CN107104925A - Method, apparatus and system for secure communication - Google Patents

Method, apparatus and system for secure communication Download PDF

Info

Publication number
CN107104925A
CN107104925A CN201610096661.8A CN201610096661A CN107104925A CN 107104925 A CN107104925 A CN 107104925A CN 201610096661 A CN201610096661 A CN 201610096661A CN 107104925 A CN107104925 A CN 107104925A
Authority
CN
China
Prior art keywords
server
key
client
access mandate
mandate information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610096661.8A
Other languages
Chinese (zh)
Inventor
栗静文
齐麟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens AG
Original Assignee
Siemens AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens AG filed Critical Siemens AG
Priority to CN201610096661.8A priority Critical patent/CN107104925A/en
Publication of CN107104925A publication Critical patent/CN107104925A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Abstract

The embodiments of the invention provide the method for secure communication, apparatus and system.This method includes:In the case of it is determined that allowing client to access server, the access mandate information being authenticated for server to client is generated;Key is obtained, wherein, the key is generated according to the shared key schedule of server Authorization Manager and server, and server Authorization Manager and server belong to the limited applications protocol authentication and authorization framework system of commission;Access mandate information is encrypted using key;And send encrypted access mandate information to client.The embodiments of the invention provide the Secure Communication of server and SAM in DCAF systems, without carrying out cipher key interaction between server and SAM, so as to save signaling consumption, lifting system performance.

Description

Method, apparatus and system for secure communication
Technical field
The present invention relates to areas of information technology, more particularly, to the method for secure communication, device and (Constrained Application Protocol, the CoAP) certification of limited applications agreement and mandate of commission Framework (Delegated CoAP Authentication and Authorization Framework, DCAF) System.
Background technology
Due to traditional HTTP (HyperText Transfer Protocol, HTTP) no Suitable for resource constrained environment, therefore Internet Engineering Task group (Internet Engineering Task Force, IETF) a kind of application layer protocol, i.e. CoAP have been formulated for such constrained environment, make The constrained nodes obtained in constrained environment can be communicated on the internet.
And for the safety problem that constrained nodes communicate, IETF has drafted DCAF documents recently. In DCAF documents, a kind of DCAF systems are described, within the system by introducing less node To help constrained nodes to carry out the task related to mandate.It is such less in DCAF systems Node can be referred to as Authorization Manager.These Authorization Managers can be performed for the node of its management Complicated safe task (key for for example managing large number quipments), so that constrained nodes can be realized Delegated strategy.Authorization Manager can include the client authorization pipe for management client authorization message Manage device (Client Authorization Manager, CAM) and for manager server authorization message Server Authorization Manager (Server Authorization Manager, SAM).Performing with authorizing During the task of correlation, need to transmit some authorization messages between SAM and server.However, DCAF Document do not provide how between SAM and server the safely side of implementing of transmission information Case.
The content of the invention
In view of the above mentioned problem of prior art, The embodiment provides for secure communication Method, apparatus and system, have effectively achieved the secure communication of server and SAM in DCAF systems.
An embodiment provides a kind of method for secure communication, including:It is determined that In the case of allowing client access server, generate and the client is carried out for the server The access mandate information of certification;Key is obtained, wherein, the key is according to server empowerment management Device and the server shared key schedule is generated, the server Authorization Manager and The server belongs to the limited applications protocol authentication and authorization framework DCAF systems of commission;Using institute Key is stated the access mandate information is encrypted;And send encrypted visit to the client Ask authorization message.
Wherein, the acquisition key further comprises:The key is generated using dynamic token.
Another embodiment of the present invention provides a kind of method for secure communication, including:From client End receives encrypted access mandate information, and the access mandate information is used for server to the client End is authenticated;Key is obtained, wherein, the key is according to server Authorization Manager and described Server shared key schedule is generated, the server Authorization Manager and the service Device belongs to the limited applications protocol authentication and authorization framework DCAF systems of commission;Use the key pair The encrypted access mandate information is decrypted;And according to decrypted access mandate information come The client is authenticated.
Wherein, the acquisition key further comprises:The key is generated using dynamic token.
Another embodiment of the present invention provides a kind of device for secure communication, including:Generate mould Block, in the case of it is determined that allowing client to access server, generating for the server pair The access mandate information that the client is authenticated;Acquisition module, for obtaining key, wherein, The key is according to the server Authorization Manager and the shared key schedule of the server Come what is generated, the server Authorization Manager and the server belong to the limited applications agreement of commission Certification and authorization framework DCAF systems;Encrypting module, for being awarded using the key to the access Power information is encrypted;And sending module, awarded for sending encrypted access to the client Weigh information.
Wherein, the acquisition module is further used for:The key is generated using dynamic token.
Another embodiment of the present invention provides a kind of device for secure communication, including:Receive mould Block, for receiving encrypted access mandate information from client, the access mandate information is used for institute Server is stated to be authenticated the client;Acquisition module, for obtaining key, wherein, it is described Key is generated according to server Authorization Manager and the shared key schedule of the server , the server Authorization Manager and the server belong to commission limited applications protocol authentication and Authorization framework DCAF systems;Deciphering module, for using the key to the encrypted access Authorization message is decrypted;And authentication module, for according to decrypted access mandate information come pair The client is authenticated.
Wherein, the acquisition module is further used for:The key is generated using dynamic token.
Another embodiment of the present invention provides the limited applications protocol authentication and authorization framework of a kind of commission System, including:Server Authorization Manager, server, client and client authorization manager. Wherein, the server Authorization Manager is used to send encrypted to the client authorization manager Access mandate information, the client authorization manager is used to connect from the server Authorization Manager Receive after the encrypted access mandate information, the encrypted access is sent to the client Authorization message.
From the above, it can be seen that the embodiments of the invention provide server in DCAF systems and SAM Secure Communication, without carrying out cipher key interaction between server and SAM, so as to save signaling Expense, lifting system performance.
Brief description of the drawings
Further feature, feature, advantage and the benefit of the present invention passes through the detailed description below in conjunction with accompanying drawing It will become apparent.
Fig. 1 is the schematic diagram of DCAF systems according to an embodiment of the invention.
Fig. 2 is the flow chart of the method according to an embodiment of the invention for secure communication.
Fig. 3 is the flow chart of the method according to another embodiment of the present invention for secure communication.
Fig. 4 is the schematic diagram of the device according to an embodiment of the invention for secure communication.
Fig. 5 is the schematic diagram of the device according to an embodiment of the invention for secure communication.
Fig. 6 is SAM according to an embodiment of the invention schematic diagram.
Fig. 7 is the schematic diagram of server according to an embodiment of the invention.
Embodiment
Each embodiment of the present invention is described in detail next, with reference to accompanying drawing.
Fig. 1 is the schematic diagram of DCAF systems according to an embodiment of the invention.As shown in figure 1, DCAF systems 100 can include client 110, server 120, CAM 130 and SAM 140. Server 120 can have CoAP resources.Client 110 can be to the CoAP on server 120 Resource conducts interviews.CAM 130 can manage the certification and authorization data for client 110.SAM 140 can manage the certification and authorization data for server 120.
Client 110, can be to server when needing to access the CoAP resources on server 120 120 send initial unauthorized resource request message.Server 120 upon receiving the message, will be refused The request, and to client 110 return its corresponding SAM 140 address.
Client 110, can be to its corresponding CAM 130 after SAM 140 address is received Send authorization requests.CAM 130 can determine what client 110 was asked according to the authorization requests Whether action is allowed to.If permitted to if, CAM 130 can send label to SAM 140 please Seek message (Ticket Request Message).
SAM 140 is after label request message is received, it can be estimated that wherein included access please Seek information.After it is determined that allowing the access server 120 of client 110, SAM 140 can be generated Include the label approval message (Ticket Grant Message) for accessing label (Access Ticket).Visit Ask that label can include being used for the access mandate information that server 120 is authenticated client 110. As defined in DCAF documents, Face parts can be included by accessing label.The access mandate information It can be included in Face parts.In order to ensure the security of communication, SAM 140 can utilize key Face parts are encrypted.Then, SAM 140 can send the message to CAM 130.
CAM 130 can transmit message (Ticket after label approval message is received by label Transfer Message), label will be accessed and be sent to client 110.Then, client 110 can be with The Face parts accessed in label are sent to server 120.
Server 120 is received from client 110 after Face parts, it is possible to use key is to Face Part is decrypted, so as to obtain decrypted access mandate information.Server 120 can be according to warp The access mandate information of decryption, is authenticated and authorizes to client 120.So, client 110 Safe lane can be set up between server 120.By the safe lane, client 110 can be with Access the CoAP resources on server 120.
In above process, it is close that the key and server 120 that SAM 140 is encrypted are decrypted Key can be generated according to SAM 140 and the shared key schedule of server 120.So, It may insure that SAM 140 and server 120 perform encryption respectively using identical key and decryption is grasped Make, so as to avoid cipher key interaction process, signaling consumption can be saved.
In one embodiment, SAM 140 can be static close with the key that server 120 is shared Key.Generated for example, the key can be SAM 140 with server 120 using the two shared key Algorithm and previously generate, and be stored in respective memory.This mode realizes simply, cost It is low.
In another embodiment, the key that SAM 140 shares with server 120 can be dynamic Key.The key can be generated using dynamic token.For example, the dynamic of the side of server 120 The dynamic token of token device and the sides of SAM 140 can be generated synchronously identical token.So, The token generated may be used as the shared key between server 120 and SAM 140.In the present invention , can be using any dynamic token in the prior art in embodiment.This mode is compared to static state For key, the security of information more ensure that.
From the above, it can be seen that the embodiments of the invention provide server in DCAF systems and SAM Secure Communication, without carrying out cipher key interaction between server and SAM, so as to save signaling Expense, lifting system performance.
Referring now to Fig. 2, it is the stream of the method according to an embodiment of the invention for secure communication Cheng Tu.For example, Fig. 2 method can be performed by the SAM 140 in above-mentioned Fig. 1.
As shown in Fig. 2 this method comprises the following steps:
Step 210, in the case of it is determined that allowing client to access server, generate for server pair The access mandate information that client is authenticated.
Step 220, key is obtained, wherein, the key is according to SAM and the shared key of server Generating algorithm is come what is generated, and SAM and server belong to DCAF systems.
Step 230, access mandate information is encrypted using key.
Step 240, encrypted access mandate information is sent to client.
In one embodiment, in a step 220, it is possible to use dynamic token is come on generating State key.
Referring now to Fig. 3, it is the stream of the method according to an embodiment of the invention for secure communication Cheng Tu.For example, Fig. 3 method can be performed by the server 120 in above-mentioned Fig. 1.
As shown in figure 3, this method comprises the following steps:
Step 310, encrypted access mandate information is received from client, access mandate information is used to take Business device is authenticated to client.
Step 320, key is obtained, wherein, the key is according to SAM and the shared key of server Generating algorithm is come what is generated, and SAM and server belong to DCAF systems.
Step 330, encrypted access mandate information is decrypted using key.
Step 340, client is authenticated according to decrypted access mandate information.
In one embodiment, in step 320, it is possible to use dynamic token is come on generating State key.
Referring now to Fig. 4, it is showing for the device according to an embodiment of the invention for secure communication It is intended to.Device 400 shown in Fig. 4 can utilize software, hardware (such as integrated circuit or DSP) Or the mode of software and hardware combining is realized.One example of Fig. 4 device 400 can be above-mentioned SAM 140。
As shown in figure 4, device 400 can include generation module 410, acquisition module 420, encryption mould Block 430 and sending module 440.
Generation module 410 is used in the case of it is determined that allowing client to access server, and generating is used for The access mandate information that server is authenticated to client.Acquisition module 420 is used to obtain key, Wherein, key is generated according to the shared key schedule of SAM and server, SAM and Server belongs to DCAF systems.Encrypting module 430 is used to carry out access mandate information using key Encryption.Sending module 440 is used to send encrypted access mandate information to client.
In one embodiment, acquisition module 420 can be further used for utilizing dynamic token To generate above-mentioned key.
Referring now to Fig. 5, it is the schematic diagram of server according to an embodiment of the invention.Fig. 5 institutes The device 500 shown can utilize software, hardware (such as integrated circuit or DSP) or software and hardware knot The mode of conjunction is realized.One example of Fig. 5 device 500 can be above-mentioned server 120.
As shown in figure 5, device 500 can include receiving module 510, acquisition module 520, decryption mould Block 530 and authentication module 540.
Receiving module 510 is used to receive encrypted access mandate information, access mandate letter from client Cease and client is authenticated for server.Acquisition module 520 is used to obtain key, wherein, should Key is generated according to SAM and the shared key schedule of server, SAM devices and service Device belongs to DCAF systems.Deciphering module 530 is used for using key to encrypted access mandate information It is decrypted.Authentication module 540 is used to carry out client according to decrypted access mandate information Certification.
In one embodiment, acquisition module 520 can be further used for utilizing dynamic token To generate above-mentioned key.
Referring now to Fig. 6, it is SAM according to an embodiment of the invention schematic diagram.Such as Fig. 6 It is shown, SAM 600 can include be used for store executable instruction memory 610 and with memory 610 The processor 620 of connection, wherein, processor 620 can perform foregoing SAM 400 modules Performed operation.
Referring now to Fig. 7, it is the schematic diagram of server according to an embodiment of the invention.Such as Fig. 7 Shown, server 700 can include the memory 710 and and memory for being used to store executable instruction The processor 720 of 710 connections, wherein, processor 720 can perform each of aforementioned server 500 Operation performed by module.
The embodiment of the present invention also provides a kind of machine readable media, and executable instruction is stored thereon, when this When executable instruction is performed so that machine realizes the operation of processor 620.
The embodiment of the present invention also provides another machine readable media, and executable instruction is stored thereon, when When the executable instruction is performed so that machine realizes the operation of processor 720.
Detailed displaying and explanation have been carried out to the present invention above by accompanying drawing and preferred embodiment, but originally Invention is not limited to these embodiments having revealed that, other sides that those skilled in the art therefrom derive Case is also within protection scope of the present invention.

Claims (12)

1. a kind of method for secure communication, including:
In the case of it is determined that allowing client to access server, generate for the server to described The access mandate information that client is authenticated;
Key is obtained, wherein, the key is common according to server Authorization Manager and the server Key schedule is come what is generated, and the server Authorization Manager and the server belong to committee The limited applications protocol authentication and authorization framework DCAF systems of support;
The access mandate information is encrypted using the key;And
Encrypted access mandate information is sent to the client.
2. according to the method described in claim 1, wherein, it is described acquisition key further comprise:
The key is generated using dynamic token.
3. a kind of method for secure communication, including:
Encrypted access mandate information is received from client, the access mandate information is used for server The client is authenticated;
Key is obtained, wherein, the key is common according to server Authorization Manager and the server Key schedule is come what is generated, and the server Authorization Manager and the server belong to committee The limited applications protocol authentication and authorization framework DCAF systems of support;
The encrypted access mandate information is decrypted using the key;And
The client is authenticated according to decrypted access mandate information.
4. method according to claim 3, wherein, the acquisition key further comprises:
The key is generated using dynamic token.
5. a kind of device for secure communication, including:
Generation module, in the case of it is determined that allowing client to access server, generating for institute State the access mandate information that server is authenticated to the client;
Acquisition module, for obtaining key, wherein, the key is according to the server mandate pipe Manage device and the shared key schedule of the server to generate, the server Authorization Manager Belong to the limited applications protocol authentication and authorization framework DCAF systems of commission with the server;
Encrypting module, for the access mandate information to be encrypted using the key;And
Sending module, for sending encrypted access mandate information to the client.
6. equipment according to claim 5, wherein, the acquisition module is further used for:
The key is generated using dynamic token.
7. a kind of device for secure communication, including:
Receiving module, for receiving encrypted access mandate information, the access mandate from client Information is authenticated for the server to the client;
Acquisition module, for obtaining key, wherein, the key is according to server Authorization Manager The key schedule that is shared with the server is generated, the server Authorization Manager and institute State limited applications protocol authentication and authorization framework DCAF systems that server belongs to commission;
Deciphering module, for the encrypted access mandate information to be decrypted using the key; And
Authentication module, for being authenticated according to decrypted access mandate information to the client.
8. equipment according to claim 7, wherein, the acquisition module is further used for:
The key is generated using dynamic token.
9. a kind of server Authorization Manager, including:
Memory;And
Processor, for the operation included by perform claim requirement 1 or 2.
10. a kind of server, including:
Memory;And
Processor, for the operation included by perform claim requirement 3 or 4.
11. the limited applications protocol authentication and authorization framework system of a kind of commission, including:
Server Authorization Manager according to claim 9;
Server according to claim 10;
Client;And
Client authorization manager;
Wherein, the server Authorization Manager is used to send through adding to the client authorization manager Close access mandate information, the client authorization manager is used for from the server empowerment management Device is received after the encrypted access mandate information, sends described encrypted to the client Access mandate information.
12. a kind of machine readable media, is stored thereon with executable instruction, when the executable instruction When being performed so that machine perform claim requires the operation included by any one of 1-4.
CN201610096661.8A 2016-02-22 2016-02-22 Method, apparatus and system for secure communication Pending CN107104925A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610096661.8A CN107104925A (en) 2016-02-22 2016-02-22 Method, apparatus and system for secure communication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610096661.8A CN107104925A (en) 2016-02-22 2016-02-22 Method, apparatus and system for secure communication

Publications (1)

Publication Number Publication Date
CN107104925A true CN107104925A (en) 2017-08-29

Family

ID=59658683

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610096661.8A Pending CN107104925A (en) 2016-02-22 2016-02-22 Method, apparatus and system for secure communication

Country Status (1)

Country Link
CN (1) CN107104925A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882906A (en) * 2011-07-14 2013-01-16 华为技术有限公司 Method and device of data communication in constrained application protocol
CN104618362A (en) * 2015-01-23 2015-05-13 华为技术有限公司 Method and device for session message interaction between resource server and client side
US20150326539A1 (en) * 2014-03-31 2015-11-12 EXILANT Technologies Private Limited Increased communication security

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882906A (en) * 2011-07-14 2013-01-16 华为技术有限公司 Method and device of data communication in constrained application protocol
US20150326539A1 (en) * 2014-03-31 2015-11-12 EXILANT Technologies Private Limited Increased communication security
CN104618362A (en) * 2015-01-23 2015-05-13 华为技术有限公司 Method and device for session message interaction between resource server and client side

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ACE WORKING GROUP: ""Delegated CoAP Authentication and Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize-02"", 《IETF》 *

Similar Documents

Publication Publication Date Title
CN102195957B (en) Resource sharing method, device and system
JP7014806B2 (en) Digital certificate management method and equipment
EP2391083B1 (en) Method for realizing authentication center and authentication system
US11134069B2 (en) Method for authorizing access and apparatus using the method
CN109660485A (en) A kind of authority control method and system based on the transaction of block chain
KR20060100920A (en) Trusted third party authentication for web services
US10257171B2 (en) Server public key pinning by URL
US10958630B2 (en) System and method for securely exchanging data between devices
CN102098317A (en) Data transmitting method and system applied to cloud system
CN102377788A (en) Single sign-on (SSO) system and single sign-on (SSO) method
WO2019047927A1 (en) Digital credential management method and device
CN109150800A (en) Login access method, system and storage medium
CN112861157A (en) Data sharing method based on decentralized identity and proxy re-encryption
CN109698746A (en) Negotiate the method and system of the sub-key of generation bound device based on master key
TWI556618B (en) Network Group Authentication System and Method
JP4807944B2 (en) Challenge-based authentication that does not require knowledge of secret authentication data
CN106992978A (en) Network safety managing method and server
CN107566393A (en) A kind of dynamic rights checking system and method based on trust certificate
CN113965425B (en) Access method, device and equipment of Internet of things equipment and computer readable storage medium
CN102629928B (en) Implementation method for safety link of internet lottery ticket system based on public key
CN111835716B (en) Authentication communication method, server, device and storage medium
JP2005086428A (en) Method of obtaining authentication and performing crypto communication, authenticating system and authenticating method
CN107104925A (en) Method, apparatus and system for secure communication
JP2007074745A (en) Method for performing encrypted communication by obtaining authentication, authentication system and method
Rajathi et al. Practical Implementation and Analysis of TLS Client Certificate Authentication

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20170829