CN109120405B - Terminal secure access method, device and system - Google Patents
- Publication number
- CN109120405B (application CN201811274285.2A)
- Authority
- CN
- China
- Prior art keywords
- terminal
- message
- gateway
- key negotiation
- key
- Prior art date
- Legal status
- Active
Classifications
- H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; H04L9/08 Key distribution or management; H04L9/0816 Key establishment)
- H04L67/141: Setup of application sessions (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/14 Session management)
- H04L69/164: Adaptation or special uses of UDP protocol (under H04L69/00 Network arrangements, protocols or services independent of the application payload; H04L69/16 Implementation or adaptation of IP, TCP or UDP)
- H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds (under H04L9/00; H04L9/08; H04L9/0861 Generation of secret information)
- H04L9/3247: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity, non-repudiation, key authentication or verification of credentials) involving digital signatures (under H04L9/00; H04L9/32)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a terminal secure access method, device and system. The method comprises: receiving an identity authentication and key agreement request message sent by a terminal; determining whether an access protocol already exists between the gateway and the terminal; when no access protocol exists between the gateway and the terminal, sending the terminal a message requesting its basic information, in response to the identity authentication and key agreement request message; receiving the terminal basic information message that the terminal returns in reply to that request; and sending a key negotiation message to the terminal based on the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing an access protocol with the terminal. By implementing the invention, terminal access over UDP can be realized, so that connectionless-protocol terminals can be accessed and protocol overhead reduced. At the same time, the key negotiation between the terminal and the gateway has no binding to any TCP connection, so a connectionless mode or a short-connection mode can be chosen freely for communication, which greatly facilitates terminal access in a short-message or short-connection mode.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a terminal security access method, device and system.
Background
Traditionally, terminal secure access has been realized with VPN technology, in two forms: SSL-VPN and IPsec-VPN. IPsec-VPN requires a VPN gateway to be deployed on both the terminal side and the access-network side, and is therefore generally suited only to establishing a secure path between networks. SSL-VPN needs a VPN gateway only on the access-network side, with dialling software on the terminal side, and is generally suited to a large number of distributed terminals accessing a core network.
Because SSL-VPN needs a VPN gateway only on the access-network side, its range of application is wide. However, SSL-VPN binds the tunnel to a transport-layer (TCP) connection when the channel is built: each terminal access must be bound to one TCP connection, so SSL-VPN cannot support a connectionless, short-message communication mode over UDP. The communication protocols between industrial power-control terminals and the control centre of an industrial power-control system are largely UDP-based, because such terminals exist in huge numbers and require low communication latency, and the overhead of TCP would be intolerable. Industrial power-control terminals that use a UDP connectionless communication mode therefore cannot use SSL-VPN for secure access.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus and a system for secure terminal access, so as to solve the technical problem in the prior art that industrial power-control terminals using a UDP-based connectionless communication mode cannot obtain secure access through SSL-VPN.
The technical scheme provided by the invention is as follows:
A first aspect of the embodiments of the present invention provides a terminal secure access method, comprising: receiving an identity authentication and key agreement request message sent by a terminal; determining whether a negotiated key within its validity period exists between the gateway and the terminal; when no negotiated key within its validity period exists between the gateway and the terminal, sending the terminal a message requesting its basic information, in response to the identity authentication and key agreement request message; receiving the terminal basic information message that the terminal returns in reply to that request; and sending a key negotiation message to the terminal based on the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing an access protocol with the terminal.
Preferably, sending the key negotiation message to the terminal based on the terminal basic information message, carrying out a key negotiation session with the terminal and establishing an access protocol with the terminal comprises: receiving a key negotiation response message that the terminal sends in reply to the key negotiation message; and sending a key negotiation confirmation message to the terminal based on the key negotiation response message, and establishing an access protocol with the terminal.
A second aspect of the embodiments of the present invention provides a terminal secure access method, comprising: sending an identity authentication and key agreement request message to a gateway; receiving from the gateway a message requesting the terminal's basic information; sending a terminal basic information message to the gateway in reply to that request; receiving the key negotiation message that the gateway sends based on the terminal basic information message; and carrying out a key negotiation session with the gateway according to the key negotiation message, and establishing an access protocol with the gateway.
Preferably, carrying out the key agreement session with the gateway according to the key agreement message and establishing an access protocol with the gateway comprises: sending a key negotiation response message to the gateway based on the key negotiation message; receiving the key negotiation confirmation message returned by the gateway; and establishing an access protocol with the gateway according to the key negotiation confirmation message.
A third aspect of the embodiments of the present invention provides a terminal secure access apparatus, comprising: a request message receiving module, for receiving an identity authentication and key agreement request message sent by a terminal; a key negotiation judgement module, for determining whether a negotiated key within its validity period exists between the gateway and the terminal; a basic information sending module, configured to send the terminal a message requesting its basic information, in response to the identity authentication and key agreement request message, when it is determined that no negotiated key within its validity period exists with the terminal; a basic information receiving module, configured to receive the terminal basic information message that the terminal returns in reply to that request; and an access module, for sending a key negotiation message to the terminal based on the terminal basic information message, carrying out a key negotiation session with the terminal and establishing an access protocol with the terminal.
Preferably, the access module comprises: a response message receiving submodule, configured to receive the key negotiation response message that the terminal sends in reply to the key negotiation message; and a confirmation submodule, for sending a key negotiation confirmation message to the terminal based on the key negotiation response message and establishing an access protocol with the terminal.
A fourth aspect of the present invention provides a terminal secure access apparatus, comprising: a request message sending module, configured to send an identity authentication and key agreement request message to the gateway; a terminal basic information receiving module, configured to receive from the gateway a message requesting the terminal's basic information; a terminal basic information sending module, configured to send a terminal basic information message to the gateway in reply to that request; a negotiation message receiving module, configured to receive the key negotiation message that the gateway sends based on the terminal basic information message; and a terminal access module, for carrying out a key negotiation session with the gateway according to the key negotiation message and establishing an access protocol with the gateway.
Preferably, the terminal access module comprises: a response message sending submodule, configured to send a key negotiation response message to the gateway based on the key negotiation message; a confirmation message receiving submodule, configured to receive the key agreement confirmation message sent by the gateway; and a terminal access submodule, for establishing an access protocol with the gateway according to the key negotiation confirmation message.
A fifth aspect of the embodiments of the present invention provides a terminal secure access system, in which: the terminal sends an identity authentication and key agreement request message to the gateway, and the gateway receives it; the gateway determines whether key negotiation with the terminal has been completed, i.e. whether an access protocol has been established with the terminal; when the gateway determines that key agreement with the terminal has not been completed, it sends the terminal a message requesting its basic information, in response to the identity authentication and key agreement request message; the terminal receives that message and sends a terminal basic information message to the gateway in reply; the gateway receives the terminal basic information message and sends a key negotiation message to the terminal based on it; and the terminal receives the key negotiation message, carries out a key negotiation session with the gateway according to it, and establishes an access protocol with the gateway.
Preferably, the terminal secure access system further operates as follows: after the terminal has established an access protocol with the gateway, it sends an uplink data message to the gateway; the gateway receives the uplink data message, decrypts it, and sends the decrypted uplink data message to the back-end communication service component; the back-end communication service component receives the decrypted uplink data message and sends it to the server; the server receives the decrypted uplink data message, generates a downlink data message from it, and sends the downlink data message to the gateway through the back-end communication service component; the gateway receives the downlink data message, encrypts it, and sends the encrypted downlink data message to the terminal; and the terminal receives the encrypted downlink data message and decrypts it to obtain the downlink data message.
Preferably, the terminal secure access system further includes a front-end communication service component, which receives the uplink data message sent by the terminal and forwards it to the gateway, and which receives the encrypted downlink data message sent by the gateway and forwards it to the terminal.
The technical scheme of the invention has the following advantages:
In the terminal secure access method, system and apparatus provided by the embodiments of the invention, the gateway completes key negotiation with the terminal by obtaining the terminal's basic information, and the terminal's online process is thereby realized. This process has no binding to any TCP connection, so UDP-based terminal access can be realized: connectionless-protocol terminals can be accessed and protocol overhead is reduced. At the same time, the key negotiation between terminal and gateway is tied only to the key negotiation period, not to a TCP connection, so a terminal can go online repeatedly within one period without renegotiating the key. The terminal therefore need not consider the overhead of connection establishment and is not forced into a long-connection access mode; a connectionless mode or a short-connection mode can be chosen freely for communication, and a small number of gateways can serve massive numbers of "Internet Plus" and Internet of Things terminals in a short-message or short-connection mode.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a block diagram of a specific example of a terminal secure access system according to an embodiment of the present invention;
Fig. 2 is a block diagram of another specific example of a terminal secure access system according to an embodiment of the present invention;
Fig. 3 is a block diagram of another specific example of a terminal secure access system according to an embodiment of the present invention;
Fig. 4 is a flowchart of a specific example of a terminal secure access method in an embodiment of the present invention;
Fig. 5 is a flowchart of another specific example of a terminal secure access method in an embodiment of the present invention;
Fig. 6 is a flowchart of another specific example of a terminal secure access method in an embodiment of the present invention;
Fig. 7 is a block diagram of a specific example of a terminal secure access apparatus according to an embodiment of the present invention;
Fig. 8 is a block diagram of another specific example of the terminal secure access apparatus according to an embodiment of the present invention;
Fig. 9 is a block diagram of another specific example of the terminal secure access apparatus according to an embodiment of the present invention;
Fig. 10 is a block diagram of another specific example of the terminal secure access apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of the present invention provides a terminal secure access system, as shown in Fig. 1. In this system the terminal 2 sends an identity authentication and key agreement request message to the gateway 1, and the gateway 1 receives it; the gateway 1 determines whether key agreement with the terminal 2 has been completed, i.e. whether an access protocol has been established with the terminal 2; when the gateway 1 determines that key agreement with the terminal 2 has not been completed, it sends the terminal 2 a message requesting the terminal's basic information, in response to the identity authentication and key agreement request message; the terminal 2 receives that message and returns a terminal basic information message to the gateway 1; the gateway 1 receives the terminal basic information message and sends a key negotiation message to the terminal 2 based on it; the terminal 2 receives the key negotiation message, carries out a key negotiation session with the gateway 1 according to it, and establishes an access protocol with the gateway 1.
The terminal secure access system provided by this embodiment defines a terminal secure access protocol oriented to connectionless authentication. The gateway 1 completes key negotiation with the terminal 2 by obtaining the terminal's basic information, and the online process of the terminal 2 is thereby realized. This process has no binding to any TCP connection, so UDP-based terminal access can be realized: connectionless-protocol terminals can be accessed and protocol overhead is reduced. At the same time, the key negotiation between the terminal 2 and the gateway 1 is tied only to the key negotiation period, not to a TCP connection, so the terminal 2 can go online repeatedly within one period without renegotiating the key. The terminal 2 therefore need not consider the overhead of connection establishment and is not forced into a long-connection access mode; a connectionless mode or a short-connection mode can be chosen freely, and a small number of gateways can serve massive numbers of Internet and Internet of Things terminals in a short-message or short-connection mode.
In a preferred embodiment, the terminal 2 may invoke an SDK component to send the identity authentication and key agreement request message to the gateway 1; the SDK component's role is to invoke the terminal-side security chip to complete the key agreement process between the gateway 1 and the terminal 2.
In a preferred embodiment, the gateway 1 obtains the terminal basic information message and sends a key negotiation message to the terminal based on it, specifically as follows: the gateway 1 generates session key material and a serial number from the terminal basic information it obtained, encrypts and signs them, packages them into a key negotiation message, and sends it to the terminal 2. The key material and the serial number are both 32-bit random numbers generated by the gateway, used as the session key material and the serial number of this negotiation, and both must be generated afresh for every negotiation. (The source says "32-bit"; taken literally, 32 bits of key material would be far too little to resist brute force, so a practitioner should read this as 32 bytes, i.e. 256 bits, and confirm against the original before relying on the figure.)
In a preferred embodiment, the terminal 2 obtains the key negotiation message, carries out a key negotiation session with the gateway 1 according to it, and establishes an access protocol with the gateway 1, specifically as follows. The terminal 2 processes the key negotiation message: it first verifies the signature and, once the signature verifies, decrypts the encrypted message; it then generates its own session key material, encrypts and signs it, packages it into a key negotiation response message, sends that message to the gateway 1, and at the same time calculates the symmetric key. The gateway 1 processes the key negotiation response message: it first verifies the signature and, once the signature verifies, decrypts the encrypted message; it then generates a key negotiation confirmation message, sends it to the terminal 2, and at the same time calculates the symmetric key. The terminal 2 processes the key negotiation confirmation message, verifies the symmetric key, completes confirmation of the negotiation, and establishes an access protocol with the gateway 1. Here too the session key material is a 32-bit random number generated by the party contributing it, is used only as the session key material of this negotiation, and must be generated afresh for every negotiation.
In a preferred embodiment, as shown in Fig. 2, the terminal secure access system further operates as follows: after the terminal 2 has established an access protocol with the gateway 1, it sends an uplink data message to the gateway 1; the gateway 1 receives the uplink data message, decrypts it, and sends the decrypted uplink data message to the back-end communication service component 3; the back-end communication service component 3 receives the decrypted uplink data message and sends it to the server 4; the server 4 receives the decrypted uplink data message, generates a downlink data message from it, and sends the downlink data message to the gateway 1 through the back-end communication service component 3; the gateway 1 receives the downlink data message, encrypts it, and sends the encrypted downlink data message to the terminal 2; and the terminal 2 receives the encrypted downlink data message and decrypts it to obtain the downlink data message.
In a preferred embodiment, once the terminal 2 and the gateway 1 have completed key agreement and established an access protocol, the terminal 2 can communicate bidirectionally with the server 4. Where the accessed terminal 2 is a connectionless-protocol terminal, sending an uplink data message to the gateway proceeds as follows: the terminal first calls the SDK component to initiate the request; the SDK component encapsulates the uplink data according to the private protocol, obtains the symmetric key and encrypts the encapsulated uplink data message, and then sends the encapsulated and encrypted uplink data message.
In a preferred embodiment, the gateway 1 receives the uplink data message, decrypts it, and sends the decrypted uplink data message to the back-end communication service component 3, specifically as follows: after decrypting the uplink data message, the gateway 1 randomly selects one of its TCP connections to the back-end communication service component 3 and sends the uplink data message over it.
In a preferred embodiment, the back-end communication service component 3 receives the decrypted uplink data message and sends it to the server 4, specifically as follows: the back-end communication service component 3 receives the decrypted uplink data message, strips the private-protocol encapsulation, initiates a short connection to the server 4, and forwards the original uplink data message recovered by that stripping to the server 4.
In a preferred embodiment, the server 4 receives the decrypted uplink data message, generates a downlink data message from it, and sends the downlink data message to the gateway 1 through the back-end communication service component 3, specifically as follows: after the server 4 sends the downlink data message to the back-end communication service component 3, the back-end communication service component 3 encapsulates the downlink data message according to the plaintext private protocol, randomly selects one of its TCP connections to the gateway 1 to forward the encapsulated downlink data message, and disconnects the short connection once forwarding is complete.
In a preferred embodiment, the gateway 1 receives the downlink data message, encrypts it, and sends the encrypted downlink data message to the terminal 2, specifically as follows: the gateway 1 receives the downlink data message, parses it according to the private protocol, obtains the number of the terminal 2 from the private-protocol message header, looks up the corresponding symmetric key, encrypts the downlink data message, and sends the encrypted downlink data message to the terminal 2.
In a preferred embodiment, the terminal 2 receives the encrypted downlink data message and decrypts it to obtain the downlink data message, specifically as follows: the terminal 2 receives the encrypted downlink data message, calls the SDK component to decrypt it and restore the original downlink data message, and delivers the original downlink data message to the terminal 2's application.
In a preferred embodiment, as shown in Fig. 3, the terminal secure access system further includes a front-end communication service component 5, which receives the uplink data message sent by the terminal 2 and forwards it to the gateway 1, and which receives the encrypted downlink data message sent by the gateway 1 and forwards it to the terminal 2.
In a preferred embodiment, the accessed terminal 2 may be a connection-oriented-protocol terminal. After such a terminal is accessed, it initiates a TCP connection to the front-end communication service component 5. When the terminal 2 communicates with the server 4, the exchange proceeds as follows: after the terminal 2 sends an encapsulated and encrypted uplink data message, the front-end communication service component 5 receives it over its TCP connection with the terminal 2 and randomly selects one of its TCP connections to the gateway 1 to forward the uplink data message to the gateway 1; after receiving the encrypted and encapsulated downlink data message sent by the gateway 1, the front-end communication service component 5 selects its TCP connection with the terminal 2 and forwards the downlink data message to the terminal 2.
The terminal secure access system provided by this embodiment thus also realizes bidirectional communication between the terminal 2 and the server 4 once the terminal 2 has established an access protocol with the gateway 1. When the terminal 2 is a connectionless-protocol terminal, the bidirectional communication between the terminal 2 and the server 4 is realized directly; when a connection-oriented-protocol terminal is accessed, deploying the front-end communication service component 5 solves the connection-maintenance problem for such a terminal, including connection establishment and teardown, heartbeat maintenance and bidirectional message forwarding, and provides the connection-oriented terminal with a communication channel.
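The data path just described (uplink: the terminal encrypts under the negotiated symmetric key, the gateway decrypts and forwards on a randomly chosen TCP connection to the back-end component; downlink: the gateway reads the terminal number from the private-protocol header, looks up the key and encrypts), as an added example written for this page and not the patent's own code. The session key is a constructed constant here, standing in for the result of the key negotiation. The header layout and the per-direction sequence numbers are this example's own additions: because the terminal is connectionless, every datagram has to identify the terminal and carry something under the authentication tag that lets the receiver reject replays, which a TCP connection would otherwise provide. The cipher is also a stand-in: an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC) replaces a standard AEAD such as AES-GCM, which the Python standard library does not include.

```python
# Added example: the post-access data path between terminal, gateway and back-end pool.
# Not the patent's code. Assumed: the header layout, per-direction sequence numbers, and
# the cipher (an HMAC-SHA256 keystream plus HMAC tag, encrypt-then-MAC, standing in for
# a standard AEAD such as AES-GCM, which the Python standard library does not provide).
import hashlib, hmac, random, struct

HDR = struct.Struct("!16sBQH")   # terminal number | direction | sequence number | payload length
UP, DOWN = 0, 1
TAG_LEN = 16


def prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def direction_keys(session_key, direction):
    # separate encryption and MAC keys per direction, so uplink and downlink never share a keystream
    return prf(session_key, b"enc", bytes([direction])), prf(session_key, b"mac", bytes([direction]))


def keystream(k_enc, header, n):
    # counter mode over a PRF; the authenticated header (terminal, direction, sequence) is the nonce
    blocks = (prf(k_enc, b"ks", header, struct.pack("!I", i)) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(session_key, tid, direction, seq, plaintext):
    header = HDR.pack(tid, direction, seq, len(plaintext))
    k_enc, k_mac = direction_keys(session_key, direction)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(k_enc, header, len(plaintext))))
    return header + ct + prf(k_mac, header, ct)[:TAG_LEN]


def unseal(session_key, datagram, expect_direction, last_seq):
    """Return (seq, plaintext), or None for a truncated, misdirected, replayed or forged datagram."""
    if len(datagram) < HDR.size + TAG_LEN:
        return None
    _, direction, seq, n = HDR.unpack_from(datagram)
    header, ct, tag = datagram[:HDR.size], datagram[HDR.size:HDR.size + n], datagram[HDR.size + n:]
    if direction != expect_direction or len(ct) != n or seq <= last_seq:
        return None
    k_enc, k_mac = direction_keys(session_key, direction)
    if not hmac.compare_digest(tag, prf(k_mac, header, ct)[:TAG_LEN]):
        return None                                  # tag is checked before any decryption
    return seq, bytes(a ^ b for a, b in zip(ct, keystream(k_enc, header, n)))


class Gateway:
    def __init__(self, backend_pool):
        self.backend_pool = backend_pool   # pooled TCP connections to the back-end component, modelled as lists
        self.sessions = {}                 # terminal number -> {key, expires, up_seq, down_seq}

    def add_session(self, tid, key, expires):
        self.sessions[tid] = {"key": key, "expires": expires, "up_seq": 0, "down_seq": 0}

    def _session(self, tid, now):
        sess = self.sessions.get(tid)
        return sess if sess and sess["expires"] > now else None   # no valid key: terminal must go online again

    def handle_uplink(self, datagram, now):
        sess = self._session(datagram[:16], now)    # the terminal number is the first header field
        res = sess and unseal(sess["key"], datagram, UP, sess["up_seq"])
        if not res:
            return None
        sess["up_seq"], plaintext = res
        random.choice(self.backend_pool).append((datagram[:16], plaintext))   # any pooled connection will do
        return datagram[:16], plaintext

    def handle_downlink(self, tid, plaintext, now):
        # tid comes from the back-end component's plaintext private-protocol header
        sess = self._session(tid, now)
        if sess is None:
            return None
        sess["down_seq"] += 1
        return seal(sess["key"], tid, DOWN, sess["down_seq"], plaintext)


class Terminal:
    def __init__(self, tid, key):
        self.tid, self.key, self.up_seq, self.down_seq = tid, key, 0, 0

    def send(self, plaintext):             # the SDK component's encapsulate-and-encrypt step
        self.up_seq += 1
        return seal(self.key, self.tid, UP, self.up_seq, plaintext)

    def receive(self, datagram):           # the SDK component's decrypt-and-restore step
        res = unseal(self.key, datagram, DOWN, self.down_seq)
        if res is None:
            return None
        self.down_seq, plaintext = res
        return plaintext
```

The gateway refuses uplink datagrams once the session has passed its validity period, which is the point at which the terminal must repeat the identity authentication and key agreement request. A forged or replayed datagram fails closed without advancing the sequence counter, so a valid datagram arriving after a forged one is still accepted, and a downlink datagram replayed at the uplink entry is rejected on the direction byte before any decryption is attempted.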
An embodiment of the present invention further provides a terminal secure access method, as shown in fig. 4, the terminal secure access method includes:
Step 1: receiving an identity authentication and key agreement request message sent by a terminal. Specifically, the gateway receives the identity authentication and key agreement request message that the terminal sends by calling the SDK component; the message header carries the terminal ID and the data field is empty. The SDK component's role is to invoke the terminal-side security chip to complete the key agreement process between the terminal and the gateway.
Step 2: determining whether a negotiated key within its validity period exists between the gateway and the terminal. Specifically, the gateway queries whether key agreement with this terminal has already been completed.
Step 3: when no negotiated key within its validity period exists between the gateway and the terminal, sending the terminal a message requesting its basic information, in response to the identity authentication and key negotiation request message. Specifically, the header of the message requesting the terminal's basic information carries the terminal ID, and its data field is empty.
Step 4: receiving the terminal basic information message that the terminal returns in reply to that request. Specifically, the header of the terminal basic information message carries the terminal ID, and its data field contains the terminal certificate.
Step 5: sending a key negotiation message to the terminal based on the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing an access protocol with the terminal.
In a preferred embodiment, as shown in fig. 5, step 5 (sending the key negotiation message to the terminal, carrying out the key negotiation session and establishing the access protocol) includes:
Step 51: receiving the key negotiation response message that the terminal sends in response to the key negotiation message;
Step 52: sending a key negotiation confirmation message to the terminal based on the key negotiation response message, and establishing the access protocol with the terminal.
Specifically, in step 5 the gateway extracts the terminal certificate from the terminal basic information it obtained and verifies the validity of the certificate. It then generates session key material and a serial number, applies cryptographic operations such as encryption and signing, packages the result into the key negotiation message and sends it to the terminal. The key material and the serial number are 32-bit random numbers generated by the gateway and serve as the session key material and serial number of this negotiation only; they must be generated afresh for every negotiation, so a key negotiation message is never reused.
The gateway then receives the key negotiation response message that the terminal returns for the key negotiation message and processes it: it first verifies the signature, decrypts the encrypted content once the signature passes, generates the key negotiation confirmation message and sends it to the terminal, and at the same time calculates the symmetric key, thereby establishing the access protocol with the terminal.
Through steps 1 to 5, the terminal security access method of this embodiment defines a terminal security access protocol oriented to connectionless authentication: the gateway completes key negotiation with the terminal by acquiring the terminal's basic information, and so brings the terminal online. This process is not bound to any TCP connection, so terminal access can run over UDP; connectionless protocol terminals can therefore be accessed and protocol overhead is reduced. Likewise, the key negotiation between terminal and gateway is bound only to the key negotiation period, not to a TCP connection: within one period the terminal can go online repeatedly without renegotiating the key. The terminal thus need not bear the overhead of connection establishment and is not forced into a long-connection access mode; it may freely choose connectionless or short-connection communication, and a small number of gateways can serve a very large population of "Internet+" and Internet of Things terminals in short-message or short-connection mode.
An embodiment of the present invention further provides a terminal secure access method, performed on the terminal side. As shown in fig. 6, the method includes:
Step S1: sending an identity authentication and key agreement request message to the gateway. Specifically, the terminal calls its SDK component to send the identity authentication and key agreement request message to the gateway; the message header carries the terminal ID and the data field is empty. The SDK component invokes the terminal-side security chip to complete the key agreement process between the terminal and the gateway.
Step S2: receiving the get-terminal-basic-information message sent by the gateway. Specifically, when no access protocol exists between the terminal and the gateway, that is, when key agreement between them has not been completed, the terminal receives the get-terminal-basic-information message sent by the gateway; its header carries the terminal ID and its data field is empty.
Step S3: sending the terminal basic information message to the gateway in response to the get-terminal-basic-information message. Specifically, the header of the terminal basic information message carries the terminal ID and its data field contains the terminal certificate.
Step S4: acquiring the key negotiation message that the gateway sends based on the terminal basic information message. Specifically, on receiving the key negotiation message the terminal processes it: it first verifies the signature and, once the signature passes, decrypts the encrypted content; it then generates its own session key material, applies encryption and signing, packages the result into the key negotiation response message, and calculates the symmetric key. The terminal's key material is likewise a 32-bit random number used only for this negotiation and generated afresh each time.
Step S5: carrying out the key negotiation session with the gateway based on the key negotiation message and establishing the access protocol with the gateway. Specifically, the terminal generates the key negotiation response message from the key negotiation message and sends it to the gateway, confirms that negotiation is complete on receiving the key negotiation confirmation message returned by the gateway, and thereby establishes the access protocol with the gateway.
Through steps S1 to S5 the terminal-side method realises the same connectionless-authentication access protocol described for steps 1 to 5 above, with the same consequences: the online process and the key negotiation are not bound to a TCP connection but only to the key negotiation period, so the terminal can go online repeatedly within one period without renegotiating, can be accessed over UDP with reduced protocol overhead, and may choose connectionless or short-connection communication instead of a long connection, allowing a small number of gateways to serve massive numbers of "Internet+" and Internet of Things terminals in short-message or short-connection mode.
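The exchange of steps 1 to 5 (gateway side) and S1 to S5 (terminal side), run end to end as an added example with both parties' messages; this is not the patent's or the applicant's code. Two assumptions are labelled in the comments: the certificate signature and envelope encryption of the page are stood in for by an HMAC tag under per-party keys (the standard library has no asymmetric primitives, and the message flow, state and freshness checks are what the example shows), and the key material is 32 bytes rather than the 32 bits the page states, since 32 bits is far too little entropy for a session key. The reply sent when a valid negotiated key already exists (`ONLINE_OK`) and the message type names are also assumptions; the page only says the terminal goes online again without renegotiating.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAT_LEN = 32  # assumed: 32 bytes of key material (the page says 32-bit; see lead-in)


@dataclass
class Msg:
    kind: str          # message type (names assumed)
    tid: bytes         # message header: terminal ID
    data: bytes = b""  # data field (empty in the request and get-info messages)
    tag: bytes = b""   # stand-in for the certificate signature over kind|tid|data


def _tag(key: bytes, m: Msg) -> bytes:
    return hmac.new(key, m.kind.encode() + m.tid + m.data, hashlib.sha256).digest()


def sign(key: bytes, m: Msg) -> Msg:
    m.tag = _tag(key, m)
    return m


def verify(key: bytes, m: Msg) -> bool:
    return hmac.compare_digest(_tag(key, m), m.tag)


def derive_key(gw_material: bytes, term_material: bytes, serial: bytes) -> bytes:
    """Both sides compute the symmetric key from both parties' fresh material and the serial."""
    return hashlib.sha256(b"access-key|" + gw_material + term_material + serial).digest()


class Gateway:
    def __init__(self, gw_key, trusted, period_s=3600, now=time.time):
        self.gw_key = gw_key        # gateway signing key
        self.trusted = trusted      # terminal ID -> verification key (stand-in for a valid certificate)
        self.period_s = period_s    # key negotiation period
        self.now = now
        self.sessions = {}          # terminal ID -> (symmetric key, expiry)
        self.pending = {}           # terminal ID -> (gateway material, serial) while negotiating

    def handle(self, m: Msg) -> Msg:
        tid = m.tid
        if m.kind == "AUTH_REQ":                         # steps 1 and 2
            sess = self.sessions.get(tid)
            if sess is not None and sess[1] > self.now():
                return Msg("ONLINE_OK", tid)             # key still valid: no renegotiation (assumed reply)
            return Msg("GET_INFO", tid)                  # step 3: header carries ID, data field empty
        key = self.trusted.get(tid)
        if key is None or not verify(key, m):            # certificate validity / signature check
            return Msg("REJECT", tid)
        if m.kind == "INFO":                             # steps 4 and 5
            gw_mat, serial = os.urandom(MAT_LEN), os.urandom(4)
            self.pending[tid] = (gw_mat, serial)         # fresh for every negotiation
            return sign(self.gw_key, Msg("NEGOTIATE", tid, gw_mat + serial))
        if m.kind == "NEG_RESP":                         # steps 51 and 52
            pend = self.pending.pop(tid, None)
            if pend is None or m.data[MAT_LEN:] != pend[1]:
                return Msg("REJECT", tid)                # stale or replayed response
            self.sessions[tid] = (derive_key(pend[0], m.data[:MAT_LEN], pend[1]),
                                  self.now() + self.period_s)
            return sign(self.gw_key, Msg("NEG_CONFIRM", tid, pend[1]))
        return Msg("REJECT", tid)


class Terminal:
    def __init__(self, tid, key, gw_key):
        self.tid, self.key, self.gw_key = tid, key, gw_key   # key: terminal signing key (security chip)
        self.session_key = None
        self.online = False

    def request(self) -> Msg:
        return Msg("AUTH_REQ", self.tid)                 # step S1

    def handle(self, m: Msg):
        if m.kind == "GET_INFO":                         # steps S2 and S3: send the "certificate"
            return sign(self.key, Msg("INFO", self.tid, b"CERT:" + self.tid))
        if m.kind in ("NEGOTIATE", "NEG_CONFIRM") and not verify(self.gw_key, m):
            return None                                  # bad signature: abandon the exchange
        if m.kind == "NEGOTIATE":                        # step S4
            gw_mat, serial = m.data[:MAT_LEN], m.data[MAT_LEN:]
            term_mat = os.urandom(MAT_LEN)
            self.session_key = derive_key(gw_mat, term_mat, serial)
            return sign(self.key, Msg("NEG_RESP", self.tid, term_mat + serial))
        if m.kind in ("NEG_CONFIRM", "ONLINE_OK"):       # step S5
            self.online = True
        return None


def go_online(term: Terminal, gw: Gateway):
    """Drive one online attempt message by message; return the sequence of message kinds."""
    trace, m = [], term.request()
    while m is not None:
        trace.append(m.kind)
        reply = gw.handle(m)
        trace.append(reply.kind)
        m = term.handle(reply)
    return trace
```

Every message is a self-contained datagram keyed by the terminal ID in its header, so the same exchange works over UDP or over a short TCP connection. The serial number is what ties a negotiation response to the negotiation that started it: a response echoing an old serial, or arriving after the pending entry has been consumed, is rejected, and each expiry of the negotiation period forces fresh material from both sides.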
An embodiment of the present invention further provides a terminal security access apparatus on the gateway side. As shown in fig. 7, the apparatus includes:
a request message receiving module 11, configured to receive the identity authentication and key agreement request message sent by a terminal; see step 1 above for details;
a key negotiation judging module 22, configured to judge whether a negotiated key within its validity period exists between the gateway and the terminal; see step 2 above for details;
a basic information sending module 33, configured to send the get-terminal-basic-information message to the terminal in response to the identity authentication and key agreement request message when no negotiated key within its validity period exists between the gateway and the terminal; see step 3 above for details;
a basic information receiving module 44, configured to acquire the terminal basic information message that the terminal returns in response to the get-terminal-basic-information message; see step 4 above for details;
an access module 55, configured to send the key negotiation message to the terminal based on the terminal basic information message, carry out the key negotiation session with the terminal and establish the access protocol with the terminal; see step 5 above for details.
Through modules 11 to 55, the terminal security access apparatus of this embodiment implements the connectionless-authentication access protocol described for steps 1 to 5 above, with the same advantages: the online process and the key negotiation are bound only to the key negotiation period rather than to a TCP connection, so terminals can be accessed over UDP, can go online repeatedly within one period without renegotiating the key, and may choose connectionless or short-connection communication instead of a long connection, allowing a small number of gateways to serve massive numbers of "Internet+" and Internet of Things terminals in short-message or short-connection mode.
In a preferred embodiment, as shown in fig. 8, the access module 55 includes:
a response message receiving submodule 551, configured to receive the key negotiation response message that the terminal sends in response to the key negotiation message;
a confirming submodule 552, configured to send the key negotiation confirmation message to the terminal based on the key negotiation response message, and to establish the access protocol with the terminal.
For the functions of this terminal security access apparatus, refer to the description of the terminal security access method in the embodiment above.
An embodiment of the present invention further provides a terminal security access apparatus on the terminal side. As shown in fig. 9, the apparatus includes:
a request message sending module 6, configured to send the identity authentication and key agreement request message to the gateway; see step S1 above for details;
a terminal basic information receiving module 7, configured to receive the get-terminal-basic-information message sent by the gateway; see step S2 above for details;
a terminal basic information sending module 8, configured to send the terminal basic information message to the gateway in response to the get-terminal-basic-information message; see step S3 above for details;
a negotiation message receiving module 9, configured to acquire the key negotiation message that the gateway sends based on the terminal basic information message; see step S4 above for details;
a terminal access module 10, configured to carry out the key negotiation session with the gateway based on the key negotiation message and to establish the access protocol with the gateway; see step S5 above for details.
Through modules 6 to 10, the terminal security access apparatus of this embodiment implements the terminal side of the same connectionless-authentication access protocol, with the same advantages: the online process and the key negotiation are bound only to the key negotiation period rather than to a TCP connection, so the terminal can be accessed over UDP, can go online repeatedly within one period without renegotiating the key, and may choose connectionless or short-connection communication instead of a long connection, allowing a small number of gateways to serve massive numbers of "Internet+" and Internet of Things terminals in short-message or short-connection mode.
In a preferred embodiment, as shown in fig. 10, the terminal access module 10 includes:
a response message sending submodule 101, configured to send the key negotiation response message to the gateway based on the key negotiation message;
a confirmation message receiving submodule 102, configured to receive the key negotiation confirmation message sent by the gateway;
a terminal access submodule 103, configured to establish the access protocol with the gateway based on the key negotiation confirmation message.
For the functions of this terminal security access apparatus, refer to the description of the terminal security access method in the embodiment above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.
Claims (7)
1. A terminal security access method oriented to connectionless authentication, characterized by comprising the following steps:
receiving an identity authentication and key agreement request message sent by a terminal;
judging, according to whether an access protocol has been established with the terminal, whether a negotiated key within its validity period exists with the terminal;
when it is judged that no negotiated key within its validity period exists with the terminal, sending a get-terminal-basic-information message to the terminal according to the identity authentication and key agreement request message;
acquiring the terminal basic information message returned by the terminal in response to the get-terminal-basic-information message;
sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing an access protocol with the terminal;
wherein sending the key negotiation message to the terminal according to the terminal basic information message, carrying out the key negotiation session with the terminal, and establishing the access protocol with the terminal comprises:
receiving a key negotiation response message sent by the terminal in response to the key negotiation message;
and sending a key negotiation confirmation message to the terminal according to the key negotiation response message, and establishing the access protocol with the terminal.
2. A terminal security access method oriented to connectionless authentication, characterized by comprising the following steps:
sending an identity authentication and key agreement request message to a gateway;
when key negotiation with the gateway has not been completed according to an access protocol, receiving a get-terminal-basic-information message sent by the gateway;
sending a terminal basic information message to the gateway in response to the get-terminal-basic-information message;
acquiring a key negotiation message sent by the gateway according to the terminal basic information message;
carrying out a key negotiation session with the gateway according to the key negotiation message, and establishing an access protocol with the gateway;
wherein carrying out the key negotiation session with the gateway according to the key negotiation message and establishing the access protocol with the gateway comprises:
sending a key negotiation response message to the gateway according to the key negotiation message;
receiving a key negotiation confirmation message returned by the gateway;
and establishing the access protocol with the gateway according to the key negotiation confirmation message.
3. A terminal security access device oriented to connectionless authentication, characterized by comprising:
a request message receiving module, configured to receive an identity authentication and key agreement request message sent by a terminal;
a key negotiation judging module, configured to judge, according to whether an access protocol has been established with the terminal, whether a negotiated key within its validity period exists with the terminal;
a basic information sending module, configured to send a get-terminal-basic-information message to the terminal according to the identity authentication and key agreement request message when it is judged that no negotiated key within its validity period exists with the terminal;
a basic information receiving module, configured to acquire the terminal basic information message returned by the terminal in response to the get-terminal-basic-information message;
an access module, configured to send a key negotiation message to the terminal according to the terminal basic information message, carry out a key negotiation session with the terminal, and establish an access protocol with the terminal;
wherein the access module comprises:
a response message receiving submodule, configured to receive a key negotiation response message sent by the terminal in response to the key negotiation message;
and a confirmation submodule, configured to send a key negotiation confirmation message to the terminal according to the key negotiation response message and establish the access protocol with the terminal.
4. A terminal security access device oriented to connectionless authentication, characterized by comprising:
a request message sending module, configured to send an identity authentication and key agreement request message to a gateway;
a terminal basic information receiving module, configured to receive a get-terminal-basic-information message sent by the gateway when key negotiation with the gateway has not been completed according to an access protocol;
a terminal basic information sending module, configured to send a terminal basic information message to the gateway in response to the get-terminal-basic-information message;
a negotiation message receiving module, configured to acquire a key negotiation message sent by the gateway according to the terminal basic information message;
a terminal access module, configured to carry out a key negotiation session with the gateway according to the key negotiation message and establish an access protocol with the gateway;
wherein the terminal access module comprises:
a response message sending submodule, configured to send a key negotiation response message to the gateway according to the key negotiation message;
a confirmation message receiving submodule, configured to receive a key negotiation confirmation message sent by the gateway;
and a terminal access submodule, configured to establish the access protocol with the gateway according to the key negotiation confirmation message.
5. A terminal security access system oriented to connectionless authentication, characterized by comprising a terminal and a gateway, wherein:
the terminal sends an identity authentication and key agreement request message to the gateway, and the gateway receives the identity authentication and key agreement request message;
the gateway judges, according to whether an access protocol has been established with the terminal, whether key negotiation with the terminal has been completed;
when the gateway judges that key negotiation with the terminal has not been completed, it sends a get-terminal-basic-information message to the terminal according to the identity authentication and key agreement request message;
the terminal receives the get-terminal-basic-information message sent by the gateway and sends a terminal basic information message to the gateway in response to it;
the gateway acquires the terminal basic information message and sends a key negotiation message to the terminal according to the terminal basic information message;
the terminal sends a key negotiation response message to the gateway according to the key negotiation message;
the gateway receives the key negotiation response message and sends a key negotiation confirmation message to the terminal according to the key negotiation response message;
and the terminal receives the key negotiation confirmation message returned by the gateway and establishes an access protocol with the gateway according to the key negotiation confirmation message.
6. The terminal security access system oriented to connectionless authentication according to claim 5, further comprising a back-end communication service component and a server, wherein:
after the terminal has established the access protocol with the gateway, the terminal sends an uplink data message to the gateway;
the gateway receives the uplink data message, decrypts it and sends the decrypted uplink data message to the back-end communication service component;
the back-end communication service component receives the decrypted uplink data message and sends it to the server;
the server receives the decrypted uplink data message, generates a downlink data message according to it, and sends the downlink data message to the gateway through the back-end communication service component;
the gateway receives the downlink data message, encrypts it and sends the encrypted downlink data message to the terminal;
and the terminal receives the encrypted downlink data message and decrypts it to obtain the downlink data message.
7. The terminal security access system oriented to connectionless authentication according to claim 6, further comprising a front-end communication service component, wherein:
the front-end communication service component receives the uplink data message sent by the terminal and sends it to the gateway;
and the front-end communication service component receives the encrypted downlink data message sent by the gateway and sends it to the terminal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811274285.2A CN109120405B (en) | 2018-10-29 | 2018-10-29 | Terminal secure access method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109120405A CN109120405A (en) | 2019-01-01 |
CN109120405B true CN109120405B (en) | 2021-11-09 |
Family
ID=64854454
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811274285.2A Active CN109120405B (en) | 2018-10-29 | 2018-10-29 | Terminal secure access method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109120405B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109922081B (en) * | 2019-04-02 | 2021-06-25 | 全知科技(杭州)有限责任公司 | TCP stream length connection data analysis method |
CN110995775B (en) * | 2019-10-11 | 2020-12-01 | 浙江口碑网络技术有限公司 | Service data processing method, device and system |
CN114698149A (en) * | 2020-01-21 | 2022-07-01 | 华为技术有限公司 | Data transmission method and equipment |
CN111585976B (en) * | 2020-04-09 | 2021-11-23 | 北京理工大学 | Communication method, communication apparatus, storage medium, and electronic device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101742491A (en) * | 2009-12-04 | 2010-06-16 | 同济大学 | Method for exchanging and consulting secret keys between mobile device and safe access gateway |
CN103139770A (en) * | 2013-01-30 | 2013-06-05 | 中兴通讯股份有限公司 | Method for transmitting paired master cryptography keys in wireless local area network (WLAN) access network and system |
CN105636033A (en) * | 2014-10-25 | 2016-06-01 | 华为技术有限公司 | Method, device and system for movably managing terminals |
CN105871873A (en) * | 2016-04-29 | 2016-08-17 | 国家电网公司 | Security encryption authentication module for power distribution terminal communication and method thereof |
CN106385404A (en) * | 2016-08-31 | 2017-02-08 | 华北电力大学(保定) | Construction method for power information system based on mobile terminal |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130108045A1 (en) * | 2011-10-27 | 2013-05-02 | Architecture Technology, Inc. | Methods, networks and nodes for dynamically establishing encrypted communications |
EP2847947B1 (en) * | 2012-05-10 | 2020-12-23 | Samsung Electronics Co., Ltd. | Method and system for connectionless transmission during uplink and downlink of data packets |
CN104113934B (en) * | 2014-07-25 | 2017-09-05 | 北京奇虎科技有限公司 | The method and access system of communication equipment couple in router |
US9882726B2 (en) * | 2015-05-22 | 2018-01-30 | Motorola Solutions, Inc. | Method and apparatus for initial certificate enrollment in a wireless communication system |
JP2019009480A (en) * | 2015-11-10 | 2019-01-17 | シャープ株式会社 | Terminal device, c-sgn, and communication control method |
US20160191245A1 (en) * | 2016-03-09 | 2016-06-30 | Yufeng Qin | Method for Offline Authenticating Time Encoded Passcode |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||