CN109120405A - A kind of terminal security cut-in method, apparatus and system - Google Patents


Info

Publication number: CN109120405A
Authority: CN (China)
Prior art keywords: terminal, message, gateway, key, essential information
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN201811274285.2A
Other languages: Chinese (zh)
Other versions: CN109120405B (en)
Inventors: 周诚, 汪晨, 马媛媛, 邵志鹏, 李伟伟, 陈璐, 张波, 管小娟, 陈牧
Current assignee: Global Energy Interconnection Research Institute
Original assignee: Global Energy Interconnection Research Institute
Events: application filed by Global Energy Interconnection Research Institute; priority to CN201811274285.2A; publication of CN109120405A; application granted; publication of CN109120405B; legal status active

Classifications

All classes below lie under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 The same, involving digital signatures
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/164 Adaptation or special uses of UDP protocol

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a terminal security access method, apparatus and system. The method comprises: receiving an identity authentication and key negotiation request message sent by a terminal; determining whether an access protocol already exists with the terminal; when no access protocol exists with the terminal, sending a get-terminal-basic-information message to the terminal in response to the identity authentication and key negotiation request message; obtaining the terminal basic information message that the terminal returns in reply to the get-terminal-basic-information message; and sending a key negotiation message to the terminal based on the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing the access protocol with the terminal. By implementing the invention, terminal access based on the UDP protocol can be realized, so that connectionless-protocol terminals can be accessed and protocol overhead is reduced. At the same time, the key negotiation process between terminal and gateway has no binding relationship with a TCP connection, so connectionless or short-connection communication can be chosen flexibly, which is especially advantageous for terminals accessed by short message or short connection.

Description

Terminal security access method, apparatus and system
Technical field
The present invention relates to the field of information security technology, and in particular to a terminal security access method, apparatus and system.
Background art
Traditionally, terminal security access has mainly been realized with VPN technology, of which there are two kinds: SSL-VPN and IPSEC-VPN. IPSEC-VPN requires a VPN gateway to be deployed on both the terminal side and the access-network side, so it is usually suited only to building a secure connection channel between networks. SSL-VPN requires a VPN gateway only on the access-network side, with dialer software deployed on the terminal side, and is commonly used for large numbers of distributed terminals accessing a core network.
Because SSL-VPN only requires a VPN gateway on the access-network side, its range of application is wider. However, SSL-VPN forms a binding relationship with a transport-layer TCP connection when it constructs its channel: each terminal access must bind one TCP connection, so SSL-VPN cannot support the connectionless short-message communication pattern based on UDP. Yet in power industrial-control systems the communication protocols between the various power industrial-control terminals and the control centre are largely based on UDP, because the number of terminals in a power industrial-control network is huge and the latency requirements are strict, so using the TCP protocol would cause unbearable protocol overhead. For such power industrial-control terminals with a UDP-based connectionless communication pattern, secure access cannot be realized with SSL-VPN.
Summary of the invention
In view of this, embodiments of the invention provide a terminal security access method, apparatus and system, to solve the technical problem in the prior art that power industrial-control terminals based on a UDP connectionless communication mode cannot achieve secure access using SSL-VPN.
The technical solution proposed by the invention is as follows:
A first aspect of the embodiments of the invention proposes a terminal security access method, comprising: receiving an identity authentication and key negotiation request message sent by a terminal; determining whether a negotiated key within its validity period exists with the terminal; when no negotiated key within its validity period exists with the terminal, sending a get-terminal-basic-information message to the terminal in response to the identity authentication and key negotiation request message; obtaining the terminal basic information message that the terminal returns in reply to the get-terminal-basic-information message; and sending a key negotiation message to the terminal based on the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing the access protocol with the terminal.
Preferably, sending the key negotiation message to the terminal based on the terminal basic information message, carrying out the key negotiation session with the terminal and establishing the access protocol with the terminal comprises: receiving the key negotiation response message that the terminal sends in reply to the key negotiation message; and sending a key negotiation confirmation message to the terminal based on the key negotiation response message, thereby establishing the access protocol with the terminal.
A second aspect of the embodiments of the invention proposes a terminal security access method, comprising: sending an identity authentication and key negotiation request message to a gateway; receiving the get-terminal-basic-information message sent by the gateway; sending a terminal basic information message to the gateway in reply to the get-terminal-basic-information message; obtaining the key negotiation message that the gateway sends based on the terminal basic information message; and carrying out a key negotiation session with the gateway based on the key negotiation message, and establishing the access protocol with the gateway.
Preferably, carrying out the key negotiation session with the gateway based on the key negotiation message and establishing the secure access protocol with the terminal comprises: sending a key negotiation response message to the gateway based on the key negotiation message; receiving the key negotiation confirmation message fed back by the gateway; and establishing the access protocol with the gateway based on the key negotiation confirmation message.
A third aspect of the embodiments of the invention proposes a terminal security access apparatus, comprising: a request message receiving module, for receiving the identity authentication and key negotiation request message sent by a terminal; a key negotiation judging module, for determining whether a negotiated key within its validity period exists with the terminal; a basic information sending module, for sending a get-terminal-basic-information message to the terminal in response to the identity authentication and key negotiation request message when no negotiated key within its validity period exists with the terminal; a basic information receiving module, for obtaining the terminal basic information message that the terminal returns in reply to the get-terminal-basic-information message; and an access module, for sending a key negotiation message to the terminal based on the terminal basic information message, carrying out a key negotiation session with the terminal and establishing the access protocol with the terminal.
Preferably, the access module comprises: a response message receiving submodule, for receiving the key negotiation response message that the terminal sends in reply to the key negotiation message; and a confirmation submodule, for sending a key negotiation confirmation message to the terminal based on the key negotiation response message and establishing the access protocol with the terminal.
A fourth aspect of the embodiments of the invention proposes a terminal security access apparatus, comprising: a request message sending module, for sending an identity authentication and key negotiation request message to a gateway; a terminal basic information receiving module, for receiving the get-terminal-basic-information message sent by the gateway; a terminal basic information sending module, for sending a terminal basic information message to the gateway in reply to the get-terminal-basic-information message; a negotiation message receiving module, for obtaining the key negotiation message that the gateway sends based on the terminal basic information message; and a terminal access module, for carrying out a key negotiation session with the gateway based on the key negotiation message and establishing the access protocol with the gateway.
Preferably, the terminal access module comprises: a response message sending submodule, for sending a key negotiation response message to the gateway based on the key negotiation message; a confirmation message receiving submodule, for receiving the key negotiation confirmation message sent by the gateway; and a terminal access submodule, for establishing the access protocol with the gateway based on the key negotiation confirmation message.
A fifth aspect of the embodiments of the invention proposes a terminal security access system comprising a terminal and a gateway. The terminal sends an identity authentication and key negotiation request message to the gateway, and the gateway receives the identity authentication and key negotiation request message; the gateway determines whether key negotiation with the terminal has been completed according to whether an access protocol has been established with the terminal; when the gateway determines that key negotiation with the terminal has not been completed, it sends a get-terminal-basic-information message to the terminal in response to the identity authentication and key negotiation request message; the terminal receives the get-terminal-basic-information message sent by the gateway and replies to the gateway with a terminal basic information message; the gateway obtains the terminal basic information message and sends a key negotiation message to the terminal based on it; the terminal obtains the key negotiation message, carries out a key negotiation session with the gateway based on it, and establishes the access protocol with the gateway.
Preferably, the terminal security access system further comprises a back-end communication service component and a server. After the terminal has established the access protocol with the gateway, the terminal sends an uplink data message to the gateway; the gateway receives the uplink data message, decrypts it, and sends the decrypted uplink data message to the back-end communication service component; the back-end communication service component receives the decrypted uplink data message and sends it to the server; the server receives the decrypted uplink data message, generates a downlink data message from it, and sends the downlink data message to the gateway via the back-end communication service component; the gateway receives the downlink data message, encrypts it and sends it to the terminal; the terminal receives the encrypted downlink data message and decrypts it to obtain the downlink data message.
Preferably, the terminal security access system further comprises a front-end communication service component, which receives the uplink data message sent by the terminal and sends it to the gateway, and receives the encrypted downlink data message sent by the gateway and sends it to the terminal.
The technical solution of the invention has the following advantages:
In the terminal security access method, system and apparatus provided by the embodiments of the invention, the gateway completes key negotiation with the terminal by obtaining the terminal's basic information, which realizes the terminal's go-online process. This process has no binding relationship with a TCP connection, so UDP-based terminal access can be realized, connectionless-protocol terminals can be accessed, and protocol overhead is reduced. The key negotiation process between terminal and gateway likewise has no binding relationship with a TCP connection and is tied only to the key negotiation period: within one period, a terminal that goes online repeatedly does not need to renegotiate the key. The terminal therefore need not worry about connection setup overhead and is not forced into a long-connection access mode; connectionless or short-connection communication can be chosen flexibly, which is especially advantageous when a small number of gateways serve a massive number of "Internet+" and Internet-of-Things terminals by short message or short connection.
Description of the drawings
In order to explain the specific embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the specific embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural block diagram of one specific example of the terminal security access system in an embodiment of the invention;
Fig. 2 is a structural block diagram of another specific example of the terminal security access system in an embodiment of the invention;
Fig. 3 is a structural block diagram of another specific example of the terminal security access system in an embodiment of the invention;
Fig. 4 is a flow chart of one specific example of the terminal security access method in an embodiment of the invention;
Fig. 5 is a flow chart of another specific example of the terminal security access method in an embodiment of the invention;
Fig. 6 is a flow chart of another specific example of the terminal security access method in an embodiment of the invention;
Fig. 7 is a structural block diagram of one specific example of the terminal security access apparatus in an embodiment of the invention;
Fig. 8 is a structural block diagram of another specific example of the terminal security access apparatus in an embodiment of the invention;
Fig. 9 is a structural block diagram of another specific example of the terminal security access apparatus in an embodiment of the invention;
Fig. 10 is a structural block diagram of another specific example of the terminal security access apparatus in an embodiment of the invention.
Specific embodiments
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
An embodiment of the invention proposes a terminal security access system which, as shown in Fig. 1, comprises a terminal 2 and a gateway 1. Terminal 2 sends an identity authentication and key negotiation request message to gateway 1, and gateway 1 receives the identity authentication and key negotiation request message; gateway 1 determines whether key negotiation with terminal 2 has been completed according to whether an access protocol has been established with terminal 2; when gateway 1 determines that key negotiation with terminal 2 has not been completed, it sends a get-terminal-basic-information message to terminal 2 in response to the identity authentication and key negotiation request message; terminal 2 receives the get-terminal-basic-information message sent by the gateway and replies to the gateway with a terminal basic information message; gateway 1 obtains the terminal basic information message and, based on it, sends a key negotiation message to terminal 2; terminal 2 obtains the key negotiation message, carries out a key negotiation session with gateway 1 based on it, and establishes the access protocol with gateway 1.
The terminal security access system of this embodiment defines a terminal security access protocol oriented to connectionless authentication. Gateway 1 completes key negotiation with terminal 2 by obtaining the terminal's basic information, which realizes the go-online process of terminal 2; this process has no binding relationship with a TCP connection, so UDP-based terminal access can be realized, connectionless-protocol terminals can be accessed, and protocol overhead is reduced. The key negotiation process between terminal 2 and gateway 1 likewise has no binding relationship with a TCP connection and is tied only to the key negotiation period: within one period, terminal 2 can go online repeatedly without renegotiating the key. Terminal 2 therefore need not worry about connection setup overhead and is not forced into a long-connection access mode; connectionless or short-connection communication can be chosen flexibly, which is especially advantageous when a small number of gateways access a massive number of "Internet+" and Internet-of-Things terminals by short message or short connection.
In a preferred embodiment, terminal 2 can call an SDK component to send the identity authentication and key negotiation request message to gateway 1; the function of the SDK component is to call the terminal-side security chip and complete the key negotiation process between gateway 1 and terminal 2.
In a preferred embodiment, gateway 1 obtaining the terminal basic information message and sending a key negotiation message to the terminal based on it specifically comprises: gateway 1 generates session key material and a sequence number according to the obtained terminal basic information, packages them into a key negotiation message after cryptographic operations such as encryption and signing, and sends it to terminal 2. The key material and the sequence number are random numbers of length 32 generated by the gateway; they serve as the session key material and sequence number of this negotiation and must be regenerated for every negotiation.
In a preferred embodiment, terminal 2 obtaining the key negotiation message, carrying out a key negotiation session with gateway 1 based on it and establishing the access protocol with gateway 1 specifically comprises: terminal 2 obtains the key negotiation message and processes it, first verifying the signature and, once the signature passes, decrypting the encrypted message; it then generates session key material, packages it into a key negotiation response message after operations such as encryption and signing, sends the response to the gateway and at the same time computes the symmetric key. Gateway 1 processes the key negotiation response message, first verifying the signature and, once the signature passes, decrypting the encrypted message; it then generates a key negotiation confirmation message, sends it to the terminal and at the same time computes the symmetric key. Terminal 2 processes the key negotiation confirmation message, verifies that it is correct, confirms that negotiation is complete, and establishes the access protocol with gateway 1. Here the key material is a random number of length 32 generated by the gateway; it serves as the session key material of this negotiation and must be regenerated for every negotiation.
In a preferred embodiment, as shown in Fig. 2, the terminal security access system further comprises a back-end communication service component 3 and a server 4. After terminal 2 has established the access protocol with gateway 1, terminal 2 sends an uplink data message to gateway 1; gateway 1 receives the uplink data message, decrypts it, and sends it to the back-end communication service component 3; the back-end communication service component 3 receives the decrypted uplink data message and sends it to server 4; server 4 receives the decrypted uplink data message, generates a downlink data message from it, and sends the downlink data message to gateway 1 via the back-end communication service component 3; gateway 1 receives the downlink data message, encrypts it, and sends it to terminal 2; terminal 2 receives the encrypted downlink data message and decrypts it to obtain the downlink data message.
In a preferred embodiment, once terminal 2 and gateway 1 have completed key negotiation and established the access protocol, terminal 2 can communicate bidirectionally with server 4. Here the accessed terminal 2 is a connectionless-protocol terminal. When terminal 2 sends an uplink data message to the gateway, it first calls the SDK component to initiate the request; the SDK component packages the uplink data according to the proprietary protocol, obtains the symmetric key and encrypts the packaged uplink data message, and then sends the packaged, encrypted uplink data message.
In a preferred embodiment, gateway 1 receiving the uplink data message, decrypting it and sending it to the back-end communication service component 3 specifically comprises: after gateway 1 has decrypted the uplink data message, it randomly selects one of its TCP connections to the back-end communication service component 3 and sends the uplink data message over it.
In a preferred embodiment, the back-end communication service component 3 receiving the decrypted uplink data message and sending it to server 4 specifically comprises: the back-end communication service component 3 receives the decrypted uplink data message, unpacks it according to the proprietary protocol, initiates a short connection to server 4, and forwards the restored original uplink data message to server 4.
In a preferred embodiment, server 4 receiving the decrypted uplink data message, generating a downlink data message from it and sending the downlink data message to gateway 1 via the back-end communication service component 3 specifically comprises: after server 4 has sent the downlink data message to the back-end communication service component 3, the back-end communication service component 3 packages the downlink data message according to the plaintext proprietary protocol, randomly selects one of its TCP connections to gateway 1 to forward the packaged downlink data message, and disconnects the above short connection after forwarding.
In a preferred embodiment, gateway 1 receiving the downlink data message, encrypting it and sending it to terminal 2 specifically comprises: gateway 1 receives the downlink data message, parses it according to the proprietary protocol, obtains the number of terminal 2 from the proprietary-protocol message header, obtains the corresponding symmetric key, encrypts the downlink data message, and sends the encrypted downlink data message to terminal 2.
In a preferred embodiment, terminal 2 receiving the encrypted downlink data message and decrypting it to obtain the downlink data message specifically comprises: terminal 2 receives the encrypted downlink data message and calls the SDK component, which decrypts the downlink data message, restores the original downlink data message and delivers it to terminal 2.
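The uplink and downlink handling above turns on one detail: the gateway reads the terminal number from the proprietary-protocol header and selects that terminal's symmetric key. The following Go program is an added example, not the patent's or any SDK's code; it assumes a frame layout the page does not specify (4-byte terminal number, 12-byte nonce, AES-256-GCM payload) and binds the clear header to the ciphertext so that a frame re-addressed to another terminal is rejected instead of being decrypted under the wrong key and forwarded.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed frame layout (the page only calls it a proprietary protocol):
// 4-byte terminal number | 12-byte nonce | AES-256-GCM ciphertext of the payload.
// The clear header is the GCM associated data, so the terminal number that
// selects the key is authenticated together with the payload.
const hdrLen = 4 + 12

// KeyLookup returns the negotiated symmetric key for a terminal number: the
// gateway consults its session table, a terminal returns its own key.
type KeyLookup func(terminalNo uint32) ([]byte, bool)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte negotiated key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds a frame for terminalNo: uplink when called by the terminal,
// downlink when called by the gateway after it has parsed the terminal number.
func Seal(lookup KeyLookup, terminalNo uint32, payload []byte) ([]byte, error) {
	key, ok := lookup(terminalNo)
	if !ok {
		return nil, errors.New("no negotiated key for terminal: negotiate first")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[:4], terminalNo)
	if _, err := rand.Read(hdr[4:]); err != nil { // fresh nonce per frame
		return nil, err
	}
	out := make([]byte, 0, hdrLen+len(payload)+gcm.Overhead())
	return gcm.Seal(append(out, hdr...), hdr[4:], payload, hdr), nil
}

// Open parses the clear header, looks up the key for the terminal number it
// carries and authenticates header and payload together. A frame whose terminal
// number was altered in transit fails here instead of being decrypted under
// another terminal's key and forwarded to the back-end component.
func Open(lookup KeyLookup, frame []byte) (uint32, []byte, error) {
	if len(frame) < hdrLen {
		return 0, nil, errors.New("frame too short")
	}
	hdr := frame[:hdrLen]
	terminalNo := binary.BigEndian.Uint32(hdr[:4])
	key, ok := lookup(terminalNo)
	if !ok {
		return terminalNo, nil, errors.New("unknown terminal: key negotiation required")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return terminalNo, nil, err
	}
	plain, err := gcm.Open(nil, hdr[4:], frame[hdrLen:], hdr)
	if err != nil {
		return terminalNo, nil, errors.New("frame authentication failed")
	}
	return terminalNo, plain, nil
}

// KeyTable is the gateway's session table: one negotiated key per terminal number.
type KeyTable struct {
	Keys map[uint32][]byte
}

func (k *KeyTable) Lookup(terminalNo uint32) ([]byte, bool) {
	key, ok := k.Keys[terminalNo]
	return key, ok
}

func main() {
	// Constructed sample: terminal 7 shares a negotiated key with the gateway.
	key := make([]byte, 32)
	rand.Read(key)
	gw := &KeyTable{Keys: map[uint32][]byte{7: key}}
	terminal := func(uint32) ([]byte, bool) { return key, true }
	up, _ := Seal(terminal, 7, []byte("uplink: meter reading 42.0 kWh"))
	no, plain, err := Open(gw.Lookup, up) // gateway decrypts, then forwards plain
	fmt.Println(no, string(plain), err)
	down, _ := Seal(gw.Lookup, 7, []byte("downlink: ack"))
	_, plain, err = Open(terminal, down) // terminal (SDK) restores the original
	fmt.Println(string(plain), err)
}
```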
In a preferred embodiment, as shown in Fig. 3, the terminal security access system further comprises a front-end communication service component 5. The front-end communication service component 5 receives the uplink data message sent by terminal 2 and sends it to gateway 1; it receives the encrypted downlink data message sent by gateway 1 and sends it to terminal 2.
In a preferred embodiment, the accessed terminal 2 can be a connection-oriented-protocol terminal. After such a terminal has been accessed, it initiates a TCP connection to the front-end communication service component 5. When terminal 2 communicates with server 4 and sends a packaged, encrypted uplink data message, the front-end communication service component 5 receives the uplink data message over its TCP connection with terminal 2 and randomly selects one of its TCP connections to gateway 1 to forward the uplink data message to gateway 1; when the front-end communication service component 5 receives the encrypted, packaged downlink data message sent by gateway 1, it selects the TCP connection with terminal 2 and forwards the downlink data message to terminal 2.
In the terminal security access system of this embodiment, once terminal 2 has established the access protocol with gateway 1, bidirectional communication between terminal 2 and server 4 can also be realized. When terminal 2 is a connectionless-protocol terminal, bidirectional communication between terminal 2 and server 4 can be realized directly; when a connection-oriented-protocol terminal is accessed, deploying the front-end communication service component 5 solves the connection-maintenance problems of such access, including connection establishment, disconnection, heartbeat maintenance and bidirectional forwarding of messages, thereby providing a communication channel for connection-oriented-protocol terminals.
This embodiment of the invention also provides a terminal secure access method. As shown in Figure 4, the terminal secure access method comprises:
Step 1: receiving the authentication and key negotiation request message sent by the terminal. Specifically, the gateway receives the authentication and key negotiation request message that the terminal sends by calling the SDK component; the message header carries the terminal ID and the data field is empty. The function of the SDK component is to call the terminal-side security chip and complete the key negotiation process between the terminal and the gateway.
Step 2: judging whether a negotiated key within its validity period exists with the terminal. Specifically, the gateway looks up whether key negotiation with the terminal has already been completed.
Step 3: when no negotiated key within its validity period exists with the terminal, sending a get-terminal-basic-information message to the terminal according to the authentication and key negotiation request message. Specifically, the header of the get-terminal-basic-information message carries the terminal ID and its data field is empty.
Step 4: obtaining the terminal basic information message that the terminal returns in response to the get-terminal-basic-information message. Specifically, the header of the terminal basic information message carries the terminal ID and its data field contains the terminal certificate.
Step 5: sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing the access protocol with the terminal.
In a preferred embodiment, as shown in Figure 5, step 5 (sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal and establishing the access protocol with the terminal) comprises:
Step 51: receiving the key negotiation response message that the terminal sends in response to the key negotiation message;
Step 52: sending a key negotiation confirmation message to the terminal according to the key negotiation response message, and establishing the access protocol with the terminal.
Specifically, sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal and establishing the access protocol with the terminal proceeds as follows. The gateway extracts the terminal certificate from the terminal basic information it obtained and verifies the validity of the certificate; it then generates session key material and a sequence number, encapsulates them into a key negotiation message after cryptographic operations such as encryption and signing, and sends it to the terminal. The key material and the sequence number are random numbers of length 32 (the source does not state whether bits or bytes) generated by the gateway; they serve as the session key material and sequence number of this negotiation and must be regenerated for every negotiation. The gateway then receives the key negotiation response message that the terminal returns in response to the key negotiation message and processes it: it first verifies the signature and, only once the signature check passes, decrypts the encrypted message; it then generates a key negotiation confirmation message, sends it to the terminal, computes the symmetric key at the same time, and establishes the access protocol with the terminal.
Through steps 1 to 5 above, the terminal secure access method provided by this embodiment of the invention defines a terminal secure access protocol oriented to connectionless authentication: the gateway completes key negotiation with the terminal after obtaining the terminal's basic information, and the terminal's online procedure is realised without any binding to a TCP connection. Terminal access over UDP can therefore be implemented, connectionless-protocol terminals can be accessed and protocol overhead is reduced. The key negotiation between terminal and gateway is likewise not bound to a TCP connection but only to the key negotiation period; within one period a terminal can go online repeatedly without renegotiating the key. The terminal therefore need not worry about the cost of connection establishment and is not forced into a long-connection access mode; it can freely choose connectionless or short-connection communication, which is especially suited to a small number of gateways accessing massive numbers of "Internet Plus" and Internet of Things terminals through short messages or short connections.
This embodiment of the invention also provides a terminal secure access method. As shown in Figure 6, the terminal secure access method comprises:
Step S1: sending an authentication and key negotiation request message to the gateway. Specifically, the terminal calls the SDK component to send the authentication and key negotiation request message to the gateway; the message header carries the terminal ID and the data field is empty. The function of the SDK component is to call the terminal-side security chip and complete the key negotiation process between the terminal and the gateway.
Step S2: receiving the get-terminal-basic-information message sent by the gateway. Specifically, when no access protocol exists between the terminal and the gateway, that is, when terminal and gateway have not completed key negotiation, the terminal receives the get-terminal-basic-information message sent by the gateway; the header of this message carries the terminal ID and its data field is empty.
Step S3: sending a terminal basic information message to the gateway according to the get-terminal-basic-information message. Specifically, the header of the terminal basic information message carries the terminal ID and its data field contains the terminal certificate.
Step S4: obtaining the key negotiation message that the gateway sends according to the terminal basic information message. Specifically, after obtaining the key negotiation message the terminal processes it: it first verifies the signature and, only once the signature check passes, decrypts the encrypted message; it then generates its own session key material, encapsulates it into a key negotiation response message after operations such as encryption and signing, and computes the symmetric key at the same time. This key material is a random number of length 32 generated by the terminal; it serves as the session key material of this negotiation and must be regenerated for every negotiation.
Step S5: carrying out a key negotiation session with the gateway according to the key negotiation message, and establishing the access protocol with the gateway. Specifically, the terminal generates a key negotiation response message according to the key negotiation message and sends it to the gateway; according to the key negotiation confirmation message returned by the gateway it confirms that negotiation is complete and establishes the access protocol with the gateway.
Through steps S1 to S5 above, the terminal secure access method provided by this embodiment of the invention defines a terminal secure access protocol oriented to connectionless authentication: the gateway completes key negotiation with the terminal after obtaining the terminal's basic information, and neither the terminal's online procedure nor the key negotiation is bound to a TCP connection. Terminal access over UDP is therefore possible, connectionless-protocol terminals can be accessed with reduced protocol overhead, and because the negotiated key is tied only to the key negotiation period, a terminal can go online repeatedly within one period without renegotiating. The terminal need not bear the cost of connection establishment and is not forced into long-connection access; it can freely choose connectionless or short-connection communication, which is especially suited to a small number of gateways accessing massive numbers of "Internet Plus" and Internet of Things terminals through short messages or short connections.
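The exchange described in steps 1 to 5 (gateway side) and S1 to S5 (terminal side), as an added, runnable simulation that is not part of the patent: both parties are modelled in one script, the gateway keeps the per-terminal negotiated key together with its validity period so that a repeated request inside the period triggers no renegotiation (step 2), and both sides regenerate their key material on every negotiation. Everything the page leaves unspecified is an assumption here: the header layout (16-byte terminal ID, type byte, length), the numeric message types, the one-hour key validity, treating the "32" of the key material and sequence number as 32 bytes, and the certificate, signature and encryption primitives, which are HMAC-based stand-ins so the script needs only the standard library (a real deployment uses the security chip, X.509 certificates and public-key signatures). Two orderings from the text are kept deliberately: the gateway releases its key material only after the certificate has been verified, and both sides verify the signature before decrypting.

```python
import hashlib
import hmac
import secrets
import struct

AUTH_REQ, GET_INFO, TERM_INFO, KEY_NEG, KEY_RESP, KEY_CONFIRM = range(1, 7)  # assumed codes
HDR = ">16sBH"                  # header: terminal ID, message type, data length (assumed layout)
HDR_LEN = struct.calcsize(HDR)
MAT_LEN = 32                    # key material / sequence number size; page says 32, unit assumed bytes
KEY_VALIDITY = 3600             # lifetime of a negotiated key in seconds (assumed)
CA_SECRET = b"constructed CA secret"  # stand-in for the CA that issued the terminal certificate

def pack(tid, mtype, data=b""):
    return struct.pack(HDR, tid.ljust(16, b"\0"), mtype, len(data)) + data

def unpack(msg):
    tid, mtype, n = struct.unpack(HDR, msg[:HDR_LEN])
    if len(msg) != HDR_LEN + n:
        raise ValueError("length field does not match message")
    return tid.rstrip(b"\0"), mtype, msg[HDR_LEN:]

def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def keystream(key, nonce, n):  # SHA-256 counter keystream; stand-in for the real cipher
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):  # stand-in for the page's "encrypt, then sign": XOR keystream, then HMAC tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + mac(key, nonce, ct)

def open_(key, blob):  # verify the signature first; decrypt only when it passes, as the page prescribes
    nonce, ct, sig = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(sig, mac(key, nonce, ct)):
        raise ValueError("signature check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def issue_cert(tid, auth_key):  # certificate = terminal ID bound to its key under the CA secret
    body = tid.ljust(16, b"\0") + auth_key
    return body + mac(CA_SECRET, body)

def verify_cert(cert):
    body, sig = cert[:48], cert[48:]
    if not hmac.compare_digest(sig, mac(CA_SECRET, body)):
        raise ValueError("certificate invalid")
    return body[:16].rstrip(b"\0"), body[16:]

def session_key(gw_mat, term_mat, seq):  # both sides derive the same symmetric key
    return hashlib.sha256(b"session" + gw_mat + term_mat + seq).digest()

class Gateway:
    def __init__(self):
        self.keys, self.pending = {}, {}  # tid -> (key, expiry); tid -> (auth key, material, seq)

    def handle(self, msg, now):
        tid, mtype, data = unpack(msg)
        if mtype == AUTH_REQ:  # steps 1-3: reply only if no negotiated key is still valid (step 2)
            return None if tid in self.keys and self.keys[tid][1] > now else pack(tid, GET_INFO)
        if mtype == TERM_INFO:  # steps 4-5: check the certificate, then send fresh material and sequence number
            cert_tid, auth_key = verify_cert(data)
            if cert_tid != tid:
                raise ValueError("certificate does not belong to this terminal ID")
            gw_mat, seq = secrets.token_bytes(MAT_LEN), secrets.token_bytes(MAT_LEN)
            self.pending[tid] = (auth_key, gw_mat, seq)
            return pack(tid, KEY_NEG, seal(auth_key, gw_mat + seq))
        if mtype == KEY_RESP:  # steps 51-52: verify, decrypt, compute the key, confirm
            auth_key, gw_mat, seq = self.pending.pop(tid)
            key = session_key(gw_mat, open_(auth_key, data), seq)
            self.keys[tid] = (key, now + KEY_VALIDITY)
            return pack(tid, KEY_CONFIRM, mac(key, b"confirm", seq))
        raise ValueError("unexpected message type %d" % mtype)

class Terminal:
    def __init__(self, tid, auth_key, cert):
        self.tid, self.auth_key, self.cert, self.key, self.seq = tid, auth_key, cert, None, None

    def handle(self, msg):
        tid, mtype, data = unpack(msg)
        if mtype == GET_INFO:  # S2-S3: answer with the certificate
            return pack(self.tid, TERM_INFO, self.cert)
        if mtype == KEY_NEG:  # S4: verify, decrypt, add own fresh material, compute the key
            plain = open_(self.auth_key, data)
            gw_mat, self.seq = plain[:MAT_LEN], plain[MAT_LEN:]
            term_mat = secrets.token_bytes(MAT_LEN)
            self.key = session_key(gw_mat, term_mat, self.seq)
            return pack(self.tid, KEY_RESP, seal(self.auth_key, term_mat))
        if mtype == KEY_CONFIRM:  # S5: negotiation complete
            if not hmac.compare_digest(data, mac(self.key, b"confirm", self.seq)):
                raise ValueError("confirmation does not match the negotiated key")
            return None
        raise ValueError("unexpected message type %d" % mtype)

def negotiate(gw, term, now):  # drives one online attempt; returns how many messages the gateway sent
    sent, msg = 0, gw.handle(pack(term.tid, AUTH_REQ), now)
    while msg is not None:
        sent, reply = sent + 1, term.handle(msg)
        msg = None if reply is None else gw.handle(reply, now)
    return sent
```

`negotiate` returns three for a full negotiation and zero when step 2 finds a key still within its validity period; after the period expires the next request runs the full exchange again and both sides end up with a new key. A certificate for another terminal ID, or one whose signature does not verify, is rejected before any key material leaves the gateway.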
This embodiment of the invention also provides a terminal secure access device. As shown in Figure 7, the terminal secure access device comprises:
Request message receiving module 11, for receiving the authentication and key negotiation request message sent by the terminal; for details see step 1 of the embodiment above.
Key negotiation judging module 22, for judging whether a negotiated key within its validity period exists with the terminal; for details see step 2 of the embodiment above.
Basic information sending module 33, for sending a get-terminal-basic-information message to the terminal according to the authentication and key negotiation request message when no negotiated key within its validity period exists with the terminal; for details see step 3 of the embodiment above.
Basic information receiving module 44, for obtaining the terminal basic information message that the terminal returns in response to the get-terminal-basic-information message; for details see step 4 of the embodiment above.
Access module 55, for sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal and establishing the access protocol with the terminal; for details see step 5 of the embodiment above.
Through modules 11 to 55 above, the terminal secure access device provided by this embodiment of the invention defines a terminal secure access protocol oriented to connectionless authentication: the gateway completes key negotiation with the terminal after obtaining the terminal's basic information, and neither the terminal's online procedure nor the key negotiation is bound to a TCP connection. Terminal access over UDP is therefore possible, connectionless-protocol terminals can be accessed with reduced protocol overhead, and because the negotiated key is tied only to the key negotiation period, a terminal can go online repeatedly within one period without renegotiating. The terminal need not bear the cost of connection establishment and is not forced into long-connection access; it can freely choose connectionless or short-connection communication, which is especially suited to a small number of gateways accessing massive numbers of "Internet Plus" and Internet of Things terminals through short messages or short connections.
In a preferred embodiment, as shown in Figure 8, access module 55 comprises:
Response message receiving sub-module 551, for receiving the key negotiation response message that the terminal sends in response to the key negotiation message;
Confirmation sub-module 552, for sending a key negotiation confirmation message to the terminal according to the key negotiation response message, and establishing the access protocol with the terminal.
For the functional description of the terminal secure access device provided by this embodiment of the invention, refer to the description of the terminal secure access method in the embodiments above.
The embodiment of the invention also provides a kind of terminal security access devices, as shown in figure 9, the terminal security access device Include:
Request message sending module 6, for issuing authentication and key negotiation request message to gateway;Detailed content ginseng See step S1 in above-described embodiment.
Terminal essential information receiving module 7, for receiving the acquisition terminal essential information message of gateway sending;Detailed content Referring to step S2 in above-described embodiment.
Terminal essential information sending module 8, for basic to gateway sending terminal according to terminal essential information message is obtained Infomational message;Detailed content is referring to step S3 in above-described embodiment.
Negotiation packet receiving module 9, the key agreement message issued for obtaining gateway according to terminal essential information message; Detailed content is referring to step S4 in above-described embodiment.
Terminal AM access module 10, for carrying out key agreement session, foundation and gateway according to key agreement message and gateway Access protocol, detailed content is referring to step S5 in above-described embodiment.
By above-mentioned module 6 to module 10, in terminal security access device provided in an embodiment of the present invention, one kind is defined Terminal security access protocol towards connectionless certification, gateway complete key association by the essential information and terminal for obtaining terminal Quotient realizes line process in terminal, and the terminal access based on udp protocol may be implemented without binding relationship in the process and TCP connection, To access connectionless protocol terminal, protocol overhead, while terminal and the cipher key agreement process of gateway and TCP connection are reduced There is no binding relationship, only related to the key agreement period, in one cycle, terminal repeats online without renegotiating key. Therefore the expense that terminal is established without connection of worrying can the connectionless side of flexible choice without being forced using long connection access way Formula or short connection type communication, be especially advantageous for a small amount of gateway with short message or short connection type access magnanimity " internet+", Internet-of-things terminal.
In a preferred embodiment, as shown in Figure 10, terminal access module 10 comprises:
Response message sending sub-module 101, for sending a key negotiation response message to the gateway according to the key negotiation message;
Confirmation message receiving sub-module 102, for receiving the key negotiation confirmation message sent by the gateway;
Terminal access sub-module 103, for establishing the access protocol with the gateway according to the key negotiation confirmation message.
For the functional description of the terminal secure access device provided by this embodiment of the invention, refer to the description of the terminal secure access method in the embodiments above.
Although the embodiments of the invention have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations all fall within the scope defined by the appended claims.

Claims (11)

1. A terminal secure access method, characterised by comprising:
receiving an authentication and key negotiation request message sent by a terminal;
judging whether a negotiated key within its validity period exists with the terminal;
when it is judged that no negotiated key within its validity period exists with the terminal, sending a get-terminal-basic-information message to the terminal according to the authentication and key negotiation request message;
obtaining the terminal basic information message that the terminal returns in response to the get-terminal-basic-information message;
sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing an access protocol with the terminal.
2. The terminal secure access method according to claim 1, characterised in that sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal and establishing the access protocol with the terminal comprises:
receiving the key negotiation response message that the terminal sends in response to the key negotiation message;
sending a key negotiation confirmation message to the terminal according to the key negotiation response message, and establishing the access protocol with the terminal.
3. A terminal secure access method, characterised by comprising:
sending an authentication and key negotiation request message to a gateway;
receiving the get-terminal-basic-information message sent by the gateway;
sending a terminal basic information message to the gateway according to the get-terminal-basic-information message;
obtaining the key negotiation message that the gateway sends according to the terminal basic information message;
carrying out a key negotiation session with the gateway according to the key negotiation message, and establishing an access protocol with the gateway.
4. The terminal secure access method according to claim 3, characterised in that carrying out a key negotiation session with the gateway according to the key negotiation message and establishing the access protocol with the gateway comprises:
sending a key negotiation response message to the gateway according to the key negotiation message;
receiving the key negotiation confirmation message returned by the gateway;
establishing the access protocol with the gateway according to the key negotiation confirmation message.
5. A terminal secure access device, characterised by comprising:
a request message receiving module, for receiving an authentication and key negotiation request message sent by a terminal;
a key negotiation judging module, for judging whether a negotiated key within its validity period exists with the terminal;
a basic information sending module, for sending a get-terminal-basic-information message to the terminal according to the authentication and key negotiation request message when it is judged that no negotiated key within its validity period exists with the terminal;
a basic information receiving module, for obtaining the terminal basic information message that the terminal returns in response to the get-terminal-basic-information message;
an access module, for sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing an access protocol with the terminal.
6. The terminal secure access device according to claim 5, characterised in that the access module comprises:
a response message receiving sub-module, for receiving the key negotiation response message that the terminal sends in response to the key negotiation message;
a confirmation sub-module, for sending a key negotiation confirmation message to the terminal according to the key negotiation response message, and establishing the access protocol with the terminal.
7. A terminal secure access device, characterised by comprising:
a request message sending module, for sending an authentication and key negotiation request message to a gateway;
a terminal basic information receiving module, for receiving the get-terminal-basic-information message sent by the gateway;
a terminal basic information sending module, for sending a terminal basic information message to the gateway according to the get-terminal-basic-information message;
a negotiation message receiving module, for obtaining the key negotiation message that the gateway sends according to the terminal basic information message;
a terminal access module, for carrying out a key negotiation session with the gateway according to the key negotiation message, and establishing an access protocol with the gateway.
8. The terminal secure access device according to claim 7, characterised in that the terminal access module comprises:
a response message sending sub-module, for sending a key negotiation response message to the gateway according to the key negotiation message;
a confirmation message receiving sub-module, for receiving the key negotiation confirmation message sent by the gateway;
a terminal access sub-module, for establishing the access protocol with the gateway according to the key negotiation confirmation message.
9. a kind of terminal security access system characterized by comprising terminal and gateway,
The terminal issues authentication and key negotiation request message to the gateway, and the gateway receives the authentication With key negotiation request message;
The gateway judges whether to complete key agreement with the terminal according to whether establishing access protocol with the terminal;
When gateway judgement does not complete key agreement with the terminal, according to the authentication and key negotiation request Message issues to the terminal and obtains terminal essential information message;
The terminal receives the acquisition terminal essential information message that the gateway issues, according to the acquisition terminal essential information report Text issues terminal essential information message to the gateway;
The gateway obtains the terminal essential information message, close to terminal sending according to the terminal essential information message Key negotiation packet;
The terminal obtains the key agreement message, carries out key agreement meeting according to the key agreement message and the gateway Words establish the access protocol with the gateway.
10. The terminal secure access system according to claim 9, characterised by further comprising a back-end communication service component and a server, wherein:
after the terminal has established the access protocol with the gateway, the terminal sends an uplink data message to the gateway;
the gateway receives the uplink data message, decrypts it, and sends the decrypted uplink data message to the back-end communication service component;
the back-end communication service component receives the decrypted uplink data message and sends it to the server;
the server receives the decrypted uplink data message, generates a downlink data message according to it, and sends the downlink data message to the gateway through the back-end communication service component;
the gateway receives the downlink data message, encrypts it, and sends the encrypted downlink data message to the terminal;
the terminal receives the encrypted downlink data message and decrypts it to obtain the downlink data message.
11. The terminal secure access system according to claim 10, characterised by further comprising a front-end communication service component, wherein:
the front-end communication service component receives the uplink data message sent by the terminal and sends the uplink data message to the gateway;
the front-end communication service component receives the encrypted downlink data message sent by the gateway and sends the downlink data message to the terminal.
Application CN201811274285.2A, "Terminal secure access method, device and system", priority date and filing date 2018-10-29, legal status Active.
Publications: CN109120405A, published 2019-01-01; CN109120405B (granted), published 2021-11-09.
Legal Events

Code Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant