CN113163375A - Air certificate issuing method and system based on NB-IoT communication module - Google Patents

Publication number: CN113163375A
Application number: CN202110345962.0A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN113163375B (granted publication)
Legal status: Granted (active)
Inventors: 李汶昊, 徐尉, 孙晓鹏, 马骥, 廖正赟
Assignee (original and current): Zhengzhou Xinda Jiean Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Abstract

The invention provides an over-the-air certificate issuing method and system based on an NB-IoT communication module. For NB-IoT terminals that communicate over an NB-IoT network, it uses the general Internet of things protocol LWM2M + COAP together with the bootstrap service of the Internet of things cloud platform to build a transmission channel to the security authentication management system and to issue digital certificates to the NB-IoT terminals. The NB-IoT terminal applying for a certificate and the security authentication management system of the Internet of things cloud platform authenticate each other's identities; the certificate issuing request data transmitted over the network is encrypted over a secure data transmission link based on an asymmetric key; and the certificate issuing receipt data is simplified to reduce network overhead and is integrity-protected. Compared with the traditional offline certificate issuing mode, this over-the-air mode completes the certificate application and issuing process automatically, which effectively saves labor and time in the production stage.

Description

Air certificate issuing method and system based on NB-IoT communication module
Technical Field
The invention relates to the technical field of the Internet of things, and in particular to an over-the-air certificate issuing method and system based on an NB-IoT communication module.
Background
In recent years, with the arrival of the era in which everything is interconnected, more and more Internet of things terminals access Internet of things cloud platforms, and NB-IoT communication is widely used in low-rate, wide-area network scenarios. To ensure that the identity of an Internet of things terminal that accesses the Internet of things cloud platform through an NB-IoT communication module is trustworthy, a digital certificate must be issued to the NB-IoT terminal, and access authentication and secure communication with the cloud platform are then carried out on the basis of that certificate. The traditional certificate issuing mode suffers from a long process, complex operation and low execution efficiency.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an over-the-air certificate issuing method and system based on an NB-IoT communication module, which can simplify the digital certificate issuing process for an NB-IoT terminal and improve the execution efficiency.
In a first aspect, the invention provides an over-the-air certificate issuing method based on an NB-IoT communication module, comprising the following steps:
step 1, integrating a security SDK on the NB-IoT terminal and presetting an Internet of things cloud platform certificate and a CA certificate;
step 2, the NB-IoT terminal runs the security SDK to interact with the security module and detects whether an NB-IoT terminal digital certificate exists in the security module; if it does, encrypted service data transmission is carried out, and if it does not, the method proceeds to step 3 to enter the online certificate issuing process;
step 3, the security module generates an asymmetric key pair, and the NB-IoT terminal obtains the public key of that key pair from the security module and generates a certificate issuing request containing the public key;
the NB-IoT terminal reads the public key in the Internet of things cloud platform certificate, encrypts the certificate issuing request with it to obtain a certificate issuing request ciphertext, and encapsulates the ciphertext according to the protocol to obtain a certificate issuing request data message;
step 4, the NB-IoT terminal issues an AT command to the NB-IoT communication module to connect to the bootstrap service of the Internet of things cloud platform, the certificate issuing request data message being carried in the AT command;
step 5, the NB-IoT communication module sends a bootstrap request packet carrying the certificate issuing request data message to the bootstrap service of the Internet of things cloud platform;
step 6, the bootstrap service of the Internet of things cloud platform parses the certificate issuing request data message out of the received bootstrap request packet and forwards it to the security authentication management system of the Internet of things cloud platform;
step 7, the security authentication management system performs protocol parsing on the certificate issuing request data message to obtain the certificate issuing request ciphertext, and decrypts the ciphertext with the private key of the Internet of things cloud platform to obtain the certificate issuing request;
step 8, the security authentication management system issues the NB-IoT terminal digital certificates on the basis of the certificate issuing request, the NB-IoT terminal digital certificates comprising an NB-IoT terminal signature certificate and an NB-IoT terminal encryption certificate;
step 9, the security authentication management system processes the private key corresponding to the NB-IoT terminal encryption certificate to obtain an NB-IoT terminal encryption private key ciphertext data packet;
step 10, the security authentication management system combines the NB-IoT terminal signature certificate, the NB-IoT terminal encryption certificate and the NB-IoT terminal encryption private key ciphertext data packet into a receipt data packet, signs the receipt data packet with the private key of the Internet of things cloud platform, and encapsulates the receipt data packet together with the signature information according to the protocol to obtain a certificate issuing receipt data message;
step 11, the security authentication management system returns the certificate issuing receipt data message to the bootstrap service over the calling interface, and the bootstrap service delivers it to the corresponding NB-IoT communication module in a bootstrap write packet;
step 12, after receiving the bootstrap write packet, the NB-IoT communication module parses the certificate issuing receipt data message out of it and returns the message to the corresponding NB-IoT terminal;
step 13, after receiving the certificate issuing receipt data message, the NB-IoT terminal performs protocol parsing to obtain the receipt data packet and the signature information, and verifies the signature of the Internet of things cloud platform with the public key in the Internet of things cloud platform certificate to confirm the integrity of the certificate issuing receipt data message and the validity of the sender's identity;
step 14, the NB-IoT terminal calls the preset CA certificate to verify the validity of the NB-IoT terminal digital certificates in the receipt, and once verification passes, stores the NB-IoT terminal encryption certificate and the NB-IoT terminal signature certificate in the corresponding security module;
step 15, the NB-IoT terminal calls the private key of the security module to decrypt the NB-IoT terminal encryption private key ciphertext data packet, obtains the private key corresponding to the NB-IoT terminal encryption certificate and stores it in the security module, which completes the issuing of the NB-IoT terminal digital certificates.
In a second aspect, the invention provides an over-the-air certificate issuing system based on an NB-IoT communication module, configured to implement the above over-the-air certificate issuing method. The system comprises an Internet of things terminal in communication with an Internet of things cloud platform, where the Internet of things terminal comprises an NB-IoT terminal, a security module and an NB-IoT communication module, and the Internet of things cloud platform comprises a bootstrap service and a security authentication management system.
The invention ensures the confidentiality and integrity of the certificate issuing request data and the certificate issuing receipt data through secure data transmission based on asymmetric keys.
For NB-IoT terminals that communicate over an NB-IoT network, the invention uses the general Internet of things protocol LWM2M + COAP together with the bootstrap service of the Internet of things cloud platform to build a transmission channel to the security authentication management system, issues a digital certificate to the NB-IoT terminal, has the NB-IoT terminal applying for the certificate and the security authentication management system of the Internet of things cloud platform authenticate each other's identities, encrypts the certificate issuing request data transmitted over the network, and simplifies the certificate issuing receipt data to reduce network overhead while protecting its integrity.
Compared with the traditional offline certificate issuing mode, the over-the-air certificate issuing mode completes the certificate application and issuing process automatically, which effectively saves labor and time in the production stage.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
Fig. 1 shows a flowchart of an over-the-air certificate issuing method based on an NB-IoT communication module according to the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
NB-IoT stands for Narrow Band Internet of things, and an NB-IoT terminal is a terminal device that communicates over the narrowband Internet of things. The security SDK is a software development kit that serves as the interface to the security module; communication between the NB-IoT terminal and the security module goes through this interface. The bootstrap service is the boot service of the cloud platform, the bootstrap request packet is its boot request packet, and the bootstrap write packet is its boot write packet.
Fig. 1 shows a flowchart of an over-the-air certificate issuing method based on an NB-IoT communication module according to the present invention.
As shown in Fig. 1, a first aspect of the present invention provides an over-the-air certificate issuing method based on an NB-IoT communication module, the method comprising:
step 1, integrating a security SDK on the NB-IoT terminal and presetting an Internet of things cloud platform certificate and a CA certificate; the Internet of things cloud platform certificate contains, among other things, the public key of the Internet of things cloud platform, and the CA certificate contains, among other things, the public key of the security authentication management system;
it should be noted that an NB-IoT terminal on which the Internet of things cloud platform certificate and the CA certificate are preset is a legitimate NB-IoT terminal, and an Internet of things cloud platform that holds the private key matching the public key in the Internet of things cloud platform certificate and the private key matching the public key in the CA certificate is a legitimate Internet of things cloud platform;
step 2, before the NB-IoT terminal carries out encrypted service data transmission, it runs the security SDK to interact with the security module and detects whether an NB-IoT terminal digital certificate exists in the security module; if it does, encrypted service data transmission can proceed, and if the security module holds no NB-IoT terminal digital certificate, the method proceeds to step 3 to enter the online certificate issuing process;
it can be understood that the NB-IoT terminal digital certificate generally has a certificate name and similar attributes. Whether the certificate already exists in the security module is detected by polling for the corresponding file (for example, by certificate name). If it already exists, the certificate has already been issued, does not need to be issued again, and is used for subsequent communication; if the security module does not hold it, the online certificate issuing process of the present invention is executed;
step 3, before the NB-IoT terminal generates a certificate issuing request, the security module generates an asymmetric key pair, and the NB-IoT terminal calls the security SDK interface to obtain the public key of that key pair; the NB-IoT terminal then generates a certificate issuing request that contains the public key of the asymmetric key pair generated by the security module;
the NB-IoT terminal reads the public key in the Internet of things cloud platform certificate, encrypts the certificate issuing request with it to obtain a certificate issuing request ciphertext, and encapsulates the ciphertext according to the protocol to obtain a certificate issuing request data message;
the NB-IoT terminal thus encrypts the certificate issuing request before it is transmitted over the network and sends it only in ciphertext form, which prevents the request from being tampered with and protects it on the requesting side, so that the certificate issuing request reaches the Internet of things cloud platform securely and reliably;
step 4, the NB-IoT terminal issues an AT command to the NB-IoT communication module to connect to the bootstrap service of the Internet of things cloud platform, establishing an online certificate issuing secure transmission channel to the security authentication management system of the Internet of things cloud platform, and carries the certificate issuing request data message in the AT command;
it can be understood that the NB-IoT terminal and the NB-IoT communication module exchange data by means of AT commands, and here the AT command carries the certificate issuing request data message; the certificate issuing request data is therefore transmitted at the same time as the online certificate issuing secure transmission channel between the NB-IoT terminal applying for the certificate and the security authentication management system of the Internet of things cloud platform is established, which shortens the online certificate issuing process;
step 5, the NB-IoT communication module sends a bootstrap request packet carrying the certificate issuing request data message to the bootstrap service of the Internet of things cloud platform;
it can be understood that the NB-IoT communication module takes the certificate issuing request data message from the received AT command and encapsulates it into a bootstrap request packet using the general Internet of things protocol LWM2M + COAP; the bootstrap request packet is thus the certificate issuing request data message wrapped in the LWM2M + COAP structure.
step 6, the bootstrap service of the Internet of things cloud platform parses the certificate issuing request data message out of the received bootstrap request packet and forwards it to the security authentication management system of the Internet of things cloud platform;
step 7, the security authentication management system performs protocol parsing on the certificate issuing request data message to obtain the certificate issuing request ciphertext, and decrypts the ciphertext with the private key of the Internet of things cloud platform to obtain the certificate issuing request;
it should be noted that the private key of the Internet of things cloud platform and the public key in the Internet of things cloud platform certificate used in step 2 form one asymmetric key pair generated by the Internet of things cloud platform; the certificate issuing request ciphertext can only be decrypted with the legitimate private key of the Internet of things cloud platform, which further ensures the integrity and security of the certificate issuing request data while it is transmitted over the online certificate issuing secure transmission channel, and at the same time lets the Internet of things cloud platform authenticate the identity of the NB-IoT terminal applying for the certificate;
if the security authentication management system successfully decrypts the certificate issuing request ciphertext with the private key of the Internet of things cloud platform, the legitimacy of both the NB-IoT terminal applying for the certificate and the Internet of things platform is confirmed: an illegitimate Internet of things platform cannot decrypt the certificate issuing request ciphertext, and a certificate issuing request ciphertext sent by an illegitimate NB-IoT terminal cannot be decrypted successfully.
step 8, the security authentication management system issues the NB-IoT terminal digital certificates on the basis of the certificate issuing request, the NB-IoT terminal digital certificates comprising an NB-IoT terminal signature certificate and an NB-IoT terminal encryption certificate;
note that the NB-IoT terminal signature certificate corresponds to a public and private key pair, namely the asymmetric key pair generated by the security module.
step 9, the security authentication management system processes the private key corresponding to the NB-IoT terminal encryption certificate to obtain an NB-IoT terminal encryption private key ciphertext data packet;
it should be noted that the private key corresponding to the NB-IoT terminal encryption certificate is generated by the security authentication management system of the Internet of things cloud platform after it receives the certificate issuing request, so this private key must be transmitted securely to the NB-IoT terminal.
step 10, the security authentication management system combines the NB-IoT terminal signature certificate, the NB-IoT terminal encryption certificate and the NB-IoT terminal encryption private key ciphertext data packet into a receipt data packet, signs the receipt data packet with the private key of the Internet of things cloud platform, and encapsulates the receipt data packet together with the signature information according to the protocol to obtain a certificate issuing receipt data message;
step 11, the security authentication management system returns the certificate issuing receipt data message to the bootstrap service over the calling interface, and the bootstrap service delivers it to the corresponding NB-IoT communication module in a bootstrap write packet;
it can be understood that the bootstrap service sends a bootstrap write packet carrying the certificate issuing receipt data message to the corresponding NB-IoT communication module, and that the security authentication management system delivers the message over the previously established online certificate issuing secure transmission channel, which ensures the secure transmission of the certificate issuing receipt data;
step 12, after receiving the bootstrap write packet, the NB-IoT communication module parses the certificate issuing receipt data message out of it and returns the message to the corresponding NB-IoT terminal;
step 13, after receiving the certificate issuing receipt data message, the NB-IoT terminal performs protocol parsing to obtain the receipt data packet and the signature information, and verifies the signature of the Internet of things cloud platform with the public key in the Internet of things cloud platform certificate to confirm the integrity of the receipt message and the validity of the sender's identity;
it should be noted that because the security authentication management system signs the receipt data packet with the private key of the Internet of things cloud platform, the NB-IoT terminal can verify the signature information of the receipt data packet with the public key in the Internet of things cloud platform certificate and thereby confirm the identity of the sender of the receipt data packet;
in step 10, signing the receipt data packet with the private key of the Internet of things cloud platform means encrypting the receipt data packet with that private key to obtain a receipt data packet ciphertext, which serves as the signature information of the receipt data packet. When the NB-IoT terminal verifies the signature information with the public key in the Internet of things cloud platform certificate, it decrypts the receipt data packet ciphertext with that public key, compares the result with the receipt data packet it obtained, and judges the integrity of the receipt message by whether the two are consistent.
step 14, the NB-IoT terminal extracts the NB-IoT terminal encryption certificate and the NB-IoT terminal signature certificate from the receipt data packet as the NB-IoT terminal certificates of the receipt, calls the CA certificate preset through the security SDK to verify their validity, and once verification passes, stores the NB-IoT terminal encryption certificate and the NB-IoT terminal signature certificate in the corresponding security module;
the security authentication management system of the Internet of things cloud platform acts as the CA, and the so-called CA certificate is the certificate of the security authentication management system. In step 8, the security authentication management system signs the generated NB-IoT terminal encryption certificate and NB-IoT terminal signature certificate with the private key corresponding to the CA certificate and attaches the signature information to each certificate. Therefore, in step 14, after the NB-IoT terminal receives the NB-IoT terminal encryption certificate and the NB-IoT terminal signature certificate, it can use the preset public key corresponding to the CA certificate to verify the validity of each certificate.
step 15, the NB-IoT terminal calls the private key of the security module to decrypt the NB-IoT terminal encryption private key ciphertext data packet in the receipt data packet, obtains the private key corresponding to the NB-IoT terminal encryption certificate and stores it in the security module, which completes the certificate issuing process.
It should be noted that the private key of the security module is the private key of the asymmetric key pair generated by the security module in step 3; the public key of that key pair is sent to the security authentication management system as part of the certificate issuing request and is used when the security authentication management system generates the NB-IoT terminal encryption certificate;
in step 9, when the private key corresponding to the NB-IoT terminal encryption certificate is processed into the NB-IoT terminal encryption private key ciphertext data packet, the public key of the asymmetric key pair generated by the security module must be used, so that the NB-IoT terminal can decrypt the NB-IoT terminal encryption private key ciphertext data packet with the security module private key (the private key of that key pair) to obtain the private key corresponding to the NB-IoT terminal encryption certificate.
Further, step 8 specifically comprises: the security authentication management system signs the content of the received certificate issuing request together with the NB-IoT terminal identifier using the private key corresponding to the CA certificate to obtain first CA signature information, and issues the NB-IoT terminal signature certificate from the content of the certificate issuing request, the NB-IoT terminal identifier and the first CA signature information; the content of the certificate issuing request comprises the public key of the asymmetric key pair generated by the security module, the certificate request information and the like;
the security authentication management system also generates a public and private key pair for issuing the NB-IoT terminal encryption certificate, signs the public key of this pair (generated by the security authentication management system) together with the NB-IoT terminal identifier using the private key corresponding to the CA certificate to obtain second CA signature information, and issues the NB-IoT terminal encryption certificate from that public key, the NB-IoT terminal identifier and the second CA signature information.
It should be noted that the NB-IoT terminal identifier may be a device serial number; to improve certificate issuing efficiency, the NB-IoT terminal identifier is included in the certificate issuing request.
The private key of the CA certificate held by the security authentication management system and the public key in the CA certificate preset on the NB-IoT terminal form one asymmetric key pair, and only an NB-IoT terminal on which the CA certificate is preset can verify the signature information of the NB-IoT terminal encryption certificate and the NB-IoT terminal signature certificate.
Correspondingly, the NB-IoT terminal's calling the preset CA certificate in step 14 to verify the validity of the NB-IoT terminal digital certificates in the receipt specifically means verifying the first CA signature information in the NB-IoT terminal signature certificate and the second CA signature information in the NB-IoT terminal encryption certificate; if both signatures verify, the NB-IoT terminal certificates in the receipt are legitimate.
Further, step 9 specifically comprises: the security authentication management system generates a random number as a key and uses it to process the private key corresponding to the NB-IoT terminal encryption certificate with the SM4 national cryptographic algorithm, obtaining a private key ciphertext; the private key corresponding to the NB-IoT terminal encryption certificate is the private key of the public and private key pair generated by the security authentication management system for issuing the NB-IoT terminal encryption certificate;
the security authentication management system then takes from the certificate issuing request the public key previously generated by the security module of the NB-IoT terminal, encrypts the key with that public key to obtain a key ciphertext, and forms the NB-IoT terminal encryption private key ciphertext data packet from the private key ciphertext and the key ciphertext.
It can be understood that in step 15 the NB-IoT terminal calls the security module private key to decrypt the key ciphertext in the NB-IoT terminal encryption private key ciphertext data packet and obtain the key, and then uses the recovered key with the SM4 algorithm on the private key ciphertext to obtain the private key corresponding to the NB-IoT terminal encryption certificate.
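The private key delivery of steps 9 and 15 and the signed receipt of steps 10 and 13, as an added Go example that is not part of the patent or of any product of the applicant. It assumes stand-ins for the page's cryptography (AES-GCM for SM4, RSA-OAEP and RSA-PSS for the SM2 operations), a JSON receipt layout, and the hypothetical names Receipt, wrapPrivateKey, unwrapPrivateKey, buildReceipt and terminalAccept; the certificates themselves are reduced to the encryption public key carried in the receipt, so the CA check of step 14 is not modelled.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Receipt is the step 10 receipt data packet reduced to the fields this example exercises (AES-GCM stands in for SM4, RSA-OAEP for SM2).
type Receipt struct {
	TerminalID string
	EncPubDER  []byte // public key of the NB-IoT terminal encryption certificate
	PrivCT     []byte // matching private key, encrypted under a random symmetric key
	KeyCT      []byte // that symmetric key, encrypted to the security module's public key
}

func pubDER(pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an RSA key
	return der
}

// wrapPrivateKey is step 9 on the platform: a fresh random key encrypts the private
// key, and that random key is itself encrypted to the security module's public key.
func wrapPrivateKey(termPub *rsa.PublicKey, encPriv *rsa.PrivateKey) (privCT, keyCT []byte, err error) {
	buf := make([]byte, 28) // 16-byte AES key followed by a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	kek, nonce := buf[:16], buf[16:]
	block, _ := aes.NewCipher(kek)  // 16-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // AES block size: cannot fail
	privCT = aead.Seal(nonce, nonce, x509.MarshalPKCS1PrivateKey(encPriv), nil)
	keyCT, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, kek, nil)
	return privCT, keyCT, err
}

// unwrapPrivateKey is step 15 inside the terminal: the security module's private key recovers the symmetric key, which then decrypts the private key.
func unwrapPrivateKey(termPriv *rsa.PrivateKey, privCT, keyCT []byte) (*rsa.PrivateKey, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), nil, termPriv, keyCT, nil)
	if err != nil || len(kek) != 16 || len(privCT) < 12 {
		return nil, errors.New("key ciphertext cannot be opened with this security module key")
	}
	block, _ := aes.NewCipher(kek)
	aead, _ := cipher.NewGCM(block)
	der, err := aead.Open(nil, privCT[:12], privCT[12:], nil)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// buildReceipt is steps 9 and 10 on the platform: generate the encryption key pair, wrap its private key for this terminal, sign the packet with the platform key.
func buildReceipt(platform *rsa.PrivateKey, id string, termPub *rsa.PublicKey) (body, sig []byte, err error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	privCT, keyCT, err := wrapPrivateKey(termPub, encPriv)
	if err != nil {
		return nil, nil, err
	}
	body, _ = json.Marshal(Receipt{id, pubDER(&encPriv.PublicKey), privCT, keyCT})
	h := sha256.Sum256(body)
	sig, err = rsa.SignPSS(rand.Reader, platform, crypto.SHA256, h[:], nil)
	return body, sig, err
}

// terminalAccept is steps 13 and 15: verify the platform signature before parsing anything, check the
// receipt is addressed to this terminal, and accept the unwrapped private key only if it matches the receipt.
func terminalAccept(platformPub *rsa.PublicKey, termPriv *rsa.PrivateKey, id string, body, sig []byte) (*rsa.PrivateKey, error) {
	h := sha256.Sum256(body)
	if err := rsa.VerifyPSS(platformPub, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, errors.New("platform signature on receipt does not verify")
	}
	var r Receipt
	if err := json.Unmarshal(body, &r); err != nil || r.TerminalID != id {
		return nil, errors.New("receipt is malformed or addressed to another terminal")
	}
	encPriv, err := unwrapPrivateKey(termPriv, r.PrivCT, r.KeyCT)
	if err != nil || string(pubDER(&encPriv.PublicKey)) != string(r.EncPubDER) {
		return nil, errors.New("recovered private key is missing or does not match the certificate")
	}
	return encPriv, nil
}

func main() {
	platform, _ := rsa.GenerateKey(rand.Reader, 2048) // Internet of things cloud platform key
	term, _ := rsa.GenerateKey(rand.Reader, 2048)     // security module key pair (step 3)
	body, sig, _ := buildReceipt(platform, "SN-0001", &term.PublicKey)
	_, err := terminalAccept(&platform.PublicKey, term, "SN-0001", body, sig)
	fmt.Println("terminal accepted receipt:", err == nil)
}
```

The terminal rejects a receipt whose signature, terminal identifier or wrapped key does not check out before any private key material is stored, which is the order the page's steps 13 to 15 prescribe.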
The invention encrypts the certificate issuing request with the public key of the Internet of things cloud platform and sends the certificate issuing request data message to the Internet of things platform in an AT command at the same time as the online certificate issuing secure transmission channel is established; the security authentication management system of the Internet of things platform decrypts the certificate issuing request ciphertext, so that the certificate issuing request is delivered to the Internet of things cloud platform while the NB-IoT terminal applying for the certificate and the security authentication management system authenticate each other. Once the security authentication management system has decrypted the certificate issuing request ciphertext, it can issue the NB-IoT terminal digital certificates and return them to the NB-IoT terminal. In summary, the whole online certificate issuing process needs only one round trip over the link, which effectively shortens and simplifies the issuing of the NB-IoT terminal digital certificates and improves online issuing efficiency while keeping the data exchange secure and reliable.
Example 2
The invention also provides an over-the-air certificate issuing system based on the NB-IoT communication module, which is used to carry out the over-the-air certificate issuing method based on the NB-IoT communication module. The system comprises an Internet of Things terminal in communication connection with an Internet of Things cloud platform, wherein the Internet of Things terminal comprises an NB-IoT terminal, a security module and an NB-IoT communication module, and the Internet of Things cloud platform comprises a bootstrap service and a security authentication management system.
The invention ensures the confidentiality and integrity of the certificate issuing request data and the certificate issuing receipt data by protecting their transmission with asymmetric keys.
For NB-IoT terminals that communicate over an NB-IoT network, the invention uses the general IoT protocol stack LWM2M + COAP and, in combination with the bootstrap service of the Internet of Things cloud platform, constructs a dedicated secure transmission channel to the security authentication management system over which the NB-IoT terminal digital certificate is issued. The NB-IoT terminal applying for the certificate and the security authentication management system of the Internet of Things cloud platform authenticate each other, and the certificate issuing request data transmitted over the network is encrypted. The whole online certificate issuing process needs only one round trip over the link to issue the NB-IoT terminal signature certificate and the NB-IoT terminal encryption certificate at the same time, while the NB-IoT terminal encryption private key ciphertext data packet is returned as well, so that the data needed for encrypted service data transmission reaches the NB-IoT terminal in a single delivery; the certificate issuing receipt data is kept compact to reduce network overhead and is integrity-protected.
Further, because NB-IoT modules generally do not support the TLS secure communication protocol or HTTP, for reasons of power consumption and cost, but do support the lighter LWM2M + COAP protocol, carrying the application for and issuance of the digital certificate over LWM2M + COAP gives the method better applicability and makes it easier to deploy widely.
Compared with the traditional offline certificate issuing mode, the over-the-air certificate issuing mode completes the certificate application and issuing process automatically, and so effectively saves labor cost and time cost in the production stage.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (4)

1. An over-the-air certificate issuing method based on an NB-IoT communication module, characterized by comprising the following steps:
step 1, integrating a security SDK on an NB-IoT terminal and presetting an Internet of Things cloud platform certificate and a CA certificate;
step 2, the NB-IoT terminal runs the security SDK to interact with a security module and detects whether an NB-IoT terminal digital certificate exists in the security module; if yes, encrypted service data transmission is carried out, and if no NB-IoT terminal digital certificate exists, the method proceeds to step 3 to enter the online certificate issuing process;
step 3, the security module generates an asymmetric key pair, and the NB-IoT terminal acquires the public key of the asymmetric key pair generated by the security module and generates a certificate issuing request, wherein the certificate issuing request comprises the public key of the asymmetric key pair;
the NB-IoT terminal reads the public key in the Internet of Things cloud platform certificate, encrypts the certificate issuing request with that public key to obtain a certificate issuing request ciphertext, and performs protocol encapsulation on the certificate issuing request ciphertext to obtain a certificate issuing request data message;
step 4, the NB-IoT terminal issues an AT instruction to the NB-IoT communication module to connect to the bootstrap service of the Internet of Things cloud platform, and the certificate issuing request data message is passed in the AT instruction;
step 5, the NB-IoT communication module sends a bootstrap request packet carrying the certificate issuing request data message to the bootstrap service of the Internet of Things cloud platform;
step 6, the bootstrap service of the Internet of Things cloud platform parses the certificate issuing request data message from the received bootstrap request packet and forwards it to the security authentication management system of the Internet of Things cloud platform;
step 7, the security authentication management system performs protocol parsing on the certificate issuing request data message to obtain the certificate issuing request ciphertext, and decrypts the certificate issuing request ciphertext with the private key of the Internet of Things cloud platform to obtain the certificate issuing request;
step 8, the security authentication management system issues NB-IoT terminal digital certificates based on the certificate issuing request, wherein the NB-IoT terminal digital certificates comprise an NB-IoT terminal signature certificate and an NB-IoT terminal encryption certificate;
step 9, the security authentication management system processes the private key corresponding to the NB-IoT terminal encryption certificate to obtain an NB-IoT terminal encryption private key ciphertext data packet;
step 10, the security authentication management system combines the NB-IoT terminal signature certificate, the NB-IoT terminal encryption certificate and the NB-IoT terminal encryption private key ciphertext data packet into a receipt data packet, signs the receipt data packet with the private key of the Internet of Things cloud platform, and performs protocol encapsulation on the receipt data packet and the signature information to obtain a certificate issuing receipt data message;
step 11, the security authentication management system returns the certificate issuing receipt data message to the bootstrap service through the calling interface, and the bootstrap service delivers the certificate issuing receipt data message to the corresponding NB-IoT communication module in a bootstrap write packet;
step 12, after receiving the bootstrap write packet, the NB-IoT communication module parses the certificate issuing receipt data message from it and returns the certificate issuing receipt data message to the corresponding NB-IoT terminal;
step 13, after receiving the certificate issuing receipt data message, the NB-IoT terminal performs protocol parsing to obtain the receipt data packet and the signature information, and verifies the signature of the Internet of Things cloud platform with the public key in the Internet of Things cloud platform certificate to confirm the integrity of the certificate issuing receipt data message and the identity of its sender;
step 14, the NB-IoT terminal uses the preset CA certificate to verify the validity of the NB-IoT terminal digital certificates in the receipt, and after the verification passes, stores the NB-IoT terminal encryption certificate and the NB-IoT terminal signature certificate in the corresponding security module;
and step 15, the NB-IoT terminal calls the private key of the security module to decrypt the NB-IoT terminal encryption private key ciphertext data packet, obtains the private key corresponding to the NB-IoT terminal encryption certificate and stores it in the security module, whereupon the issuing process of the NB-IoT terminal digital certificate is complete.
2. The over-the-air certificate issuing method based on an NB-IoT communication module according to claim 1, wherein step 8 specifically includes:
the security authentication management system signs the acquired content of the certificate issuing request together with the NB-IoT terminal identification using the private key corresponding to the CA certificate to obtain first CA signature information, and issues the NB-IoT terminal signature certificate from the content of the certificate issuing request, the NB-IoT terminal identification and the first CA signature information;
the security authentication management system also generates a public and private key pair for issuing the NB-IoT terminal encryption certificate, signs the public key of this key pair together with the NB-IoT terminal identification using the private key corresponding to the CA certificate to obtain second CA signature information, and issues the NB-IoT terminal encryption certificate from the public key of the key pair, the NB-IoT terminal identification and the second CA signature information.
3. The over-the-air certificate issuing method based on an NB-IoT communication module according to claim 1, wherein step 9 specifically includes:
the security authentication management system generates a random number as a key and uses this key to process the private key corresponding to the NB-IoT terminal encryption certificate with the SM4 algorithm to obtain a private key ciphertext;
and acquires, from the certificate issuing request, the public key generated in advance by the security module corresponding to the NB-IoT terminal, encrypts the key with that public key to obtain the ciphertext of the key, and combines the private key ciphertext and the ciphertext of the key into the NB-IoT terminal encryption private key ciphertext data packet.
4. An over-the-air certificate issuing system based on an NB-IoT communication module, used for carrying out the over-the-air certificate issuing method based on the NB-IoT communication module according to any one of claims 1 to 3, characterized in that the over-the-air certificate issuing system comprises an Internet of Things terminal in communication connection with an Internet of Things cloud platform, wherein the Internet of Things terminal comprises an NB-IoT terminal, a security module and an NB-IoT communication module, and the Internet of Things cloud platform comprises a bootstrap service and a security authentication management system.
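The receipt side of claim 1 (step 10 on the platform, steps 13 and 14 on the terminal) is shown below as an added example in Go; it is not code from the patent or its applicant. ECDSA P-256 stands in for the SM2 signatures of the cloud platform and of the CA, since Go's standard library has no SM2. The receipt layout, the per-field hashing used as the signed input, the certificate contents, the terminal identification string and the CA are all constructed for this example, and the encryption private key ciphertext data packet is carried as opaque bytes because its construction is the subject of the step 9 example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ReceiptPacket is the step 10 bundle, signed as a whole by the cloud platform. The layout is
// this example's own (the page defines no encoding); ECDSA P-256 stands in for SM2 throughout.
type ReceiptPacket struct {
	SigCertDER []byte // NB-IoT terminal signature certificate
	EncCertDER []byte // NB-IoT terminal encryption certificate
	EncPrivPkt []byte // encryption private key ciphertext data packet, treated here as opaque bytes
	Signature  []byte // cloud platform signature over the three fields above
}

// digest hashes the per-field hashes (fixed width), so field boundaries in the signed input are unambiguous.
func (r *ReceiptPacket) digest() []byte {
	h := sha256.New()
	for _, f := range [][]byte{r.SigCertDER, r.EncCertDER, r.EncPrivPkt} {
		d := sha256.Sum256(f)
		h.Write(d[:])
	}
	return h.Sum(nil)
}

// issueCert has the CA (parent, caKey) sign a certificate for pub; a nil parent yields the
// self-signed constructed test CA. Certificate contents are this example's assumptions.
func issueCert(cn string, serial int64, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil {
		parent = tmpl
	}
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
}

// verifyReceipt is the terminal side of steps 13 and 14: the platform signature is checked with the
// pinned platform public key before anything inside is parsed; then each certificate must chain to
// the preset CA and must name this terminal's identification.
func verifyReceipt(platformPub *ecdsa.PublicKey, caCert *x509.Certificate, terminalID string, r *ReceiptPacket) error {
	if !ecdsa.VerifyASN1(platformPub, r.digest(), r.Signature) {
		return fmt.Errorf("platform signature invalid: receipt altered or not from the cloud platform")
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	for _, der := range [][]byte{r.SigCertDER, r.EncCertDER} {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return err
		}
		if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
			return fmt.Errorf("certificate does not chain to the preset CA: %w", err)
		}
		if cert.Subject.CommonName != terminalID {
			return fmt.Errorf("certificate issued to %q, not to this terminal", cert.Subject.CommonName)
		}
	}
	return nil
}

// buildReceipt plays the cloud platform with a constructed CA, platform key and two terminal key
// pairs, returning what the terminal holds (pinned platform public key, preset CA) plus the receipt.
func buildReceipt(terminalID string) (platformPub *ecdsa.PublicKey, caCert *x509.Certificate, r *ReceiptPacket, err error) {
	keys := make([]*ecdsa.PrivateKey, 4) // CA, platform, terminal signature, terminal encryption
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
	}
	caDER, err := issueCert("Constructed Test CA", 1, true, &keys[0].PublicKey, nil, keys[0])
	if err != nil {
		return
	}
	if caCert, err = x509.ParseCertificate(caDER); err != nil {
		return
	}
	var leaf [2][]byte // signature certificate, encryption certificate, both issued to terminalID
	for i := range leaf {
		if leaf[i], err = issueCert(terminalID, int64(i+2), false, &keys[i+2].PublicKey, caCert, keys[0]); err != nil {
			return
		}
	}
	r = &ReceiptPacket{SigCertDER: leaf[0], EncCertDER: leaf[1], EncPrivPkt: []byte("constructed opaque packet")}
	r.Signature, err = ecdsa.SignASN1(rand.Reader, keys[1], r.digest()) // step 10: the platform signs the bundle
	return &keys[1].PublicKey, caCert, r, err
}

func main() { fmt.Println(buildReceipt("NBIOT-TERM-0001")) }
```

The order of checks matters for a constrained terminal: the signature over the whole receipt is verified first, with a key the terminal already holds from step 1, so certificate parsing only runs on data the platform vouched for. The subject check ties both certificates to the NB-IoT terminal identification that claim 2 says the CA signs over; without it a correctly signed receipt containing another terminal's certificates would be stored.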
Application CN202110345962.0A, priority date 2021-03-31, filing date 2021-03-31: Air certificate issuing method and system based on NB-IoT communication module. Status: Active. Granted publication: CN113163375B (en).

Publications (2)

Publication Number Publication Date
CN113163375A (en) 2021-07-23
CN113163375B (en) 2022-02-11
Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant