CN105025020A - Internet of Things implementation method - Google Patents

Abstract

The invention provides an Internet of Things implementation method. In the method, integrity verification protection of data collected by user nodes of each layer in a tree layered structure is carried out through a root server. The Internet of Things contains a root server and M user nodes, and the M user nodes can collect the obtained data to the root server layer by layer. The data layer-by-layer collection process comprises steps: firstly, M user nodes are subjected to identity and access authority authentication, N user nodes passing identity and access authority authentication are obtained, and M is more than or equal to N; secondly, the N user nodes passing identity and access authority authentication are subjected to initialization; after the second step, the third step and the fourth step are carried out regularly, wherein, thirdly, the N user nodes passing identity and access authority authentication encrypt the obtained data and collect the data to the root server layer by layer; fourthly, the root server carries out integrity verification of data collected by the user nodes of each layer.

Description

A kind of implementation method of Internet of Things

Technical field

The present invention relates to a kind of implementation method of Internet of Things, belong to the crossing domain of Internet of Things and information security technology.

Background technology

Internet of Things refers to by technology such as transducer, REID, global positioning systems, monitoring, connection, interactive object or process is needed in real time to any, gather the information of the various needs such as its sound, light, heat, electricity, mechanics, chemistry, biology, position, by all kinds of possible network insertion, realize the connection of thing and thing, thing and people, realize the intelligent perception to article and process, identification and management.Along with the development of science and technology, the life of Internet of Things distance people is more and more nearer.In the gatherer process of data; there are some application higher to security requirement; so fail safe and the integrity protection of image data will be carried out; gathering with the leakage in fusion process to prevent data and distorting; make the server of root node position correctly can obtain the data that in Internet of Things, in tree hierarchy, each layer user node gathers, finally make application correctly carry out.

Summary of the invention

Technical problem to be solved by this invention how to carry out integrity verification to the data that layer user node each in tree hierarchy in Internet of Things collects.

The present invention is for solving the problems of the technologies described above by the following technical solutions:

A kind of implementation method of Internet of Things, it is characterized in that, comprise a root server and M user node in described Internet of Things, the data of acquisition can be successively collected to this root server by a described M user node, and described data are successively collected process and comprised the following steps:

Step 1, a described M user node carried out to identity and access rights are differentiated, obtain the N number of user node differentiated by identity and access rights, wherein, M >=N;

Step 2, initialization is carried out to the described N number of user node differentiated by identity and access rights; And

After described step 2, regularly perform following steps 3 and step 4, particularly:

After the data of acquisition are encrypted by step 3, the described N number of user node differentiated by identity and access rights, be successively collected to described root server;

Step 4, described root server carry out integrity verification to the data that each layer user node collects.

Alternatively, described step 1 specifically comprises:

Step 1.1, use wireless identity authentication equipment carry out identity verify to user node, specific as follows:

Step 1.1.1, detect user node whether open wireless communication function, be connected if then set up radio communication with described user node, otherwise first remind described user node open wireless communication function, then set up radio communication with described user node and be connected; Wherein, described radio communication function comprises bluetooth and/or NFC;

Step 1.1.2, described wireless identity authentication equipment receive the authentication challenge that described user node sends, the authentication challenge preserved in advance in the authentication challenge received and described wireless identity authentication equipment is compared, if consistent, show that described user node is legal user node, return identity verify to this legal user node and be verified information;

Step 1.1.3, described wireless identity authentication equipment carry out digital signature to the biometric information that legal user node sends, and the biometric information after signature is returned to described user node;

Wherein, described biometric information comprises the finger print information of user, facial characteristics identifying information and voice messaging;

Step 1.2, for by the legal user node of identity verify, based on the biometric information of user, determine that the use user of this user node is to the access rights of Internet resources, specific as follows:

The biometric information of the user of collection is sent to root server by step 1.2.1, user node; Wherein, in the biometric information database of described root server, preserve the finger print information of all validated users, facial characteristics identifying information, voice messaging, and the network access authority corresponding to described validated user;

Step 1.2.2, described root server mate the biometric information of the user gathered with the finger print information in described biometric information database, facial characteristics identifying information and voice messaging, if the match is successful, then user identity is differentiated successfully;

Step 1.2.3, user identity are differentiated successfully, and described root server, according to the biometric information in described biometric information database, gives user corresponding network access authority;

Step 1.2.4, user's Successful login, to conduct interviews to the resource in network according to the network access authority of giving and operate.

Alternatively, described step 2 specifically comprises, and performs following operation by root server:

Step 2.1, selected root server encryption key K, and the user encryption key ki of each user node, wherein, i=1,2 ..., N;

Step 2.2, select N number of one group of coprime between two integer p1, p2 ..., pN};

Step 2.3, to be produced by random number generator one group of random number r1, r2 ... rN},

Step 2.4, use encryption key K to described one group of coprime between two integer p1, p2 ..., pN} encrypt, obtain a group encryption numeral p1 ', p2 ' ..., pN ' };

Step 2.5, by this group encryption numeral p1 ', p2 ' ..., pN ' } and described one group of random number r1, r2 ... rN} is corresponding in turn to addition, obtain one group of initial parameter s1, s2 ..., sN}; That is, si=pi '+ri, i=1,2 ..., N;

Step 2.6, send initial parameter si and user encryption key ki to each user node i, wherein, i=1,2 ..., N.

Alternatively, described step 3 specifically comprises:

Step 3.1, for all N number of user nodes, if user node i obtain image data be ai, the checking data calculating this user node i is bi, wherein: bi=ai+si, i=1,2 ..., N;

Step 3.2, for each leaf child m, respectively perform step 3.2.1 and 3.2.2 successively:

Step 3.2.1, the user encryption key km adopting root server in initialization procedure to be distributed to user node m are encrypted image data am and checking data bm respectively, and result is am*=Ekm (am), bm*=Ekm (bm);

Checking data bm* after image data am* after encryption and encryption is sent to the father node of oneself by step 3.2.2, user node m;

Step 3.3, for each n omicronn-leaf child n, respectively perform step 3.3.1 to 3.3.4 successively:

Step 3.3.1, by the image data after the encryption of all childs of this node n and encryption after checking data deciphering, obtain the image data after the deciphering of each child of this node n and deciphering after checking data;

Step 3.3.2, be added by the image data an of the image data after the deciphering of each child of this node n with this node n self, what obtain this node n converges image data an ';

Step 3.3.3, be added by the checking data bn of the checking data after the deciphering of each child of this node n with this node n self, what obtain this node n converges checking data bn ';

Step 3.3.4, the user encryption key kn adopting root server in initialization procedure to be distributed to user node i are encrypted converging image data an ' and converging checking data bn ' respectively, result is an ' *=Ekn (an '), bn ' *=Ekn (bn '); Then by user node n by encryption after converge image data an ' * and encryption after converge the father node that checking data bn ' * sends to oneself;

Step 3.4, for root server, perform step 3.4.1 to 3.4.3:

Step 3.4.1, by the image data after the encryption of all childs of root server and encryption after checking data deciphering, obtain root server each child deciphering after image data and deciphering after checking data;

Step 3.4.2, by after the deciphering of each child of root server image data be added, obtain root server converge image data A;

Step 3.4.3, by after the deciphering of each child of root server checking data be added, obtain root server converge checking data B.

Alternatively, described step 4 specifically comprises:

The initial parameter sum S=s1+s2+ of all user nodes in step 4.1, computing network ... + sN;

Step 4.2, root server converged the initial parameter sum S that checking data B deducts all user nodes, obtain and converge image data control value A ', wherein, A '=B-S;

Step 4.3, converging root server image data A and converging image data control value A ' and compare;

If A=A ', then show that data integrity is not destroyed, the data of acquisition be successively collected in the tidal data recovering process of root server at user node, data are not tampered; Otherwise in this tidal data recovering process, data receive Tampering attack.

The present invention adopts above technical scheme compared with prior art, has following technique effect:

The present invention carries out integrity verification protection by root server to the data that layer user node each in tree hierarchy collects.In above-mentioned integrity verification protection process: first, by carrying out identity and access rights discriminating to user node, there is higher information security access level; Secondly, by data encryption checking procedure, turn increase the fail safe that transfer of data converges collection, safer guarantee can be provided for the application of Internet of Things.

Embodiment

By hereafter detailed description of the preferred embodiment, various other advantage and benefit will become cheer and bright for those of ordinary skill in the art.Described description is only the general introduction of technical solution of the present invention, in order to better understand technological means of the present invention, and can be implemented according to the content of specification, and in order to above and other objects of the present invention, feature and advantage can be become apparent.

Below technical scheme of the present invention is described in further detail:

The present invention carries out integrity verification protection by root server to the data that layer user node each in tree hierarchy collects.

In above-mentioned integrity verification protection process: first, by carrying out identity and access rights discriminating to user node, there is higher information security access level; Secondly, by data encryption checking procedure, turn increase the fail safe that transfer of data converges collection, safer guarantee can be provided for the application of Internet of Things.

Particularly:

An implementation method for Internet of Things, wherein, comprise a root server and M user node in described Internet of Things, the data of acquisition can be successively collected to this root server by a described M user node, and described data are successively collected process and comprised the following steps:

Step 1, a described M user node carried out to identity and access rights are differentiated, obtain the N number of user node differentiated by identity and access rights, wherein, M >=N;

Step 2, initialization is carried out to the described N number of user node differentiated by identity and access rights; And

After described step 2, regularly perform following steps 3 and step 4, particularly:

After the data of acquisition are encrypted by step 3, the described N number of user node differentiated by identity and access rights, be successively collected to described root server;

Step 4, described root server carry out integrity verification to the data that each layer user node collects.

Alternatively, described step 1 specifically comprises:

Step 1.1, use wireless identity authentication equipment carry out identity verify to user node, specific as follows:

Step 1.1.1, detect user node whether open wireless communication function, be connected if then set up radio communication with described user node, otherwise first remind described user node open wireless communication function, then set up radio communication with described user node and be connected; Wherein, described radio communication function comprises bluetooth and/or NFC;

Step 1.1.2, described wireless identity authentication equipment receive the authentication challenge that described user node sends, the authentication challenge preserved in advance in the authentication challenge received and described wireless identity authentication equipment is compared, if consistent, show that described user node is legal user node, return identity verify to this legal user node and be verified information;

Step 1.1.3, described wireless identity authentication equipment carry out digital signature to the biometric information that legal user node sends, and the biometric information after signature is returned to described user node;

Wherein, described biometric information comprises the finger print information of user, facial characteristics identifying information and voice messaging;

Step 1.2, for by the legal user node of identity verify, based on the biometric information of user, determine that the use user of this user node is to the access rights of Internet resources, specific as follows:

The biometric information of the user of collection is sent to root server by step 1.2.1, user node; Wherein, in the biometric information database of described root server, preserve the finger print information of all validated users, facial characteristics identifying information, voice messaging, and the network access authority corresponding to described validated user;

Step 1.2.2, described root server mate the biometric information of the user gathered with the finger print information in described biometric information database, facial characteristics identifying information and voice messaging, if the match is successful, then user identity is differentiated successfully;

Step 1.2.3, user identity are differentiated successfully, and described root server, according to the biometric information in described biometric information database, gives user corresponding network access authority;

Step 1.2.4, user's Successful login, to conduct interviews to the resource in network according to the network access authority of giving and operate.

Alternatively, described step 2 specifically comprises, and performs following operation by root server:

Step 2.1, selected root server encryption key K, and the user encryption key ki of each user node, wherein, i=1,2 ..., N;

Step 2.2, select N number of one group of coprime between two integer p1, p2 ..., pN};

Step 2.3, to be produced by random number generator one group of random number r1, r2 ... rN},

Step 2.4, use encryption key K to described one group of coprime between two integer p1, p2 ..., pN} encrypt, obtain a group encryption numeral p1 ', p2 ' ..., pN ' };

Step 2.5, by this group encryption numeral p1 ', p2 ' ..., pN ' } and described one group of random number r1, r2 ... rN} is corresponding in turn to addition, obtain one group of initial parameter s1, s2 ..., sN}; That is, si=pi '+ri, i=1,2 ..., N;

Step 2.6, send initial parameter si and user encryption key ki to each user node i, wherein, i=1,2 ..., N.

Alternatively, described step 3 specifically comprises:

Step 3.1, for all N number of user nodes, if user node i obtain image data be ai, the checking data calculating this user node i is bi, wherein: bi=ai+si, i=1,2 ..., N;

Step 3.2, for each leaf child m, respectively perform step 3.2.1 and 3.2.2 successively:

Step 3.2.1, the user encryption key km adopting root server in initialization procedure to be distributed to user node m are encrypted image data am and checking data bm respectively, and result is am*=Ekm (am), bm*=Ekm (bm);

Checking data bm* after image data am* after encryption and encryption is sent to the father node of oneself by step 3.2.2, user node m;

Step 3.3, for each n omicronn-leaf child n, respectively perform step 3.3.1 to 3.3.4 successively:

Step 3.3.1, by the image data after the encryption of all childs of this node n and encryption after checking data deciphering, obtain the image data after the deciphering of each child of this node n and deciphering after checking data;

Step 3.3.2, be added by the image data an of the image data after the deciphering of each child of this node n with this node n self, what obtain this node n converges image data an ';

Step 3.3.3, be added by the checking data bn of the checking data after the deciphering of each child of this node n with this node n self, what obtain this node n converges checking data bn ';

Step 3.3.4, the user encryption key kn adopting root server in initialization procedure to be distributed to user node i are encrypted converging image data an ' and converging checking data bn ' respectively, result is an ' *=Ekn (an '), bn ' *=Ekn (bn '); Then by user node n by encryption after converge image data an ' * and encryption after converge the father node that checking data bn ' * sends to oneself; Step 3.4, for root server, perform step 3.4.1 to 3.4.3:

Step 3.4.1, by the image data after the encryption of all childs of root server and encryption after checking data deciphering, obtain root server each child deciphering after image data and deciphering after checking data;

Step 3.4.2, by after the deciphering of each child of root server image data be added, obtain root server converge image data A;

Step 3.4.3, by after the deciphering of each child of root server checking data be added, obtain root server converge checking data B.

Alternatively, described step 4 specifically comprises:

The initial parameter sum S=s1+s2+ of all user nodes in step 4.1, computing network ... + sN;

Step 4.2, root server converged the initial parameter sum S that checking data B deducts all user nodes, obtain and converge image data control value A ', wherein, A '=B-S;

Step 4.3, converging root server image data A and converging image data control value A ' and compare;

If A=A ', then show that data integrity is not destroyed, the data of acquisition be successively collected in the tidal data recovering process of root server at user node, data are not tampered; Otherwise in this tidal data recovering process, data receive Tampering attack.

All or part of content in the technical scheme that the above embodiment of the present invention provides can be realized by software programming, and its software program is stored in the storage medium that can read, storage medium such as: the hard disk in computer, CD or floppy disk.

The foregoing is only preferred embodiment of the present invention, not in order to limit the present invention, within the spirit and principles in the present invention all, any amendment done, equivalent replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (5)

1. the implementation method of an Internet of Things, it is characterized in that, comprise a root server and M user node in described Internet of Things, the data of acquisition can be successively collected to this root server by a described M user node, and described data are successively collected process and comprised the following steps:

Step 1, a described M user node carried out to identity and access rights are differentiated, obtain the N number of user node differentiated by identity and access rights, wherein, M >=N;

Step 2, initialization is carried out to the described N number of user node differentiated by identity and access rights; And

After described step 2, regularly perform following steps 3 and step 4, particularly:

After the data of acquisition are encrypted by step 3, the described N number of user node differentiated by identity and access rights, be successively collected to described root server;

Step 4, described root server carry out integrity verification to the data that each layer user node collects.

2. method according to claim 1, is characterized in that, described step 1 specifically comprises:

Step 1.1, use wireless identity authentication equipment carry out identity verify to user node, specific as follows:

Step 1.1.1, detect user node whether open wireless communication function, be connected if then set up radio communication with described user node, otherwise first remind described user node open wireless communication function, then set up radio communication with described user node and be connected; Wherein, described radio communication function comprises bluetooth and/or NFC;

Step 1.1.2, described wireless identity authentication equipment receive the authentication challenge that described user node sends, the authentication challenge preserved in advance in the authentication challenge received and described wireless identity authentication equipment is compared, if consistent, show that described user node is legal user node, return identity verify to this legal user node and be verified information;

Step 1.1.3, described wireless identity authentication equipment carry out digital signature to the biometric information that legal user node sends, and the biometric information after signature is returned to described user node;

Wherein, described biometric information comprises the finger print information of user, facial characteristics identifying information and voice messaging;

Step 1.2, for by the legal user node of identity verify, based on the biometric information of user, determine that the use user of this user node is to the access rights of Internet resources, specific as follows:

The biometric information of the user of collection is sent to root server by step 1.2.1, user node; Wherein, in the biometric information database of described root server, preserve the finger print information of all validated users, facial characteristics identifying information, voice messaging, and the network access authority corresponding to described validated user;

Step 1.2.2, described root server mate the biometric information of the user gathered with the finger print information in described biometric information database, facial characteristics identifying information and voice messaging, if the match is successful, then user identity is differentiated successfully;

Step 1.2.3, user identity are differentiated successfully, and described root server, according to the biometric information in described biometric information database, gives user corresponding network access authority;

Step 1.2.4, user's Successful login, to conduct interviews to the resource in network according to the network access authority of giving and operate.

3. method according to claim 2, is characterized in that, described step 2 specifically comprises, and performs following operation by root server:

Step 2.1, selected root server encryption key K, and the user encryption key ki of each user node, wherein, i=1,2 ..., N;

Step 2.2, select N number of one group of coprime between two integer p1, p2 ..., pN};

Step 2.3, to be produced by random number generator one group of random number r1, r2 ... rN},

Step 2.4, use encryption key K to described one group of coprime between two integer p1, p2 ..., pN} encrypt, obtain a group encryption numeral p1 ', p2 ' ..., pN ' };

Step 2.5, by this group encryption numeral p1 ', p2 ' ..., pN ' } and described one group of random number r1, r2 ... rN} is corresponding in turn to addition, obtain one group of initial parameter s1, s2 ..., sN}; That is, si=pi '+ri, i=1,2 ..., N;

Step 2.6, send initial parameter si and user encryption key ki to each user node i, wherein, i=1,2 ..., N.

4. method according to claim 3, is characterized in that, described step 3 specifically comprises:

Step 3.1, for all N number of user nodes, if user node i obtain image data be ai, the checking data calculating this user node i is bi, wherein: bi=ai+si, i=1,2 ..., N;

Step 3.2, for each leaf child m, respectively perform step 3.2.1 and 3.2.2 successively:

Step 3.2.1, the user encryption key km adopting root server in initialization procedure to be distributed to user node m are encrypted image data am and checking data bm respectively, and result is am*=Ekm (am), bm*=Ekm (bm);

Checking data bm* after image data am* after encryption and encryption is sent to the father node of oneself by step 3.2.2, user node m;

Step 3.3, for each n omicronn-leaf child n, respectively perform step 3.3.1 to 3.3.4 successively:

Step 3.3.1, by the image data after the encryption of all childs of this node n and encryption after checking data deciphering, obtain the image data after the deciphering of each child of this node n and deciphering after checking data;

Step 3.3.2, be added by the image data an of the image data after the deciphering of each child of this node n with this node n self, what obtain this node n converges image data an ';

Step 3.3.3, be added by the checking data bn of the checking data after the deciphering of each child of this node n with this node n self, what obtain this node n converges checking data bn ';

Step 3.3.4, the user encryption key kn adopting root server in initialization procedure to be distributed to user node i are encrypted converging image data an ' and converging checking data bn ' respectively, result is an ' *=Ekn (an '), bn ' *=Ekn (bn '); Then by user node n by encryption after converge image data an ' * and encryption after converge the father node that checking data bn ' * sends to oneself;

Step 3.4, for root server, perform step 3.4.1 to 3.4.3:

Step 3.4.1, by the image data after the encryption of all childs of root server and encryption after checking data deciphering, obtain root server each child deciphering after image data and deciphering after checking data;

Step 3.4.2, by after the deciphering of each child of root server image data be added, obtain root server converge image data A;

Step 3.4.3, by after the deciphering of each child of root server checking data be added, obtain root server converge checking data B.

5. method according to claim 4, is characterized in that, described step 4 specifically comprises:

The initial parameter sum S=s1+s2+ of all user nodes in step 4.1, computing network ... + sN;

Step 4.2, root server converged the initial parameter sum S that checking data B deducts all user nodes, obtain and converge image data control value A ', wherein, A '=B-S;

Step 4.3, converging root server image data A and converging image data control value A ' and compare;

If A=A ', then show that data integrity is not destroyed, the data of acquisition be successively collected in the tidal data recovering process of root server at user node, data are not tampered; Otherwise in this tidal data recovering process, data receive Tampering attack.