CN112422289B - Method and system for offline secure distribution of digital certificates of NB-IoT terminal equipment - Google Patents
- Publication number: CN112422289B (application CN202011064016.0A)
- Authority: CN (China)
- Prior art keywords: digital certificate, iot, certificate file, iot terminal, terminal equipment
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Abstract
The invention provides a method and system for the offline secure distribution of digital certificates to NB-IoT terminal devices. The method comprises: logging in to an IoT cloud platform through an IoT platform user client, creating a product on the IoT cloud platform, and obtaining a user identification code authorized by the IoT cloud platform; adding NB-IoT terminal devices, each with a corresponding device identification ID, to the created product through the IoT platform user client; the IoT cloud platform synchronizing the user identification code and the device identification IDs to a security service platform, which generates an encrypted digital certificate file (the digital certificate file ciphertext) for each NB-IoT terminal device from the user identification code and the device identification ID; and, through the IoT platform user client, selecting and downloading the certificate file ciphertexts of the relevant NB-IoT terminal devices from the IoT cloud platform, transferring them offline to a production-line PC, decrypting them on the production-line PC, and filling (provisioning) the decrypted digital certificate files into the corresponding NB-IoT terminal devices.
Description
Technical Field
The invention relates to the technical field of secure communication, and in particular to a method and system for the offline secure distribution of digital certificates to NB-IoT terminal devices.
Background
In a world where everything is interconnected, information exchange between people and things, and between things, takes place over the Internet of Things and brings more convenient living experiences. With NB-IoT formally incorporated into the 5G standard as a core technology for mMTC (massive machine type communication) scenarios, NB-IoT applications will develop faster, and network information security poses a new challenge to that development. In the scenario where massive numbers of NB-IoT terminal devices connect to a unified IoT cloud platform, the collected data are transmitted over the NB-IoT network, and this process carries a risk of data leakage. Mutual identity authentication and a secure channel between the device side and the platform side are therefore needed, so that wireless communication from device to platform is confidential, integrity-protected and tamper-resistant, and introducing a PKI system is the established way to solve the identity-authentication problem: the IoT cloud platform and each NB-IoT terminal device are issued their own unique identity certificates, the device side and the platform side authenticate each other, and a secure channel is established. A method is therefore needed for securely issuing device digital certificates from the IoT cloud platform and filling them into NB-IoT terminal devices.
At present, most conventional certificate application schemes are online certificate issuing systems built on an RA + CA architecture, with the following flow: user application → RA audit → CA issues the certificate → RA forwards the certificate → user obtains the certificate. User application: the user obtains the CA's digital certificate (root certificate) and establishes a connection with a security server; the user generates a public/private key pair and submits the public key and its identity information to the security server, which forwards the application to the RA server. RA audit: the RA receives the application, the user proves its identity to the RA, and the RA checks that identity. If the RA approves the certificate request, it digitally signs the application and forwards the user application together with the RA signature to the CA; otherwise the application is refused. CA issuance: the CA verifies the RA's digital signature; if verification passes, the CA accepts the request, issues the certificate and outputs it; if verification fails, the application is rejected. RA forwarding: the RA obtains the new certificate from the CA, first publishes it to an LDAP server for directory browsing, then notifies the user that the certificate was issued successfully, gives the user the certificate serial number, and makes the certificate available for download from a designated website. User certificate acquisition: the user downloads its digital certificate from the designated website using the certificate serial number; only the holder of the private key matching the public key submitted in the application can download it successfully.
It can be seen from the issuing flow of the existing RA + CA online certificate issuing system that the identity of the applying subject is well defined, and the certificate obtained can only be used by that subject. If the CA + RA model were used to distribute digital certificates to IoT devices, then, because of the massive number of IoT devices, the issuing system could not support the access load of all of them applying for certificates online at the same time. In addition, the identity of an IoT device is not established in advance, so the applying subject cannot be authenticated during the certificate application, and the security is low.
Disclosure of Invention
To address the lack in the prior art of a method for securely distributing digital certificates to NB-IoT terminal devices, the invention provides a method and system for the offline secure distribution of digital certificates to NB-IoT terminal devices, which can securely distribute NB-IoT terminal device certificates from an IoT cloud platform and fill them into the secure cryptographic module of each NB-IoT terminal device.
The invention provides a method for the offline secure distribution of digital certificates to NB-IoT terminal devices, comprising the following steps:
Step 1: log in to an IoT cloud platform through an IoT platform user client, create a product on the IoT cloud platform, and obtain a user identification code authorized by the IoT cloud platform;
Step 2: through the IoT platform user client, add NB-IoT terminal devices, each with a corresponding device identification ID, to the created product;
Step 3: the IoT cloud platform synchronizes the user identification code and the device identification IDs to the security service platform, so that the security service platform generates a digital certificate file ciphertext for each NB-IoT terminal device from the user identification code and the device identification ID;
Step 4: through the IoT platform user client, select and download the digital certificate file ciphertexts of the relevant NB-IoT terminal devices from the IoT cloud platform, transfer the downloaded ciphertexts offline to a production-line PC, decrypt them on the production-line PC, and fill the decrypted digital certificate files into the corresponding NB-IoT terminal devices.
Further, in step 3, generating the digital certificate file ciphertext of the NB-IoT terminal device from the user identification code and the device identification ID includes:
generating a certificate request from the device identification ID, issuing the certificate and producing the digital certificate file;
generating a random number, computing an SM3 hash over the user identification code and the generated random number, truncating the resulting digest to serve as the symmetric key, and encrypting the digital certificate file with the SM4 symmetric cipher under that key to obtain the digital certificate file ciphertext.
Further, in step 4, the digital certificate file ciphertexts of the relevant NB-IoT terminal devices can be downloaded in either of two modes:
downloading the digital certificate file ciphertext of one NB-IoT terminal device at a time; or
downloading the digital certificate file ciphertexts of a batch of NB-IoT terminal devices at a time;
in both modes, each NB-IoT terminal device corresponds to exactly one digital certificate file ciphertext.
Further, in step 4, decrypting the digital certificate file ciphertext on the production-line PC and filling the decrypted digital certificate file into the corresponding NB-IoT terminal device includes:
connecting the NB-IoT terminal device to the production-line PC;
running the certificate filling tool on the production-line PC, importing the digital certificate file ciphertext into the tool, entering the user identification code, configuring the serial port parameters and entering the filling interface;
using the certificate filling tool to read the device identification ID of the connected NB-IoT terminal device and to determine the digital certificate file ciphertext associated with that ID;
deriving the symmetric key from the user identification code and the random number carried in the header of the digital certificate file ciphertext;
decrypting the digital certificate file ciphertext with the symmetric key to obtain the digital certificate file;
and filling the digital certificate file into the corresponding NB-IoT terminal device.
Further, before the digital certificate file is filled into the corresponding NB-IoT terminal device, the method further includes:
using the certificate filling tool to verify that the device identification ID in the digital certificate file is correct and, if so, sending the digital certificate file to the NB-IoT terminal device; correspondingly,
filling the digital certificate file into the corresponding NB-IoT terminal device includes:
the NB-IoT terminal device verifying that the device identification ID in the digital certificate file is consistent with its own device identification ID, and verifying that the public key and private key of each digital certificate in the digital certificate file form a matching pair;
and, if the device identification IDs are consistent and the public and private keys match, writing the digital certificate file into the secure cryptographic module of the NB-IoT terminal device.
Further, after the digital certificate file is filled into the corresponding NB-IoT terminal device, the method further includes:
the NB-IoT terminal device returning the certificate filling result to the certificate filling tool;
and the certificate filling tool recording the filling result for that NB-IoT terminal device's digital certificate file.
Further, the method further comprises:
after the certificate filling tool has completed the filling of the NB-IoT terminal device's digital certificate, clearing the sensitive information the tool generated during the filling operation, and then logging out of the certificate filling tool on the production-line PC.
Further, the data composition of the digital certificate file includes a random number, the device identification ID, a digital certificate for signing, and a digital certificate for encryption.
Further, encrypting the digital certificate file with the national commercial SM4 symmetric cipher to obtain the digital certificate file ciphertext specifically includes:
encrypting all of the data composition except the random number with the SM4 symmetric cipher, and converting the encrypted data to a hexadecimal string to obtain the digital certificate file ciphertext.
The invention also provides a system for the offline secure distribution of digital certificates to NB-IoT terminal devices, comprising: an IoT platform user client, an IoT cloud platform, a security service platform, a production-line PC and NB-IoT terminal devices;
the IoT platform user client is used to log in to the IoT cloud platform and create a product; to obtain the user identification code authorized by the IoT cloud platform; and to add NB-IoT terminal devices with their corresponding device identification IDs to the product created on the IoT cloud platform;
the IoT cloud platform is used to synchronize the user identification code and the device identification IDs to the security service platform; to select and download the digital certificate file ciphertexts of the relevant NB-IoT terminal devices from the security service platform; and to hand the downloaded digital certificate file ciphertexts over for offline transfer to the production-line PC;
the security service platform is used to generate the digital certificate file ciphertext of each NB-IoT terminal device from the user identification code and the device identification ID;
and the production-line PC is used to decrypt the digital certificate file ciphertexts and fill the decrypted digital certificate files into the corresponding NB-IoT terminal devices.
The beneficial effects of the invention are as follows:
In the method and system for the offline secure distribution of digital certificates to NB-IoT terminal devices, the security service platform generates the digital certificate file ciphertext of each NB-IoT terminal device from the user identification code and the device identification ID, using SM3-based key derivation (diversification) and SM4 symmetric encryption from the national commercial cryptographic algorithms; the ciphertext is then transferred offline to the production-line PC, decrypted there, and the decrypted digital certificate file is filled into the corresponding NB-IoT terminal device. The invention also allows digital certificates to be filled in batches on the production line, improving production-line filling efficiency.
Drawings
Fig. 1 is a schematic flowchart of a method for offline security distribution of a digital certificate of an NB-IoT terminal device according to an embodiment of the present invention;
fig. 2 is a schematic view of a process of filling an NB-IoT terminal device digital certificate through a production line PC according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a digital certificate offline security distribution system of an NB-IoT terminal device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the invention clearer, the technical solutions in the embodiments of the invention are described below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
Example 1
As shown in Fig. 1, an embodiment of the invention provides a method for the offline secure distribution of a digital certificate to an NB-IoT terminal device, comprising:
S101: log in to an IoT cloud platform through an IoT platform user client, create a product on the IoT cloud platform, and obtain a user identification code authorized by the IoT cloud platform;
S102: through the IoT platform user client, add NB-IoT terminal devices, each with a corresponding device identification ID, to the created product;
S103: the IoT cloud platform synchronizes the user identification code and the device identification IDs to the security service platform, so that the security service platform generates a digital certificate file ciphertext for each NB-IoT terminal device from the user identification code and the device identification ID;
S104: through the IoT platform user client, select and download the digital certificate file ciphertexts of the relevant NB-IoT terminal devices from the IoT cloud platform, transfer the downloaded ciphertexts offline to a production-line PC, decrypt them on the production-line PC, and fill the decrypted digital certificate files into the corresponding NB-IoT terminal devices.
In this method, the security service platform generates the digital certificate file ciphertext of each NB-IoT terminal device from the user identification code and the device identification ID; the ciphertext is then transferred offline to the production-line PC, decrypted there, and the decrypted digital certificate file is filled into the corresponding NB-IoT terminal device.
Example 2
Building on embodiment 1, the invention provides another method for the offline secure distribution of digital certificates to NB-IoT terminal devices, comprising:
S201: log in to an IoT cloud platform through an IoT platform user client, create a product on the IoT cloud platform, and obtain a user identification code authorized by the IoT cloud platform;
S202: through the IoT platform user client, add NB-IoT terminal devices, each with a corresponding device identification ID, to the created product;
S203: the IoT cloud platform synchronizes the user identification code and the device identification IDs to the security service platform;
S204: the security service platform generates the digital certificate file ciphertext of each NB-IoT terminal device from the user identification code and the device identification ID, specifically as follows:
S2041: the security service platform generates a certificate request from the device identification ID, issues the certificate and produces the digital certificate file;
specifically, the data composition of the digital certificate file includes a random number, the device identification ID, a digital certificate for signing and a digital certificate for encryption.
S2042: the security service platform generates a random number, computes an SM3 hash over the user identification code and the generated random number, truncates the resulting digest to serve as the symmetric key, and encrypts the digital certificate file with the SM4 symmetric cipher under that key to obtain the digital certificate file ciphertext.
Specifically, encrypting the digital certificate file with the national commercial SM4 symmetric cipher to obtain the digital certificate file ciphertext includes: encrypting all of the data composition except the random number with SM4, and converting the encrypted data to a hexadecimal string to obtain the digital certificate file ciphertext.
For example, as one possible implementation, table 1 is a composition format of a digital certificate file of an NB-IoT terminal device.
TABLE 1 compositional format of digital certificate files for NB-IoT terminal devices
S205: through the IoT platform user client, select and download the digital certificate file ciphertexts of the relevant NB-IoT terminal devices from the IoT cloud platform, and transfer the downloaded ciphertexts offline to a production-line PC;
specifically, the digital certificate file ciphertexts of the relevant NB-IoT terminal devices can be downloaded in either of two modes: downloading the ciphertext of one NB-IoT terminal device at a time, or downloading the ciphertexts of a batch of NB-IoT terminal devices at a time; in both modes, each NB-IoT terminal device corresponds to exactly one digital certificate file ciphertext.
In practice, when a batch of digital certificate file ciphertexts is downloaded at once, each ciphertext can be managed by device identification ID: the batch is stored in a designated folder, a mapping table from device identification ID to the corresponding ciphertext is built, and when the device identification ID of the NB-IoT terminal device to be filled is received, the mapping table is queried to find the corresponding ciphertext.
S206: decrypt the digital certificate file ciphertext on the production-line PC and fill the decrypted digital certificate file into the corresponding NB-IoT terminal device;
specifically, corresponding to the two download modes of step S205, this step also has two cases:
first case: the digital certificate file ciphertext of one NB-IoT terminal device was downloaded at a time; that single ciphertext is transferred offline to the production-line PC, decrypted there, and the decrypted digital certificate file is filled into the corresponding NB-IoT terminal device.
second case: the digital certificate file ciphertexts of a batch of NB-IoT terminal devices were downloaded at a time; the batch of ciphertexts is transferred offline to the production-line PC, each ciphertext is decrypted there, and each decrypted digital certificate file is filled into its corresponding NB-IoT terminal device.
The method of this embodiment is based on the encryption and decryption mechanism of the national commercial symmetric algorithms: with the user identification code and the random number as inputs, SM3-based key derivation and SM4 symmetric encryption protect the certificate during distribution, which the invention presents as improving the confidentiality, integrity and tamper resistance of the digital certificate file in transit. The invention also allows digital certificates to be filled in batches on the production line, improving production-line filling efficiency.
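The wrapping done in S2042 and the unwrapping done on the production-line PC in S206 (and in step S304 of embodiment 3 below), as an added example in Go that is not part of the patent or of any product it describes. It keeps the page's structure: a per-file random number carried in clear in the ciphertext header, a key derived by hashing the user identification code together with that random number and truncating the digest, the body (everything except the random number) encrypted under that key, and the whole thing hex-encoded; on the production-line side the key is re-derived from the entered user identification code and the header, the body is decrypted, and the device identification ID in the recovered file is checked against the connected device before anything is sent to it. Two substitutions are assumptions made so the example runs on a stock toolchain: SHA-256 stands in for SM3 and AES-128-CTR for SM4 (the page does not name the SM4 mode), and the length-prefixed field layout of the file body is invented here because Table 1 is not reproduced on this page. The example makes one property visible that the text glosses over: the cipher is unauthenticated, so a wrong user identification code or a modified ciphertext is only caught by the body failing to parse or the device ID failing to match, which are exactly the checks the page relies on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Assumed stand-ins: SHA-256 for SM3, AES-128-CTR for SM4.
const (
	randLen = 16 // random number carried in clear at the head of the ciphertext
	keyLen  = 16 // digest truncated to one 128-bit symmetric key
)

// CertFile is the encrypted part of Table 1; the random number stays outside
// because it travels in clear. Certificates are opaque bytes (constructed data).
type CertFile struct {
	DeviceID string
	SignCert []byte // digital certificate for signing, with its private key
	EncCert  []byte // digital certificate for encryption, with its private key
}

// deriveKey is the page's derivation: truncate(hash(userCode || random)).
func deriveKey(userCode string, random []byte) []byte {
	h := sha256.New()
	h.Write([]byte(userCode))
	h.Write(random)
	return h.Sum(nil)[:keyLen]
}

// getField reads one 2-byte-length-prefixed field (assumed layout).
func getField(r *bytes.Reader) ([]byte, error) {
	var l [2]byte
	if _, err := io.ReadFull(r, l[:]); err != nil {
		return nil, err
	}
	f := make([]byte, int(l[0])<<8|int(l[1]))
	_, err := io.ReadFull(r, f)
	return f, err
}

func (c CertFile) marshal() []byte {
	var buf bytes.Buffer
	for _, f := range [][]byte{[]byte(c.DeviceID), c.SignCert, c.EncCert} {
		buf.Write([]byte{byte(len(f) >> 8), byte(len(f))})
		buf.Write(f)
	}
	return buf.Bytes()
}

func unmarshal(b []byte) (CertFile, error) {
	r := bytes.NewReader(b)
	id, err1 := getField(r)
	sc, err2 := getField(r)
	ec, err3 := getField(r)
	if err1 != nil || err2 != nil || err3 != nil || r.Len() != 0 {
		return CertFile{}, fmt.Errorf("body does not parse")
	}
	return CertFile{DeviceID: string(id), SignCert: sc, EncCert: ec}, nil
}

// xorBody encrypts or decrypts the body under the derived key; the header
// random number doubles as the CTR nonce (assumption, not from the page).
func xorBody(userCode string, random, in []byte) []byte {
	block, _ := aes.NewCipher(deriveKey(userCode, random)) // 16-byte key: cannot fail
	out := make([]byte, len(in))
	cipher.NewCTR(block, random).XORKeyStream(out, in)
	return out
}

// Wrap is the security-service-platform side (S2042): random in clear,
// everything else encrypted under the derived key, then hex-encoded.
// The caller supplies a fresh random number per file.
func Wrap(userCode string, cf CertFile, random []byte) string {
	return hex.EncodeToString(append(append([]byte{}, random...), xorBody(userCode, random, cf.marshal())...))
}

// Unwrap is the production-line side (S206 / S304 / S305): re-derive the key
// from the entered user code and the header, decrypt, parse, and bind the
// result to the connected device's ID before anything is sent to it.
func Unwrap(userCode, connectedDeviceID, ciphertextHex string) (CertFile, error) {
	raw, err := hex.DecodeString(ciphertextHex)
	if err != nil || len(raw) < randLen {
		return CertFile{}, fmt.Errorf("malformed certificate file ciphertext")
	}
	cf, err := unmarshal(xorBody(userCode, raw[:randLen], raw[randLen:]))
	if err != nil { // first sign of a wrong user code or a tampered file
		return CertFile{}, fmt.Errorf("decrypt failed (wrong user code or corrupted file): %w", err)
	}
	if cf.DeviceID != connectedDeviceID {
		return CertFile{}, fmt.Errorf("device ID mismatch: file %q, device %q", cf.DeviceID, connectedDeviceID)
	}
	return cf, nil
}

func main() {
	random := make([]byte, randLen)
	if _, err := rand.Read(random); err != nil {
		panic(err)
	}
	// Constructed sample data; real files carry SM2 certificates and keys.
	cf := CertFile{DeviceID: "NB-000001", SignCert: []byte("sign-cert+key"), EncCert: []byte("enc-cert+key")}
	ct := Wrap("USER-CODE-42", cf, random)
	got, err := Unwrap("USER-CODE-42", "NB-000001", ct)
	fmt.Println("correct user code:", got.DeviceID, err)
	_, err = Unwrap("USER-CODE-41", "NB-000001", ct)
	fmt.Println("wrong user code:", err)
}
```

Because the header random number is public, the confidentiality of every certificate file in a product rests entirely on the user identification code that the operator types into the filling tool; the random number only makes each file's key distinct, it adds no secrecy of its own.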
Example 3
The difference from embodiment 2 is that: in the embodiment of the present invention, the decrypting of the digital certificate file ciphertext on the production line PC, and the filling of the decrypted digital certificate file into the corresponding NB-IoT terminal device include four application scenarios, and the working processes of the 4 application scenarios are respectively described with reference to fig. 2.
First application scenario: filling a digital certificate file of NB-IoT terminal equipment on a production line PC, wherein the digital certificate file of the NB-IoT terminal equipment only needs one filling operation;
second application scenario: filling a digital certificate file of NB-IoT terminal equipment on a production line PC, wherein the digital certificate file of the NB-IoT terminal equipment needs to be filled for many times;
the third application scenario: filling digital certificate files of batch NB-IoT terminal equipment on a production line PC; the digital certificate file of each NB-IoT terminal device only needs one filling operation;
a fourth application scenario: filling digital certificate files of batch NB-IoT terminal equipment on a production line PC; there are some digital certificate files for NB-IoT terminal devices that require multiple filling operations.
Taking the first application scenario as an example, the filling operation process is as follows:
S301: connect the NB-IoT terminal device to the production line PC;
S302: run the certificate filling tool on the production line PC, import the digital certificate file ciphertext into the tool, input the user identification code, configure the serial port parameters and enter the filling interface;
S303: the certificate filling tool identifies the device identification ID of the connected NB-IoT terminal device and looks up the digital certificate file ciphertext associated with that device identification ID;
S304: the certificate filling tool generates the symmetric key from the user identification code and the random number carried in the header of the digital certificate file ciphertext, and decrypts the ciphertext with the symmetric key to obtain the digital certificate file;
S305: the certificate filling tool verifies that the device identification ID in the digital certificate file is correct and, if so, sends the digital certificate file to the NB-IoT terminal device;
S306: the NB-IoT terminal device verifies that the device identification ID in the digital certificate file is consistent with its own device identification ID, and verifies that the public key and the private key of the digital certificate in the file form a matching pair;
S307: if the device identification IDs are consistent and the public key and private key match, the NB-IoT terminal device writes the digital certificate file into its secure cryptographic module;
S308: the NB-IoT terminal device returns the digital certificate filling result to the certificate filling tool;
S309: the certificate filling tool records the filling result of the digital certificate file of the NB-IoT terminal device;
S310: after the certificate filling tool finishes the filling operation for the digital certificate of the NB-IoT terminal device, the sensitive information generated by the tool during the filling operation is erased, and then the certificate filling tool on the production line PC is logged out.
In the second application scenario, the filling operation differs from the first in that the digital certificate file of the NB-IoT terminal device needs multiple filling operations, so steps S305 to S308 are executed in a loop until the digital certificate file of the device has been completely filled; steps S309 and S310 are then performed.
In the third application scenario, the filling operation differs from the first in that steps S303 to S309 are executed in a loop until the certificate filling tool has completed filling the digital certificate files of all NB-IoT terminal devices in the batch; step S310 is then performed.
In the fourth application scenario, the filling operation differs from the third in that, if the digital certificate file of the current NB-IoT terminal device needs to be filled multiple times, its filling is completed according to the working process of the second application scenario, after which the digital certificate file of the next NB-IoT terminal device is filled according to the process flow of the third application scenario.
Example 4
Corresponding to the above method for offline secure distribution of digital certificates of NB-IoT terminal devices, and as shown in fig. 3, an embodiment of the present invention further provides a system for offline secure distribution of digital certificates of NB-IoT terminal devices. The system comprises an IoT platform user client, an IoT cloud platform, a security service platform, a production line PC and NB-IoT terminal equipment.
The IoT platform user client is used to log in to the IoT cloud platform and perform the product creation operation, to acquire the user identification code authorized by the IoT cloud platform, and to add NB-IoT terminal devices and their corresponding device identification IDs to the product created in the IoT cloud platform. The IoT cloud platform is used to synchronize the user identification code and the device identification IDs to the security service platform, to select and download the digital certificate file ciphertext of the relevant NB-IoT terminal device from the security service platform, and to transmit the downloaded digital certificate file ciphertext of the NB-IoT terminal device to the production line PC in an off-line mode. The security service platform is used to generate the digital certificate file ciphertext of the NB-IoT terminal device according to the user identification code and the device identification ID. The production line PC is used to decrypt the digital certificate file ciphertext and fill the decrypted digital certificate file into the corresponding NB-IoT terminal device.
Specifically, the security service platform generates a certificate request using the device identification ID as the identity, issues and generates the digital certificate file, performs an SM3 hash operation over the user identification code and an internally generated random number, cuts the resulting digest value to obtain the symmetric key, and calls the SM4 symmetric encryption algorithm to encrypt the digital certificate file, obtaining the digital certificate file ciphertext. The production line PC is provided with a certificate filling tool, which decrypts the digital certificate file ciphertext and fills the digital certificate file into the corresponding NB-IoT terminal device.
It should be noted that the system for offline secure distribution of digital certificates of NB-IoT terminal devices provided in the embodiment of the present invention is intended to implement the above method; for its functions, reference may be made to the method embodiment above, which is not repeated here.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (9)
1. A method for offline secure distribution of digital certificates of NB-IoT terminal equipment is characterized by comprising the following steps:
step 1: logging in an IoT cloud platform through an IoT platform user client, executing product creation operation on the IoT cloud platform, and acquiring a user identification code authorized by the IoT cloud platform;
step 2: adding NB-IoT terminal equipment and a corresponding equipment identification ID on the created product through an IoT platform user client;
step 3: the IoT cloud platform synchronizes the user identification code and the equipment identification ID to the security service platform, so that the security service platform generates a digital certificate file ciphertext of the NB-IoT terminal equipment according to the user identification code and the equipment identification ID, where generating the digital certificate file ciphertext comprises the following steps:
generating a certificate request according to the equipment identification ID, and issuing and generating a digital certificate file;
generating a random number, performing an SM3 hash operation on the user identification code and the generated random number, cutting the obtained digest value to be used as the symmetric key, and calling the SM4 symmetric encryption algorithm to encrypt the digital certificate file to obtain the digital certificate file ciphertext;
step 4: the IoT platform user client operates on the IoT cloud platform to select and download the digital certificate file ciphertexts of the relevant NB-IoT terminal equipment; the downloaded digital certificate file ciphertexts of the NB-IoT terminal equipment are transmitted to a production line PC in an off-line mode, the digital certificate file ciphertexts are decrypted on the production line PC, and the decrypted digital certificate files are filled into the corresponding NB-IoT terminal equipment.
2. The method according to claim 1, wherein in step 4, when downloading the digital certificate file ciphertext of the relevant NB-IoT terminal device, two downloading methods are included:
downloading the digital certificate file ciphertext of one NB-IoT terminal device at a time; or,
downloading the digital certificate file ciphertexts of batch NB-IoT terminal equipment at a time;
in the two downloading modes, each NB-IoT terminal device corresponds to one digital certificate file ciphertext.
3. The method according to claim 1, wherein in step 4, decrypting the digital certificate file ciphertext on the production line PC, and filling the decrypted digital certificate file into the corresponding NB-IoT terminal device includes:
connecting NB-IoT terminal equipment to a production line PC;
running a certificate filling tool on the production line PC, importing the digital certificate file ciphertext into the certificate filling tool, inputting the user identification code, configuring the serial port parameters and entering the filling interface;
identifying the equipment identification ID of the connected NB-IoT terminal equipment with the certificate filling tool, and determining the digital certificate file ciphertext associated with that equipment identification ID;
generating a symmetric key according to the user identification code and the random number carried in the header of the digital certificate file ciphertext;
decrypting the digital certificate file ciphertext by using the symmetric key to obtain a digital certificate file;
and filling the digital certificate file into the corresponding NB-IoT terminal equipment.
4. The method of claim 3, further comprising, prior to populating the digital certificate file into the corresponding NB-IoT terminal device:
verifying whether the equipment identification ID in the digital certificate file is correct by adopting a certificate filling tool, and if so, sending the digital certificate file to the NB-IoT terminal equipment; correspondingly,
the filling of the digital certificate file into the corresponding NB-IoT terminal device includes:
the NB-IoT terminal equipment verifies whether the equipment identification ID in the digital certificate file is consistent with the equipment identification ID carried by the NB-IoT terminal equipment; and verifying whether the public key and the private key of the digital certificate in the digital certificate file are successfully paired;
and if the equipment identification IDs are consistent and the public key and the private key are successfully paired, writing the digital certificate file into the secure cryptographic module of the NB-IoT terminal equipment.
5. The method of claim 3, further comprising, after populating the digital certificate file into the corresponding NB-IoT terminal device:
the NB-IoT terminal equipment returns a digital certificate filling result to the certificate filling tool;
and the certificate filling tool records the filling result of the digital certificate file of the NB-IoT terminal equipment.
6. The method of claim 3, further comprising:
after the certificate filling tool finishes the filling operation of the digital certificate of the NB-IoT terminal equipment, sensitive information generated by the certificate filling tool in the filling operation process is eliminated, and then the certificate filling tool of the PC machine of the production line is logged out.
7. The method of claim 1, wherein the data components of the digital certificate file include a random number, a device Identification (ID), a digital certificate for signature, and a digital certificate for encryption.
8. The method according to claim 7, wherein the invoking of the cryptographic SM4 symmetric encryption algorithm encrypts the digital certificate file to obtain a digital certificate file ciphertext, specifically:
encrypting the data components other than the random number with the SM4 symmetric encryption algorithm, and converting the encrypted data into a hexadecimal character string to obtain the digital certificate file ciphertext.
9. A digital certificate offline security distribution system of NB-IoT terminal devices, comprising: the system comprises an IoT platform user client, an IoT cloud platform, a security service platform, a production line PC and NB-IoT terminal equipment;
the IoT platform user client is used for logging in an IoT cloud platform to perform product creation operation; acquiring a user identification code authorized by an IoT cloud platform; adding NB-IoT terminal equipment and corresponding equipment identification IDs on products created in an IoT cloud platform;
the IoT cloud platform is used for synchronizing the user identification code and the equipment identification ID to the security service platform; selecting and downloading a digital certificate file ciphertext of a relevant NB-IoT terminal device from the security service platform; transmitting the downloaded digital certificate file ciphertext of the NB-IoT terminal equipment to a production line PC in an off-line mode;
the security service platform is used for generating a digital certificate file ciphertext of the NB-IoT terminal device according to the user identification code and the device identification ID, specifically, the security service platform generates a certificate request according to the device identification ID as an identification, issues and generates a digital certificate file, performs SM3 hash operation by using the user identification code and an internally generated random number, cuts an obtained digest value to be used as a symmetric key, and calls a SM4 symmetric encryption algorithm to encrypt the digital certificate file to obtain the digital certificate file ciphertext;
and the production line PC is used for decrypting the digital certificate file ciphertext and filling the decrypted digital certificate file into the corresponding NB-IoT terminal equipment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011064016.0A CN112422289B (en) | 2020-09-30 | 2020-09-30 | Method and system for offline security distribution of digital certificate of NB-IoT (NB-IoT) terminal equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011064016.0A CN112422289B (en) | 2020-09-30 | 2020-09-30 | Method and system for offline security distribution of digital certificate of NB-IoT (NB-IoT) terminal equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112422289A CN112422289A (en) | 2021-02-26 |
CN112422289B true CN112422289B (en) | 2022-02-22 |
Family
ID=74854326
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011064016.0A Active CN112422289B (en) | 2020-09-30 | 2020-09-30 | Method and system for offline security distribution of digital certificate of NB-IoT (NB-IoT) terminal equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112422289B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113163375B (en) * | 2021-03-31 | 2022-02-11 | 郑州信大捷安信息技术股份有限公司 | Air certificate issuing method and system based on NB-IoT communication module |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107171805A (en) * | 2017-05-17 | 2017-09-15 | 济南浪潮高新科技投资发展有限公司 | A kind of internet-of-things terminal digital certificate signs and issues system and method |
CN107743067A (en) * | 2017-11-30 | 2018-02-27 | 美的智慧家居科技有限公司 | Awarding method, system, terminal and the storage medium of digital certificate |
CN107948302A (en) * | 2017-12-06 | 2018-04-20 | 上海麦腾物联网技术有限公司 | A kind of life cycle management method and system of Internet of Things embedded device |
CN108199844A (en) * | 2018-04-09 | 2018-06-22 | 北京无字天书科技有限公司 | Method for supporting off-line SM9 algorithm key first application downloading |
CN108696360A (en) * | 2018-04-16 | 2018-10-23 | 北京虎符信息技术有限公司 | A kind of CA certificate distribution method and system based on CPK keys |
CN109412792A (en) * | 2017-08-16 | 2019-03-01 | 中国移动通信有限公司研究院 | Generation, authentication method, communication equipment and the storage medium of digital certificate |
WO2019161412A1 (en) * | 2018-02-16 | 2019-08-22 | Verimatrix, Inc. | Systems and methods for decentralized certificate hierarchy using a distributed ledger to determine a level of trust |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130086385A1 (en) * | 2011-09-30 | 2013-04-04 | Yuri Poeluev | System and Method for Providing Hardware-Based Security |
US10581620B2 (en) * | 2016-11-14 | 2020-03-03 | Integrity Security Services Llc | Scalable certificate management system architectures |
GB2566265B (en) * | 2017-09-01 | 2020-05-13 | Trustonic Ltd | Post-manufacture generation of device certificate and private key for public key infrastructure |
- 2020-09-30: CN application CN202011064016.0A (patent CN112422289B), status Active
Non-Patent Citations (1)
Title |
---|
"Discussion on identity authentication solutions for the Internet of Things" (物联网身份认证解决方案探讨); 郭茂文; 《广东通信技术》; 20190215; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN112422289A (en) | 2021-02-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
PE01 | Entry into force of the registration of the contract for pledge of patent right | Denomination of invention: A method and system for offline secure distribution of digital certificates for NB IoT terminal devices; Granted publication date: 20220222; Pledgee: Bank of Zhengzhou Co.,Ltd. Zhongyuan Science and Technology City Sub branch; Pledgor: ZHENGZHOU XINDA JIEAN INFORMATION TECHNOLOGY Co.,Ltd.; Registration number: Y2024980007004 |