A trust-based Internet of Things data security system
Technical field
The present invention relates to the field of the Internet of Things, and in particular to an Internet of Things data security system.
Background art
Trust management for the Internet of Things has attracted the attention of many researchers, and many trust management systems have been proposed. These systems, however, have many limitations: they cannot meet the limited energy budget of Internet of Things devices and, more importantly, they cannot scale to a large Internet of Things. To our knowledge, Internet of Things trust management has not considered the utilization of resources and energy, nor reliability.
The GTMS proposed by Shaikh et al., compared with traditional trust frameworks, focuses on calculating the trust value of individual nodes; its advantage is that each node needs only a small memory space. However, it relies on a broadcast-based strategy to collect information for the cluster head, which requires a large amount of resources and energy.
Bao et al. propose HTMP, a hierarchical trust management scheme that considers two kinds of trust value, social trust and quality-of-service trust. Trust values are obtained based on node location, but the amount of computation on each node is too large, which is impractical for an Internet of Things implementation.
TCHEM, proposed by Crosby et al., is a trust mechanism based on cluster head election; in this scheme each node has a unique ID. The method reduces the chance that a captured node becomes a cluster head node, but because no trust management is introduced it does not cover the details of trust values.
Boukerche et al. propose ATRM, an agent- and recommendation-based trust and reputation management framework in which a mobile agent manages local trust and reputation, so that trust computation and propagation execute without time delay. It assumes that the mobile agent is resilient to malicious nodes attempting to steal or modify its information; in many applications this assumption is unrealizable.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the existing defects and to provide a trust-based Internet of Things data security system with low communication overhead: only a few bits are needed to transmit trust values between nodes, which saves transmission and saves energy.
To solve the above technical problem, the invention provides the following technical solution:
The invention provides a trust-based Internet of Things data security system composed of an Internet of Things network platform, center-side security equipment and a network management service center. The Internet of Things network platform is composed of three levels: a wireless personal area network at the bottom, a WiMAX wireless network in the middle layer and a metropolitan area network at the upper layer; the metropolitan area network communicates with the center-side security equipment and the network management service center.
Further, the wireless personal area network is composed of multiple independent domain networks, each of which contains a coordinator.
Further, an independent domain network is composed of a coordinator and 1 to 1024 sensors, and the 1 to 1024 sensors are neighbor nodes that route for each other.
Further, the coordinator is the main control device of a domain network. The coordinator and 1024 sensors form an independent domain network that operates in the 2.4 GHz band and complies with the IEEE 802.15.4 protocol and the ZigBee Pro network protocol. The 1024 sensors can route for each other; through network calculation a message may be relayed over up to 5 hops, extending the transmission distance to up to 300 meters with an information transmission delay of less than 2 seconds. Each sensor's information reaches the coordinator either through the relay routing function or directly (when the path is clear), and is then delivered to the WiMAX wireless network. The sensor terminal is normally in a dormant state; when a sensing signal occurs, the sensor device wakes automatically and switches to the transmitting operating state. Sensing signals are sent with a yellow or red classification, and red sensing signals are forced to be sent with priority; after decryption by the central cipher machine they are sent to the corresponding department for processing. To realize digital encryption of the sensed information, the sensed data must first be digitized, that is, the analog signal is converted into a digital signal by A/D conversion of the sensing signal, and the CPU master control chip reads and writes the sensed data; after the security module encrypts the sensed data, the radio frequency (RF) transceiver transmits and receives the encrypted data.
Further, the sensor comprises a sensing device, a CPU and radio frequency (RF) transceiver, a security module and an antenna, wherein the CPU and RF transceiver are connected to the sensing device, the security module and the antenna respectively.
The chip of the security module stores identity-based device authentication key data, main information and key management information. The security module is provided with an encryption protection mechanism and anti-tamper measures for its information, so that third parties cannot read the internal information of the security module and its internal data cannot be tampered with or counterfeited. After the user obtains a secure sensor, the sensed data transmission function can be realized.
The sensor adopts a standardized design, making it a universal standard secure sensor device: simply changing the sensing device realizes detection and control of different sensed information and secure transmission of that information.
The WiMAX wireless network is composed of a number of CPEs (indoor/outdoor terminal equipment) and aggregation base stations.
Further, the coordinator of an independent domain network communicates with the aggregation base station through a CPE, and the aggregation base station connects to the metropolitan area network.
Further, the CPE is arranged within 2.5 kilometers of the coordinator.
Further, the CPE is arranged within an 8 kilometer radius of the aggregation base station.
The WiMAX wireless network operates in the 5.8 GHz band and complies with the IEEE 802.16 protocol. This network performs the coverage and collection of sensor information: sensor information from coordinators within a 1.5 kilometer range is first received by an indoor or outdoor CPE unit (indoor/outdoor terminal equipment) and delivered to the WiMAX base station; the WiMAX base station receives and collects CPE data within a 5 kilometer range and delivers the sensor information to the metropolitan area network; the metropolitan area network is the existing municipal fiber optic communication network, which sends the sensor information to the security control center, where it is decrypted by the central cipher machine, and the decrypted information is delivered to the corresponding department for processing.
The center-side security equipment and network management service center comprise a central cipher machine, an authentication key management center, a data server, a secure database and PC terminals.
The authentication key management center is an authoritative department and also a third-party authentication department. It provides unified management and is responsible for producing and distributing the keys of all sensor terminals, for key management and for identity-based device authentication management, ensuring the uniqueness and correctness of each sensor user's key. The authentication key management center also has the authority of centralized management, off-line distribution, and regular and irregular on-line key replacement. The key management center (KMC) implements the production, registration, certification, distribution, installation, storage, archiving and destruction of key material, and manages keys according to the security policy. The identity-based key content is not only stored in a distributed manner inside the sensor security modules but also stored in the KMC; when purchasing a secure sensor, the sensor device should be obtained under a "real-name system" from the designated key authentication management center.
The central cipher machine, in order to decrypt concurrent data from a massive number of sensor terminals, adopts a high-performance, high-speed cipher machine device based on a data-stream encryption and decryption processing mechanism, realizing synchronous decryption of massive data streams. In the upper-layer calls, the encryption scheduling algorithm is optimized and multithreading is adopted to realize legitimacy detection for the authentication of massive low-speed sensor data and devices, as well as decryption of sensor terminal data.
The secure database service system is configured with hierarchical security measures such as a classified rights management mechanism, secure key storage, key destruction, device authentication, access control, and backup and recovery. The system adopts a separation-of-powers mechanism in rights management: a database administrator and a security officer are set up and must act jointly to read sensitive data. An audit administrator is also introduced, who audits access to sensitive information and the behavior of the security officer and database users, ensuring the security of sensitive data.
Further, when the center-side security equipment and network management service center connect to the metropolitan area network, an isolator, a firewall device and a vulnerability scanning and intrusion detection module must be connected.
The network management service center provides monitoring and maintenance for Internet of Things network operation, wireless communication equipment maintenance, sensor device maintenance, on-line management and automatic management of equipment.
The trust-based Internet of Things data security system provided by the invention, according to the characteristics of the Internet of Things, designs a brand-new Internet of Things network architecture that reduces investment and construction cost and realizes Internet of Things network security technology. The system establishes security protection measures successively from the inside out, mainly reflected in terminal security, communication security, application security and security management, and deploys a multi-level, efficient security system for the confidentiality, integrity, authenticity and non-repudiation of data, both in security mechanisms and in management.
Brief description of the drawings
The accompanying drawings are provided for a further understanding of the present invention and form a part of the specification; together with the embodiments of the present invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a schematic block diagram of the Internet of Things network architecture with the security system of the present invention;
Fig. 2 is a schematic diagram of the composition of an independent domain network of the present invention;
Fig. 3 is a schematic diagram of the composition of a sensor of the present invention;
Fig. 4 is a schematic diagram of the Internet of Things wireless personal area network architecture of the present invention;
Fig. 5 is a connection diagram of the Internet of Things security equipment, isolator and firewall of the present invention;
Fig. 6 is a schematic block diagram of the composition of the center-side security equipment and network management service center of the present invention.
Reference numerals: 101 - sensor; 103 - wireless personal area network; 104 - WiMAX wireless network; 105 - metropolitan area network; 106 - center-side security equipment and network management service center; 202 - central cipher machine; 203 - authentication key management center; 204 - data server; 205 - secure database; 206 - PC network terminal; 302 - aggregation base station; 303 - CPE; 305 - coordinator; 402 - isolator; 403 - firewall device; 404 - vulnerability scanning and intrusion detection module; 501 - sensing device; 502 - CPU and radio frequency (RF) transceiver; 503 - security module; 504 - antenna.
Detailed description of the embodiments
The preferred embodiments of the present invention are described below with reference to the accompanying drawings; it should be understood that the preferred embodiments described herein are only for illustrating and explaining the present invention and are not intended to limit it.
Embodiment 1
As shown in Fig. 1, the invention provides a trust-based Internet of Things data security system comprising an Internet of Things network platform, and center-side security equipment and a network management service center 106. As shown in Fig. 1, the Internet of Things network platform is composed of three levels: the bottom layer is a wireless personal area network 103 realized with the IEEE 802.15.4 and ZigBee Pro protocols; the middle layer is a WiMAX wireless network 104 realized with the IEEE 802.16 protocol; the upper layer is a metropolitan area network 105 (the existing government municipal optical network).
Further, the wireless personal area network 103 is composed of multiple independent domain networks.
As shown in Fig. 2, an independent domain network is composed of a coordinator 305 and 1 to 1024 sensors 101, and the 1 to 1024 sensors 101 are neighbor nodes that route for each other.
As shown in Fig. 3, the sensor 101 comprises a sensing device 501, a CPU and radio frequency (RF) transceiver 502, a security module 503 and an antenna 504, wherein the CPU and RF transceiver 502 are connected to the sensing device 501, the security module 503 and the antenna 504 respectively.
Further, the metropolitan area network 105 communicates with the center-side security equipment and network management service center 106.
As shown in Fig. 4, the WiMAX wireless network 104 is composed of a number of CPEs 303 and aggregation base stations 302.
The coordinator 305 of an independent domain network communicates with the aggregation base station 302 through a CPE 303, and the aggregation base station 302 connects to the metropolitan area network 105. The CPE 303 is arranged within 1.5 kilometers of the coordinator 305. The CPE 303 is arranged within a 5 kilometer radius of the aggregation base station 302.
As shown in Fig. 5, when the center-side security equipment and network management service center 106 connect to the metropolitan area network 105, an isolator 402, a firewall device 403 and a vulnerability scanning and intrusion detection module 404 must be connected.
A trust-based Internet of Things data security system is composed of an Internet of Things network platform, center-side security equipment and a network management service center. The Internet of Things network platform is composed of three levels: a wireless personal area network at the bottom, a WiMAX wireless network in the middle layer and a metropolitan area network at the upper layer; the metropolitan area network communicates with the center-side security equipment and the network management service center. The wireless personal area network is composed of multiple independent domain networks, each of which contains a coordinator. An independent domain network is composed of a coordinator and 1 to 1024 sensors, and the 1 to 1024 sensors are neighbor nodes that route for each other.
The coordinator is the main control device of a domain network. The coordinator and 1024 sensors form an independent domain network that operates in the 2.4 GHz band and complies with the IEEE 802.15.4 protocol and the ZigBee Pro network protocol. The 1024 sensors can route for each other; through network calculation a message may be relayed over up to 5 hops, extending the transmission distance to up to 300 meters with an information transmission delay of less than 2 seconds. Each sensor's information reaches the coordinator either through the relay routing function or directly (when the path is clear), and is then delivered to the WiMAX wireless network. The sensor terminal is normally in a dormant state; when a sensing signal occurs, the sensor device wakes automatically and switches to the transmitting operating state. Sensing signals are sent with a yellow or red classification, and red sensing signals are forced to be sent with priority; after decryption by the central cipher machine they are sent to the corresponding department for processing. To realize digital encryption of the sensed information, the sensed data must first be digitized, that is, the analog signal is converted into a digital signal by A/D conversion of the sensing signal, and the CPU master control chip reads and writes the sensed data; after the security module encrypts the sensed data, the radio frequency (RF) transceiver transmits and receives the encrypted data.
The sensor comprises a sensing device, a CPU and radio frequency (RF) transceiver, a security module and an antenna, wherein the CPU and RF transceiver are connected to the sensing device, the security module and the antenna respectively.
The chip of the security module stores identity-based device authentication key data, main information and key management information. The security module is provided with an encryption protection mechanism and anti-tamper measures for its information, so that third parties cannot read the internal information of the security module and its internal data cannot be tampered with or counterfeited. After the user obtains a secure sensor, the sensed data transmission function can be realized.
The sensor adopts a standardized design, making it a universal standard secure sensor device: simply changing the sensing device realizes detection and control of different sensed information and secure transmission of that information.
The WiMAX wireless network is composed of a number of CPEs (indoor/outdoor terminal equipment) and aggregation base stations. The coordinator of an independent domain network communicates with the aggregation base station through a CPE, and the aggregation base station connects to the metropolitan area network. The CPE is arranged within 1.5 kilometers of the coordinator. The CPE is arranged within a 5 kilometer radius of the aggregation base station.
The WiMAX wireless network operates in the 5.8 GHz band and complies with the IEEE 802.16 protocol. This network performs the coverage and collection of sensor information: sensor information from coordinators within a 1.5 kilometer range is first received by an indoor or outdoor CPE unit (indoor/outdoor terminal equipment) and delivered to the WiMAX base station; the WiMAX base station receives and collects CPE data within a 5 kilometer range and delivers the sensor information to the metropolitan area network; the metropolitan area network is the existing municipal fiber optic communication network, which sends the sensor information to the security control center, where it is decrypted by the central cipher machine, and the decrypted information is delivered to the corresponding department for processing.
The center-side security equipment and network management service center comprise a central cipher machine, an authentication key management center, a data server, a secure database and PC terminals.
The authentication key management center is an authoritative department and also a third-party authentication department. It provides unified management and is responsible for producing and distributing the keys of all sensor terminals, for key management and for identity-based device authentication management, ensuring the uniqueness and correctness of each sensor user's key. The authentication key management center also has the authority of centralized management, off-line distribution, and regular and irregular on-line key replacement. The key management center (KMC) implements the production, registration, certification, distribution, installation, storage, archiving and destruction of key material, and manages keys according to the security policy. The identity-based key content is not only stored in a distributed manner inside the sensor security modules but also stored in the KMC; when purchasing a secure sensor, the sensor device should be obtained under a "real-name system" from the designated key authentication management center.
The central cipher machine, in order to decrypt concurrent data from a massive number of sensor terminals, adopts a high-performance, high-speed cipher machine device based on a data-stream encryption and decryption processing mechanism, realizing synchronous decryption of massive data streams. In the upper-layer calls, the encryption scheduling algorithm is optimized and multithreading is adopted to realize legitimacy detection for the authentication of massive low-speed sensor data and devices, as well as decryption of sensor terminal data.
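The sensor-side path described in this embodiment (A/D conversion, encryption in the security module, red-before-yellow priority at the coordinator) and the center-side decryption with KMC-held identity-based keys can be modelled end to end. The following Go program is an added example written for this page; it is not code from the patent or from any product it describes. It assumes that the identity-based device key is derived from a KMC master key with HMAC-SHA256 over the device identifier, that the security module uses AES-256-GCM with the device identifier and severity class bound as associated data, and that the A/D converter produces 12-bit samples; none of these choices are specified by the patent, which leaves the cipher and key scheme open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// Severity classes of a sensing signal; red signals are forced ahead of yellow ones.
const (
	Yellow = 1
	Red    = 2
)

// DeviceKey derives a sensor's identity-based key from the KMC master key.
// Assumption: HMAC-SHA256 over the device ID stands in for the patent's
// unspecified identity-based key scheme. The same derivation runs in the KMC
// at provisioning time and in the central cipher machine at decryption time.
func DeviceKey(master []byte, deviceID string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(deviceID))
	return m.Sum(nil) // 32 bytes, used as an AES-256 key
}

// Quantize12 is the A/D conversion step: a reading in [0, vref) volts becomes
// a 12-bit sample, clamped at the rails.
func Quantize12(volts, vref float64) uint16 {
	if volts < 0 {
		return 0
	}
	if volts >= vref {
		return 4095
	}
	return uint16(volts / vref * 4096)
}

// Frame is what the security module hands to the RF transceiver.
type Frame struct {
	DeviceID   string
	Severity   int
	Nonce      []byte
	Ciphertext []byte
}

// assoc is the associated data authenticated alongside the ciphertext, so that
// relabelling a frame's device or severity in transit is detected at the center.
func assoc(deviceID string, severity int) []byte {
	return append([]byte(deviceID), byte(severity))
}

// Seal encrypts one 12-bit sample inside the security module with AES-256-GCM.
func Seal(key []byte, deviceID string, severity int, sample uint16) (Frame, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Frame{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Frame{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	pt := make([]byte, 2)
	binary.BigEndian.PutUint16(pt, sample)
	ct := gcm.Seal(nil, nonce, pt, assoc(deviceID, severity))
	return Frame{DeviceID: deviceID, Severity: severity, Nonce: nonce, Ciphertext: ct}, nil
}

// Prioritize orders queued frames at the coordinator: red first, FIFO within a class.
func Prioritize(frames []Frame) []Frame {
	out := append([]Frame(nil), frames...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Severity > out[j].Severity })
	return out
}

// Open is the central cipher machine: re-derive the device key from the KMC
// master key and decrypt. Any change to ciphertext, device ID or severity
// fails authentication and the frame is rejected rather than forwarded.
func Open(master []byte, f Frame) (uint16, error) {
	block, err := aes.NewCipher(DeviceKey(master, f.DeviceID))
	if err != nil {
		return 0, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	pt, err := gcm.Open(nil, f.Nonce, f.Ciphertext, assoc(f.DeviceID, f.Severity))
	if err != nil {
		return 0, errors.New("authentication failed: frame rejected")
	}
	return binary.BigEndian.Uint16(pt), nil
}

func main() {
	master := []byte("constructed KMC master key, not a real secret")
	y, _ := Seal(DeviceKey(master, "sensor-0001"), "sensor-0001", Yellow, Quantize12(1.0, 3.3))
	r, _ := Seal(DeviceKey(master, "sensor-0002"), "sensor-0002", Red, Quantize12(3.0, 3.3))
	for _, f := range Prioritize([]Frame{y, r}) {
		v, err := Open(master, f)
		fmt.Printf("%s severity=%d sample=%d err=%v\n", f.DeviceID, f.Severity, v, err)
	}
}
```

The test below also relabels a red frame as yellow in transit and checks that the center rejects it, which is the property that makes the priority class trustworthy at the decryption end.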
The secure database service system is configured with hierarchical security measures such as a classified rights management mechanism, secure key storage, key destruction, device authentication, access control, and backup and recovery. The system adopts a separation-of-powers mechanism in rights management: a database administrator and a security officer are set up and must act jointly to read sensitive data. An audit administrator is also introduced, who audits access to sensitive information and the behavior of the security officer and database users, ensuring the security of sensitive data.
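The separation-of-powers rule just described (a read of sensitive data requires the database administrator and the security officer together, and an audit administrator sees every access) is straightforward to enforce in code. The following Go program is an added example for this page, not code from the patent or from any product; the role names, the one-shot approval semantics, the constructed sample record, and the hash-chained audit trail (which makes deletion or alteration of earlier records detectable) are all assumptions made here, as the patent does not specify how dual control or auditing is implemented.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Role names are assumed here; the patent names the three administrative roles
// but not their identifiers.
type Role string

const (
	DBA             Role = "database-administrator"
	SecurityOfficer Role = "security-officer"
	AuditAdmin      Role = "audit-administrator"
	DBUser          Role = "database-user"
)

// AuditRecord is one line of the audit trail. Hash links each record to the
// previous one (an added tamper-evidence measure, not specified by the patent).
type AuditRecord struct {
	Seq     int
	Actor   string
	Role    Role
	Action  string
	Object  string
	Allowed bool
	Hash    string
}

// SecureDB holds sensitive records, pending dual-control approvals and the audit trail.
type SecureDB struct {
	sensitive map[string]string
	approvals map[string]map[Role]string // object -> approving role -> approver
	audit     []AuditRecord
}

// NewSecureDB seeds one constructed sensitive record (sample data, not real key material).
func NewSecureDB() *SecureDB {
	return &SecureDB{
		sensitive: map[string]string{"sensor-0001/key": "constructed-key-material-0001"},
		approvals: map[string]map[Role]string{},
	}
}

func chainHash(prev string, r AuditRecord) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%s|%s|%s|%s|%t",
		prev, r.Seq, r.Actor, r.Role, r.Action, r.Object, r.Allowed)))
	return hex.EncodeToString(sum[:])
}

// log appends an audit record; denied attempts are recorded just like allowed ones.
func (db *SecureDB) log(actor string, role Role, action, object string, allowed bool) {
	prev := ""
	if n := len(db.audit); n > 0 {
		prev = db.audit[n-1].Hash
	}
	rec := AuditRecord{Seq: len(db.audit) + 1, Actor: actor, Role: role,
		Action: action, Object: object, Allowed: allowed}
	rec.Hash = chainHash(prev, rec)
	db.audit = append(db.audit, rec)
}

// Approve records one party's consent to a read. Only the database administrator
// and the security officer roles count.
func (db *SecureDB) Approve(actor string, role Role, object string) error {
	ok := role == DBA || role == SecurityOfficer
	db.log(actor, role, "approve", object, ok)
	if !ok {
		return errors.New("role cannot approve sensitive reads")
	}
	if db.approvals[object] == nil {
		db.approvals[object] = map[Role]string{}
	}
	db.approvals[object][role] = actor
	return nil
}

// ReadSensitive releases the value only when two different people, one per role,
// have approved, then consumes the approvals so the next read needs fresh consent.
func (db *SecureDB) ReadSensitive(actor string, role Role, object string) (string, error) {
	a := db.approvals[object]
	ok := a[DBA] != "" && a[SecurityOfficer] != "" && a[DBA] != a[SecurityOfficer]
	db.log(actor, role, "read", object, ok)
	if !ok {
		return "", errors.New("dual control not satisfied")
	}
	delete(db.approvals, object)
	return db.sensitive[object], nil
}

// AuditTrail returns a copy of the trail; only the audit administrator may read it,
// and the read itself is recorded.
func (db *SecureDB) AuditTrail(actor string, role Role) ([]AuditRecord, error) {
	ok := role == AuditAdmin
	db.log(actor, role, "audit-read", "*", ok)
	if !ok {
		return nil, errors.New("only the audit administrator may read the audit trail")
	}
	return append([]AuditRecord(nil), db.audit...), nil
}

// VerifyAudit recomputes the hash chain; any altered or removed record breaks it.
func VerifyAudit(trail []AuditRecord) bool {
	prev := ""
	for i, r := range trail {
		if r.Seq != i+1 || chainHash(prev, r) != r.Hash {
			return false
		}
		prev = r.Hash
	}
	return true
}
```

The audit trail deliberately records denied attempts, since a security officer reading the trail is most interested in reads that were tried without the second approval.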
When the center-side security equipment and network management service center connect to the metropolitan area network, an isolator, a firewall device and a vulnerability scanning and intrusion detection module must be connected.
The network management service center provides monitoring and maintenance for Internet of Things network operation, wireless communication equipment maintenance, sensor device maintenance, on-line management and automatic management of equipment.
The trust-based Internet of Things data security system provided by the invention, according to the characteristics of the Internet of Things, designs a brand-new Internet of Things network architecture that reduces investment and construction cost and realizes Internet of Things network security technology. The system establishes security protection measures successively from the inside out, mainly reflected in terminal security, communication security, application security and security management, and deploys a multi-level, efficient security system for the confidentiality, integrity, authenticity and non-repudiation of data, both in security mechanisms and in management.
The foregoing is only the preferred embodiment of the present invention and does not limit the present invention. Although the present invention has been described in detail with reference to the foregoing embodiment, a person skilled in the art can still modify the technical solution described in the foregoing embodiment or make equivalent replacements of some of its technical features. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.