CN112291230A - Data security authentication transmission method and device for terminal of Internet of things - Google Patents


Info

Publication number: CN112291230A
Application number: CN202011154082.7A
Authority: CN (China)
Legal status: Granted, active
Other languages: Chinese (zh)
Other versions: CN112291230B (en)
Prior art keywords: internet, terminal, things, key, identification
Inventors: 苟智雄, 徐常星, 邢更力, 肖瑞林, 刁冯博, 赵俊博, 关博健
Current Assignee: First Research Institute of Ministry of Public Security
Original Assignee: First Research Institute of Ministry of Public Security
Application filed by: First Research Institute of Ministry of Public Security
Priority: CN202011154082.7A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y10/00 Economic sectors
    • G16Y10/75 Information technology; Communication
    • G16Y40/00 IoT characterised by the purpose of the information processing
    • G16Y40/50 Safety; Security of things, users, data or systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data security authentication transmission method and device for an Internet of things terminal. The method comprises the following steps: presetting an identification key pair in the Internet of things terminal at the factory and presetting a corresponding public key matrix in an edge gateway; completing bidirectional authentication between the Internet of things terminal and the edge gateway according to the identification key pair preset in the terminal and the public key matrix preset in the edge gateway, and obtaining a communication encryption/decryption key; and encrypting and decrypting the data transmitted between the Internet of things terminal and the edge gateway by using the communication encryption/decryption key. This effectively addresses the situation in which traditional security means struggle to meet the requirements of Internet of things scenarios. Through a lightweight authentication system, a key management system that is based on public key cryptography and applicable to Internet of things terminals is constructed; no online third-party support is needed, large-scale key generation is convenient, authentication efficiency is high, the authentication flow is simple, and the cryptographic protocol and cryptographic module are implemented on the basis of national cryptographic algorithms, thereby realizing interactive authentication and data encryption for Internet of things terminals.

Description

Data security authentication transmission method and device for terminal of Internet of things
Technical Field
The invention relates to a data security authentication transmission method for an Internet of things terminal, and also relates to a corresponding data security authentication transmission device, belonging to the technical field of network security.
Background
With the gradual deployment of large numbers of Internet of things terminals, ubiquitous terminal equipment is connected to Internet of things networks, which poses a great threat to security systems built on traditional boundary security means. In the overall construction of the Internet of things, equipment can be divided into a perception layer, a network layer, a platform layer and an application layer. At present, mainstream security vendors at home and abroad have relatively mature and complete integrated solutions for network security, cloud security, data security and application security, which correspond to the network layer, the platform layer and the application layer, so the weakest point in security capability lies in the Internet of things terminals of the perception layer.
The security problems of Internet of things terminals mainly show as capability gaps in three respects: the lack of an identity system, unprotected interactive data, and insufficient security protection of the device itself. As a result, the terminal faces risks such as the device being reverse-engineered, hijacked, counterfeited or infected, data being stolen, tampered with or forged, and the terminal equipment supply chain being attacked. In business terms, the questions are whether the source, destination and content of collected data are credible, whether the source, destination and content of control signaling are credible, and whether the terminal equipment is controllable. For the system, there are three levels of security crisis: first, errors in collected data, particularly large-scale and long-term errors, lead to wrong data analysis and decision bases and directly affect the operation of the service system; second, deviations in the execution of control instructions, where the right party issues a wrong instruction or a correct instruction is executed wrongly, that is, a decision is carried out incorrectly; and third, terminal equipment is compromised, especially in the supply chain, where a targeted break of some equipment followed by large-scale copying leads to the whole batch of equipment being compromised.
The traditional identity authentication method is an authentication system implemented mainly based on Public Key Infrastructure (PKI) technology. The identity authentication realized by adopting the PKI technology has the following problems:
(1) The method mainly targets security authentication between an upper computer and a service background; it can be applied to authentication between the gateway and the background, but is not suitable for security authentication between the Internet of things terminal and the gateway.
(2) Because public key generation in PKI technology is not large-scale, uniformly issuing certificates to massive numbers of Internet of things terminals with various communication protocols is difficult in practice.
(3) The certificate directory needs to run online, with public keys stored in directory form in an online directory library; the maintenance workload is large, and the requirement that the Internet of things terminal authenticate offline with the gateway cannot be met.
(4) Authentication reliability relies on a trusted third party Certificate Authority (CA) Certificate chain, limiting authentication flexibility.
Disclosure of Invention
The invention aims to provide a data security authentication transmission method for an Internet of things terminal.
Another technical problem to be solved by the present invention is to provide a data security authentication transmission device for an internet of things terminal.
In order to achieve the purpose, the invention adopts the following technical scheme:
According to a first aspect of the embodiments of the present invention, a data security authentication transmission method for an Internet of things terminal is provided, which includes the following steps:
presetting an identification key pair in the Internet of things terminal at the factory, and presetting a corresponding public key matrix in an edge gateway;
completing bidirectional authentication between the Internet of things terminal and the edge gateway according to the identification key pair preset in the terminal and the public key matrix preset in the edge gateway, and obtaining a communication encryption/decryption key;
and encrypting and decrypting the data transmitted between the Internet of things terminal and the edge gateway by using the communication encryption/decryption key.
Preferably, presetting the identification key pair in the Internet of things terminal at the factory comprises the following steps:
burning a dedicated COS (chip operating system) onto the Internet of things terminal, and writing the device identification ID of the Internet of things terminal in the upper computer software;
sending a request command for generating a temporary key pair to the Internet of things terminal, so that the terminal generates a temporary key pair in response to the request command and feeds back a response data packet, wherein the response data packet comprises a signature value of the device identification ID and the temporary public key;
sending the response data packet and the device identification ID to a trusted background and applying to download an identification key pair, so that after the trusted background verifies the signature successfully, a key envelope is generated and fed back to the upper computer software;
and sending a command to import the key envelope to the Internet of things terminal, so that the terminal obtains the identification public key and decrypts the identification private key.
Preferably, the trusted background checks the signature value of the device identifier ID in the response packet, and if the signature check is successful, the identification key pair of the internet of things terminal is calculated according to the device identifier ID.
Preferably, the trusted background encrypts and packages the identification key pair of the terminal of the internet of things in a digital envelope by using the temporary public key in the response data packet to obtain a key envelope.
Preferably, the internet of things terminal decrypts the symmetric key ciphertext by using the temporary private key to obtain a symmetric key, and decrypts the encrypted identification private key by using the symmetric key.
Preferably, when the one-way authentication from the terminal of the internet of things to the edge gateway is completed, the method comprises the following steps:
receiving an authentication data packet which is sent by the terminal of the Internet of things and signed by using an identification private key, wherein the authentication data packet comprises a signature value, an equipment Identification (ID) and a first random number;
and calculating a corresponding identification public key by using a built-in public key matrix according to the equipment identification ID, checking the signature of the authentication data packet by using the identification public key, and generating a second random number after the signature is checked successfully.
Preferably, the terminal of the internet of things generates the first random number by using a pseudo random number generation function or calling a true random number unit in other security modules.
Preferably, when the one-way authentication from the edge gateway to the terminal of the internet of things is completed, the method comprises the following steps:
receiving a ciphertext encrypted by the edge gateway by using the identification public key, wherein the ciphertext comprises a second random number;
and decrypting the received ciphertext by using the identification private key, and obtaining the second random number as a communication encryption/decryption key after the received ciphertext is successfully decrypted.
Preferably, one of the Internet of things terminal and the edge gateway encrypts the transmission data with the communication encryption key using the symmetric encryption algorithm SM4 or SM1, and the other of the two decrypts the received encrypted transmission data with the communication decryption key using the symmetric encryption algorithm SM4 or SM1.
According to a second aspect of the embodiments of the present invention, there is provided a data security authentication transmission apparatus for an internet of things terminal, including a processor and a memory, where the processor reads a computer program or an instruction in the memory to perform the following operations:
presetting an identification key pair in the Internet of things terminal at the factory, and presetting a corresponding public key matrix in an edge gateway;
completing bidirectional authentication between the Internet of things terminal and the edge gateway according to the identification key pair preset in the terminal and the public key matrix preset in the edge gateway, and obtaining a communication encryption/decryption key;
and encrypting and decrypting the data transmitted between the Internet of things terminal and the edge gateway by using the communication encryption/decryption key.
The data security authentication transmission method and device for the Internet of things terminal are suitable for various end-to-end authentications. During secure interactive authentication of the Internet of things terminal, an identification key pair with the ECC encryption key structure, preset in the terminal, is used, which reduces the consumption of the terminal's storage resources and of bandwidth during transmission. The invention also effectively solves the problem that traditional security means struggle to cover the requirements of Internet of things scenarios. Through a lightweight authentication system, a key management system that is based on public key cryptography and applicable to Internet of things terminals is constructed; the authentication process needs no online third-party support, large-scale key generation is convenient, authentication efficiency is high, the authentication flow is simple, and the cryptographic protocol and cryptographic module are implemented on the basis of national cryptographic algorithms, thereby realizing interactive authentication and data encryption for Internet of things terminals.
Drawings
Fig. 1 is a flowchart of a data security authentication transmission method for an internet of things terminal according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of security authentication and encryption/decryption communication between an Internet of things terminal and an edge gateway in the data security authentication transmission method for the Internet of things terminal according to the embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a data security authentication transmission device for an Internet of things terminal according to an embodiment of the present invention.
Detailed Description
The technical contents of the present invention will be further described in detail with reference to the accompanying drawings and specific embodiments.
In order to make the present invention better understood by those skilled in the art, some technical terms appearing in the embodiments of the present invention are explained below:
Upper computer software "preset key tool": a specially customized production tool for presetting keys on client devices in a batched, automated and graphical manner. The tool itself is an exe executable client program.
CPK: Combined Public Key, a combined public key authentication technology.
SM2: an asymmetric cryptographic algorithm published by the national cryptographic authority, which became a national cryptographic industry standard in 2012.
SM4: a symmetric cryptographic algorithm published by the national cryptographic authority, which became a national cryptographic industry standard in 2012.
In order to implement the interactive authentication and encrypted communication between the terminal of the internet of things and the edge gateway, as shown in fig. 1 and 2, an embodiment of the present invention provides a data security authentication transmission method for the terminal of the internet of things, including the following steps:
Step S1, presetting an identification key pair in the Internet of things terminal at the factory, and presetting a corresponding public key matrix in the edge gateway.
Each Internet of things terminal has a corresponding device identification ID when it leaves the factory. The device identification ID is typically a fixed-length, structured character sequence that combines information such as device model, specification, batch, manufacturing plant code and serial number. Using the upper computer software "preset key tool", an identification key pair is preset for the Internet of things terminal according to the device identification ID. The successfully preset identification key pair is the device key pair that finally belongs to the terminal; it is used for device authentication and key agreement in the subsequent bidirectional authentication and communication encryption between the terminal and the edge gateway, specifically for signature verification and for encrypting and decrypting transmitted data.
With the upper computer software "preset key tool" as the executing entity, presetting the identification key pair in the Internet of things terminal at the factory comprises the following steps:
Step S11, burning the dedicated COS onto the Internet of things terminal, and writing the device identification ID of the terminal in the upper computer software "preset key tool".
Data is written to and read from the Internet of things terminal through a serial port. The preset key tool runs on an upper computer, and the terminal and the upper computer are connected by a USB-to-serial adapter cable. The dedicated COS (Chip Operating System) is burned, through the upper computer software "preset key tool", onto a security chip or another form of cryptographic module in the terminal, and is used to respond to the various commands sent by the tool and execute the corresponding operations. Meanwhile, the device identification ID of the terminal is written in the upper computer software "preset key tool".
Step S12, sending a request command for generating a temporary key pair to the terminal of the internet of things, so that the terminal of the internet of things responds to the request command to generate a temporary key pair, and feeding back a response data packet, where the response data packet includes a signature value of the device identification ID and the temporary public key.
When the upper computer software "preset key tool" sends the request command for generating a temporary key pair to the Internet of things terminal, the terminal receives and responds to the command through the dedicated COS, and generates a temporary key pair, comprising a temporary public key and a temporary private key, through the security chip or other form of cryptographic module in the terminal. Meanwhile, the terminal signs its own device identification ID, and packs the signature value of the device identification ID and the temporary public key into a response data packet that is fed back to the upper computer software "preset key tool".
Step S13, sending the response data packet and the device identification ID to the trusted background and applying to download the identification key pair, so that after the trusted background verifies the signature successfully, a key envelope is generated and fed back to the upper computer software "preset key tool".
After receiving the response data packet sent by the Internet of things terminal, the upper computer software "preset key tool" sends the response data packet and the device identification ID of the terminal to the trusted background, and applies to the trusted background to download an identification key pair. The trusted background verifies the signature value of the device identification ID in the response data packet sent by the tool. If the signature verification succeeds, the trusted background calculates the identification key pair of the terminal, comprising an identification private key and an identification public key, according to the device identification ID. The trusted background then uses the temporary public key in the response data packet to encrypt and package the identification key pair in a digital envelope, namely the key envelope, and feeds the key envelope back to the upper computer software "preset key tool". The trusted background is a platform that provides key services and management services.
The data structure in the key envelope adopts the ECC (Elliptic Curve Cryptography) encryption key pair protection structure (see the standard GM/T 0016-2012), shown in the following figure:
[Figure: ECC encryption key pair protection structure; image not reproduced]
Step S14, sending a command to import the key envelope to the Internet of things terminal, so that the terminal obtains the identification public key and decrypts the identification private key.
The Internet of things terminal receives the command to import the key envelope sent by the upper computer software "preset key tool", decrypts the symmetric key ciphertext with the temporary private key to obtain a symmetric key, and decrypts the encrypted identification private key with the symmetric key; the identification public key is carried directly in the key envelope. This completes the factory presetting of the identification key pair in the Internet of things terminal, and the identification key pair is stored in a FLASH chip of the terminal.
The data structure of the identification public key adopts the ECC encryption public key structure (see the standard GM/T 0016-2012), shown in the following figure:
[Figure: ECC encryption public key structure; image not reproduced]
The data structure of the identification private key adopts the ECC encryption private key structure (see the standard GM/T 0016-2012), shown in the following figure:
[Figure: ECC encryption private key structure; image not reproduced]
The advantage of the ECC encryption public and private key structure is that, at the same algorithm security strength, its key length is far smaller than that of an RSA encryption key. The shorter key length directly improves calculation efficiency and reduces resource consumption; in addition, at the same key strength, ECC key generation, encryption, signature and decryption are all faster than with RSA keys.
When the edge gateway is preset with the corresponding public key matrix, the public key matrix can be a self-defined vdk-format file that is stored securely as a file in the gateway system; the file name of the public key matrix is generally pub. A program for calculating the public key matrix is also burned into the gateway system, to calculate the public key matrix corresponding to the Internet of things terminal.
The public key matrix is constructed using the CPK key matrix construction principle. The matrix is not universal: different products, batches and use scenarios can use different parameters to generate different public key matrices as needed, but the public key matrix is fixed in any specific use.
The process of constructing the public key matrix by using the CPK key matrix construction principle is as follows:
In the CPK key system, given a set of elliptic curve parameters T = (a, b, G, n, p), a public-private key matrix can be established. Under this set of parameters, m elements are arbitrarily chosen:
X1 = i1*G = (x1, y1)
X2 = i2*G = (x2, y2)
……
Xm = im*G = (xm, ym)
(X1, i1), (X2, i2), …… (Xm, im) are m public and private key pairs. In each pair, the first element X can be used as the public key and the second element i as the private key. The elliptic curve parameter G is the key to the public and private keys; when CPK is used, the base point G needs to be specially stored and must not be revealed.
Step S2: complete the mutual authentication of the Internet of Things terminal and the edge gateway according to the identification key pair preset on the terminal and the public key matrix preset on the edge gateway, and obtain a communication encryption/decryption key.
The one-way authentication from the Internet of Things terminal to the edge gateway takes the edge gateway as the executing entity and comprises the following steps:
Step S21: receive an authentication data packet sent by the Internet of Things terminal and signed with the identification private key, wherein the authentication data packet comprises a signature value, a device identification ID and a first random number.
The Internet of Things terminal can use a pseudo-random number generation function, or call a true random number unit in another security module, to generate a first random number SK1. It then uses the preset identification private key to sign the device identification ID and the first random number SK1 as the original text, and forms an authentication data packet from the signature value, the device identification ID and the first random number. The Internet of Things terminal acts as a client and is connected to the edge gateway server in a local area network through a network cable. After the connection succeeds, it initiates a bidirectional authentication request and sends the authentication data packet to the edge gateway server over TCP/IP.
Step S22: calculate the corresponding identification public key from the device identification ID using the built-in public key matrix, verify the signature of the authentication data packet with the identification public key, and generate a second random number after the signature is verified successfully.
The edge gateway performs the corresponding operation on the device identification ID using the CPK key generation principle and then maps the result onto the public key matrix built into the edge gateway to generate the identification public key. This public key is used to verify the signature value, the device identification ID and the first random number SK1 in the authentication data packet sent by the Internet of Things terminal, and a second random number SK2 is generated after the verification succeeds.
The one-way authentication from the edge gateway to the Internet of Things terminal takes the Internet of Things terminal as the executing entity and comprises the following steps:
Step S23: receive the ciphertext encrypted by the edge gateway using the identification public key, wherein the ciphertext comprises the second random number.
The edge gateway encrypts the second random number SK2 generated in step S22 using the identification public key, and sends the ciphertext to the corresponding Internet of Things terminal.
Step S24: decrypt the received ciphertext using the identification private key; successful decryption yields the second random number SK2, which is used as the communication encryption/decryption key.
The Internet of Things terminal decrypts the received ciphertext sent by the edge gateway, and if the decryption succeeds, the one-way authentication from the edge gateway to the Internet of Things terminal is complete.
Step S3: complete the encryption and decryption of data transmitted between the Internet of Things terminal and the edge gateway using the communication encryption/decryption key.
During encrypted data transmission between the Internet of Things terminal and the edge gateway, one of the two parties receives transmission data that the other party encrypted with the communication encryption key, decrypts it with the communication decryption key, and after decryption responds according to the service logic.
One of the Internet of Things terminal and the edge gateway encrypts the transmission data with the communication encryption key using the symmetric encryption algorithm SM4 or SM1; the other party decrypts the encrypted transmission data with the communication decryption key using the symmetric encryption algorithm SM4 or SM1.
For example, the Internet of Things terminal is a power distribution terminal in an electric power system, and the edge gateway is a remote monitoring control gateway located in a power distribution room. The power distribution terminal here is a power distribution switch monitoring terminal (FTU for short). The FTU provides remote control, telemetry, remote signaling and fault detection. It communicates with the distribution automation master station and reports the operating condition of the distribution system and the parameters required for monitoring and control, including switch state, electric energy parameters, phase-to-phase faults, ground faults and parameters during faults. It also executes commands issued by the distribution master station, adjusts and controls the distribution equipment, and implements functions such as fault location, fault isolation and rapid restoration of power supply to non-fault areas.
The remote monitoring control gateway generally covers power distribution room equipment state monitoring, environment monitoring, security monitoring and equipment linkage control; it reports the related information to a superior unit and receives commands issued by the superior unit. The edge gateway can use a high-end ARM CPU (central processing unit) with strong edge computing capability and run a Linux system. It provides a rich set of industrial application interfaces and acquisition and control ports, such as LAN (local area network) ports, WAN (wide area network) ports, RS232, RS485 and serial ports, which makes it convenient to connect the instruments, sensors, cameras and other devices in the power distribution room.
The power distribution terminal is connected with the power distribution room monitoring gateway through a network cable. The connection model of the power distribution room monitoring gateway and the power distribution terminal is a client/server (C/S) model.
If the power distribution terminal detects a ground fault, the state needs to be sent to a service platform of a superior unit through the remote monitoring control gateway. The encrypted sending process is as follows:
The power distribution terminal encrypts the fault information with the communication encryption key SK2 using the symmetric encryption algorithm SM4 or SM1, packages the encrypted information in a given command format and sends it over the network. After the edge gateway server receives the encrypted information, it decrypts the fault information with the communication decryption key SK2 using the symmetric encryption algorithm SM4 or SM1, and after decryption responds according to the service logic. That is, the ground fault detected by the power distribution terminal is sent on to the service platform of the superior unit for further processing.
In addition, as shown in fig. 3, an embodiment of the present invention further provides a data security authentication transmission device for an internet of things terminal, which includes a processor 32 and a memory 31, and may further include a communication component, a sensor component, a power component, a multimedia component, and an input/output interface according to actual needs. The memory, communication components, sensor components, power components, multimedia components, and input/output interfaces are all connected to the processor 32. As mentioned above, the memory 31 may be a Static Random Access Memory (SRAM), an Electrically Erasable Programmable Read Only Memory (EEPROM), an Erasable Programmable Read Only Memory (EPROM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), a magnetic memory, a flash memory, etc.; the processor 32 may be a Central Processing Unit (CPU), Graphics Processing Unit (GPU), Field Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC), Digital Signal Processing (DSP) chip, or the like. Other communication components, sensor components, power components, multimedia components, etc. may be implemented using common components found in existing smartphones and are not specifically described herein.
In addition, the data security authentication transmission apparatus for the terminal of the Internet of Things provided by the embodiment of the present invention includes a processor 32 and a memory 31, where the processor 32 reads a computer program or an instruction in the memory 31 to perform the following operations:
Presetting an identification key pair on the Internet of Things terminal at the factory and presetting a corresponding public key matrix on the edge gateway, respectively.
Completing the bidirectional authentication of the Internet of Things terminal and the edge gateway according to the identification key pair preset on the terminal and the public key matrix preset on the edge gateway, and obtaining a communication encryption/decryption key.
Completing the encryption and decryption of the data transmitted between the Internet of Things terminal and the edge gateway using the communication encryption/decryption key.
The data security authentication transmission method and device for the Internet of Things terminal are suitable for various end-to-end authentications. In the security interaction authentication of the Internet of Things terminal, the identification key pair preset on the terminal has an ECC key structure, which reduces the consumption of the terminal's storage resources and of bandwidth during transmission. The invention also effectively addresses the problem that traditional security measures have difficulty covering the requirements of Internet of Things scenarios. A lightweight authentication system is used to construct a key management system that is based on public key cryptography and can be applied to Internet of Things terminals. The authentication process needs no online support from a third party, large-scale key generation is convenient, authentication efficiency is high and the authentication flow is simple. The cryptographic protocol and cryptographic module are implemented on the basis of national cryptographic algorithms, so that interactive authentication and data encryption of the Internet of Things terminal are realized.
The data security authentication transmission method and device for the internet of things terminal provided by the invention are described in detail above. It will be apparent to those skilled in the art that various modifications can be made without departing from the spirit of the invention.

Claims (10)

1. A data security authentication transmission method for an Internet of things terminal is characterized by comprising the following steps:
respectively presetting an identification key pair at the factory of the terminal of the Internet of things and presetting a corresponding public key matrix at an edge gateway;
according to an identification key pair preset by the Internet of things terminal and a public key matrix preset by the edge gateway, completing bidirectional authentication of the Internet of things terminal and the edge gateway, and obtaining a communication encryption/decryption key;
and the encryption and decryption of the data transmitted between the terminal of the Internet of things and the edge gateway are completed by using the communication encryption/decryption key.
2. The data security authentication transmission method for the terminal of the internet of things according to claim 1, wherein:
presetting the identification key pair at the factory of the Internet of things terminal comprises the following steps:
burning a special COS (chip operating system) to the terminal of the Internet of things, and simultaneously writing an equipment identifier ID (identity) of the terminal of the Internet of things in the upper computer software;
sending a request command for generating a temporary key pair to the terminal of the Internet of things so that the terminal of the Internet of things responds to the request command to generate a temporary key pair, and feeding back a response data packet, wherein the response data packet comprises a signature value of the equipment identification ID and a temporary public key;
sending the response data packet and the equipment identification ID to a trusted background, and applying for downloading an identification key pair, so that a key envelope is generated and fed back to upper computer software after the signature verification of the trusted background is successful;
and sending a command of importing a key envelope to the Internet of things terminal so that the Internet of things terminal obtains the identification public key and decrypts the identification private key.
3. The data security authentication transmission method for the terminal of the internet of things according to claim 2, wherein:
and the trusted background checks the signature value of the equipment identification ID in the response data packet, and if the signature is successfully checked, the identification key pair of the Internet of things terminal is calculated according to the equipment identification ID.
4. The data security authentication transmission method for the terminal of the internet of things according to claim 3, wherein:
and the trusted background encrypts and packages the identification key pair of the Internet of things terminal in a digital envelope by using the temporary public key in the response data packet to obtain a key envelope.
5. The data security authentication transmission method for the terminal of the internet of things according to claim 2, wherein:
and the Internet of things terminal decrypts the symmetric key ciphertext by using the temporary private key to obtain a symmetric key, and decrypts the encrypted identification private key by using the symmetric key.
6. The data security authentication transmission method for the terminal of the internet of things according to claim 1, wherein:
when the one-way authentication from the terminal of the Internet of things to the edge gateway is completed, the method comprises the following steps:
receiving an authentication data packet which is sent by the terminal of the Internet of things and signed by using an identification private key, wherein the authentication data packet comprises a signature value, an equipment Identification (ID) and a first random number;
and calculating a corresponding identification public key by using a built-in public key matrix according to the equipment identification ID, checking the signature of the authentication data packet by using the identification public key, and generating a second random number after the signature is checked successfully.
7. The data security authentication transmission method for the terminal of the internet of things according to claim 6, wherein:
and the terminal of the Internet of things generates the first random number by using a pseudo random number generation function or calling a true random number unit in other security modules.
8. The data security authentication transmission method for the terminal of the internet of things according to claim 1, wherein:
when the one-way authentication from the edge gateway to the terminal of the Internet of things is completed, the method comprises the following steps:
receiving a ciphertext encrypted by the edge gateway by using the identification public key, wherein the ciphertext comprises a second random number;
and decrypting the received ciphertext by using the identification private key, and obtaining the second random number as a communication encryption/decryption key after the received ciphertext is successfully decrypted.
9. The data security authentication transmission method for the terminal of the internet of things according to claim 1, wherein:
one of the terminal of the internet of things and the edge gateway encrypts transmission data through a symmetric encryption algorithm SM4 or SM1 by using a communication encryption key, and the other of the terminal of the internet of things and the edge gateway decrypts the transmitted encrypted transmission data through the symmetric encryption algorithm SM4 or SM1 by using a communication decryption key.
10. A data security authentication transmission apparatus for an internet of things terminal, comprising a processor and a memory, wherein the processor reads a computer program or an instruction in the memory to perform the following operations:
respectively presetting an identification key pair at the factory of the terminal of the Internet of things and presetting a corresponding public key matrix at an edge gateway;
according to an identification key pair preset by the Internet of things terminal and a public key matrix preset by the edge gateway, completing bidirectional authentication of the Internet of things terminal and the edge gateway, and obtaining a communication encryption/decryption key;
and the encryption and decryption of the data transmitted between the terminal of the Internet of things and the edge gateway are completed by using the communication encryption/decryption key.
CN202011154082.7A 2020-10-26 2020-10-26 Data security authentication transmission method and device for terminal of Internet of things Active CN112291230B (en)

Publications (2)

Publication Number Publication Date
CN112291230A (en) 2021-01-29
CN112291230B (en) 2023-04-07

Family

ID=74424918

Country Status (1)

Country Link
CN (1) CN112291230B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant