CN112073379A - Lightweight Internet of things security key negotiation method based on edge calculation - Google Patents
- Publication number: CN112073379A (application number CN202010806877.5A)
- Authority: CN (China)
- Prior art keywords: edge gateway, authentication, equipment, edge, terminal equipment
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0869: Network architectures or network communication protocols for network security, for authentication of entities, for achieving mutual authentication
- H04L63/06: Network architectures or network communication protocols for network security, for supporting key management in a packet data network
- H04L63/123: Network architectures or network communication protocols for network security, applying verification of the received data contents, e.g. message integrity
- H04L67/12: Network arrangements or protocols for supporting network services or applications; protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L9/0838: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; key establishment by key agreement, i.e. a shared key is derived by the parties as a function of information contributed by, or associated with, each of them
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
A lightweight Internet of Things (IoT) security key negotiation method based on edge computing comprises the following steps: step 1, the cloud server and an edge gateway perform mutual authentication, the cloud server authorizes the edge gateway, and the edge gateway obtains the authority to perform authentication and key agreement with terminal devices; step 2, the edge gateway takes charge of the security authentication and management of the IoT devices in its local area network; step 3, a terminal device and the edge gateway perform mutual authentication and key agreement, construct a secure channel that encrypts the subsequently transmitted data, and the terminal device sends its data to the edge gateway; step 4, the edge gateway performs preliminary processing on the data transmitted by the terminal device; step 5, thereafter the cloud server and the edge gateway transmit and process the device data together. The invention realizes lightweight and secure IoT authentication and key agreement and protects the security of IoT data transmission.
Description
Technical Field
The invention belongs to the technical field of Internet security and relates in particular to a lightweight IoT security key negotiation method based on edge computing.
Background
With the rapid development of information technology, Internet of Things (IoT) technology has been integrated into many aspects of life. The intelligent network formed by the IoT, interconnecting people with things and things with things, greatly promotes intelligent development in many fields. But the simultaneous access of a large number of devices and the exchange of a large amount of information also introduce new security challenges. Because devices in the IoT environment are numerous and resource-constrained, traditional security protocols are too complex, and their computation, storage and communication costs are too high, to meet the requirements. Moreover, a centralized, cloud-centred authentication and key agreement mechanism places a huge burden on the server and can even cause network congestion that disrupts the authentication and key agreement of devices. How to design a more secure and lighter authentication and key agreement technique that ensures the confidentiality and integrity of information exchange in the IoT environment is therefore an urgent need.
To assess the state of the prior art, existing papers and patents were searched, compared and analysed, and the following technical information with high relevance to the invention was selected:
Technical scheme 1: the patent "A method and a system for performing security management on Internet of Things equipment", CN108881304A, provides a method and a system for the security management of IoT devices. The IoT security management platform registers with a recognized third-party security authority platform, which, after authenticating the management platform, signs a certificate for it; an IoT device registers with the IoT security management platform, which, after authenticating the device's user identity identification card, signs a certificate for that card; when service data is transmitted between the IoT service platform and the IoT device, the IoT security management platform and the user identity identification card authenticate each other and, after authentication passes, negotiate a working key for encrypting the service data, so that the data transmission of both parties is protected. That invention can effectively protect IoT devices from illegal management and control and improve the overall attack resistance of the IoT system.
Technical scheme 1 adopts an IoT platform management and authentication mode based on an identity identification card: the IoT management platform must register with a third-party security organization, then the IoT device registers with the IoT management platform, and after the identity identification card passes authentication a corresponding identity certificate is issued. The method protects the data transmission of IoT devices well, so that the devices are not illegally controlled. However, such a management method is too centralized to manage a large number of devices. Moreover, registration, certificate issuance and authentication are complicated and the device overhead is high, so it cannot meet the security requirements of devices with limited resources.
Technical scheme 2: the patent CN110995432A discloses an IoT sensing node authentication method based on an edge gateway. The method mainly comprises: the sensing node first reads the NodeID and the authentication key Key stored on the device and randomly generates a nonce Nonce1; on the first authentication it also randomly generates a Counter value, otherwise it reads the locally stored Counter value; the sensing node computes the node authentication credential and sends an access request message to the edge gateway. The advantage of that invention is an authentication implementation that follows the decentralized, distributed idea of edge computing: the computing capacity of the IoT system sinks from the cloud to the edge gateway, and after the first authentication the edge gateway can independently complete the access authentication of the sensing node, which strengthens the edge computing capability of the IoT, greatly reduces the access-authentication load on the IoT cloud platform, and keeps the subordinate edge network operating even if the edge gateway loses its network connection to the cloud.
Technical scheme 2 adopts a node authentication method based on an edge computing gateway: the edge gateway is responsible for the access authentication of sensing nodes, the whole method is based on a monotonically increasing Counter value combined with random numbers, which effectively realizes mutual authentication in the challenge/response style, and the authentication is simple and lightweight. Sinking the computing capacity of the IoT system from the cloud to the edge gateway strengthens the edge computing capability and relieves the cloud platform to some extent. However, during authentication the edge gateway still has to query the IoT cloud platform for the h(Key) associated with the node's NodeID. When the nodes and their authentication requests are numerous, the load on the cloud platform therefore remains high and effective decentralization is not achieved. In addition, although the authentication protocol is lightweight, its security, which matters most, is low and it is very vulnerable.
Disclosure of Invention
To overcome the defects of the prior art, the invention aims to provide a dynamic password authentication and key agreement method based on identity identification, and an authentication and key agreement mechanism based on edge computing and cloud-edge-end cooperation: the authentication and key agreement tasks are placed on edge gateway-level equipment, which greatly reduces latency, relieves the cloud centre of the huge burden of massive numbers of devices, and completes identity authentication and key agreement more securely and efficiently.
The invention adopts the following technical scheme. A lightweight IoT security key negotiation method based on edge computing comprises the following steps:
step 1, the cloud server and the edge gateway perform mutual authentication; after authentication passes, the edge gateway is authorized and obtains the authority to perform authentication and key agreement with terminal devices, the identity information of the edge gateway is stored in the cloud database, and the cloud server transfers the authentication and key agreement task to the edge gateway;
step 2, after the edge gateway has been authenticated and authorized by the cloud server, it receives the authentication and key agreement task transferred by the corresponding cloud server and takes charge of the security authentication and management of the terminal devices in its local area network;
step 3, a terminal device accesses the IoT; the terminal device and the edge gateway perform mutual authentication and key agreement, and once these pass they construct a secure channel that encrypts the subsequently transmitted data, which the terminal device sends to the edge gateway;
step 4, the edge gateway performs preliminary processing on the data transmitted by the terminal device and forwards part of the data to the cloud server for cloud-edge cooperative processing;
step 5, the cloud server and the edge gateway process the data together, and the authentication and key agreement of the terminal devices is managed uniformly by the edge gateway.
Preferably, step 2 includes the registration of a newly accessing terminal device, and the registration process includes:
step 2.1, the device information and a preset password PW are entered at the terminal device; the device-side registration program generates a unique device identity ID from the device information, generates a random number N_i and computes the dynamic password C_i;
step 2.2, the terminal device saves ID, PW and C_i, and transmits C_i and ID through a secure channel to the registration server for checking and storage;
step 2.3, at the edge gateway, the registration server looks up the device identity ID; if the ID is already registered, the registered information is returned; if it is not registered, the server stores C_i and the device identity ID and returns registration-success information.
Preferably, the device information includes the device area number, the device type number and the device number.
Preferably, the mutual authentication and key agreement between the terminal device and the edge gateway in step 3 specifically includes:
step 3.1, the terminal equipment and the edge gateway perform bidirectional authentication;
step 3.2, the terminal equipment and the edge gateway perform key negotiation exchange;
and 3.3, the terminal equipment and the edge gateway perform key negotiation verification.
Preferably, the mutual authentication between the terminal device and the edge gateway in step 3.1 specifically includes:
step 3.1.1, the device side initiates an identity authentication request to the edge gateway: it generates a random challenge number CN_i and a timestamp T_i and sends the device identity ID, the challenge CN_i and T_i to the edge gateway;
step 3.1.2, after receiving the message, the edge gateway checks whether the timestamp T_i is valid; if it is, the gateway checks whether the device identity ID is registered and sends failure information if it is not; if it is registered, the gateway looks up the corresponding C_i by ID, computes the response value R, generates a random number CN_{i+1}, and sends R and CN_{i+1} to the terminal device;
step 3.1.3, after receiving the message, the terminal device computes the expected response from its own C_i and CN_i and compares it with R; if they differ, it returns to step 3.1.1 and resends the authentication request; if they match, the edge gateway is authenticated. The terminal device then generates a random number N_{i+1}, computes the new password C_{i+1}, computes D_{i+1} = H(ID, C_{i+1}), computes the values a and b, and sends (a, b, ID) to the edge gateway;
step 3.1.4, after receiving the message, the edge gateway computes the corresponding values from a, b and its stored C_i and compares the result with D_{i+1}; if they differ, authentication fails; if they match, the device side is authenticated, the edge gateway updates the registration information database, replacing C_i with C_{i+1} to complete the password update, computes r = H(ID, D_{i+1}), and sends Success and r to the device as the gateway's second authentication proof;
step 3.1.5, after receiving r, the terminal device computes H(ID, D_{i+1}) and compares it with r; if they match, mutual authentication has passed, key agreement begins, and ak = D_{i+1} serves as the shared authentication material for the subsequent key agreement phase.
Preferably, in step 3.2 the terminal device and the edge gateway perform the key agreement exchange using the ECDH key exchange algorithm.
Preferably, the key agreement exchange between the terminal device and the edge gateway in step 3.2 specifically includes:
step 3.2.1, the terminal device generates a random number KN_i and a random integer n_a, computes the key material KM_i = n_a·G, where G is the base point of the elliptic curve, and sends KN_i and KM_i to the edge gateway;
step 3.2.2, the edge gateway generates a random number KN_r and a random integer n_b, computes the key material KM_r = n_b·G and, after receiving the key material from the device side, sends KM_r and KN_r to the terminal device.
Preferably, the key agreement verification between the terminal device and the edge gateway in step 3.3 specifically includes:
step 3.3.1, the terminal device and the edge gateway compute the shared secret K = K_i = n_a·KM_r = K_r = n_b·KM_i and derive a temporary session key from it;
step 3.3.2, the terminal device computes the verification material H_i and sends ID and H_i to the edge gateway for verification;
step 3.3.3, the edge gateway computes the corresponding value and compares it with H_i; if they differ, verification fails and the negotiation is repeated; if they match, verification passes, the edge gateway generates a random number N_id, computes H_r, sends N_id and H_r to the terminal device, and enters the secure communication phase;
step 3.3.4, the terminal device computes the corresponding value and compares it with H_r; if they differ, verification fails and the negotiation is repeated; if they match, verification passes and the terminal device enters the secure communication phase.
Compared with the prior art, the invention adopts a dynamic password authentication and key agreement method based on identity identification and provides a cloud-edge-end cooperative authentication and key agreement mechanism based on edge computing; placing the authentication and key agreement tasks on edge gateway-level equipment greatly reduces latency, relieves the cloud centre of the huge burden of massive numbers of devices, and completes identity authentication and key agreement more securely and efficiently. The method and mechanism reduce the storage and computing overhead on devices, improve efficiency while maintaining security, and meet the application requirements of the IoT environment.
The invention provides a dynamic password identity authentication protocol based on identity identification and a key agreement protocol built around the ECDH algorithm, which meet the communication security requirements of different kinds of resource-constrained devices. It also addresses the management problem caused by the large number of devices in the IoT environment, relieves the pressure on the cloud centre server, improves the efficiency of authentication and key agreement, reduces latency and enhances security.
Drawings
Fig. 1 is the architecture of the cloud-edge-end cooperative authentication and key agreement mechanism based on an edge gateway;
Fig. 2 is the device registration flow diagram;
Fig. 3 is the dynamic password mutual authentication model based on identity identification;
Fig. 4 is the key agreement protocol model.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present application is not limited thereby.
As shown in Fig. 1, the edge-gateway-based cloud-edge-end cooperative authentication and key agreement mechanism mainly includes three parts: the IoT device side, the edge gateway and the cloud centre. In this architecture the edge gateway acts as a bridge in the IoT network. Through the edge gateway the devices can be managed better, and moving the identity authentication and key agreement tasks from the cloud down to the edge gateway greatly relieves the information congestion, service congestion and latency that arise under high concurrency. Downwards, the edge gateway connects directly to each IoT device and provides identity authentication and key agreement, subsequent data protection and data processing for the devices in its region. After passing the authentication and key agreement with the edge gateway, each IoT terminal device collects data or provides the corresponding service and transmits its data securely to the edge gateway. Upwards, the edge gateway connects to the core network and cooperates with the cloud centre. The cloud centre authenticates the edge gateway equipment, after authentication authorizes it and transfers to it the authentication and key agreement task for terminal devices, and processes the data uploaded by the edge gateway; in this cloud-edge cooperative mode the authentication, key agreement and data processing of the devices are completed.
The edge gateway server of each group manages its corresponding IoT devices, and the edge gateway connects to the core network to cooperate with the cloud centre. The cloud centre manages the corresponding edge gateway equipment, so the edge gateway authentication mechanism is realized in a cloud-edge-end integrated mode.
The invention therefore provides a lightweight IoT security key negotiation method based on edge computing, comprising the following steps:
Step 1, the cloud server and the edge gateway perform mutual authentication; after authentication passes, the edge gateway is authorized and obtains the authority to perform authentication and key agreement with terminal devices, the identity information of the edge gateway is stored in the cloud database, and the cloud server then transfers the authentication and key agreement task to the edge gateway.
Step 2, after the edge gateway has been authenticated and authorized by the cloud server, it receives the corresponding tasks from the cloud server and takes charge of the security authentication and management of the terminal devices in its local area network, such as, but not limited to, the registration of IoT terminal devices and the acquisition, transmission and processing of their data.
Step 3, a terminal device accesses the IoT; the terminal device and the edge gateway perform mutual authentication and key agreement, and once these pass they construct a secure channel that encrypts the subsequently transmitted data, which is sent uniformly to the edge gateway.
Step 4, the edge gateway performs preliminary processing on the data transmitted by the terminal device, such as, but not limited to, simple preprocessing and cleaning, and forwards part of the important data, such as, but not limited to, data acquired by terminal sensors or data that may need privacy protection, to the cloud server for cooperative handling, such as, but not limited to, joint processing of the pre-processed data by the cloud and the edge gateway and cooperative completion of tasks.
Step 5, thereafter the cloud server and the edge gateway server process the data together in cloud-edge cooperation to realize intelligent services according to the specific scenario and deployment, such as, but not limited to, environmental monitoring and intelligent camera surveillance, and the authentication and key agreement of the terminal devices is managed uniformly by the edge gateway.
In this way massive numbers of IoT devices can be managed efficiently, the edge gateway provides the corresponding authentication and key agreement that protects the devices and their data, and cloud-edge cooperation processes the data jointly and provides intelligent services, truly realizing the interconnection of everything and promoting the development of the IoT.
The protocol designed by the invention mainly comprises a registration process and an authentication process: the registration process handles the identity identification and information registration of each newly accessing device, and the authentication process is the mutual identity authentication between the device and the edge gateway. Step 2 therefore includes the registration of a newly accessing terminal device, which, as shown in Fig. 2, proceeds as follows:
step 2.1, the device information, such as the device area number, device type number and device number, and a preset password PW are entered at the terminal device; the device-side registration program running on the terminal device generates a unique device identity ID from the device information, generates a random number N_i and computes the dynamic password C_i;
step 2.2, the terminal device saves ID, PW and C_i, and transmits C_i and ID through a secure channel to the registration server for checking and storage; the registration server is usually located at the edge gateway so that it can answer the gateway's information queries conveniently;
step 2.3, at the edge gateway, the registration server looks up the device identity ID; if the ID is already registered, the registered information is returned; if it is not registered, the server stores C_i and the device identity ID and returns registration-success information.
Step 3, the mutual authentication and key agreement between the terminal device and the edge gateway, specifically includes:
step 3.1, the terminal equipment and the edge gateway perform bidirectional authentication;
step 3.2, the terminal equipment and the edge gateway perform key negotiation exchange;
and 3.3, the terminal equipment and the edge gateway perform key negotiation verification.
The authentication process is based on identity identification and built around an improved one-time password authentication technique. The whole authentication procedure of the protocol is based on a hash function and provides mutual identity authentication, so it consumes few device resources and little communication and is both more secure and more efficient. As shown in Fig. 3, the mutual authentication between the terminal device and the edge gateway in step 3.1 specifically includes:
step 3.1.1, the device side initiates an identity authentication request to the edge gateway: it generates a random challenge number CN_i and a timestamp T_i and sends the device identity ID, the challenge CN_i and T_i to the edge gateway;
step 3.1.2, after receiving the message, the edge gateway checks whether the timestamp T_i is valid; if it is, the gateway checks whether the device identity ID is registered and sends failure information if it is not; if it is registered, the gateway looks up the corresponding C_i by ID, computes the response value R, generates a random number CN_{i+1}, and sends R and CN_{i+1} to the terminal device;
step 3.1.3, after receiving the message, the terminal device computes the expected response from its own C_i and CN_i and compares it with R; if they differ, it returns to step 3.1.1 and resends the authentication request; if they match, the edge gateway is authenticated. The terminal device then generates a random number N_{i+1}, computes the new password C_{i+1}, computes D_{i+1} = H(ID, C_{i+1}), computes the values a and b, and sends (a, b, ID) to the edge gateway;
step 3.1.4, after receiving the message, the edge gateway computes the corresponding values from a, b and its stored C_i and compares the result with D_{i+1}; if they differ, authentication fails; if they match, the device side is authenticated, the edge gateway updates the registration information database, replacing C_i with C_{i+1} to complete the password update, computes r = H(ID, D_{i+1}), and sends Success and r to the device as the gateway's second authentication proof;
step 3.1.5, after receiving r, the terminal device computes H(ID, D_{i+1}) and compares it with r; if they match, mutual authentication has passed, key agreement begins, and ak = D_{i+1} serves as the shared authentication material for the subsequent key agreement phase.
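The registration and mutual-authentication exchange of steps 2.1 to 2.3 and 3.1.1 to 3.1.5 above (the same steps are listed in the disclosure section), simulated end to end with both parties in one process. This is an added example, not code from the patent. The page does not reproduce the hash constructions, so the following are assumptions of the example: H is SHA-256 over the concatenated inputs, ID is derived by hashing the device information, C_i = H(ID, PW, N_i), R = H(C_i, CN_i), a and b are XOR masks of C_{i+1} and D_{i+1} under hashes of the old C_i and the two challenges, and the gateway accepts T_i within a 60-second window. The class, method and variable names are the example's own.

```python
import hashlib
import hmac
import secrets
import time


def H(*parts: bytes) -> bytes:
    """The protocol's hash H, instantiated as SHA-256 over the concatenated inputs (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


class Gateway:
    """Edge gateway: registration server (step 2) and authenticator (step 3.1)."""

    def __init__(self, window_s: int = 60):
        self.db = {}              # ID -> current dynamic password C_i (step 2.3)
        self.pending = {}         # ID -> (CN_i, CN_{i+1}) of an in-flight authentication
        self.window_s = window_s  # assumed freshness window for T_i

    def register(self, dev_id: bytes, c_i: bytes) -> str:
        if dev_id in self.db:
            return "already registered"
        self.db[dev_id] = c_i
        return "registration success"

    def auth_request(self, dev_id: bytes, cn_i: bytes, t_i: float):
        """Step 3.1.2: check T_i and ID, answer with R and a fresh CN_{i+1}."""
        if abs(time.time() - t_i) > self.window_s or dev_id not in self.db:
            return None                          # stale/replayed request or unknown device
        r_resp = H(self.db[dev_id], cn_i)        # response value R (construction assumed)
        cn_next = secrets.token_bytes(16)
        self.pending[dev_id] = (cn_i, cn_next)
        return r_resp, cn_next

    def auth_confirm(self, dev_id: bytes, a: bytes, b: bytes):
        """Step 3.1.4: unmask C_{i+1} and D_{i+1}, verify, rotate the password, return r."""
        if dev_id not in self.pending:
            return None
        c_i = self.db[dev_id]
        cn_i, cn_next = self.pending.pop(dev_id)
        c_next = xor(a, H(c_i, cn_next))         # a = C_{i+1} xor H(C_i, CN_{i+1})   (assumed)
        d_next = xor(b, H(c_i, cn_i, cn_next))   # b = D_{i+1} xor H(C_i, CN_i, CN_{i+1}) (assumed)
        if not hmac.compare_digest(H(dev_id, c_next), d_next):
            return None                          # D_{i+1} != H(ID, C_{i+1}): device rejected
        self.db[dev_id] = c_next                 # C_{i+1} replaces C_i
        return H(dev_id, d_next)                 # r = H(ID, D_{i+1}), the gateway's second proof


class Device:
    """IoT terminal device holding ID, PW and the current dynamic password C_i."""

    def __init__(self, area: bytes, dev_type: bytes, number: bytes, pw: bytes):
        self.dev_id = H(area, dev_type, number)[:8]             # ID from device info (assumed)
        self.pw = pw
        self.c = H(self.dev_id, pw, secrets.token_bytes(16))    # C_i = H(ID, PW, N_i) (assumed)
        self.ak = None                                          # set after step 3.1.5

    def register(self, gw: Gateway) -> str:
        return gw.register(self.dev_id, self.c)                 # step 2.2 (secure channel assumed)

    def authenticate(self, gw: Gateway, t_i: float = None) -> bool:
        cn_i = secrets.token_bytes(16)                          # step 3.1.1
        reply = gw.auth_request(self.dev_id, cn_i, time.time() if t_i is None else t_i)
        if reply is None:
            return False
        r_resp, cn_next = reply
        if not hmac.compare_digest(H(self.c, cn_i), r_resp):   # step 3.1.3: gateway knows C_i
            return False
        c_next = H(self.dev_id, self.pw, secrets.token_bytes(16))  # C_{i+1} from fresh N_{i+1}
        d_next = H(self.dev_id, c_next)                         # D_{i+1} = H(ID, C_{i+1})
        a = xor(c_next, H(self.c, cn_next))
        b = xor(d_next, H(self.c, cn_i, cn_next))
        r = gw.auth_confirm(self.dev_id, a, b)
        if r is None or not hmac.compare_digest(H(self.dev_id, d_next), r):  # step 3.1.5
            return False
        self.c, self.ak = c_next, d_next                        # commit after the gateway's proof
        return True


def run_demo() -> dict:
    """Constructed scenario: one registration, one successful run, one stale replay."""
    gw = Gateway()
    dev = Device(b"area01", b"type07", b"no0001", b"preset-pw")
    first = dev.register(gw)
    c_before = dev.c
    ok = dev.authenticate(gw)
    return {
        "registered": first,
        "auth_ok": ok,
        "password_rotated": dev.c != c_before,
        "db_in_sync": gw.db[dev.dev_id] == dev.c,
        "ak_is_D": dev.ak == H(dev.dev_id, dev.c),
        "stale_rejected": dev.authenticate(gw, t_i=time.time() - 3600) is False,
        "reregister": dev.register(gw),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points the page leaves open are worth checking before deploying a protocol of this shape. The password update is not atomic: the gateway replaces C_i in step 3.1.4 before it knows whether r reached the device, so a lost final message leaves the two sides holding different passwords and the device locked out until re-registration; a robust implementation keeps the previous C_i until the device's next request proves it holds C_{i+1}. And the timestamp check only narrows the replay window; it is the gateway-chosen CN_{i+1}, mixed into a and b, that actually binds the (a, b, ID) message to this run.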
The whole key agreement protocol first verifies the identity of both parties through the authentication protocol, then exchanges keys through the ECDH protocol to generate a temporary session key. The core of the key agreement protocol consists of two stages: agreement exchange and agreement verification.
The key agreement exchange is based on the ECDH key exchange algorithm, that is, DH combined with ECC, which completes the exchange of key material between the two parties over a public channel and generates a shared key. ECDH is more efficient than DH.
In the agreement verification stage, the shared authentication material generated in the identity authentication stage is combined with the shared key material generated in the key agreement exchange stage to authenticate the whole agreement. This ensures the reliability of the key agreement data exchange and effectively prevents man-in-the-middle attacks. As shown in Fig. 4, step 3.2, in which the terminal device and the edge gateway perform the key agreement exchange, specifically includes:
Step 3.2.1, the terminal device generates a random number $KN_i$ and a random integer $n_a$, calculates the keying material $KM_i = n_a G$, where G is the elliptic curve base point, and sends $KN_i$ and $KM_i$ to the edge gateway;
Step 3.2.2, the edge gateway generates a random number $KN_r$ and a random integer $n_b$, calculates the keying material $KM_r = n_b G$, and, after receiving the key material data of the device end, sends $KM_r$ and $KN_r$ to the terminal device.
Step 3.3, the key agreement verification of the terminal device and the edge gateway specifically includes:
Step 3.3.1, the terminal device and the edge gateway calculate the shared secret key $K = K_i = n_a \cdot KM_r = K_r = n_b \cdot KM_i$ and then calculate the temporary session key;
Step 3.3.2, the terminal device calculates the verification material $H_i$ and sends $H_i$ and ID to the edge gateway for verification;
Step 3.3.3, the edge gateway recomputes the verification material and compares it with $H_i$. If they differ, verification fails and the negotiation is performed again; if they are the same, verification passes, the edge gateway generates a random number $N_{id}$, calculates $H_r$, sends $N_{id}$ and $H_r$ to the terminal device, and enters the secure communication stage;
Step 3.3.4, the terminal device recomputes the verification material and compares it with $H_r$. If they differ, verification fails and the negotiation is performed again; if they are the same, verification passes and the terminal device enters the secure communication stage.
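The exchange and verification of steps 3.2 and 3.3 above, as an added example written for this page (not the patent's implementation); it also shows the agreement failing when the gateway's $KM_r$ is swapped on the public channel or when the peer lacks the correct ak, the man-in-the-middle case the text refers to. Assumptions, because the page leaves these formulas blank: secp256k1 as the curve, $SK = H(K_x, KN_i, KN_r)$ as the session-key derivation, and $H_i = H(ak, SK, ID, KN_i)$, $H_r = H(ak, SK, N_{id}, KN_r)$ as the verification materials.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters. The page only says "G is an elliptic curve
# base point", so the choice of curve is an assumption of this example.
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def ec_add(p1, p2):
    """Affine point addition on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (illustrative, not constant time)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def on_curve(pt):
    """Reject received keying material that is not a valid point on the curve."""
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0


def H(*parts):
    """The protocol's one-way hash H(...), here SHA-256 over length-prefixed parts."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class Party:
    """One side of the exchange. ak = D_{i+1} is the shared authentication
    material carried over from the identity authentication phase (step 3.1.5)."""

    def __init__(self, ak):
        self.ak = ak

    def keying_material(self):
        """Steps 3.2.1 / 3.2.2: random number KN and keying material KM = n*G."""
        self.kn = secrets.token_bytes(16)
        self.n = secrets.randbelow(N - 1) + 1
        self.km = ec_mul(self.n, G)
        return self.kn, self.km

    def session_key(self, peer_km, kn_i, kn_r):
        """Step 3.3.1: K = n*KM_peer, then SK = H(K.x, KN_i, KN_r) (assumed KDF)."""
        if not on_curve(peer_km):
            raise ValueError("peer keying material is not a point on the curve")
        k = ec_mul(self.n, peer_km)
        self.sk = H(k[0].to_bytes(32, "big"), kn_i, kn_r)
        return self.sk


def run_key_agreement(device_ak, gateway_ak, device_id, substitute_km_r=None):
    """Steps 3.2-3.3 between a terminal device and an edge gateway. Returns
    (SK_device, SK_gateway) when both verification hashes match, else None.
    substitute_km_r (constructed test input) simulates an attacker on the public
    channel replacing the gateway's KM_r before the device sees it."""
    device, gateway = Party(device_ak), Party(gateway_ak)
    kn_i, km_i = device.keying_material()            # 3.2.1 device -> gateway
    kn_r, km_r = gateway.keying_material()           # 3.2.2 gateway -> device
    seen_km_r = km_r if substitute_km_r is None else substitute_km_r
    sk_d = device.session_key(seen_km_r, kn_i, kn_r)  # 3.3.1 device side
    sk_g = gateway.session_key(km_i, kn_i, kn_r)      # 3.3.1 gateway side
    h_i = H(device.ak, sk_d, device_id, kn_i)         # 3.3.2 device -> gateway
    if not hmac.compare_digest(h_i, H(gateway.ak, sk_g, device_id, kn_i)):
        return None                                   # 3.3.3 mismatch: renegotiate
    n_id = secrets.token_bytes(16)
    h_r = H(gateway.ak, sk_g, n_id, kn_r)             # 3.3.3 gateway -> device
    if not hmac.compare_digest(h_r, H(device.ak, sk_d, n_id, kn_r)):
        return None                                   # 3.3.4 mismatch: renegotiate
    return sk_d, sk_g
```

A run with matching ak returns equal session keys on both sides, while a swapped $KM_r$ or a peer holding a different ak makes the first comparison (step 3.3.3) fail before any key is used.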
The beneficial effects of the invention at least include:
1. The cloud-edge-end cooperative authentication key agreement mechanism based on the edge gateway takes into account the huge load that massive IoT devices place on a cloud center, the problem of device management, the security of authentication and key agreement, task delay, resource occupation, and so on. The mechanism manages and controls IoT devices more efficiently and provides a secure and efficient authentication key agreement task.
2. In the protocol design, on the basis of ensuring protocol security and providing bidirectional identity authentication and key agreement, the invention has lower computing and storage overhead and is lighter and more efficient than related protocols.
3. The protocol designed by the invention does not need certificates or other management organizations, so it is more convenient to apply. Compared with related protocols, it also has higher security, excellent performance and low computing resource cost.
To more clearly describe the technical solution and the advantages of the present invention, an application example of the present invention is described below.
The test covers two stages: identity authentication and key agreement. The edge gateway server side is started first, then the device client side. The device side initiates a connection to the edge server side and starts identity authentication.
In the first stage, the client sends the ID and the challenge random number; in the second stage, the server calculates the Ahash and the random challenge number, and the client compares and verifies the received server information. In the third stage, the client sends the dynamically updated password-related materials a and b to the server, and the server obtains the new password by calculation and verifies it at the same time. In the last stage, both sides verify the rhash and complete bidirectional identity authentication.
The key agreement module is entered after the identity authentication module passes, and realizes key agreement between the device end and the edge gateway. It consists of two stages: the first stage exchanges key material based on the ECDH algorithm, and the second stage verifies the agreement and completes the whole key agreement process.
In the first stage, both parties generate random numbers (randnum) and key materials (random large integers), then exchange this data, and each party calculates the Session ID (the key obtained by the ECDH algorithm). In the second stage, both parties calculate a hash value and verify it, and the key agreement module completes the negotiation.
The system realizes the identity authentication and key agreement function between the device end and the edge gateway server end according to the protocol designed by the invention. Through authentication key agreement the two parties obtain the session key for subsequent secure communication, which protects the security of the device's data transmission.
The protocol works well in application and is lighter and more secure than other protocols. The whole authentication and key agreement task has high efficiency and performance and is well suited to resource-constrained devices in IoT environments. The performance is shown in Table 1 below, where $T_{PM}$ is the time of one elliptic curve scalar multiplication, $T_{PA}$ the time of one elliptic curve point addition, $T_{HP}$ the time of one hash-to-point mapping, $T_H$ the time of one one-way hash function, $T_I$ the time of one modular inverse operation, and $T_{SE}$ the time of one symmetric encryption or decryption (AES).
TABLE 1 protocol Performance comparison
In summary, compared with other protocol algorithms, the lightweight security key agreement protocol based on the internet of things has better comprehensive performance, is suitable for device information transmission in the scene facing the internet of things, and can better provide communication security guarantee for resource-limited devices.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.
Claims (8)
1. A lightweight Internet of things security key negotiation method based on edge calculation is characterized by comprising the following steps:
step 1, the cloud server performs bidirectional authentication on an edge gateway, after the authentication is passed, the edge gateway is authorized, the edge gateway obtains authentication key negotiation authority for terminal equipment, meanwhile, identity information of the edge gateway is stored in a cloud database, and an authentication key negotiation task is transferred by the cloud server;
step 2, after the edge gateway obtains the authority through the cloud server authentication, receiving an authentication key negotiation task transferred by a corresponding cloud server, and starting to take charge of the safety authentication and management of the terminal equipment in the edge gateway local area network;
step 3, the terminal equipment accesses the Internet of things, the terminal equipment and the edge gateway perform bidirectional authentication and key agreement, after the authentication key agreement is passed, the terminal equipment and the edge gateway construct a safety channel to perform encryption protection on subsequent transmission data, and perform data transmission to the edge gateway;
step 4, the edge gateway performs primary processing on data transmitted by the terminal equipment, and partial data and the cloud are coordinated and transmitted to a cloud server;
step 5, the cloud server and the edge gateway process the data together, and the authentication key agreement of the terminal equipment is uniformly managed by the edge gateway.
2. The lightweight internet of things security key agreement method based on edge computing according to claim 1, characterized in that:
step 2, registering the new network access terminal equipment, wherein the registering process comprises the following steps:
step 2.1, the relevant device information and a preset password PW are entered at the terminal device; the device end of the registration system generates a unique device identity ID from the device information, generates a random number $N_i$ and calculates the password $C_i$;
step 2.2, the terminal device saves ID, PW and $C_i$, and $C_i$ and the ID are transmitted to a registration server through a secure channel for checking and storage;
step 2.3, at the edge gateway, the registration server queries by the device identity ID; if the device identity ID is already registered, the registered information is returned; if the device identity ID is not registered, the server side stores $C_i$ and the device identity ID and returns registration success information.
3. The lightweight internet of things security key agreement method based on edge computing according to claim 2, characterized in that:
the device information includes: device area number, device type number, and device number.
4. The lightweight internet of things security key agreement method based on edge computing according to any one of claims 1 to 3, characterized in that:
the step 3 of performing bidirectional authentication and key agreement between the terminal device and the edge gateway specifically includes:
step 3.1, the terminal equipment and the edge gateway perform bidirectional authentication;
step 3.2, the terminal equipment and the edge gateway perform key negotiation exchange;
step 3.3, the terminal equipment and the edge gateway perform key negotiation verification.
5. The lightweight internet of things security key agreement method based on edge computing according to claim 4, characterized in that:
step 3.1, the bidirectional authentication between the terminal device and the edge gateway specifically comprises the following steps:
step 3.1.1, the device end initiates an identity authentication request to the edge gateway, generates a random challenge number $CN_i$ and a timestamp $T_i$, and sends the device identity ID and the random challenge number $CN_i$ to the edge gateway;
step 3.1.2, after receiving the message, the edge gateway judges whether the timestamp $T_i$ is valid; if valid, it verifies according to the device identity ID whether the device is registered, and sends failure information if it is not registered; if registered, it looks up the corresponding $C_i$ according to the device identity ID, calculates the response value R, generates a random number $CN_{i+1}$, and sends R and $CN_{i+1}$ to the terminal device;
step 3.1.3, after receiving the message, the terminal device recomputes the response value and compares it with R. If they differ, it returns to step 3.1.1 and resends the authentication request; if they are the same, the edge gateway is successfully authenticated. After the edge gateway has been authenticated, the terminal device generates a random number $N_{i+1}$, calculates a new password $C_{i+1}$, calculates $D_{i+1} = H(ID, C_{i+1})$, calculates a and b, and sends (a, b, ID) to the edge gateway;
step 3.1.4, after receiving the message, the edge gateway performs the corresponding calculations and compares the result with $D_{i+1}$. If they differ, the authentication fails; if they are the same, the device end is successfully authenticated, the edge gateway updates the registration information database, replacing $C_i$ with $C_{i+1}$ to complete the password update, computes $r = H(ID, D_{i+1})$, and sends Success and r to the terminal device to provide secondary authentication of the edge gateway;
6. The lightweight internet of things security key agreement method based on edge computing according to claim 5, characterized in that:
step 3.2, the terminal equipment and the edge gateway use an ECDH key exchange algorithm to carry out key negotiation exchange.
7. The lightweight internet of things security key agreement method based on edge computing according to claim 5, characterized in that:
step 3.2, the key negotiation exchange between the terminal device and the edge gateway specifically includes:
step 3.2.1, the terminal device generates a random number $KN_i$ and a random integer $n_a$, calculates the keying material $KM_i = n_a G$, where G is the elliptic curve base point, and sends $KN_i$ and $KM_i$ to the edge gateway;
step 3.2.2, the edge gateway generates a random number $KN_r$ and a random integer $n_b$, calculates the keying material $KM_r = n_b G$, and, after receiving the key material data of the device end, sends $KM_r$ and $KN_r$ to the terminal device.
8. The lightweight internet of things security key agreement method based on edge computing according to claim 6, characterized in that:
step 3.3, the key agreement verification of the terminal device and the edge gateway specifically includes:
step 3.3.1, the terminal device and the edge gateway calculate the shared secret key $K = K_i = n_a \cdot KM_r = K_r = n_b \cdot KM_i$ and then calculate the temporary session key;
step 3.3.2, the terminal device calculates the verification material $H_i$ and sends $H_i$ and ID to the edge gateway for verification;
step 3.3.3, the edge gateway recomputes the verification material and compares it with $H_i$. If they differ, verification fails and the negotiation is performed again; if they are the same, verification passes, the edge gateway generates a random number $N_{id}$, calculates $H_r$, sends $N_{id}$ and $H_r$ to the terminal device, and enters the secure communication stage;
step 3.3.4, the terminal device recomputes the verification material and compares it with $H_r$. If they differ, verification fails and the negotiation is performed again; if they are the same, verification passes and the terminal device enters the secure communication stage.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010806877.5A CN112073379B (en) | 2020-08-12 | 2020-08-12 | Lightweight Internet of things security key negotiation method based on edge calculation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112073379A true CN112073379A (en) | 2020-12-11 |
CN112073379B CN112073379B (en) | 2022-11-11 |
Family
ID=73661225
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010806877.5A Active CN112073379B (en) | 2020-08-12 | 2020-08-12 | Lightweight Internet of things security key negotiation method based on edge calculation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112073379B (en) |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107919956A (en) * | 2018-01-04 | 2018-04-17 | Chongqing University of Posts and Telecommunications | End-to-end protection method in an IoT-oriented cloud environment |
CN110995432A (en) * | 2020-03-05 | 2020-04-10 | Hangzhou Byte IoT Security Technology Co., Ltd. (杭州字节物联安全技术有限公司) | Internet of things sensing node authentication method based on edge gateway |
Non-Patent Citations (1)
Title |
---|
Lu Yang: "Research and Implementation of Trusted Authentication and Automatic Access Technology for IoT Terminals", China Master's Theses Full-text Database, Information Science and Technology series * |
Also Published As
Publication number | Publication date |
---|---|
CN112073379B (en) | 2022-11-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||