CN101867530B - Things-internet gateway system based on virtual machine and data interactive method - Google Patents


Info

Publication number
CN101867530B
CN101867530B
Authority
CN
China
Prior art keywords
module
user
data
virtual machine
information
Prior art date
Application number
CN 201010188081
Other languages
Chinese (zh)
Other versions
CN101867530A (en)
Inventor
刘阳
唐宏
姜晓鸿
孙晓楠
宁奔
尹浩
庞辽军
房帅磊
李京英
李红宁
李鹏
杨亮
沈玉龙
裴庆祺
谢敏
马建峰
高鹏
黄洁
Original Assignee
中国人民解放军总参谋部第六十一研究所
中国人民解放军第四军医大学
西安电子科技大学

Abstract

The invention discloses a virtual-machine-based Internet of Things (IoT) gateway system and a data interaction method, which mainly solve the problem of securely integrating an IoT user network with a service provision network. In the system, a virtual machine monitor is built on the hardware layer of the gateway, and a secure virtual machine and a service virtual machine are placed on the virtual machine monitor so as to separate the different functional modules. The secure virtual machine comprises a key management module, an authentication module, an encryption/decryption module, an information processing module and a judgment module; the service virtual machine comprises a multi-network interface module, a user management module, an information management module, a sensing node management module and an information publishing module. Restricted data is transmitted between the virtual machines through a secure data channel in the virtual machine monitor; the secure virtual machine has no external interface, and users can only access the service virtual machine. The invention improves the security of the IoT gateway, reduces the difficulty of integrating the security protocols of the different networks in the IoT, and is suitable for the integration of different networks in the IoT.

Description

Virtual-machine-based Internet of Things gateway system and data interaction method

Technical Field

[0001] The invention belongs to the field of communication technology and concerns the structural design and use of gateways in the Internet of Things (IoT). Specifically, it is an IoT convergence gateway system based on virtual machine technology, together with a method for using it, applied to communication and security where different networks converge within the IoT.

Background

[0002] The concept of the "Internet of Things" builds on the concept of the Internet: it extends the user end to any object, so that objects exchange information and communicate with one another. Wireless sensor networks, RFID networks and the like serve as terminal sensing networks; they interconnect with the existing Internet or wireless communication networks, and through corresponding protocols physical objects are connected to the Internet for information exchange and communication. The Internet of Things originated in research on wireless sensor networks. In 2005 the International Telecommunication Union (ITU) formally proposed the concept of the "Internet of Things".

[0003] The Internet of Things is said to offer "more thorough perception, broader interconnection and deeper intelligence", and the IoT industry is regarded as the next wave of information technology after the computer and communication industries; authoritative bodies predict that the future IoT industry will be 30 times the size of the Internet industry. The IoT can be applied to intelligent identification, positioning, tracking, monitoring and management in many industries and fields, and applications in smart homes, healthcare and environmental monitoring have already begun. With the proposal of concepts such as "Sensing China" and "Smarter Planet", the IoT has entered a phase of accelerated development and is beginning to be applied on a larger scale.

[0004] The "virtual machine" dates back to IBM's VM/370. Virtual machine technology can emulate one or more virtual computers on a single physical computer, and these virtual machines work exactly like real computers. Because virtual machine technology isolates different applications well, it can be used to isolate applications with different security levels, preventing more dangerous applications from adversely affecting applications with higher security requirements. Consequently there has already been some research into and exploration of virtual-machine-based security schemes.

[0005] Existing IoT research has paid little attention to gateway architecture and even less to gateway security architecture. Because the IoT is a multi-network converged structure, some important sensing information will be transmitted over public conventional networks such as the Internet or mobile communication networks, so security is essential to realising the IoT. The gateway occupies the key position of convergence, and its security is therefore very important. If a user's use of services cannot be effectively separated from the security information and security processes inside the gateway, the gateway is very likely to suffer malicious attacks aimed at them. Moreover, because the security protocols of the different networks in the IoT differ, integrating them is difficult. And if the conversion between security protocols cannot be completed on a secure gateway architecture, the security of those protocols is very likely to be greatly reduced.

Summary of the Invention

[0006] To solve the above problems, the invention proposes a virtual-machine-based IoT gateway system and its data interaction method, which effectively isolate security information and security processes from users and external interfaces, improve the security of the gateway, simplify the convergence of the security of the various networks in the IoT, and raise the overall security of the IoT.

[0007] To achieve the above object, the IoT gateway system of the invention comprises a multi-network interface module, an information publishing module, a user management module, an information management module, a sensing node management module, an information processing module, a key management module, an authentication module and an encryption/decryption module. A virtual machine monitor is built on the hardware layer of the gateway, and a secure virtual machine and a service virtual machine are established on the virtual machine monitor. The key management module, authentication module, encryption/decryption module and information processing module are placed in the secure virtual machine; the multi-network interface module, user management module, information management module, sensing node management module and information publishing module are placed in the service virtual machine, so that plaintext, keys, the encryption/decryption process, the authentication process and the information processing process are isolated from users and external interfaces.

[0008] Restricted data is transmitted between the secure virtual machine and the service virtual machine through a secure data channel in the virtual machine monitor. The restricted data consists only of data ciphertext, user data requests, update requests, user identity information, node identity information, and the authentication information of users and nodes.

[0009] The service virtual machine communicates externally through the multi-network interface module; the secure virtual machine has no external communication interface, so users can only access the service virtual machine and cannot access the secure virtual machine.

[0010] The secure virtual machine contains a judgment module that determines whether there is a user data request, an alarm request from a sensing node, or an update request. When there is an update request, it notifies the sensing node management module in the service virtual machine to send a data update request to the sensing nodes; when there is a user data request or a sensing node alarm request, it sends the user identity IDu to the encryption/decryption module and asks it to encrypt the information temporarily stored in the secure virtual machine.

[0011] To achieve the above object, the virtual-machine-based IoT gateway data interaction method of the invention comprises the following steps:

[0012] (1) A user accesses the gateway through the multi-network interface module. The user management module obtains the user's network information Field through the multi-network interface module and sends the user's authentication information to the authentication module of the secure virtual machine, which verifies the user's identity authentication information and returns the result to the user management module. If the authentication information verifies correctly, the user is authenticated and the user management module forwards the user's instruction, identity IDu and network information Field to the information management module; otherwise the user is refused service;

[0013] (2) The information management module configures itself according to the control information in the user's instruction, sends the data request in the instruction together with the user identity IDu to the judgment module of the secure virtual machine through the secure data channel, and sends data update requests to the judgment module periodically at the time configured by the user;

[0014] (3) The judgment module generates a notification requiring the encryption/decryption module to encrypt data according to whether there is a data request or an alarm request. If there is none, the data temporarily stored in the secure virtual machine is not encrypted. If there is one, it generates the notification requiring the encryption/decryption module to encrypt the data temporarily stored in the secure virtual machine, and then handles updating of the stored data according to whether there is an update request: if there is no update request, it sends the generated notification and the user identity IDu involved in the request to the encryption/decryption module; if there is an update request, it notifies the sensing nodes to update their data through the sensing node management module;

[0015] (4) After receiving the notification from the judgment module, the encryption/decryption module looks up the user communication key Kut in the key management module according to the received user identity IDu, encrypts the data temporarily stored in the virtual machine with Kut, and then sends the data ciphertext to the information management module through the secure data channel;

[0016] (5) The information management module sends the data ciphertext, the user's network information Field and the user identity IDu to the information publishing module, which selects the sending network through the multi-network interface module according to the user's identity IDu and network information Field and sends the data ciphertext to the user;

[0017] (6) When a sensing node receives the data update request of step (3) or senses an event, it accesses the sensing node management module through the multi-network interface module. The sensing node management module sends the sensing node's authentication information to the authentication module of the secure virtual machine, which verifies the node's identity authentication information and returns the result to the sensing node management module. If the identity information verifies correctly, authentication is considered successful and the information data ciphertext and the sensing node identity IDn are sent to the encryption/decryption module of the secure virtual machine; otherwise the sensing node's data is refused;

[0018] (7) After receiving the data ciphertext, the encryption/decryption module looks up the sensing node communication key Knt in the key management module according to the sensing node identity IDn, decrypts the ciphertext with Knt, and sends the data plaintext to the data processing module;

[0019] (8) The data processing module fuses the data plaintext and processes the fused data into a standardized data format convenient for users, then acts according to whether it is alarm information: if it is, it temporarily stores the processed data, sends an alarm request to the judgment module and returns to step (3); if it is not, it sends no alarm request, temporarily stores the processed data and returns to step (3).

[0020] The invention has the following advantages:

[0021] 1) Because the invention proposes a virtual-machine-based IoT gateway architecture in which a service virtual machine and a secure virtual machine are established on a virtual machine monitor, plaintext, keys, data processing, the encryption/decryption process and the authentication process are isolated from users and external interfaces, guaranteeing that users and external programs cannot directly access the secure virtual machine, which improves security;

[0022] 2) Because the invention uses an isolated architecture, the user equipment network and the sensing node network are not required to use the same cryptographic algorithms and protocols; the conversion between specific security protocols is carried out securely inside the gateway of the invention, which simplifies the integration of security protocols across different networks and suits the multi-network convergence that characterises the IoT;

Brief Description of the Drawings

[0023] Figure 1 is a schematic diagram of the application scenario of the invention;

[0024] Figure 2 is a schematic diagram of the structure of the virtual-machine-based IoT gateway system of the invention;

[0025] Figure 3 is a flowchart of the virtual-machine-based IoT gateway data interaction method of the invention.

Detailed Description

[0026] The scenario to which the invention applies is shown in Figure 1. The virtual-machine-based IoT gateway system sits between the service provision network of the IoT and a communication network such as the Internet or a mobile communication network. The service provision network, such as a wireless sensor network or an RFID network, contains a large number of sensing nodes, while users communicate mainly through the Internet or a mobile communication network. The IoT gateway communicates with the sensing nodes of the service provision network through the multi-network interface module and accesses the Internet or the mobile communication network through the same module; users access the Internet or the mobile communication network through their respective access networks and communicate with the IoT gateway.

[0027] The many sensing nodes in the service provision network each sense events within their own geographical range and send the sensing data to the IoT gateway. The gateway converts data frame formats and security protocols between the different networks, fuses the data and processes it into a standardized format. It then selects a suitable network interface according to the user's network and sends the encrypted data to users who have been authenticated by the gateway.

[0028] The invention proposes a virtual-machine-based IoT gateway system and a virtual-machine-based IoT gateway data interaction method.

[0029] Referring to Figure 2, in the virtual-machine-based IoT gateway system of the invention a virtual machine monitor is built on the hardware layer of the IoT gateway, and two virtual machines, a secure virtual machine and a service virtual machine, are built on the virtual machine monitor. Each virtual machine contains its own functional modules. The internal modules of the two virtual machines are isolated from each other and can exchange only restricted data through the secure data channel in the virtual machine monitor; this data consists only of data ciphertext, user data requests, update requests, user identity information, node identity information, and the authentication information of users and nodes.

[0030] The service virtual machine is mainly responsible for managing the multiple networks, managing users and sensing nodes, and publishing information. It is the virtual machine that users access directly, and it owns the external interfaces. Its modules are the multi-network interface module, user management module, sensing node management module, information management module and information publishing module. The multi-network interface module implements the protocols of, and connectivity to, the multiple networks. The user management module manages the gateway's users, authenticating them with the help of the authentication module of the secure virtual machine and forwarding the instructions received from them. The sensing node management module manages the sensing nodes, authenticating them with the help of the authentication module of the secure virtual machine and forwarding the data ciphertext they send to the secure virtual machine. The information management module manages information: according to the user's instructions it sends user data requests and update requests to the judgment module in the secure virtual machine, and it receives the ciphertext sent by the secure virtual machine. The information publishing module selects a suitable network according to the user's network information and publishes the data ciphertext to the user.

[0031] The secure virtual machine is mainly responsible for managing and storing keys and data plaintext. Users are forbidden to access it, and it has no external interface. Its modules are the key management module, encryption/decryption module, authentication module, information processing module and judgment module. The key management module manages keys, storing and looking up the communication keys and authentication keys of users and sensing nodes. The encryption/decryption module performs encryption and decryption with the user communication key or the sensing node communication key. The authentication module verifies the identity authentication information of the sensing nodes and users that connect, using the authentication keys of the users and sensing nodes. The information processing module fuses and standardizes information and generates alarm requests. The judgment module notifies the encryption/decryption module to encrypt according to user data requests and alarm requests, and notifies the sensing node management module to have the sensing nodes update their data according to update requests.

[0032] Referring to Figure 3, the data interaction method of the virtual-machine-based IoT gateway system of the invention comprises the following steps:

[0033] Step 1: user access authentication and instruction sending.

[0034] (1a) The user connects through the multi-network interface module and sends a user instruction and identity authentication information to the user management module;

[0035] (1b) The user management module sends the user's authentication information to the authentication module through the secure data channel;

[0036] (1c) The authentication module looks up the Kui corresponding to the identity IDu claimed in the authentication information in the key management module, verifies the identity authentication information and sends the result to the user management module;

[0037] (1d) The user management module acts on the verification result: if the authentication information verifies correctly, the user is considered authenticated and the user identity IDu, the user's network information Field and the user's instruction are sent to the information management module; if the identity information fails verification, user authentication is considered to have failed and the user management module refuses service to the user.

[0038] Step 2: the information management module acts on the user instruction.

[0039] (2a) The information management module configures the update time of the user data request according to the control information in the user instruction, and sends update requests to the judgment module according to the configured update time;

[0040] (2b) The information management module stores the user identity IDu and the user's network information Field;

[0041] (2c) The information management module sends the data request in the instruction and the user identity IDu to the judgment module of the secure virtual machine through the secure data channel.

[0042] Step 3: the judgment module generates a notification requiring the encryption/decryption module to encrypt data, according to data requests or alarm requests.

[0043] The judgment module generates a notification requiring the encryption/decryption module to encrypt data according to whether, at the current moment, there is a user data request from the information management module or an alarm request from the data processing module. If neither a user data request nor an alarm request exists, the data temporarily stored in the virtual machine is not processed and the method proceeds to step 4. If either exists, the user identity IDu involved in that user data request or alarm request is obtained, the notification requiring the encryption/decryption module to encrypt is generated, and the method proceeds to step 4.

[0044] Step 4: the judgment module updates data according to update requests.

[0045] The judgment module in the secure virtual machine decides whether to update the data temporarily stored in the secure virtual machine according to whether, at the current moment, there is an update request from the information management module. If there is an update request, it sends the update request to the sensing node management module and the method proceeds to step 8. If there is no update request, the notification from step 3 requiring the encryption/decryption module to work, together with the user identity IDu involved, is sent to the encryption/decryption module and the method proceeds to step 5; if at this point there is no pending notification requiring the encryption/decryption module to work, the method returns to step 3.

[0046] Step 5: the encryption/decryption module encrypts the data temporarily stored in the virtual machine.

[0047] After receiving the notification from the judgment module, the encryption/decryption module in the secure virtual machine looks up the corresponding user communication key Kut in the key management module according to the user identity IDu involved, encrypts the data temporarily stored in the secure virtual machine that the user requested, and sends the encrypted data and the user identity IDu to the information management module through the secure data channel.

[0048] Step 6: the information management module forwards the data ciphertext and user information to the information publishing module.

[0049] (6a) After receiving the data ciphertext and the corresponding user identity IDu from the secure virtual machine, the information management module looks up the user's network information Field by IDu;

[0050] (6b) The information management module sends the user identity IDu, the user's network information Field and the data ciphertext to the information publishing module.

[0051] Step 7: the information publishing module selects a suitable network interface in the multi-network interface module according to the user identity IDu and the user's network information Field, and sends the data ciphertext to the user.

[0052] Step 8: after receiving the update request sent by the judgment module in step 4, the sensing node management module sends an instruction to the sensing nodes requiring them to update their data.

[0053] Step 9: sensing node access authentication and sensing data ciphertext sending.

[0054] (9a) When a sensing node receives the data update request of step 8 or senses an event, it sends the ciphertext of the sensing data and the sensing node's identity authentication information to the node management module;

[0055] (9b) The node management module sends the sensing node's identity authentication information to the authentication module in the secure virtual machine through the secure data channel;

[0056] (9c) The authentication module looks up the authentication key Kni in the key management module according to the IDn claimed in the sensing node's authentication information, verifies the identity authentication information and sends the result to the sensing node management module;

[0057] (9d) The sensing node management module acts on the verification result: if the identity authentication information fails verification, the sensing node's authentication is considered to have failed and the data from the sensing node is refused; if it verifies correctly, the node is considered authenticated and the sensing node identity IDn and the data ciphertext are sent to the secure virtual machine through the secure data channel.

[0058] Step 10: the encryption/decryption module decrypts the data ciphertext sent by the sensing node.

[0059] After receiving the data ciphertext from the sensing node management module, the encryption/decryption module inside the secure virtual machine looks up the corresponding sensing node communication key Knt in the key management module according to the sensing node identity IDn, decrypts the data ciphertext with Knt, and sends the resulting plaintext data to the information processing module.

[0060] Step 11: the information processing module processes the plaintext data.

[0061] (11a) The information processing module fuses the plaintext data produced in Step 10 and converts the fused data into a standardized data format that is convenient for users;

[0062] (11b) The information processing module sends an alarm request to the judgment module depending on whether the processed data contains alarm information. If there is alarm information, it sends an alarm request to the judgment module, temporarily stores the processed data in the secure virtual machine, and proceeds to Step 3, where the judgment is made before publishing; if there is no alarm information, no alarm request is sent to the judgment module, the processed data is temporarily stored in the secure virtual machine, and the procedure proceeds to Step 3.

[0063] Description of symbols

[0064] IDu: user identity information

[0065] IDn: sensing node identity information

[0066] Field: information on the network the user is located in

[0067] Kui: user authentication key

[0068] Kni: sensing node authentication key

[0069] Kut: user communication key

[0070] Knt: sensing node communication key.
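The sensing node path of Steps 9 to 11 (authenticate under Kni, decrypt under Knt, hold plaintext only inside the secure virtual machine) and the user data path of claim 2 steps (3) to (5) (encrypt under Kut and hand only ciphertext to the service virtual machine), modelled as an added Python example that is not code from the patent. The cipher, the message layout, the key sizes and the class names SecureVM, ServiceVM and SecureDataChannel are assumptions; the patent specifies none of them, only which kinds of data may cross the secure data channel.

```python
import hashlib
import hmac
import os
# Message kinds that claim 1 permits across the VMM's secure data channel.
ALLOWED_KINDS = {"data_ciphertext", "user_data_request", "update_request",
                 "user_identity", "node_identity", "auth_info"}

def _keystream(key, nonce, n):
    # Stand-in cipher (an assumption; the patent names none): HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):   # encrypt-then-MAC; returns nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class SecureVM:
    # Key management, authentication, encryption/decryption and information processing;
    # no external interface, so handle() is reachable only through the channel.
    def __init__(self, Kni, Knt, Kut):
        self.Kni, self.Knt, self.Kut = Kni, Knt, Kut   # key management module
        self._store = {}   # plaintext held temporarily by information processing
    def handle(self, kind, payload):
        if kind == "auth_info":           # authentication module, step (9c)
            idn, nonce, tag = payload
            key = self.Kni.get(idn, b"")
            calc = hmac.new(key, idn.encode() + nonce, hashlib.sha256).digest()
            return bool(key) and hmac.compare_digest(calc, tag)
        if kind == "data_ciphertext":     # steps 10 and (11a); plaintext stays here
            idn, blob = payload
            self._store[idn] = decrypt(self.Knt[idn], blob).decode()
            return True
        if kind == "user_data_request":   # judgment + encryption under Kut, claim 2 (3)-(4)
            report = "\n".join(f"{n}:{v}" for n, v in sorted(self._store.items()))
            return encrypt(self.Kut[payload], report.encode())
        raise NotImplementedError(kind)   # update_request and the rest are omitted

class SecureDataChannel:
    # VMM channel: refuses any message kind outside the restricted set.
    def __init__(self, secure_vm):
        self._vm = secure_vm
    def send(self, kind, payload):
        if kind not in ALLOWED_KINDS:
            raise PermissionError(f"{kind!r} may not cross the secure data channel")
        return self._vm.handle(kind, payload)

class ServiceVM:
    # User- and node-facing side; holds no keys and never sees plaintext.
    def __init__(self, channel):
        self.channel = channel
    def receive_from_node(self, idn, nonce, tag, blob):   # steps (9a)-(9d)
        if not self.channel.send("auth_info", (idn, nonce, tag)):
            return "rejected"                             # node authentication failed
        self.channel.send("data_ciphertext", (idn, blob))
        return "accepted"
    def user_request(self, idu):                          # claim 2 steps (2)-(5)
        return self.channel.send("user_data_request", idu)

def sensing_node_message(idn, kni, knt, reading):
    # Sensing node side of step (9a): authenticator under Kni, reading under Knt.
    nonce = os.urandom(16)
    tag = hmac.new(kni, idn.encode() + nonce, hashlib.sha256).digest()
    return idn, nonce, tag, encrypt(knt, reading.encode())
```

A gateway is assembled as ServiceVM(SecureDataChannel(SecureVM(Kni, Knt, Kut))); the service side can only forward authenticators and ciphertext, and a request for any other kind, such as the plaintext store, is refused by the channel.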

Claims (2)

1. An Internet of Things gateway system based on virtual machine technology, comprising a multi-network interface module, an information publishing module, a user management module, an information management module, a sensing node management module, an information processing module, a key management module, an authentication module and an encryption/decryption module, characterized in that: a virtual machine monitor is built on the hardware layer of the gateway, and a secure virtual machine and a service virtual machine are established on the virtual machine monitor; each of the two virtual machines contains its own functional modules; the internal modules of the two virtual machines are isolated from each other and can exchange only restricted data through the secure data channel inside the virtual machine monitor, this data consisting only of data ciphertext, user data requests, update requests, user identity information, node identity information, and the authentication information of users and nodes; the service virtual machine is responsible for managing the multiple networks, managing users and sensing nodes, and publishing information; it is the virtual machine that users access directly and it has external interfaces; the service virtual machine comprises the multi-network interface module, the user management module, the sensing node management module, the information management module and the information publishing module; the secure virtual machine is responsible for managing and storing keys and plaintext data; it is a virtual machine to which user access is forbidden and it has no external interface; the secure virtual machine comprises the key management module, the encryption/decryption module, the authentication module, the information processing module and a judgment module, the judgment module being used to judge whether there is a user data request, a sensing node alarm request or an update request; when there is an update request, it notifies the sensing node management module in the service virtual machine to send a data update request to the sensing node; when there is a user data request or a sensing node alarm request, it sends the user identity IDu to the encryption/decryption module and requires it to encrypt the information temporarily stored in the secure virtual machine; the key management module, the authentication module, the encryption/decryption module and the information processing module are arranged in the secure virtual machine, and the multi-network interface module, the user management module, the information management module, the sensing node management module and the information publishing module are arranged in the service virtual machine, so as to isolate the plaintext, the keys, the encryption/decryption process, the authentication process and the information processing process from users and external interfaces.
2. A data interaction method for an Internet of Things gateway based on a virtual machine, in which a virtual machine monitor is built on the hardware layer of the Internet of Things gateway and two virtual machines, a secure virtual machine and a service virtual machine, are built on the virtual machine monitor; each of the two virtual machines contains its own functional modules; the internal modules of the two virtual machines are isolated from each other and can exchange only restricted data through the secure data channel inside the virtual machine monitor, this data consisting only of data ciphertext, user data requests, update requests, user identity information, node identity information, and the authentication information of users and nodes; the service virtual machine is responsible for managing the multiple networks, managing users and sensing nodes, and publishing information; it is the virtual machine that users access directly and it has external interfaces; the modules it comprises are the multi-network interface module, the user management module, the sensing node management module, the information management module and the information publishing module; the secure virtual machine is responsible for managing and storing keys and plaintext data; it is a virtual machine to which user access is forbidden and it has no external interface; the modules it comprises are the key management module, the encryption/decryption module, the authentication module, the information processing module and the judgment module; the data interaction comprises the following steps:
(1) The user accesses the gateway through the multi-network interface module; the user management module obtains the user's network information Field via the multi-network interface module and sends the user's authentication information through the secure data channel to the authentication module of the secure virtual machine; the authentication module of the secure virtual machine verifies the user's identity authentication information and sends the verification result through the secure data channel to the user management module; if the user's authentication information verifies correctly, the user is successfully authenticated and the user identity IDu, the user's network information Field and the user's instruction are sent to the information management module, otherwise the user is refused service;
(2) The information management module configures the update time of the user data request according to the control information in the user's instruction and sends update requests to the judgment module according to the configured update time; the information management module stores the user identity IDu and the user's network information Field; the information management module sends the data request contained in the instruction and the user identity IDu through the secure data channel to the judgment module of the secure virtual machine;
(3) The judgment module generates, depending on whether there is a data request or an alarm request, a notification requiring the encryption/decryption module to encrypt data; if there is no request, the data temporarily stored in the secure virtual machine is not encrypted; if there is a request, a notification requiring the encryption/decryption module to encrypt the data temporarily stored in the secure virtual machine is generated, and at this point the temporarily stored data is updated depending on whether there is an update request: if there is no update request, the generated notification and the user identity IDu involved in the request are sent to the encryption/decryption module; if there is an update request, the sensing node is notified through the sensing node management module to update its data;
(4) After receiving the notification from the judgment module, the encryption/decryption module looks up the user communication key Kut in the key management module according to the received user identity IDu, encrypts the data temporarily stored in the virtual machine with Kut, and then sends the data ciphertext through the secure data channel to the information management module;
(5) The information management module sends the data ciphertext, the user's network information Field and the user identity IDu to the information publishing module; the information publishing module selects the sending network through the multi-network interface module according to the user identity IDu and the network information Field, and sends the data ciphertext to the user;
(6) When a sensing node receives the data update request of step (3) or senses an event, it accesses the sensing node management module through the multi-network interface module; the sensing node management module sends the sensing node's identity authentication information through the secure data channel to the authentication module of the secure virtual machine; the authentication module of the secure virtual machine verifies the sensing node's identity authentication information and sends the verification result through the secure data channel to the sensing node management module; if the sensing node's identity authentication information verifies correctly, authentication is considered successful and the data ciphertext and the sensing node identity IDn are sent through the secure data channel to the encryption/decryption module of the secure virtual machine, otherwise the sensing node's data is refused;
(7) After receiving the data ciphertext, the encryption/decryption module looks up the sensing node communication key Knt in the key management module according to the sensing node identity IDn, decrypts the data ciphertext with Knt, and sends the plaintext data to the information processing module;
(8) The information processing module fuses the plaintext data, converts the fused data into a standardized data format that is easy for users to use, and then acts according to whether it is alarm information: if it is alarm information, the processed data is temporarily stored and an alarm request is sent to the judgment module, returning to step (3); if it is not alarm information, no alarm request is sent, the processed data is temporarily stored, and the method returns to step (3).
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010188081 CN101867530B (en) 2010-05-31 2010-05-31 Things-internet gateway system based on virtual machine and data interactive method

Publications (2)

Publication Number Publication Date
CN101867530A (en) 2010-10-20
CN101867530B (en) 2012-10-24

Family

ID=42959099

Country Status (1)

Country Link
CN (1) CN101867530B (en)

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted