WO2022021992A1 - Data transmission method and system based on nb-iot communication, and medium - Google Patents


Publication number
WO2022021992A1
WO2022021992A1 PCT/CN2021/092462 CN2021092462W WO2022021992A1 WO 2022021992 A1 WO2022021992 A1 WO 2022021992A1 CN 2021092462 W CN2021092462 W CN 2021092462W WO 2022021992 A1 WO2022021992 A1 WO 2022021992A1
Authority
WO
WIPO (PCT)
Prior art keywords
session key
server
client
digest
random number
Prior art date
Application number
PCT/CN2021/092462
Inventor
安成名
杨光
王文想
张静
孟伟
许超
Original Assignee
深圳市燃气集团股份有限公司
深圳市深燃燃气技术研究院
Application filed by 深圳市燃气集团股份有限公司, 深圳市深燃燃气技术研究院 filed Critical 深圳市燃气集团股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the present application relates to the technical field of session processing, and in particular to a data transmission method, system and medium based on NB-IoT communication.
  • SSL protocol: Secure Socket Layer, developed by Netscape, is used to ensure the security of data transmission on the Internet. Using data encryption technology, it can ensure that data will not be intercepted and eavesdropped on during transmission over the network. It has been widely used for authentication and encrypted data transmission between web browsers and servers.
  • since the SSL protocol is based on Web browsers, it supports B/S applications well, but its support for C/S applications is incomplete. In addition, the current SSL protocols that support domestic commercial cryptographic algorithms all use a scheme based on the Diffie-Hellman key exchange protocol in the key negotiation process. The interaction process is relatively complicated, usually requiring an exchange of 9 packets to complete two-way authentication, which cannot adapt to the narrowband communication characteristics of NB-IoT (Narrowband Internet of Things) networks.
  • the present application provides a data transmission method based on NB-IoT communication, which is applied to an NB-IoT network, and the data transmission method based on NB-IoT communication includes the following steps:
  • the client sends a session key negotiation request message to the server, wherein the session key negotiation request message carries the first random number of the client;
  • the client decrypts the session key response message fed back by the server, obtains the second random number and the second signature of the server, and verifies the second signature of the session key response message;
  • when verifying the second signature of the session key response message is successful, the client generates a first session key according to the first random number and the second random number, and sends a session key confirmation message to the server; wherein the session key confirmation message carries the first digest of the first session key;
  • when the first digest is the same as the second digest of the second session key of the server, the client performs encrypted data communication with the server through the first session key; wherein the second session key is generated by the server according to the first random number and the second random number.
  • the generation of the session key negotiation request message specifically includes:
  • a session key agreement request message is generated.
  • the verifying the second signature of the session key response message specifically includes:
  • both the first session key and the second session key are generated based on the XOR operation of the first random number and the second random number.
  • the data transmission method based on NB-IoT communication further includes:
  • the client disconnects the initial connection with the server.
  • the present application also provides a data transmission method based on NB-IoT communication, which is applied to an NB-IoT network, and the data transmission method based on NB-IoT communication includes the following steps:
  • the server decrypts the session key negotiation request message of the client, obtains the first random number and the first signature of the client, and verifies the first signature of the session key negotiation request message;
  • when verifying the first signature of the session key negotiation request message is successful, the server generates a second session key, and sends a session key response message to the client, wherein the session key response message carries the second random number of the server;
  • when the first digest is the same as the second digest, the server performs encrypted data communication with the client through the second session key.
  • the verifying the first signature of the session key agreement request message specifically includes:
  • the generation of the session key response message specifically includes:
  • a session key response message is generated.
  • the present application also provides a data transmission system based on NB-IoT communication, where the data transmission system based on NB-IoT communication includes a client and a server;
  • the client is configured to send a session key negotiation request message to the server, wherein the session key negotiation request message carries the first random number of the client; the client decrypts the session key response message fed back by the server, obtains the second random number of the server, and verifies the second signature of the session key response message; when verifying the second signature of the session key response message is successful, the client generates a first session key according to the first random number and the second random number, and sends a session key confirmation message to the server, wherein the session key confirmation message carries the first digest of the first session key; when the first digest is the same as the second digest of the second session key of the server, the client performs encrypted data communication with the server through the first session key, wherein the second session key is generated by the server according to the first random number and the second random number;
  • the server is used to decrypt the session key negotiation request message of the client, obtain the first random number of the client, and verify the first signature of the session key negotiation request message; when verifying the first signature of the session key negotiation request message is successful, the server generates a second session key, and sends a session key response message to the client, wherein the session key response message carries the server's second random number; the server receives the session key confirmation message sent by the client, which contains the first digest of the first session key, and obtains the second digest of the second session key, wherein the second session key is generated according to the first random number and the second random number; when the first digest is the same as the second digest, the server performs encrypted data communication with the client through the second session key.
  • the present application further provides a non-transitory computer-readable storage medium; when the instructions in the storage medium are executed by the processor of the electronic device, the electronic device can execute the steps in the data transmission method based on NB-IoT communication.
  • the present application provides a data transmission method, system and medium based on NB-IoT communication.
  • the data transmission method based on NB-IoT communication includes the following steps: a client sends a session key negotiation request message to a server, wherein the session key negotiation request message carries the first random number of the client; the client decrypts the session key response message fed back by the server, obtains the second random number of the server, and verifies the second signature of the session key response message; when verifying the second signature of the session key response message is successful, the client generates a first session key according to the first random number and the second random number, and sends a session key confirmation message to the server, wherein the session key confirmation message carries the first digest of the first session key; when the first digest is the same as the second digest of the second session key of the server, the client performs encrypted data communication with the server by using the first session key, wherein the second session key is generated by the server according to the first random number and the second random number.
  • This application uses the narrowband Internet of Things to simplify the key exchange algorithm and the data encryption algorithm and data integrity check algorithm based on the domestic commercial encryption algorithm, so that the client and the server can realize two-way authentication and determine the session encryption key through a simple three-message interaction, establish a secure channel, prevent data from being eavesdropped on, tampered with, destroyed, or subjected to insertion and replay attacks during transmission, and ensure the security of data transmission.
  • FIG. 1 is a flowchart of a data transmission method based on NB-IoT communication provided by the present application.
  • FIG. 2 is a structural block diagram of a data transmission system based on NB-IoT communication provided by the present application.
  • FIG. 3 is a structural block diagram of an electronic device provided by the present application.
  • the present application provides a data transmission method, system and medium based on NB-IoT communication.
  • the present application will be further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are only used to explain the present application, but not to limit the present application.
  • FIG. 1 is a flowchart of a data transmission method based on NB-IoT communication.
  • the drug screening method of the embodiment of the present invention is not limited to the steps and sequence in the flowchart shown in FIG. 1 , and steps in the flowchart may be added, removed or changed in sequence according to different requirements.
  • the data transmission method based on NB-IoT communication includes:
  • the client establishes an initial connection to the server.
  • the client acts as a session initiator and the server acts as a session receiver.
  • a session key for encrypted data communication needs to be negotiated.
  • the session key is negotiated between the client and the server to obtain the negotiated session key.
  • before the client establishes session key negotiation, the client needs to establish an initial connection.
  • the initialized connection refers to a network connection, and in this application, the connection is performed based on the form of narrowband Internet of Things, such as dial-up Internet access.
  • when the client establishes the initial connection successfully, it starts session key negotiation, so as to determine the session key for subsequent encrypted data communication.
  • during session key negotiation, if any data is transmitted that is not part of key negotiation, the client's initial connection is closed. Therefore, in order to ensure the accuracy of the session key, no data other than key negotiation data is transmitted until the session key negotiation is completed.
  • after the client establishes the initial connection successfully, the client sends a session key negotiation request message to the server, wherein the session key negotiation request message carries the first random number of the client.
  • the client sends a session key negotiation request to the server; at this time, a random function of the client itself is triggered to generate a first random number r1, and then a session key negotiation request message A is generated according to the first random number r1.
  • the generating the session key negotiation request message based on the first random number specifically includes: using the public key of the server to perform asymmetric encryption on the first random number r1 by using the SM2 algorithm to obtain the first ciphertext ECert2(r1); use the SM3 digest algorithm to calculate the third digest H3(r1) of the first random number r1, that is, use the SM3 digest algorithm to calculate the hash value of the first random number r1; use the client's private key to pair all
  • the server decrypts the session key negotiation request message of the client, obtains the first random number of the client, and verifies the first signature of the session key negotiation request message.
  • the server receives the session key negotiation request message A sent by the client and parses it to obtain the first ciphertext ECert2(r1) and the first signature ESkey1(H3(r1)); since the private key of the server and the public key of the client are paired, the first ciphertext ECert2(r1) is decrypted with the private key of the server by using the SM2 algorithm to obtain the first random number r1. Then, the first signature of the session key negotiation request message is verified to ensure the integrity of the data information and the legitimacy of the client connected to the server.
  • the verifying the first signature of the session key negotiation request message specifically includes: since the client's public key is paired with the server's private key, the client's public key is used to decrypt the first signature ESkey1(H3(r1)) to obtain the third digest H3(r1); at this time, the SM3 digest algorithm is used to recalculate the hash value of the first random number r1 to obtain the fifth digest H5(r1) of the first random number r1; the third digest H3(r1) and the fifth digest H5(r1) are compared; when the third digest H3(r1) and the fifth digest H5(r1) are the same, the verification of the first signature of the session key negotiation request message is successful, that is, the first signature of the client is correct, the client is legal, and the data was not attacked or damaged during transmission, ensuring data integrity; when the third digest H3(r1) is different from the fifth digest H5(r1), the verification of the first signature of the session key negotiation request message is unsuccessful
  • when the server verifies that the first signature of the session key negotiation request message is successful, the server generates a second session key, and sends a session key response message to the client, wherein the session key response message carries the server's second random number.
  • when the server verifies that the first signature ESkey1(H3(r1)) of the client is correct, the server generates a second random number r2 through its own random function and responds to the session key negotiation request message sent by the client; at this time, based on the second random number r2, a session key response message B is generated and sent to the client.
  • the server performs an XOR operation on the second random number r2 and the first random number r1 to generate a second session key, which is then stored in the database.
  • the client decrypts the session key response message fed back by the server, obtains the second random number of the server, and verifies the second signature of the session key response message.
  • the client receives the session key response message B and parses it to obtain the second ciphertext ECert1(r2) and the second signature ESkey2(H4(r2)), then uses the client's own private key to decrypt the second ciphertext ECert1(r2) by using the SM2 algorithm to obtain the second random number r2 of the server.
  • the verifying the second signature of the session key response message specifically includes: using the server's public key to decrypt the second signature ESkey2(H4(r2)) by using the SM2 algorithm, to obtain a fourth digest H4(r2); using the SM3 digest algorithm, recalculate the hash value of the second random number r2 to obtain the sixth digest H6(r2) of the second random number r2; then compare whether the fourth digest H4(r2) and the sixth digest H6(r2) are the same; when the fourth digest H4(r2) and the sixth digest H6(r2) are the same, the verification of the second signature of the session key response message is successful, indicating that the second signature of the server is correct, the server connected to the client is legal, and the transmitted data is complete, not damaged or stolen, etc.; when the fourth digest H4(r2) and the sixth digest H6(r2) are different, the verification of the second signature of the session key response message is unsuccessful, that is, the second signature of the server is incorrect, indicating that the transmitted message B has been destroyed or stolen. At this time, the session key negotiation fails, and a prompt is given to re-run session key negotiation.
  • when the client verifies that the second signature of the session key response message is successful, the client generates a first session key according to the first random number and the second random number, and sends a session key confirmation message to the server, wherein the session key confirmation message carries a first digest of the first session key.
  • the first session key is obtained by performing an XOR operation according to the first random number r1 and the second random number r2
  • the first session key is stored in the database of the client and used for subsequent data communication encryption and decryption. It should be noted that the first session key DK1 of the client and the second session key DK2 of the server are the same.
  • the client needs to send a session key confirmation message C to the server to inform the server that the identity verification of the other party is successful.
  • the client uses the SM3 algorithm to hash the first session key DK1 to obtain the first digest of the session key, then generates the session key confirmation message C from the first digest and sends it to the server.
  • the server receives the first digest of the first session key of the client, regenerates the second digest of the second session key, and sends a session negotiation success message to the client when the first digest is the same as the second digest.
  • the server receives and parses the session key confirmation message C to obtain the first digest. The server then uses the SM3 algorithm to re-hash the stored second session key to obtain the second digest of the second session key DK2, and compares whether the first digest and the second digest are the same, which indicates whether the client and the server have successfully authenticated each other's identities and whether they hold the corresponding session key. When the first digest and the second digest are the same, it indicates that both the client and the server have successfully verified the identity of the other party and both hold the corresponding session key. At this time, the server sends a session key negotiation success message to the client.
  • the server sends a session key negotiation failure message to the client to inform the client to re-initiate the session key negotiation.
  • the client performs encrypted data communication with the server by using the first session key.
  • the client receives the session key negotiation success message fed back by the server, indicating that the client and the server have successfully completed the session negotiation: the client and the server have not only completed two-way authentication and identity authentication, but also hold the corresponding session key, which is used to encrypt subsequent data communication and ensure the security and integrity of the data.
  • the first random number r1 of the client and the second random number r2 of the server are both randomly generated.
  • the key negotiation function of the key algorithm realizes dynamic key negotiation, key replacement, and key destruction. That is to say, the first random number r1 and the second random number r2 of each session key negotiation are different, so the generated session key changes with each session key negotiation, which further ensures data security.
  • after the client of the secure communication protocol establishes key negotiation with the server, it collects client device information, digital certificates, etc., encrypts them with the SM4 algorithm and sends them to the server; the server decrypts the received data and compares it with the client information in the database to complete identity authentication. Therefore, after the session key is negotiated in the communication protocol, both parties use the SM4 algorithm to encrypt and decrypt application-layer data packets during data communication, implementing application-layer data encryption based on the hardware encryption algorithm.
  • the data transmission method based on NB-IoT communication disclosed in this application uses the narrowband Internet of Things to simplify the key exchange algorithm and the data encryption algorithm and data integrity check algorithm based on the domestic commercial cryptographic algorithm, so that the client and the server can realize two-way authentication and determine the session key through a simple three-packet interaction, establish a secure channel, prevent data from being eavesdropped on, tampered with, destroyed, or subjected to insertion and replay attacks during transmission, and ensure the security of data transmission.
  • the implementation of the present application does not need to change the network structure, and does not need to modify the configuration of the firewall and the configuration of the client user.
  • FIG. 2 illustrates a schematic structural diagram of a data transmission system based on NB-IoT communication in the present application.
  • the system 100 may include a client 101 and a server 102.
  • FIG. 2 only shows some components of the system 100, but it should be understood that implementation of all the shown components is not required, and more or fewer components may be implemented instead.
  • the client 101 is configured to send a session key negotiation request message to the server 102, wherein the session key negotiation request message carries the first random number of the client; decrypt the session key response message fed back by the server 102, obtain the second random number of the server 102, and verify the second signature of the session key response message; when the second signature is the same as the signature of the server 102, generate a first session key according to the first random number and the second random number, and send a session key confirmation message to the server 102, wherein the session key confirmation message carries the first digest of the first session key; when the first digest is the same as the second digest of the second session key of the server 102, perform encrypted data communication with the server 102 through the first session key, wherein the second session key is generated by the server 102 according to the first random number and the second random number; specifically, the steps are as in the above-mentioned data transmission method based on NB-IoT communication of the client.
  • the server 102 is used to decrypt the session key negotiation request message of the client 101, obtain the first random number of the client 101, and verify the first signature of the session key negotiation request message;
  • a second session key is generated, and a session key response message is sent to the client terminal 101, wherein the session key response message carries the second random number of the server;
  • the first random number and the second random number are generated; when the first digest is the same as the second digest, data encryption communication is performed with the client 101 through the second session key; specifically, the server
  • the present application also provides an electronic device.
  • the electronic device 1 includes a processor 11 and a memory 22 connected to the processor 11 .
  • FIG. 3 only shows some components of the electronic device 1, but it should be understood that implementation of all illustrated components is not required, and more or fewer components may be implemented instead.
  • the memory 22 may be an internal storage unit of the electronic device 1 , such as the memory of the system 100 , in some embodiments. In other embodiments, the memory 22 may also be an external storage device of the system 100, such as a plug-in U disk equipped on the electronic device 1, a smart memory card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card, flash memory card (Flash Card), etc. Further, the memory 22 may also include both an internal storage unit of the electronic device 1 and an external storage device. The memory 22 is used to store application software and various types of data installed in the electronic device 1 , such as the data transmission program code based on NB-IoT communication, and the like.
  • the memory 22 can also be used to temporarily store data that has been output or is to be output.
  • a data transmission program based on NB-IoT communication is stored on the memory 22, and the data transmission program based on NB-IoT communication can be executed by the processor 11, thereby realizing the data transmission method based on NB-IoT communication in this application, specifically as described in the above method.
  • the processor 11 may be a central processing unit (Central Processing Unit, CPU), a microprocessor, a mobile phone baseband processor or other data processing chips, for running the program codes stored in the memory 22 or processing data, for example, executing the data transmission method based on NB-IoT communication.
  • the present invention also provides a non-transitory computer-readable storage medium, where the computer-readable storage medium stores one or more programs, and the one or more programs can be executed by one or more processors (in this embodiment, the processor) to implement the steps of the data transmission method based on NB-IoT communication, specifically as described in the above method.
  • the storage medium may be a memory, a magnetic disk, an optical disk, or the like.
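
The three-message negotiation described in the embodiment above (request A, response B, confirmation C), simulated end to end as an added example that is not code from the patent or its applicants. Textbook RSA over fixed Mersenne primes stands in for SM2 and SHA-256 stands in for SM3 when the local OpenSSL build lacks it; the 16-byte nonce length and every class and function name are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumed length of r1/r2; the page does not give one


class NegotiationError(Exception):
    """Raised when a handshake message fails decryption or signature checks."""


def toy_keypair(p, q, e=65537):
    # Constructed textbook-RSA pair standing in for an SM2 certificate and
    # private key. Fixed Mersenne primes, no padding: illustration only.
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}


CLIENT_PUB, CLIENT_PRIV = toy_keypair(2**127 - 1, 2**89 - 1)
SERVER_PUB, SERVER_PRIV = toy_keypair(2**107 - 1, 2**61 - 1)


def digest(data):
    # SM3 when the local OpenSSL build exposes it, otherwise SHA-256 stand-in.
    try:
        return hashlib.new("sm3", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()


def seal(nonce, peer_pub, own_priv):
    """Build {ECert(r), ESkey(H(r))}: encrypt r for the peer, sign its digest."""
    cipher = pow(int.from_bytes(nonce, "big"), peer_pub["e"], peer_pub["n"])
    h = int.from_bytes(digest(nonce), "big") % own_priv["n"]
    return {"cipher": cipher, "sig": pow(h, own_priv["d"], own_priv["n"])}


def open_sealed(msg, own_priv, peer_pub):
    """Decrypt r, recover the signed digest, recompute it and compare."""
    m = pow(msg["cipher"], own_priv["d"], own_priv["n"])
    if m.bit_length() > 8 * NONCE_LEN:
        raise NegotiationError("ciphertext does not decrypt to a nonce")
    nonce = m.to_bytes(NONCE_LEN, "big")
    signed = pow(msg["sig"], peer_pub["e"], peer_pub["n"])  # H3 / H4
    recomputed = int.from_bytes(digest(nonce), "big") % peer_pub["n"]  # H5 / H6
    if signed != recomputed:
        raise NegotiationError("signature verification failed")
    return nonce


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    def start(self):
        """Message A: fresh r1, encrypted to the server, signed by the client."""
        self.r1 = secrets.token_bytes(NONCE_LEN)
        return seal(self.r1, SERVER_PUB, CLIENT_PRIV)

    def on_response(self, msg_b):
        """Verify message B, derive DK1 = r1 XOR r2, return message C."""
        r2 = open_sealed(msg_b, CLIENT_PRIV, SERVER_PUB)
        self.dk1 = xor(self.r1, r2)
        return digest(self.dk1)


class Server:
    def on_request(self, msg_a):
        """Verify message A, pick r2, store DK2 = r1 XOR r2, return message B."""
        r1 = open_sealed(msg_a, SERVER_PRIV, CLIENT_PUB)
        r2 = secrets.token_bytes(NONCE_LEN)
        self.dk2 = xor(r1, r2)
        return seal(r2, CLIENT_PUB, SERVER_PRIV)

    def on_confirm(self, msg_c):
        """Message C check: the client's digest of DK1 must equal H(DK2)."""
        return hmac.compare_digest(msg_c, digest(self.dk2))


def negotiate(tamper_b=None):
    """Run A -> B -> C once; tamper_b optionally alters message B in transit."""
    client, server = Client(), Server()
    msg_b = server.on_request(client.start())
    if tamper_b is not None:
        msg_b = tamper_b(msg_b)
    msg_c = client.on_response(msg_b)
    return server.on_confirm(msg_c), client.dk1, server.dk2


if __name__ == "__main__":
    ok, dk1, dk2 = negotiate()
    print("negotiated:", ok, dk1.hex())
    try:
        negotiate(lambda b: {**b, "sig": b["sig"] ^ 1})
    except NegotiationError as exc:
        print("tampered message B rejected:", exc)
```

The SM4-protected data channel that follows a successful negotiation is not modelled here.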

Abstract

The present application discloses a data transmission method and system based on NB-IoT communication, and a medium. In the present application, narrowband Internet of things is used to simplify a cryptographic key exchange algorithm, and a data encryption algorithm and a data integrity testing algorithm that are based on a Chinese-made commercial cryptographic algorithm, allowing a client and a server to achieve bidirectional authentication and determine a session key by means of simple exchange of three messages, establish a secure pathway, and prevent data from being eavesdropped on, distorted, destroyed, or affected by replay attack insertion during the transfer process, thereby guaranteeing secure data transfer.

Description

A data transmission method, system and medium based on NB-IoT communication
Technical field
The present application relates to the technical field of session processing, and in particular to a data transmission method, system and medium based on NB-IoT communication.
Background
SSL (Secure Socket Layer) is a protocol developed by Netscape to secure data transmission over the Internet. It uses data encryption to ensure that data is not intercepted or eavesdropped on while it crosses the network, and it has been widely used for identity authentication and encrypted data transmission between web browsers and servers.
Because the SSL protocol is based on web browsers, it supports B/S applications well, but its support for C/S applications is incomplete. In addition, the SSL protocols that currently support domestic commercial cryptographic algorithms all use a scheme based on the Diffie-Hellman key exchange protocol for key negotiation. The interaction is relatively complex, usually requiring 9 messages to complete two-way authentication, and cannot adapt to the narrowband communication characteristics of an NB-IoT (narrowband Internet of Things) network.
Therefore, the prior art needs to be improved and developed.
Summary of the invention
In view of this, it is necessary to provide a data transmission method, system and medium based on NB-IoT communication, to address the technical problem that in the prior art the interaction for obtaining a session key is complex and does not support narrowband communication.
To achieve the above purpose, the present application adopts the following technical solutions:
In a first aspect, the present application provides a data transmission method based on NB-IoT communication, applied to an NB-IoT network, the method including the following steps:
The client sends a session key negotiation request message to the server, wherein the session key negotiation request message carries the first random number of the client;
The client decrypts the session key response message fed back by the server, obtains the second random number and the second signature of the server, and verifies the second signature of the session key response message;
When verification of the second signature of the session key response message succeeds, the client generates a first session key from the first random number and the second random number, and sends a session key confirmation message to the server, wherein the session key confirmation message carries the first digest of the first session key;
When the first digest is the same as the second digest of the server's second session key, the client performs encrypted data communication with the server using the first session key, wherein the second session key is generated by the server from the first random number and the second random number.
Optionally, generating the session key negotiation request message specifically includes:
Encrypting the first random number with the public key of the server to obtain a first ciphertext;
Calculating a third digest of the first random number using the SM3 digest algorithm;
Encrypting the third digest with the private key of the client to obtain a first signature, wherein the private key of the client is paired with the public key of the server;
Generating the session key negotiation request message based on the first ciphertext and the first signature.
Optionally, verifying the second signature of the session key response message specifically includes:
Decrypting the second signature with the public key of the server to obtain a fourth digest;
Recalculating a sixth digest of the server's second random number using the SM3 digest algorithm;
When the fourth digest is the same as the sixth digest, verification of the second signature of the session key response message succeeds;
When the fourth digest is different from the sixth digest, verification of the second signature of the session key response message fails.
Optionally, both the first session key and the second session key are generated by an XOR operation on the first random number and the second random number.
Optionally, the data transmission method based on NB-IoT communication further includes:
Before the client and the server complete session key negotiation, if any data other than key negotiation data is transmitted between the client and the server, the client disconnects the initial connection with the server.
In a second aspect, the present application also provides a data transmission method based on NB-IoT communication, applied to an NB-IoT network, the method including the following steps:
The server decrypts the session key negotiation request message of the client, obtains the first random number and the first signature of the client, and verifies the first signature of the session key negotiation request message;
When verification of the first signature of the session key negotiation request message succeeds, the server generates a second session key and sends a session key response message to the client, wherein the session key response message carries the second random number of the server;
The server receives the first digest of the first session key in the session key confirmation message sent by the client, and obtains the second digest of the second session key, wherein the first session key is generated by the client from the first random number and the second random number;
When the first digest is the same as the second digest, the server performs encrypted data communication with the client using the second session key.
Optionally, verifying the first signature of the session key negotiation request message specifically includes:
Decrypting the first signature with the public key of the client to obtain a third digest;
Recalculating a fifth digest of the first random number using the SM3 digest algorithm;
When the third digest is the same as the fifth digest, verification of the first signature of the session key negotiation request message succeeds;
When the third digest is different from the fifth digest, verification of the first signature of the session key negotiation request message fails.
Optionally, generating the session key response message specifically includes:
Encrypting the second random number with the public key of the client to obtain a second ciphertext;
Calculating a fourth digest of the second random number using the SM3 digest algorithm;
Encrypting the fourth digest with the private key of the server to obtain a second signature, wherein the private key of the server is paired with the public key of the client;
Generating the session key response message based on the second ciphertext and the second signature.
In a third aspect, the present application also provides a data transmission system based on NB-IoT communication, the system including a client and a server;
The client is configured to send a session key negotiation request message to the server, wherein the session key negotiation request message carries the first random number of the client; the client decrypts the session key response message fed back by the server, obtains the second random number of the server, and verifies the second signature of the session key response message; when verification of the second signature of the session key response message succeeds, the client generates a first session key from the first random number and the second random number, and sends a session key confirmation message to the server, wherein the session key confirmation message carries the first digest of the first session key; when the first digest is the same as the second digest of the server's second session key, the client performs encrypted data communication with the server using the first session key, wherein the second session key is generated by the server from the first random number and the second random number;
The server is configured to decrypt the session key negotiation request message of the client, obtain the first random number of the client, and verify the first signature of the session key negotiation request message; when verification of the first signature of the session key negotiation request message succeeds, the server generates a second session key and sends a session key response message to the client, wherein the session key response message carries the second random number of the server; the server receives the first digest of the first session key in the session key confirmation message sent by the client, and obtains the second digest of the second session key, wherein the first session key is generated by the client from the first random number and the second random number; when the first digest is the same as the second digest, the server performs encrypted data communication with the client using the second session key.
In a fourth aspect, the present application also provides a non-transitory computer-readable storage medium; when the instructions in the storage medium are executed by the processor of an electronic device, the electronic device is enabled to perform the steps of the data transmission method based on NB-IoT communication.
Beneficial effects:
Compared with the prior art, the present application provides a data transmission method, system and medium based on NB-IoT communication. The data transmission method based on NB-IoT communication includes the following steps: the client sends a session key negotiation request message to the server, wherein the session key negotiation request message carries the first random number of the client; the client decrypts the session key response message fed back by the server, obtains the second random number of the server, and verifies the second signature of the session key response message; when verification of the second signature of the session key response message succeeds, the client generates a first session key from the first random number and the second random number, and sends a session key confirmation message to the server, wherein the session key confirmation message carries the first digest of the first session key; when the first digest is the same as the second digest of the server's second session key, the client performs encrypted data communication with the server using the first session key, wherein the second session key is generated by the server from the first random number and the second random number. The present application uses the narrowband Internet of Things, a simplified key exchange algorithm, and a data encryption algorithm and a data integrity check algorithm based on domestic commercial cryptographic algorithms, so that the client and the server can achieve two-way authentication and determine a session key through a simple exchange of three messages, establish a secure channel, prevent data from being eavesdropped on, tampered with, destroyed, or subjected to insertion and replay attacks during transmission, and ensure the security of data transmission.
Description of drawings
FIG. 1 is a flowchart of a data transmission method based on NB-IoT communication provided by the present application.
FIG. 2 is a structural block diagram of a data transmission system based on NB-IoT communication provided by the present application.
FIG. 3 is a structural block diagram of an electronic device provided by the present application.
Detailed description
The present application provides a data transmission method, system and medium based on NB-IoT communication. To make the purpose, technical solution and effect of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present application and are not intended to limit it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural forms. It should be further understood that the word "comprising" used in the specification of the present application refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may also be present. Furthermore, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. The term "and/or" as used herein includes all or any unit and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which the present application belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have meanings consistent with their meanings in the context of the prior art and, unless specifically defined as herein, are not to be interpreted in an idealized or overly formal sense.
Please refer to FIG. 1, which is a flowchart of the data transmission method based on NB-IoT communication. It should be noted that the drug screening method of the embodiments of the present invention is not limited to the steps and sequence in the flowchart shown in FIG. 1; according to different requirements, steps in the flowchart may be added, removed or reordered. As shown in FIG. 1, the data transmission method based on NB-IoT communication includes:
S10. The client establishes an initial connection to the server.
In this embodiment of the present application, the client acts as the session initiator and the server as the session receiver. Before the client and the server exchange data in encrypted form, they need to negotiate the session key used to encrypt that communication. The session key is obtained through session key negotiation between the client and the server. Before the client starts session key negotiation, it needs to establish an initial connection. The initial connection refers to a network connection; in the present application the connection is made over the narrowband Internet of Things, for example by dial-up Internet access.
After the client has successfully established the initial connection, it starts session key negotiation to determine the session key for subsequent encrypted data communication. It should be noted that, if any data other than key negotiation data is transmitted before session key negotiation is complete, the client's initial connection is closed. Therefore, to ensure the correctness of the session key, no data other than key negotiation data is transmitted until session key negotiation is complete.
S20. After the client has successfully established the initial connection, the client sends a session key negotiation request message to the server, wherein the session key negotiation request message carries the first random number of the client.
In this embodiment of the present application, the client sends a session key negotiation request to the server. This triggers the client's own random function to generate a first random number r1, and a session key negotiation request message A is then generated from r1. Specifically, generating the session key negotiation request message based on the first random number includes: performing asymmetric encryption on the first random number r1 with the public key of the server using the SM2 algorithm, to obtain the first ciphertext ECert2(r1); calculating the third digest H3(r1) of the first random number r1 using the SM3 digest algorithm, that is, calculating the hash value of r1 with SM3; performing asymmetric encryption on the third digest H3(r1) with the private key of the client using the SM3 algorithm, to obtain the first signature ESkey1(H3(r1)), wherein the private key of the client is paired with the public key of the server; and, based on the first ciphertext ECert2(r1) and the first signature ESkey1(H3(r1)), generating the session key negotiation request message A = ECert2(r1) ‖ ESkey1(H3(r1)). The session key negotiation request message is then sent to the server.
S30. The server decrypts the session key negotiation request message of the client, obtains the first random number of the client, and verifies the first signature of the session key negotiation request message.
In this embodiment of the present application, the server receives the session key negotiation request message A sent by the client and parses it to obtain the first ciphertext ECert2(r1) and the first signature ESkey1(H3(r1)). Since the private key of the server is paired with the public key of the client, the server decrypts the first ciphertext ECert2(r1) with its own private key using the SM2 algorithm to obtain the first random number r1. It then verifies the first signature of the session key negotiation request message, to ensure the integrity of the data and the legitimacy of the client connecting to the server. Specifically, verifying the first signature of the session key negotiation request message includes: since the public key of the client is paired with the private key of the server, decrypting the first signature ESkey1(H3(r1)) with the public key of the client to obtain the third digest H3(r1); recalculating the hash value of the first random number r1 using the SM3 digest algorithm to obtain the fifth digest H5(r1) of r1; and comparing whether the third digest H3(r1) and the fifth digest H5(r1) are the same. When H3(r1) and H5(r1) are the same, verification of the first signature of the session key negotiation request message succeeds: the client's first signature is correct, the client is legitimate, and the data was not attacked or damaged in transit, which ensures data integrity. When H3(r1) and H5(r1) are different, verification of the first signature fails; in that case the server returns a session key negotiation failure message to the client and prompts the client to re-establish the session key negotiation request.
S40. When the server successfully verifies the first signature of the session key negotiation request message, the server generates a second session key and sends a session key response message to the client, wherein the session key response message carries the second random number of the server.
In this embodiment of the present application, when the server verifies that the client's first signature ESkey1(H3(r1)) is correct, it generates a second random number r2 with its own random function and responds to the session key negotiation request message sent by the client: based on r2, it generates a session key response message B and sends it to the client. In a specific implementation, generating the session key response message includes: performing asymmetric encryption on the second random number r2 with the public key of the client using the SM2 algorithm, to obtain the second ciphertext ECert1(r2); calculating the hash value of r2 using the SM3 digest algorithm to obtain the fourth digest H4(r2) of r2; encrypting the fourth digest H4(r2) with the private key of the server to obtain the second signature ESkey2(H4(r2)); and, based on the second ciphertext ECert1(r2) and the second signature ESkey2(H4(r2)), generating the session key response message B = ECert1(r2) ‖ ESkey2(H4(r2)) and sending it to the client.
At the same time, the server performs an XOR operation on the second random number r2 and the first random number r1 to generate the second session key (Figure PCTCN2021092462-appb-000001), which is then stored in the database.
S50. The client decrypts the session key response message fed back by the server, obtains the second random number of the server, and verifies the second signature of the session key response message.
In this embodiment of the present application, the client receives the session key response message B and parses it to obtain the second ciphertext ECert1(r2) and the second signature ESkey2(H4(r2)). It then decrypts the second ciphertext ECert1(r2) with its own private key using the SM2 algorithm to obtain the server's second random number r2. In a specific implementation, verifying the second signature of the session key response message includes: decrypting the second signature ESkey2(H4(r2)) with the public key of the server using the SM2 algorithm to obtain the fourth digest H4(r2); recalculating the hash value of the second random number r2 using the SM3 digest algorithm to obtain the sixth digest H6(r2) of r2; and comparing whether the fourth digest H4(r2) and the sixth digest H6(r2) are the same. When H4(r2) and H6(r2) are the same, verification of the second signature of the session key response message succeeds, which shows that the server's second signature is correct, the server connected to the client is legitimate, and the transmitted data is complete and has not been damaged or stolen. When H4(r2) and H6(r2) differ, verification of the second signature of the session key response message fails, that is, the server's second signature is incorrect, which indicates that the transmitted message B has been damaged or stolen. In that case session key negotiation fails and the client is prompted to negotiate the session key again.
S60. When the client successfully verifies the second signature of the session key response message, the client generates a first session key from the first random number and the second random number, and sends a session key confirmation message to the server, wherein the session key confirmation message carries the first digest of the first session key.
In this embodiment of the present application, when the client verifies that the server's second signature is correct, it performs an XOR operation on the first random number r1 and the second random number r2 to obtain the first session key (Figure PCTCN2021092462-appb-000002). The first session key is stored in the client's database and used to encrypt and decrypt subsequent data communication. It should be noted that the client's first session key DK1 and the server's second session key DK2 are the same.
After both the client and the server have generated and stored the same session key, the client needs to send a session key confirmation message C to the server, to inform the server that it has successfully verified the other party's identity. At this point, the client hashes the first session key DK1 with the SM3 algorithm to obtain the first digest of the session key (Figure PCTCN2021092462-appb-000003). This first digest (Figure PCTCN2021092462-appb-000004) is used to generate the session key confirmation message C, which is sent to the server.
S70. The server receives the first digest of the client's first session key, regenerates the second digest of the second session key, and, when the first digest is the same as the second digest, sends a session negotiation success message to the client.
In this embodiment of the present application, the server receives and parses the session key confirmation message C to obtain the first digest (Figure PCTCN2021092462-appb-000005). The server then hashes the stored second session key again with the SM3 algorithm to obtain the second digest of the second session key DK2 (Figure PCTCN2021092462-appb-000006). It compares whether the first digest (Figure PCTCN2021092462-appb-000007) and the second digest (Figure PCTCN2021092462-appb-000008) are the same, which indicates whether the client and the server have successfully verified each other's identity and whether they hold the corresponding session key. When the first digest (Figure PCTCN2021092462-appb-000009) and the second digest (Figure PCTCN2021092462-appb-000010) are the same, both the client and the server have successfully verified each other's identity and both hold the corresponding session key; the server then sends a session key negotiation success message to the client. When the first digest (Figure PCTCN2021092462-appb-000011) and the second digest (Figure PCTCN2021092462-appb-000012) are different, either the client and the server have not successfully verified each other's identity or one party does not hold the session key; the server then sends a session key negotiation failure message to the client, to tell the client to initiate session key negotiation again.
S80. The client performs encrypted data communication with the server using the first session key.
In this embodiment of the present application, the client receives the session key negotiation success message fed back by the server, which indicates that the client and the server have successfully completed session negotiation: the client and the server have not only completed two-way authentication and identity authentication, but also hold the corresponding session key, which is used to encrypt subsequent data communication and ensure the security and integrity of the data.
Throughout the session key negotiation process of steps S10-S80, the first random number r1 of the client and the second random number r2 of the server are both randomly generated. The communication protocol therefore implements a key negotiation function between the client and the server based on a dedicated key algorithm, providing dynamic key negotiation, key replacement, key destruction and similar functions. That is, the first random number r1 and the second random number r2 are different for each session key negotiation, and the resulting session key changes with each negotiation, which further ensures data security.
Further, after the client of the secure communication protocol has established key negotiation with the server, it collects client device information, the digital certificate and so on, encrypts them with the SM4 algorithm and sends them to the server; the server decrypts the received data and compares it with the client information in its database, completing the identity authentication process. Thus, once the session key has been negotiated, both parties use the SM4 algorithm to encrypt and decrypt application-layer data messages during data communication, which provides application-layer data encryption based on a hardware cryptographic algorithm.
In summary, the NB-IoT-based data transmission method disclosed in this application simplifies, for use over the narrowband Internet of Things, the key exchange algorithm as well as the data encryption algorithm and data integrity check algorithm based on domestic commercial cryptographic algorithms, so that the client and the server can achieve two-way authentication and determine the session key through a simple exchange of three messages, establishing a secure channel that prevents data from being eavesdropped on, tampered with, destroyed, or subjected to insertion and replay attacks during transmission, and ensures the security of data transmission.
In addition, implementing the present application does not require changing the network structure, modifying the firewall configuration, or modifying the configuration of client users.
Based on the above data transmission method based on NB-IoT communication, the present application also provides a data transmission system based on NB-IoT communication. Refer to FIG. 2, which shows a schematic structural diagram of a data transmission system based on NB-IoT communication according to the present application. The system 100 may include a client 101 and a server 102. FIG. 2 shows only some components of the system 100; it should be understood that implementing all of the illustrated components is not required, and more or fewer components may be implemented instead.
The client 101 is configured to: send a session key negotiation request message to the server 102, wherein the session key negotiation request message carries the first random number of the client; decrypt the session key response message fed back by the server 102 to obtain the second random number of the server 102, and verify the second signature of the session key response message; when the second signature is the same as the signature of the server 102, generate a first session key according to the first random number and the second random number, and send a session key confirmation message to the server 102, wherein the session key confirmation message carries the first digest of the first session key; and, when the first digest is the same as the second digest of the second session key of the server 102, perform encrypted data communication with the server 102 using the first session key, wherein the second session key is generated by the server 102 according to the first random number and the second random number. The details are as described for the client-side steps of the above data transmission method based on NB-IoT communication.
The server 102 is configured to: decrypt the session key negotiation request message of the client 101 to obtain the first random number of the client 101, and verify the first signature of the session key negotiation request message; when the first signature is the same as the signature of the client 101, generate a second session key and send a session key response message to the client 101, wherein the session key response message carries the second random number of the server; receive the first digest of the first session key in the session key confirmation message sent by the client 101, and obtain the second digest of the second session key, wherein the first session key is generated by the client according to the first random number and the second random number; and, when the first digest is the same as the second digest, perform encrypted data communication with the client 101 using the second session key. The details are as described for the server-side steps of the above data transmission method based on NB-IoT communication.
The present application also provides an electronic device. As shown in FIG. 3, the electronic device 1 includes a processor 11 and a memory 22 connected to the processor 11. FIG. 3 shows only some components of the electronic device 1; it should be understood that implementing all of the illustrated components is not required, and more or fewer components may be implemented instead.
In some embodiments, the memory 22 may be an internal storage unit of the electronic device 1, such as the memory of the system 100. In other embodiments, the memory 22 may be an external storage device of the system 100, such as a plug-in USB flash drive, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the electronic device 1. Further, the memory 22 may include both an internal storage unit of the electronic device 1 and an external storage device. The memory 22 is used to store application software installed on the electronic device 1 and various types of data, such as the program code of the data transmission program based on NB-IoT communication. The memory 22 may also be used to temporarily store data that has been output or is about to be output. In one embodiment, a data transmission program based on NB-IoT communication is stored on the memory 22 and can be executed by the processor 11 to implement the data transmission method based on NB-IoT communication of this application, as described in the method above.
In some embodiments, the processor 11 may be a central processing unit (CPU), a microprocessor, a mobile phone baseband processor or another data processing chip, used to run the program code stored in the memory 22 or to process data, for example to execute the data transmission method based on NB-IoT communication.
The present invention also provides a non-transitory computer-readable storage medium storing one or more programs, which can be executed by one or more processors (in this embodiment, the processor described above) to implement the steps of the data transmission method based on NB-IoT communication, as described in the method above.
Of course, those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be carried out by a computer program instructing the relevant hardware (such as a processor or controller). The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium may be a memory, a magnetic disk, an optical disc, or the like.
It should be understood that the application of the present application is not limited to the above examples. Those of ordinary skill in the art can make improvements or modifications based on the above description, and all such improvements and modifications fall within the scope of protection of the claims appended to the present application.

Claims (10)

  1. A data transmission method based on NB-IoT communication, characterized in that it is applied to an NB-IoT network and comprises the following steps:
    the client sends a session key negotiation request message to the server, wherein the session key negotiation request message carries the first random number of the client;
    the client decrypts the session key response message fed back by the server, obtains the second random number and the second signature of the server, and verifies the second signature of the session key response message;
    when verification of the second signature of the session key response message succeeds, the client generates a first session key according to the first random number and the second random number, and sends a session key confirmation message to the server; wherein the session key confirmation message carries the first digest of the first session key;
    when the first digest is the same as the second digest of the second session key of the server, the client performs encrypted data communication with the server using the first session key; wherein the second session key is generated by the server according to the first random number and the second random number.
  2. The data transmission method based on NB-IoT communication according to claim 1, characterized in that generating the session key negotiation request message specifically comprises:
    encrypting the first random number with the public key of the server to obtain a first ciphertext;
    computing a third digest of the first random number using the SM3 digest algorithm;
    encrypting the third digest with the private key of the client to obtain a first signature; wherein the private key of the client is paired with the public key of the server;
    generating the session key negotiation request message based on the first ciphertext and the first signature.
  3. The data transmission method based on NB-IoT communication according to claim 1, characterized in that verifying the second signature of the session key response message specifically comprises:
    decrypting the second signature with the public key of the server to obtain a fourth digest;
    recomputing a sixth digest of the second random number of the server using the SM3 digest algorithm;
    when the fourth digest is the same as the sixth digest, verification of the second signature of the session key response message succeeds;
    when the fourth digest is different from the sixth digest, verification of the second signature of the session key response message fails.
  4. The data transmission method based on NB-IoT communication according to claim 1, characterized in that the first session key and the second session key are both generated by an XOR operation on the first random number and the second random number.
  5. The data transmission method based on NB-IoT communication according to claim 1, characterized in that the method further comprises:
    before the client and the server complete session key negotiation, if data that is not part of key negotiation is transmitted between the client and the server, the client disconnects the initialization connection with the server.
  6. A data transmission method based on NB-IoT communication, characterized in that it is applied to an NB-IoT network and comprises the following steps:
    the server decrypts the session key negotiation request message of the client, obtains the first random number and the first signature of the client, and verifies the first signature of the session key negotiation request message;
    when verification of the first signature of the session key negotiation request message succeeds, the server generates a second session key and sends a session key response message to the client, wherein the session key response message carries the second random number of the server;
    the server receives the first digest of the first session key in the session key confirmation message sent by the client, and obtains the second digest of the second session key; wherein the first session key is generated by the client according to the first random number and the second random number;
    when the first digest is the same as the second digest, the server performs encrypted data communication with the client using the second session key.
  7. The data transmission method based on NB-IoT communication according to claim 6, characterized in that verifying the first signature of the session key negotiation request message specifically comprises:
    decrypting the first signature with the public key of the client to obtain a third digest;
    recomputing a fifth digest of the first random number using the SM3 digest algorithm;
    when the third digest is the same as the fifth digest, verification of the first signature of the session key negotiation request message succeeds;
    when the third digest is different from the fifth digest, verification of the first signature of the session key negotiation request message fails.
  8. The data transmission method based on NB-IoT communication according to claim 6, characterized in that generating the session key response message specifically comprises:
    encrypting the second random number with the public key of the client to obtain a second ciphertext;
    computing a fourth digest of the second random number using the SM3 digest algorithm;
    encrypting the fourth digest with the private key of the server to obtain a second signature; wherein the private key of the server is paired with the public key of the client;
    generating the session key response message based on the second ciphertext and the second signature.
  9. A data transmission system based on NB-IoT communication, characterized in that the system comprises a client and a server;
    the client is configured to send a session key negotiation request message to the server, wherein the session key negotiation request message carries the first random number of the client; the client decrypts the session key response message fed back by the server, obtains the second random number of the server, and verifies the second signature of the session key response message; when verification of the second signature of the session key response message succeeds, the client generates a first session key according to the first random number and the second random number, and sends a session key confirmation message to the server; wherein the session key confirmation message carries the first digest of the first session key; when the first digest is the same as the second digest of the second session key of the server, the client performs encrypted data communication with the server using the first session key; wherein the second session key is generated by the server according to the first random number and the second random number;
    the server is configured to decrypt the session key negotiation request message of the client, obtain the first random number of the client, and verify the first signature of the session key negotiation request message; when verification of the first signature of the session key negotiation request message succeeds, the server generates a second session key and sends a session key response message to the client, wherein the session key response message carries the second random number of the server; the server receives the first digest of the first session key in the session key confirmation message sent by the client, and obtains the second digest of the second session key; wherein the first session key is generated by the client according to the first random number and the second random number; when the first digest is the same as the second digest, the server performs encrypted data communication with the client using the second session key.
  10. A non-transitory computer-readable storage medium, characterized in that, when the instructions in the storage medium are executed by a processor of an electronic device, the electronic device is enabled to perform the steps of the data transmission method based on NB-IoT communication according to any one of claims 1-5, and/or the steps of the data transmission method based on NB-IoT communication according to any one of claims 6-8.
PCT/CN2021/092462 2020-07-31 2021-05-08 Data transmission method and system based on nb-iot communication, and medium WO2022021992A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010763166.4A CN111935712A (en) 2020-07-31 2020-07-31 Data transmission method, system and medium based on NB-IoT communication
CN202010763166.4 2020-07-31

Publications (1)

Publication Number Publication Date
WO2022021992A1 true WO2022021992A1 (en) 2022-02-03

Family

ID=73315606

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/092462 WO2022021992A1 (en) 2020-07-31 2021-05-08 Data transmission method and system based on nb-iot communication, and medium

Country Status (2)

Country Link
CN (1) CN111935712A (en)
WO (1) WO2022021992A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114844720A (en) * 2022-06-06 2022-08-02 湖南五凌电力科技有限公司 Internet of things data encryption transmission method, system, server and client
CN115134177A (en) * 2022-09-02 2022-09-30 国网瑞嘉(天津)智能机器人有限公司 Networking encryption communication method and device, server equipment and terminal equipment
CN115694945A (en) * 2022-10-25 2023-02-03 北京珞安科技有限责任公司 Industrial terminal host maintenance method, system and equipment
CN116055188A (en) * 2023-01-28 2023-05-02 紫光同芯微电子有限公司 Bidirectional authentication method, bidirectional authentication device and bidirectional authentication system for equipment
CN117119449A (en) * 2023-10-20 2023-11-24 长江量子(武汉)科技有限公司 Vehicle cloud safety communication method and system

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935712A (en) * 2020-07-31 2020-11-13 深圳市燃气集团股份有限公司 Data transmission method, system and medium based on NB-IoT communication
CN112822262B (en) * 2021-01-04 2022-11-22 北京知道创宇信息技术股份有限公司 Message processing method and device, message processing equipment and storage medium
CN113242212A (en) * 2021-04-15 2021-08-10 杭州链城数字科技有限公司 Network node bidirectional communication authentication method and device, electronic equipment and storage medium
CN113259096B (en) * 2021-04-27 2021-11-12 江南信安(北京)科技有限公司 Key online negotiation method and system suitable for communication environment of Internet of things
CN114978540A (en) * 2022-05-19 2022-08-30 广西电网有限责任公司电力科学研究院 PMU (phasor measurement Unit) system authentication method based on SM2 algorithm

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1620005A (en) * 2003-11-18 2005-05-25 华为技术有限公司 Method of safety transmitting key
US20100020964A1 (en) * 2007-02-20 2010-01-28 Oki Electric Industry Co., Ltd. Key generation method using quadratic-hyperbolic curve group
US20130195274A1 (en) * 2012-01-27 2013-08-01 Oki Electric Industry Co., Ltd. Commission information generator for making processes on communication performed by another computer
CN103795545A (en) * 2014-02-14 2014-05-14 飞天诚信科技股份有限公司 Safety communication method and system
CN106790278A (en) * 2017-02-21 2017-05-31 中国信息安全测评中心 A kind of mutual authentication method and communication system
CN107493271A (en) * 2017-07-28 2017-12-19 大唐高鸿信安(浙江)信息科技有限公司 Credible and secure network system
CN109005028A (en) * 2018-11-02 2018-12-14 美的集团股份有限公司 Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system
CN110048849A (en) * 2019-03-11 2019-07-23 广东安创信息科技开发有限公司 A kind of session cipher negotiating method of multilayer protection
CN110474898A (en) * 2019-08-07 2019-11-19 北京明朝万达科技股份有限公司 Data encrypting and deciphering and key location mode, device, equipment and readable storage medium storing program for executing
CN111935712A (en) * 2020-07-31 2020-11-13 深圳市燃气集团股份有限公司 Data transmission method, system and medium based on NB-IoT communication

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9350550B2 (en) * 2013-09-10 2016-05-24 M2M And Iot Technologies, Llc Power management and security for wireless modules in “machine-to-machine” communications
CN109561106B (en) * 2018-12-29 2021-06-04 北京工业大学 Ship communication message real-time analysis and filtering method

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114844720A (en) * 2022-06-06 2022-08-02 湖南五凌电力科技有限公司 Internet of things data encryption transmission method, system, server and client
CN114844720B (en) * 2022-06-06 2023-06-02 湖南五凌电力科技有限公司 Method, system, server and client for encrypting and transmitting Internet of things data
CN115134177A (en) * 2022-09-02 2022-09-30 国网瑞嘉(天津)智能机器人有限公司 Networking encryption communication method and device, server equipment and terminal equipment
CN115134177B (en) * 2022-09-02 2022-11-18 国网瑞嘉(天津)智能机器人有限公司 Networking encryption communication method and device, server equipment and terminal equipment
CN115694945A (en) * 2022-10-25 2023-02-03 北京珞安科技有限责任公司 Industrial terminal host maintenance method, system and equipment
CN115694945B (en) * 2022-10-25 2023-05-23 北京珞安科技有限责任公司 Industrial terminal host maintenance method and equipment
CN116055188A (en) * 2023-01-28 2023-05-02 紫光同芯微电子有限公司 Bidirectional authentication method, bidirectional authentication device and bidirectional authentication system for equipment
CN116055188B (en) * 2023-01-28 2023-07-14 紫光同芯微电子有限公司 Bidirectional authentication method, bidirectional authentication device and bidirectional authentication system for equipment
CN117119449A (en) * 2023-10-20 2023-11-24 长江量子(武汉)科技有限公司 Vehicle cloud safety communication method and system
CN117119449B (en) * 2023-10-20 2024-01-19 长江量子(武汉)科技有限公司 Vehicle cloud safety communication method and system

Also Published As

Publication number Publication date
CN111935712A (en) 2020-11-13


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21849951

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21849951

Country of ref document: EP

Kind code of ref document: A1