WO2017190414A1 - Mobile device network-access authentication mechanism in wia-pa wireless networks for industrial automation - Google Patents

Info

Publication number: WO2017190414A1
Authority: WO (WIPO (PCT))
Prior art keywords: ticket, network, mobile, mobile device, authentication
Application number: PCT/CN2016/088054
Other languages: French (fr), Chinese (zh)
Inventors: 魏旻, 曹志豪, 王平, 王震
Original assignee: 重庆邮电大学

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/08 Access security
    • H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol

Definitions

  • The invention belongs to the technical field of industrial wireless networks and relates to a network access authentication mechanism for mobile devices in a WIA-PA industrial wireless network.
  • WIA-PA (Wireless Networks for Industrial Automation, Process Automation) is a sub-standard of WIA for wireless network systems for industrial process measurement, monitoring and control; the WIA-PA standard has become a national standard.
  • The characteristics of mobile devices are that they move: while moving and operating in the network they repeatedly join the network from different access points according to their location. Traditional industrial wireless networks have no special method for handling the repeated network access of mobile devices. For example, in a WIA-PA industrial wireless network, once a mobile device leaves a subnet and joins a new subnet, it must perform the same network access process again.
  • At present the security authentication mechanism in the WIA-PA industrial wireless network mainly has the following disadvantages: 1) the mobile device must perform the same network access authentication process every time it joins the network, and this process requires multiple interactions between the mobile device and the security manager of the industrial wireless network, so the network resource overhead is large, especially when the mobile device moves frequently in the network; 2) when the mobile device joins the network for the first time, the security authentication code used for authentication is generally generated from a pre-configured key; in the traditional method the pre-configured key is not updated after the mobile device leaves the network, so every subsequent network access generally uses the same pre-configured key to generate the same authentication code, which is vulnerable to attack.
  • The object of the present invention is to provide a mobile device network access authentication mechanism in a WIA-PA industrial wireless network that can overcome the shortcomings of the WIA-PA standard's authentication mechanism for the repeated network access of mobile devices.
  • The present invention provides the following technical solution:
  • A network access authentication mechanism for mobile devices in a WIA-PA industrial wireless network, wherein the WIA-PA industrial wireless network devices involved in the authentication process are gateway devices, routing devices, field devices and mobile devices;
  • The authentication mechanism comprises the first network access authentication of the mobile device and the kth (k ≥ 2) repeated network access authentication of the mobile device. The first network access authentication comprises the processing of Ticket_net and Ticket_mobile and the network access authentication; the kth (k ≥ 2) repeated network access authentication comprises the kth (k ≥ 2) repeated network access process and the network access authentication of the mobile device.
  • The first network access authentication of the mobile device comprises: the mobile device is authenticated at the gateway device, and after authentication succeeds the network manager in the gateway device saves the authentication ID of the mobile device, the authentication ID being the device long address;
  • The security manager generates Ticket_net and Ticket_mobile, distributes Ticket_net to all routing devices in the network, and distributes Ticket_mobile to the mobile device.
  • Ticket_mobile is encapsulated in the success response; after receiving the success response the mobile device has successfully joined the network and holds Ticket_mobile.
  • The format of the success response command packet is as follows:
  • The command identifier of the success response command packet is 35. If the join succeeds, the execution result is "SUCCESS", the subfield "short address of the mobile device to be joined" is filled in, and Ticket_mobile is valid; if the join fails, the execution result is "FAILURE", the same subfield is carried, and Ticket_mobile is invalid.
  • The processing of Ticket_net and Ticket_mobile comprises generating Ticket_net and Ticket_mobile, distributing them, storing them and updating them.
  • The encrypted ciphertext in Ticket_net is the authentication ID in encrypted form, 8 bytes long.
  • The Key in Ticket_mobile is the key of the encryption algorithm used in Ticket_net, 16 bytes long; Ticket_net and Ticket_mobile are then distributed.
  • The gateway device, as parent node, records each routing device that joined the network at the gateway as its child node in its parent-child relationship information table; each in-network routing device, as parent node, likewise records each routing device that joined at it as its child node in its own parent-child relationship information table.
  • The gateway device queries its parent-child relationship information table and sends a Ticket_net distribution command packet to all of its child routing devices. After receiving the Ticket_net distribution command packet and saving Ticket_net, each routing device in turn queries the parent-child relationship information table it stores and sends the Ticket_net distribution command packet to all of its child routing devices, so that Ticket_net is distributed throughout the network.
  • The Ticket_net distribution command packet is used by routing devices and the gateway device to distribute Ticket_net.
  • The format of the Ticket_net distribution command packet is as follows:
  • The command identifier of the Ticket_net distribution command packet is 33. Ticket_net uses a caching mechanism: it is cached on the in-network routing devices and the gateway device, while Ticket_mobile is stored permanently on the mobile device. Four update modes for Ticket_net and Ticket_mobile are provided, and the user selects one according to the actual situation:
  • Update mode 1: let t_1 be the time when the mobile device leaves the network for the first time. After a period t, Ticket_net is automatically updated to Ticket_net1 and Ticket_mobile to the corresponding Ticket_mobile1.
  • Update mode 2: after the mobile device has re-joined the network g times, on the (g+1)th network access the security manager generates a new Ticket_net and Ticket_mobile and performs the distribution of Ticket_net and Ticket_mobile again.
  • Update mode 3: set a maximum lifetime T for Ticket_net and Ticket_mobile; after T has elapsed, the routing devices and the gateway device in the WIA-PA network automatically clear the cached Ticket_net, and the mobile device simultaneously clears Ticket_mobile;
  • Update mode 4: Ticket_net and Ticket_mobile are not updated.
  • The kth repeated network access authentication of the mobile device comprises: the mobile device sends Ticket_mobile to the routing device it wants to join; the routing device decrypts the ciphertext in Ticket_net with the Key in Ticket_mobile to obtain the authentication ID and compares it with the authentication ID in Ticket_mobile; if they are consistent, the mobile device obtains link resources and accesses the network, and the routing device forwards the decrypted authentication ID to the security manager in the gateway device, which authenticates it again; if this authentication fails, the communication with the mobile device is disconnected, and if it succeeds, the network manager in the gateway device assigns the corresponding authority to the mobile device.
  • The command identifier of the mobile device re-join request command packet is 34;
  • The device re-authentication request packet is used by the routing device to forward the device re-authentication request.
  • The format of the device re-authentication request command packet is as follows:
  • The command identifier of the device re-authentication request command packet is 32, and the decrypted authentication ID it carries is used by the security manager for authentication.
  • The invention has the following advantages: 1) it improves the effectiveness of the re-entry authentication of an already authenticated mobile device in the WIA-PA industrial wireless network, reducing the number of packet exchanges and the network resource overhead of mobile device re-entry authentication; 2) the authentication code used for mobile device re-entry authentication changes from static to a user-selectable dynamic mode, which effectively defends against possible replay attacks and effectively improves network security.
  • Figure 1 is a network reference model in which a mobile device moves in a WIA-PA network;
  • Figure 2 is a process diagram of a mobile device joining a WIA-PA network for the first time;
  • Figure 3 shows the Ticket_net and Ticket_mobile formats;
  • Figure 4 shows the distribution model of Ticket_net and Ticket_mobile;
  • Figure 5 is a diagram of the kth (k ≥ 2) repeated network access process of the mobile device;
  • Figure 6 is a timing diagram of the secure joining of a mobile device in the WIA-PA standard.
  • The invention provides a mobile device network access authentication mechanism in a WIA-PA industrial wireless network.
  • The WIA-PA industrial wireless network devices are: a gateway device, a routing device, a field device and a mobile device.
  • The authentication mechanism improves the re-entry authentication of an already authenticated mobile device, reduces the number of packet exchanges for mobile device re-entry authentication and reduces network resource overhead.
  • The authentication code of the mobile device re-entry authentication changes from static to a user-selectable dynamic mode.
  • The WIA-PA industrial wireless network mobile device network access authentication mechanism comprises the first network access authentication of the mobile device and the kth (k ≥ 2) repeated network access authentication of the mobile device; the first network access authentication comprises the processing of Ticket_net and Ticket_mobile and the network access authentication, and the kth (k ≥ 2) repeated network access authentication comprises the kth (k ≥ 2) repeated network access process and the network access authentication.
  • Figure 1 is a network reference model for a mobile device moving in a WIA-PA network.
  • The network devices of the WIA-PA industrial wireless network involved in the present invention are: a gateway device, a routing device, a field device and a mobile device.
  • Gateway device: responsible for protocol conversion and data mapping between the WIA-PA network and other networks. The Network Manager (NM) and Security Manager (SM) are deployed in the gateway device; the network manager manages and monitors the entire network, and the security manager performs key management and security authentication for gateway devices, routing devices, field devices and mobile devices. The detailed functions are described in Table 1.
  • Routing device: manages and monitors field devices and mobile devices, and is responsible for securely aggregating and forwarding the data of its cluster members and of other cluster heads; the management functions for which the cluster head is mainly responsible are listed in Table 2.
  • Field device: responsible for obtaining field data and sending it to the cluster head.
  • Mobile device: responsible for mobile collection of industrial field data, which is sent to the gateway device through the mesh network; it also collects data on site, performs data analysis, makes a response suited to the current demand and feeds back the execution result.
  • Host computer: responsible for providing data directly to the operator.
  • Handheld configuration device: before a new mobile device joins the WIA-PA network, the handheld configuration device reads the 64-bit long address of the new mobile device and passes it to the security manager. The security manager generates a join key KJ (JoinKey) for the new mobile device, and the handheld configuration device passes KJ to the new mobile device.
  • The new mobile device holding KJ continuously listens on the available channels of the network to obtain beacons sent by in-network routing devices.
  • The new mobile device selects a routing device or the gateway device that sent a beacon as its cluster head and completes time synchronization according to the time information in the beacon.
  • The new mobile device generates security information from its long address and KJ and sends the security information to the cluster head.
  • The cluster head sends a join security request to the mobile device; after receiving the request, the mobile device sends a security join response to the cluster head.
  • The cluster head then sends a join request carrying the security information to the NM on behalf of the new mobile device.
  • After receiving the join request, the network manager passes the security information of the new mobile device to the security manager.
  • The security manager authenticates the security information of the new mobile device. If authentication fails, the network manager returns a join failure response and the connection is dropped. If authentication succeeds, the network manager saves the authentication ID of the mobile device, the security manager generates Ticket_net and Ticket_mobile, and the network manager returns a success response.
  • The security manager manages Ticket_net and Ticket_mobile; management comprises generating, distributing, storing and updating Ticket_net and Ticket_mobile.
  • Figure 3 shows the Ticket_net and Ticket_mobile formats; both are generated by the security manager.
  • The authentication ID is the long address of the mobile device.
  • A mobile device in a WIA-PA industrial wireless network has a globally unique 64-bit long address, allocated and set by the manufacturer according to EUI-64.
  • The encrypted ciphertext is the authentication ID in encrypted form, 8 bytes long.
  • The encryption key Key is the key used to encrypt the authentication ID in Ticket_net, 16 bytes long.
  • The distribution model of Ticket_net and Ticket_mobile is shown in Figure 4.
  • The distribution process of Ticket_net and Ticket_mobile is as follows:
  • The command identifier of the join success response command packet is 35. If the join succeeds, the execution result is "SUCCESS", the subfield "short address of the mobile device to be joined" is filled in, and Ticket_mobile is valid; if the join fails, the execution result is "FAILURE", the same subfield is carried, and Ticket_mobile is invalid.
  • This command packet is a non-segmented packet, and its network layer header is 14 bytes.
  • The network manager queries the parent-child relationship information table in the gateway device and, according to the result, sends a Ticket_net distribution command packet to every routing device in that table. The Ticket_net distribution command packet is used by routing devices and the gateway device to distribute Ticket_net.
  • The Ticket_net distribution command packet format is shown in Table 4:
  • The command identifier of the Ticket_net distribution command packet is 33. This command packet is a non-segmented packet, and its network layer header is 14 bytes.
  • After receiving the Ticket_net distribution command packet and saving Ticket_net, each routing device in turn queries its own parent-child relationship information table and sends the Ticket_net distribution command packet to every routing device in that table, thereby distributing Ticket_net further.
  • By this distribution method, Ticket_net is distributed n times in the network.
  • Routing devices A, B and C join the network at the gateway device;
  • routing device G joins the network at routing device A;
  • routing device F joins the network at routing device B;
  • routing devices D and E join the network at routing device C.
  • The gateway device queries its parent-child relationship information table for the routing devices that joined at the gateway, obtains routing devices A, B and C, and sends the Ticket_net distribution command packet to them; routing devices A, B and C receive the packet and save Ticket_net.
  • Routing device A queries its parent-child relationship information table, obtains routing device G and sends the Ticket_net distribution command packet to it; routing device G receives the packet and saves Ticket_net.
  • Routing device B queries its parent-child relationship information table, obtains routing device F and sends the Ticket_net distribution command packet to it; routing device F receives the packet and saves Ticket_net.
  • Routing device C queries its parent-child relationship information table, obtains routing devices D and E and sends the Ticket_net distribution command packet to them; routing devices D and E receive the packet and save Ticket_net.
  • The distribution path is shown in Figure 4.
  • The selected cluster head distributes Ticket_net to a new routing device when that device joins the network.
  • Ticket_net is cached on the in-network routing devices and the gateway device, and Ticket_mobile is stored permanently on the mobile device.
  • The technical solution provides four update modes for Ticket_net and Ticket_mobile, and the user selects the update mode according to the actual situation:
  • Update mode 1: let t_1 be the time when the mobile device leaves the network for the first time. After a period t, Ticket_net is automatically updated to Ticket_net1 and Ticket_mobile to the corresponding Ticket_mobile1; subsequent updates repeat the process.
  • Update mode 2: after the mobile device has re-joined the network g times, where g is chosen according to the network size, the security manager generates a new Ticket_net and Ticket_mobile on the (g+1)th network access and runs the distribution process for Ticket_net and Ticket_mobile again.
  • Update mode 3: set a maximum lifetime T for Ticket_net and Ticket_mobile. After T has elapsed, the routing devices and the gateway device in the WIA-PA network automatically clear Ticket_net and the mobile device clears Ticket_mobile; on its next network access the mobile device goes through the first network access procedure again.
  • Update mode 4: Ticket_net and Ticket_mobile are not updated.
  • Update mode 4 is assumed in the message overhead analysis of this technical solution.
  • After receiving the success response, the mobile device has successfully joined the network and holds Ticket_mobile.
  • Ticket_net is sent to all in-network routing devices, and each in-network routing device caches Ticket_net.
  • The kth (k ≥ 2) repeated network access process of the mobile device is shown in Figure 5 and goes through the following steps:
  • the mobile device continuously listens on the available channels of the network to obtain beacons sent by in-network routing devices or the gateway device;
  • the mobile device selects one of the routing devices or the gateway device that sent a beacon as its cluster head and completes time synchronization according to the time information in the beacon;
  • the mobile device sends a mobile device re-join request to the selected cluster head; the mobile device re-join request command packet is used to send the join request when the mobile device re-enters the network, and its format is defined in Table 5:
  • This command packet is a non-segmented packet, and its network layer header is 14 bytes.
  • After receiving the mobile device re-join request, the cluster head decrypts the ciphertext in Ticket_net using the Key in Ticket_mobile to obtain the authentication ID and compares it with the authentication ID in Ticket_mobile. If they differ, network access is rejected. If they are the same, link resources are allocated, the mobile device accesses the network, and a device re-authentication request is sent to the network manager.
  • The device re-authentication request command packet is used by the routing device to forward the device re-authentication request.
  • The format of the device re-authentication request command packet is shown in Table 6:
  • The command identifier of the device re-authentication request command packet is 32.
  • The decrypted authentication ID it carries is used by the security manager for authentication.
  • This command packet is a non-segmented packet, and its network layer header is 14 bytes.
  • The network manager forwards the device re-authentication request to the security manager.
  • After receiving the device re-authentication request, the security manager obtains the authentication ID and compares it with the authentication ID saved by the network manager. If they are the same, the network manager is notified to read the UAO (User Application Object) of the mobile device using the remote read attribute service; if they differ, no response is sent.
  • The cluster head waits for the network manager's request to read the UAO (User Application Object) via the remote read attribute service; if the request is not received within a certain period, the mobile device is actively disconnected; if the request is received within that period, the security manager assigns the appropriate permissions to the mobile device.
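The ticket handling described in the technical solution above and in this re-join procedure (first join, Ticket_net distribution along the parent-child tables, and the kth re-join check at the cluster head followed by the security manager's re-authentication), as an added Python simulation written for this page; it is not code from the patent or from the WIA-PA standard. The patent does not name the encryption algorithm, so the 8-byte ciphertext is produced here by an HMAC-SHA256 keystream stand-in (an assumption); the 16-byte Key, the EUI-64 authentication ID, the Figure 4 topology and the command identifiers 32 to 35 follow the text.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Command identifiers named in the patent text.
CMD_REAUTH_REQUEST = 32     # device re-authentication request, router -> NM -> SM
CMD_TICKET_NET_DIST = 33    # Ticket_net distribution, gateway/router -> child routers
CMD_REJOIN_REQUEST = 34     # mobile device re-join request, mobile -> cluster head
CMD_JOIN_SUCCESS = 35       # join success response carrying Ticket_mobile

def encrypt_auth_id(key: bytes, auth_id: bytes) -> bytes:
    """Stand-in for the cipher the patent leaves unnamed (ASSUMPTION): XOR the
    8-byte EUI-64 with an HMAC-SHA256 keystream truncated to 8 bytes."""
    assert len(key) == 16 and len(auth_id) == 8
    keystream = hmac.new(key, b"ticket-net", hashlib.sha256).digest()[:8]
    return bytes(a ^ b for a, b in zip(auth_id, keystream))

decrypt_auth_id = encrypt_auth_id  # XOR keystream: decryption is the same operation

@dataclass(frozen=True)
class TicketNet:
    auth_id: bytes     # device long address (EUI-64), the authentication ID
    ciphertext: bytes  # authentication ID encrypted under Key, 8 bytes

@dataclass(frozen=True)
class TicketMobile:
    auth_id: bytes
    key: bytes         # 16-byte Key that decrypts TicketNet.ciphertext

class SecurityManager:
    """SM and NM inside the gateway: saves authenticated IDs, issues and checks tickets."""
    def __init__(self) -> None:
        self.saved_ids: set = set()

    def first_join(self, auth_id: bytes):
        """After a successful first join: save the ID and generate the ticket pair."""
        self.saved_ids.add(auth_id)
        key = secrets.token_bytes(16)
        ticket_net = TicketNet(auth_id, encrypt_auth_id(key, auth_id))
        return CMD_JOIN_SUCCESS, ticket_net, TicketMobile(auth_id, key)

    def reauthenticate(self, cmd: int, decrypted_id: bytes) -> bool:
        """Compare the forwarded decrypted ID with the saved one; differ -> no response."""
        return cmd == CMD_REAUTH_REQUEST and decrypted_id in self.saved_ids

class RoutingDevice:
    """Router or gateway: caches Ticket_net and acts as cluster head on re-join."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.children: list = []   # parent-child relationship information table
        self.cache: dict = {}      # auth_id -> TicketNet

    def distribute(self, cmd: int, ticket_net: TicketNet) -> int:
        """Save Ticket_net, then forward it to every child; returns packets sent."""
        if cmd != CMD_TICKET_NET_DIST:
            return 0
        self.cache[ticket_net.auth_id] = ticket_net
        return sum(1 + child.distribute(cmd, ticket_net) for child in self.children)

    def clear_cache(self) -> None:
        """Update mode 3: lifetime T has elapsed, drop every cached Ticket_net."""
        self.cache.clear()

    def handle_rejoin(self, cmd: int, tm: TicketMobile, sm: SecurityManager) -> bool:
        """Cluster-head side of the kth (k >= 2) network access."""
        ticket_net = self.cache.get(tm.auth_id)
        if cmd != CMD_REJOIN_REQUEST or ticket_net is None:
            return False   # no cached ticket: the device must take the first-join path
        decrypted = decrypt_auth_id(tm.key, ticket_net.ciphertext)
        if decrypted != tm.auth_id:
            return False   # IDs differ: re-join rejected, no link resources
        # IDs match: link resources granted, decrypted ID forwarded for SM re-authentication
        return sm.reauthenticate(CMD_REAUTH_REQUEST, decrypted)

def build_figure4_network():
    """Constructed topology from the distribution example: A, B, C join at the
    gateway, G at A, F at B, D and E at C."""
    gw, a, b, c, d, e, f, g = (RoutingDevice(n) for n in "gateway A B C D E F G".split())
    gw.children = [a, b, c]
    a.children, b.children, c.children = [g], [f], [d, e]
    return gw, {r.name: r for r in (a, b, c, d, e, f, g)}

def run_scenario() -> dict:
    """First join, Ticket_net distribution, then re-joins at router G."""
    sm = SecurityManager()
    gw, routers = build_figure4_network()
    mobile_id = bytes.fromhex("0011223344556677")   # constructed EUI-64
    cmd, ticket_net, ticket_mobile = sm.first_join(mobile_id)
    packets = gw.distribute(CMD_TICKET_NET_DIST, ticket_net)
    cached = all(mobile_id in r.cache for r in routers.values())
    ok = routers["G"].handle_rejoin(CMD_REJOIN_REQUEST, ticket_mobile, sm)
    wrong_key = TicketMobile(mobile_id, bytes(16))     # Ticket_mobile with a bad Key
    bad = routers["G"].handle_rejoin(CMD_REJOIN_REQUEST, wrong_key, sm)
    routers["G"].clear_cache()                         # update mode 3 expiry at G
    expired = routers["G"].handle_rejoin(CMD_REJOIN_REQUEST, ticket_mobile, sm)
    return {"join_cmd": cmd, "packets": packets, "cached": cached,
            "rejoin_ok": ok, "wrong_key_ok": bad, "after_expiry_ok": expired}
```

Calling run_scenario() shows seven distribution packets for the seven routing devices of the Figure 4 example, a successful re-join with the genuine Ticket_mobile, and rejection both for a wrong Key and after the update-mode-3 cache clearing.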
  • The packet overhead analysis of the mobile device joining process is divided into three parts: the first part is the packet overhead of mobile device network access in the WIA-PA standard; the second part is the message overhead of the WIA-PA mobile device network access authentication mechanism in this technical solution; the third part is the comparison and analysis of the message overhead.
  • Figure 6 is a timing diagram of the secure joining of a mobile device in the WIA-PA standard.
  • The total packet traffic of the first network access of the mobile device is A bytes.
  • During the join request process, the join request command packets, join response command packets and ACKs are each forwarded m_1 times in the network.
  • The total number of packets received by the mobile device is 0 bytes.
  • The number of packets exchanged in the secure configuration phase of the mobile device in the WIA-PA standard equals that of the configuration phase of the first network access; therefore it is not calculated here.
  • If the command packet is forwarded m_i times in the network, then
  • Table 8 can be obtained from the command packets defined in the technical solution:
  • The mobile device join request and the mobile device re-join request are forwarded in the network the same number of times as the mobile device join request in the WIA-PA standard.
  • The total packet overhead of the first network access of the mobile device in this technical solution is B bytes (the packet exchange of the mobile device in the configuration phase is the same as in the WIA-PA standard).
  • The number of packets exchanged in the configuration phase of the mobile device equals that of the first network access in the WIA-PA standard, so it is not calculated here.
  • The request command packet, the success response command packet and the ACK are each forwarded m_1 times in the mesh network.
  • If the number of routing devices in the network is n (n is generally fixed once the network is deployed), then
  • the Ticket_net distribution packet overhead is C bytes.
  • The total packet overhead of the mobile device re-joining the network k times is y bytes; on the ith network access the command packet is forwarded m_i times in the network; then
  • The packet overhead of the mobile device network access authentication in this technical solution and of the WIA-PA standard mobile device network access authentication is shown in Table 9.
  • Analysing the network reference model of the mobile device moving in the WIA-PA network in Figure 1, it can be obtained from Figure 1 that the value of m_1 is 2; if the value of m_i is taken as 1, then:

Abstract

The present invention relates to a mobile device network access authentication mechanism in WIA-PA wireless networks for industrial automation and falls within the technical field of wireless networks for industrial automation. The WIA-PA network devices involved in the authentication process are a gateway device, a routing device, a field device and a mobile device. The authentication mechanism comprises the first network access authentication of the mobile device and the kth (k ≥ 2) repeated network access authentication of the mobile device. The first network access authentication comprises the processing of a Ticket_net and a Ticket_mobile and the network access authentication; the kth (k ≥ 2) repeated network access authentication comprises the kth (k ≥ 2) repeated network access flow and the network access authentication of the mobile device. By means of this mechanism, the validity of the network access re-authentication of an already authenticated mobile device is improved, and the number of message interactions and the network resource overhead of that re-authentication are reduced. The authentication code used for the network access re-authentication of the mobile device changes from a static mode to a user-selectable dynamic mode, which effectively defends against possible replay attacks and the like and effectively improves the security of the network.

Description

一种WIA-PA工业无线网络中移动设备入网认证机制Mobile device network access authentication mechanism in WIA-PA industrial wireless network 技术领域Technical field
本发明属于工业无线网络技术领域,涉及一种WIA-PA工业无线网络中移动设备入网认证机制。The invention belongs to the technical field of industrial wireless networks, and relates to a network access authentication mechanism for mobile devices in a WIA-PA industrial wireless network.
背景技术Background technique
Industrial wireless network WIA (Wireless Networks for Industrial Automation) technology is a highly reliable, ultra-low-power intelligent multi-hop wireless sensor network technology developed in China with independent intellectual property rights. It provides a self-organizing, self-healing intelligent routing mechanism that keeps network performance highly reliable and stable under dynamic changes in application conditions and environment. The WIA-PA (Wireless Networks for Industrial Automation - Process Automation) standard is a WIA sub-standard for wireless network systems used in industrial process measurement, monitoring and control; WIA-PA has now become a Chinese national standard.
In recent years, as the industrial Internet of Things has been gradually deployed, traditional fixed nodes can no longer meet the needs of industrial applications, and support for mobility in the industrial IoT has become urgent. Large numbers of mobile devices, such as handheld meter-reading devices, mobile cooling fans on the plant floor, handheld inspection devices and mobile humidifiers, are entering industrial wireless networks oriented towards intelligent manufacturing.
Application scenarios based on WIA-PA industrial wireless networks keep increasing, for example smart meter-reading systems based on WIA-PA. In such a system, mobile devices are used to read the meters, and while doing so a mobile device has to join the network repeatedly.
The defining characteristic of a mobile device is mobility: as it moves and operates within the network, it repeatedly joins the network from different access points depending on its location. Traditional industrial wireless networks have no special procedure for the repeated joining of mobile devices. In a WIA-PA industrial wireless network, for example, once a mobile device leaves one subnet and joins a new one, it has to perform the same network-join process again.
At present the security authentication mechanism in WIA-PA industrial wireless networks has the following main shortcomings: 1) A mobile device must perform the same join-authentication process every time it joins the network; this process requires multiple exchanges between the mobile device and the security manager of the industrial wireless network, so the network resource overhead is high, especially when the mobile device moves frequently within the network. 2) When a mobile device joins the network for the first time, the security authentication code used for authentication is generally generated from a pre-configured key; in the traditional method the pre-configured key is not updated after the mobile device leaves the network, so each subsequent join generally uses the same pre-configured key to generate the same authentication code, which is vulnerable to attack.
Summary of the invention
In view of this, the object of the present invention is to provide a network-access authentication mechanism for mobile devices in a WIA-PA industrial wireless network, which remedies the shortcomings of the WIA-PA standard's mechanism for repeated join authentication of mobile devices.
To achieve the above object, the present invention provides the following technical solution:
A network-access authentication mechanism for mobile devices in a WIA-PA industrial wireless network, in which the WIA-PA industrial wireless network devices involved in the authentication process include gateway devices, routing devices, field devices and mobile devices;
the authentication mechanism comprises first-time join authentication of the mobile device and k-th (k ≥ 2) repeated join authentication of the mobile device; first-time join authentication comprises the processing of Ticket_net and Ticket_mobile and the join authentication itself, and k-th (k ≥ 2) repeated join authentication comprises the k-th (k ≥ 2) repeated-join authentication flow and the join authentication itself.
Further, the first-time join authentication of the mobile device comprises: the mobile device is authenticated at the gateway device; after successful authentication the network manager in the gateway device stores the mobile device's authentication ID, which is the device's long address; the security manager in the gateway device generates Ticket_net and Ticket_mobile, distributes Ticket_net to all routing devices in the network, and distributes Ticket_mobile to the mobile device.
Further, after the mobile device is successfully authenticated, Ticket_mobile is encapsulated in the join-success response; on receiving the join-success response the mobile device has joined the network and obtains Ticket_mobile. The format of the join-success response command packet is as follows:
14 bytes             | 1 byte                  | 1 byte           | 2 bytes                         | 24 bytes
Network layer header | Command identifier = 35 | Execution result | Short address of joining device | Ticket_mobile
The command identifier of the join-success response command packet is 35. If the join succeeded, the execution result returns "SUCCESS" and the short-address subfield of the joining mobile device and Ticket_mobile are valid; if the join failed, the execution result returns "FAILURE" and the short-address subfield of the joining mobile device and Ticket_mobile are invalid.
Further, the processing of Ticket_net and Ticket_mobile comprises the generation, distribution, storage and update of Ticket_net and Ticket_mobile.
Further, the encrypted ciphertext in Ticket_net is the ciphertext obtained by encrypting the authentication ID, 8 bytes long; the Key in Ticket_mobile is the key of the encryption algorithm used in Ticket_net, 16 bytes long. Distribution of Ticket_net and Ticket_mobile: in a WIA-PA industrial wireless network, when a routing device joins the network at the gateway device, the gateway device, as parent node, records the joining routing device as its child in its parent-child relationship information table; when a routing device joins at an in-network routing device, that routing device, as parent node, records the joining routing device as its child in its parent-child relationship information table. The gateway device queries its parent-child relationship information table and sends a Ticket_net distribution command packet to all child routing devices; each routing device that receives the Ticket_net distribution command packet stores Ticket_net, then queries its own parent-child relationship information table and sends Ticket_net to all child routing devices listed there. Ticket_net is distributed in this way.
The Ticket_net distribution command packet is used by routing devices and the gateway device to distribute Ticket_net; its format is as follows:
14 bytes             | 1 byte                  | 8 bytes
Network layer header | Command identifier = 33 | Ticket_net
The command identifier of the Ticket_net forwarding (distribution) command packet is 33. Ticket_net uses a caching mechanism and is cached on the in-network routing devices and the gateway device, while Ticket_mobile is stored permanently in the mobile device. Four update modes for Ticket_net and Ticket_mobile are provided, and the user selects one according to the actual situation. In update mode 1, the time at which the mobile device first leaves the network is recorded as t1; after a period t, Ticket_net is automatically updated to Ticket_net1 and Ticket_mobile is automatically updated to the corresponding Ticket_mobile1, and subsequent updates repeat this process. In update mode 2, after the mobile device has rejoined the network g times, the security manager generates a new Ticket_net and Ticket_mobile at the (g+1)-th join and the forwarding process for Ticket_net and Ticket_mobile is performed again. In update mode 3, a maximum lifetime T is set for Ticket_net and Ticket_mobile; once T is exceeded, the routing devices and gateway device in the WIA-PA network automatically clear the cached Ticket_net and the mobile device simultaneously clears Ticket_mobile, and at the next join the first-time join authentication process is used. In update mode 4, Ticket_net and Ticket_mobile are not updated.
Further, the k-th (k ≥ 2) repeated join authentication of the mobile device comprises: the mobile device wishing to join sends Ticket_mobile to a routing device; the routing device decrypts Ticket_net using Ticket_mobile to obtain the authentication information and checks whether the authentication information matches; if it matches, the mobile device is given link resources and admitted to the network, and the routing device then forwards the decrypted authentication information to the security manager in the gateway device, which authenticates it a second time; if that authentication fails the mobile device is disconnected, and if it succeeds the network manager in the gateway device assigns the mobile device the corresponding permissions.
Further, two command packets are defined for the k-th (k ≥ 2) repeated join of the mobile device, namely the mobile device rejoin request command packet and the device re-authentication request command packet. The mobile device rejoin request command packet is used by the mobile device to send a rejoin request; its format is as follows:
14 bytes             | 1 byte                  | 24 bytes
Network layer header | Command identifier = 34 | Ticket_mobile
The command identifier of the mobile device rejoin request command packet is 34;
The device re-authentication request packet is used by a routing device to forward a device re-authentication request; its format is as follows:
14 bytes             | 1 byte                  | 8 bytes
Network layer header | Command identifier = 32 | Decrypted authentication ID
The command identifier of the device re-authentication request command packet is 32; the decrypted authentication ID is used for authentication by the security manager.
The beneficial effects of the invention are: 1) it improves the efficiency of rejoin authentication for already-authenticated mobile devices in a WIA-PA industrial wireless network, reducing the number of message exchanges and the network resource overhead of mobile device rejoin authentication; 2) it changes the authentication code used for mobile device rejoin authentication from a static value to a user-selectable dynamically changing one, giving effective defence against possible replay attacks and improving the security of the network.
Brief description of the drawings
To make the objects, technical solution and beneficial effects of the present invention clearer, the following drawings are provided:
Figure 1 is the network reference model for a mobile device moving within a WIA-PA network;
Figure 2 shows the process of a mobile device joining a WIA-PA network for the first time;
Figure 3 shows the formats of Ticket_net and Ticket_mobile;
Figure 4 shows the distribution model of Ticket_net and Ticket_mobile;
Figure 5 shows the k-th (k ≥ 2) repeated join process of a mobile device;
Figure 6 is the sequence diagram for secure joining of a mobile device in the WIA-PA standard.
Detailed description
The invention provides a network-access authentication mechanism for mobile devices in a WIA-PA industrial wireless network; the WIA-PA industrial wireless network devices involved are gateway devices, routing devices, field devices and mobile devices. The mechanism improves the efficiency of rejoin authentication for already-authenticated mobile devices, reducing the number of message exchanges and the network resource overhead of rejoin authentication; the authentication code used for rejoin authentication changes from a static value to a user-selectable dynamically changing one, giving effective defence against possible replay attacks and improving network security. The mechanism comprises first-time join authentication and k-th (k ≥ 2) repeated join authentication of the mobile device; first-time join authentication comprises the processing of Ticket_net and Ticket_mobile and the join authentication itself, and k-th (k ≥ 2) repeated join authentication comprises the k-th (k ≥ 2) repeated-join authentication flow and the join authentication itself.
Preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Figure 1 is the network reference model for a mobile device moving within a WIA-PA network. As shown in Figure 1, the network devices of the WIA-PA industrial wireless network involved in the present invention are gateway devices, routing devices, field devices and mobile devices.
Gateway device: responsible for protocol conversion and data mapping between the WIA-PA network and other networks; a Network Manager (NM) and a Security Manager (SM) are implemented within the gateway device, where the network manager manages and monitors the whole network and the security manager handles key management and security authentication for gateway devices, routing devices, field devices and mobile devices. The detailed functions are listed in Table 1.
Table 1 Gateway device functions
[Table 1 is rendered as an image on the source page: Figure PCTCN2016088054-appb-000001]
Routing device (cluster head): manages and monitors field devices and mobile devices; responsible for securely aggregating and forwarding the data of cluster members and of other cluster heads. The main management functions of the cluster head are listed in Table 2.
Table 2 Routing device management functions
[Table 2 is rendered as an image on the source page: Figure PCTCN2016088054-appb-000002]
Field device (cluster member): responsible for acquiring field data and sending it to the cluster head.
Mobile device (cluster member): responsible for mobile collection of industrial field data and for sending the collected data to the gateway device over the mesh network; responsible for on-site data collection and analysis, producing responses suited to current needs and feeding execution results back to the master control computer; responsible for providing data directly to operators.
1. First-time join authentication of the mobile device
The process by which a mobile device joins a WIA-PA network for the first time is shown in Figure 2. A mobile device joining the WIA-PA industrial wireless network for the first time goes through the following steps:
(1) Before the new mobile device joins the WIA-PA network, a handheld configuration device reads the new mobile device's 64-bit long address and passes it to the security manager. The security manager generates a join key KJ (JoinKey) for the new mobile device, and the handheld configuration device passes KJ to the new mobile device.
(2) The new mobile device holding KJ continuously listens on the available channels in the network to obtain beacons sent by in-network routing devices.
(3) The new mobile device selects one beaconing routing device or the gateway device as its cluster head and completes time synchronisation using the time information in the beacon.
(4) The new mobile device generates security information from its long address and KJ and sends it to the cluster head. The cluster head sends a secure-join request to the mobile device, and on receiving it the mobile device sends a secure-join response to the cluster head. The cluster head then sends a join request carrying the new mobile device's security information to the NM.
(5) On receiving the join request, the network manager passes the new mobile device's security information to the security manager, which authenticates it. If authentication fails, the network manager returns a join-failure response and the connection is dropped. If authentication succeeds, the network manager stores the mobile device's authentication ID, the security manager generates Ticket_net and Ticket_mobile, and the network manager returns a join-success response.
The security manager manages Ticket_net and Ticket_mobile; management comprises the generation, distribution, storage and update of Ticket_net and Ticket_mobile.
1) Generation of Ticket_net and Ticket_mobile
Figure 3 shows the formats of Ticket_net and Ticket_mobile, both of which are generated by the security manager. The authentication ID is the mobile device's long address: every mobile device in a WIA-PA industrial wireless network has a globally unique 64-bit long address, allocated and set by the manufacturer according to EUI-64.
In Ticket_net, the encrypted ciphertext is the ciphertext obtained by encrypting the authentication ID, 8 bytes long. In Ticket_mobile, the encryption key Key is the key used to encrypt the authentication ID in Ticket_net, 16 bytes long.
2) Distribution of Ticket_net and Ticket_mobile
The distribution model of Ticket_net and Ticket_mobile is shown in Figure 4; the distribution process is as follows:
A) After the mobile device is successfully authenticated, the network manager returns a join-success response; the format of the join-success response command packet is shown in Table 3:
Table 3 Join-success response command packet format
14 bytes             | 1 byte                  | 1 byte           | 2 bytes                         | 24 bytes
Network layer header | Command identifier = 35 | Execution result | Short address of joining device | Ticket_mobile
The command identifier of the join-success response command packet is 35. If the join succeeded, the execution result returns "SUCCESS" and the short-address subfield of the joining mobile device and Ticket_mobile are valid; if the join failed, the execution result returns "FAILURE" and the short-address subfield of the joining mobile device and Ticket_mobile are invalid. This command packet is a non-segmented packet, and the network layer header is 14 bytes long;
B) The join-success response travels via routing devices B and F to the mobile device; on receiving it the mobile device has joined the network and obtains Ticket_mobile;
C) In a WIA-PA industrial wireless network, when a routing device joins the network at the gateway device, the gateway device, as parent node, records the joining routing device as its child in its parent-child relationship information table; when a routing device joins at an in-network routing device, that routing device, as parent node, records the joining routing device as its child in its parent-child relationship information table. The network manager queries the parent-child relationship information table in the gateway device and, based on the result, sends a Ticket_net distribution command packet to all routing devices in that table. The Ticket_net distribution command packet is used by routing devices and the gateway device to distribute Ticket_net; its format is shown in Table 4:
Table 4 Ticket_net distribution command packet format
14 bytes             | 1 byte                  | 8 bytes
Network layer header | Command identifier = 33 | Ticket_net
The command identifier of the Ticket_net distribution command packet is 33. This command packet is a non-segmented packet, and the network layer header is 14 bytes long.
After receiving the Ticket_net distribution command packet and storing Ticket_net, each routing device queries its own parent-child relationship information table and, based on the result, sends Ticket_net to all routing devices in that table; Ticket_net is distributed in this way. With this distribution method Ticket_net is distributed n times in the network.
The specific method of Ticket_net distribution is as follows. When the network is formed, routing devices A, B and C join at the gateway device, routing device G joins at routing device A, routing device F joins at routing device B, and routing devices E and D join at routing device C. The gateway device queries its parent-child relationship information table for the routing devices that joined at the gateway device, finds routing devices A, B and C, and sends the Ticket_net distribution command packet to routing devices A, B and C, which receive it and store Ticket_net. Routing device A queries its own parent-child relationship information table, finds routing device G, and sends the Ticket_net distribution command packet to routing device G, which receives it and stores Ticket_net; routing device B queries its own parent-child relationship information table, finds routing device F, and sends the Ticket_net distribution command packet to routing device F, which receives it and stores Ticket_net; routing device C queries its own parent-child relationship information table, finds routing devices D and E, and sends the Ticket_net distribution command packet to routing devices D and E, which receive it and store Ticket_net. The distribution path is shown in Figure 4.
If a new routing device joins the network, the cluster head it selects distributes Ticket_net to it during the join process.
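The distribution walk described above, as an added example in Python (it is not code from the patent). It assumes the Figure 4 topology exactly as the text lists it (A, B and C under the gateway; G under A; F under B; D and E under C), models each device's parent-child relationship information table as a dictionary, and encodes the distribution command packet as the 14-byte network layer header, the command identifier 33 and the 8-byte Ticket_net; the header content and the node names are constructed for illustration. The function returns every hop taken, so the distribution count n for the example network can be read off directly, and a second helper shows a routing device that joins later being handed Ticket_net by its chosen cluster head.

```python
# Added example, not part of the patent: Ticket_net distribution along the
# parent-child relationship tables of the Figure 4 topology.
from collections import deque

NET_HEADER_LEN = 14               # network layer header; its fields are not detailed here
CMD_TICKET_NET_DISTRIBUTE = 33    # command identifier fixed by the text

# Parent-child relationship information tables recorded at join time
# (constructed to match the worked example: A, B, C at the gateway "GW";
# G under A; F under B; D, E under C).
PARENT_CHILD_TABLE = {
    "GW": ["A", "B", "C"],
    "A": ["G"],
    "B": ["F"],
    "C": ["D", "E"],
    "D": [], "E": [], "F": [], "G": [],
}


def build_distribution_packet(ticket_net: bytes, header: bytes = b"\x00" * NET_HEADER_LEN) -> bytes:
    """Encode a Ticket_net distribution command packet: header | cmd id 33 | Ticket_net."""
    if len(ticket_net) != 8:
        raise ValueError("Ticket_net must be 8 bytes")
    if len(header) != NET_HEADER_LEN:
        raise ValueError("network layer header must be 14 bytes")
    return header + bytes([CMD_TICKET_NET_DISTRIBUTE]) + ticket_net


def parse_distribution_packet(packet: bytes) -> bytes:
    """Return the Ticket_net carried by a distribution packet; reject anything malformed."""
    if len(packet) != NET_HEADER_LEN + 1 + 8:
        raise ValueError("bad packet length")
    if packet[NET_HEADER_LEN] != CMD_TICKET_NET_DISTRIBUTE:
        raise ValueError("not a Ticket_net distribution packet")
    return packet[NET_HEADER_LEN + 1:]


def distribute_ticket_net(table, ticket_net: bytes, root: str = "GW"):
    """Simulate the distribution: the gateway caches Ticket_net and sends it to the
    children in its table; each routing device that stores it forwards it to the
    children in its own table. Returns (cache, sends): cache maps device -> stored
    Ticket_net, sends is the ordered list of (sender, receiver) hops, so len(sends)
    is the distribution count n."""
    cache = {root: ticket_net}
    sends = []
    queue = deque([root])
    while queue:
        parent = queue.popleft()
        for child in table.get(parent, []):
            packet = build_distribution_packet(cache[parent])
            sends.append((parent, child))
            cache[child] = parse_distribution_packet(packet)  # child stores Ticket_net ...
            queue.append(child)                                # ... then forwards to its own children
    return cache, sends


def admit_new_router(table, cache, cluster_head: str, new_router: str) -> bytes:
    """A routing device joining later is recorded as a child of its chosen cluster
    head, which hands it the cached Ticket_net as part of the join."""
    table.setdefault(cluster_head, []).append(new_router)
    table.setdefault(new_router, [])
    packet = build_distribution_packet(cache[cluster_head])
    cache[new_router] = parse_distribution_packet(packet)
    return cache[new_router]


if __name__ == "__main__":
    cache, sends = distribute_ticket_net(PARENT_CHILD_TABLE, b"\x01" * 8)
    print("n =", len(sends), "hops:", sends)
```

For the seven-router example network the walk produces exactly seven distribution packets, one per routing device, regardless of the order in which siblings are listed.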
3) Storage of Ticket_net and Ticket_mobile
Ticket_net is cached on the in-network routing devices and the gateway device; Ticket_mobile is stored permanently in the mobile device.
4) Update of Ticket_net and Ticket_mobile
This technical solution provides four update modes for Ticket_net and Ticket_mobile; the user selects one according to the actual situation:
Update mode 1: let the time at which the mobile device first leaves the network be t1; after a period t, Ticket_net is automatically updated to Ticket_net1 and Ticket_mobile is automatically updated to the corresponding Ticket_mobile1. Subsequent updates repeat this process.
Update mode 2: after the mobile device has rejoined the network g times, where g is chosen according to the network size, the security manager generates a new Ticket_net and Ticket_mobile at the (g+1)-th join and the distribution process for Ticket_net and Ticket_mobile is performed again.
Update mode 3: a maximum lifetime T is set for Ticket_net and Ticket_mobile; once T is exceeded, the routing devices and gateway device in the WIA-PA network automatically clear Ticket_net and the mobile device simultaneously clears Ticket_mobile. At its next join, the mobile device uses the first-time join process.
Update mode 4: Ticket_net and Ticket_mobile are not updated.
Update mode 4 is assumed in the message-overhead analysis of this technical solution.
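The four update modes above, as an added simulation in Python (not code from the patent) that shows what each mode does to a Ticket_mobile captured at one point in time and presented again later. The text does not say how the "automatic" update of mode 1 is computed on the two sides or how the security manager generates a fresh pair, so this block derives each new pair from the previous one with SHA-256 as a constructed stand-in; it also stands in for the router's decrypt-and-compare check with a plain equality test on opaque ticket bytes, and treats time as a float in seconds. The mode numbers, the parameters t, g and T, and the outcomes of mode 3 (tickets cleared, first-time join required) follow the text.

```python
# Added example, not part of the patent: lifecycle of a Ticket_net/Ticket_mobile
# pair under update modes 1-4, and the fate of a replayed Ticket_mobile.
import hashlib
import os


def new_ticket_pair(seed: bytes):
    """Constructed stand-in for SM generation: (Ticket_net 8 bytes, Ticket_mobile 24 bytes)."""
    digest = hashlib.sha256(seed).digest()
    return digest[:8], digest[8:32]


class TicketLifecycle:
    """Tracks the current pair for one mobile device under one update mode."""

    def __init__(self, mode: int, *, t: float = None, g: int = None, T: float = None, now: float = 0.0):
        if mode not in (1, 2, 3, 4):
            raise ValueError("update mode must be 1, 2, 3 or 4")
        self.mode, self.t, self.g, self.T = mode, t, g, T
        self.issued_at = now          # when the current pair was issued
        self.first_leave = None       # t1 of update mode 1
        self.rejoins = 0              # accepted rejoins since last (re)issue, for mode 2
        self.rotations = 0            # time-driven rotations done, for mode 1
        self.ticket_net, self.ticket_mobile = new_ticket_pair(os.urandom(16))

    def _rotate(self):
        # Both sides move to the next pair (assumption: derived from the previous one).
        self.ticket_net, self.ticket_mobile = new_ticket_pair(self.ticket_net + self.ticket_mobile)
        self.rotations += 1

    def leave(self, now: float):
        # Update mode 1 counts time from the device's first departure t1.
        if self.first_leave is None:
            self.first_leave = now

    def first_join(self, now: float) -> bytes:
        """Full first-time join: the SM issues a fresh pair and all counters restart."""
        self.ticket_net, self.ticket_mobile = new_ticket_pair(os.urandom(16))
        self.issued_at, self.first_leave, self.rejoins, self.rotations = now, None, 0, 0
        return self.ticket_mobile

    def rejoin(self, presented_mobile: bytes, now: float) -> str:
        """Outcome of presenting `presented_mobile` at time `now`:
        'ACCEPT', 'REJECT', or 'FIRST_JOIN' (pair cleared, first-time join required)."""
        # Mode 3: past the maximum lifetime T both sides clear their tickets.
        if self.mode == 3 and self.ticket_mobile is not None and now - self.issued_at > self.T:
            self.ticket_net = self.ticket_mobile = None
            return "FIRST_JOIN"
        # Mode 1: one rotation for every period t elapsed since t1.
        if self.mode == 1 and self.first_leave is not None:
            due = int((now - self.first_leave) // self.t)
            while self.rotations < due:
                self._rotate()
        if self.ticket_mobile is None or presented_mobile != self.ticket_mobile:
            return "REJECT"
        self.rejoins += 1
        # Mode 2: the (g+1)-th join is honoured, then a fresh pair is issued and redistributed.
        if self.mode == 2 and self.rejoins == self.g + 1:
            self._rotate()
            self.rejoins = 0
        return "ACCEPT"


if __name__ == "__main__":
    lc = TicketLifecycle(1, t=60.0)
    captured = lc.ticket_mobile
    lc.leave(10.0)
    print(lc.rejoin(captured, 30.0), lc.rejoin(captured, 80.0))  # ACCEPT REJECT
```

Run against the same captured Ticket_mobile, mode 4 accepts it indefinitely, mode 1 stops accepting it once a period t has elapsed after t1, mode 2 stops after the (g+1)-th join, and mode 3 forces a full first-time join once T has passed; that is the replay resistance the summary claims for the dynamic modes.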
(6) On receiving the join-success response, the mobile device has joined the network and obtains Ticket_mobile.
(7) Ticket_net is sent to all in-network routing devices using the Ticket_net distribution process, and the in-network routing devices cache Ticket_net.
2. k-th (k ≥ 2) repeated join process of the mobile device
The k-th (k ≥ 2) repeated join process of the mobile device is shown in Figure 5; for the k-th (k ≥ 2) repeated join the mobile device goes through the following steps:
(1) The mobile device continuously listens on the available channels in the network to obtain beacons sent by in-network routing devices or the gateway device;
(2) The mobile device selects one of the beaconing routing devices or the gateway device as its cluster head and completes time synchronisation using the time information in the beacon;
(3) The mobile device sends a mobile device rejoin request to the selected cluster head. The mobile device rejoin request command packet is used to send the join request when the mobile device rejoins the network; its format is defined in Table 5:
Table 5 Mobile device rejoin request command packet format
14 bytes             | 1 byte                  | 24 bytes
Network layer header | Command identifier = 34 | Ticket_mobile
其中,移动设备再次加入请求的命令标识符为34。本命令包为非分段包,网络层包头字节数为14字节;The mobile device rejoins the requested command identifier 34. This command packet is a non-segmented packet, and the number of bytes in the network layer header is 14 bytes.
(4)收到移动设备再次加入请求后,簇首根据Ticketmobile中的Key解密Ticketnet得到认证ID并与Ticketmobile中的认证ID进行比对,若不相同,拒绝入网,若相同,则预先分配链路资源,接入网络,并发送设备再认证请求给网络管理者,设备再认证请求命令包用于路由设备转发设备再认证请求,设备再认证请求命令包格式定义如表6:(4) After receiving the mobile device re-join request, the cluster head decrypts the ticket net according to the Key in the ticket mobile to obtain the authentication ID and compares it with the authentication ID in the ticket mobile . If not, the network is rejected. If the same, the The link resource is allocated, the network is accessed, and the device re-authentication request is sent to the network administrator. The device re-authentication request command packet is used by the routing device to forward the device re-authentication request. The format of the device re-authentication request command packet is as shown in Table 6:
Table 6 Device re-authentication request command packet format
  Field:  Network layer header | Command identifier = 32 | Decrypted authentication ID
  Length: 14 bytes             | 1 byte                  | 8 bytes
The command identifier of the device re-authentication request command packet is 32. The decrypted authentication ID is used for authentication by the security manager. This command packet is a non-segmented packet, and the network layer header is 14 bytes (23 bytes in total);
(5) On receiving the device re-authentication request, the network manager forwards it to the security manager;
(6) On receiving the device re-authentication request, the security manager extracts the authentication ID and compares it with the authentication ID stored by the network manager. If they match, it notifies the network manager to issue a request to read the UAO (User Application Object) of the mobile device through the remote read-attribute service; if they differ, no response is sent.
(7) The cluster head waits for the network manager's request to read the UAO (User Application Object) through the remote read-attribute service. If the request has not arrived after a set period, the cluster head actively disconnects the mobile device; if the request arrives within that period, the security manager assigns the corresponding permissions to the mobile device.
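The re-join exchange of steps (3) to (7), written out as an added example that is not code from the patent: it builds the 39-byte re-join request of Table 5, performs the cluster-head check of step (4), emits the 23-byte re-authentication request of Table 6 and applies the security manager's second check of step (6). The page fixes only the field sizes (authentication ID and Ticket_net ciphertext 8 bytes, Key 16 bytes) and names no cipher, so three things are assumptions of this example: Ticket_mobile is laid out as the ID followed by the Key, an 8-byte keystream derived from the Key with HMAC-SHA256 stands in for the unnamed encryption of the ID, and the 14-byte network layer header is treated as opaque.

```python
"""Model of the k-th (k >= 2) network-access check, steps (3) to (7).

Added example, not code from the patent. Assumptions: Ticket_mobile is the
8-byte authentication ID followed by the 16-byte Key; an HMAC-SHA256 derived
keystream stands in for the page's unnamed cipher; the 14-byte network layer
header is opaque and carried through unchanged.
"""
import hashlib
import hmac
import struct

NET_HDR_LEN = 14           # network layer header (Tables 5 and 6)
CMD_REJOIN_REQUEST = 34    # mobile-device re-join request
CMD_REAUTH_REQUEST = 32    # device re-authentication request
AUTH_ID_LEN = 8            # authentication ID and Ticket_net ciphertext
KEY_LEN = 16               # Key carried in Ticket_mobile
TICKET_MOBILE_LEN = AUTH_ID_LEN + KEY_LEN            # 24 bytes
REJOIN_LEN = NET_HDR_LEN + 1 + TICKET_MOBILE_LEN     # 39 bytes (Table 8)
REAUTH_LEN = NET_HDR_LEN + 1 + AUTH_ID_LEN           # 23 bytes (Table 8)


def _keystream(key: bytes) -> bytes:
    # Stand-in (assumption) for the unnamed cipher keyed with the 16-byte Key.
    return hmac.new(key, b"WIA-PA Ticket_net", hashlib.sha256).digest()[:AUTH_ID_LEN]


def encrypt_auth_id(key: bytes, auth_id: bytes) -> bytes:
    """Security manager: Ticket_net is the authentication ID encrypted under Key."""
    return bytes(a ^ b for a, b in zip(auth_id, _keystream(key)))


decrypt_ticket_net = encrypt_auth_id   # XOR with the keystream is its own inverse


def make_tickets(auth_id: bytes, key: bytes):
    """After a successful first join: returns (Ticket_net, Ticket_mobile)."""
    if len(auth_id) != AUTH_ID_LEN or len(key) != KEY_LEN:
        raise ValueError("authentication ID must be 8 bytes, Key 16 bytes")
    return encrypt_auth_id(key, auth_id), auth_id + key


def build_rejoin_request(net_hdr: bytes, ticket_mobile: bytes) -> bytes:
    """Table 5: header (14) | command identifier 34 (1) | Ticket_mobile (24)."""
    if len(net_hdr) != NET_HDR_LEN or len(ticket_mobile) != TICKET_MOBILE_LEN:
        raise ValueError("bad field length")
    return net_hdr + struct.pack("B", CMD_REJOIN_REQUEST) + ticket_mobile


def cluster_head_check(packet: bytes, cached_ticket_net: bytes):
    """Step (4) at the cluster head. Returns (admit, re-authentication request)."""
    if len(packet) != REJOIN_LEN or packet[NET_HDR_LEN] != CMD_REJOIN_REQUEST:
        return False, None
    net_hdr = packet[:NET_HDR_LEN]
    ticket_mobile = packet[NET_HDR_LEN + 1:]
    claimed_id, key = ticket_mobile[:AUTH_ID_LEN], ticket_mobile[AUTH_ID_LEN:]
    decrypted_id = decrypt_ticket_net(key, cached_ticket_net)
    if not hmac.compare_digest(decrypted_id, claimed_id):
        return False, None                       # IDs differ: refuse access
    # Table 6: header (14) | command identifier 32 (1) | decrypted ID (8)
    reauth = net_hdr + struct.pack("B", CMD_REAUTH_REQUEST) + decrypted_id
    return True, reauth


def security_manager_check(reauth_packet: bytes, stored_ids) -> bool:
    """Step (6): the decrypted ID must match an ID the network manager stored."""
    if len(reauth_packet) != REAUTH_LEN or reauth_packet[NET_HDR_LEN] != CMD_REAUTH_REQUEST:
        return False
    auth_id = reauth_packet[NET_HDR_LEN + 1:]
    return any(hmac.compare_digest(auth_id, s) for s in stored_ids)


def rejoin(ticket_mobile: bytes, cached_ticket_net: bytes, stored_ids,
           net_hdr: bytes = b"\x00" * NET_HDR_LEN) -> str:
    """Whole k-th access: local ticket check, then the second check at the security manager."""
    admitted, reauth = cluster_head_check(build_rejoin_request(net_hdr, ticket_mobile),
                                          cached_ticket_net)
    if not admitted:
        return "refused"            # step (4): no link resources allocated
    if not security_manager_check(reauth, stored_ids):
        return "disconnected"       # step (7): no read-UAO request arrives, link torn down
    return "authorized"             # step (7): permissions assigned


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    auth_id, key = bytes(range(8)), bytes(range(16))
    ticket_net, ticket_mobile = make_tickets(auth_id, key)
    print(rejoin(ticket_mobile, ticket_net, [auth_id]))      # authorized
    print(rejoin(bytes(8) + key, ticket_net, [auth_id]))     # refused
    print(rejoin(ticket_mobile, ticket_net, []))             # disconnected
```

Both inputs to the cluster-head comparison come out of the ticket pair itself, so the local check of step (4) establishes possession of a Ticket_mobile that matches the cached Ticket_net, not anything further about the sender; it is the comparison against the ID the network manager stored at first join, step (6), that ties a re-join to a device that was previously authenticated at the gateway, which is why the example keeps the two checks separate and lets the second one tear the link down.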
3. Analysis of the packet overhead of the mobile-device network-access procedure
The analysis is divided into three parts: the first is the network-access packet overhead of a mobile device under the WIA-PA standard; the second is the packet overhead of the mobile-device network-access authentication mechanism of this technical solution; the third is the comparison and analysis of the two.
(1) Mobile-device network-access packet overhead under the WIA-PA standard
Figure 6 is the sequence diagram of a mobile device securely joining the network under the WIA-PA standard.
Table 7 is obtained from the WIA-PA standard:
Table 7 Packet sizes defined in the WIA-PA standard
  Packet type                  | Size (bytes)
  Join request command packet  | 28
  Join response command packet | 26
  ACK                          | 5
Let the total packet overhead of a mobile device's first network access be A bytes, and let the join request command packet, join response command packet and ACK needed during the join be forwarded m_1 times in the network; then
A = (28+5+26)×2 + m_1(28+26+5+5) = 118 + 64m_1
Let the total packet overhead of a mobile device over k network accesses be x bytes (the number of packets exchanged in the configuration phase of secure network access under the WIA-PA standard equals the number exchanged in the configuration phase of the first network access in this technical solution, so it is not counted here), and let the command packets be forwarded m_i times in the network during the i-th access. Under the standard every access repeats the full join, so
x = Σ_{i=1}^{k} (118 + 64m_i) = 118k + 64 Σ_{i=1}^{k} m_i
(2) Packet overhead of the mobile-device network-access authentication mechanism of this technical solution
Table 8 is compiled from the command packets defined in this technical solution:
Table 8 Sizes of the command packets defined in this technical solution
  Command packet type                             | Size (bytes)
  Mobile-device re-join request command packet    | 39
  Device re-authentication request command packet | 23
  Join success response command packet            | 42
  Ticket_net forwarding command packet            | 23
In this technical solution the mobile-device join request and the mobile-device re-join request are forwarded in the network the same number of times as the mobile-device join request under the WIA-PA standard.
From the mobile-device network-access procedures of Figures 2 and 5: let the total packet overhead of a mobile device's first network access in this technical solution be B bytes (the configuration-phase packets are again not counted, since their number equals that under the WIA-PA standard), let the join request command packet, join success response command packet and ACKs be forwarded m_1 times in the mesh network, and let the number of in-network routing devices be n (n is generally a constant once the network has been deployed); then
B = (28+26+5)×2 + (28+42+5×2)m_1 = 118 + 80m_1
Let the packet overhead of distributing Ticket_net be C bytes. From the Ticket_net distribution procedure, Ticket_net is distributed n times in the network, so C = 23n. Let the packet overhead of the mobile device's second network access in this technical solution be D bytes; then D = 39 + 23m_2.
Let the total packet overhead of a mobile device over k network accesses in this technical solution be y bytes, with the command packets forwarded m_i times in the network during the i-th access. The first access costs B, the Ticket_net distribution C, and each later access 39 + 23m_i, so
y = B + C + Σ_{i=2}^{k} (39 + 23m_i) = 118 + 80m_1 + 23n + 39(k−1) + 23 Σ_{i=2}^{k} m_i
(3) Comparison and analysis of packet overhead
Table 9 compares the packet overhead of mobile-device network-access authentication in this technical solution with that of mobile-device network-access authentication under the WIA-PA standard.
Table 9 Comparison of packet overhead
  Scheme                  | Total packet overhead over k accesses (bytes)
  WIA-PA standard         | x
  This technical solution | y
Let Y be the difference between the mobile-device network-access packet overhead under the WIA-PA standard and that in this technical solution, i.e. Y = x − y; then
Y = 118k + 64 Σ_{i=1}^{k} m_i − (118 + 80m_1 + 23n + 39(k−1) + 23 Σ_{i=2}^{k} m_i)
  = 79(k−1) − 16m_1 − 23n + 41 Σ_{i=2}^{k} m_i
Since m_i ≥ 1 (i ≥ 2), Σ_{i=2}^{k} m_i ≥ k−1, and therefore
Y ≥ 79(k−1) + 41(k−1) − 16m_1 − 23n = 120k − 120 − 16m_1 − 23n
Let X = 120k − 120 − 16m_1 − 23n; then Y ≥ X. When X ≥ 0 we have Y ≥ 0, i.e. the network-access packet overhead of the mobile-device network-access authentication mechanism of this technical solution does not exceed that of the mechanism of the WIA-PA standard. From X = 120k − 120 − 16m_1 − 23n ≥ 0 we obtain
k ≥ 1 + (16m_1 + 23n)/120
That is, when
k ≥ 1 + (16m_1 + 23n)/120
the network-access packet overhead of the mobile-device network-access authentication mechanism of this technical solution is no greater than that of the mobile-device network-access authentication mechanism of the WIA-PA standard.
Analysing the network reference model of Figure 1, in which the mobile device moves within the WIA-PA network: from Figure 1, m_1 = 2, and if m_i = 1 (i ≥ 2), the bound above holds with equality, so
Y = 120k − 152 − 23n
Since k is a natural number, Y > 0 for k ≥ 3 (for the network of Figure 1 this requires 23n < 208, i.e. at most 9 in-network routing devices), so the packet overhead of the mobile-device network-access authentication mechanism of this technical solution is less than that of the mobile-device network-access authentication mechanism of the WIA-PA standard. Y increases linearly with k, so as k grows (i.e. as the number of repeated network accesses grows) the advantage of the mechanism of this technical solution over the WIA-PA standard mechanism grows further.
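The overhead model of this section, as an added example that is not part of the patent: it evaluates x, y and Y = x − y for an arbitrary list of per-access forwarding counts m_1, ..., m_k and routing-device count n, computes the bound X and the break-even number of accesses k ≥ 1 + (16m_1 + 23n)/120, and lets one check the bound against the exact difference. The per-packet sizes are the page's own (Tables 7 and 8); the numeric m and n values in the main block are constructed for illustration.

```python
"""Packet-overhead model of section 3 (added example, not from the patent).

Per-packet sizes are the page's: WIA-PA join request 28, join response 26,
ACK 5 (Table 7); this scheme's re-join request 39, re-authentication
request 23, join success response 42, Ticket_net forwarding 23 (Table 8).
m is the list [m_1, ..., m_k] of forwarding counts per access, n the
number of in-network routing devices.
"""


def wia_pa_total(m):
    """x: under the standard every access is a full join, 118 + 64 m_i bytes."""
    return sum(118 + 64 * mi for mi in m)


def ticket_total(m, n):
    """y = B + C + sum(D_i): B = 118 + 80 m_1, C = 23 n, D_i = 39 + 23 m_i (i >= 2)."""
    return 118 + 80 * m[0] + 23 * n + sum(39 + 23 * mi for mi in m[1:])


def saving_bound(k, m1, n):
    """X = 120k - 120 - 16 m_1 - 23 n: lower bound on Y = x - y when all m_i >= 1."""
    return 120 * k - 120 - 16 * m1 - 23 * n


def break_even_k(m1, n):
    """Smallest k with X >= 0, i.e. k >= 1 + (16 m_1 + 23 n)/120 (integer ceiling)."""
    return max(1, 1 + (16 * m1 + 23 * n + 119) // 120)


def compare(m, n):
    """Returns (x, y, Y) for k = len(m) accesses."""
    x, y = wia_pa_total(m), ticket_total(m, n)
    return x, y, x - y


if __name__ == "__main__":
    # Figure 1 case from the text: m_1 = 2, m_i = 1; n = 4 is a constructed value.
    for k in range(1, 6):
        m = [2] + [1] * (k - 1)
        print(k, compare(m, 4), saving_bound(k, 2, 4))
    print(break_even_k(2, 4))   # 3
```

With m_i = 1 for i ≥ 2 the exact difference equals the bound, which is the Figure 1 case in the text; with larger m_i the exact Y exceeds X, because each extra forwarding hop costs the standard 64 bytes but this scheme only 23.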
Finally, the above preferred embodiments are intended only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail through the above preferred embodiments, those skilled in the art will understand that various changes in form and detail may be made to it without departing from the scope defined by the claims of the present invention.

Claims (7)

  1. A mobile-device network-access authentication mechanism in a WIA-PA industrial wireless network, characterized in that the WIA-PA industrial wireless network devices involved in the authentication process comprise: a gateway device, routing devices, field devices and mobile devices;
    the authentication mechanism comprises a first network-access authentication of the mobile device and a k-th (k ≥ 2) repeated network-access authentication of the mobile device; the first network-access authentication of the mobile device comprises the processing of Ticket_net (the ticket held in the network) and Ticket_mobile (the ticket held in the mobile device) together with the network-access authentication; the k-th (k ≥ 2) repeated network-access authentication of the mobile device comprises the k-th (k ≥ 2) repeated network-access procedure of the mobile device together with the network-access authentication.
  2. The mobile-device network-access authentication mechanism in a WIA-PA industrial wireless network according to claim 1, characterized in that the first network-access authentication of the mobile device comprises: the mobile device is authenticated at the gateway device; after successful authentication, the network manager in the gateway device stores the authentication ID of the mobile device; the security manager in the gateway device generates Ticket_net and Ticket_mobile, distributes Ticket_net to all in-network routing devices and distributes Ticket_mobile to the mobile device.
  3. The mobile-device network-access authentication mechanism in a WIA-PA industrial wireless network according to claim 1, characterized in that the k-th (k ≥ 2) repeated network-access authentication of the mobile device comprises: the mobile device to be admitted sends Ticket_mobile to a routing device; the routing device decrypts Ticket_net using Ticket_mobile to obtain authentication information and checks whether the authentication information matches; if it matches, the mobile device obtains link resources and accesses the network; the routing device then forwards the decrypted authentication information to the security manager in the gateway device, which authenticates the authentication information a second time; if this authentication fails, the mobile device is disconnected; if it succeeds, the network manager in the gateway device assigns the corresponding permissions to the mobile device.
  4. The mobile-device network-access authentication mechanism in a WIA-PA industrial wireless network according to claim 2, characterized in that after the mobile device has been authenticated successfully, Ticket_mobile is encapsulated in the join success response; on receiving the join success response the mobile device has successfully accessed the network and obtains Ticket_mobile. The format of the join success response command packet is as follows:
    Field:  Network layer header | Command identifier = 35 | Execution result | Short address of the joining device | Ticket_mobile
    Length: 14 bytes             | 1 byte                  | 1 byte           | 2 bytes                             | 24 bytes
    The command identifier of the join success response command packet is 35. If the join succeeds, the execution result returns "SUCCESS" and the short-address subfield of the joining mobile device and Ticket_mobile are valid; if the join fails, the execution result returns "FAILURE" and the short-address subfield of the joining mobile device and Ticket_mobile are invalid.
  5. The mobile-device network-access authentication mechanism in a WIA-PA industrial wireless network according to claim 4, characterized in that the processing of Ticket_net and Ticket_mobile comprises the generation of Ticket_net and Ticket_mobile, the forwarding of Ticket_net and Ticket_mobile, the storage of Ticket_net and Ticket_mobile, and the updating of Ticket_net and Ticket_mobile.
  6. The mobile-device network-access authentication mechanism in a WIA-PA industrial wireless network according to claim 5, characterized in that: the ciphertext in Ticket_net is the ciphertext obtained by encrypting the authentication ID and is 8 bytes long; the Key in Ticket_mobile is the key of the encryption algorithm used for Ticket_net and is 16 bytes long; as to the distribution of Ticket_net and Ticket_mobile: in the WIA-PA industrial wireless network, when a routing device joins at the gateway device, the gateway device, as parent node, records the joining routing device as a child node in its parent-child node relationship table; when a routing device joins at an in-network routing device, that in-network routing device records the joining routing device as a child node in its parent-child node relationship table; the network manager queries the parent-child node relationship table in the gateway device and, according to the result, sends a Ticket_net distribution command packet to all of its child routing devices; each routing device that receives the Ticket_net distribution command packet stores Ticket_net, then queries its own parent-child node relationship table and, according to the result, sends Ticket_net to all child routing devices listed in that table; Ticket_net is distributed in this way. The Ticket_net distribution command packet is used by routing devices/the gateway device to distribute Ticket_net; its format is as follows:
    Field:  Network layer header | Command identifier = 33 | Ticket_net
    Length: 14 bytes             | 1 byte                  | 8 bytes
    The command identifier of the Ticket_net forwarding command packet is 33. Ticket_net uses a caching mechanism and is cached in the in-network routing devices and the gateway device, while Ticket_mobile is stored persistently in the mobile device. Four update modes for Ticket_net and Ticket_mobile are provided, and the user selects one according to the actual situation: in update mode 1, the time at which the mobile device first leaves the network is t_1, and after a period t Ticket_net is automatically updated to Ticket_net1 while Ticket_mobile is automatically updated to the corresponding Ticket_mobile1, this process being repeated for subsequent updates; in update mode 2, after the mobile device has re-entered the network g times, at the (g+1)-th network access the security manager generates a new Ticket_net and Ticket_mobile and the forwarding procedure for Ticket_net and Ticket_mobile is executed again; in update mode 3, a maximum lifetime T is set for Ticket_net and Ticket_mobile, and once T is exceeded the routing devices and the gateway device in the WIA-PA network automatically clear the cached Ticket_net while the mobile device clears Ticket_mobile, so that at the next network access the first network-access authentication procedure of the mobile device is used; in update mode 4, Ticket_net and Ticket_mobile are not updated.
  7. The mobile-device network-access authentication mechanism in a WIA-PA industrial wireless network according to claim 3, characterized in that two command packets are defined for the k-th (k ≥ 2) repeated network-access procedure of the mobile device, namely the mobile-device re-join request command packet and the device re-authentication request command packet; the mobile-device re-join request command packet is used by the mobile device to send a re-join request, and its format is as follows:
    Field:  Network layer header | Command identifier = 34 | Ticket_mobile
    Length: 14 bytes             | 1 byte                  | 24 bytes
    The command identifier of the mobile-device re-join request command packet is 34;
    the device re-authentication request packet is used by a routing device to forward the device re-authentication request, and its format is as follows:
    Field:  Network layer header | Command identifier = 32 | Decrypted authentication ID
    Length: 14 bytes             | 1 byte                  | 8 bytes
    The command identifier of the device re-authentication request command packet is 32, and the decrypted authentication ID is used for authentication by the security manager.
PCT/CN2016/088054 2016-05-06 2016-07-01 Mobile device network-access authentication mechanism in wia-pa wireless networks for industrial automation WO2017190414A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610298169.9 2016-05-06
CN201610298169.9A CN105744524B (en) 2016-05-06 2016-05-06 Mobile device networking authentication method in a kind of WIA-PA industry wireless network

Publications (1)

Publication Number Publication Date
WO2017190414A1 true WO2017190414A1 (en) 2017-11-09

Family

ID=56288279

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/088054 WO2017190414A1 (en) 2016-05-06 2016-07-01 Mobile device network-access authentication mechanism in wia-pa wireless networks for industrial automation

Country Status (2)

Country Link
CN (1) CN105744524B (en)
WO (1) WO2017190414A1 (en)


Legal Events
  Code | Title                                                                             | Description
  NENP | Non-entry into the national phase                                                 | Ref country code: DE
  121  | Ep: the epo has been informed by wipo that ep was designated in this application  | Ref document number: 16900936; Country of ref document: EP; Kind code of ref document: A1
  122  | Ep: pct application non-entry in european phase                                   | Ref document number: 16900936; Country of ref document: EP; Kind code of ref document: A1