CN111917790A - Hybrid encryption method for Internet of things security - Google Patents

Hybrid encryption method for Internet of things security Download PDF

Info

Publication number
CN111917790A
CN111917790A CN202010794304.5A CN202010794304A CN111917790A CN 111917790 A CN111917790 A CN 111917790A CN 202010794304 A CN202010794304 A CN 202010794304A CN 111917790 A CN111917790 A CN 111917790A
Authority
CN
China
Prior art keywords
key
node
opensll
encryption method
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010794304.5A
Other languages
Chinese (zh)
Inventor
钱承山
宗文杰
孙宁
毛伟民
王彭辉
赵贤
茹清晨
蒋丹阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Information Science and Technology
Original Assignee
Nanjing University of Information Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing University of Information Science and Technology filed Critical Nanjing University of Information Science and Technology
Priority to CN202010794304.5A priority Critical patent/CN111917790A/en
Publication of CN111917790A publication Critical patent/CN111917790A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Computer And Data Communications (AREA)

Abstract

本发明公开了一种物联网安全的混合加密方法,由ECC加密算法与D‑H秘钥交换算法相结合,步骤如下:生成ECC公钥和私钥:应用安全套接层密码库OpenSLL,先通过API函数得到并选择OpenSLL中的一种椭圆曲线;再生成密钥参数g,根据密钥参数g生成对应的公钥和私钥;ECC签名以及签名验证:用OpenSLL中的ECSSA_sign()函数完成数据签名功能,在OpenSLL中利用ECSSA_verify()函数完成对应数据签名的验证,以保证数据在传输过程中未被修改;共享会话密钥的生成:通过D‑H秘钥交换算法,获取对方的公钥数据,在两节点处生成各自的会话密钥。本发明使网络传输安全性能得到提升。

Figure 202010794304

The invention discloses a hybrid encryption method for Internet of Things security. The ECC encryption algorithm is combined with the D-H secret key exchange algorithm. The steps are as follows: generating an ECC public key and a private key; The API function obtains and selects an elliptic curve in OpenSLL; then generates the key parameter g, and generates the corresponding public key and private key according to the key parameter g; ECC signature and signature verification: use the ECSSA_sign() function in OpenSLL to complete the data Signature function, use the ECSSA_verify() function in OpenSLL to complete the verification of the corresponding data signature to ensure that the data is not modified during the transmission process; the generation of the shared session key: obtain the public key of the other party through the D‑H key exchange algorithm data, and generate respective session keys at the two nodes. The invention improves the security performance of network transmission.

Figure 202010794304

Description

一种物联网安全的混合加密方法A hybrid encryption method for IoT security

技术领域technical field

本发明属于网络安全技术领域,具体涉及一种物联网安全的混合加密方法。The invention belongs to the technical field of network security, in particular to a hybrid encryption method for Internet of Things security.

背景技术Background technique

物联网是通过使用射频识别(Radio Frequency Identification,RFID)、传感器、红外感应器、全球定位系统、激光扫描器等信息采集设备,按约定的协议,把任何物品与互联网连接起来,进行信息交换和通讯以实现智能化识别、定位、跟踪、监控和管理的一种网络。物联网市场发展迅速,终端数量剧增,安全隐患大,物联网产业链中安全环节占比低。物联网业务深入多个行业,全方位影响人民生活,相应的安全问题也将带来严重威胁,甚至包括生命和财产安全。The Internet of Things is the use of radio frequency identification (RFID), sensors, infrared sensors, global positioning systems, laser scanners and other information collection equipment, according to the agreed protocol, to connect any item with the Internet for information exchange and A network that communicates to achieve intelligent identification, positioning, tracking, monitoring and management. The IoT market is developing rapidly, the number of terminals has increased sharply, and there are great security risks. The security link in the IoT industry chain accounts for a low proportion. The Internet of Things business penetrates into many industries and affects people's lives in an all-round way. The corresponding security problems will also bring serious threats, even including life and property safety.

物联网安全指物联网硬件、软件及其系统中的数据受到保护,不受偶然的或者恶意的原因而遭到破坏、更改、泄露,物联网系统可连续可靠正常地运行,物联网服务不中断。物联网安全包括一切解决或者缓解物联网网络技术应用过程中存在的安全威胁的技术手段或者管理手段,也包括这些安全威胁本身以及相关的活动。物联网安全威胁和物联网安全技术是网络安全含义最基本的表现。IoT security means that IoT hardware, software and data in their systems are protected from being damaged, altered, or leaked by accidental or malicious reasons. IoT systems can run continuously, reliably and normally, and IoT services are not interrupted. IoT security includes all technical means or management means to solve or mitigate the security threats existing in the application of IoT network technology, as well as these security threats themselves and related activities. IoT security threats and IoT security technologies are the most basic manifestations of the meaning of network security.

目前,物联网节点中还存在许多安全问题亟待解决。At present, there are still many security problems in IoT nodes that need to be solved urgently.

发明内容SUMMARY OF THE INVENTION

本发明针对现有技术中的不足,提供一种非对称加密算法与D-H秘钥交换算法相结合的加密算法对数据加密,从而解决物联网节点中存在的安全问题。物联网节点也使用传输层安全协议来创建连到云端的安全连接。但要实现真正的安全,物联网节点还必须获得应用层的安全性。这意味着不只是通信管道,节点本身也需要经过认证。除了通道认证,应用层应建立加密和数据完整性检查机制来保护流经管道的数据。Aiming at the deficiencies in the prior art, the present invention provides an encryption algorithm combining an asymmetric encryption algorithm and a D-H secret key exchange algorithm to encrypt data, thereby solving the security problems existing in the IoT nodes. IoT nodes also use Transport Layer Security to create secure connections to the cloud. But to achieve true security, IoT nodes must also acquire application-layer security. This means that not only the communication pipes, but the nodes themselves also need to be authenticated. In addition to channel authentication, the application layer should establish encryption and data integrity checking mechanisms to protect the data flowing through the pipeline.

为实现上述目的,本发明采用以下技术方案:To achieve the above object, the present invention adopts the following technical solutions:

一种物联网安全的混合加密方法,混合加密方法由ECC加密算法与D-H秘钥交换算法相结合,步骤如下:A hybrid encryption method for Internet of Things security. The hybrid encryption method is combined with an ECC encryption algorithm and a D-H key exchange algorithm. The steps are as follows:

S1、生成ECC公钥和私钥:应用安全套接层密码库OpenSLL,先通过API函数得到并选择OpenSLL中的一种椭圆曲线;再根据选择的椭圆曲线生成密钥参数g,根据获取的密钥参数g生成对应的公钥和私钥;S1. Generate ECC public key and private key: Apply the secure socket layer cryptographic library OpenSLL, first obtain and select an elliptic curve in OpenSLL through the API function; then generate the key parameter g according to the selected elliptic curve, according to the obtained key The parameter g generates the corresponding public key and private key;

S2、ECC签名以及签名验证:用OpenSLL中的ECSSA_sign()函数完成数据签名功能,在OpenSLL中利用ECSSA_verify()函数完成对应数据签名的验证,以保证数据在传输过程中未被修改;S2, ECC signature and signature verification: use the ECSSA_sign() function in OpenSLL to complete the data signature function, and use the ECSSA_verify() function in OpenSLL to complete the verification of the corresponding data signature to ensure that the data is not modified during transmission;

S3、共享会话密钥的生成:通过D-H秘钥交换算法,获取对方的公钥数据,在两节点处生成各自的会话密钥。S3. Generation of a shared session key: Obtain the public key data of the other party through the D-H key exchange algorithm, and generate respective session keys at the two nodes.

为优化上述技术方案,采取的具体措施还包括:In order to optimize the above technical solutions, the specific measures taken also include:

进一步地,步骤S1中,密钥参数g包含了选择的椭圆的基本参数,包括椭圆曲线的名字、半径。Further, in step S1, the key parameter g includes the basic parameters of the selected ellipse, including the name and radius of the ellipse curve.

进一步地,步骤S1中,根据获取的密钥参数g生成对应的公钥和私钥具体为:Further, in step S1, generating the corresponding public key and private key according to the obtained key parameter g is specifically:

A、B为网络中两节点,A节点随机生成随机数x1,B节点随机生成随机数x2;x1,x2分别对应作为两个节点的各自的私钥,令A2=x1*g,B2=x2*g,A2、B2分别对应作为两节点各自的公钥。A and B are two nodes in the network. Node A randomly generates a random number x 1 , and node B randomly generates a random number x 2 ; x 1 , x 2 correspond to the respective private keys of the two nodes, let A 2 =x 1 *g, B 2 =x 2 *g, A 2 and B 2 correspond to the respective public keys of the two nodes.

进一步地,步骤S3包括:A节点通过查询Raft服务器集群中区块链保存的数据,来获得B节点的公钥数据。Further, step S3 includes: node A obtains the public key data of node B by querying the data stored in the blockchain in the Raft server cluster.

进一步地,步骤S3具体包括:Further, step S3 specifically includes:

当A节点得到B节点的公钥B2,计算出H=x1*B2,通过D-H秘钥交换,由自己的私钥x1与交换后A节点的公钥B2得到对称秘钥H;同理B节点得到A节点的A2计算出H*=x2*A2,然后通过D-H秘钥交换,由自己的私钥x2与交换后B节点的公钥A2得到对称密钥H*When node A obtains the public key B 2 of node B, it calculates H=x 1 *B 2 . Through DH key exchange, the symmetric key H is obtained from its own private key x 1 and the public key B 2 of node A after the exchange. ; Similarly, node B obtains A 2 of node A and calculates H * = x 2 *A 2 , and then through DH key exchange, the symmetric key is obtained from its own private key x 2 and the public key A 2 of node B after the exchange H * .

进一步地,步骤S3中,在OpenSLL中通过函数ECDH_compute_key()来确定对称会话密钥。Further, in step S3, the symmetric session key is determined by the function ECDH_compute_key() in OpenSLL.

本发明的有益效果是:使用ECC加密算法与D-H秘钥交换算法相结合会使网络传输安全性能得到提升。交换的密钥是由ECC等非对称密码算法生成的密钥对中的公钥,而私钥每个节点单独保存,不暴露给任何人,这样保证通信的安全性;已保证进入网络的所有访客的身份更具有真实性。The beneficial effect of the present invention is that the combination of the ECC encryption algorithm and the D-H key exchange algorithm can improve the security performance of network transmission. The exchanged key is the public key in the key pair generated by asymmetric cryptographic algorithms such as ECC, and the private key is stored separately for each node and is not exposed to anyone, thus ensuring the security of communication; The identity of the visitor is more authentic.

附图说明Description of drawings

图1:本发明的混合加密算法程序流程图。Fig. 1: The flow chart of the mixed encryption algorithm program of the present invention.

图2:本发明的混合加密方法中Diffie-Hellman密钥交换方法示意图。Figure 2: A schematic diagram of the Diffie-Hellman key exchange method in the hybrid encryption method of the present invention.

图3:本发明的混合加密方法中ECC算法程序流程图。Figure 3: The flow chart of the ECC algorithm program in the hybrid encryption method of the present invention.

具体实施方式Detailed ways

现在结合附图对本发明作进一步详细的说明。The present invention will now be described in further detail with reference to the accompanying drawings.

需要注意的是,发明中所引用的如“上”、“下”、“左”、“右”、“前”、“后”等的用语,亦仅为便于叙述的明了,而非用以限定本发明可实施的范围,其相对关系的改变或调整,在无实质变更技术内容下,当亦视为本发明可实施的范畴。It should be noted that the terms such as "up", "down", "left", "right", "front", "rear", etc. quoted in the invention are only for the convenience of description and clarity, and are not used for Limiting the applicable scope of the present invention, the change or adjustment of the relative relationship shall be regarded as the applicable scope of the present invention without substantially changing the technical content.

本发明提供了一种物联网安全的混合加密方法,混合加密方法由ECC加密算法与D-H秘钥交换算法相结合,步骤如下:The invention provides a hybrid encryption method for Internet of Things security. The hybrid encryption method is combined with an ECC encryption algorithm and a D-H secret key exchange algorithm, and the steps are as follows:

S1、生成ECC公钥和私钥:应用安全套接层密码库OpenSLL,在计算机网络上,OpenSSL是一个开放源代码的软件库包,应用程序可以使用这个包来进行安全通信,避免窃听,同时确认另一端连接者的身份。OpenSLL中有很多椭圆曲线,先通过API函数得到OpenSLL中的椭圆曲线并选择一种椭圆曲线;再根据选择的椭圆曲线生成密钥参数g,其中g包含了该椭圆的一些基本参数,如椭圆曲线的名字、半径等等。根据获取的密钥参数g生成对应的公钥和私钥。S1. Generate ECC public and private keys: Apply the secure socket layer cryptographic library OpenSLL. On computer networks, OpenSSL is an open source software library package. Applications can use this package for secure communication, avoid eavesdropping, and confirm at the same time. The identity of the other end of the connection. There are many elliptic curves in OpenSLL. First, get the elliptic curve in OpenSLL through the API function and select an elliptic curve; then generate the key parameter g according to the selected elliptic curve, where g contains some basic parameters of the ellipse, such as elliptic curve name, radius, etc. Generate the corresponding public key and private key according to the obtained key parameter g.

ECC算法原理:ECC又叫做椭圆曲线密码算法。它是一种基于数学椭圆曲线的公钥密码算法。设l是一个大于3的整数,在椭圆曲线y2=x3+dx+e由一个基于同余式y2=x3+dx+emodp的解集(a,b)和一个成为无穷远点的o组成,且4d3+27e2≠0modl的常数。l1=(a1,b1)和l2=(a2,b2)是椭圆曲线上的两个点,由定义椭圆曲线的加法与减法运算得到:ECC algorithm principle: ECC is also called elliptic curve cryptographic algorithm. It is a public key cryptographic algorithm based on mathematical elliptic curves. Let l be an integer greater than 3, the elliptic curve y 2 =x 3 +dx+e is formed by a solution set (a,b) based on the congruence y 2 =x 3 +dx+emodp and a point at infinity The o of , and 4d 3 +27e 2 ≠0modl constant. l 1 =(a 1 , b 1 ) and l 2 =(a 2 , b 2 ) are two points on the elliptic curve, which are obtained by the addition and subtraction operations that define the elliptic curve:

Figure BDA0002624886870000031
Figure BDA0002624886870000031

根据上述的公式可以得到椭圆上的两个点相加还在椭圆上,所以可以得到以下的式子:kl=l+l+…+l=o,k为l的个数。根据k和点l可以求出点o,但是如果已知的是o和l求k则比较困难。这叫做椭圆曲线上点群的离散对数问题。ECC就是以此而得出的算法,即k作为私有秘钥,o作为公开秘钥。According to the above formula, it can be obtained that the two points on the ellipse are added together on the ellipse, so the following formula can be obtained: kl=l+l+...+l=o, where k is the number of l. Point o can be found from k and point l, but it is more difficult to find k if o and l are known. This is called the discrete logarithm problem of point groups on elliptic curves. ECC is the algorithm derived from this, that is, k as the private key and o as the public key.

S2、ECC签名以及签名验证:用OpenSLL中的ECSSA_sign()函数完成数据签名功能,接着在OpenSLL中利用ECSSA_verify()函数完成对应数据签名的验证,以保证数据在传输过程中未被修改。S2, ECC signature and signature verification: use the ECSSA_sign() function in OpenSLL to complete the data signature function, and then use the ECSSA_verify() function in OpenSLL to complete the verification of the corresponding data signature to ensure that the data is not modified during transmission.

S3、共享会话密钥的生成:通过D-H秘钥交换算法,获取对方的公钥数据,在两节点处生成各自的会话密钥。S3. Generation of a shared session key: Obtain the public key data of the other party through the D-H key exchange algorithm, and generate respective session keys at the two nodes.

D-H算法原理:D-H算法不是用来加密或者解密的,而是用于密钥的传输和分配。由于在有限域上计算离散对数非常困难所以它的安全性很好。比如有两个人在不安全的网络上进行协商,一个是A一个是B,以确认本次谈话使用的共享密码。首先A和B先约定好一个很大的素数x和它的原始根y,然后A随机产生一个只有它自己知道的数a,计算A1=yamodx,并把A1发给B;B随机产生一个只有自己知道的数b,计算B1=ybmodx,并把B1发给A;接着A计算k=B1 amod x;B计算k*=A1 bmodx。根据乘法交换定律与乘法结合定律推导出如下式子:Principle of DH algorithm: DH algorithm is not used for encryption or decryption, but for the transmission and distribution of keys. Since it is very difficult to compute discrete logarithms over finite fields, it is quite secure. For example, there are two people negotiating on an insecure network, one is A and one is B, to confirm the shared password used for this conversation. First A and B agree on a large prime number x and its original root y, then A randomly generates a number a that only it knows, calculates A 1 =y a modx, and sends A 1 to B; B Randomly generate a number b that only you know, calculate B 1 =y b modx, and send B 1 to A; then A calculates k=B 1 a mod x; B calculates k * =A 1 b modx. According to the law of exchange of multiplication and the law of combination of multiplication, the following formula is derived:

k*=A1 bmod x=(yamod x)bmodx=yabmod x=(ybmod x)amodx=B1 amod x=kk * =A 1 b mod x=(y a mod x) b modx=y ab mod x=(y b mod x) a modx=B 1 a mod x=k

在整个的过程中即使窃听者得到x、y、A1、B1这个四个数据,但是要是想得到密钥k,则必须先计算出离散对数a和b。在通话的过程中要把a、b、x的数值取得大一点,否则有可能将modx的所有取值得出再通过枚举的方式得到的。In the whole process, even if the eavesdropper obtains the four data of x, y, A 1 , and B 1 , if he wants to obtain the key k, he must first calculate the discrete logarithms a and b. During the call, the values of a, b, and x should be made larger, otherwise it is possible to obtain all the values of modx by enumeration.

根据D-H密钥交换原理,要想在通信一方生成本次的会话密钥,那么就要获取对方的公钥数据。比如A节点与B节点要通信时,A节点通过查询Raft服务器集群中区块链保存的数据,来获得B节点的公钥数据,最后在A处生成会话密钥。B节点和A节点对应的原理一样。在OpenSLL中通过函数ECDH_compute_key()来确定对称会话密钥。According to the D-H key exchange principle, in order to generate this session key on the communicating party, the public key data of the other party must be obtained. For example, when node A and node B want to communicate, node A obtains the public key data of node B by querying the data stored in the blockchain in the Raft server cluster, and finally generates a session key at A. Node B and A node correspond to the same principle. The symmetric session key is determined in OpenSLL by the function ECDH_compute_key().

本发明提出了ECDH,其中EC是“elliptic curves”的意思,DH是“Diffie-Hellman”的意思,ECDH是ECC与D-H的结合。The present invention proposes ECDH, wherein EC means "elliptic curves", DH means "Diffie-Hellman", and ECDH is the combination of ECC and D-H.

本发明实施例中,在秘钥交换的时候,根据获取的密钥参数g生成对应的公钥和私钥具体为:A、B为网络中两节点,都拥有椭圆曲线基点g。A节点随机生成随机数x1,B节点随机生成随机数x2;x1,x2分别对应作为两个节点的各自的私钥,令A2=x1*g,B2=x2*g,A2、B2分别对应作为两节点各自的公钥。当A把A2传给B的时候和B把B2传给A的时候,被窃听者窃取到了但是在ECC中对数问题想解出来比较困难,所以窃听者无法计算出x1x2。当A得到B的B2就能计算出H=x1*B2,即通过D-H秘钥交换由自己的私钥x1与A的公钥B2得到了对称秘钥H。同理B得到A的A2计算出H*=x2*A2,然后通过D-H秘钥交换由自己的私钥x2与B的公钥A2得到了对称密钥H*In the embodiment of the present invention, when the secret key is exchanged, the corresponding public key and private key are generated according to the obtained key parameter g as follows: A and B are two nodes in the network, both of which have an elliptic curve base point g. Node A randomly generates a random number x 1 , and node B randomly generates a random number x 2 ; x 1 and x 2 correspond to the respective private keys of the two nodes, let A 2 =x 1 *g, B 2 =x 2 * g, A 2 and B 2 correspond to the respective public keys of the two nodes. When A passes A 2 to B and B passes B 2 to A, it is stolen by the eavesdropper, but it is difficult to solve the logarithm problem in ECC, so the eavesdropper cannot calculate x 1 x 2 . When A obtains B 2 of B, it can calculate H=x 1 *B 2 , that is, the symmetric key H is obtained from its own private key x 1 and A's public key B 2 through DH key exchange. Similarly, B obtains A 2 of A and calculates H * =x 2 *A 2 , and then obtains the symmetric key H * from its own private key x 2 and B's public key A 2 through DH key exchange.

由数学公式推出:Deduced from the mathematical formula:

H=x1*B2=x1*(x2*g)=(x1*x2)*g=(x2*x1)*g=x2*(x1*g)=x2*A2=H* H=x 1 *B 2 =x 1 *(x 2 *g)=(x 1 *x 2 )*g=(x 2 *x 1 )*g=x 2 *(x 1 *g)=x 2 *A 2 =H *

即A、B两节点得到了相同的密钥。That is, two nodes A and B have obtained the same key.

使用ECC加密算法与D-H秘钥交换算法相结合会让安全性能进行提升。交换的密钥是由ECC等非对称密码算法生成的密钥对中的公钥,而私钥每个节点单独保存,不暴露给任何人,这样保证通信的安全性;本发明能够保证进入网络的所有访客的身份更具有真实性。Using the ECC encryption algorithm combined with the D-H key exchange algorithm will improve the security performance. The exchanged key is the public key in the key pair generated by asymmetric cryptographic algorithms such as ECC, and the private key is stored separately for each node and is not exposed to anyone, thus ensuring the security of communication; the present invention can ensure access to the network The identities of all visitors are more authentic.

以上仅是本发明的优选实施方式,本发明的保护范围并不仅局限于上述实施例,凡属于本发明思路下的技术方案均属于本发明的保护范围。应当指出,对于本技术领域的普通技术人员来说,在不脱离本发明原理前提下的若干改进和润饰,应视为本发明的保护范围。The above are only preferred embodiments of the present invention, and the protection scope of the present invention is not limited to the above-mentioned embodiments, and all technical solutions that belong to the idea of the present invention belong to the protection scope of the present invention. It should be pointed out that for those skilled in the art, some improvements and modifications without departing from the principle of the present invention should be regarded as the protection scope of the present invention.

Claims (6)

1. A hybrid encryption method for the security of the Internet of things is characterized in that the hybrid encryption method is formed by combining an ECC encryption algorithm and a D-H key exchange algorithm and comprises the following steps:
s1, generating an ECC public key and a private key: applying a secure socket layer password library OpenSLL, and obtaining and selecting an elliptic curve in the OpenSLL through an API function; generating a key parameter g according to the selected elliptic curve, and generating a corresponding public key and a corresponding private key according to the obtained key parameter g;
s2, ECC signature and signature verification: an ECSSA _ sign () function in OpenSLL is used for completing a data signature function, and an ECSSA _ verify () function is used for completing verification of a corresponding data signature in OpenSLL so as to ensure that data is not modified in the transmission process;
s3, generation of shared session key: and acquiring the public key data of the opposite party through a D-H secret key exchange algorithm, and generating respective session keys at the two nodes.
2. The hybrid encryption method according to claim 1, wherein in step S1, the key parameter g contains basic parameters of the selected ellipse, including the name and radius of the elliptic curve.
3. The hybrid encryption method according to claim 1, wherein in step S1, the generation of the corresponding public key and private key according to the obtained key parameter g specifically comprises:
A. b is two nodes in the network, and the A node randomly generates a random number x1Node B randomly generates a random number x2;x1,x2Respectively corresponding to respective private keys as two nodes, order A2=x1*g,B2=x2*g,A2、B2And the public keys are respectively corresponding to the two nodes.
4. The hybrid encryption method according to claim 3, wherein step S3 includes: the A node obtains the public key data of the B node by inquiring the data stored in the block chain in the Raft server cluster.
5. The hybrid encryption method according to claim 4, wherein the step S3 specifically includes:
when the node A obtains the public key B of the node B2Calculating H ═ x1*B2By its own private key x, by means of D-H key exchange1Public key B with exchanged node A2Obtaining a symmetric key H; obtaining A of A node by B node2Calculate H*=x2*A2Then exchanged by D-H secret key, with its own private key x2Public key A with exchanged node B2Get the symmetric key H*
6. The hybrid encryption method according to claim 1, wherein in step S3, a symmetric session key is determined by a function ECDH _ compute _ key () in OpenSLL.
CN202010794304.5A 2020-08-10 2020-08-10 Hybrid encryption method for Internet of things security Pending CN111917790A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010794304.5A CN111917790A (en) 2020-08-10 2020-08-10 Hybrid encryption method for Internet of things security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010794304.5A CN111917790A (en) 2020-08-10 2020-08-10 Hybrid encryption method for Internet of things security

Publications (1)

Publication Number Publication Date
CN111917790A true CN111917790A (en) 2020-11-10

Family

ID=73283407

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010794304.5A Pending CN111917790A (en) 2020-08-10 2020-08-10 Hybrid encryption method for Internet of things security

Country Status (1)

Country Link
CN (1) CN111917790A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113946852A (en) * 2021-10-27 2022-01-18 重庆臻链汇物联网科技有限公司 Vehicle-mounted intelligent data dynamic encryption method
CN114039727A (en) * 2021-12-09 2022-02-11 施耐德电气(中国)有限公司 A data transmission method, device, intelligent terminal and gateway device
CN118869199A (en) * 2024-07-03 2024-10-29 江苏省工商行政管理局信息中心 A commercial password security transmission method and system based on a trusted network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080130895A1 (en) * 2006-10-25 2008-06-05 Spyrus, Inc. Method and System for Deploying Advanced Cryptographic Algorithms
CN105812142A (en) * 2016-03-10 2016-07-27 西京学院 Strong forward-secure digital signature method for combining fingerprint, ECDH and ECC
CN109687957A (en) * 2018-12-26 2019-04-26 无锡泛太科技有限公司 A kind of RFID authentication method of the public-key cryptography scheme based on ellipse-hyperbolic

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080130895A1 (en) * 2006-10-25 2008-06-05 Spyrus, Inc. Method and System for Deploying Advanced Cryptographic Algorithms
CN105812142A (en) * 2016-03-10 2016-07-27 西京学院 Strong forward-secure digital signature method for combining fingerprint, ECDH and ECC
CN109687957A (en) * 2018-12-26 2019-04-26 无锡泛太科技有限公司 A kind of RFID authentication method of the public-key cryptography scheme based on ellipse-hyperbolic

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李明: "IPSec中IKE协议的分析和ECC算法的改进", 《中国优秀博硕士学位论文全文数据库(硕士)信息科技辑》 *
赵艳杰: "基于区块链的物联网信息安全传输与存储研究", 《中国优秀博硕士学位论文全文数据库(硕士)信息科技辑》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113946852A (en) * 2021-10-27 2022-01-18 重庆臻链汇物联网科技有限公司 Vehicle-mounted intelligent data dynamic encryption method
CN114039727A (en) * 2021-12-09 2022-02-11 施耐德电气(中国)有限公司 A data transmission method, device, intelligent terminal and gateway device
CN118869199A (en) * 2024-07-03 2024-10-29 江苏省工商行政管理局信息中心 A commercial password security transmission method and system based on a trusted network
CN118869199B (en) * 2024-07-03 2025-02-07 江苏省市场监督管理局数据中心 Commercial password secure transmission method and system based on credit network

Similar Documents

Publication Publication Date Title
Wang et al. A secure authentication scheme for internet of things
US7120797B2 (en) Methods for authenticating potential members invited to join a group
Zhang et al. Blockchain-based asymmetric group key agreement protocol for internet of vehicles
CN111917790A (en) Hybrid encryption method for Internet of things security
Farash et al. A new efficient authenticated multiple-key exchange protocol from bilinear pairings
Huszti et al. Scalable, password-based and threshold authentication for smart homes
CN113676333A (en) A Two-Party Collaboration to Generate SM2 Blind Signatures
CN110809000B (en) Service interaction method, device, equipment and storage medium based on block chain network
Schmidt Requirements for password-authenticated key agreement (PAKE) schemes
Ashraf et al. Lightweight and authentic symmetric session key cryptosystem for client–server mobile communication
Ghaffar et al. A lightweight and efficient remote data authentication protocol over cloud storage environment
Puthiyidam et al. Enhanced authentication security for IoT client nodes through T-ECDSA integrated into MQTT broker
Wang et al. AP-CDE: Cost-efficient authentication protocol for cross-domain data exchange in IIoT
Shekhawat et al. Quantum-resistance blockchain-assisted certificateless data authentication and key exchange scheme for the smart grid metering infrastructure
Fan et al. CAKE-PUF: A Collaborative Authentication and Key Exchange Protocol Based on Physically Unclonable Functions for Industrial Internet of Things
Nair et al. A post-quantum secure PUF based cross-domain authentication mechanism for Internet of drones
Xu et al. A decentralized lightweight authentication protocol under blockchain
Saha et al. Private blockchain envisioned access control system for securing industrial IoT-based pervasive edge computing
Chhikara et al. Construction of elliptic curve cryptography‐based authentication protocol for internet of things
Xia et al. A Quantum-Resistant Identity Authentication and Key Agreement Scheme for UAV Networks Based on Kyber Algorithm
Shabani et al. An intelligent RFID-enabled authentication protocol in VANET
Yu et al. A Multi-Scenario Authenticated Key Exchange Scheme with Forward Secrecy for Fog-enabled VANETs
WO2023025369A1 (en) Client application entity, target application entity, root of trust device, and methods for establishing a secure communication channel
Momeni et al. An energy-efficient multiple-factor authentication protocol for critical infrastructure iot systems
Yuan et al. Blockchain-Based Group Covert Communication for IoT Network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20201110