CN107294932B - Method and server for centralized control type key management - Google Patents
Method and server for centralized control type key management Download PDFInfo
- Publication number
- CN107294932B CN107294932B CN201610222494.7A CN201610222494A CN107294932B CN 107294932 B CN107294932 B CN 107294932B CN 201610222494 A CN201610222494 A CN 201610222494A CN 107294932 B CN107294932 B CN 107294932B
- Authority
- CN
- China
- Prior art keywords
- internet
- things
- key
- gateway
- sending
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 24
- 230000009977 dual effect Effects 0.000 claims description 55
- 238000012163 sequencing technique Methods 0.000 claims description 15
- 230000005540 biological transmission Effects 0.000 claims description 13
- 238000012217 deletion Methods 0.000 claims description 5
- 230000037430 deletion Effects 0.000 claims description 5
- 238000004891 communication Methods 0.000 abstract description 14
- 230000006870 function Effects 0.000 description 32
- 238000010586 diagram Methods 0.000 description 14
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 230000002457 bidirectional effect Effects 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
Abstract
The present invention discloses a kind of method and server for centralized control type key management.This method comprises: being ranked up to Internet of Things group membership, wherein Internet of Things group membership includes things-internet gateway and internet-of-things terminal;It is random to generate initialization seed;First key chain and the second key chain are generated respectively according to the first one-way function and the second one-way function;According to the sequence of Internet of Things group membership, corresponding Internet of Things group membership successively is sent by the key of first key chain and the second key chain.The present invention, to enhance the safety that information is transmitted under environment of internet of things, greatly reduces the risk that information is stolen by the corresponding pairwise key of communications setting for different Internet of Things group memberships.
Description
Technical Field
The invention relates to the field of Internet of things, in particular to a method and a server for centralized control type key management.
Background
For the internet of things group communication with the security requirement, the system generally adopts the mode of distributing the group key corresponding to the group to the internet of things equipment in the same group, so that the internet of things equipment in the same group normally performs group communication by using the same group key.
However, the internet of things terminal with high requirements on safety and real-time performance has high risk, and if a secret key for communication is obtained by other internet of things equipment, the secret key can be easily cracked.
Disclosure of Invention
In view of the above technical problems, the present invention provides a method and a server for centralized control type key management, which can enhance the security of information transmission in the environment of the internet of things and greatly reduce the risk of information theft.
According to an aspect of the present invention, there is provided a method for centrally controlled key management, comprising:
sequencing the members of the Internet of things, wherein the members of the Internet of things comprise an Internet of things gateway and an Internet of things terminal;
randomly generating an initialization seed;
respectively generating a first key chain and a second key chain according to the first one-way function and the second one-way function;
and sequentially sending the keys of the first key chain and the second key chain to corresponding members of the Internet of things according to the sequence of the members of the Internet of things.
In one embodiment of the present invention, the step of ordering the members of the internet of things group comprises: and respectively sequencing the Internet of things gateway and the Internet of things terminal.
In an embodiment of the present invention, the step of sequentially sending the keys of the first keychain and the second keychain to the corresponding members of the internet of things group according to the order of the members of the internet of things group includes:
sequentially sending the keys of the first key chain to corresponding internet of things terminals according to the sequence of the internet of things terminals;
and sequentially sending the keys of the second key chain to the corresponding Internet of things gateways according to the sequence of the Internet of things gateways.
In an embodiment of the present invention, the step of sequentially sending the keys of the first keychain to the corresponding terminals of the internet of things according to the sequence of the terminals of the internet of things includes:
and according to the sequence of the Internet of things terminals, sequentially using the key of the first key chain as a dual key of each Internet of things terminal and the corresponding Internet of things gateway and a dual key between every two Internet of things terminals, and sending the keys to the corresponding Internet of things terminals and the corresponding Internet of things gateways.
In an embodiment of the present invention, the step of sequentially sending the keys of the second keychain to the corresponding internet of things gateways according to the sequence of the internet of things gateways includes:
and according to the sequence of the Internet of things gateways, sequentially using the keys of the second key chain as the dual key of each Internet of things gateway and the server, the dual key between every two Internet of things gateways and the broadcast key, and sending the keys to the corresponding Internet of things gateways and the corresponding Internet of things terminals.
In one embodiment of the invention, the step of generating the first keychain and the second keychain from the first one-way function and the second one-way function, respectively, comprises:
generating a 1 st key of the first key chain according to the initialization seed and the first one-way function;
generating an i +1 th key of the first key chain according to the ith key of the first key chain and the first one-way function, wherein i is a natural number greater than 0;
generating a 1 st key of a second key chain according to the 1 st key of the first key chain and a second one-way function;
and generating a j +1 th key of the second key chain according to the j key of the second key chain and the second one-way function, wherein j is a natural number larger than 0.
In one embodiment of the invention, the method further comprises:
under the condition that the members of the Internet of things group change, broadcasting notification is carried out before the members of the Internet of things group change, wherein the change comprises change, addition or deletion;
and updating the key of the member of the Internet of things group.
In one embodiment of the present invention, the step of updating the key of the member of the internet of things group includes:
under the condition that the Internet of things gateway is changed, sending a key related to the Internet of things gateway before the change in the first key chain to the changed Internet of things gateway, and sending a key related to the Internet of things gateway before the change in the second key chain to the changed Internet of things gateway;
under the condition of adding an internet of things terminal, adding a corresponding key in the current first key chain, and sending the key to the corresponding internet of things terminal and the corresponding internet of things gateway, wherein the corresponding key comprises a dual key of the added internet of things terminal and the corresponding internet of things gateway and a dual key between the added internet of things terminal and an original internet of things terminal under the internet of things gateway;
or,
and under the condition that the members of the Internet of things group change, re-executing the step of sequencing the members of the Internet of things group.
According to another aspect of the present invention, there is provided a server for centrally controlled key management, comprising an ordering module, a random generator, a key chain generation module, and a key transmission module, wherein:
the sequencing module is used for sequencing the members of the Internet of things, wherein the members of the Internet of things comprise an Internet of things gateway and an Internet of things terminal;
a random generator for randomly generating an initialization seed;
the key chain generating module is used for respectively generating a first key chain and a second key chain according to the first one-way function and the second one-way function;
and the key sending module is used for sequentially sending the keys of the first key chain and the second key chain to the corresponding members of the Internet of things according to the sequence of the members of the Internet of things.
In an embodiment of the invention, the sorting module is used for sorting the internet of things gateway and the internet of things terminal respectively.
In one embodiment of the present invention, the key transmission module includes a first key transmission unit and a second key transmission unit, wherein:
the first key sending unit is used for sequentially sending the keys of the first key chain to the corresponding Internet of things terminals according to the sequence of the Internet of things terminals;
and the second key sending unit is used for sequentially sending the keys of the second key chain to the corresponding Internet of things gateways according to the sequence of the Internet of things gateways.
In an embodiment of the invention, the first key sending unit is configured to send the keys of the first key chain to the corresponding internet of things terminals and internet of things gateways according to the sequence of the internet of things terminals, wherein the keys of the first key chain are sequentially used as dual keys of each internet of things terminal and the corresponding internet of things gateway and dual keys between every two internet of things terminals; and the second key sending unit is used for sequentially using the keys of the second key chain as the dual key of each Internet of things gateway and the server, the dual key between every two Internet of things gateways and the broadcast key according to the sequence of the Internet of things gateways and sending the keys to the corresponding Internet of things gateways and the corresponding Internet of things terminals.
In one embodiment of the invention, the keychain generation module comprises a first key generation unit and a second key generation unit, wherein:
a first key generation unit, configured to generate a 1 st key of the first keychain according to the initialization seed and the first one-way function; generating an i +1 th key of the first key chain according to the ith key of the first key chain and the first one-way function, wherein i is a natural number greater than 0;
a second key generation unit, configured to generate a 1 st key of a second keychain according to the 1 st key of the first keychain and a second one-way function; and generating a j +1 th key of the second key chain according to the j key of the second key chain and a second one-way function, wherein j is a natural number greater than 0.
In one embodiment of the present invention, the server further comprises a change notification module and a key update module, wherein:
the change notification module is used for broadcasting notification before the change of the members of the Internet of things group occurs under the condition that the members of the Internet of things group change, wherein the change comprises change, addition or deletion;
and the key updating module is used for updating the key of the member of the Internet of things group.
In an embodiment of the invention, the key updating module is configured to, in a case where the internet of things gateway is changed, send a key in the first key chain, which is related to the internet of things gateway before the change, to the changed internet of things gateway, and send a key in the second key chain, which is related to the internet of things gateway before the change, to the changed internet of things gateway; under the condition of adding an internet of things terminal, adding a corresponding key in the current first key chain, and sending the key to the corresponding internet of things terminal and the corresponding internet of things gateway, wherein the corresponding key comprises a dual key of the added internet of things terminal and the corresponding internet of things gateway and a dual key between the added internet of things terminal and an original internet of things terminal under the internet of things gateway; or, when the internet of things group member changes, the ordering module is instructed to re-execute the operation of ordering the internet of things group member.
According to the invention, the corresponding dual keys are set for the communication of different members of the Internet of things group, so that the safety of information transmission in the Internet of things environment is enhanced, and the risk of information stealing is greatly reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic diagram of an embodiment of a method for centrally controlled key management according to the present invention.
Fig. 2 is a diagram illustrating the generation of a keychain by a one-way function in one embodiment of the invention.
Fig. 3 is a diagram illustrating another embodiment of the method for centrally controlled key management according to the present invention.
Fig. 4 is a schematic diagram of a service implementation scenario of the internet of things in an embodiment of the present invention.
Fig. 5 is a schematic diagram of the internet of things gateway after being changed in the internet of things service implementation scenario of fig. 4.
Fig. 6 is a schematic diagram of the internet of things terminal added in the internet of things service implementation scenario of fig. 4.
Fig. 7 is a diagram illustrating an embodiment of a server for centrally controlled key management according to the present invention.
Fig. 8 is a schematic diagram of a keychain generation module in one embodiment of the invention.
Fig. 9 is a diagram of a keychain sending module according to an embodiment of the invention.
Fig. 10 is a diagram of another embodiment of the server for centrally controlled key management according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a schematic diagram of an embodiment of a method for centrally controlled key management according to the present invention. Preferably, the present embodiment may be performed by a server for centrally controlled key management. The method comprises the following steps:
and establishing a three-layer group communication system for all the nodes of the Internet of things, wherein each leaf node corresponds to one terminal member DM of the Internet of things, the root node corresponds to a server root node SR, and the other nodes are gateway nodes GM of the Internet of things.
Step 101, ordering internet of things group members, wherein the internet of things group members comprise an internet of things gateway (internet of things gateway node) GM and an internet of things terminal (internet of things terminal member) DM.
In one embodiment of the present invention, step 101 may comprise: and respectively sequencing the gateway GM of the Internet of things and the terminal DM of the Internet of things.
At step 102, an initialization seed S is randomly generated by using a random generator.
Step 103, generating a first keychain { K } and a second keychain { K } according to the first one-way function f and the second one-way function g, respectively.
In one embodiment of the present invention, the first one-way function f and the second one-way function g may be quadratic one-way functions.
In one embodiment of the present invention, as shown in fig. 2, step 103 may comprise:
step 1031, generating the 1 st key k of the first keychain { k } according to the initialization seed S and the first one-way function f1。
Step 1032, the ith key k from the first keychain { k }, is appliediAnd a first one-way function f generating the (i + 1) th key k of the first keychain { k }i+1Wherein i is a natural number greater than 0.
Step 1033, the 1 st key k from the first keychain { k }1And a second one-way function g generates a 1 st key K of a second keychain { K }1。
Step 1034, the jth key K from the second keychain { K }jAnd a second one-way function g generates a j +1 th key K of a second keychain { K }j+1Wherein j is a natural number greater than 0.
And step 104, sequentially sending the keys of the first key chain { K } and the second key chain { K } to the corresponding members of the internet of things group according to the sequence of the members of the internet of things group.
In one embodiment of the present invention, step 104 may comprise:
and 1041, according to the sequence of the terminals of the internet of things, sequentially using the key of the first key chain { k } as a dual key of each terminal of the internet of things and the corresponding gateway of the internet of things and a dual key between every two terminals of the internet of things, and sending the keys to the corresponding terminals of the internet of things and the gateways of the internet of things.
And 1042, according to the sequence of the internet of things gateways, sequentially using the key of the second key chain { K } as a dual key of each internet of things gateway and the server, a dual key between every two internet of things gateways and a broadcast key, and sending the keys to the corresponding internet of things gateways and the corresponding internet of things terminals.
Based on the method for centrally controlling key management provided by the embodiment of the invention, the server can generate corresponding dual keys for the terminals of the internet of things in advance, generate corresponding dual keys for each terminal of the internet of things and the corresponding gateway of the internet of things, and send the dual keys to the corresponding terminals of the internet of things and the gateway of the internet of things; and generating a corresponding dual key between each Internet of things gateway and the server, generating a corresponding dual key between every two Internet of things gateways, generating a broadcast key, and sending the broadcast key to the corresponding Internet of things gateway and the corresponding Internet of things terminal.
Therefore, the secret key for communication in the embodiment of the invention cannot be obtained by other internet of things equipment, so that the safety of information transmission in the environment of the internet of things is enhanced, and the risk of information stealing is greatly reduced; therefore, the method is suitable for the fields of Machine to Machine (M2M) information transmission with certain safety requirements, Internet of things terminals with higher requirements on safety and real-time performance and the like.
Fig. 3 is a diagram illustrating another embodiment of the method for centrally controlled key management according to the present invention. Preferably, the present embodiment may be performed by a server for centrally controlled key management. The method comprises the following steps:
step 301, a server root node SR establishes a secure communication channel with an internet of things gateway GM and an internet of things terminal DM, respectively.
Step 302, initializing the members of the Internet of things group; respectively sequencing an Internet of things gateway GM and an Internet of things terminal DM; the SR generates an initialization seed S by a random generator.
In step 303, the two one-way functions f and g stored in the SR are used to calculate and generate the keychain, and the SR stores the initialization seed S corresponding to the corresponding DM and the generated two keychains { K } and { K } in the memory. The specific steps for generating the key chains K and K are the same as or similar to step 103 in the embodiment of fig. 1 and the embodiment of fig. 2, and will not be described in detail here.
And 304, the SR sequentially uses the key of the first key chain { k } as a dual key of each Internet of things terminal and the corresponding Internet of things gateway and a dual key between every two Internet of things terminals according to the sequence of the Internet of things terminals through a safety channel between the SR and the DM and a safety channel between the SR and the GM, and sends the keys to the corresponding Internet of things terminals and the Internet of things gateways.
For example: in the scenario for implementing the service of the internet of things in the embodiment of fig. 4 of the present invention, after the gateways GM and the terminals DM of the internet of things are sorted, two gateways GM1 and GM2 of the internet of things are included under SR, three terminals DM1, DM2 and DM3 of the internet of things correspond to the gateway GM1 of the internet of things, and two terminals DM4 and DM5 of the internet of things correspond to the gateway GM2 of the internet of things.
At this point, the 1 st through 5 th keys (i.e., k) in the first keychain { k }, are combined1To k is5) Set to dual keys between DM1 and GM1, DM2 and GM1, DM3 and GM1, DM4 and GM2, DM5 and GM2, respectively; the 6 th to 9 th keys (i.e., k) in the first keychain { k }6To k is9) Set as dual keys between DM1 and DM2, DM1 and DM3, DM2 and DM3, DM4 and DM5, respectively.
Then, the SR passes through a safety channel between the SR and the GM to connect k1To k is3Sends it to GM1, and k4To k is5Sent to GM 2.
At the same time, SR passes through the secure channel between DM and SR, and k is1、k6、k7Sending to DM1, k2、k6、k8Sending to DM2, k3、k7、k8Sending to DM3, k4、k9Sending to DM4, k5、k9To DM 5.
And 305, the SR sequentially uses the key of the second key chain { K } as a dual key of each Internet of things gateway and the server, a dual key between every two Internet of things gateways and a broadcast key according to the sequence of the Internet of things gateways through a security channel between the SR and the DM and a security channel between the SR and the GM, and sends the keys to the corresponding Internet of things gateways and the corresponding Internet of things terminals.
For example: for the service implementation scenario of the internet of things in the embodiment of fig. 4 of the present invention, step 305 may specifically include:
the 1 st and 2 nd keys (i.e., K) in the second key chain { K }1、K2) Set as dual keys between SR and GM1, SR and GM2, respectively; the 3 rd key (i.e., K) in the second keychain { K }3) Is set asA dual key between GM1 and GM 2; the 4 th key (i.e., K) in the second keychain { K }4) Set to the broadcast key.
Then, the SR passes through a safety channel between the SR and the GM to set K1、K3、K4Sending it to GM1 to send K2、K3、K4Sent to GM 2.
At the same time, SR broadcasts the key K through a secure channel between the SR and DM4To each of DM1 through DM5, respectively.
And 306, under the condition that the member of the internet of things group changes, broadcasting notification before the member of the internet of things group changes, wherein the change of the member of the internet of things group comprises at least one of changes, such as change, addition, deletion and the like.
And 307, updating the key of the member of the Internet of things group.
How to update the key in step 307 is further described below with reference to specific situations that several internet-of-things group members change:
firstly, the gateway of the internet of things is changed.
For example: in the service implementation scenario of the internet of things shown in fig. 5, the gateway GM1 of the internet of things in the service implementation scenario of the internet of things shown in fig. 4 is changed to a GM 3. In this case, step 307 may include: key (k) in the first keychain { k } relating to the pre-change IOT gateway GM11To k is3) Sending the information to the changed gateway GM3 of the Internet of things; and the key (K) in the second key chain { K } related to the pre-change IOT gateway GM11、K3、K4) And sending the information to the changed gateway GM3 of the Internet of things.
And secondly, for the situation that the internet of things terminal is newly added.
For example: in the service implementation scenario of the internet of things shown in fig. 6, an internet of things terminal DM6 is added in the service implementation scenario of the internet of things shown in fig. 4. In this case, step 301 may further include: the server root node SR establishes a secure communication channel with the internet of things terminal DM 6.
In this case, step 307 may include: adding a correspondence to the current first keychain kThe corresponding key comprises a dual key k of the newly added Internet of things terminal DM6 and the corresponding Internet of things gateway GM110And a dual key (k) between the terminal DM6 of the newly added Internet of things and the terminal DM1 of the original Internet of things (DM1, DM2 and DM3) under the gateway of the Internet of things11、k12And k13). Then k is put10、k11、k12、k13And a broadcast key K4Sending the information to a newly added Internet of things terminal DM 6; will k10Sending an internet of things gateway GM 1; and will k11、k12And k13And respectively sending the data to the original internet of things terminals DM1, DM2 and DM 3.
And thirdly, deleting the terminal of the internet of things.
If the internet of things terminal DM3 is deleted in the internet of things service implementation scenario shown in fig. 4, it may be indicated that the keys of other internet of things group members remain unchanged, or may be indicated that the keys related to DM3 are deleted by the other internet of things group members.
In another embodiment of the present invention, in case of a change of the members of the internet of things group (for example, in the above three cases), the step of sorting the members of the internet of things group (step 302) may be performed again, that is, the GM and the DM are randomly re-randomly sorted to generate new keychains { K } and { K }, and simultaneously the GM and the DM are put into the key to be changed synchronously.
And 308, the internet of things group members communicate with each other and perform bidirectional authentication through the dual key.
In the embodiment of the invention, on the basis of the embodiment shown in fig. 1, the server root node SR establishes the secure communication channels with the gateway GM of the internet of things and the terminal DM of the internet of things respectively to send the generated secret key, so that the security of information transmission in the environment of the internet of things is further improved, and the risk of information stealing is further reduced.
Meanwhile, the embodiment of the invention can update the key of the member of the internet of things under the condition that the member of the internet of things member changes. For example, when a DM is added or deleted or a GM is changed, the SR may ensure synchronous authentication between a new GM and a DM by downloading a new key to the new GM, updating the key at the DM, and synchronizing with the related DM.
Fig. 7 is a diagram illustrating an embodiment of a server for centrally controlled key management according to the present invention. The server comprises a sorting module 71, a random generator 72, a key chain generation module 73 and a key sending module 74, wherein:
the sorting module 71 is configured to sort internet of things group members, where the internet of things group members include an internet of things gateway and an internet of things terminal.
In an embodiment of the present invention, the sorting module 71 may be specifically configured to sort the internet of things gateway and the internet of things terminal respectively.
A random generator 72 for randomly generating an initialization seed.
A keychain generation module 73, configured to generate a first keychain { K } and a second keychain { K } according to the first one-way function f and the second one-way function g, respectively.
In one embodiment of the present invention, as shown in fig. 8, the key chain generating module 73 includes a first key generating unit 731 and a second key generating unit 732, where:
a first key generation unit 731 for generating a 1 st key of the first keychain { k } according to the initialization seed and the first one-way function f; and generating the (i + 1) th key of the first keychain { k } according to the ith key of the first keychain { k } and the first one-way function f, see the embodiment shown in fig. 2, where i is a natural number greater than 0.
A second key generation unit 732 for generating a 1 st key of the second keychain { K } from the 1 st key of the first keychain { K } and the second one-way function g; and generating the j +1 th key of the second key chain { K } according to the j-th key of the second key chain { K } and the second one-way function g, see the embodiment shown in FIG. 2, wherein j is a natural number greater than 0.
And the key sending module 74 is configured to send the keys of the first keychain { K } and the second keychain { K } to the corresponding internet-of-things group members in sequence according to the order of the internet-of-things group members.
In an embodiment of the present invention, as shown in fig. 9, the key sending module 74 may specifically include a first key sending unit 741 and a second key sending unit 742, where:
the first key sending unit 741, configured to sequentially send the keys of the first key chain { k } to the corresponding internet of things terminals according to the order of the internet of things terminals.
In a preferred embodiment of the present invention, the first key sending unit 731 is specifically configured to send the key of the first key chain { k } to the corresponding internet of things terminal and the internet of things gateway, in turn as the dual key of each internet of things terminal and the corresponding internet of things gateway, and the dual key between every two internet of things terminals, according to the sequence of the internet of things terminals.
And a second key sending unit 742, configured to sequentially send the keys of the second key chain { K } to the corresponding internet of things gateways according to the order of the internet of things gateways.
In a preferred embodiment of the present invention, the second key sending unit 742 is specifically configured to, according to the sequence of the internet of things gateways, sequentially use the keys of the second key chain { K } as a dual key of each internet of things gateway and the server, a dual key between every two internet of things gateways, and a broadcast key, and send the keys to the corresponding internet of things gateways and the corresponding internet of things terminals.
Based on the server for centralized control type key management provided by the embodiment of the invention, the corresponding dual key can be generated between every two terminals of the internet of things in advance, and the corresponding dual key is generated for each terminal of the internet of things and the corresponding gateway of the internet of things and sent to the corresponding terminal of the internet of things and the gateway of the internet of things; and generating a corresponding dual key between each Internet of things gateway and the server, generating a corresponding dual key between every two Internet of things gateways, generating a broadcast key, and sending the broadcast key to the corresponding Internet of things gateway and the corresponding Internet of things terminal.
Therefore, the secret key for communication in the embodiment of the invention cannot be obtained by other internet of things equipment, so that the safety of information transmission in the environment of the internet of things is enhanced, and the risk of information stealing is greatly reduced; therefore, the method is suitable for the fields of M2M information transmission with certain safety requirements, Internet of things terminals with higher requirements on safety and real-time performance and the like.
Fig. 10 is a schematic diagram of another embodiment of the server for centrally controlled key management according to the present invention. In contrast to the embodiment shown in fig. 7, in the embodiment shown in fig. 10, the server may further include a change notification module 75 and a key update module 76, where:
the change notification module 75 is configured to perform broadcast notification before the change of the internet-of-things group member occurs when the change of the internet-of-things group member occurs, where the change of the internet-of-things group member includes at least one of changes such as changing, adding, and deleting.
And a key updating module 76, configured to update the key of the member of the internet of things group.
In an embodiment of the present invention, the key updating module 76 may be specifically configured to, in a case that the internet of things gateway is changed, send the key related to the internet of things gateway before the change in the first keychain { K } to the changed internet of things gateway, and instruct the key sending module 74 to send the key related to the internet of things gateway before the change in the second keychain { K } to the changed internet of things gateway; under the condition of adding an internet of things terminal, adding a corresponding key in the current first key chain { k }, and instructing the key sending module 74 to send the added corresponding key to the corresponding internet of things terminal and the internet of things gateway, wherein the corresponding key comprises a dual key of the added internet of things terminal and the corresponding internet of things gateway and a dual key between the added internet of things terminal and an original internet of things terminal under the internet of things gateway; or, in a case that the change of the internet-of-things group member occurs, instruct the ranking module 71 to re-perform the operation of ranking the internet-of-things group member.
According to the embodiment of the invention, the key of the member of the Internet of things can be updated under the condition that the member of the Internet of things member changes. For example, when a DM is added or deleted or a GM is changed, the SR may ensure synchronous authentication between a new GM and a DM by downloading a new key to the new GM, updating the key at the DM, and synchronizing with the related DM.
In one embodiment of the present invention, as shown in fig. 10, the server may further include a secure channel establishing module 77, wherein:
a secure channel establishing module 77, configured to respectively establish a secure communication channel between the server root node SR and the internet of things gateway GM and the internet of things terminal DM, so that the key sending module 74 sends the key generated by the key chain generating module 73 to a corresponding member of the internet of things through the secure communication channel.
On the basis of the above embodiments of the present invention, the secure channel establishing module 77 establishes secure communication channels with the gateway GM of the internet of things and the terminal DM of the internet of things respectively at the root node SR of the server to send the generated secret key, thereby further improving the security of information transmission in the environment of the internet of things and further reducing the risk of information theft.
The servers described above may be implemented as a general purpose processor, a Programmable Logic Controller (PLC), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any suitable combination thereof, for performing the functions described herein.
Thus far, the present invention has been described in detail. Some details well known in the art have not been described in order to avoid obscuring the concepts of the present invention. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
Claims (10)
1. A method for centrally controlled key management, comprising:
sequencing the members of the Internet of things, wherein the members of the Internet of things comprise an Internet of things gateway and an Internet of things terminal;
randomly generating an initialization seed;
respectively generating a first key chain and a second key chain according to the first one-way function and the second one-way function;
according to the sequence of the members of the Internet of things, keys of the first key chain and the second key chain are sequentially sent to the corresponding members of the Internet of things;
the step of sequencing the members of the Internet of things group comprises the following steps: sequencing the Internet of things gateway and the Internet of things terminal respectively;
the step of sequentially sending the keys of the first key chain and the second key chain to the corresponding members of the internet of things group according to the sequence of the members of the internet of things group comprises the following steps:
sequentially sending the keys of the first key chain to corresponding internet of things terminals according to the sequence of the internet of things terminals;
sequentially sending the keys of the second key chain to the corresponding internet of things gateways according to the sequence of the internet of things gateways;
the step of generating a first keychain and a second keychain from the first one-way function and the second one-way function, respectively, includes:
the 1 st key of the second keychain is generated according to the 1 st key of the first keychain and the second one-way function.
2. The method of claim 1,
the step of sequentially sending the keys of the first key chain to the corresponding internet of things terminals according to the sequence of the internet of things terminals comprises the following steps:
according to the sequence of the Internet of things terminals, the key of the first key chain is sequentially used as a dual key of each Internet of things terminal and the corresponding Internet of things gateway and a dual key between every two Internet of things terminals and is sent to the corresponding Internet of things terminal and the corresponding Internet of things gateway;
the step of sequentially sending the keys of the second key chain to the corresponding internet of things gateways according to the sequence of the internet of things gateways comprises the following steps:
and according to the sequence of the Internet of things gateways, sequentially using the keys of the second key chain as the dual key of each Internet of things gateway and the server, the dual key between every two Internet of things gateways and the broadcast key, and sending the keys to the corresponding Internet of things gateways and the corresponding Internet of things terminals.
3. The method of claim 1 or 2, wherein the step of generating the first keychain and the second keychain from the first one-way function and the second one-way function, respectively, further comprises:
generating a 1 st key of the first key chain according to the initialization seed and the first one-way function;
generating an i +1 th key of the first key chain according to the ith key of the first key chain and the first one-way function, wherein i is a natural number greater than 0;
and generating a j +1 th key of the second key chain according to the j key of the second key chain and the second one-way function, wherein j is a natural number larger than 0.
4. The method of claim 1 or 2, further comprising:
under the condition that the members of the Internet of things group change, broadcasting notification is carried out before the members of the Internet of things group change, wherein the change comprises change, addition or deletion;
and updating the key of the member of the Internet of things group.
5. The method of claim 1 or 2, wherein the step of updating the key of the member of the internet of things group comprises:
under the condition that the Internet of things gateway is changed, sending a key related to the Internet of things gateway before the change in the first key chain to the changed Internet of things gateway, and sending a key related to the Internet of things gateway before the change in the second key chain to the changed Internet of things gateway;
under the condition of adding an internet of things terminal, adding a corresponding key in the current first key chain, and sending the key to the corresponding internet of things terminal and the corresponding internet of things gateway, wherein the corresponding key comprises a dual key of the added internet of things terminal and the corresponding internet of things gateway and a dual key between the added internet of things terminal and an original internet of things terminal under the internet of things gateway;
or,
and under the condition that the members of the Internet of things group change, re-executing the step of sequencing the members of the Internet of things group.
6. A server for centrally controlled key management, comprising an ordering module, a random generator, a key chain generation module, and a key transmission module, wherein:
the sequencing module is used for sequencing the members of the Internet of things, wherein the members of the Internet of things comprise an Internet of things gateway and an Internet of things terminal;
a random generator for randomly generating an initialization seed;
the key chain generating module is used for respectively generating a first key chain and a second key chain according to the first one-way function and the second one-way function;
the key sending module is used for sequentially sending the keys of the first key chain and the second key chain to the corresponding members of the Internet of things according to the sequence of the members of the Internet of things;
the sequencing module is used for sequencing the Internet of things gateway and the Internet of things terminal respectively;
the key sending module comprises a first key sending unit and a second key sending unit, wherein:
the first key sending unit is used for sequentially sending the keys of the first key chain to the corresponding Internet of things terminals according to the sequence of the Internet of things terminals;
the second key sending unit is used for sequentially sending the keys of the second key chain to the corresponding Internet of things gateways according to the sequence of the Internet of things gateways;
the keychain generation module includes a second key generation unit, wherein:
and the second key generation unit is used for generating the 1 st key of the second key chain according to the 1 st key of the first key chain and the second one-way function.
7. The server according to claim 6,
the first key sending unit is used for sequentially using keys of the first key chain as dual keys of each Internet of things terminal and the corresponding Internet of things gateway and dual keys between every two Internet of things terminals according to the sequence of the Internet of things terminals and sending the keys to the corresponding Internet of things terminals and the Internet of things gateways;
and the second key sending unit is used for sequentially using the keys of the second key chain as the dual key of each Internet of things gateway and the server, the dual key between every two Internet of things gateways and the broadcast key according to the sequence of the Internet of things gateways and sending the keys to the corresponding Internet of things gateways and the corresponding Internet of things terminals.
8. The server according to claim 6 or 7, wherein the key chain generation module further comprises a first key generation unit, wherein:
a first key generation unit, configured to generate a 1 st key of the first keychain according to the initialization seed and the first one-way function; generating an i +1 th key of the first key chain according to the ith key of the first key chain and the first one-way function, wherein i is a natural number greater than 0;
and the second key generation unit is further used for generating a j +1 th key of the second key chain according to a j-th key of the second key chain and the second one-way function, wherein j is a natural number greater than 0.
9. The server according to claim 6 or 7, further comprising a change notification module and a key update module, wherein:
the change notification module is used for broadcasting notification before the change of the members of the Internet of things group occurs under the condition that the members of the Internet of things group change, wherein the change comprises change, addition or deletion;
and the key updating module is used for updating the key of the member of the Internet of things group.
10. The server according to claim 6 or 7,
the key updating module is used for sending a key related to the internet of things gateway before change in the first key chain to the internet of things gateway after change and sending a key related to the internet of things gateway before change in the second key chain to the internet of things gateway after change under the condition that the internet of things gateway is changed; under the condition of adding an internet of things terminal, adding a corresponding key in the current first key chain, and sending the key to the corresponding internet of things terminal and the corresponding internet of things gateway, wherein the corresponding key comprises a dual key of the added internet of things terminal and the corresponding internet of things gateway and a dual key between the added internet of things terminal and an original internet of things terminal under the internet of things gateway; or, when the internet of things group member changes, the ordering module is instructed to re-execute the operation of ordering the internet of things group member.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610222494.7A CN107294932B (en) | 2016-04-12 | 2016-04-12 | Method and server for centralized control type key management |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610222494.7A CN107294932B (en) | 2016-04-12 | 2016-04-12 | Method and server for centralized control type key management |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107294932A CN107294932A (en) | 2017-10-24 |
| CN107294932B true CN107294932B (en) | 2019-11-15 |
Family
ID=60093658
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610222494.7A Active CN107294932B (en) | 2016-04-12 | 2016-04-12 | Method and server for centralized control type key management |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107294932B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108449756B (en) * | 2018-06-29 | 2020-06-05 | 北京邮电大学 | System, method and device for updating network key |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101044754A (en) * | 2004-11-12 | 2007-09-26 | 三星电子株式会社 | Method of managing user key for broadcast encryption |
| CN102131195A (en) * | 2011-04-25 | 2011-07-20 | 上海电机学院 | Wireless sensor network key distribution and management protocol based on multiple hash chains |
| CN103702325A (en) * | 2013-12-19 | 2014-04-02 | 华南理工大学 | Lightweight wireless sensor network safety small data distribution method |
| CN103765857A (en) * | 2011-06-21 | 2014-04-30 | 高通股份有限公司 | Secure client authentication and network service authorization |
| CN103957101A (en) * | 2014-05-15 | 2014-07-30 | 三星电子(中国)研发中心 | Group key establishing method in group communication |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8737745B2 (en) * | 2012-03-27 | 2014-05-27 | The Nielsen Company (Us), Llc | Scene-based people metering for audience measurement |
-
2016
- 2016-04-12 CN CN201610222494.7A patent/CN107294932B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101044754A (en) * | 2004-11-12 | 2007-09-26 | 三星电子株式会社 | Method of managing user key for broadcast encryption |
| CN102131195A (en) * | 2011-04-25 | 2011-07-20 | 上海电机学院 | Wireless sensor network key distribution and management protocol based on multiple hash chains |
| CN103765857A (en) * | 2011-06-21 | 2014-04-30 | 高通股份有限公司 | Secure client authentication and network service authorization |
| CN103702325A (en) * | 2013-12-19 | 2014-04-02 | 华南理工大学 | Lightweight wireless sensor network safety small data distribution method |
| CN103957101A (en) * | 2014-05-15 | 2014-07-30 | 三星电子(中国)研发中心 | Group key establishing method in group communication |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107294932A (en) | 2017-10-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109462483B (en) | Block chain based mail evidence storage method, device, equipment and storage medium | |
| CN104219328B (en) | The share system and sharing method of a kind of internet of things equipment | |
| CN110601814A (en) | Federal learning data encryption method, device, equipment and readable storage medium | |
| CN107846289B (en) | Method, electronic equipment and system for supporting artificial participation block chain decision | |
| CN109565518B (en) | Method and system for interchangeable content retrieval | |
| DE112008002768T5 (en) | Submitting cryptographic information in network transmissions | |
| CN112292708B (en) | Presentation system and method with real-time feedback | |
| US20200037119A1 (en) | Method for regrouping multiple groups and device | |
| CN108881354A (en) | A kind of pushed information storage method, device, server and computer storage medium | |
| CN107438981A (en) | Across controller failure switching and the wireless client business continuance of balancing the load | |
| CA2877359A1 (en) | Network filter | |
| CN107018524A (en) | Network configuration information management method and system, Cloud Server based on Cloud Server | |
| CN109510758A (en) | Session establishing method, terminal, third-party application server and system | |
| CN107294932B (en) | Method and server for centralized control type key management | |
| CN108206738B (en) | Quantum key output method and system | |
| WO2018175781A1 (en) | System and method for mesh network streaming | |
| CN113472734B (en) | Identity authentication method and device | |
| CN109660381A (en) | Distribution management method, device, server and storage medium | |
| CN112100145B (en) | Digital model sharing learning system and method | |
| CN104270800A (en) | Method and system for establishing communication connection with terminal | |
| CN111447247A (en) | On-site ticket checking system | |
| US8082444B1 (en) | System and method for adding new network devices to an existing network | |
| JP2009038416A (en) | Multicast communication system, and group key management server | |
| CN105933352B (en) | Method of data synchronization, client and system between client-based server | |
| CN113852624A (en) | Data cross-network transmission method, device and computer medium thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |