CN109120405A - Terminal secure access method, apparatus and system - Google Patents
Publication number: CN109120405A (application CN201811274285.2A)
Authority: CN (China)
Prior art keywords: terminal, message, gateway, key, essential information
Legal status: Granted
Classifications (CPC)
- H04L9/0838 - Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L67/141 - Setup of application sessions
- H04L69/164 - Adaptation or special uses of UDP protocol
- H04L9/0869 - Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/3247 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a terminal secure access method, apparatus and system. The method comprises: receiving an identity authentication and key negotiation request message sent by a terminal; judging whether an access agreement (the negotiated access relationship) exists with the terminal; when no access agreement exists with the terminal, sending a get-terminal-basic-information message to the terminal according to the identity authentication and key negotiation request message; obtaining the terminal basic information message that the terminal returns in reply to the get-terminal-basic-information message; and sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal and establishing the access agreement with the terminal. By implementing the invention, terminal access based on UDP can be realized, so that connectionless-protocol terminals can be accessed with reduced protocol overhead; at the same time the key negotiation process between the terminal and the gateway has no binding relationship with a TCP connection, so the terminal can freely choose connectionless or short-connection communication, which is especially advantageous for terminals that access in short-message or short-connection mode.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a terminal secure access method, apparatus and system.
Background technique
Traditionally, terminal secure access has been realized mainly with VPN technology, of which there are two kinds: SSL-VPN and IPSec-VPN. IPSec-VPN requires a VPN gateway to be deployed on both the terminal side and the access-network side, so it is usually only suitable for building a secure channel between networks. SSL-VPN only needs a VPN gateway on the access-network side, with dialer software deployed on the terminal side, so it is commonly used to give a large number of distributed terminals access to a core network.
Because SSL-VPN only needs a VPN gateway on the access-network side, its range of application is wider, but when SSL-VPN builds its channel it forms a binding with a transport-layer TCP connection: one terminal access must be bound to one TCP connection. This means SSL-VPN cannot support the connectionless short-message communication pattern based on UDP. In electric power industrial control systems, the communication protocols between the various power industrial control terminals and the control centre are largely based on UDP, because the number of terminals in a power industrial control network is huge and the required communication delay is low, so the protocol overhead of using TCP would be unbearable. For such power industrial control terminals using the UDP connectionless communication mode, secure access cannot be realized with SSL-VPN.
Summary of the invention
In view of this, embodiments of the invention provide a terminal secure access method, apparatus and system, so as to solve the technical problem in the prior art that electric power industrial control terminals using the UDP connectionless communication mode cannot realize secure access with SSL-VPN.
The technical solution proposed by the invention is as follows:
A first aspect of the embodiments of the invention proposes a terminal secure access method, comprising: receiving an identity authentication and key negotiation request message sent by a terminal; judging whether a negotiated key within its validity period exists with the terminal; when no negotiated key within its validity period exists with the terminal, sending a get-terminal-basic-information message to the terminal according to the identity authentication and key negotiation request message; obtaining the terminal basic information message that the terminal returns in reply to the get-terminal-basic-information message; and sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal and establishing the access agreement with the terminal.
Preferably, sending the key negotiation message to the terminal according to the terminal basic information message, carrying out the key negotiation session with the terminal and establishing the access agreement with the terminal comprises: receiving the key negotiation response message that the terminal sends according to the key negotiation message; and sending a key negotiation confirmation message to the terminal according to the key negotiation response message, thereby establishing the access agreement with the terminal.
A second aspect of the embodiments of the invention proposes a terminal secure access method, comprising: sending an identity authentication and key negotiation request message to a gateway; receiving the get-terminal-basic-information message sent by the gateway; sending a terminal basic information message to the gateway according to the get-terminal-basic-information message; obtaining the key negotiation message that the gateway sends according to the terminal basic information message; and carrying out a key negotiation session with the gateway according to the key negotiation message, establishing the access agreement with the gateway.
Preferably, carrying out the key negotiation session with the gateway according to the key negotiation message and establishing the access agreement with the gateway comprises: sending a key negotiation response message to the gateway according to the key negotiation message; receiving the key negotiation confirmation message fed back by the gateway; and establishing the access agreement with the gateway according to the key negotiation confirmation message.
A third aspect of the embodiments of the invention proposes a terminal secure access apparatus, comprising: a request message receiving module, for receiving the identity authentication and key negotiation request message sent by a terminal; a key negotiation judging module, for judging whether a negotiated key within its validity period exists with the terminal; a basic information sending module, for sending a get-terminal-basic-information message to the terminal according to the identity authentication and key negotiation request message when no negotiated key within its validity period exists with the terminal; a basic information receiving module, for obtaining the terminal basic information message that the terminal returns in reply to the get-terminal-basic-information message; and an access module, for sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal and establishing the access agreement with the terminal.
Preferably, the access module comprises: a response message receiving sub-module, for receiving the key negotiation response message that the terminal sends according to the key negotiation message; and a confirmation sub-module, for sending a key negotiation confirmation message to the terminal according to the key negotiation response message and establishing the access agreement with the terminal.
A fourth aspect of the embodiments of the invention proposes a terminal secure access apparatus, comprising: a request message sending module, for sending an identity authentication and key negotiation request message to a gateway; a terminal basic information receiving module, for receiving the get-terminal-basic-information message sent by the gateway; a terminal basic information sending module, for sending a terminal basic information message to the gateway according to the get-terminal-basic-information message; a negotiation message receiving module, for obtaining the key negotiation message that the gateway sends according to the terminal basic information message; and a terminal access module, for carrying out a key negotiation session with the gateway according to the key negotiation message and establishing the access agreement with the gateway.
Preferably, the terminal access module comprises: a response message sending sub-module, for sending a key negotiation response message to the gateway according to the key negotiation message; a confirmation message receiving sub-module, for receiving the key negotiation confirmation message sent by the gateway; and a terminal access sub-module, for establishing the access agreement with the gateway according to the key negotiation confirmation message.
A fifth aspect of the embodiments of the invention proposes a terminal secure access system, comprising a terminal and a gateway. The terminal sends an identity authentication and key negotiation request message to the gateway, and the gateway receives it; the gateway judges whether key negotiation with the terminal has been completed according to whether an access agreement has been established with the terminal; when the gateway judges that key negotiation with the terminal has not been completed, it sends a get-terminal-basic-information message to the terminal according to the identity authentication and key negotiation request message; the terminal receives the get-terminal-basic-information message sent by the gateway and sends a terminal basic information message to the gateway according to it; the gateway obtains the terminal basic information message and sends a key negotiation message to the terminal according to it; the terminal obtains the key negotiation message, carries out a key negotiation session with the gateway according to it, and establishes the access agreement with the gateway.
Preferably, the terminal secure access system further comprises a back-end communication service component and a server. After the terminal has established the access agreement with the gateway, the terminal sends an uplink data message to the gateway; the gateway receives the uplink data message, decrypts it and sends the decrypted uplink data message to the back-end communication service component; the back-end communication service component receives the decrypted uplink data message and sends it to the server; the server receives the decrypted uplink data message, generates a downlink data message according to it, and sends the downlink data message to the gateway through the back-end communication service component; the gateway receives the downlink data message, encrypts it and sends it to the terminal; the terminal receives the encrypted downlink data message, decrypts it and obtains the downlink data message.
Preferably, the terminal secure access system further comprises a front-end communication service component. The front-end communication service component receives the uplink data message sent by the terminal and sends it to the gateway; it receives the encrypted downlink data message sent by the gateway and sends it to the terminal.
The technical solution of the invention has the following advantages:
In the terminal secure access method, system and apparatus provided by the embodiments of the invention, the gateway completes key negotiation with the terminal by obtaining the terminal's basic information, which realizes the terminal's on-line process. This process has no binding relationship with a TCP connection, so terminal access based on UDP can be realized, connectionless-protocol terminals can be accessed, and protocol overhead is reduced. At the same time the key negotiation process between the terminal and the gateway also has no binding relationship with a TCP connection; it is related only to the key negotiation period, and within one period a terminal that comes on line repeatedly does not need to renegotiate the key. The terminal therefore need not worry about the overhead of establishing connections and is not forced into a long-connection access mode; it can freely choose connectionless or short-connection communication, which is especially advantageous for a small number of gateways accepting a massive number of "Internet+" and Internet-of-Things terminals in short-message or short-connection mode.
Detailed description of the invention
In order to illustrate the specific embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the specific embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural block diagram of one specific example of the terminal secure access system in an embodiment of the invention;
Fig. 2 is a structural block diagram of another specific example of the terminal secure access system in an embodiment of the invention;
Fig. 3 is a structural block diagram of another specific example of the terminal secure access system in an embodiment of the invention;
Fig. 4 is a flow chart of one specific example of the terminal secure access method in an embodiment of the invention;
Fig. 5 is a flow chart of another specific example of the terminal secure access method in an embodiment of the invention;
Fig. 6 is a flow chart of another specific example of the terminal secure access method in an embodiment of the invention;
Fig. 7 is a structural block diagram of one specific example of the terminal secure access apparatus in an embodiment of the invention;
Fig. 8 is a structural block diagram of another specific example of the terminal secure access apparatus in an embodiment of the invention;
Fig. 9 is a structural block diagram of another specific example of the terminal secure access apparatus in an embodiment of the invention;
Fig. 10 is a structural block diagram of another specific example of the terminal secure access apparatus in an embodiment of the invention.
Specific embodiment
In order to make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are a part of the embodiments of the invention, not all of them. All other embodiments obtained by those skilled in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
An embodiment of the invention proposes a terminal secure access system which, as shown in Fig. 1, comprises a terminal 2 and a gateway 1. Terminal 2 sends an identity authentication and key negotiation request message to gateway 1, and gateway 1 receives it; gateway 1 judges whether key negotiation with terminal 2 has been completed according to whether an access agreement has been established with terminal 2; when gateway 1 judges that key negotiation with terminal 2 has not been completed, it sends a get-terminal-basic-information message to terminal 2 according to the identity authentication and key negotiation request message; terminal 2 receives the get-terminal-basic-information message sent by the gateway and sends a terminal basic information message to the gateway according to it; gateway 1 obtains the terminal basic information message and sends a key negotiation message to terminal 2 according to it; terminal 2 obtains the key negotiation message, carries out a key negotiation session with gateway 1 according to it, and establishes the access agreement with gateway 1.
The terminal secure access system provided by this embodiment defines a terminal secure access protocol oriented to connectionless authentication: gateway 1 completes key negotiation with terminal 2 by obtaining terminal 2's basic information, which realizes terminal 2's on-line process. This process has no binding relationship with a TCP connection, so terminal access based on UDP can be realized, connectionless-protocol terminals can be accessed, and protocol overhead is reduced. At the same time the key negotiation process between terminal 2 and gateway 1 also has no binding relationship with a TCP connection; it is related only to the key negotiation period, and within one period terminal 2 can come on line repeatedly without renegotiating the key. Terminal 2 therefore need not worry about the overhead of establishing connections and is not forced into a long-connection access mode; it can freely choose connectionless or short-connection communication, which is especially advantageous for a small number of gateways accepting a massive number of "Internet+" and Internet-of-Things terminals in short-message or short-connection mode.
In a preferred embodiment, terminal 2 can call an SDK component to send the identity authentication and key negotiation request message to gateway 1. The function of the SDK component is to call the terminal-side security chip and complete the key negotiation process between gateway 1 and terminal 2.
In a preferred embodiment, gateway 1 obtaining the terminal basic information message and sending a key negotiation message to the terminal according to it specifically comprises: gateway 1 generates session key material and a sequence number according to the obtained terminal basic information, applies cryptographic operations such as encryption and signing, packages the result into a key negotiation message and sends it to terminal 2. The key material and the sequence number are random values of length 32 generated by the gateway; they serve as the session key material and sequence number of this negotiation and must be regenerated for every negotiation.
In a preferred embodiment, terminal 2 obtaining the key negotiation message, carrying out a key negotiation session with gateway 1 according to it and establishing the access agreement with gateway 1 specifically comprises: terminal 2 obtains the key negotiation message and processes it by first verifying the signature; after the signature passes, it decrypts the encrypted message, generates its own session key material, applies operations such as encryption and signing, packages the result into a key negotiation response message, sends it to the gateway, and at the same time computes the symmetric key. Gateway 1 processes the key negotiation response message by first verifying the signature; after the signature passes, it decrypts the encrypted message, generates a key negotiation confirmation message, sends it to the terminal, and at the same time computes the symmetric key. Terminal 2 processes the key negotiation confirmation message; when it verifies correctly, the negotiation is confirmed complete and the access agreement with gateway 1 is established. The key material is a random value of length 32 that serves as the session key material of this negotiation and must be regenerated for every negotiation.
In a preferred embodiment, as shown in Fig. 2, the terminal secure access system further comprises a back-end communication service component 3 and a server 4. After terminal 2 has established the access agreement with gateway 1, terminal 2 sends an uplink data message to gateway 1; gateway 1 receives the uplink data message, decrypts it and sends it to back-end communication service component 3; component 3 receives the decrypted uplink data message and sends it to server 4; server 4 receives the decrypted uplink data message, generates a downlink data message according to it, and sends the downlink data message to gateway 1 through back-end communication service component 3; gateway 1 receives the downlink data message, encrypts it and sends it to terminal 2; terminal 2 receives the encrypted downlink data message, decrypts it and obtains the downlink data message.
In a preferred embodiment, once terminal 2 and gateway 1 have completed key negotiation and established the access agreement, terminal 2 can communicate bidirectionally with server 4. Here the accessing terminal 2 is a connectionless-protocol terminal. When terminal 2 sends an uplink data message to the gateway it first calls the SDK component to initiate the request; the SDK component packages the uplink data according to the proprietary protocol, then obtains the symmetric key and encrypts the uplink data message, and finally sends the packaged and encrypted uplink data message.
In a preferred embodiment, gateway 1 receiving the uplink data message, decrypting it and sending it to back-end communication service component 3 specifically comprises: after gateway 1 has decrypted the uplink data message, it randomly selects one of its TCP connections to back-end communication service component 3 and sends the uplink data message over it.
In a preferred embodiment, back-end communication service component 3 receiving the decrypted uplink data message and sending it to server 4 specifically comprises: component 3 receives the decrypted uplink data message, unwraps it according to the proprietary protocol, initiates a short connection to server 4 and forwards the restored original uplink data message to server 4.
In a preferred embodiment, server 4 receiving the decrypted uplink data message, generating a downlink data message according to it and sending the downlink data message to gateway 1 through back-end communication service component 3 specifically comprises: after server 4 has sent the downlink data message to component 3, component 3 packages the downlink data message according to the plaintext proprietary protocol, randomly selects one of its TCP connections to gateway 1 and forwards the packaged downlink data message over it, and disconnects the above short connection after forwarding.
In a preferred embodiment, gateway 1 receiving the downlink data message, encrypting it and sending it to terminal 2 specifically comprises: gateway 1 receives the downlink data message, parses it according to the proprietary protocol, obtains the number of terminal 2 from the proprietary protocol message header, obtains the corresponding symmetric key, encrypts the downlink data message and sends the encrypted downlink data message to terminal 2.
In a preferred embodiment, terminal 2 receiving the encrypted downlink data message, decrypting it and obtaining the downlink data message specifically comprises: terminal 2 receives the encrypted downlink data message, calls the SDK component to decrypt it, restores the original downlink data message and delivers it to terminal 2.
In a preferred embodiment, as shown in Fig. 3, the terminal secure access system further comprises a front-end communication service component 5. Component 5 receives the uplink data message sent by terminal 2 and sends it to gateway 1; it receives the encrypted downlink data message sent by gateway 1 and sends it to terminal 2.
In a preferred embodiment, the accessing terminal 2 can be a connection-oriented-protocol terminal. After such a terminal has accessed, it initiates a TCP connection to front-end communication service component 5. When terminal 2 communicates with server 4, it sends the packaged and encrypted uplink data message; component 5 receives the uplink data message over its TCP connection with terminal 2, randomly selects one of its TCP connections to gateway 1 and forwards the uplink data message to gateway 1 over it. When component 5 receives the encrypted, packaged downlink data message sent by gateway 1, it selects the TCP connection with terminal 2 and forwards the downlink data message to terminal 2 over it.
In the terminal secure access system provided by this embodiment, once terminal 2 has established the access agreement with gateway 1, bidirectional communication between terminal 2 and server 4 can also be realized. When terminal 2 is a connectionless-protocol terminal, the bidirectional communication between terminal 2 and server 4 can be realized directly. When a connection-oriented-protocol terminal accesses, deploying front-end communication service component 5 solves the problem of connection maintenance for such terminals, including connection establishment, disconnection, heartbeat maintenance and bidirectional forwarding of messages, so that a communication channel is provided for connection-oriented-protocol terminals.
An embodiment of the invention also provides a terminal secure access method which, as shown in Fig. 4, comprises:
Step 1: receive the identity authentication and key negotiation request message sent by the terminal. Specifically, the gateway receives the identity authentication and key negotiation request message that the terminal sends by calling the SDK component; the message header carries the terminal ID and the data field is empty. The function of the SDK component is to call the terminal-side security chip and complete the key negotiation process between the gateway and the terminal.
Step 2: judge whether a negotiated key within its validity period exists with the terminal. Specifically, the gateway looks up whether key negotiation with the terminal has been completed.
Step 3: when no negotiated key within its validity period exists with the terminal, send a get-terminal-basic-information message to the terminal according to the identity authentication and key negotiation request message. Specifically, the header of the get-terminal-basic-information message carries the terminal ID and its data field is empty.
Step 4: obtain the terminal basic information message that the terminal returns in reply to the get-terminal-basic-information message. Specifically, the header of the terminal basic information message carries the terminal ID and its data field contains the terminal certificate.
Step 5: send a key negotiation message to the terminal according to the terminal basic information message, carry out a key negotiation session with the terminal and establish the access agreement with the terminal.
In a preferred embodiment, shown in Figure 5, step 5 (issuing a key agreement message to the terminal according to the terminal basic information message, carrying out a key agreement session with the terminal and establishing the access protocol with the terminal) comprises:
Step 51: receive the key negotiation response message that the terminal issues in reply to the key agreement message;
Step 52: send a key agreement confirmation message to the terminal according to the key negotiation response message, establishing the access protocol with the terminal.
Specifically, the gateway extracts the terminal certificate from the terminal basic information it obtained, verifies the certificate's validity, generates session key material and a sequence number, packages them into a key agreement message after cryptographic operations such as encryption and signing, and sends it to the terminal. The key material and the sequence number are each a random number of length 32 generated by the gateway (the translation does not fix the unit; a 32-bit value would give far too little entropy for key material, so 32 bytes is the sensible reading); they serve as the session key material and sequence number of this negotiation and must be regenerated on every negotiation. The gateway then receives the key negotiation response message that the terminal returns for the key agreement message and processes it: it first verifies the signature and, only after the signature check passes, decrypts the encrypted message; it then generates a key agreement confirmation message, sends it to the terminal and at the same time computes the symmetric key, establishing the access protocol with the terminal.
Through steps 1 to 5 above, the terminal secure access method provided in this embodiment defines a terminal secure access protocol oriented to connectionless authentication: the gateway completes key negotiation with the terminal by obtaining the terminal's basic information, which realizes the terminal's online process. This process has no binding relationship with a TCP connection, so terminal access over UDP can be realized and connectionless-protocol terminals can be accessed, reducing protocol overhead. Likewise, the key negotiation process between terminal and gateway is not bound to a TCP connection but only to the key negotiation period: within one period, a terminal that comes online repeatedly need not renegotiate its key. The terminal therefore need not worry about the overhead of connection establishment and is not forced into a long-connection access mode; it can flexibly choose connectionless or short-connection communication, which is especially advantageous for accessing massive numbers of "Internet+" and Internet-of-Things terminals with a small number of gateways using short messages or short connections.
An embodiment of the present invention also provides a terminal secure access method, shown in Figure 6, which comprises:
Step S1: issue an authentication and key negotiation request message to the gateway. Specifically, the terminal calls its SDK component to issue the request to the gateway; the message header carries the terminal ID and the data field is empty. The function of the SDK component is to call the terminal-side security chip and complete the key negotiation process between terminal and gateway.
Step S2: receive the "get terminal basic information" message issued by the gateway. Specifically, when no access protocol exists between terminal and gateway, that is, when key negotiation has not been completed, the terminal receives this message from the gateway; its header carries the terminal ID and its data field is empty.
Step S3: issue a terminal basic information message to the gateway according to the "get terminal basic information" message. Specifically, the header of the terminal basic information message carries the terminal ID and its data field contains the terminal certificate.
Step S4: obtain the key agreement message that the gateway issues according to the terminal basic information message. Specifically, after obtaining the key agreement message the terminal processes it: it first verifies the signature and, only after the signature check passes, decrypts the encrypted message; it then generates its own session key material, packages it into a key negotiation response message after operations such as encryption and signing, and at the same time computes the symmetric key. The terminal's key material is likewise a random number of length 32, generated afresh for each negotiation.
Step S5: carry out a key agreement session with the gateway according to the key agreement message, establishing the access protocol with the gateway. Specifically, the terminal generates the key negotiation response message according to the key agreement message and sends it to the gateway; on receiving the key agreement confirmation message returned by the gateway it confirms that negotiation is complete and establishes the access protocol with the gateway.
Through steps S1 to S5 above, the terminal secure access method of this embodiment defines, from the terminal side, the same terminal secure access protocol oriented to connectionless authentication: the gateway completes key negotiation with the terminal by obtaining its basic information and brings the terminal online without any binding to a TCP connection, so UDP-based and other connectionless-protocol terminals can be accessed with reduced protocol overhead. The negotiated key is bound only to the key negotiation period, so a terminal that comes online repeatedly within one period does not renegotiate; it need not bear connection-establishment overhead, is not forced into long-connection access, and can flexibly choose connectionless or short-connection communication, which is especially advantageous for accessing massive numbers of "Internet+" and Internet-of-Things terminals with a small number of gateways using short messages or short connections.
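The exchange of steps 1 to 5 (gateway side) and S1 to S5 (terminal side) above, as an added, runnable example; it is not part of the patent and not the applicant's code. Both endpoints are modelled as datagram handlers keyed by terminal ID, so the gateway keeps the validity-period key cache of step 2 and the per-negotiation material of step 5 in its own tables rather than in a TCP connection, which is the property the summary paragraphs rely on. Everything the page does not fix is an assumption here: the message kind names, the JSON "certificate", 32 bytes as the length of key material and sequence number, a one-hour validity period, and above all the cryptography. In place of the patent's certificate-based signing and encryption of the key agreement messages (whose algorithms the page does not name), messages are authenticated with HMAC-SHA256 under a per-terminal enrollment secret that the gateway's trust store holds next to the certificate hash, and the symmetric key is derived by HMAC over both parties' fresh materials and the sequence number; because that secret is never transmitted, the materials need no separate encryption. A deployment would use the terminal certificate and the security chip in their place.

```python
import hashlib, hmac, json, secrets
from dataclasses import dataclass, field

MATERIAL_LEN = 32            # assumed: key material and sequence number are 32-byte random values
KEY_VALIDITY_SECONDS = 3600  # assumed length of one key negotiation period

# Header carries the terminal ID; data is empty for the request and GET_BASIC_INFO. 'tag' stands in
# for the signature on the key agreement messages (an HMAC here, not the patent's real signature).
@dataclass
class Message:
    kind: str
    terminal_id: str
    data: bytes = b""
    tag: bytes = b""

def _mac(key, msg):
    body = msg.kind.encode() + b"|" + msg.terminal_id.encode() + b"|" + msg.data
    return hmac.new(key, body, hashlib.sha256).digest()

def _tagged(key, kind, tid, data=b""):
    msg = Message(kind, tid, data)
    msg.tag = _mac(key, msg)
    return msg

def _session_key(secret, gw_material, term_material, seq):   # computed identically by both sides
    return hmac.new(secret, b"session|" + gw_material + term_material + seq, hashlib.sha256).digest()

@dataclass
class Gateway:
    trust: dict                                   # terminal_id -> {"cert_sha256", "secret"}; assumed trust store
    sessions: dict = field(default_factory=dict)  # terminal_id -> (symmetric key, expiry): the step 2 cache
    pending: dict = field(default_factory=dict)   # terminal_id -> (secret, gw_material, seq): step 5 state

    def handle(self, msg, now):
        tid = msg.terminal_id
        if msg.kind == "AUTH_KEY_NEG_REQ":                               # step 1
            cached = self.sessions.get(tid)
            if cached is not None and cached[1] > now:                   # step 2: key still in its period
                return Message("KEY_VALID", tid)                         # repeat online, no renegotiation
            return Message("GET_BASIC_INFO", tid)                        # step 3: empty data field
        if msg.kind == "BASIC_INFO":                                     # steps 4 and 5
            entry, cert = self.trust.get(tid), json.loads(msg.data)
            if (entry is None or cert.get("subject") != tid or cert.get("not_after", 0) <= now
                    or hashlib.sha256(msg.data).hexdigest() != entry["cert_sha256"]):
                return Message("REJECT", tid)                            # certificate not valid
            gw_material, seq = secrets.token_bytes(MATERIAL_LEN), secrets.token_bytes(MATERIAL_LEN)
            self.pending[tid] = (entry["secret"], gw_material, seq)       # regenerated every negotiation
            return _tagged(entry["secret"], "KEY_NEG", tid, gw_material + seq)
        if msg.kind == "KEY_NEG_RESP":                                   # steps 51 and 52
            secret, gw_material, seq = self.pending.pop(tid, (None, None, None))
            # verify before using any field; demanding our own sequence number back stops a stale response
            if secret is None or not hmac.compare_digest(msg.tag, _mac(secret, msg)) or msg.data[MATERIAL_LEN:] != seq:
                return Message("REJECT", tid)
            key = _session_key(secret, gw_material, msg.data[:MATERIAL_LEN], seq)
            self.sessions[tid] = (key, now + KEY_VALIDITY_SECONDS)
            return _tagged(key, "KEY_NEG_CONFIRM", tid, seq)             # under the new key: proves agreement
        return Message("REJECT", tid)

@dataclass
class Terminal:
    terminal_id: str
    cert: bytes                  # constructed JSON 'certificate' sent in BASIC_INFO
    secret: bytes                # enrollment secret standing in for the security chip's private key
    session_key: bytes = None

    def handle(self, msg):
        if msg.kind == "KEY_VALID":                                      # still inside the period
            return None
        if msg.kind == "GET_BASIC_INFO":                                 # S2 / S3
            return Message("BASIC_INFO", self.terminal_id, self.cert)
        if msg.kind == "KEY_NEG":                                        # S4: verify first, then use
            if not hmac.compare_digest(msg.tag, _mac(self.secret, msg)):
                raise ValueError("key agreement message failed verification")
            gw_material, seq = msg.data[:MATERIAL_LEN], msg.data[MATERIAL_LEN:]
            material = secrets.token_bytes(MATERIAL_LEN)                 # fresh every negotiation
            self.session_key = _session_key(self.secret, gw_material, material, seq)
            return _tagged(self.secret, "KEY_NEG_RESP", self.terminal_id, material + seq)
        if msg.kind == "KEY_NEG_CONFIRM":                                # S5
            if self.session_key is None or not hmac.compare_digest(msg.tag, _mac(self.session_key, msg)):
                raise ValueError("confirmation failed: gateway derived a different key")
            return None
        raise ValueError("negotiation rejected: " + msg.kind)

def enroll(terminal_id, not_after):
    """Constructed sample enrollment: the terminal's 'certificate' plus the gateway's trust entry."""
    cert = json.dumps({"subject": terminal_id, "not_after": not_after}).encode()
    secret = secrets.token_bytes(32)
    return Terminal(terminal_id, cert, secret), {"cert_sha256": hashlib.sha256(cert).hexdigest(), "secret": secret}

def negotiate(terminal, gateway, now):
    """Run the datagram exchange at time 'now' to completion; returns the message kinds in order."""
    transcript, msg = [], Message("AUTH_KEY_NEG_REQ", terminal.terminal_id)   # S1
    while msg is not None:
        transcript.append(msg.kind)
        reply = gateway.handle(msg, now)
        transcript.append(reply.kind)
        msg = terminal.handle(reply)
    return transcript
```

Calling `negotiate(term, gw, now)` twice inside one period returns the six-message transcript the first time and `['AUTH_KEY_NEG_REQ', 'KEY_VALID']` the second, which is the "repeat online without renegotiating" behaviour; after `KEY_VALIDITY_SECONDS` the full exchange runs again with fresh material. Two checks worth keeping in any real implementation: the response must carry the gateway's own sequence number back and is verified before any field is used, so an old response cannot be replayed into a new negotiation, and the confirmation is authenticated under the newly derived key, so each side proves it computed the same key. One design point the page leaves open: if the terminal loses its key (for instance on reboot) while the gateway's cached key is still within its period, the KEY_VALID short-circuit gives the terminal no way to renegotiate, so a deployment needs an explicit path for that case.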
An embodiment of the present invention also provides a terminal secure access device, shown in Figure 7, which comprises:
a request message receiving module 11, for receiving the authentication and key negotiation request message issued by the terminal; for details see step 1 of the embodiment above;
a key negotiation judging module 22, for judging whether a negotiated key within its validity period exists with the terminal; for details see step 2 of the embodiment above;
a basic information sending module 33, for issuing a "get terminal basic information" message to the terminal, according to the authentication and key negotiation request message, when no negotiated key within its validity period exists with the terminal; for details see step 3 of the embodiment above;
a basic information receiving module 44, for obtaining the terminal basic information message that the terminal returns in reply to the "get terminal basic information" message; for details see step 4 of the embodiment above;
an access module 55, for issuing a key agreement message to the terminal according to the terminal basic information message, carrying out a key agreement session with the terminal and establishing the access protocol with the terminal; for details see step 5 of the embodiment above.
Through modules 11 to 55 above, the terminal secure access device of this embodiment implements, on the gateway side, the terminal secure access protocol oriented to connectionless authentication described for steps 1 to 5: key negotiation is completed from the terminal's basic information and is bound only to the key negotiation period, not to a TCP connection, so UDP and other connectionless-protocol terminals can be accessed with reduced protocol overhead, a terminal that comes online repeatedly within one period does not renegotiate, and terminals can choose connectionless or short-connection communication instead of being forced into long connections, which is especially advantageous for accessing massive numbers of "Internet+" and Internet-of-Things terminals with a small number of gateways using short messages or short connections.
In a preferred embodiment, shown in Figure 8, the access module 55 comprises:
a response message receiving submodule 551, for receiving the key negotiation response message that the terminal issues in reply to the key agreement message;
a confirmation submodule 552, for sending a key agreement confirmation message to the terminal according to the key negotiation response message, establishing the access protocol with the terminal.
The functions of the terminal secure access device provided in this embodiment are described in detail with reference to the terminal secure access method in the embodiment above.
An embodiment of the present invention also provides a terminal secure access device, shown in Figure 9, which comprises:
a request message sending module 6, for issuing an authentication and key negotiation request message to the gateway; for details see step S1 of the embodiment above;
a terminal basic information receiving module 7, for receiving the "get terminal basic information" message issued by the gateway; for details see step S2 of the embodiment above;
a terminal basic information sending module 8, for issuing a terminal basic information message to the gateway according to the "get terminal basic information" message; for details see step S3 of the embodiment above;
a negotiation message receiving module 9, for obtaining the key agreement message that the gateway issues according to the terminal basic information message; for details see step S4 of the embodiment above;
a terminal access module 10, for carrying out a key agreement session with the gateway according to the key agreement message and establishing the access protocol with the gateway; for details see step S5 of the embodiment above.
Through modules 6 to 10 above, the terminal secure access device of this embodiment implements, on the terminal side, the same terminal secure access protocol oriented to connectionless authentication: the gateway completes key negotiation from the terminal's basic information, the negotiated key is bound only to the key negotiation period and not to a TCP connection, so UDP and other connectionless-protocol terminals can be accessed with reduced protocol overhead, a terminal that comes online repeatedly within one period does not renegotiate, and terminals can choose connectionless or short-connection communication instead of being forced into long connections, which is especially advantageous for accessing massive numbers of "Internet+" and Internet-of-Things terminals with a small number of gateways using short messages or short connections.
In a preferred embodiment, shown in Figure 10, the terminal access module 10 comprises:
a response message sending submodule 101, for issuing a key negotiation response message to the gateway according to the key agreement message;
a confirmation message receiving submodule 102, for receiving the key agreement confirmation message issued by the gateway;
a terminal access submodule 103, for establishing the access protocol with the gateway according to the key agreement confirmation message.
The functions of the terminal secure access device provided in this embodiment are described in detail with reference to the terminal secure access method in the embodiment above.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations all fall within the scope defined by the appended claims.
Claims (11)
1. A terminal secure access method, characterized in that it comprises:
receiving an authentication and key negotiation request message issued by a terminal;
judging whether a negotiated key within its validity period exists with the terminal;
when no negotiated key within its validity period exists with the terminal, issuing a "get terminal basic information" message to the terminal according to the authentication and key negotiation request message;
obtaining the terminal basic information message that the terminal returns in reply to the "get terminal basic information" message;
issuing a key agreement message to the terminal according to the terminal basic information message, carrying out a key agreement session with the terminal, and establishing an access protocol with the terminal.
2. The terminal secure access method according to claim 1, characterized in that issuing a key agreement message to the terminal according to the terminal basic information message, carrying out a key agreement session with the terminal and establishing the access protocol with the terminal comprises:
receiving the key negotiation response message issued by the terminal according to the key agreement message;
sending a key agreement confirmation message to the terminal according to the key negotiation response message, establishing the access protocol with the terminal.
3. A terminal secure access method, characterized in that it comprises:
issuing an authentication and key negotiation request message to a gateway;
receiving the "get terminal basic information" message issued by the gateway;
issuing a terminal basic information message to the gateway according to the "get terminal basic information" message;
obtaining the key agreement message that the gateway issues according to the terminal basic information message;
carrying out a key agreement session with the gateway according to the key agreement message, and establishing an access protocol with the gateway.
4. The terminal secure access method according to claim 3, characterized in that carrying out a key agreement session with the gateway according to the key agreement message and establishing the secure access protocol with the terminal comprises:
issuing a key negotiation response message to the gateway according to the key agreement message;
receiving the key agreement confirmation message returned by the gateway;
establishing the access protocol with the gateway according to the key agreement confirmation message.
5. A terminal secure access device, characterized in that it comprises:
a request message receiving module, for receiving the authentication and key negotiation request message issued by a terminal;
a key negotiation judging module, for judging whether a negotiated key within its validity period exists with the terminal;
a basic information sending module, for issuing a "get terminal basic information" message to the terminal, according to the authentication and key negotiation request message, when no negotiated key within its validity period exists with the terminal;
a basic information receiving module, for obtaining the terminal basic information message that the terminal returns in reply to the "get terminal basic information" message;
an access module, for issuing a key agreement message to the terminal according to the terminal basic information message, carrying out a key agreement session with the terminal, and establishing an access protocol with the terminal.
6. The terminal secure access device according to claim 5, characterized in that the access module comprises:
a response message receiving submodule, for receiving the key negotiation response message issued by the terminal according to the key agreement message;
a confirmation submodule, for sending a key agreement confirmation message to the terminal according to the key negotiation response message, establishing the access protocol with the terminal.
7. A terminal secure access device, characterized in that it comprises:
a request message sending module, for issuing an authentication and key negotiation request message to a gateway;
a terminal basic information receiving module, for receiving the "get terminal basic information" message issued by the gateway;
a terminal basic information sending module, for issuing a terminal basic information message to the gateway according to the "get terminal basic information" message;
a negotiation message receiving module, for obtaining the key agreement message that the gateway issues according to the terminal basic information message;
a terminal access module, for carrying out a key agreement session with the gateway according to the key agreement message, and establishing an access protocol with the gateway.
8. The terminal secure access device according to claim 7, characterized in that the terminal access module comprises:
a response message sending submodule, for issuing a key negotiation response message to the gateway according to the key agreement message;
a confirmation message receiving submodule, for receiving the key agreement confirmation message issued by the gateway;
a terminal access submodule, for establishing the access protocol with the gateway according to the key agreement confirmation message.
9. A terminal secure access system, characterized in that it comprises a terminal and a gateway, wherein:
the terminal issues an authentication and key negotiation request message to the gateway, and the gateway receives the authentication and key negotiation request message;
the gateway judges whether key negotiation with the terminal has been completed according to whether an access protocol has been established with the terminal;
when the gateway judges that key negotiation with the terminal has not been completed, it issues a "get terminal basic information" message to the terminal according to the authentication and key negotiation request message;
the terminal receives the "get terminal basic information" message issued by the gateway and, according to it, issues a terminal basic information message to the gateway;
the gateway obtains the terminal basic information message and issues a key agreement message to the terminal according to the terminal basic information message;
the terminal obtains the key agreement message, carries out a key agreement session with the gateway according to the key agreement message, and establishes the access protocol with the gateway.
10. The terminal secure access system according to claim 9, characterized in that it further comprises a back-end (postposition) communication service component and a server, wherein:
after the terminal establishes the access protocol with the gateway, the terminal sends an uplink data message to the gateway;
the gateway receives the uplink data message, decrypts it, and sends the decrypted uplink data message to the back-end communication service component;
the back-end communication service component receives the decrypted uplink data message and sends it to the server;
the server receives the decrypted uplink data message, generates a downlink data message according to it, and sends the downlink data message to the gateway through the back-end communication service component;
the gateway receives the downlink data message, encrypts it, and sends the encrypted downlink data message to the terminal;
the terminal receives the encrypted downlink data message and decrypts it to obtain the downlink data message.
11. The terminal secure access system according to claim 10, characterized in that it further comprises a front-end (preposition) communication service component, wherein:
the front-end communication service component receives the uplink data message issued by the terminal and sends the uplink data message to the gateway;
the front-end communication service component receives the encrypted downlink data message issued by the gateway and sends the downlink data message to the terminal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811274285.2A CN109120405B (en) | 2018-10-29 | 2018-10-29 | Terminal secure access method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109120405A true CN109120405A (en) | 2019-01-01 |
CN109120405B CN109120405B (en) | 2021-11-09 |
Family
ID=64854454
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811274285.2A Active CN109120405B (en) | 2018-10-29 | 2018-10-29 | Terminal secure access method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109120405B (en) |
Application events
- 2018-10-29: application CN201811274285.2A (CN), granted as patent CN109120405B, status: active
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101742491A (en) * | 2009-12-04 | 2010-06-16 | 同济大学 | Method for exchanging and consulting secret keys between mobile device and safe access gateway |
US20130108045A1 (en) * | 2011-10-27 | 2013-05-02 | Architecture Technology, Inc. | Methods, networks and nodes for dynamically establishing encrypted communications |
CN104272671A (en) * | 2012-05-10 | 2015-01-07 | 三星电子株式会社 | Method and system for connectionless transmission during uplink and downlink of data packets |
CN103139770A (en) * | 2013-01-30 | 2013-06-05 | 中兴通讯股份有限公司 | Method for transmitting paired master cryptography keys in wireless local area network (WLAN) access network and system |
CN104113934A (en) * | 2014-07-25 | 2014-10-22 | 北京奇虎科技有限公司 | Router accessing method for communication equipment and accessing system |
CN105636033A (en) * | 2014-10-25 | 2016-06-01 | 华为技术有限公司 | Method, device and system for movably managing terminals |
WO2016191138A1 (en) * | 2015-05-22 | 2016-12-01 | Motorola Solutions, Inc. | Method and apparatus for initial certificate enrollment in a wireless communication system |
CN108464054A (en) * | 2015-11-10 | 2018-08-28 | 夏普株式会社 | Terminal installation, MME and communication means |
US20160191245A1 (en) * | 2016-03-09 | 2016-06-30 | Yufeng Qin | Method for Offline Authenticating Time Encoded Passcode |
CN105871873A (en) * | 2016-04-29 | 2016-08-17 | 国家电网公司 | Security encryption authentication module for power distribution terminal communication and method thereof |
CN106385404A (en) * | 2016-08-31 | 2017-02-08 | 华北电力大学(保定) | Construction method for power information system based on mobile terminal |
Non-Patent Citations (3)
Title |
---|
LI YUFENG, "The automated negotiation framework design of management information system based on E-Hubs", IEEE |
李兴华, "Research on authentication and key agreement protocols in wireless networks", China Master's Theses Full-text Database |
王明书, "Key agreement and encrypted authentication design for the space-ground integrated information network", Command Information System and Technology |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109922081A | 2019-04-02 | 2019-06-21 | 全知科技(杭州)有限责任公司 | A kind of long connection data analysing method of TCP flow |
CN109922081B | 2019-04-02 | 2021-06-25 | 全知科技(杭州)有限责任公司 | TCP stream length connection data analysis method |
CN110995775A | 2019-10-11 | 2020-04-10 | 浙江口碑网络技术有限公司 | Service data processing method, device and system |
WO2021147660A1 | 2020-01-21 | 2021-07-29 | 华为技术有限公司 | Data transmission method, and device |
CN111585976A | 2020-04-09 | 2020-08-25 | 北京理工大学 | Communication method, communication apparatus, storage medium, and electronic device |
Also Published As
Publication number | Publication date |
---|---|
CN109120405B (en) | 2021-11-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |