CN110784322B - Method, system, equipment and medium for connecting gateway equipment and cloud platform - Google Patents


Info

Publication number: CN110784322B
Authority: CN (China)
Prior art keywords: key; session; cloud platform; function library; public key
Legal status: Active
Application number: CN201911090514.XA
Other languages: Chinese (zh)
Other versions: CN110784322A (en)
Inventors: 贾槐真, 宋昌健
Current assignee: Jinmao Green Building Technology Co Ltd
Original assignee: Jinmao Green Building Technology Co Ltd
Application filed by Jinmao Green Building Technology Co Ltd
Priority to CN201911090514.XA
Publication of CN110784322A
Application granted
Publication of CN110784322B
Current legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method and a system for connecting a gateway device to a cloud platform, an electronic device and a storage medium. The method comprises the following steps: the cloud platform initializes a public key defining a communication key; after receiving the public key, the security server generates the private key of the communication key, and the function library verifies the signature of the public key certificate by using the public key sent by the cloud platform; if the signature verifies correctly, the function library generates a session key and a synchronous session instruction; the function library encrypts the session key and the synchronous session instruction with the public key and sends them to the security server; and the security server receives the encrypted session key and synchronous session instruction and establishes the first secure communication connection between the cloud platform and the gateway device. Under this scheme the communication data is doubly encrypted, and the session key, the public key and the private key are stored in the function library of the security server and in the function library of the terminal, so that the security of the communication data is ensured, the gateway device cannot be controlled by unauthorized persons, and user data cannot leak and cause serious loss.

Description

Method, system, equipment and medium for connecting gateway equipment and cloud platform
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and a system for connecting a gateway device to a cloud platform, an electronic device, and a storage medium.
Background
In the current era of big data, smart home systems are applied ever more widely and bring intelligent living to users. Today's intelligent devices are more powerful and more convenient and quick to use, and smart home systems, beyond ordinary households, can in the foreseeable future also be widely applied in scenes such as large shopping malls and office buildings.
A gateway device is generally arranged in an existing smart home system to manage the intelligent devices in the system in a unified way, provide services, and so on.
At present, most communication data between the gateway device and the cloud platform is protected by no special encryption technology, or only by a weak one, so it is easily captured and decrypted in transit. The gateway device can then be operated by unauthorized persons, and since the gateway device may store data related to the user, user data may leak and cause the user serious loss.
Disclosure of Invention
The invention provides a method, a system, an electronic device and a storage medium for connecting a gateway device to a cloud platform, which address the above problems.
In order to solve the above technical problem, an embodiment of the present invention provides a method for connecting a gateway device and a cloud platform, which is applied to a secure communication system, where the secure communication system includes: the system comprises gateway equipment, a cloud platform and a security server; a function library is embedded in the gateway equipment; the method comprises the following steps:
the cloud platform initializes a public key defining a communication key and sends the public key to the function library and the security server;
after receiving the public key, the security server generates a private key of the communication key and sends the private key and a public key certificate to the gateway equipment;
the gateway equipment sends the public key certificate to the function library;
the function library verifies the signature of the public key certificate by using the public key sent by the cloud platform;
under the condition that the signature verification result is that the signature verification is correct, the function library generates a session key and a synchronous session instruction;
the function library encrypts the session key and the synchronous session command by using the public key and sends the encrypted session key and the synchronous session command to the security server;
and the security server receives the encrypted session key and the synchronous session command sent by the function library and establishes first secure communication connection between the cloud platform and the gateway equipment.
Optionally, the receiving, by the security server, the encrypted session key and the synchronous session instruction sent by the function library, and establishing a first secure communication connection between the cloud platform and the gateway device includes:
the security server receives the encrypted session key and the synchronous session command sent by the function library and decrypts the encrypted session key and the synchronous session command;
and under the condition that the security server successfully decrypts the encrypted session key and the synchronous session instruction sent by the function library, the security server establishes first secure communication connection between the cloud platform and the gateway equipment according to the synchronous session instruction.
Optionally, after establishing the first secure communication connection between the cloud platform and the gateway device, the method further includes:
and the gateway equipment sends an authentication request to the security server, wherein the authentication request is used for the security server to carry out authentication operation so as to establish security connection between the cloud platform and the gateway equipment again.
Optionally, the gateway device sending the authentication request to the security server, and the security server performing the authentication operation on it, includes:
the security server receives the authentication request sent by the gateway equipment and generates challenge information;
the security server double-encrypts the challenge information by using the session key and the public key, and sends the double-encrypted challenge information to the gateway device;
the gateway equipment receives the challenge information after double encryption and sends the challenge information and the local stored private key to the function library;
the function library decrypts the double-encrypted challenge information by using the session key and the private key, signs the challenge information, double-encrypts the signed challenge information again by using the session key and the private key, and returns it to the gateway device;
the gateway equipment sends the signed challenge information subjected to double encryption to the security server;
the security server decrypts the signed challenge information after the double encryption by using the session key and the public key, performs authentication operation and returns an authentication result;
and under the condition that the authentication result is correct, establishing second secure communication connection between the cloud platform and the gateway equipment so that the cloud platform and the gateway equipment establish secure connection again by using the session key, the public key and the private key to perform subsequent data secure interaction.
Optionally, the session key is time-limited, and when the time limit of the session key expires, the secure connection between the cloud platform and the gateway device is automatically interrupted, and the cloud platform and the gateway device re-execute any one of the above methods to achieve secure connection therebetween.
The embodiment of the invention also provides a system for connecting the gateway equipment and the cloud platform, which comprises: the system comprises gateway equipment, a cloud platform and a security server; a function library is embedded in the gateway equipment;
the cloud platform includes: initializing a public key module;
the initialization public key module is used for initializing a public key defining a communication secret key and sending the public key to the function library and the security server;
the security server includes: a private key generation module and a decryption establishment module;
the private key generation module is used for generating a private key of a communication key after receiving the public key and sending the private key and a public key certificate to the gateway equipment;
the decryption establishing module is used for receiving the encrypted session key and the synchronous session command sent by the function library and establishing first secure communication connection between the cloud platform and the gateway equipment;
the gateway apparatus includes: the system comprises a public key certificate sending module, a signature verification module, a session key generation and synchronization instruction module, and an encrypted session key and synchronization instruction module;
a public key certificate sending module, configured to send the public key certificate to the function library;
the signature verification module is used for verifying the signature of the public key certificate by using the public key sent by the cloud platform through the function library;
the session key generation and synchronization instruction module is used for generating a session key and a synchronization instruction through the function library under the condition that the signature verification result is correct;
and the encryption session key and synchronous session instruction module is used for encrypting the session key and the synchronous session instruction by using the public key through the function library and sending the encrypted session key and the synchronous session instruction to the security server.
Optionally, the decryption establishing module includes:
the decryption submodule is used for receiving the encrypted session key and the synchronous session instruction sent by the function library and decrypting the encrypted session key and the synchronous session instruction;
and the establishing submodule is used for establishing the first-time secure communication connection between the cloud platform and the gateway equipment according to the synchronous session instruction by the security server under the condition of successfully decrypting the encrypted session key and the synchronous session instruction which are sent by the function library.
Optionally, the security server further comprises: the device comprises a challenge information generating module, a double encryption module, a decryption authentication module and a connection establishing module;
a challenge information generation module, configured to receive the authentication request sent by the gateway device, and generate challenge information;
the double encryption module is used for carrying out double encryption on the challenge information by utilizing the session key and the public key and sending the challenge information subjected to double encryption to the gateway equipment;
the decryption authentication module is used for decrypting the challenge information after the double encryption by using the session key and the public key, performing authentication operation and returning an authentication result;
the connection establishing module is used for establishing second secure communication connection between the cloud platform and the gateway equipment under the condition that the authentication result is correct, so that the cloud platform and the gateway equipment establish secure connection again by using the session key, the public key and the private key to perform subsequent data secure interaction;
the gateway device further includes: a double-encrypted challenge information receiving module, a decryption and signing module and a double-encrypted signature sending module, which interact with the double encryption module of the security server;
the double-encrypted challenge information receiving module is used for receiving the double-encrypted challenge information and sending it, together with the locally stored private key, to the function library;
the decryption and signing module is used for decrypting the double-encrypted challenge information through the function library by using the session key and the private key, signing the challenge information, double-encrypting the signed challenge information again by using the session key and the private key, and returning it to the gateway device;
and the double-encrypted signature sending module is used for sending the double-encrypted signed challenge information to the security server.
Embodiments of the present invention also provide a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the steps of the method according to the present invention.
An embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and running on the processor, and when the processor executes the computer program, the electronic device implements the steps in the above-described method of the present invention.
In the method for connecting the gateway device to the cloud platform, a function library implementing the encryption and decryption technology for communication is embedded on the terminal side, and a security server is dedicated to encrypting and decrypting the communication of the cloud platform; that is, the security server is the function library of the cloud platform. The cloud platform initializes a public key defining the communication key and sends the public key to the function library and the security server; after receiving the public key, the security server generates the private key of the communication key and sends the private key and a public key certificate to the gateway device; the gateway device sends the public key certificate to the function library; the function library verifies the signature of the public key certificate by using the public key sent by the cloud platform; if the signature verifies correctly, the function library generates a session key and a synchronous session instruction; the function library encrypts the session key and the synchronous session instruction with the public key and sends them to the security server; and the security server receives the encrypted session key and synchronous session instruction sent by the function library and establishes the first secure communication connection between the cloud platform and the gateway device. This ensures that both the gateway device and the security server possess the public and private keys of the communication key as well as the session key.
In this way the cloud platform and the gateway device are connected safely and reliably for the first time, and subsequent data interaction between them is based on the session key and on the public and private keys of the communication key, which guarantees the security of their communication. Even if data is captured in transit, none of the keys can be recovered, because each key was stored in the function library and in the security server at initialization; the security of the communication data is thus guaranteed, the gateway device cannot be controlled by unauthorized persons, and user data cannot leak and cause serious loss.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
Fig. 1 is a flowchart of a method for connecting a gateway device to a cloud platform according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for performing an authentication operation between a function library of a gateway device and a security server according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a system for secure communication connection according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The inventor finds that data interaction between the gateway device and the cloud platform carries a high risk of communication data being stolen in transit. Some data communication between the gateway device and the cloud platform uses weak encryption, and some uses none at all, so when the gateway device exchanges communication data with the cloud platform the data is easily captured; in addition, the data itself is not well protected and is easily cracked, so the gateway device can be operated by an unauthorized person, and since the gateway device may store data related to the user, user data may leak and cause the user serious loss.
To address these problems, the inventor, after intensive research, embeds a function library implementing the encryption and decryption technology for communication on the gateway device side and uses a security server dedicated to encrypting and decrypting the communication of the cloud platform. This ensures the uniqueness and correctness of the gateway device and the cloud platform when they are initialized, and also ensures that the session keys held by the function library of the gateway device and by the security server are correct and consistent, so that a secure and reliable connection is established. The embodiments of the present invention are explained and illustrated in detail below.
Fig. 1 is a flowchart illustrating a method for connecting a gateway device to a cloud platform according to an embodiment of the present invention, where the method is applied to a secure communication system, and the secure communication system includes: the system comprises gateway equipment, a cloud platform and a security server; a function library is embedded in the gateway equipment; the method for connecting the gateway equipment with the cloud platform comprises the following steps:
step 101: the cloud platform initializes a public key defining a communication key and sends the public key to the function library and the security server.
In the embodiment of the invention, the cloud platform is a network platform built by the manufacturer of the intelligent devices. A service server is generally used to support the cloud platform, that is, all operable functions of the cloud platform are carried out by the service server. The invention differs from the current practice, in which the service server alone carries out all operations of the cloud platform, by separating service data operation and processing from the secure encryption of service data: the service server is only responsible for processing the various service data operation tasks, while the function library required for the secure encryption and decryption of service data, and the encryption and decryption themselves, are carried out independently by the security server, which greatly improves the security of the communication data. The gateway device is the intelligent device in a smart home that exchanges data with the cloud platform; when a user uses a smart home system produced by a single manufacturer, there is generally only one gateway device in the whole system, and it is responsible for managing all other devices in the system.
The gateway device is embedded with a function library that is mainly used to encrypt and decrypt communication data and to provide the instruction codes for managing and controlling the smart home system.
When the cloud platform is initialized, namely when the service server is initialized, the service server defines a public key of the communication key and sends the public key to the function library of the gateway device and the security server.
In addition, it should be noted that, since the function library is embedded, any data received or sent by the function library needs to be transparently transmitted by the terminal embedded with the function library, all operations related to data reception or sending by the function library in the description of the present invention include operations related to data transparently transmitted by the gateway device embedded with the function library, and similarly, any data received or sent by the security server also needs to be transparently transmitted by the service server, and for the sake of brevity of the description, it is not separately described.
Step 102: and after receiving the public key, the security server generates a private key of the communication key and sends the private key and the public key certificate to the gateway equipment.
In the embodiment of the invention, after the security server receives the public key, the private key of the communication key is generated, so that the public key and the private key of the communication key in an asymmetric encryption mode are generated during data communication between the gateway equipment and the service server, and then the security server sends the private key and the public key certificate to the gateway equipment.
Step 103: the gateway device sends the public key certificate to the function library.
In the embodiment of the invention, after receiving the private key and the public key certificate sent by the security server, the gateway equipment transmits the public key certificate to the function library embedded in the gateway equipment.
Step 104: and the function library checks the public key certificate by using the public key sent by the cloud platform.
In the embodiment of the invention, after the function library receives the public key certificate transparently transmitted by the gateway device, it verifies the signature of that certificate by using the public key sent by the cloud platform, which ensures the correctness and uniqueness of the public key.
Step 105: and under the condition that the signature verification result is that the signature verification is correct, the function library generates a session key and a synchronous session instruction.
In the embodiment of the invention, after the function library has verified the signature of the public key certificate by using the public key sent by the cloud platform, it generates the session key and the synchronous session instruction if the verification result is correct; if the verification result is incorrect, the preceding four steps must be repeated until the verification result is correct.
Step 106: and the function library encrypts the session key and the synchronous session command by using the public key and sends the encrypted session key and the synchronous session command to the security server.
In the embodiment of the invention, after the function library generates the session key and the synchronous session command, the function library encrypts the session key and the synchronous session command by using the public key and sends the encrypted session key and the synchronous session command to the security server.
Step 107: and the security server receives the encrypted session key and the synchronous session command sent by the function library and establishes first secure communication connection between the cloud platform and the gateway equipment.
In the embodiment of the invention, after the security server receives the encrypted synchronous session command and the session key sent by the function library, the security server needs to decrypt by using the private key of the security server, and under the condition that the synchronous session command and the session key are obtained through successful decryption, the first secure communication connection between the cloud platform and the gateway equipment is established, so that the correctness and consistency of the session key, the public key of the communication key and the private key owned by the function library of the security server and the gateway equipment are ensured.
Optionally, step 107 specifically includes:
Step s1: the security server receives the encrypted session key and synchronous session instruction sent by the function library and decrypts them.
In the embodiment of the invention, after receiving the encrypted session key and synchronous session instruction from the function library, the security server first decrypts them with its own private key; a successful decryption shows that the public key has not been tampered with.
Step s2: if the security server successfully decrypts the encrypted session key and synchronous session instruction sent by the function library, it establishes the first secure communication connection between the cloud platform and the gateway device according to the synchronous session instruction.
In the embodiment of the invention, when the security server successfully decrypts the encrypted session key and synchronous session instruction sent by the function library, which means the public key has not been tampered with, it returns a decryption-success message to the service server. On receiving this message, the service server establishes the first secure communication connection between itself and the gateway device according to the synchronous session instruction, that is, the first secure communication connection between the cloud platform and the gateway device. From then on, communication data between the cloud platform and the gateway device can be encrypted and decrypted with the session key and the public and private keys of the communication key, which achieves the purpose of a secure communication connection between the cloud platform and the gateway device.
The session key is a symmetric key, whose advantages include fast computation, high efficiency and a small resource footprint. The public key and private key of the communication key are an asymmetric key pair; its advantage is that the loss of either of the two keys, each stored by one party, does not by itself cause information leakage, while its drawbacks are lower efficiency and a larger resource footprint. In addition, the session key and the public and private keys of the communication key are all stored in the function libraries of the security server and the gateway device, so even if communication data is captured and stolen it cannot be decrypted or cracked. The communication data between the cloud platform and the gateway device is therefore safe and reliable, the gateway device cannot be controlled by unauthorized persons, user data cannot be leaked, and the security of the user's private data is ensured.
It should be noted that the session key in the embodiment of the present invention essentially refers to a session key index. Whether on the function library or on the security server, the session keys generated by the various built-in functions and algorithms are stored inside the respective function libraries and never leave them; the session key index, which is itself produced by a series of algorithms, tells the function library performing encryption or decryption which session key to use.
For example: the function library uses a session key generated by an H function and an E algorithm, and the index corresponding to this session key is No. 6. The function library encrypts the communication data to be sent with that session key and sends the encrypted data together with session index No. 6 to the security server. On receiving the encrypted data and the index, the security server first uses session key index No. 6 to find the corresponding H function and E algorithm that can decrypt the data, and then decrypts it. The purpose is to improve the security of the communication data: if it is captured by an unauthorized person, that person possesses neither the H function nor the E algorithm of the function library and does not know which algorithm No. 6 stands for, so the captured data cannot be cracked.
Optionally, after the function library of the gateway device and the security server both hold the public key and private key of the communication key and the session key, the security server is further required to perform an authentication operation, in order to confirm that both sides indeed hold these keys and that the public key, the private key of the communication key and the session key all correspond correctly and uniquely. Referring to fig. 2, the specific steps are as follows:
Step 201: the security server receives an authentication request sent by the gateway device and generates challenge information;
In the embodiment of the invention, once the gateway device and the security server both hold the public key and private key of the communication key and the session key, the gateway device sends an authentication request to the security server, which receives it and generates the challenge information. The authentication request is what triggers the security server's authentication operation; the challenge information carries no specific operational content and is merely plaintext generated for the purpose of the authentication. When the security server's authentication operation finishes and returns a result of authentication correct, the cloud platform and the gateway device are considered to have truly completed establishment of the secure communication connection, that is, the secure communication connection between them is established again. Establishing the connection "again" here means that, on the basis of the first secure communication connection, the correctness and uniqueness of the public key and private key of the communication key and of the session key are verified once more to realize the secure communication connection; the second establishment does not interrupt the first communication connection between the gateway device and the cloud platform.
Step 202: the security server doubly encrypts the challenge information with the session key and the public key and sends the doubly encrypted challenge information to the gateway device;
In the embodiment of the invention, after generating the challenge information, the security server doubly encrypts it with the session key and the public key and then sends the doubly encrypted challenge information to the gateway device.
Step 203: the gateway device receives the doubly encrypted challenge information and passes it, together with the locally stored private key, to the function library;
Step 204: the function library decrypts the doubly encrypted challenge information with the session key and the private key, signs the challenge information, doubly encrypts the signed challenge information with the session key and the private key, and returns it to the gateway device;
In the embodiment of the invention, the gateway device receives the doubly encrypted challenge information sent by the security server and passes it, together with the private key stored locally on the gateway device, to the function library. The function library decrypts the doubly encrypted challenge information with the session key and private key it already holds to obtain the plaintext challenge information, signs that plaintext, doubly encrypts the signed challenge information with the session key and the private key, and returns it to the gateway device.
If the function library cannot decrypt the doubly encrypted challenge information with the session key and private key it holds, this indicates that the public key and private key of the communication key held by the gateway device and the security server have been stolen or tampered with, that the session key has been stolen or tampered with, or that some step of establishing the secure communication connection between the gateway device and the cloud platform has gone wrong; in that case steps 101 to 204 are executed again.
Step 205: the gateway device sends the signed and doubly encrypted challenge information to the security server.
Step 206: the security server decrypts the signed and doubly encrypted challenge information with the session key and the public key, performs the authentication operation, and returns an authentication result.
In the embodiment of the invention, the gateway device receives from the function library the challenge information that the function library has signed and doubly encrypted, and forwards it to the security server. The security server receives it, decrypts it with the session key and its public key to obtain the plaintext challenge information signed by the function library, performs the authentication operation, and returns the authentication result to the service server.
Step 207: if the authentication result is correct, the second secure communication connection between the cloud platform and the gateway device is established, so that the cloud platform and the gateway device again establish a secure connection using the session key, the public key and the private key for subsequent secure data interaction.
In the embodiment of the invention, the service server receives the authentication result returned by the security server and, if the result is correct, establishes the second secure communication connection with the gateway device; that is, the gateway device and the cloud platform again establish a secure connection with the session key and the public and private keys of the communication key for subsequent secure exchange of communication data.
If the authentication result returned by the security server to the service server is an authentication error, the process starts again from step 101 through step 207.
It can be understood that the gateway device's return of the challenge information and the authentication performed by the security server amount to verifying whether the cloud platform and the gateway device have correctly established the second secure communication connection; thereafter all communication data between the cloud platform and the gateway device is exchanged securely in doubly encrypted form.
Optionally, in this embodiment of the present invention, to further improve the security of the communication data between the cloud platform and the gateway device, the session key is given a time limit; when the time limit expires, the secure connection between the cloud platform and the gateway device is interrupted automatically. If the time limit of the session key is 875 seconds, for example, then 875 seconds after the cloud platform establishes the first secure communication connection with the gateway device the secure connection is interrupted automatically, and the cloud platform and the gateway device must re-execute steps 101 to 207 to re-establish the secure connection.
In summary, the overall scheme of the invention is as follows. A function library used for encrypting and decrypting communication data is embedded in the gateway device, and a dedicated security server provides encryption and decryption services for the cloud platform. First, when the cloud platform is initialized, it defines the public key of a communication key and sends this public key to the function library of the gateway device and to the security server. After receiving the public key, the security server generates the private key of the communication key and then sends the private key and a public key certificate to the gateway device.
After receiving the private key and the public key certificate from the security server, the gateway device passes the public key certificate through to the function library embedded in it. The function library verifies the signature of the public key certificate with the public key previously sent by the cloud platform. If the signature verification is correct, the function library generates a session key and a synchronous session instruction, encrypts them with the public key and sends the encrypted session key and synchronous session instruction to the security server. After receiving them, the security server decrypts them with its own private key, and if decryption succeeds and yields the synchronous session instruction and the session key, the first secure communication connection between the cloud platform and the gateway device is established.
Once the gateway device and the security server both hold the public and private keys of the communication key and the session key, the gateway device sends an authentication request to the security server. The security server receives the request and generates challenge information, doubly encrypts it with the session key and the public key, and sends the doubly encrypted challenge information to the gateway device. The gateway device receives it and passes it, together with the private key stored locally, to the function library. The function library decrypts the doubly encrypted challenge information with the session key and private key it holds to obtain the plaintext challenge information, signs that plaintext, doubly encrypts the signed challenge information with the session key and the private key, and returns it to the gateway device.
The gateway device receives the signed and doubly encrypted challenge information from the function library and sends it to the security server. The security server receives it, decrypts it with the session key and its public key to obtain the plaintext challenge information signed by the function library, performs the authentication operation and returns the authentication result to the service server. The service server receives the authentication result and, if it is correct, establishes the second secure communication connection with the gateway device; that is, the gateway device and the cloud platform again establish a secure connection with the session key and the public and private keys of the communication key for subsequent secure exchange of communication data.
With this scheme, communication data exchanged between the gateway device and the cloud platform is doubly encrypted, which greatly improves security. The session key and the public and private keys of the communication key are stored in the security server and in the function library of the gateway device, so even if data is captured during transmission it cannot be decrypted, because those keys reside only in the function library of the gateway device and in the security server. The security of the communication data is thus guaranteed, the gateway device cannot be controlled by unauthorized persons, and user data cannot be leaked.
Referring to fig. 3, a schematic diagram of a secure communication connection system according to an embodiment of the present invention is shown. The system includes a gateway device, a cloud platform and a security server; a function library is embedded in the gateway device.
The cloud platform includes an initialization public key module. The security server includes a private key generation module, a decryption establishment module, a challenge information generation module, a double encryption module, a decryption authentication module and a connection establishment module. The gateway device includes a public key certificate sending module, a signature verification module, a session key and synchronous session instruction generation module, a session key and synchronous session instruction encryption module, a double encryption challenge information receiving module, a decryption signing module and a double encryption signature sending module;
the initialization public key module is used for initializing a public key defining a communication secret key and sending the public key to the function library and the security server;
the private key generation module is used for generating a private key of a communication key after receiving the public key and sending the private key and a public key certificate to the gateway equipment;
the decryption establishing module is used for receiving the encrypted session key and the synchronous session command sent by the function library and establishing first secure communication connection between the cloud platform and the gateway equipment;
the challenge information generating module is used for receiving the authentication request sent by the gateway equipment and generating challenge information;
the double encryption module is used for carrying out double encryption on the challenge information by utilizing the session key and the public key and sending the challenge information subjected to double encryption to the gateway equipment;
the decryption authentication module is used for decrypting the signed challenge information subjected to the double encryption by using the session key and the public key, performing authentication operation and returning an authentication result;
the connection establishing module is used for establishing secondary secure communication connection between the cloud platform and the gateway equipment under the condition that the authentication result is correct, so that the cloud platform and the gateway equipment establish secure connection again by using the session key, the public key and the private key to perform subsequent data secure interaction;
the public key certificate sending module is used for sending the public key certificate to the function library;
the signature verification module is used for verifying, through the function library, the signature of the public key certificate with the public key sent by the cloud platform;
the session key and synchronous session instruction generation module is used for generating, through the function library, a session key and a synchronous session instruction when the signature verification result is correct;
the session key and synchronous session instruction encryption module is used for encrypting, through the function library, the session key and the synchronous session instruction with the public key and sending the encrypted session key and synchronous session instruction to the security server;
the double encryption challenge information receiving module is used for receiving the doubly encrypted challenge information and passing it, together with the locally stored private key, to the function library;
the decryption signing module is used for signing the challenge information after decrypting the challenge information subjected to double encryption by using the session key and the private key through the function library, and returning the signed challenge information to the gateway equipment after double encryption by using the session key and the private key;
and the double encryption signature sending module is used for sending the signed challenge information subjected to double encryption to the security server.
Optionally, the decryption establishing module includes:
the decryption submodule is used for receiving the encrypted session key and the synchronous session instruction sent by the function library and decrypting the encrypted session key and the synchronous session instruction;
and the establishing submodule is used for establishing the first-time secure communication connection between the cloud platform and the gateway equipment according to the synchronous session instruction by the security server under the condition of successfully decrypting the encrypted session key and the synchronous session instruction which are sent by the function library.
Through this embodiment, when the gateway device and the cloud platform are in use, the communication data between them is doubly encrypted with the public key and private key of the communication key on top of the session key encryption, and the session key and the public and private keys of the communication key are stored in the function libraries of the security server and the gateway device. Even if data is captured during transmission it therefore cannot be decrypted, because the keys needed to do so reside only in those function libraries. The security of the communication data is ensured, the gateway device cannot be controlled by unauthorized persons, user data cannot be leaked, and no serious loss results.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, herein, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (8)

1. A method for connecting a gateway device with a cloud platform is applied to a secure communication system, and the secure communication system comprises: the system comprises gateway equipment, a cloud platform and a security server; a function library is embedded in the gateway equipment; the method comprises the following steps:
the cloud platform initializes a public key defining a communication key and sends the public key to the function library and the security server;
after receiving the public key, the security server generates a private key of the communication key and sends the private key and a public key certificate to the gateway equipment;
the gateway equipment sends the public key certificate to the function library;
the function library checks and signs the public key certificate by using the public key sent by the cloud platform;
under the condition that the signature verification result is that the signature verification is correct, the function library generates a session key and a synchronous session instruction;
the function library encrypts the session key and the synchronous session command by using the public key and sends the encrypted session key and the synchronous session command to the security server;
the security server receives the encrypted session key and the synchronous session command sent by the function library, and decrypts the encrypted session key and the synchronous session command sent by the function library by using a private key;
and the security server returns the successfully decrypted information to the cloud platform under the condition of successfully decrypting the encrypted session key and the synchronous session instruction sent by the function library, so that the cloud platform establishes the first security communication connection between the cloud platform and the gateway equipment.
2. The method of claim 1, further comprising, after establishing the first secure communication connection between the cloud platform and the gateway device:
and the gateway equipment sends an authentication request to the security server, wherein the authentication request is used for the security server to carry out authentication operation so as to establish security connection between the cloud platform and the gateway equipment again.
3. The method of claim 2, wherein the gateway device sends an authentication request to the security server, and wherein the authentication request is used for the security server to perform an authentication operation, and wherein the authentication request comprises:
the security server receives the authentication request sent by the gateway equipment and generates challenge information;
the security server double-encrypts the challenge information by using the session key and the public key, and sends the double-encrypted challenge information to the gateway device;
the gateway equipment receives the challenge information after double encryption and sends the challenge information and the local stored private key to the function library;
the function library signs the challenge information after decrypting the challenge information subjected to double encryption by using the session key and the private key, and returns the signed challenge information to the gateway equipment after double encryption by using the session key and the private key;
the gateway equipment sends the signed challenge information subjected to double encryption to the security server;
the security server decrypts the signed challenge information after the double encryption by using the session key and the public key, performs authentication operation and returns an authentication result;
and under the condition that the authentication result is correct, establishing second secure communication connection between the cloud platform and the gateway equipment so that the cloud platform and the gateway equipment establish secure connection again by using the session key, the public key and the private key to perform subsequent data secure interaction.
4. The method of claim 3, wherein the session key is time-limited, and when the time limit of the session key expires, the secure connection between the cloud platform and the gateway device is automatically interrupted, and the cloud platform and the gateway device re-execute the method of any one of claims 1 to 3 to achieve the secure connection therebetween.
5. A system for connecting a gateway device to a cloud platform, the system comprising a gateway device, a cloud platform and a security server, wherein a function library is embedded in the gateway device;
the cloud platform comprises a public key initialization module;
the public key initialization module is used for initializing a public key defining a communication key and sending the public key to the function library and the security server;
the security server comprises a private key generation module and a decryption establishment module;
the private key generation module is used for generating a private key of the communication key after receiving the public key, and sending the private key and a public key certificate to the gateway device;
the decryption establishment module is used for receiving the encrypted session key and synchronous session instruction sent by the function library and decrypting them by using the private key;
the security server is further used for returning information of successful decryption to the cloud platform under the condition that the encrypted session key and synchronous session instruction sent by the function library are successfully decrypted, so that the cloud platform establishes the first secure communication connection between the cloud platform and the gateway device;
the gateway device comprises a public key certificate sending module, a signature verification module, a session key and synchronous session instruction generation module, and a session key and synchronous session instruction encryption module;
the public key certificate sending module is used for sending the public key certificate to the function library;
the signature verification module is used for verifying the signature of the public key certificate through the function library by using the public key sent by the cloud platform;
the session key and synchronous session instruction generation module is used for generating a session key and a synchronous session instruction through the function library under the condition that the signature verification result is correct;
and the session key and synchronous session instruction encryption module is used for encrypting the session key and the synchronous session instruction through the function library by using the public key, and sending the encrypted session key and synchronous session instruction to the security server.
6. The system of claim 5, wherein the security server further comprises a challenge information generation module, a double encryption module, a decryption authentication module and a connection establishment module;
the challenge information generation module is used for receiving the authentication request sent by the gateway device and generating challenge information;
the double encryption module is used for double-encrypting the challenge information by using the session key and the public key, and sending the double-encrypted challenge information to the gateway device;
the decryption authentication module is used for decrypting the double-encrypted signed challenge information by using the session key and the public key, performing the authentication operation and returning an authentication result;
the connection establishment module is used for establishing a second secure communication connection between the cloud platform and the gateway device under the condition that the authentication result is correct, so that the cloud platform and the gateway device establish a secure connection again by using the session key, the public key and the private key to perform subsequent secure data interaction;
the gateway device further comprises a double-encrypted challenge information receiving module, a decryption and signing module, and a double-encrypted signature sending module;
the double-encrypted challenge information receiving module is used for receiving the double-encrypted challenge information and sending the challenge information and the locally stored private key to the function library;
the decryption and signing module is used for, through the function library, decrypting the double-encrypted challenge information by using the session key and the private key, signing the challenge information, double-encrypting the signed challenge information by using the session key and the private key, and returning it to the gateway device;
and the double-encrypted signature sending module is used for sending the double-encrypted signed challenge information to the security server.
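The challenge-response of claim 3 (restated as modules in claim 6), carried through as an added example in Ruby with only the standard openssl library; this is not code from the patent. It assumes AES-256-GCM for the session-key layer, RSA-OAEP for the public-key layer and RSA-PSS for the signature (the claims name no algorithms), models the return-path "double encryption with the session key and the private key" as sign-then-seal, and collapses the function library's decrypt, sign and re-encrypt steps into gateway_respond while the security server keeps the challenge it issued for the final check.

```ruby
require 'openssl'
# Session-key layer of the "double encryption". AES-256-GCM is an assumption;
# the claims name no algorithm. Layout of the result: iv(12) || tag(16) || ciphertext.
def session_seal(sess, msg)
  c = OpenSSL::Cipher.new('aes-256-gcm')
  c.encrypt
  c.key = sess
  iv = c.random_iv
  ct = c.update(msg) + c.final
  iv + c.auth_tag + ct
end

# Reverses session_seal; returns nil if the tag check fails (wrong key or tampering).
def session_open(sess, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm')
  c.decrypt
  c.key = sess
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.update(blob[28..-1]) + c.final
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
  nil
end

# Security server: random challenge, sealed under the session key, then under the
# gateway's public key (RSA-OAEP assumed). Returns the challenge too, for the later check.
def server_challenge(sess, pub)
  challenge = OpenSSL::Random.random_bytes(32)
  inner = session_seal(sess, challenge)
  [challenge, pub.public_encrypt(inner, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)]
end

# Function library on the gateway: strip the public-key layer, then the session-key layer;
# sign the challenge (RSA-PSS assumed) and seal challenge || signature for the return trip.
def gateway_respond(sess, priv, wrapped)
  inner = priv.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  challenge = session_open(sess, inner) or return nil
  sig = priv.sign_pss('SHA256', challenge, salt_length: :max, mgf1_hash: 'SHA256')
  session_seal(sess, challenge + sig)
rescue OpenSSL::PKey::PKeyError
  nil
end

# Security server: open the session layer, require the echoed challenge to equal the one
# issued, then verify the signature with the gateway's public key. Any failure => false.
def server_verify(sess, pub, challenge, resp)
  pt = resp && session_open(sess, resp) or return false
  return false unless pt.bytesize > 32 && pt[0, 32] == challenge
  pub.verify_pss('SHA256', pt[32..-1], challenge, salt_length: :auto, mgf1_hash: 'SHA256')
end
```

A wrong session key fails at the GCM tag on either side, and a replayed or altered response fails the challenge comparison or the signature check, which is where the "second secure connection" of the claim is gated.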
7. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 3.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any one of claims 1 to 3 are implemented when the computer program is executed by the processor.
CN201911090514.XA 2019-11-08 2019-11-08 Method, system, equipment and medium for connecting gateway equipment and cloud platform Active CN110784322B (en)

Publications (2)

Publication Number Publication Date
CN110784322A (en) 2020-02-11
CN110784322B (en) 2020-10-09

Family

ID=69390314

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant