CN109120405B - Terminal secure access method, device and system - Google Patents

Publication number
CN109120405B
Authority
CN
China
Prior art keywords
terminal
message
gateway
key negotiation
key
Legal status
Active
Application number
CN201811274285.2A
Other languages
Chinese (zh)
Other versions
CN109120405A (en)
Inventor
周诚
汪晨
马媛媛
邵志鹏
李伟伟
陈璐
张波
管小娟
陈牧
Current Assignee
Global Energy Interconnection Research Institute
Original Assignee
Global Energy Interconnection Research Institute
Application filed by Global Energy Interconnection Research Institute
Priority to CN201811274285.2A (patent/CN109120405B/en)
Publication of CN109120405A (patent/CN109120405A/en)
Application granted
Publication of CN109120405B (patent/CN109120405B/en)
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
            • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
            • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
        • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/14 Session management
            • H04L67/141 Setup of application sessions
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
            • H04L69/164 Adaptation or special uses of UDP protocol

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a terminal secure access method, device and system. The terminal secure access method comprises the following steps: receiving an identity authentication and key agreement request message sent by a terminal; judging whether an access protocol exists between the gateway and the terminal; when no access protocol exists between the gateway and the terminal, sending a message for acquiring basic terminal information to the terminal according to the identity authentication and key agreement request message; acquiring the terminal basic information message that the terminal feeds back in response to the message for acquiring basic terminal information; and sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing an access protocol with the terminal. By implementing the invention, terminal access based on the UDP protocol can be realized, so that connectionless-protocol terminals can be accessed and protocol overhead is reduced. At the same time, the key negotiation process between the terminal and the gateway has no binding relationship with a TCP connection, so a connectionless mode or a short-connection mode can be flexibly selected for communication, which greatly facilitates access of terminals in a short-message or short-connection mode.

Description

Terminal secure access method, device and system
Technical Field
The invention relates to the technical field of information security, in particular to a terminal security access method, device and system.
Background
Traditionally, terminal secure access has mainly been realized with VPN technology, divided into SSL-VPN and IPsec-VPN. IPsec-VPN requires a VPN gateway to be deployed on both the terminal side and the access network side, and is therefore generally only suitable for establishing a secure connection path between networks. SSL-VPN only needs a VPN gateway deployed on the access network side, with dial-in software deployed on the terminal side, and is generally suitable for large numbers of distributed terminals accessing a core network.
Because SSL-VPN only needs a VPN gateway on the access network side, its range of application is wide. However, SSL-VPN technology binds the channel to a transport-layer (TCP) connection when the channel is built: one terminal access must bind one TCP connection, so SSL-VPN cannot support a connectionless, short-message communication mode based on UDP. A large proportion of the communication protocols between industrial power control terminals and the control center in an industrial power control system are based on UDP, because such terminals are extremely numerous and require low communication delay, and the overhead of the TCP protocol is intolerable for them. An industrial power control terminal using the UDP connectionless communication mode therefore cannot use SSL-VPN to realize secure access.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus and a system for secure access of a terminal, so as to solve the technical problem in the prior art that SSL-VPN cannot provide secure access for an industrial power control terminal that uses a UDP-based connectionless communication mode.
The technical scheme provided by the invention is as follows:
The first aspect of the embodiments of the present invention provides a terminal secure access method, including: receiving an identity authentication and key agreement request message sent by a terminal; judging whether a negotiated key within its validity period exists between the gateway and the terminal; when no negotiated key within its validity period exists between the gateway and the terminal, sending a message for acquiring basic terminal information to the terminal according to the identity authentication and key agreement request message; acquiring the terminal basic information message that the terminal feeds back in response to the message for acquiring basic terminal information; and sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing an access protocol with the terminal.
Preferably, sending a key negotiation message to the terminal according to the terminal basic information message, performing a key negotiation session with the terminal, and establishing an access protocol with the terminal includes: receiving a key negotiation response message sent by the terminal in reply to the key negotiation message; and sending a key negotiation confirmation message to the terminal according to the key negotiation response message, and establishing an access protocol with the terminal.
A second aspect of the embodiments of the present invention provides a terminal secure access method, including: sending an identity authentication and key agreement request message to a gateway; receiving a message for acquiring basic terminal information sent by the gateway; sending a terminal basic information message to the gateway in reply to the message for acquiring basic terminal information; acquiring the key negotiation message that the gateway sends according to the terminal basic information message; and carrying out a key negotiation session with the gateway according to the key negotiation message, and establishing an access protocol with the gateway.
Preferably, performing a key negotiation session with the gateway according to the key negotiation message and establishing an access protocol with the gateway includes: sending a key negotiation response message to the gateway according to the key negotiation message; receiving the key negotiation confirmation message fed back by the gateway; and establishing an access protocol with the gateway according to the key negotiation confirmation message.
A third aspect of the embodiments of the present invention provides a terminal secure access apparatus, including: a request message receiving module, configured to receive an identity authentication and key agreement request message sent by a terminal; a key negotiation judgment module, configured to judge whether a negotiated key within its validity period exists between the gateway and the terminal; a basic information sending module, configured to send a message for acquiring basic terminal information to the terminal according to the identity authentication and key agreement request message when it is determined that no negotiated key within its validity period exists with the terminal; a basic information receiving module, configured to acquire the terminal basic information message that the terminal feeds back in response to the message for acquiring basic terminal information; and an access module, configured to send a key negotiation message to the terminal according to the terminal basic information message, carry out a key negotiation session with the terminal, and establish an access protocol with the terminal.
Preferably, the access module comprises: a response message receiving submodule, configured to receive the key negotiation response message sent by the terminal in reply to the key negotiation message; and a confirmation submodule, configured to send a key negotiation confirmation message to the terminal according to the key negotiation response message and to establish an access protocol with the terminal.
A fourth aspect of the present invention provides a terminal secure access apparatus, including: a request message sending module, configured to send an identity authentication and key agreement request message to the gateway; a terminal basic information receiving module, configured to receive the message for acquiring basic terminal information sent by the gateway; a terminal basic information sending module, configured to send a terminal basic information message to the gateway in reply to the message for acquiring basic terminal information; a negotiation message receiving module, configured to acquire the key negotiation message that the gateway sends according to the terminal basic information message; and a terminal access module, configured to carry out a key negotiation session with the gateway according to the key negotiation message and to establish an access protocol with the gateway.
Preferably, the terminal access module includes: a response message sending submodule, configured to send a key negotiation response message to the gateway according to the key negotiation message; a confirmation message receiving submodule, configured to receive the key negotiation confirmation message sent by the gateway; and a terminal access submodule, configured to establish an access protocol with the gateway according to the key negotiation confirmation message.
A fifth aspect of the embodiments of the present invention provides a terminal secure access system, including: the terminal sends an identity authentication and key agreement request message to the gateway, and the gateway receives the identity authentication and key agreement request message; the gateway judges whether key negotiation with the terminal has been completed, according to whether an access protocol has been established with the terminal; when the gateway judges that key negotiation with the terminal has not been completed, it sends a message for acquiring basic terminal information to the terminal according to the identity authentication and key agreement request message; the terminal receives the message for acquiring basic terminal information sent by the gateway, and sends a terminal basic information message to the gateway in reply; the gateway acquires the terminal basic information message and sends a key negotiation message to the terminal according to it; and the terminal acquires the key negotiation message, performs a key negotiation session with the gateway according to the key negotiation message, and establishes an access protocol with the gateway.
Preferably, the terminal secure access system further includes: after establishing an access protocol with the gateway, the terminal sends an uplink data message to the gateway; the gateway receives the uplink data message, decrypts it and sends the decrypted uplink data message to the back-end communication service component; the back-end communication service component receives the decrypted uplink data message and sends it to the server; the server receives the decrypted uplink data message, generates a downlink data message according to it, and sends the downlink data message to the gateway through the back-end communication service component; the gateway receives the downlink data message, encrypts it and sends the encrypted downlink data message to the terminal; and the terminal receives the encrypted downlink data message and decrypts it to obtain the downlink data message.
Preferably, the terminal secure access system further includes: the front-end communication service component receives the uplink data message sent by the terminal and sends it to the gateway; and the front-end communication service component receives the encrypted downlink data message sent by the gateway and sends it to the terminal.
The technical scheme of the invention has the following advantages:
According to the terminal secure access method, system and apparatus provided by the embodiments of the invention, the gateway completes key negotiation with the terminal by acquiring the terminal's basic information, which realizes the terminal online process. This process has no binding relationship with a TCP connection, so terminal access based on the UDP protocol can be realized: connectionless-protocol terminals can be accessed and protocol overhead is reduced. At the same time, the key negotiation process between the terminal and the gateway is bound only to the key negotiation period, not to a TCP connection, so a terminal that goes online repeatedly within one period does not need to renegotiate the key. Therefore, the terminal need not consider the overhead of connection establishment and is not forced to adopt a long-connection access mode; a connectionless mode or a short-connection mode can be flexibly selected for communication, and a small number of gateways can serve massive numbers of "Internet Plus" and Internet of Things terminals accessing in a short-message or short-connection mode.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a block diagram illustrating a specific example of a terminal secure access system according to an embodiment of the present invention;
Fig. 2 is a block diagram illustrating another specific example of a terminal secure access system according to an embodiment of the present invention;
Fig. 3 is a block diagram illustrating another specific example of a terminal secure access system according to an embodiment of the present invention;
Fig. 4 is a flowchart of a specific example of a terminal secure access method in an embodiment of the present invention;
Fig. 5 is a flowchart of another specific example of a terminal secure access method in an embodiment of the present invention;
Fig. 6 is a flowchart of another specific example of a terminal secure access method in an embodiment of the present invention;
Fig. 7 is a block diagram illustrating a specific example of a terminal secure access apparatus according to an embodiment of the present invention;
Fig. 8 is a block diagram showing another specific example of the terminal secure access apparatus according to an embodiment of the present invention;
Fig. 9 is a block diagram showing another specific example of the terminal secure access apparatus according to an embodiment of the present invention;
Fig. 10 is a block diagram illustrating another specific example of the terminal secure access apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of the present invention provides a terminal secure access system, as shown in Fig. 1. The terminal secure access system includes: the terminal 2 sends an identity authentication and key agreement request message to the gateway 1, and the gateway 1 receives the identity authentication and key agreement request message; the gateway 1 judges whether key agreement with the terminal 2 has been completed, according to whether an access protocol has been established with the terminal 2; when the gateway 1 judges that key agreement with the terminal 2 has not been completed, it sends a message for acquiring basic terminal information to the terminal 2 according to the identity authentication and key agreement request message; the terminal 2 receives the message for acquiring basic terminal information sent by the gateway, and sends a terminal basic information message to the gateway in reply; the gateway 1 acquires the terminal basic information message and sends a key negotiation message to the terminal 2 according to it; and the terminal 2 obtains the key negotiation message, performs a key negotiation session with the gateway 1 according to the key negotiation message, and establishes an access protocol with the gateway 1.
The terminal secure access system provided by the embodiment of the invention defines a terminal secure access protocol oriented to connectionless authentication. The gateway 1 completes key negotiation with the terminal 2 by acquiring the basic information of the terminal 2, which realizes the online process of the terminal 2. This process has no binding relationship with a TCP connection, so terminal access based on the UDP protocol can be realized: connectionless-protocol terminals can be accessed and protocol overhead is reduced. At the same time, the key negotiation process between the terminal 2 and the gateway 1 is bound only to the key negotiation period, not to a TCP connection, so a terminal 2 that goes online repeatedly within one period does not need to renegotiate a key. Therefore, the terminal 2 need not consider the overhead of connection establishment and is not forced to adopt a long-connection access mode; a connectionless mode or a short-connection mode can be flexibly selected for communication, and a small number of gateways can serve massive numbers of Internet and Internet of Things terminals accessing in a short-message or short-connection mode.
In a preferred embodiment, the terminal 2 may invoke an SDK component to send the identity authentication and key agreement request message to the gateway 1; the function of the SDK component is to invoke the terminal-side security chip to complete the key agreement process between the gateway 1 and the terminal 2.
In a preferred embodiment, the gateway 1 acquiring the terminal basic information message and sending a key negotiation message to the terminal according to it specifically includes: the gateway 1 generates session key material and a serial number according to the acquired terminal basic information, encapsulates them into a key negotiation message after cryptographic operations such as encryption and signing, and sends the key negotiation message to the terminal 2. The key material and the serial number are both 32-bit random numbers generated by the gateway; they serve as the session key material and serial number of this negotiation, and must be generated afresh for each negotiation.
In a preferred embodiment, the terminal 2 obtaining the key negotiation message, performing a key negotiation session with the gateway 1 according to it, and establishing an access protocol with the gateway 1 specifically includes: the terminal 2 obtains and processes the key negotiation message, first verifying the signature and, after the signature check passes, decrypting the encrypted message; the terminal 2 then generates session key material, encapsulates it into a key negotiation response message after operations such as encryption and signing, sends the key negotiation response message to the gateway, and at the same time calculates the symmetric key. The gateway 1 processes the key negotiation response message, first verifying the signature and, after the signature check passes, decrypting the encrypted message; it then generates a key negotiation confirmation message, sends it to the terminal, and at the same time calculates the symmetric key. The terminal 2 processes the key negotiation confirmation message, verifies the symmetric key, completes the confirmation of the negotiation, and establishes an access protocol with the gateway 1. The key material here is a 32-bit random number used as the session key material of this negotiation, and must be generated afresh for each negotiation.
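The three-message negotiation described in the two preceding paragraphs (key negotiation message, response, confirmation), together with the gateway's check for a negotiated key still within its validity period, as an added simulation that is not the patent's own code. Assumptions not taken from the patent: HMAC-SHA256 stands in for the signature, a SHA-256 keystream under a per-terminal long-term secret stands in for the certificate-based encryption, and the header layout, message type values, key derivation function and negotiation period are invented for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Message types and header layout (16-byte terminal ID + 1-byte type) are assumptions for this example;
# the 4-byte (32-bit) key material and serial number follow the patent text.
MSG_KEY_NEG, MSG_KEY_RESP, MSG_KEY_CONFIRM = 4, 5, 6
HDR = struct.Struct("!16sB")
IV_LEN, TAG_LEN, MATERIAL_LEN = 16, 32, 4

def protect(longterm: bytes, tid: bytes, mtype: int, payload: bytes) -> bytes:
    """Encrypt then sign (stand-ins): SHA-256 keystream under a fresh IV, HMAC tag over header+IV+ciphertext."""
    if len(payload) > 32:
        raise ValueError("payload larger than one keystream block")
    iv = os.urandom(IV_LEN)
    keystream = hashlib.sha256(longterm + iv).digest()
    body = HDR.pack(tid, mtype) + iv + bytes(p ^ k for p, k in zip(payload, keystream))
    return body + hmac.new(longterm, body, hashlib.sha256).digest()

def unprotect(longterm: bytes, tid: bytes, mtype: int, msg: bytes) -> bytes:
    """Verify the signature first and only then decrypt, in the order the patent describes."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(longterm, body, hashlib.sha256).digest()):
        raise ValueError("signature check failed")
    hdr_tid, hdr_type = HDR.unpack_from(body)
    if hdr_tid != tid or hdr_type != mtype:
        raise ValueError("unexpected terminal ID or message type")
    iv, ct = body[HDR.size:HDR.size + IV_LEN], body[HDR.size + IV_LEN:]
    keystream = hashlib.sha256(longterm + iv).digest()
    return bytes(c ^ k for c, k in zip(ct, keystream))

def derive_key(gw_material: bytes, term_material: bytes, serial: bytes) -> bytes:
    """Both sides compute the symmetric key from the two key materials and the serial number (assumed KDF)."""
    return hashlib.sha256(b"session" + gw_material + term_material + serial).digest()

def confirm_tag(key: bytes, serial: bytes) -> bytes:
    """Carried in the confirmation message so the terminal can verify the gateway holds the same key."""
    return hmac.new(key, b"confirm" + serial, hashlib.sha256).digest()

@dataclass
class Gateway:
    longterm: Dict[bytes, bytes]   # terminal ID -> per-terminal long-term secret (stands in for the certificate)
    period: float = 3600.0         # key negotiation period in seconds (assumed value)
    sessions: Dict[bytes, Tuple[bytes, float]] = field(default_factory=dict)  # tid -> (symmetric key, expiry)
    pending: Dict[bytes, Tuple[bytes, bytes]] = field(default_factory=dict)   # tid -> (material, serial)

    def has_valid_key(self, tid: bytes, now: float) -> bool:
        """The gateway's check for a negotiated key with this terminal that is still within its validity period."""
        session = self.sessions.get(tid)
        return session is not None and now < session[1]

    def key_negotiation(self, tid: bytes) -> bytes:
        """Fresh key material and serial number for every negotiation, encrypted and signed into the message."""
        material, serial = os.urandom(MATERIAL_LEN), os.urandom(MATERIAL_LEN)
        self.pending[tid] = (material, serial)
        return protect(self.longterm[tid], tid, MSG_KEY_NEG, material + serial)

    def handle_response(self, tid: bytes, msg: bytes, now: float) -> bytes:
        """Verify and decrypt the terminal's response, compute the symmetric key, send the confirmation."""
        term_material = unprotect(self.longterm[tid], tid, MSG_KEY_RESP, msg)
        gw_material, serial = self.pending.pop(tid)
        key = derive_key(gw_material, term_material, serial)
        self.sessions[tid] = (key, now + self.period)
        return protect(self.longterm[tid], tid, MSG_KEY_CONFIRM, confirm_tag(key, serial))

@dataclass
class Terminal:
    tid: bytes
    longterm: bytes
    key: Optional[bytes] = None
    serial: bytes = b""

    def handle_key_negotiation(self, msg: bytes) -> bytes:
        """Verify and decrypt the gateway's message, contribute own material, compute the key, reply."""
        payload = unprotect(self.longterm, self.tid, MSG_KEY_NEG, msg)
        gw_material, self.serial = payload[:MATERIAL_LEN], payload[MATERIAL_LEN:]
        term_material = os.urandom(MATERIAL_LEN)
        self.key = derive_key(gw_material, term_material, self.serial)
        return protect(self.longterm, self.tid, MSG_KEY_RESP, term_material)

    def handle_confirmation(self, msg: bytes) -> bool:
        """Verify that the gateway derived the same symmetric key; only then is the access protocol established."""
        tag = unprotect(self.longterm, self.tid, MSG_KEY_CONFIRM, msg)
        return self.key is not None and hmac.compare_digest(tag, confirm_tag(self.key, self.serial))

def terminal_online(gw: Gateway, term: Terminal, now: float) -> bool:
    """One terminal online event: True if a negotiation ran, False if a valid key already existed."""
    if gw.has_valid_key(term.tid, now):
        return False
    response = term.handle_key_negotiation(gw.key_negotiation(term.tid))
    if not term.handle_confirmation(gw.handle_response(term.tid, response, now)):
        raise ValueError("symmetric key confirmation failed")
    return True
```

The example keeps the 32-bit key material and serial number the patent specifies, so the two contributions add at most 64 bits of entropy to the derived key; a deployed design would use longer material.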
In a preferred embodiment, as shown in Fig. 2, the terminal secure access system provided in the embodiment of the present invention further includes: after the terminal 2 establishes an access protocol with the gateway 1, the terminal 2 sends an uplink data message to the gateway 1; the gateway 1 receives the uplink data message, decrypts it and sends the decrypted uplink data message to the back-end communication service component 3; the back-end communication service component 3 receives the decrypted uplink data message and sends it to the server 4; the server 4 receives the decrypted uplink data message, generates a downlink data message according to it, and sends the downlink data message to the gateway 1 through the back-end communication service component 3; the gateway 1 receives the downlink data message, encrypts it and sends the encrypted downlink data message to the terminal 2; and the terminal 2 receives the encrypted downlink data message and decrypts it to obtain the downlink data message.
In a preferred embodiment, once the terminal 2 and the gateway 1 have completed key agreement and an access protocol has been established, the terminal 2 can communicate bidirectionally with the server 4. When the accessed terminal 2 is a connectionless-protocol terminal and sends an uplink data message to the gateway, the terminal first calls the SDK component to initiate the request; the SDK component encapsulates the uplink data according to the private protocol, obtains the symmetric key to encrypt the encapsulated uplink data message, and then sends the encapsulated and encrypted uplink data message.
In a preferred embodiment, the gateway 1 receiving the uplink data message, decrypting it, and sending the decrypted uplink data message to the back-end communication service component 3 specifically includes: after decrypting the uplink data message, the gateway 1 randomly selects one of its TCP connections with the back-end communication service component 3 and sends the uplink data message over it.
In a preferred embodiment, the back-end communication service component 3 receiving the decrypted uplink data message and sending it to the server 4 specifically includes: the back-end communication service component 3 receives the decrypted uplink data message, strips the private-protocol encapsulation, initiates a short connection to the server 4, and forwards the restored original uplink data message to the server 4.
In a preferred embodiment, the server 4 receiving the decrypted uplink data message, generating a downlink data message according to it, and sending the downlink data message to the gateway 1 through the back-end communication service component 3 specifically includes: after the server 4 sends the downlink data message to the back-end communication service component 3, the back-end communication service component 3 encapsulates the downlink data message according to the plaintext private protocol, randomly selects one of its TCP (transmission control protocol) connections with the gateway 1 to forward the encapsulated downlink data message, and disconnects the short connection once forwarding is finished.
In a preferred embodiment, the gateway 1 receiving the downlink data message, encrypting it, and sending the encrypted downlink data message to the terminal 2 specifically includes: the gateway 1 receives the downlink data message, parses it according to the private protocol, obtains the number of the terminal 2 from the private-protocol message header, looks up the corresponding symmetric key, encrypts the downlink data message, and sends the encrypted downlink data message to the terminal 2.
In a preferred embodiment, the terminal 2 receiving the encrypted downlink data message and decrypting it to obtain the downlink data message specifically includes: the terminal 2 receives the encrypted downlink data message and calls the SDK component, which decrypts the downlink data message, restores the original downlink data message and delivers it to the terminal 2.
In a preferred embodiment, as shown in Fig. 3, the terminal secure access system provided in the embodiment of the present invention further includes: the front-end communication service component 5 receives the uplink data message sent by the terminal 2 and sends it to the gateway 1; and the front-end communication service component 5 receives the encrypted downlink data message sent by the gateway 1 and sends it to the terminal 2.
In a preferred embodiment, the accessed terminal 2 may be a connection-oriented-protocol terminal. After such a terminal is accessed, it initiates a TCP connection to the front-end communication service component 5. When the terminal 2 communicates with the server 4, after the terminal 2 sends an encapsulated and encrypted uplink data message, the front-end communication service component 5 receives the uplink data message over its TCP connection with the terminal 2 and randomly selects one of its TCP connections with the gateway 1 to forward the uplink data message to the gateway 1; after receiving the encrypted and encapsulated downlink data message sent by the gateway 1, the front-end communication service component 5 selects its TCP connection with the terminal 2 to forward the downlink data message to the terminal 2.
The terminal secure access system provided by the embodiment of the invention can therefore also realize bidirectional communication between the terminal 2 and the server 4 after the terminal 2 establishes an access protocol with the gateway 1. When the terminal 2 is a connectionless-protocol terminal, the bidirectional communication between the terminal 2 and the server 4 is realized directly; when a connection-oriented-protocol terminal is accessed, deploying the front-end communication service component 5 solves the connection maintenance problem for it, which includes connection establishment and disconnection, heartbeat maintenance and bidirectional message forwarding, and provides a communication channel for the connection-oriented-protocol terminal.
An embodiment of the present invention further provides a terminal secure access method, as shown in fig. 4, the terminal secure access method includes:
Step 1: receiving an identity authentication and key negotiation request message sent by a terminal. Specifically, the gateway receives the identity authentication and key negotiation request message that the terminal sends by calling an SDK component; the message header carries the terminal ID and the data field is empty. The SDK component is responsible for calling the terminal-side security chip to complete the key negotiation process between the terminal and the gateway.
Step 2: judging whether a negotiated key within its validity period exists between the gateway and the terminal. Specifically, the gateway queries whether key negotiation with this terminal has been completed and the resulting key has not yet expired.
Step 3: when no negotiated key within its validity period exists between the gateway and the terminal, sending a get-terminal-basic-information message to the terminal according to the identity authentication and key negotiation request message. Specifically, the header of the get-terminal-basic-information message carries the terminal ID and the data field is empty.
Step 4: acquiring the terminal basic information message that the terminal feeds back in response to the get-terminal-basic-information message. Specifically, the header of the terminal basic information message carries the terminal ID and the data field contains the terminal certificate.
And 5: and sending a key negotiation message to the terminal according to the basic information message of the terminal, carrying out key negotiation session with the terminal, and establishing an access protocol with the terminal.
In a preferred embodiment, as shown in fig. 5, step 5 (sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing an access protocol with the terminal) includes:
step 51: receiving a key negotiation response message sent by the terminal according to the key negotiation message;
step 52: and sending a key negotiation confirmation message to the terminal according to the key negotiation response message, and establishing an access protocol with the terminal.
Specifically, in step 5 the gateway extracts the terminal certificate from the acquired terminal basic information and verifies the validity of the certificate. It then generates session key material and a serial number; both are 32-bit random numbers generated by the gateway, serve as the session key material and serial number of this negotiation, and are regenerated for every negotiation. The key material and serial number are encrypted, signed and packaged into the key negotiation message, which is sent to the terminal. The gateway then receives the key negotiation response message that the terminal feeds back in response to the key negotiation message and processes it: it first verifies the signature and, only if the signature passes, decrypts the encrypted content. It then generates a key negotiation confirmation message and sends it to the terminal, and at the same time calculates the symmetric key and establishes the access protocol with the terminal.
Through steps 1 to 5, the terminal security access method provided by this embodiment defines a terminal security access protocol oriented to connectionless authentication: the gateway completes key negotiation with the terminal by acquiring the terminal's basic information and so realizes the terminal online process. This process is not bound to any TCP connection, so terminal access can be realized over UDP, connectionless protocol terminals can be accessed, and protocol overhead is reduced. Likewise, the key negotiation between terminal and gateway is not bound to a TCP connection but only to the key negotiation period: within one period the terminal can go online repeatedly without renegotiating the key. The terminal therefore need not consider the overhead of connection establishment and is not forced to adopt a long-connection access mode; it can flexibly choose a connectionless or short-connection mode, and a small number of gateways can serve massive numbers of "Internet+" and Internet of Things terminals in short-message or short-connection mode.
An embodiment of the present invention further provides a terminal secure access method, as shown in fig. 6, the terminal secure access method includes:
Step S1: sending an identity authentication and key negotiation request message to the gateway. Specifically, the terminal calls the SDK component to send the identity authentication and key negotiation request message to the gateway; the message header carries the terminal ID and the data field is empty. The SDK component is responsible for calling the terminal-side security chip to complete the key negotiation process between the terminal and the gateway.
Step S2: receiving a get-terminal-basic-information message sent by the gateway. Specifically, when no access protocol exists between the terminal and the gateway, that is, when the terminal and the gateway have not completed key negotiation, the terminal receives the get-terminal-basic-information message sent by the gateway; the header of this message carries the terminal ID and the data field is empty.
Step S3: sending a terminal basic information message to the gateway according to the get-terminal-basic-information message. Specifically, the header of the terminal basic information message carries the terminal ID and the data field contains the terminal certificate.
Step S4: acquiring the key negotiation message that the gateway sends according to the terminal basic information message. Specifically, after acquiring the key negotiation message the terminal processes it: it first verifies the signature and, only if the signature passes, decrypts the encrypted content. The terminal then generates its own session key material, encrypts and signs it, packages it into a key negotiation response message, and calculates the symmetric key. This key material is a 32-bit random number used as session key material for this negotiation and is regenerated for every negotiation.
Step S5: carrying out a key negotiation session with the gateway according to the key negotiation message and establishing an access protocol with the gateway. Specifically, the terminal generates the key negotiation response message according to the key negotiation message, sends it to the gateway, confirms that the negotiation is complete according to the key negotiation confirmation message fed back by the gateway, and establishes the access protocol with the gateway.
Steps S1 to S5 are the terminal side of the same connectionless-authentication access protocol described after step 5 above: the online process and the key negotiation are bound to the key negotiation period rather than to any TCP connection, so within one period the terminal can go online repeatedly over UDP, in connectionless mode or over short connections without renegotiating the key, the terminal need not bear the overhead of connection establishment or a long-connection access mode, and a small number of gateways can serve massive numbers of "Internet+" and Internet of Things terminals in short-message or short-connection mode.
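The five-step exchange of steps 1 to 5 (gateway side) and S1 to S5 (terminal side) as an added, self-contained Python simulation; it is not the patent's code. HMAC-SHA256 over a SHA-256 keystream cipher stands in for the signature and encryption that the security chip performs, an opaque byte string registered in a gateway trust list stands in for the terminal certificate and its validation, the wire header layout and message-type names are assumed, and the gateway's reply to a repeated online request within the period (a confirmation carrying the existing serial number) is an assumption, since the page says only that renegotiation is skipped. What it shows beyond the text: the session is keyed by terminal ID rather than by a connection, a second online request inside the key negotiation period completes in two messages, an expired period triggers a full renegotiation, an unknown certificate stops the handshake at step 4, and a data message with a damaged signature is rejected on the data path.

```python
import hashlib, hmac, secrets, struct

AUTH_REQ, GET_INFO, INFO, NEG, NEG_RESP, NEG_CONFIRM, DATA = range(7)  # names assumed; the page numbers the steps only
HDR = struct.Struct("!B16sI")  # assumed header: 1-byte type, 16-byte zero-padded terminal ID, 4-byte serial number

def pack(mtype, tid, serial=0, data=b""):
    return HDR.pack(mtype, tid.ljust(16, b"\0"), serial) + data
def unpack(msg):
    mtype, tid, serial = HDR.unpack_from(msg)
    return mtype, tid.rstrip(b"\0"), serial, msg[HDR.size:]
# Stand-ins for the page's "encryption" and "signature": SHA-256 keystream XOR, then HMAC-SHA256 under
# the certificate key (encrypt-then-MAC). These are not the patent's algorithms or its security chip.
def keystream_xor(key, nonce, data):
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))
def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # signature check failed: the message is discarded
    return keystream_xor(key, nonce, ct)
def derive_session_key(gw_material, term_material, serial):
    return hashlib.sha256(b"session" + gw_material + term_material + serial.to_bytes(4, "big")).digest()

class Gateway:
    def __init__(self, trust_list, period_s):  # trust_list: tid -> (cert_key, cert), standing in for CA validation
        self.trust, self.period, self.sessions, self.pending = trust_list, period_s, {}, {}  # keyed by terminal ID
    def handle(self, msg, now):  # one datagram in, reply datagram out; None means the message was rejected
        mtype, tid, serial, data = unpack(msg)
        if mtype == AUTH_REQ:                                          # steps 1 to 3
            sess = self.sessions.get(tid)
            if sess and sess["expires"] > now:                         # valid key in this period: no renegotiation
                return pack(NEG_CONFIRM, tid, sess["serial"])          # (confirming with the old serial is assumed)
            return pack(GET_INFO, tid)
        if mtype == INFO and tid in self.trust:                        # step 4: data field carries the certificate
            cert_key, cert = self.trust[tid]
            if data != cert:
                return None
            gw_material, serial = secrets.token_bytes(4), secrets.randbits(32)  # 32-bit values, as on the page
            self.pending[tid] = (gw_material, serial)
            return pack(NEG, tid, serial, seal(cert_key, gw_material))  # step 5: fresh material, encrypted and signed
        if mtype == NEG_RESP and tid in self.pending:                  # step 51: verify signature, decrypt, derive
            gw_material, expected = self.pending.pop(tid)
            term_material = open_sealed(self.trust[tid][0], data)
            if serial != expected or term_material is None:
                return None
            key = derive_session_key(gw_material, term_material, serial)
            self.sessions[tid] = {"key": key, "serial": serial, "expires": now + self.period}
            return pack(NEG_CONFIRM, tid, serial)                      # step 52
    def decrypt_uplink(self, msg, now):  # data path: key looked up by terminal ID; serial must match the period
        mtype, tid, serial, data = unpack(msg)
        sess = self.sessions.get(tid)
        if mtype != DATA or not sess or sess["expires"] <= now or serial != sess["serial"]:
            return None
        return open_sealed(sess["key"], data)

class Terminal:
    def __init__(self, tid, cert_key, cert):  # cert_key and cert stand in for the security chip's credentials
        self.tid, self.cert_key, self.cert, self.key, self.serial = tid, cert_key, cert, None, None
    def go_online(self, gw, now):  # steps S1 to S5; returns (message types exchanged, success flag)
        trace, msg = [], pack(AUTH_REQ, self.tid)                      # S1: header only, data field empty
        while True:
            trace.append(unpack(msg)[0])
            reply = gw.handle(msg, now)
            if reply is None:
                return trace, False
            mtype, _, serial, data = unpack(reply)
            trace.append(mtype)
            if mtype == NEG_CONFIRM:                                   # S5: access protocol established
                self.serial = serial
                return trace, True
            if mtype == GET_INFO:                                      # S2/S3: answer with the certificate
                msg = pack(INFO, self.tid, 0, self.cert)
            else:                                                      # S4: verify, decrypt, add own material
                gw_material = open_sealed(self.cert_key, data)
                if gw_material is None:
                    return trace, False
                term_material = secrets.token_bytes(4)                 # 32-bit, as on the page
                self.key = derive_session_key(gw_material, term_material, serial)
                msg = pack(NEG_RESP, self.tid, serial, seal(self.cert_key, term_material))

def demo():
    tid, cert_key, cert = b"meter-0001", secrets.token_bytes(32), b"cert:meter-0001"  # constructed identity
    gw, term = Gateway({tid: (cert_key, cert)}, period_s=3600), Terminal(tid, cert_key, cert)
    first, ok1 = term.go_online(gw, now=1000)                 # full six-message handshake
    second, ok2 = term.go_online(gw, now=1500)                # same period: two messages, key reused
    uplink = pack(DATA, tid, term.serial, seal(term.key, b"reading=42"))
    plain = gw.decrypt_uplink(uplink, now=1600)
    rejected = gw.decrypt_uplink(uplink[:-1] + bytes([uplink[-1] ^ 1]), now=1600)  # one flipped tag bit
    third, ok3 = term.go_online(gw, now=1000 + 3600)          # period expired: renegotiate from scratch
    rogue, ok4 = Terminal(b"rogue", secrets.token_bytes(32), b"cert:rogue").go_online(gw, now=1600)
    return {"first": first, "second": second, "third": third, "rogue": rogue, "ok": (ok1, ok2, ok3, ok4), "plain": plain, "rejected": rejected}
```

The key material is kept at the page's 32 bits per side so that the flow matches the description; since the derived key is only as strong as the two random contributions, a deployment would want far more entropy per side. Checking the serial number on every data message is a design choice of this example, not something the page states: it ties each data message to the negotiation period in which its key was derived.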
An embodiment of the present invention further provides a terminal security access apparatus, as shown in fig. 7, the terminal security access apparatus includes:
a request message receiving module 11, configured to receive an identity authentication and key agreement request message sent by a terminal; see step 1 in the above examples for details.
A judgment key negotiation module 22, configured to judge whether a negotiated key within its validity period exists between the gateway and the terminal; see step 2 in the above embodiment for details.
A basic information sending module 33, configured to send a get-terminal-basic-information message to the terminal according to the identity authentication and key negotiation request message when it is judged that no negotiated key within its validity period exists between the gateway and the terminal; see step 3 in the above embodiment for details.
A basic information receiving module 44, configured to acquire the terminal basic information message fed back by the terminal in response to the get-terminal-basic-information message; see step 4 in the above embodiment for details.
The access module 55 is configured to send a key negotiation message to the terminal according to the terminal basic information message, perform a key negotiation session with the terminal, and establish an access protocol with the terminal, for details, see step 5 in the foregoing embodiment.
Modules 11 to 55 implement, on the gateway side, the connectionless-authentication access protocol described after step 5 above: because the online process and the key negotiation are bound to the key negotiation period rather than to any TCP connection, a terminal can go online repeatedly within one period over UDP, in connectionless mode or over short connections without renegotiating the key, it is not forced into a long-connection access mode, and a small number of gateways can serve massive numbers of "Internet+" and Internet of Things terminals in short-message or short-connection mode.
In a preferred embodiment, as shown in fig. 8, the access module 55 includes:
the response message receiving submodule 551 is used for receiving a key negotiation response message sent by the terminal according to the key negotiation message;
the confirming submodule 552 is configured to send a key agreement confirmation message to the terminal according to the key agreement response message, and establish an access protocol with the terminal.
The functional description of the terminal security access device provided by the embodiment of the invention refers to the description of the terminal security access method in the above embodiment in detail.
An embodiment of the present invention further provides a terminal security access apparatus, as shown in fig. 9, the terminal security access apparatus includes:
a request message sending module 6, configured to send an identity authentication and key agreement request message to the gateway; see step S1 in the above embodiment for details.
A terminal basic information receiving module 7, configured to receive a get-terminal-basic-information message sent by the gateway; see step S2 in the above embodiment for details.
A terminal basic information sending module 8, configured to send a terminal basic information message to the gateway according to the get-terminal-basic-information message; see step S3 in the above embodiment for details.
A negotiation message receiving module 9, configured to obtain a key negotiation message sent by the gateway according to the terminal basic information message; see step S4 in the above embodiment for details.
The terminal access module 10 is configured to perform a key agreement session with the gateway according to the key agreement message, and establish an access protocol with the gateway, for details, see step S5 in the foregoing embodiment.
Modules 6 to 10 implement, on the terminal side, the same connectionless-authentication access protocol described after step 5 above: because the online process and the key negotiation are bound to the key negotiation period rather than to any TCP connection, the terminal can go online repeatedly within one period over UDP, in connectionless mode or over short connections without renegotiating the key, it is not forced into a long-connection access mode, and a small number of gateways can serve massive numbers of "Internet+" and Internet of Things terminals in short-message or short-connection mode.
In a preferred embodiment, as shown in fig. 10, the terminal access module 10 includes:
the response message sending submodule 101 is configured to send a key negotiation response message to the gateway according to the key negotiation message;
a confirmation message receiving submodule 102, configured to receive a key negotiation confirmation message sent by a gateway;
and the terminal access sub-module 103 is used for establishing an access protocol with the gateway according to the key negotiation confirmation message.
The functional description of the terminal security access device provided by the embodiment of the invention refers to the description of the terminal security access method in the above embodiment in detail.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (7)

1. A terminal security access method facing connectionless authentication is characterized by comprising the following steps:
receiving an identity authentication and key agreement request message sent by a terminal;
judging, according to whether an access protocol has been established with the terminal, whether a negotiated key within its validity period exists between the gateway and the terminal;
when it is judged that no negotiated key within its validity period exists between the gateway and the terminal, sending a get-terminal-basic-information message to the terminal according to the identity authentication and key negotiation request message;
acquiring the terminal basic information message fed back by the terminal in response to the get-terminal-basic-information message;
sending a key negotiation message to the terminal according to the basic information message of the terminal, carrying out key negotiation session with the terminal, and establishing an access protocol with the terminal;
wherein sending a key negotiation message to the terminal according to the terminal basic information message, carrying out a key negotiation session with the terminal, and establishing an access protocol with the terminal comprises:
receiving a key negotiation response message sent by the terminal according to the key negotiation message;
and sending a key negotiation confirmation message to the terminal according to the key negotiation response message, and establishing an access protocol with the terminal.
2. A terminal security access method facing connectionless authentication is characterized by comprising the following steps:
sending an identity authentication and key agreement request message to a gateway;
when key negotiation with the gateway has not been completed under an access protocol, receiving a get-terminal-basic-information message sent by the gateway;
sending a terminal basic information message to the gateway according to the get-terminal-basic-information message;
acquiring a key negotiation message sent by the gateway according to the terminal basic information message;
carrying out key negotiation session with the gateway according to the key negotiation message, and establishing an access protocol with the gateway;
wherein carrying out a key negotiation session with the gateway according to the key negotiation message and establishing an access protocol with the gateway comprises:
sending a key negotiation response message to the gateway according to the key negotiation message;
receiving a key negotiation confirmation message fed back by the gateway;
and establishing an access protocol with the gateway according to the key negotiation confirmation message.
3. A terminal security access device facing connectionless authentication is characterized by comprising:
the request message receiving module is used for receiving an identity authentication and key agreement request message sent by a terminal;
a judgment key negotiation module, configured to judge, according to whether an access protocol has been established with the terminal, whether a negotiated key within its validity period exists between the gateway and the terminal;
a basic information sending module, configured to send a get-terminal-basic-information message to the terminal according to the identity authentication and key negotiation request message when it is judged that no negotiated key within its validity period exists with the terminal;
a basic information receiving module, configured to acquire the terminal basic information message fed back by the terminal in response to the get-terminal-basic-information message;
the access module is used for sending a key negotiation message to the terminal according to the basic information message of the terminal, carrying out key negotiation session with the terminal and establishing an access protocol with the terminal;
wherein the access module comprises:
a response message receiving submodule, configured to receive a key negotiation response message sent by the terminal according to the key negotiation message;
and the confirmation submodule is used for sending a key negotiation confirmation message to the terminal according to the key negotiation response message and establishing an access protocol with the terminal.
4. A terminal security access device facing connectionless authentication is characterized by comprising:
a request message sending module, configured to send an identity authentication and key agreement request message to the gateway;
a terminal basic information receiving module, configured to receive a get-terminal-basic-information message sent by the gateway when key negotiation with the gateway has not been completed under an access protocol;
a terminal basic information sending module, configured to send a terminal basic information message to the gateway according to the get-terminal-basic-information message;
a negotiation message receiving module, configured to obtain a key negotiation message sent by the gateway according to the terminal basic information message;
the terminal access module is used for carrying out key negotiation session with the gateway according to the key negotiation message and establishing an access protocol with the gateway;
wherein the terminal access module comprises:
a response message sending submodule, configured to send a key negotiation response message to the gateway according to the key negotiation message;
a confirmation message receiving submodule, configured to receive a key agreement confirmation message sent by the gateway;
and the terminal access submodule is used for establishing an access protocol with the gateway according to the key negotiation confirmation message.
5. A terminal security access system oriented to connectionless authentication, characterized by comprising a terminal and a gateway, wherein:
the terminal sends an identity authentication and key agreement request message to the gateway, and the gateway receives the identity authentication and key agreement request message;
the gateway judges whether to complete key negotiation with the terminal according to whether to establish an access protocol with the terminal;
when the gateway judges that the key agreement with the terminal is not completed, sending a message for acquiring basic terminal information to the terminal according to the identity authentication and key agreement request message;
the terminal receives the get-terminal-basic-information message sent by the gateway and sends a terminal basic information message to the gateway according to it;
the gateway acquires the basic information message of the terminal and sends a key negotiation message to the terminal according to the basic information message of the terminal;
the terminal sends a key negotiation response message to the gateway according to the key negotiation message;
the gateway receives the key negotiation response message and sends a key negotiation confirmation message to the terminal according to the key negotiation response message;
and the terminal receives the key negotiation confirmation message fed back by the gateway and establishes an access protocol with the gateway according to the key negotiation confirmation message.
6. The connectionless-authentication-oriented terminal security access system according to claim 5, further comprising a rear communication service component and a server, wherein:
after the terminal establishes an access protocol with the gateway, the terminal sends an uplink data message to the gateway;
the gateway receives the uplink data message, decrypts the uplink data message and sends the decrypted uplink data message to the post-communication service component;
the rear communication service component receives the decrypted uplink data message and sends it to the server;
the server receives the decrypted uplink data message, generates a downlink data message according to it, and sends the downlink data message to the gateway through the rear communication service component;
the gateway receives the downlink data message, encrypts the downlink data message and then sends the encrypted downlink data message to the terminal;
and the terminal receives the encrypted downlink data message, decrypts the downlink data message and acquires the downlink data message.
7. The connectionless-authentication-oriented terminal security access system according to claim 6, further comprising a front-end communication service component, wherein:
the front-end communication service component receives an uplink data message sent by the terminal and sends it to the gateway;
and the front-end communication service component receives the encrypted downlink data message sent by the gateway and sends it to the terminal.
Application CN201811274285.2A (priority date 2018-10-29, filing date 2018-10-29): Terminal secure access method, device and system. Legal status: Active.

Publications (2)

Publication Number Publication Date
CN109120405A (en) 2019-01-01
CN109120405B (en) 2021-11-09

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant