attacker therefore only needs to connect an unauthorized device to some subnet and spread viruses at the subnet level to take control of other devices and launch data theft or denial-of-service attacks from the inside, which the administrator cannot respond to. From a network security perspective, identity authentication of terminal devices is needed to implement a reasonably complete whitelist policy, so that access by unauthorized devices is discovered at the source and in time, segmented management is established, and a relatively closed IoT network results.
At present, admission control and communication control for IoT terminals mainly involve two kinds of technology: terminal admission and network access control. Terminal admission products are of two types, terminal admission systems and encrypted communication systems.
Terminal admission systems: protection can be applied at the point of network access or in series in the network (firewall mode). Such products exist in with-client and client-less forms. In the client-less mode, terminal admission is identified and controlled mainly by binding MAC address to IP address; the with-client mode requires a client deployed on the terminal, which identifies and controls admission through the certificate issued to it. These products are designed mainly for general information systems: in principle one terminal admission system is deployed per subnet, the equipment is expensive, and the with-client mode requires a client to be installed on the terminal. IoT terminals, however, have weak computing capacity and closed operating systems that mostly do not support installing third-party software, so such systems are not applicable to the IoT environment. Traffic monitoring: a control system for the local subnet can be built through electromagnetic monitoring and traffic monitoring, so that problem devices are found in time. This equipment is also designed from general information systems; the product range covers traffic probes, firewall monitoring modules and the like, and the computing scenarios covered include general information systems, industrial control systems and IoT systems. However, these products are expensive, often protect only the computing-center layer, and are difficult to extend to every regional subnet; and if an attacker joins the network by replacing a device, the admission monitoring function of these products is defeated.
Encryption technology: with conventional public/private key encryption, the sender encrypts with the receiver's public key and only the receiver can decrypt with its private key. Applying encryption alone, however, only ensures the confidentiality of communication and does not address integrity or non-repudiation. If an attacker intercepts the channel between sender and receiver, it is entirely possible to impersonate the sender and retransmit tampered content, which the receiving end cannot distinguish.
In general, for IoT terminal identity authentication only products derived from general information systems exist at present, and their main drawbacks are that they require cooperation from the terminal and are expensive. In an IoT terminal network, however, devices have weak computing capacity and cannot run a complete operating system, so installing agent software on the client is not supported; at the same time, the overall construction cost of the terminal network is low, and the combined price of all network equipment and terminal devices in the whole network is often lower than that of a single traffic monitoring security appliance, so the cost is uneconomical.
Disclosure of Invention
To solve these problems in the prior art, the invention discloses a communication encryption method, device and system based on terminal identity authentication which can be connected directly into an existing network, improve compatibility, reduce the cost of identity authentication compared with the prior art, and ensure communication security.
To achieve the above object, in a first aspect the invention discloses a communication encryption method based on terminal identity authentication, including:
a first local gateway obtains first device information of a first terminal and receives second device information of terminals to be admitted to the network, sent by a second gateway, and authenticates the identity of the first terminal by comparing the first device information with the second device information;
if the identity authentication of the first terminal succeeds, the first local gateway receives information data sent by the first terminal and parses the information data to obtain a first private key corresponding to the first terminal and a second public key corresponding to a second terminal;
and the first local gateway encrypts the information data with the first private key and the second public key to obtain encrypted data, and sends the encrypted data to a second local gateway corresponding to the second terminal.
The disclosed method uses a first local gateway to detect a first terminal newly connected to the network and obtain its first device information, then compares that first device information with the second device information of terminals approved for network access, sent by the second gateway, to judge whether the newly connected first terminal is trusted; this authenticates the first terminal and improves communication security. When the first terminal is authenticated successfully, the first local gateway receives the information sent by the first terminal, parses it, obtains the private key corresponding to the first terminal and the public key corresponding to the second terminal, encrypts the information with that private key and public key, and sends the encrypted information to the second local gateway corresponding to the second terminal. The second local gateway can then judge from the private key whether the received encrypted information was indeed sent by the first local gateway, which ensures communication security.
As a preferred example, before receiving the second device information of the terminal to be admitted sent by the second gateway, the method specifically includes:
performing security detection on the terminal to be admitted and collecting its second device information;
and if the terminal passes the security detection, submitting the second device information to the second gateway, which issues the terminal's private key and public key, sends the public key to a preset LDAP tree, and writes the private key into the terminal.
By performing security detection on the terminal to be admitted, the security of network communication is first ensured at the source; then, when the terminal passes security detection, its device information is sent to the third gateway so that the third gateway generates the terminal's private key and public key. This reduces the computation performed by the first local gateway and therefore its performance requirement, which reduces cost.
As a preferred example, the first local gateway obtaining first device information of a first terminal and receiving second device information of a terminal to be admitted sent by a second gateway, so as to authenticate the first terminal by comparing the two, specifically includes:
the first local gateway receives the second device information of the terminal to be admitted, sent by the second gateway; the second device information comprises a device fingerprint and device installation information;
the first local gateway detects the first terminal newly connected to the network by monitoring local traffic, and obtains the first device information corresponding to the first terminal;
and the first local gateway compares the first device information with the second device information through a preset rapid matching algorithm so as to authenticate the first terminal.
The invention monitors the local traffic controlled by the first local gateway, so the first terminal newly connected to the network is determined quickly and accurately. Having the local gateway monitor new terminals improves monitoring coverage and performs terminal identity authentication promptly and comprehensively: the identity information of the first terminal is obtained and compared with the device information of approved terminals sent by the second gateway, which authenticates the terminal simply and accurately, and a rapid matching algorithm speeds up the matching step.
As a preferred example, parsing the information data to obtain the first private key corresponding to the first terminal and the second public key corresponding to the second terminal specifically includes:
the first local gateway parses the information to obtain first address information of the first terminal that sends the information and second address information of the second terminal that receives it; the first address information comprises a first terminal address and a first terminal ID, and the second address information comprises a second terminal address and a second terminal ID;
from the first address information, the first local gateway queries the private key management of the first terminal to obtain the first private key corresponding to the first terminal;
and from the second address information, the first local gateway searches the LDAP tree preset by the second gateway to obtain the second public key corresponding to the second terminal.
By parsing the information sent by the first terminal, the method and device obtain the first address information of the first terminal and the second address information of the second terminal that receives the information, and from those addresses obtain the second terminal's public key and the first terminal's private key, so that the communication can be encrypted with that public key and private key. The public key makes decryption by the second terminal possible, and the private key lets the second terminal judge whether the received information was sent by the first terminal, which ensures non-repudiation of the communication and improves its security.
As a preferred example, the first local gateway encrypting the information to obtain encrypted data and sending it to the second local gateway corresponding to the second terminal specifically includes:
the first local gateway establishes an asymmetric encryption channel for communication with the second local gateway, generates a first random stream from the first private key with a preset stream cipher algorithm, and XORs the first random stream with the information to obtain a ciphertext stream;
the first local gateway then encrypts the ciphertext stream with the second public key to obtain the encrypted data;
and over the asymmetric encryption channel, the first local gateway sends the encrypted data to the second local gateway together with the first address information of the first terminal and the second address information of the second terminal, which are sent in plaintext.
By establishing the asymmetric encryption channel between the local gateways, data encryption is performed in the local gateways, which reduces the computation required of the terminal. The sending end's key is used to form the ciphertext stream that encrypts the sent information, which ensures data integrity and lets the receiving end judge the source of the information, further ensuring communication security; the key is then used to encrypt the ciphertext stream, which the receiving end can conveniently decrypt.
In a second aspect, the invention further provides a communication encryption method based on terminal identity authentication, including:
a second local gateway obtains third device information of a second terminal and receives second device information of devices to be admitted to the network, sent by the second gateway, and authenticates the identity of the second terminal by comparing the third device information with the second device information;
if the identity authentication of the second terminal succeeds, the second local gateway receives encrypted data sent by the first local gateway and parses it to obtain a first public key corresponding to the first terminal and a second private key corresponding to the second terminal; the encrypted data was obtained by the first local gateway encrypting information sent by the first terminal with the first private key corresponding to the first terminal and the second public key corresponding to the second terminal;
and the second local gateway decrypts the encrypted data with the second private key and the first public key to obtain the information data sent by the first terminal, and sends the information data to the second terminal.
This method uses a second local gateway to detect a second terminal newly connected to the network and obtain its third device information, then compares that with the second device information of devices approved for network access, sent by the second gateway, to judge whether the newly connected second terminal is trusted; this authenticates the second terminal and improves communication security. When the second terminal is authenticated successfully, the second local gateway receives the encrypted data sent by the first local gateway, parses it to obtain the private key corresponding to the second terminal and the public key corresponding to the first terminal, decrypts the encrypted data with that private key and public key, and sends the decrypted data to the second terminal. Performing the decryption in the local gateway reduces the computation required of the terminal, while using the private key and public key for asymmetric encryption improves encryption efficiency and guarantees communication security.
As a preferred example, the second local gateway decrypting the encrypted data to obtain the information data sent by the first terminal specifically includes:
the second local gateway receives the first address information of the first terminal and the second address information of the second terminal sent by the first local gateway, searches the LDAP tree preset by the second gateway according to the first address information to obtain the first public key of the first terminal, and queries the private key management of the second terminal according to the second address information to obtain the second private key of the second terminal;
the second local gateway generates a second random stream from the first public key with the preset stream cipher algorithm, and XORs the second random stream with the encrypted data to obtain a ciphertext stream;
and the second local gateway decrypts the ciphertext stream with the second private key to obtain the information data, reassembles the information data with the first address information and the second address information, and sends them to the second terminal.
The invention establishes encrypted communication directly between the gateways, which act as communication proxies for the terminals, and encrypts with public/private key asymmetric cryptography to improve encryption efficiency. Because encryption happens between the gateways, the demand on terminal computing performance is low and the encryption cost is reduced; the private and public keys are produced by the gateway one level above the local gateway and can be obtained from it directly, and that upper-level gateway has ample computing resources, so it can support high-strength encrypted communication and improve communication security.
In a third aspect, the invention also provides a communication encryption device based on terminal identity authentication, comprising a first identity authentication module, an encryption module and a first sending module;
the first identity authentication module is used by a first local gateway to obtain first device information of a first terminal, receive second device information of devices to be admitted to the network sent by a second gateway, and authenticate the identity of the first terminal by comparing the first device information with the second device information;
the encryption module is used, if the identity authentication of the first terminal succeeds, by the first local gateway to receive information data sent by the first terminal and parse the information data to obtain a first private key corresponding to the first terminal and a second public key corresponding to a second terminal;
the first sending module is configured so that the first local gateway encrypts the information data with the first private key and the second public key to obtain encrypted data and sends the encrypted data to a second local gateway corresponding to the second terminal.
The disclosed device uses a first local gateway to detect a first terminal newly connected to the network and obtain its first device information, then compares that first device information with the second device information of devices approved for network access, sent by the second gateway, to judge whether the newly connected first terminal is trusted; this authenticates the first terminal and improves communication security. When the first terminal is authenticated successfully, the first local gateway receives the information sent by the first terminal, parses it, obtains the private key corresponding to the first terminal and the public key corresponding to the second terminal, encrypts the information with that private key and public key, and sends it to the second local gateway corresponding to the second terminal. The second local gateway can then judge from the private key whether the received encrypted information was indeed sent by the first local gateway, which ensures communication security.
In a fourth aspect, the invention also provides a communication encryption device based on terminal identity authentication, comprising a second identity authentication module, a decryption module and a second sending module;
the second identity authentication module is used by a second local gateway to obtain third device information of a second terminal, receive second device information of devices to be admitted to the network sent by the second gateway, and authenticate the identity of the second terminal by comparing the third device information with the second device information;
the decryption module is configured so that, if the identity authentication of the second terminal succeeds, the second local gateway receives encrypted data sent by the first local gateway and parses it to obtain a first public key corresponding to the first terminal and a second private key corresponding to the second terminal; the encrypted data was obtained by the first local gateway encrypting information sent by the first terminal with the first private key corresponding to the first terminal and the second public key corresponding to the second terminal;
the second sending module is configured to decrypt the encrypted data with the second private key and the first public key to obtain the information data sent by the first terminal, and to send the information data to the second terminal.
The disclosed device uses a second local gateway to detect a second terminal newly connected to the network and obtain its third device information, then compares that with the second device information of devices approved for network access, sent by the second gateway, to judge whether the newly connected second terminal is trusted; this authenticates the second terminal and improves communication security. When the second terminal is authenticated successfully, the second local gateway receives the encrypted data sent by the first local gateway, parses it to obtain the private key corresponding to the second terminal and the public key corresponding to the first terminal, decrypts the encrypted data with that private key and public key, and sends the decrypted data to the second terminal. Performing the decryption in the local gateway reduces the computation required of the terminal, while using the private key and public key for asymmetric encryption improves encryption efficiency and guarantees communication security.
In a fifth aspect, the invention further provides a communication encryption system based on terminal identity authentication, comprising a first local gateway, a first terminal, a second gateway, a second local gateway and a second terminal. The first local gateway executes a communication encryption method based on terminal identity authentication according to any one of the first aspect; the first terminal sends information data to the first local gateway; the second gateway generates the first private key and first public key of the first terminal and the second private key and second public key of the second terminal and sends them to the first local gateway and the second local gateway; the second local gateway executes a communication encryption method based on terminal identity authentication according to any one of the second aspect; and the second terminal receives information data sent by the second local gateway.
Drawings
Fig. 1 is a schematic flow chart of a communication encryption method based on terminal identity authentication according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of another communication encryption method based on terminal identity authentication according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a communication encryption device based on terminal identity authentication according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another communication encryption device based on terminal identity authentication according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a multi-level internet of things gateway according to another embodiment of the present invention;
fig. 6 is a schematic flow chart of a communication encryption method based on terminal identity authentication according to another embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
The embodiment of the invention provides a communication encryption method based on terminal identity authentication. Referring to fig. 1, the specific implementation process of the method mainly comprises steps 101 to 103, which are as follows:
step 101: the first local gateway obtains first equipment information of a first terminal, and receives second equipment information of equipment to be accessed to the network, which is sent by a second gateway, so that identity authentication is performed on the first terminal by comparing the first equipment information with the second equipment information.
In this embodiment, the following is performed before this step: security detection is carried out on the terminal to be accessed to the network and its second equipment information is collected; if the terminal to be accessed to the network passes the security detection, the second equipment information is submitted to the second gateway, and the second gateway generates a private key and a public key for the terminal to be accessed to the network, sends the public key to a preset LDAP tree, and writes the private key into the terminal to be accessed to the network.
In this embodiment, this step specifically includes: the first local gateway receives the second equipment information of the terminal to be accessed to the network, which is sent by the second gateway, the second equipment information comprising a device fingerprint and device installation information; the first local gateway detects a first terminal newly accessing the network by monitoring the local traffic and obtains first equipment information corresponding to the first terminal; and according to the first equipment information and the second equipment information, the first local gateway performs a comparison through a preset rapid matching algorithm so as to perform identity authentication on the first terminal.
According to the embodiment of the invention, the security of network communication is ensured at the source by performing security detection on the terminal to be accessed. When the terminal to be accessed passes the security detection, its equipment information is sent to the third gateway, so that the third gateway generates the private key and the public key of the terminal to be accessed; this reduces the calculation load of the first local gateway, lowers the performance requirement on it, and reduces cost. Meanwhile, the first local gateway monitors the local traffic under its control and rapidly and accurately determines the first terminal newly accessing the network; because new terminals are monitored by the local gateway, the coverage of the monitoring is improved and terminal identity authentication is performed in a timely and comprehensive manner. The identity information of the first terminal is obtained and compared simply and accurately with the equipment information of the terminal to be accessed sent by the second gateway, and the matching speed is improved by using a rapid matching algorithm in the information matching process.
Step 102: if the identity authentication of the first terminal is successful, the first local gateway receives information data sent by the first terminal and analyzes the information data to obtain a first private key corresponding to the first terminal and a second public key corresponding to the second terminal.
In this embodiment, this step specifically includes: the first local gateway parses the information to obtain first address information corresponding to the first terminal that sent the information and second address information corresponding to the second terminal that is to receive it; the first address information comprises a first terminal address and a first terminal ID, and the second address information comprises a second terminal address and a second terminal ID; according to the first address information, the first local gateway queries the private key management of the first terminal to obtain the first private key corresponding to the first terminal; and according to the second address information, the first local gateway searches the LDAP tree preset by the second gateway to obtain the second public key corresponding to the second terminal.
According to the embodiment of the invention, the first address information of the first terminal and the second address information of the second terminal that is to receive the information are obtained by parsing the information sent by the first terminal, so that the public key of the second terminal and the private key of the first terminal are obtained from the first address information and the second address information. This facilitates the subsequent encryption of the communication with the public key and private key: obtaining the public key allows the second terminal to decrypt, and obtaining the private key allows the second terminal to judge whether the received information was sent by the first terminal, which ensures the non-repudiation of the communication and improves its security.
Step 103: and according to the first private key and the second public key, the first local gateway encrypts the information data to obtain encrypted data, and sends the encrypted data to a second local gateway corresponding to the second terminal.
In this embodiment, this step specifically includes: the first local gateway establishes an asymmetric encryption channel for communication with the second local gateway, generates a first random stream according to the first private key and a preset stream cipher algorithm, and XORs the first random stream with the information data to obtain a ciphertext stream; the first local gateway then encrypts the ciphertext stream with the second public key to obtain the encrypted data; and over the asymmetric encryption channel the first local gateway sends the encrypted data to the second local gateway, sending the first address information and the second address information in plaintext form.
According to the embodiment of the invention, an asymmetric encryption channel is established between the local gateways, so that data is encrypted in the local gateways and the calculation requirement on the terminals is reduced. Meanwhile, the key of the sending end is used to form the ciphertext stream that encrypts the sent information, which ensures the integrity of the data and lets the receiving end judge the source of the information, further ensuring the security of the communication; the ciphertext stream is then encrypted with the key, which makes decryption by the receiving end convenient.
On the other hand, the embodiment of the present invention provides another communication encryption method based on terminal identity authentication. Referring to fig. 2, the specific implementation flow of the method mainly includes steps 201 to 203, which are as follows:
step 201: the second local gateway obtains third equipment information of the second terminal, and receives second equipment information of the equipment to be accessed to the network, which is sent by the second gateway, so that identity authentication is performed on the second terminal by comparing the third equipment information with the second equipment information.
In this embodiment, this step specifically includes: the second local gateway receives the second equipment information of the terminal to be accessed to the network, which is sent by the second gateway, the second equipment information comprising a device fingerprint and device installation information; the second local gateway detects a second terminal newly accessing the network by monitoring the local traffic and obtains third equipment information corresponding to the second terminal; and according to the second equipment information and the third equipment information, the first local gateway performs a comparison through a preset rapid matching algorithm so as to perform identity authentication on the second terminal.
According to the embodiment of the invention, the second local gateway monitors the local traffic it controls and rapidly and accurately determines the second terminal newly accessing the network. Because the local gateway monitors new terminals, the monitored coverage is improved, so that terminal identity authentication is performed in a timely and comprehensive manner. The identity information of the second terminal is obtained and compared with the equipment information sent by the second gateway that identifies the terminal to be accessed to the network, so that terminal identity authentication is performed simply and accurately, and the matching speed is improved by using a rapid matching algorithm in the information matching process.
Step 202: if the identity authentication of the second terminal is successful, the second local gateway receives the encrypted data sent by the first local gateway and analyzes the encrypted data to obtain a first public key corresponding to the first terminal and a second private key corresponding to the second terminal; the encrypted data is obtained by encrypting information sent by the first terminal by the first local gateway according to a first private key corresponding to the first terminal and a second public key corresponding to the second terminal.
In this embodiment, this step specifically includes: the second local gateway parses the information to obtain first address information corresponding to the first terminal that sent the information and second address information corresponding to the second terminal that receives it; the first address information comprises a first terminal address and a first terminal ID, and the second address information comprises a second terminal address and a second terminal ID; according to the second address information, the second local gateway queries the private key management of the second terminal to obtain the second private key corresponding to the second terminal; and according to the first address information, the second local gateway searches the LDAP tree preset by the second gateway to obtain the first public key corresponding to the first terminal.
According to the embodiment of the invention, the first address information of the first terminal and the second address information of the second terminal that receives the information are obtained by parsing the information sent by the first terminal, so that the private key of the second terminal and the public key of the first terminal are obtained from the first address information and the second address information. This facilitates the subsequent decryption of the communication with the public key and private key: obtaining the private key lets the second terminal decrypt, and obtaining the public key lets the second terminal judge whether the received information was sent by the first terminal, which further ensures the non-repudiation of the communication and improves its security.
Step 203: and according to the second private key and the first public key, the second local gateway decrypts the encrypted data to obtain information data sent by the first terminal, and then the information data is sent to the second terminal.
In this embodiment, this step mainly includes: the second local gateway receives the first address information corresponding to the first terminal and the second address information corresponding to the second terminal sent by the first local gateway, searches the LDAP tree preset by a third gateway according to the first address information to obtain the first public key of the first terminal, and queries the private key management of the second terminal according to the second address information to obtain the second private key of the second terminal; the second local gateway generates a second random stream according to the first public key and a preset stream cipher algorithm, and XORs the second random stream with the encrypted data to obtain a ciphertext stream; and the second local gateway decrypts the ciphertext stream with the second private key to obtain the information data, reassembles the information data with the first address information and the second address information, and sends them to the second terminal.
This embodiment uses the direct establishment of encrypted communication between gateways to realize a communication proxy between terminals, and at the same time uses public-key and private-key asymmetric encryption technology, which improves encryption efficiency. Because encryption takes place between the gateways, the requirement on the calculation performance of the terminals is low and the encryption cost is reduced. Meanwhile, the private keys and public keys are generated by the gateway at the level above the local gateway, from which the local gateway can obtain them directly; the upper-level gateway has abundant calculation resources, can support high-strength encrypted communication, and thus improves the security of the communication.
The embodiment of the invention also provides a communication encryption device based on terminal identity authentication, and the specific structure of the device is shown in fig. 3, and the device mainly comprises a first identity authentication module 301, an encryption module 302 and a first sending module 303.
The first identity authentication module 301 is configured to obtain first device information of a first terminal by using a first local gateway, and receive second device information of a device to be networked sent by a second gateway, so that identity authentication is performed on the first terminal by comparing the first device information with the second device information.
The encryption module 302 is configured to, if the identity authentication of the first terminal is successful, receive information data sent by the first terminal by using the first local gateway, and parse the information data to obtain a first private key corresponding to the first terminal and a second public key corresponding to the second terminal.
The first sending module 303 is configured to encrypt the information data according to the first private key and the second public key by using the first local gateway to obtain encrypted data, and send the encrypted data to a second local gateway corresponding to the second terminal.
Meanwhile, the embodiment of the invention also provides another communication encryption device based on terminal identity authentication, and the specific structure of the device is shown in fig. 4, and the device mainly comprises a second identity authentication module 401, a decryption module 402 and a second sending module 403.
The second identity authentication module 401 is configured to obtain third device information of a second terminal by using a second local gateway, and receive second device information of a device to be networked sent by the second gateway, so that identity authentication is performed on the second terminal by comparing the third device information with the second device information.
The decryption module 402 is configured to, if the identity authentication of the second terminal is successful, receive encrypted data sent by the first local gateway by the second local gateway, and parse the encrypted data to obtain a first public key corresponding to the first terminal and a second private key corresponding to the second terminal; the encrypted data is obtained by encrypting information sent by the first terminal by the first local gateway according to a first private key corresponding to the first terminal and a second public key corresponding to the second terminal.
The second sending module 403 is configured to decrypt the encrypted data according to the second private key and the first public key, to obtain information data sent by the first terminal, and then send the information data to the second terminal.
In addition to the method and the device, the embodiment of the invention also provides a communication encryption system based on terminal identity authentication, which comprises a first local gateway, a first terminal, a second gateway, a second local gateway and a second terminal. The first local gateway is used for executing the communication encryption method based on terminal identity authentication provided by the embodiment of the invention; the first terminal is used for sending information data to the first local gateway; the second gateway is configured to generate a first private key and a first public key of the first terminal and a second private key and a second public key of the second terminal, and to send them to the first local gateway and the second local gateway; the second local gateway is used for executing the other communication encryption method based on terminal identity authentication provided by the embodiment of the invention; the second terminal is used for receiving information data sent by the second local gateway.
The invention discloses a communication encryption method, device and system based on terminal identity authentication. A first local gateway is used to detect a first terminal newly accessing the network and acquire its first equipment information, which is then compared with the second equipment information of equipment to be accessed to the network transmitted by a second gateway, so as to judge whether the newly accessed first terminal is safe; authenticating the first terminal in this way improves communication security. When the identity authentication of the first terminal succeeds, the first local gateway receives the information transmitted by the first terminal, parses it, and thereby acquires the private key corresponding to the first terminal and the public key corresponding to the second terminal, so that the information is encrypted with the private key and public key and transmitted to the second local gateway corresponding to the second terminal. The second local gateway can distinguish, according to the private key, whether the received encrypted information was transmitted by the first local gateway, thereby guaranteeing communication security.
Example two
The embodiment of the invention provides another communication encryption method based on terminal identity authentication, which is implemented on the multi-level internet of things gateway provided by the embodiment of the invention. The specific structure of the multi-level internet of things gateway is shown in fig. 5; it mainly comprises a terminal management and admittance total center, an internet of things backbone network, a terminal management and admittance sub-center, and an internet of things terminal admittance gateway.
In the embodiment of the invention, the terminal management and admittance total center can adopt a B/S system architecture based on a database and is mainly responsible for the situation awareness display of admittance information, the CA, and the total LDAP tree. In the aspect of admittance, the total center holds a device information base of the whole network, can display a network admittance analysis chart of all devices accessing the whole network, and can issue the admittance policy of the highest level; in the aspect of encryption, the total center is responsible for generating the public and private key pairs of all terminals and issuing them to the relevant sub-centers.
The terminal management and admittance sub-center can adopt a B/S system architecture based on a database and administers a sub-network sized according to its actual service capacity. The sub-network may be a type of wireless network, or the internet of things network of a sub-area. In principle, no communication takes place between sub-centers. In the aspect of admittance, the sub-center receives the flow collection and analysis results sent by the internet of things terminal admittance gateway, can establish basic device management, and can realize trusted online, operation monitoring and offline management of devices through administrator access. The sub-center can perform pattern learning on the reported access information, can send access instructions to the administered internet of things terminal admittance gateway in combination with manual confirmation to isolate problem equipment in time, and can comprehensively analyze the information reported by the gateway together with other network equipment information to perform admittance processing on specific equipment; in the aspect of encryption, the sub-center realizes the RA function, performs certificate processing, establishes the area LDAP, and stores the public keys of all terminals.
The internet of things terminal admittance gateway is a hardware device, mainly deployed in the base-layer network, and is responsible for the admittance and communication encryption of the physical network devices of a zone. It mainly comprises a main control board, a management interface, a flow acquisition and analysis module, an encryption module and a dynamic policy interface. The main control board is implemented on a Raspberry Pi or another cheap, low-power PC; the industrial Raspberry Pi has high reliability and high expandability. The management interface can be custom-configured at deployment time according to the technology adopted by the administered sub-network; currently available are serial port modules (serving network switches, routers, etc.), WIFI modules (managing wireless routers, industrial APs, etc.) and RJ45 network modules (managing gateway-like devices such as Bluetooth gateways, Zigbee gateways, etc.). The management interface can send access control instructions to the administered gateway equipment according to the instructions of the main control board, so as to realize access control management in the subnet. The flow collection and analysis module has two standard RJ45 network ports and can form a switched transmission path, so that the whole device can be connected in series between the sub-network and the upper network; the switching uses bridge mode and is transparent to the whole network. During transmission, the network access information and heartbeat information of the equipment are recorded according to the rapid matching calculation and forwarded to the upper-level sub-center. The encryption module is connected to the flow acquisition and analysis module and encrypts the allowed communication point to point.
In the communication of the outbound gateway, the sender first obtains the public key of the receiving end from the administering sub-center, and then establishes an asymmetric encryption channel for negotiating the communication key and sending a synchronization time stamp. The sending end then uses the negotiated communication key as the key seed, generates a random stream with a stream cipher algorithm, XORs the random stream with the plaintext stream to obtain the ciphertext stream, and transmits the ciphertext stream once encryption is complete. The receiving end likewise takes the negotiated communication key as the key seed, generates the same random stream with the stream cipher algorithm, and XORs the random stream with the ciphertext stream to obtain the plaintext stream, thereby realizing decryption. The dynamic policy interface is a standard RJ45 network module with two functions: first, information forwarding, by which it receives security events generated by other network security devices in the network (such as intrusion detection, flow audit and the like) and forwards them to the upper-level center; second, policy acceptance, by which the access control policy (the confirmed and regulated trusted device list) generated by the upper-level center is accepted and executed (opening the communication function of a certain device, or removing a certain device from the access list).
The multi-level internet of things gateway provided by the embodiment of the invention can perform: (1) equipment identification: in the subnet section, the device is identified from the ARP protocol, the IP address of the device and the device's specific network protocol, for example a generic IPv6 address, MAC address, Bluetooth device name, ID of the RFID tag, etc., and a trusted device information base is established from this information; (2) communication access control: the gateway manages the subnet gateway devices, can issue access control policies to the subnet gateway, and can lead the access of the subnet to the upper network; access control can be performed according to the dynamic policies of the upper-level center and of other security products of the network at this level; (3) encryption management: the gateway is established between the sub-network layer and the upper network and establishes point-to-point encrypted communication. In the communication process, a public key and a private key are used to exchange the key seed and time synchronization information of the stream cipher, then the key seed is used to generate a key stream, and the key stream is XORed with the plaintext to form the ciphertext stream. The information receiving end also XORs the key stream with the ciphertext stream to obtain the plaintext stream.
Based on the above-mentioned multi-level internet of things gateway, referring to fig. 6, a specific implementation flow of a communication encryption method based on terminal identity authentication provided in the embodiment of the present invention mainly includes steps 601 to 604, where the steps mainly include:
Step 601: and acquiring first equipment information of a first terminal and a second terminal to be accessed to the network through a local gateway, and comparing the first equipment information with second equipment information sent by the second gateway so as to perform identity authentication on the first terminal and the second terminal to be accessed to the network.
In this embodiment, the steps mainly include: the first local gateway and the second local gateway acquire first equipment information of a first terminal and a second terminal, and receive second equipment information of equipment to be accessed to the network, which is sent by the second gateway, so that identity authentication is performed on the first terminal and the second terminal by comparing the first equipment information and the second equipment information.
In this embodiment, this step specifically includes: first, when the embodiment of the invention goes online, the purchasing department submits a sample to be purchased and a purchasing detection application to the network access detection laboratory; the laboratory carries out security detection on the sample and collects the network-form fingerprint of the equipment, and if the product passes the security detection, the laboratory feeds the detection result back to the purchasing department and submits the network-form fingerprint of the equipment. At the same time, the terminal management and admittance total center, namely the first gateway, records the fingerprint and sends it to the sub-center, namely the second gateway provided by the embodiment of the invention, and finally it is synchronized into the trusted device libraries of the internet of things terminal admittance gateways, namely the local gateways corresponding to the first terminal and the second terminal. The terminal management and admittance total center, namely the first gateway, issues the public key of the equipment to the LDAP tree, writes the private key into the equipment or the equipment proxy, and synchronizes the network access equipment information through the sub-center, namely the second gateway, to the internet of things terminal admittance gateway, namely the local gateway, at the installation destination of the equipment.
In the system, the internet of things terminal admittance gateway, namely the local gateway, monitors the local traffic. Once a newly accessed network device is found in the traffic, it is compared according to the device fingerprint and the device installation information; if the comparison passes, the device is allowed to access the network, and if the comparison fails, the internet of things gateway, namely the second gateway, divides the local internet of things devices into VLANs (virtual local area networks) and transfers the device out of the local network, thereby realizing the function of prohibiting network access.
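The comparison of steps 101 and 601 above (device fingerprint and installation information against the trusted device library synchronized from the upper-level gateway, with isolation on mismatch), as an added example in Go; it is not code from the patent. The fingerprint fields, the installation record, the gateway IDs and the sample devices are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fingerprint holds the identifiers the page names as device identification inputs
// (IPv6 address, MAC address, Bluetooth device name, RFID tag ID); the field set is an assumption.
type Fingerprint struct {
	MAC, IPv6, BluetoothName, RFIDTag string
}

// InstallInfo is the "device installation information" synchronized with the fingerprint:
// the local gateway at the device's installation destination (layout is an assumption).
type InstallInfo struct {
	GatewayID string
}

// TrustedDevice is one record of the trusted device library.
type TrustedDevice struct {
	FP      Fingerprint
	Install InstallInfo
}

// Decision is the local gateway's admission result for a newly seen terminal.
type Decision struct {
	Admit  bool
	Reason string
}

// normalize removes case and whitespace differences between the identifier as
// recorded by the detection laboratory and as observed in local traffic.
func (f Fingerprint) normalize() Fingerprint {
	n := func(s string) string { return strings.ToLower(strings.TrimSpace(s)) }
	return Fingerprint{n(f.MAC), n(f.IPv6), n(f.BluetoothName), n(f.RFIDTag)}
}

// key hashes the normalized fingerprint so the library is searched with a single
// map lookup, which is how the "rapid matching" is realized here.
func (f Fingerprint) key() string {
	f = f.normalize()
	sum := sha256.Sum256([]byte(strings.Join([]string{f.MAC, f.IPv6, f.BluetoothName, f.RFIDTag}, "\x00")))
	return hex.EncodeToString(sum[:])
}

// TrustedLibrary is the local gateway's copy of the network access equipment information.
type TrustedLibrary struct {
	byKey map[string]TrustedDevice
}

// NewTrustedLibrary indexes the records pushed down by the sub-center.
func NewTrustedLibrary(devs []TrustedDevice) *TrustedLibrary {
	lib := &TrustedLibrary{byKey: make(map[string]TrustedDevice, len(devs))}
	for _, d := range devs {
		lib.byKey[d.FP.key()] = d
	}
	return lib
}

// Authenticate is the check run when a terminal is first seen in local traffic:
// the fingerprint must be in the library and the terminal must appear at the
// gateway it was installed for; on failure the caller moves it to the isolation VLAN.
func (lib *TrustedLibrary) Authenticate(observed Fingerprint, seenAtGateway string) Decision {
	dev, ok := lib.byKey[observed.key()]
	if !ok {
		return Decision{false, "fingerprint not in trusted device library: isolate to VLAN"}
	}
	if dev.Install.GatewayID != seenAtGateway {
		return Decision{false, fmt.Sprintf("installed for %s but seen at %s: isolate to VLAN",
			dev.Install.GatewayID, seenAtGateway)}
	}
	return Decision{true, "fingerprint and installation information match: admit"}
}

func main() {
	// Constructed sample records, as the sub-center would synchronize them.
	lib := NewTrustedLibrary([]TrustedDevice{
		{Fingerprint{MAC: "aa:bb:cc:00:11:22", IPv6: "fd00::10"}, InstallInfo{"gw-local-1"}},
		{Fingerprint{MAC: "aa:bb:cc:00:33:44", BluetoothName: "meter-7"}, InstallInfo{"gw-local-2"}},
	})
	// Same device, identifiers captured in a different case, at its own gateway.
	fmt.Println(lib.Authenticate(Fingerprint{MAC: "AA:BB:CC:00:11:22", IPv6: "FD00::10"}, "gw-local-1"))
	// Known device that turns up behind a gateway it was not installed for.
	fmt.Println(lib.Authenticate(Fingerprint{MAC: "aa:bb:cc:00:33:44", BluetoothName: "meter-7"}, "gw-local-1"))
	// Device with no record at all.
	fmt.Println(lib.Authenticate(Fingerprint{MAC: "de:ad:be:ef:00:01"}, "gw-local-1"))
}
```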
Step 602: if the identity authentication is successful, the local gateway obtains the information data sent by the first terminal, analyzes the information data to obtain a first private key corresponding to the first terminal and a second public key corresponding to the second terminal, and encrypts the information data according to the first private key and the second public key to send the encrypted information data.
In this embodiment, the steps mainly include: the local gateway obtains first address information corresponding to a first terminal for sending the information and second address information corresponding to a second terminal for receiving the information; according to the first address information, the local gateway obtains a first private key corresponding to the first terminal; and according to the second address information, the local gateway obtains a second public key corresponding to the second terminal.
In this embodiment, this step specifically includes: the first terminal sends its information to the local gateway, namely the local internet of things gateway, which parses the plaintext information and extracts the source device address, source device ID, target device address and target device ID. It then finds the public key of the target-address device on the LDAP tree of the total center, namely the first gateway, finds the source-address private key in its own private key management, forms a digital envelope with the source-address private key to ensure the integrity of the information, and encrypts with the target-address public key to ensure the confidentiality of the information. It then sends the encrypted message over the public network line. During transmission, the source address, source device ID, target device address and target device ID are transmitted in plaintext form.
Step 603: if the identity authentication is successful, the local gateway obtains the information data sent by the first terminal, analyzes the information data to obtain a first private key corresponding to the first terminal and a second public key corresponding to the second terminal, and encrypts the information data according to the first private key and the second public key to send the encrypted information data.
In this embodiment, the steps specifically include: the local gateway obtains first address information corresponding to the first terminal and second address information corresponding to the second terminal, and searches from an LDAP tree preset by a third gateway according to the first address information to obtain a first public key of the first terminal and a second private key of the second terminal.
In this embodiment, the steps specifically include: after receiving the encrypted message, the local gateway where the second terminal is located analyzes the encrypted message, and analyzes the source device address, the source device ID, the target device address and the target device ID, then the digital envelope is checked by using the source device public key on the LDAP tree of the total center, the information is decrypted by using the target device private key in the local private key management, and then the packet is formed again, so that the information data sent by the first terminal is obtained, and the information data is sent to the second terminal in a plaintext form.
The multistage gateway provided by the embodiment of the invention can be deployed in multiple stages and is compatible with comprehensive solutions built from other security products and technologies. It has a degree of device identification and admission-behaviour judgement capability, and can also incorporate the early-warning events of other network security products into the admission information, so that security staff can combine information from all parties and make reasonable admission decisions. At the same time it requires no changes to the network architecture or the terminal products of the existing Internet of Things: the general center and the sub-centers are connected to the network as servers, and the gateway is inserted transparently in series without affecting normal network communication. The invention takes into account wired, Wi-Fi router/AP/AC, 4G/5G LTE base station, Bluetooth gateway, ZigBee gateway and similar access layers. The general center and sub-centers of the multistage Internet of Things gateway use a B/S (browser/server) architecture on a general-purpose relational database; their computing requirements are modest and they can also run on virtual machines, further reducing cost. The gateway itself is built on a low-power PC such as a Raspberry Pi, so its hardware production cost can be reduced to about one tenth of that of existing firewall equipment.
Based on the multistage Internet of Things gateway, the embodiment of the invention establishes encrypted communication directly between sender and receiver: the direct communication is carried out by the two parties' agents using asymmetric cryptography, which is efficient and places low demands on computing performance. Key addressing is completed by the gateways of both parties together with the regional cryptographic service center, which runs on commercial servers with ample computing resources and can therefore support high-strength encrypted communication.
The foregoing embodiments illustrate the general principles of the present invention and are not to be construed as limiting its scope. Any modifications, equivalent substitutions, improvements and the like made by those skilled in the art without departing from the spirit and principles of the present invention are intended to fall within its scope.

Claims (10)

1. A communication encryption method based on terminal identity authentication, characterized by comprising the following steps:
a first local gateway obtains first device information of a first terminal, receives second device information of a terminal to be admitted to the network sent by a second gateway, and performs identity authentication on the first terminal by comparing the first device information with the second device information;
if the identity authentication of the first terminal succeeds, the first local gateway receives information data sent by the first terminal and parses the information data to obtain a first private key corresponding to the first terminal and a second public key corresponding to a second terminal;
and according to the first private key and the second public key, the first local gateway encrypts the information data to obtain encrypted data, and sends the encrypted data to a second local gateway corresponding to the second terminal.
2. The communication encryption method based on terminal identity authentication according to claim 1, characterized in that, before receiving the second device information of the terminal to be admitted to the network sent by the second gateway, the method specifically comprises:
performing security detection on the terminal to be admitted to the network and collecting the second device information of that terminal;
and if the terminal passes the security detection, submitting the second device information to the second gateway, whereupon the second gateway issues keys to the terminal: it generates a private key and a public key for the terminal, sends the public key to a preset LDAP tree and writes the private key into the terminal.
3. The communication encryption method based on terminal identity authentication according to claim 1, characterized in that the first local gateway obtaining first device information of a first terminal and receiving second device information of a terminal to be admitted to the network sent by a second gateway, so as to perform identity authentication on the first terminal by comparing the first device information with the second device information, specifically comprises:
the first local gateway receives the second device information of the terminal to be admitted to the network sent by the second gateway; the second device information comprises a device fingerprint and device installation information;
the first local gateway detects the first terminal newly connected to the network by monitoring local traffic and obtains the first device information corresponding to the first terminal;
and according to the first device information and the second device information, the first local gateway performs a comparison by means of a preset fast matching algorithm so as to authenticate the identity of the first terminal.
4. The communication encryption method based on terminal identity authentication according to claim 2, characterized in that parsing the information data to obtain a first private key corresponding to the first terminal and a second public key corresponding to the second terminal specifically comprises:
the first local gateway parses the information data to obtain first address information corresponding to the first terminal that sends the information and second address information corresponding to the second terminal that receives it; the first address information comprises a first terminal address and a first terminal ID, and the second address information comprises a second terminal address and a second terminal ID;
according to the first address information, the first local gateway queries the private key management of the first terminal to obtain the first private key corresponding to the first terminal;
and according to the second address information, the first local gateway searches the LDAP tree preset by the second gateway to obtain the second public key corresponding to the second terminal.
5. The communication encryption method based on terminal identity authentication according to claim 1, characterized in that the first local gateway encrypting the information data to obtain encrypted data and sending the encrypted data to a second local gateway corresponding to the second terminal specifically comprises:
the first local gateway establishes an asymmetrically encrypted channel for communication with the second local gateway, generates a first random stream from the first private key using a preset stream cipher algorithm, and XORs the first random stream with the information data to obtain a ciphertext stream;
the first local gateway then encrypts the ciphertext stream with the second public key to obtain the encrypted data;
and over the asymmetrically encrypted channel, the first local gateway sends the encrypted data to the second local gateway together with the first address information corresponding to the first terminal and the second address information corresponding to the second terminal, the address information being sent in plaintext.
6. A communication encryption method based on terminal identity authentication, characterized by comprising the following steps:
a second local gateway obtains third device information of a second terminal, receives second device information of a terminal to be admitted to the network sent by a second gateway, and performs identity authentication on the second terminal by comparing the third device information with the second device information;
if the identity authentication of the second terminal succeeds, the second local gateway receives encrypted data sent by a first local gateway and parses the encrypted data to obtain a first public key corresponding to a first terminal and a second private key corresponding to the second terminal; the encrypted data is obtained by the first local gateway encrypting information sent by the first terminal according to a first private key corresponding to the first terminal and a second public key corresponding to the second terminal;
and according to the second private key and the first public key, the second local gateway decrypts the encrypted data to obtain the information data sent by the first terminal, and then sends the information data to the second terminal.
7. The communication encryption method based on terminal identity authentication according to claim 6, characterized in that the second local gateway decrypting the encrypted data to obtain the information data sent by the first terminal specifically comprises:
the second local gateway receives the first address information corresponding to the first terminal and the second address information corresponding to the second terminal sent by the first local gateway, searches the LDAP tree preset by a third gateway according to the first address information to obtain the first public key of the first terminal, and queries the private key management of the second terminal according to the second address information to obtain the second private key of the second terminal;
the second local gateway generates a second random stream from the first public key using the preset stream cipher algorithm, and XORs the second random stream with the encrypted data to obtain a ciphertext stream;
and the second local gateway decrypts the ciphertext stream with the second private key to obtain the information data, reassembles the information data with the first address information and the second address information, and sends them to the second terminal.
8. A communication encryption device based on terminal identity authentication, characterized by comprising a first identity authentication module, an encryption module and a first sending module;
the first identity authentication module is used for a first local gateway to obtain first device information of a first terminal, receive second device information of a terminal to be admitted to the network sent by a second gateway, and perform identity authentication on the first terminal by comparing the first device information with the second device information;
the encryption module is used for the first local gateway to receive, if the identity authentication of the first terminal succeeds, information data sent by the first terminal, and to parse the information data to obtain a first private key corresponding to the first terminal and a second public key corresponding to a second terminal;
and the first sending module is used for the first local gateway to encrypt the information data according to the first private key and the second public key to obtain encrypted data, and to send the encrypted data to a second local gateway corresponding to the second terminal.
9. A communication encryption device based on terminal identity authentication, characterized by comprising a second identity authentication module, a decryption module and a second sending module;
the second identity authentication module is used for a second local gateway to obtain third device information of a second terminal, receive second device information of a terminal to be admitted to the network sent by a second gateway, and perform identity authentication on the second terminal by comparing the third device information with the second device information;
the decryption module is used for the second local gateway to receive, if the identity authentication of the second terminal succeeds, encrypted data sent by a first local gateway, and to parse the encrypted data to obtain a first public key corresponding to a first terminal and a second private key corresponding to the second terminal; the encrypted data is obtained by the first local gateway encrypting information sent by the first terminal according to a first private key corresponding to the first terminal and a second public key corresponding to the second terminal;
and the second sending module is used for the second local gateway to decrypt the encrypted data according to the second private key and the first public key to obtain the information data sent by the first terminal, and to send the information data to the second terminal.
10. A communication encryption system based on terminal identity authentication, characterized by comprising a first local gateway, a first terminal, a second gateway, a second local gateway and a second terminal; the first local gateway is configured to perform the communication encryption method based on terminal identity authentication according to any one of claims 1 to 5; the first terminal is used for sending information data to the first local gateway; the second gateway is configured to generate a first private key and a first public key of the first terminal and a second private key and a second public key of the second terminal, and to send them to the first local gateway and the second local gateway; the second local gateway is configured to perform the communication encryption method based on terminal identity authentication according to any one of claims 6 to 7; and the second terminal is used for receiving the information data sent by the second local gateway.
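The gateway-to-gateway envelope described in steps 602 and 603 of the description and in claims 4 to 7, as an added worked example; this is not code from the patent or its applicants. The patent names no algorithms, so the example assumes ECDSA and ephemeral ECDH on P-256 with AES-GCM, a process-global map standing in for the general center's LDAP tree, a per-gateway map standing in for local private key management, and constructed terminal IDs and addresses. It keeps the patent's division of labour (source private key for integrity, target public key for confidentiality) and its plaintext addressing header. Claims 5 and 7 additionally describe a keystream generated from the source private key and XORed with the data; the example leaves that step out, because a keystream derived from a private key cannot be regenerated by the receiver from the matching public key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Header is the addressing the patent transmits in plaintext. It is also the
// AES-GCM additional data and is signed, so it cannot be rewritten in transit.
type Header struct{ SrcAddr, SrcID, DstAddr, DstID string }

// Envelope is the wire message between the two local gateways.
type Envelope struct {
	Header     Header
	EphPub     []byte // ephemeral P-256 public key for the target
	Nonce      []byte
	Ciphertext []byte // AES-GCM(plaintext), AAD = JSON(Header)
	Sig        []byte // ECDSA by the source over JSON(Header)||EphPub||Nonce||Ciphertext
}

// Directory stands in for the general center's LDAP tree of public keys; each
// Gateway holds only its own terminals' private keys ("private key management").
// One P-256 key per terminal serves both ECDSA and ECDH here for brevity;
// production code should use separate signing and agreement keys.
var Directory = map[string]*ecdsa.PublicKey{}

type Gateway struct{ Local map[string]*ecdsa.PrivateKey }

// NewGateway models claim 2 for each terminal id: generate its key pair, keep
// the private half locally and publish the public half to the directory.
func NewGateway(ids ...string) *Gateway {
	g := &Gateway{Local: map[string]*ecdsa.PrivateKey{}}
	for _, id := range ids {
		sk := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		g.Local[id], Directory[id] = sk, &sk.PublicKey
	}
	return g
}

// must is applied only to local operations that cannot fail on peer input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// hash is the signature digest and, labelled, the KDF over the ECDH secret and
// both public points, so raw ECDH output is never used as a key.
func hash(parts ...[]byte) []byte {
	s := sha256.Sum256(bytes.Join(parts, nil))
	return s[:]
}

func gcm(shared, ephPub, peerPub []byte) cipher.AEAD {
	key := hash([]byte("envelope-v1"), shared, ephPub, peerPub) // constructed label
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Seal is the sending gateway's step (claims 4-5): encrypt to the target's
// directory public key, then sign the whole envelope with the source's key.
func (g *Gateway) Seal(hdr Header, plaintext []byte) (*Envelope, error) {
	me, ok1 := g.Local[hdr.SrcID]
	peer, ok2 := Directory[hdr.DstID]
	if !ok1 || !ok2 {
		return nil, errors.New("key addressing failed for source or target")
	}
	hdrBytes := must(json.Marshal(hdr))
	peerAgree, eph := must(peer.ECDH()), must(ecdh.P256().GenerateKey(rand.Reader))
	env := &Envelope{Header: hdr, EphPub: eph.PublicKey().Bytes()}
	aead := gcm(must(eph.ECDH(peerAgree)), env.EphPub, peerAgree.Bytes())
	env.Nonce = make([]byte, aead.NonceSize())
	must(rand.Read(env.Nonce))
	env.Ciphertext = aead.Seal(nil, env.Nonce, plaintext, hdrBytes)
	env.Sig = must(ecdsa.SignASN1(rand.Reader, me, hash(hdrBytes, env.EphPub, env.Nonce, env.Ciphertext)))
	return env, nil
}

// Open is the receiving gateway's step (claims 6-7): verify the source's signature
// with its directory key before any decryption, then decrypt with the target's key.
func (g *Gateway) Open(env *Envelope) ([]byte, error) {
	me, ok1 := g.Local[env.Header.DstID]
	sender, ok2 := Directory[env.Header.SrcID]
	if !ok1 || !ok2 {
		return nil, errors.New("key addressing failed for source or target")
	}
	hdrBytes := must(json.Marshal(env.Header))
	if !ecdsa.VerifyASN1(sender, hash(hdrBytes, env.EphPub, env.Nonce, env.Ciphertext), env.Sig) {
		return nil, errors.New("source signature invalid")
	}
	ephPub, err := ecdh.P256().NewPublicKey(env.EphPub) // peer input: validated, never must
	if err != nil {
		return nil, err
	}
	myAgree := must(me.ECDH())
	aead := gcm(must(myAgree.ECDH(ephPub)), env.EphPub, myAgree.PublicKey().Bytes())
	plaintext, err := aead.Open(nil, env.Nonce, env.Ciphertext, hdrBytes)
	if err != nil {
		return nil, errors.New("decrypt failed: wrong target key or tampered header")
	}
	return plaintext, nil
}

func main() {
	gwA, gwB := NewGateway("meter-01"), NewGateway("scada-07") // constructed terminals
	env, _ := gwA.Seal(Header{"10.1.0.5", "meter-01", "10.2.0.9", "scada-07"}, []byte("kWh=1234"))
	out, err := gwB.Open(env)
	fmt.Printf("%s %v\n", out, err)
}
```

The header travels in the clear, as the patent states, but it is bound to the ciphertext as AES-GCM additional data and covered by the signature, so r rewriting the target address in transit, or stripping the signature and re-signing the ciphertext under a different source ID, is rejected by the receiving gateway. The receiver checks the signature against the directory key before attempting any decryption, so forged or corrupted envelopes cost no ECDH or AES work. Two simplifications to undo in a real deployment are flagged in the comments: a single P-256 key per terminal is used for both signing and key agreement, and the shared directory is a process-global map rather than an LDAP lookup.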
CN202310538719.XA 2023-05-12 2023-05-12 Communication encryption method, device and system based on terminal identity authentication Pending CN117081775A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310538719.XA CN117081775A (en) 2023-05-12 2023-05-12 Communication encryption method, device and system based on terminal identity authentication

Publications (1)

Publication Number Publication Date
CN117081775A true CN117081775A (en) 2023-11-17

Family

ID=88706745

Country Status (1)

Country Link
CN (1) CN117081775A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination