WO2019221419A1 - Hardware security module - Google Patents

Hardware security module

Info

Publication number
WO2019221419A1
Authority
WO
WIPO (PCT)
Prior art keywords
electronic device
security module
communication
iot
hardware security
Prior art date
Application number
PCT/KR2019/005039
Other languages
English (en)
Korean (ko)
Inventor
박현주
박한나
Original Assignee
주식회사 시옷
Priority date
Filing date
Publication date
Application filed by 주식회사 시옷
Publication of WO2019221419A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/10 Current supply arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Definitions

  • The present invention relates to a hardware security module. More specifically, the present invention relates to a hardware security module that provides security services in an IoT service system using LoRa communication.
  • The hardware security module is a module that, by having a processor and a memory having a predetermined computing function, can not only handle a large amount of information but also perform processing on its own.
  • The hardware security module has been used in various fields where security of users' personal information is required, owing to the advantage that confidential information stored inside it is not leaked. More specifically, since the hardware security module generates its own security key and stores the generated security key securely inside without leaking it to the outside, it can maximize security when used as a digital signature means. For example, it may be used as an electronic signature means in the process of making a payment on a mobile device.
  • LoRa communication technology has recently emerged. LoRa is an abbreviation of Long Range, and LoRa communication can be regarded as one of the large-scale low power long distance wireless communication technologies. Unlike conventional smart device connection environments that require high-speed, broadband networks, LoRa communication can send and receive small-scale data at low power by placing a chip on an electronic device, without a separate base station or relay device. In addition, LoRa communication can provide users and developers with interoperability suited to Internet needs such as security, two-way communication, network mobility, and localization services, and Internet of Things (IoT) service systems based on LoRa communication are becoming commercially available.
  • The technical problem to be solved by the present invention is to provide a hardware security module that allows security technology to be applied, without changing hardware or software, in an IoT service system based on a LoRa communication network that includes all low-specification hardware devices.
  • Another object of the present invention is to provide a hardware security module capable of end-to-end encryption in an IoT service system based on a LoRa communication network.
  • Another object of the present invention is to provide a hardware security module applicable to a low power wide area wireless network (LPWAN).
  • The hardware security module may include an access port connected to an IoT electronic device, a communication interface for transmitting and receiving data from the IoT electronic device through a LoRa communication network, and a processor that encrypts and decrypts data transmitted and received by the communication interface, wherein the processor includes a plug-in manager that installs a security plug-in in the IoT electronic device, for transmitting and receiving encrypted data, when the IoT electronic device and the connection port are physically connected.
  • The processor may further include an encryption unit that performs encryption using at least one of the ARIA, Secure Hash Algorithm (SHA), and end-to-end encryption communication schemes for transmitting and receiving data to and from the IoT electronic device.
  • The processor may further include a device authentication unit configured to authenticate the IoT electronic device and a device connection manager configured to manage a connection, through a LoRa communication network, of the IoT electronic device that has been authenticated by the device authentication unit.
  • the processor may further include a server manager configured to manage an external server connected to the IoT electronic device through a LoRa communication network.
  • the communication interface may further include a communication converter configured to convert communication data transmitted by the IoT electronic device into LoRa communication data.
  • Depending on the type of communication module embedded in the IoT electronic device, the communication interface may further include any one or more of a secure LoRa communication unit, a secure serial communication unit, and a secure LPWAN communication unit, and data transmitted and received over the LoRa communication network through at least one of the secure LoRa communication unit, the secure serial communication unit, and the secure LPWAN communication unit may be encrypted or decrypted by the processor.
  • the communication interface may further include a secure Ethernet communication unit and a Power Over Ethernet port for Ethernet communication.
  • The communication interface receives, through a LoRa communication network, encrypted data from a device authentication server that transmits an authentication code to the IoT electronic device, the processor decrypts the encrypted data received by the communication interface, and the device authentication unit may perform authentication of the IoT electronic device based on the data decrypted by the processor.
  • The connection port may be an IC card or a port based on a universal serial bus (USB) standard.
  • A security technology can be applied to a LoRa communication network including all low-end hardware devices without changing hardware and software, which saves the time and cost that applying the security technology through hardware and software changes would require.
  • the hardware security module can further provide a more secure LoRa network-based IoT service system by using end-to-end encryption.
  • an electronic device having various communication modules may be applied to an IoT service system based on a LoRa communication network.
  • FIG. 1 is a diagram illustrating a configuration of a LoRa communication network-based IoT system to which a hardware security module according to an embodiment of the present invention can be applied.
  • FIG. 2 is a diagram schematically illustrating a configuration of a hardware security module according to an embodiment of the present invention.
  • FIG. 3 is a flowchart illustrating a method of authenticating an IoT electronic device by a hardware security module according to an embodiment of the present invention using a LoRa communication network.
  • IoT is an abbreviation of the Internet of Things (IoT), and refers to a physical network in which an object equipped with a sensor and a communication chip can automatically send and receive real-time data without human intervention.
  • IoT devices with built-in sensors or communications
  • the Internet of Things (IoT) is based on Bluetooth, near field communication (NFC), sensor data, and low power wide area wireless communication technologies.
  • the Internet of Things (IoT) and Machine-to-Machine (M2M) radios can be implemented using a LoRa communication network, one of the low power wide area wireless communication technologies, and millions of wireless sensor nodes can be connected to the gateway.
  • FIG. 1 is a diagram illustrating a configuration of an IoT service system 10 based on a LoRa communication network 200 to which a hardware security module may be applied according to an embodiment of the present invention.
  • The IoT service system 10 based on the LoRa communication network 300 is for processing a plurality of sensors and a large amount of asynchronous processes, and may include an IoT electronic device 200, a LoRa communication network 300, a LoRa repeater 350, a LoRa server 400, and an external server 500.
  • the IoT electronic device 200 is a device to which the Internet of Things (IoT) technology is applied and may be a low power electronic device capable of operating for a long time with battery power. Accordingly, the IoT electronic device 200 may be provided with a low power wireless communication module such as a LoRa communication module to conserve power.
  • The IoT electronic device 200 may be connected to a plurality of sensor devices, and the data specified through the sensor device according to the request of the external server 500 may be sent to the external server 500 through the LoRa communication network 300.
  • The IoT electronic device 200 controls the activation state of the sensor device according to a predetermined time, acquires terminal-specific information (e.g., serial number, ID, etc.) and sensor data from the sensor device while the sensor device is activated, transmits them to the external server 500 through the LoRa communication network 300, and receives from the external server 500 the setting data for setting the sensor device.
  • Since the IoT electronic device 200 uses the LoRa communication network 300 capable of broadband communication, the IoT electronic device 200 may include an electronic device requiring communication over a longer distance than an electronic device disposed in a specific building or space.
  • The LoRa communication network 300 includes a LoRa base station (not shown) and a LoRa repeater 350, and may be made up of various Internet communication relay devices such as the LoRa server 400.
  • The external server 500 may provide an IoT application installed in a user terminal (not shown) using the IoT service system 10, and accordingly, a user may control the IoT electronic device 200 using the LoRa communication network 300.
  • FIG. 2 is a diagram schematically illustrating a configuration of a hardware security module 100 according to an embodiment of the present invention.
  • the software configuration of the hardware security module 100 may include a communication interface 110, a processor 120, and a connection port 130.
  • the access port 130 provided in the hardware security module 100 may be physically connected to the IoT electronic device 200 to install a security plug-in.
  • the connection port 130 may be formed of an IC card or a port of various Universal Serial Bus (USB) standards, and thus may be physically connected to various kinds of IoT electronic devices 200.
  • The security plug-in provided by the hardware security module 100 is a program that provides security functions to each component of the IoT service system 10 based on the LoRa communication network 300, so that data can be transmitted and received securely over the LoRa communication network 300. According to an embodiment, the security plug-in may be installed in the form of embedded software in the IoT electronic device 200, through the LoRa communication network 300 to which the communication interface 110 is secured or through an access port of the hardware security module 100.
  • The IoT electronic device 200 may perform functions provided by the communication interface 110 and the processor 120 of the hardware security module 100 through the security plug-in, and the functions performed by each component of the hardware security module 100 described below may be performed through the components of the IoT service system 10 based on the LoRa communication network 300 (e.g., the IoT electronic device 200, the LoRa server, and an external server).
  • The communication interface 110 of the hardware security module may exchange communication data with the LoRa communication network 300 and with the IoT service system 10 based on the LoRa communication network 300.
  • Through the communication interface 110, the security plug-in for security of the IoT electronic device 200 may be installed within a certain range in which wireless communication with the IoT service system 10 based on the LoRa communication network 300 is possible, or the hardware security module 100 may be connected to the IoT electronic device 200 through the access port 130 to set and release the security of the IoT electronic device 200.
  • The processor 120 of the hardware security module 100 controls the overall functions of the hardware security module 100 and may include at least one computing device capable of providing security services in the IoT service system 10 based on the LoRa communication network 300.
  • The computing device may be, for example, a general-purpose central processing unit (CPU), a programmable logic device (CPLD, FPGA), an application-specific integrated circuit (ASIC), or a microcontroller chip implemented for a specific purpose.
  • the processor 120 may encrypt or decrypt data transmitted and received by the communication interface 110.
  • The processor 120 may include a plug-in management unit 121 that installs a security plug-in in the IoT electronic device 200 when the connection port 130 of the hardware security module 100 is physically connected.
  • the processor 120 may include an encryption unit 123 that encrypts and decrypts data transmitted and received by the IoT electronic device 200 to the IoT service system 10 based on the LoRa communication network 300.
  • The encryption unit 123 may perform encryption using at least one of the ARIA, Secure Hash Algorithm (SHA), and end-to-end encryption communication schemes.
  • the encryption unit 123 may encrypt any information transmitted or received by the IoT electronic device 200 with each component of the IoT service system 10 based on the LoRa communication network 300.
  • When the security plug-in provided by the processor 120 of the hardware security module 100 uses an end-to-end encryption scheme, the IoT electronic device 200 may transmit to the LoRa server 400 encrypted request information for using the communication network.
  • The encryption unit 123 may provide the ARIA encryption communication method, which is a national standard 128-bit block encryption algorithm, so that the IoT service system 10 encrypts information more efficiently using the LoRa communication network 300, or may use SHA encryption, another national standard 160-bit block encryption algorithm, to encrypt information.
  • the encryption unit 123 may provide various national standard algorithms to each component of the IoT service system 10 that can provide an information security service using a LoRa communication network.
  • a lightweight encryption communication scheme may be provided in consideration of hardware and software capabilities of the IoT electronic device 200.
  • the processor 120 of the hardware security module 100 may include a device authenticator 125 that performs authentication of the IoT electronic device 200 to install a security plug-in.
  • the device authenticator 127 may perform authentication of the IoT electronic device 200 using the device authentication server 600, and a detailed description of a method of performing authentication will be described later.
  • The processor 120 of the hardware security module 100 may include a device connection manager 127 that manages connections, through a LoRa communication network, of IoT electronic devices 200 that have been authenticated by the device authenticator 127. This is the case where the hardware security module 100 is applied to the LoRa server 400 or the external server 500: when the IoT electronic device 200 accesses the LoRa server 400 or the external server 500 using the LoRa communication network 300, the device connection manager 127 may check an authentication code of the IoT electronic device 200 to control the access of the device through the LoRa communication network 300.
  • The processor 120 of the hardware security module 100 may include a server management unit 129 for managing the LoRa server 400 and the external server 500 connected through the LoRa communication network 300.
  • The server manager 129 may be executed in each server device to manage whether the LoRa server 400 and the external server 500 use the IoT service system 10 with a correct encryption communication method.
  • The server manager 129 analyzes the information received by the IoT electronic device 200 from the external server 500 and, if the external server 500 is not a server authenticated for communication security based on the LoRa communication network 300, can control the access of the server.
  • The communication interface 110 may include a communication conversion unit 111 that converts communication data transmitted by the IoT electronic device 200 into LoRa communication data.
  • To use the IoT service system 10 based on the LoRa communication network 300, a LoRa network-based security plug-in provided by the processor 120 of the hardware security module 100 may be installed. Accordingly, the IoT electronic device 200 may exchange information by using the communication converter 111 provided by the hardware security module 100.
  • the communication conversion unit 111 may convert the serial communication data into LoRa communication data.
  • When the IoT electronic device 200 transmits low power wide area wireless communication (LPWAN) data similar to LoRa communication, the communication conversion unit 111 may convert the data into LoRa communication data, so that the IoT electronic device 200 may be provided with a security service regardless of a specific specification for using the IoT service system 10 based on the LoRa communication network 300.
  • The communication interface 110 of the hardware security module 100 may include a secure LoRa communication unit 113, a secure serial communication unit 115, and a secure LPWAN communication unit 117, according to the type of communication module built in the IoT electronic device 200.
  • Data transmitted and received over the LoRa communication network 300 through the secure LoRa communication unit 113, the secure serial communication unit 115, and the secure LPWAN communication unit 117 may be encrypted or decrypted by the processor 120.
  • The communication interface 110 may include a secure Ethernet communication unit 119 for Ethernet communication, and the hardware security module 100 may include a PoE port (Power Over Ethernet port).
  • PoE is a technology for transmitting a data signal and power at the same time; the IoT electronic device 200 can receive the LoRa communication data and the power for operating the device at the same time through the PoE port.
  • Since the communication interface 110 of the hardware security module 100 includes various communication modules and physical communication ports, the same security service can be provided regardless of the specification of each component of the IoT service system 10 based on the LoRa communication network 300.
  • the security service can be selectively applied to the IoT electronic device 200 desired by the user, so that the user can enjoy a more secure IoT service.
  • FIG. 3 is a flowchart illustrating a method of authenticating the IoT electronic device 200 using the LoRa communication network by the hardware security module 100 according to an embodiment of the present invention.
  • the hardware security module 100 encrypts the authentication code request signal (S110). This is a step of encrypting the authentication code request signal itself. Since the authentication code request signal includes information on the IoT electronic device 200 to be described later, the authentication code request signal itself is encrypted for security reasons.
  • The hardware security module 100 relays a procedure for issuing an authentication code for authenticating the IoT electronic device 200 from the device authentication server 600. That is, the hardware security module 100 receives the authentication code from the device authentication server 600 and transmits the authentication code to the IoT electronic device 200. According to an embodiment, the hardware security module 100, in cooperation with a terminal on which an application can be installed, relays between the IoT electronic device 200 and the device authentication server 600 so that the IoT electronic device 200 receives and stores the signed authentication code.
  • the authentication code request signal encrypted by the hardware security module 100 may include at least one of a message type, a message length, a serial number, a gateway ID, a unique ID, and a password of the IoT electronic device 200.
  • The message type is a value set in the first byte of every request signal or response signal, and it identifies the type of the signal. That is, because the value is set in the first byte of the authentication code request signal, the type of the signal can be distinguished according to the set value.
  • the message length is the total message size minus the message type and the message length.
  • The authentication code request signal includes the message type, the message length, and various other information, and the message length may be the size of all information included in the authentication code request signal minus the size of the message type and the size of the message length itself. For example, if the size of the message type is 1 byte, the size of the message length itself is 4 bytes, and the size of the entire message is 85 bytes, the message length may be 80 bytes. Here, the size of the entire message is the size of the authentication code request signal.
  • the serial number is a unique number of the IoT electronic device 200.
  • Each IoT electronic device 200 capable of short-range wireless communication or wired communication with the hardware security module 100 includes one unique number.
  • the hardware security module 100 may receive and store a serial number that is a unique number of the IoT electronic device 200 before encrypting the authentication code request signal. Accordingly, the hardware security module 100 may generate an authentication code request signal including a stored serial number.
  • The gateway ID is an ID of a gateway that performs short-range wireless communication or wired communication with the IoT electronic device 200. That is, in the present invention, the gateway ID may be a LoRa repeater 200 ID, and the IoT electronic device 200 stores the signed authentication code received from the device authentication server 600 and is then authenticated by the gateway. According to an embodiment, the gateway may be installed for each region. For example, the gateway may be installed in a specific building, and the IoT electronic device 200 needs to be authenticated by the gateway in order to communicate with the gateway in the specific building. Accordingly, the gateway ID may be an ID of a gateway that communicates with the IoT electronic device 200 in a space where the IoT electronic device 200 will be used.
  • the unique ID is an ID of a chip mounted in the IoT electronic device 200.
  • the unique ID is information generated by the IoT electronic device 200 and is a result of hashing a result of applying a salt to a serial number of the IoT electronic device 200 in which the chip is mounted.
  • Each IoT electronic device 200 has a serial number which is a unique number, and the salt may be a value set by the user so that the relationship between the serial number and the unique ID is not exposed.
  • Applying the salt means performing a logical operation between the serial number and a user-specified value, for example, the salt value '1234'.
  • Unique ID is the result of hashing the result of the logical operation of the salt value and the serial number.
  • the logical operation may be at least one of and, or, xor, and nand.
  • the IoT electronic device 200 password is a value to be input when storing the signed authentication code received by the IoT electronic device 200 in the step of transmitting an authentication code storage response signal, which will be described later.
  • the IoT electronic device 200 may store the signed authentication code by inputting the same password as the password of the IoT electronic device 200 included in the authentication code request signal when the signed authentication code is stored.
  • the hardware security module 100 transmits an encrypted authentication code request signal to the device authentication server 600 (S120).
  • the device authentication server 600 decrypts the encrypted authentication code request signal received from the hardware security module 100 (S130). Accordingly, the device authentication server 600 may recognize that the signal transmitted by the hardware security module 100 is a signal for requesting an authentication code through a message type included in the authentication code request signal.
  • the device authentication server 600 generates an authentication code including some information from the authentication code request signal transmitted from the hardware security module 100 (S140). According to an embodiment of the present disclosure, the device authentication server 600 is a server of an authority that is qualified to generate an authentication code. The device authentication server 600 may generate an authentication code, and detailed description of specific information included in the authentication code will be described later.
  • the authentication code generated by the device authentication server 600 is signed to generate a signed authentication code (S150). According to an embodiment, since the authentication code itself generated by the device authentication server 600 may be duplicated, the device authentication server 600 may sign the authentication code.
  • the signed authentication code may mean that the device authentication server 600 directly generates an authentication code, and signing the authentication code by the device authentication server 600 may mean that the authentication code includes signature-related data.
  • the device authentication server 600 encrypts the signed authentication code (S160).
  • the device authentication server 600 may encrypt the authentication code signed by an encryption algorithm included in the authentication code, and the signed authentication code may be encrypted and managed for security.
  • The hardware security module 100 receives an encrypted signed authentication code from the device authentication server 600 (S170). In addition to the signed authentication code, the hardware security module 100 may also receive a result code, an authentication code size, and a hashed password of the IoT electronic device 200.
  • The result code may be a value indicating whether the device authentication server 600 has received the encrypted authentication code request signal from the hardware security module 100 without error.
  • the authentication code size may mean the size of the authentication code itself, for example, the size of the authentication code may be 1000 bytes.
  • the password of the IoT electronic device 200 taking the hash is a result of taking a hash function on the password of the IoT electronic device 200 described above. 600 may transmit.
  • the hardware security module 100 decrypts the encrypted signed authentication code (S180). Since the authentication code itself includes an encryption algorithm that is information of how the authentication code is encrypted, the signed authentication code encrypted using the encryption algorithm can be decrypted.
  • the hardware security module 100 After decrypting the signed authentication code, the hardware security module 100 checks the signed authentication code and transmits an authentication code storage request signal to the IoT electronic device 200 (S190). The process of verifying the signed authentication code may be performed by the hardware security module 100 by comparing the information included in the authentication code with the information included in the authentication code request signal. For example, since both the authentication code request signal and the authentication code include a unique ID, the hardware security module 100 may check whether the unique IDs are the same.
  • the authentication code storage request signal is a message type, message length, authentication code size, authentication code, IoT electronic device 200 information request command information, IoT electronic device 200 password, hashed IoT electronic device 200 password , And session IDs.
  • The message type is a value set in the first byte of every request signal or response signal and identifies the type of the authentication code request signal.
  • The message type indicates the type of signal. That is, a value is set in the first byte of the authentication code request signal, and the type of the signal can be distinguished according to that value.
  • The message length is the total message size minus the sizes of the message type and the message length.
  • The authentication code request signal includes various other information, including the message type and the message length. The message length may be the size of all information included in the authentication code request signal minus the size corresponding to the message type and the size corresponding to the message length. For example, if the size of the message type is 1 byte, the size of the message length itself is 4 bytes, and the size of the entire message is 85 bytes, the message length may be 80 bytes. Here, the size of the entire message is the size of the authentication code request signal.
  • The authentication code size refers to the size of the authentication code itself.
  • The authentication code size may be 1000 bytes, and the authentication code is the authentication code generated by the device authentication server 600.
  • The IoT electronic device 200 information request command information is obtained when the hardware security module 100 applies a hash to the result of a logical operation on a client type and an arbitrary value previously stored in the hardware security module 100. That is, the IoT electronic device 200 information request command information is Hash (client type
  • The random value is the current time or a random number generated by the hardware security module 100. Taking a hash or taking a hash function means hashing. Taking a hash by logically computing a first value and a second value, or taking a hash function, means doing a hash (first value
  • The IoT electronic device 200 password is a value to be entered when the IoT electronic device 200 stores the received signed authentication code in the step of transmitting an authentication code storage response signal, which is described later.
  • The IoT electronic device 200 may store the signed authentication code by entering, at the time of storage, the same password as the password of the IoT electronic device 200 included in the authentication code request signal.
  • The hashed password of the IoT electronic device 200 is the result of applying the hash function to the password of the IoT electronic device 200.
  • The session ID is an ID that the hardware security module 100 calculates by applying the hash function to the result of a logical operation on the transaction ID, the serial number, the client type, and an arbitrary value.
  • The random value is the time at which the session ID is generated or a random number generated by the hardware security module 100.
  • The IoT electronic device 200 stores the received signed authentication code and transmits the authentication code storage response signal to the hardware security module 100 (S191).
  • The authentication code storage response signal may include a message type, a message length, and a result code.
  • The message type is a value set in the first byte of every request signal or response signal and identifies the type of the authentication code request signal.
  • The message type may be a signal type. That is, a value is set in the first byte of the authentication code storage response signal, and the type of the signal can be distinguished according to that value.
  • The message length is the total message size minus the sizes of the message type and the message length.
  • The authentication code storage response signal includes a variety of other information, including the message type and the message length.
  • The message length may mean the size of all information included in the authentication code storage response signal minus the size corresponding to the message type and the size corresponding to the message length. For example, if the size of the message type is 1 byte, the size of the message length itself is 4 bytes, and the size of the entire message is 85 bytes, the message length may be 80 bytes.
  • The size of the entire message is the size of the authentication code storage response signal.
  • The result code is a code indicating whether the authentication code was saved without error. For example, if the result code is 0, this may mean that the authentication code is stored in the IoT electronic device 200 without error.
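
The framing rule described above (a one-byte message type, a four-byte message length, and a length value that excludes both fields) can be enforced before any field is read. The following Python framer and parser is an added example, not code from the patent; the big-endian byte order, the type value 0x12, the 4096-byte body limit and the one-byte result code are assumptions, since the description does not specify them.

```python
import struct

HEADER = struct.Struct(">BI")   # 1-byte type + 4-byte length; big-endian is assumed
MAX_BODY = 4096                 # assumed cap; the text only mentions a 1000-byte code
MSG_STORE_RESPONSE = 0x12       # hypothetical type value, not taken from the page


class FrameError(ValueError):
    """A frame that breaks the length rule or carries an unexpected type."""


def build_frame(msg_type, body):
    """Message length = whole message minus the type and length fields."""
    if not 0 <= msg_type <= 0xFF:
        raise FrameError("message type must fit in the first byte")
    if len(body) > MAX_BODY:
        raise FrameError("body exceeds the assumed limit")
    return HEADER.pack(msg_type, len(body)) + body


def parse_frame(frame):
    """Return (msg_type, body) only if the declared length matches the frame."""
    if len(frame) < HEADER.size:
        raise FrameError("truncated header")
    msg_type, declared = HEADER.unpack_from(frame)
    if declared > MAX_BODY:
        raise FrameError("declared length exceeds the assumed limit")
    actual = len(frame) - HEADER.size
    if declared != actual:
        raise FrameError(f"length field says {declared}, frame carries {actual}")
    return msg_type, frame[HEADER.size:]


def stored_without_error(frame):
    """Parse an authentication code storage response; result code 0 means stored."""
    msg_type, body = parse_frame(frame)
    if msg_type != MSG_STORE_RESPONSE:
        raise FrameError("not a storage response")
    if len(body) != 1:          # assumed: the result code is a single byte
        raise FrameError("result code must be exactly one byte")
    return body[0] == 0


if __name__ == "__main__":
    request = build_frame(0x01, bytes(80))      # constructed 80-byte body
    print(len(request), parse_frame(request)[0])
    print(stored_without_error(build_frame(MSG_STORE_RESPONSE, b"\x00")))
```

Rejecting a frame whose length field disagrees with the bytes actually received keeps a receiver from reading a 1000-byte authentication code out of a shorter buffer.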

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Small-Scale Networks (AREA)

Abstract

An embodiment of the present invention relates to a hardware security module comprising: a connection port to be connected to an IoT electronic device; a communication interface for transmitting and receiving data to/from the IoT electronic device based on a LoRa communication network; and a processor for encrypting or decrypting the data transmitted and received by the communication interface, the processor comprising an extension management unit that installs, in the IoT electronic device, a security extension module for transmitting and receiving the encrypted data when the IoT electronic device and the connection port are physically connected.
PCT/KR2019/005039 2018-05-16 2019-04-26 Hardware security module WO2019221419A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2018-0056002 2018-05-16
KR1020180056002A KR102135710B1 (ko) 2018-05-16 2018-05-16 Hardware security module

Publications (1)

Publication Number Publication Date
WO2019221419A1 (fr) 2019-11-21

Family

ID=68540573

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2019/005039 WO2019221419A1 (fr) 2018-05-16 2019-04-26 Hardware security module

Country Status (2)

Country Link
KR (1) KR102135710B1 (fr)
WO (1) WO2019221419A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
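CN111654858A (zh) * 2020-04-30 2020-09-11 广东电网有限责任公司 LoRa communication module conforming to the national commercial cryptography standard
CN112631177A (zh) * 2020-12-13 2021-04-09 贵州省通信产业服务有限公司 Agricultural data acquisition device based on hardware-encrypted transmission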

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102433640B1 (ko) * 2021-11-30 2022-08-18 주식회사 시옷 Security processing system for large-capacity data
KR102613077B1 (ko) * 2022-05-31 2023-12-11 한전케이디엔주식회사 Method and apparatus for authenticating a power system registration device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
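KR20150117226A (ko) * 2014-04-09 2015-10-19 (주) 아이씨티케이 Authentication apparatus and method
KR20170130904A (ko) * 2016-05-20 2017-11-29 에스케이텔레콤 주식회사 Method for establishing a connection between a terminal device and a service server, and apparatus therefor
KR20170135103A (ko) * 2016-05-30 2017-12-08 주식회사 알티캐스트 Method and apparatus for providing a P2P data security service in an IoT environment
KR101836211B1 (ko) * 2016-12-16 2018-03-09 주식회사 시옷 Electronic device authentication manager apparatus
KR20180046032A (ko) * 2016-10-27 2018-05-08 삼성전자주식회사 Electronic device and operating method thereof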

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012134901A (ja) * 2010-12-24 2012-07-12 Nakayo Telecommun Inc Power supply control method for communication device, communication device, and adapter device

Also Published As

Publication number Publication date
KR102135710B1 (ko) 2020-07-20
KR20190134924A (ko) 2019-12-05

Similar Documents

Publication Publication Date Title
WO2019221419A1 (fr) Module de sécurité matérielle
US10841759B2 (en) Securely providing a password using an internet of things (IoT) system
KR101851261B1 (ko) 사설 블록체인 데이터 기반 중앙집중형 원격검침 보안시스템
JP4545197B2 (ja) 無線ネットワークシステム及びこれを用いる通信方法
US20070257813A1 (en) Secure network bootstrap of devices in an automatic meter reading network
WO2016137304A1 (fr) Sécurité de bout en bout sur la base de zone de confiance
WO2015147547A1 (fr) Procédé et appareil permettant la prise en charge de l'ouverture de session au moyen d'un terminal d'utilisateur
WO2014069778A1 (fr) Procédé de chiffrement et de déchiffrement à base d'id et appareil pour sa mise en œuvre
CN110932842B (zh) 用于执行虚拟专用网络功能的片上系统及包含该片上系统的系统
WO2019059453A1 (fr) Dispositif et procédé de communication utilisant une clé de sécurité fondée sur l'historique de messages au moyen d'une chaîne de blocs
WO2012099330A2 (fr) Système et procédé de délivrance d'une clé d'authentification pour authentifier un utilisateur dans un environnement cpns
KR101575862B1 (ko) 이기종 전력기기 간 보안 연계 시스템
GB2535749A (en) Authentication module
JP5766780B2 (ja) デバイス間暗号通信方法及びこれを用いたデータ通信方法
CN102984045A (zh) 虚拟专用网的接入方法及虚拟专用网客户端
WO2019182377A1 (fr) Procédé, dispositif électronique et support d'enregistrement lisible par ordinateur permettant de générer des informations d'adresse utilisées pour une transaction de cryptomonnaie à base de chaîne de blocs
WO2020130348A1 (fr) Générateur de clé de chiffrement spécifique à un dispositif et procédé
WO2022177204A1 (fr) Système décentralisé basé sur un did pour stocker et partager des données d'utilisateur
WO2019124667A1 (fr) Appareil et procédé de prise en charge d'une communication de dispositifs vestimentaires
BR112016007210B1 (pt) Método e dispositivo para segurança de comunicação dentro de um ponto de extremidade em uma rede
WO2018186543A1 (fr) Procédé et système de chiffrement de données utilisant une clé d'authentification de dispositif
WO2015178597A1 (fr) Système et procédé de mise à jour de clé secrète au moyen d'un module puf
US20210336781A1 (en) Network device, method for security and computer readable storage medium
WO2015156622A2 (fr) Appareil et procédé d'authentification
WO2019103360A1 (fr) Procédé et système de gestion de données basés sur un rechiffrement de serveur mandataire dans un environnement de terminal léger ido

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19804281

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 09.04.2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19804281

Country of ref document: EP

Kind code of ref document: A1