CN113473456A - Million-level Internet of things terminal security access method and system based on domestic passwords - Google Patents

Info

Publication number: CN113473456A (application number CN202110526583.1A; granted as CN113473456B)
Authority: CN (China)
Prior art keywords: gateway, service node, terminal, internet, target
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN113473456B (en)
Inventors: 李松斌, 刘鹏, 张遥
Current assignee: Research Station Of South China Sea Institute Of Acoustics Chinese Academy Of Sciences
Original assignee: Research Station Of South China Sea Institute Of Acoustics Chinese Academy Of Sciences
Events: application filed by Research Station Of South China Sea Institute Of Acoustics Chinese Academy Of Sciences; priority to CN202110526583.1A; publication of CN113473456A; application granted; publication of CN113473456B; legal status active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/009 Security arrangements specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/037 Protecting confidentiality of the control plane, e.g. signalling traffic
    • H04W12/08 Access security
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a million-scale Internet of Things terminal secure access method based on domestic cryptographic algorithms (the SM4 block cipher), comprising the following steps: the Internet of Things terminal generates a delay test request using SM4 and a gateway key GWKey and sends it to a plurality of gateways; each gateway checks the request and, if it passes, generates a delay test response message and sends it to the terminal; the terminal sends a terminal network access request to the target gateway it has determined; after checking it, the target gateway forwards the request to the corresponding target LoRaWAN service node; the target LoRaWAN service node generates an encrypted key distribution message and forwards it to the corresponding terminal through the target gateway; the terminal calculates the session keys NwkSKey and AppSKey from SM4 and the original keys SerKey and AppKey; and the terminal encrypts the acquired data with SM4 and AppSKey and sends it to the target LoRaWAN service node through the target gateway.

Description

Million-level Internet of things terminal security access method and system based on domestic passwords
Technical Field
The invention relates to the field of communication technology, in particular to a method and system for secure access of Internet of Things terminals based on domestic cryptographic algorithms and the LoRa protocol.
Background
In traditional wireless protocols, the longer the transmission distance, the higher the system's power consumption. To resolve this contradiction, Semtech introduced the LoRa technology and the corresponding LoRaWAN standard, and Low Power Wide Area Network (LPWAN) technology has since received wide attention from all sectors.
With the continued development and popularization of LoRa technology, security issues have become a focus for researchers. In existing LoRa-based information acquisition systems, an Internet of Things terminal generally broadcasts its message over the air; every gateway that receives it forwards it to a pre-configured LoRaWAN service node, the terminal is not subjected to any security authentication, and a large amount of duplicated data is reported. Moreover, the original LoRaWAN protocol stipulates that the network session key NwkSKey and the application session key AppSKey are derived from the pre-configured key AppKey for data transmission, so the security of that pre-configured key determines the security of the whole network: once it is compromised, the entire network is no longer secure. The MWR Labs InfoSecurity department is a globally known network security research organization, and its member Robert published a white paper on the security analysis of LoRaWAN, which describes in detail the security vulnerabilities and threats faced by the LoRaWAN protocol and indicates that all current LoRaWAN network entities should pay attention to the potential threats in key management, data communication and Internet interaction. Therefore, how to realize a stable and reliable large-scale Internet of Things terminal secure access mechanism on LoRaWAN is an urgent problem to be solved.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a large-scale Internet of Things terminal secure access method and system based on domestic cryptographic algorithms and the LoRa protocol. It provides a complete set of data verification, encryption and transmission procedures, which can greatly improve the access security of Internet of Things terminals and strengthen the security isolation between the network and the services.
To achieve this purpose, the invention provides a million-scale Internet of Things terminal secure access method based on domestic cryptographic algorithms, comprising the following steps:
the Internet of Things terminal generates a delay test request using the national cryptographic algorithm SM4 and a gateway key GWKey, and sends it to a plurality of gateways;
each gateway parses and verifies the received delay test request; if the verification passes and the preset conditions are met, the gateway generates a delay test response message using SM4 and the gateway key GWKey and sends it to the terminal;
the terminal parses and verifies the first delay test response message it receives, determines the target gateway, generates a terminal network access request using SM4, the gateway key GWKey and the terminal network-layer original key SerKey, and sends it to the target gateway;
the target gateway parses and verifies the received terminal network access request and, after the verification passes, forwards it to the corresponding target LoRaWAN service node;
the target LoRaWAN service node parses and verifies the received terminal network access request and, after the verification passes, generates an encrypted key distribution message using SM4 and the terminal network-layer original key SerKey and sends it to the target gateway;
the target gateway forwards the received encrypted key distribution message to the corresponding terminal;
the terminal decrypts and verifies the key distribution message and, after the verification passes, calculates the network-layer session key NwkSKey and the application-layer session key AppSKey from SM4, the terminal network-layer original key SerKey and the original key AppKey;
the terminal encrypts the acquired data using SM4 and the application-layer session key AppSKey to generate an uplink data message, and sends it to the target gateway;
and the target gateway decrypts and verifies the received uplink data message and, after the verification passes, reports the data to the target LoRaWAN service node.
As an improvement of the method, the step in which each gateway parses and verifies the received delay test request and, if the verification passes and the preset conditions are met, generates a delay test response message using SM4 and the gateway key GWKey and sends it to the terminal specifically comprises:
each gateway receives and parses the delay test request to obtain the terminal identifier DevEUI and the random number DevNonce, and looks up the DevNonce values of the terminal's past N requests by DevEUI; if an identical DevNonce value exists, the request is discarded and the number of requests discarded for that terminal within one day is counted, and when the discard-count threshold is reached the gateway raises an 'attacked' alarm; if no identical DevNonce value is found, the message integrity code MIC is checked using SM4 and the gateway key GWKey; when the MIC check passes and the parsed message type field value matches the delay test flag bit, the terminal is a legitimate terminal, the gateway queries its own load index, and when the load index is below the load threshold it generates a delay test response message using SM4 and the gateway key GWKey and sends it to the terminal;
the load index of the gateway is:
load index = Σt / 3600
where Σt is the total channel load duration counted within one hour, in seconds, and t is the reception duration of one data packet, calculated from the receive radio-frequency parameters and the received packet length.
As an improvement of the method, the step in which the terminal parses and verifies the first received delay test response message, determines the target gateway, generates a terminal network access request using SM4, the gateway key GWKey and the terminal network-layer original key SerKey, and sends it to the target gateway specifically comprises:
the terminal parses the first received delay test response message and verifies the parsed message integrity code MIC; when the MIC check passes and the parsed message Type field value matches, it takes the gateway identified by the gateway identifier GWID as the target gateway, generates a terminal network access request using SM4, the gateway key GWKey and the terminal network-layer original key SerKey, and sends it to the target gateway; delay test response messages sent by other gateways are discarded.
As an improvement of the method, the step in which the target gateway parses and verifies the received terminal network access request and forwards it to the corresponding target LoRaWAN service node after the verification passes specifically comprises:
the target gateway parses the received terminal network access request; when the parsed message type MType field value matches the delay test flag bit RFU field value and the parsed gateway identifier GWID is consistent with the target gateway's own identifier, it evaluates the parsed terminal identifier DevEUI and random number DevNonce and looks up the DevNonce values of the terminal's past N requests by DevEUI; if an identical DevNonce value exists, the request is discarded, the number of requests discarded for that terminal within one day is counted, and when the discard-count threshold is reached the gateway raises an 'attacked' alarm; if no identical DevNonce value is found, the gateway authentication code GRC is verified using SM4 and the gateway key GWKey, and when the GRC check passes the gateway forwards the terminal network access request to the corresponding target LoRaWAN service node.
As an improvement of the method, the step in which the target LoRaWAN service node parses and verifies the received terminal network access request and, after the verification passes, generates an encrypted key distribution message using SM4 and the terminal network-layer original key SerKey and sends it to the target gateway specifically comprises:
the target LoRaWAN service node parses the terminal network access request to obtain the terminal identifier DevEUI and the random number DevNonce, looks up the DevNonce values of the terminal's past N requests by DevEUI and, if an identical DevNonce value exists, discards the request and counts the number of requests discarded for that terminal within one day, the gateway raising an 'attacked' alarm when the discard-count threshold is reached; if no identical DevNonce value is found, the message integrity code MIC is verified using SM4 and the gateway key GWKey, and when the MIC check passes an encrypted key distribution message is generated using SM4 and the terminal network-layer original key SerKey and sent to the target gateway.
As an improvement of the method, the step in which the terminal decrypts and verifies the key distribution message and, after the verification passes, calculates the network-layer session key NwkSKey and the application-layer session key AppSKey from SM4, the terminal network-layer original key SerKey and the original key AppKey specifically comprises:
decrypting the key distribution message using SM4 and the network-layer original key SerKey;
parsing the key distribution message, which comprises: message type MType (field length 3 bits), delay test flag bit RFU (3 bits), major version number Major (2 bits), application random number AppNonce (24 bits), gateway identifier NetID (24 bits), terminal address DevAddr (32 bits), settings DLSettings (8 bits), delay RxDelay (8 bits), optional channel list CFList (variable length) and MIC (32 bits);
calculating the intermediate quantity msg according to the following formula:
msg = SM4_encrypt(SerKey, MType|RFU|Major|AppNonce|NetID|DevAddr|DLSettings|RxDelay|CFList)
where SM4_encrypt() denotes encryption with the national cryptographic algorithm SM4 and "|" denotes the OR operation;
taking the lower 32 bits of msg as the MIC value;
when the MIC check passes, calculating the network-layer session key NwkSKey and the application-layer session key AppSKey from the terminal network-layer original key SerKey and the original key AppKey respectively by the following formulas:
NwkSKey = SM4_encrypt(SerKey, 0x01|AppNonce|NetID|DevNonce|pad16)
AppSKey = SM4_encrypt(AppKey, 0x02|AppNonce|NetID|DevNonce|pad16)
where pad16 denotes the supplementary padding bits;
As an improvement of the above method, after the target gateway parses and verifies the received terminal network access request and before it forwards the request to the corresponding target LoRaWAN service node, the method further comprises determining the target LoRaWAN service node corresponding to the target gateway and completing access, specifically:
the target gateway generates an authentication request using SM4 and the gateway key GWKey and sends it to the authentication service node;
the authentication service node checks the authentication request, generates an encrypted authentication result message using SM4, GWKey, the key mKey for communication with the management service node and the key sKey for communication with the LoRaWAN service node, and sends it to the target gateway;
the target gateway decrypts and verifies the authentication result message, uses SM4 to decrypt and compute mKey and sKey, parses the IP address of the management service node, generates a LoRaWAN service node allocation request using SM4 and mKey, and sends it to the management service node;
the management service node checks the LoRaWAN service node allocation request, determines the target LoRaWAN service node according to the idleness of each LoRaWAN service node, generates an allocation response message using SM4 and mKey, and sends it to the target gateway;
the target gateway checks the allocation response message, parses the IP address of the target LoRaWAN service node, generates an access request using SM4 and sKey, and sends it to the target LoRaWAN service node;
the target LoRaWAN service node checks the access request and, if the check passes, adds the gateway identifier GWID of the target gateway to a whitelist, generates an access success message using SM4 and sKey, and sends it to the target gateway;
and the target gateway checks the access success message and, if the check passes, starts processing the terminal's data.
As an improvement of the foregoing method, the idleness K(t) of a LoRaWAN service node is:
[formula given only as an image in the original]
where n_c represents the number of CPU cores and k(t) represents the latest load value obtained by the iteration, which satisfies:
[formula given only as an image in the original]
[formula given only as an image in the original]
where k(0) is the initial value of the iteration, k(t-1) represents the load value obtained in the previous iteration, a_n represents the n-th instantaneous count of active processes, n is the sample index, and n_r indicates the average number of active processes over a set time.
As an improvement of the above method, the method further comprises:
after receiving the reported data, the target LoRaWAN service node verifies the message integrity code MIC and, if the check passes, calculates the data index I of the target database service node in the database service node list by the following formula:
I = DevEUI % L + 1
where DevEUI is the terminal identifier and L is the number of entries in the database service node list;
inserting the reported data at data index I of the database service node list;
and the target database service node synchronizes the reported data to the other database service nodes according to the database service node list.
A million-scale Internet of Things terminal secure access system based on domestic cryptographic algorithms comprises an Internet of Things terminal, a gateway, an authentication service node, a management service node and a LoRaWAN service node, where:
the Internet of Things terminal acquires data and reports it to the gateway;
the gateway receives the data reported by the terminal and sends it to the LoRaWAN service node over the IP protocol;
the authentication service node performs access authentication for the gateway;
the management service node dynamically allocates LoRaWAN service nodes to the gateway;
and the LoRaWAN service node distributes keys and receives and stores data.
Compared with the prior art, the invention has the following advantages:
1. The method provides a complete set of data verification, encryption and transmission procedures, which can greatly improve the access security of Internet of Things terminals and at the same time strengthen the security isolation between the network and the services;
2. The invention also provides a scheme for dynamically allocating LoRaWAN service nodes to gateways according to the idleness index of the LoRaWAN service nodes, which achieves load balancing and on-demand expansion of system resources while providing secure access for large-scale Internet of Things terminals.
Drawings
Fig. 1 is a schematic diagram of the terminal access and data reporting flow in embodiment 1 of the present invention;
Fig. 2 is a schematic diagram of the gateway access flow in embodiment 1 of the present invention;
Fig. 3 is a block diagram of the large-scale Internet of Things terminal secure access system based on domestic cryptographic algorithms and the LoRa protocol in embodiment 2 of the present invention.
Detailed Description
The invention discloses a large-scale Internet of Things terminal secure access method and system based on domestic cryptographic algorithms and the LoRa protocol. The method comprises the following steps: the terminal generates a delay test request using the national cryptographic algorithm SM4 and a gateway key GWKey and sends it to a plurality of gateways; after each gateway checks the delay test request, it sends a delay test response message to the terminal, from which the terminal determines a target gateway and sends a network access request to it; the target gateway checks the network access request and forwards it to the target LoRaWAN service node, the target LoRaWAN service node sends a key distribution message to the target gateway, and the target gateway forwards it to the terminal; the terminal receives the key distribution message and calculates the session keys NwkSKey and AppSKey from the original keys SerKey and AppKey, thereby achieving secure access for the terminal. The invention also provides a scheme for dynamically allocating LoRaWAN service nodes to gateways according to the idleness index of the LoRaWAN service nodes, which achieves load balancing and on-demand expansion of system resources while providing secure access for large-scale Internet of Things terminals.
The technical solution of the invention is described in detail below with reference to the accompanying drawings and embodiments.
Embodiment 1
In this embodiment the parameter values are set as given below, but each field or parameter value can be modified according to actual application requirements.
Fig. 1 is a schematic diagram of the terminal access and data reporting process provided by the invention; the design of each link in that process is described below with reference to Fig. 1.
1. Each time it is powered on, the terminal sends a delay test request to the gateways; if no reply message is received within 30 seconds, the delay test request is sent again. The request format is shown in Table 1_1:
TABLE 1_1
Field:  MType | RFU   | Major | AppEUI | DevEUI | DevNonce | MIC
Length: 3 bit | 3 bit | 2 bit | 64 bit | 64 bit | 32 bit   | 32 bit
The delay test request consists of the following fields:
the message type MType field is 3 bits long and is set to "000" in the delay test request; the delay test flag bit RFU field is 3 bits long and is set to "001" in the delay test request; the major version number Major field is 2 bits long and is set to "00"; the application identifier AppEUI uniquely identifies the current application and is 64 bits long; the terminal identifier DevEUI uniquely identifies the current terminal and is 64 bits long; the random number DevNonce is 32 bits long and is used to resist replay attacks, and a new random number is generated as the DevNonce value each time an authentication request is sent; the message integrity code MIC is used by the gateway to authenticate the terminal identity, and the MIC value is calculated by the following formulas:
msg=SM4_encrypt(GWKey,MType|RFU|Major|AppEUI|DevEUI|DevNonce) (1-1)
MIC=msg[0..31] (1-2)
where SM4_encrypt denotes the national cryptographic algorithm SM4, GWKey is the gateway key, and the low-order 32 bits of msg are taken as the MIC value. SM4_encrypt in the subsequent embodiments likewise denotes the SM4 encryption algorithm.
2. After receiving the delay test request sent by the terminal, the gateway first parses the AppEUI, DevEUI and DevNonce fields and looks up the DevNonce values of the terminal's past N requests by DevEUI. N is set to 100 by default and can be modified as required. If the terminal is found to have already issued a request with the same DevNonce value, the gateway discards the request directly. When the number of discarded requests of a terminal within one day exceeds 50, the gateway raises an 'attacked' alarm. If no duplicate DevNonce value is found, a MIC value is generated by formulas (1-1) and (1-2) and compared with the received MIC value; if the two are equal and the MType field value is "000" and the RFU field value is "001", the gateway recognizes the terminal as legitimate. The gateway then queries its own load index and, when the load index is below 0.6, sends a delay test response message in the format shown in Table 1_2:
TABLE 1_2
Field:  Type  | Opt   | GWID   | MIC
Length: 8 bit | 8 bit | 64 bit | 16 bit
The delay test response message consists of the following fields:
the message Type field is 8 bits long with the value 00000001; the reserved bits Opt field is 8 bits long and is reserved for future protocol extension; the gateway identifier GWID field is 64 bits long and uniquely identifies the gateway device; the message integrity code MIC field is 16 bits long and is used by the terminal to authenticate the gateway device, and the MIC is calculated as follows:
msg=SM4_encrypt(GWKey,Type|Opt|GWID) (1-3)
MIC=msg[0..15] (1-4)
where "|" denotes the OR operation and the MIC takes the lower 16 bits of msg.
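As an added example (not code from the patent or its applicant), the following Python puts steps 1 and 2 above, the MIC truncation of equations (1-1) to (1-8), and the NwkSKey/AppSKey derivation from the summary into runnable form. SM4 is implemented from GB/T 32907-2016 and checked against its published test vector; the assumptions, marked in the comments, are that "|" is field concatenation as the table layout implies, that a message longer than one block is chained CBC-MAC style with a zero IV (the patent does not specify this), and that the "low-order" bits are the trailing bytes of the SM4 output.

```python
import secrets
from collections import deque

# SM4 (GB/T 32907-2016) S-box and system parameter FK; the constant CK is
# generated since byte j of CK[i] is (4*i + j) * 7 mod 256.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = [sum(((4 * i + j) * 7 % 256) << (24 - 8 * j) for j in range(4)) for i in range(32)]

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _tau(x):  # non-linear layer: the S-box applied to each byte of a 32-bit word
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")

def _round_keys(key):
    k = [int.from_bytes(key[i:i + 4], "big") ^ FK[i // 4] for i in range(0, 16, 4)]
    rk = []
    for i in range(32):
        t = _tau(k[1] ^ k[2] ^ k[3] ^ CK[i])
        k = k[1:] + [k[0] ^ t ^ _rotl(t, 13) ^ _rotl(t, 23)]
        rk.append(k[3])
    return rk

def sm4_encrypt_block(key, block):
    """One SM4 encryption of a 16-byte block under a 16-byte key."""
    x = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 16, 4)]
    for rk in _round_keys(key):
        t = _tau(x[1] ^ x[2] ^ x[3] ^ rk)
        x = x[1:] + [x[0] ^ t ^ _rotl(t, 2) ^ _rotl(t, 10) ^ _rotl(t, 18) ^ _rotl(t, 24)]
    return b"".join(v.to_bytes(4, "big") for v in reversed(x))

def sm4_mac(key, msg, nbytes):
    """SM4_encrypt(key, msg) truncated as in equations (1-1)..(1-8).
    ASSUMPTION: the patent does not say how a message longer than one 16-byte block
    is fed to SM4; zero-padded blocks are chained CBC-MAC style with a zero IV here,
    sound only because each message format has a fixed length. 'Low-order' bits are
    read as the last nbytes of the output."""
    msg = msg + bytes(-len(msg) % 16)
    state = bytes(16)
    for i in range(0, len(msg), 16):
        state = sm4_encrypt_block(key, bytes(a ^ b for a, b in zip(state, msg[i:i + 16])))
    return state[-nbytes:]

def build_delay_test_request(gwkey, app_eui, dev_eui, dev_nonce=None):
    """Table 1_1: MType=000 | RFU=001 | Major=00 packed MSB-first into one byte,
    then AppEUI (8 bytes), DevEUI (8), a fresh 32-bit DevNonce and a 32-bit MIC."""
    dev_nonce = dev_nonce or secrets.token_bytes(4)
    body = bytes([(0b000 << 5) | (0b001 << 2) | 0b00]) + app_eui + dev_eui + dev_nonce
    return body + sm4_mac(gwkey, body, 4)

def derive_session_keys(ser_key, app_key, app_nonce, net_id, dev_nonce):
    """NwkSKey/AppSKey = SM4_encrypt(key, 0x01 or 0x02 | AppNonce | NetID | DevNonce | pad16):
    1 + 3 + 3 + 4 = 11 bytes zero-padded to one block ('|' taken as concatenation)."""
    tail = app_nonce + net_id + dev_nonce
    blk = lambda tag: (bytes([tag]) + tail).ljust(16, b"\x00")
    return sm4_encrypt_block(ser_key, blk(0x01)), sm4_encrypt_block(app_key, blk(0x02))

class Gateway:
    """Step 2: per-DevEUI replay window of N nonces, daily discard counter with an
    'attacked' alarm once it exceeds the threshold, MIC and header check, load index."""
    def __init__(self, gwkey, n=100, alarm_threshold=50, load_threshold=0.6):
        self.gwkey, self.n = gwkey, n
        self.alarm_threshold, self.load_threshold = alarm_threshold, load_threshold
        self.nonces, self.discards, self.alarms = {}, {}, []
        self.busy_seconds = 0.0  # sigma t: summed air-time of packets received in the last hour

    def load_index(self):
        return self.busy_seconds / 3600

    def handle_delay_test_request(self, frame):
        if len(frame) != 25:
            return "discard"
        hdr, dev_eui, dev_nonce, mic = frame[0], frame[9:17], frame[17:21], frame[21:]
        seen = self.nonces.setdefault(dev_eui, deque(maxlen=self.n))
        if dev_nonce in seen:
            return self._discard(dev_eui)
        if mic != sm4_mac(self.gwkey, frame[:21], 4):
            return "discard"
        if (hdr >> 5) != 0b000 or ((hdr >> 2) & 0b111) != 0b001:
            return "discard"
        seen.append(dev_nonce)  # recorded only after the MIC verified (see note below)
        return "respond" if self.load_index() < self.load_threshold else "overloaded"

    def _discard(self, dev_eui):
        self.discards[dev_eui] = self.discards.get(dev_eui, 0) + 1
        if self.discards[dev_eui] > self.alarm_threshold:
            self.alarms.append(("attacked", dev_eui.hex()))
        return "discard"
```

The Gateway class records a DevNonce in its replay window only after the MIC has verified, so a forged frame carrying a valid DevEUI cannot consume a legitimate terminal's nonce space; the patent text leaves that ordering open.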
3. After receiving a delay test response message sent by a gateway, the terminal judges whether the message-passing gateway, i.e. the target gateway, has already been selected. If so, it discards the message; if not, it generates a MIC value by formulas (1-3) and (1-4) and compares it with the received MIC value, and if the two are equal and the Type field value is "00000001", it records the GWID value and uses that gateway as the message-passing gateway.
After the terminal sends a delay test request to the gateways, every normally working gateway returns a delay test response message; the terminal selects the gateway corresponding to the first delay test response message received as the target gateway, and the delay test response messages received subsequently from other gateways are discarded directly.
After the message-passing gateway is determined, the terminal sends a network access request to it; if no reply message is received within 30 seconds, the terminal network access request is sent again. The format of the terminal network access request is shown in Table 1_3:
TABLE 1_3
Field:  MType | RFU   | Major | GWID   | AppEUI | DevEUI | DevNonce | MIC    | GRC
Length: 3 bit | 3 bit | 2 bit | 64 bit | 64 bit | 64 bit | 32 bit   | 32 bit | 32 bit
The terminal network access request consists of the following fields:
the length of a message type MType field is 3 bits, and the field value in the network access request is set to be '000'; the length of the field of the time delay test flag bit RFU is 3 bits, and the field in the network access request is set to be '000'; the Major version number Major field has a length of 2 bits, which is set to "00"; the gateway identity identification code is used for uniquely identifying the gateway equipment and has the length of 64 bits; the application identification code is used for uniquely identifying the current application and has the length of 64 bits; the terminal identification code is used for uniquely identifying the current terminal and has the length of 64 bits; the random number is 32 bits in length and is used to resist replay attacks. The gateway generates a random number as a value of DevNonce each time it sends an authentication request; the message consistent code MIC is used for LoRaWAN service nodes to authenticate the terminal identity, and the MIC value is obtained by the following calculation:
msg=SM4_encrypt(SerKey,MType|RFU|Major|AppEUI|DevEUI|DevNonce) (1-5)
MIC=msg[0..31] (1-6)
wherein SerKey is the root key of the terminal network layer, and bits 0..31 of the msg obtained from formula (1-5) are taken as the MIC value.
The gateway authentication code GRC is used by the gateway to authenticate the terminal identity, and the GRC value is obtained by the following calculation:
msg=SM4_encrypt(GWKey,MType|RFU|Major|GWID|DevNonce) (1-7)
GRC=msg[0..31] (1-8)
wherein GWKey is the gateway key, and bits 0..31 of the msg obtained from formula (1-7) are taken as the GRC value.
4. After the gateway receives a network access request from a terminal, if the MType field value is "000" and the RFU field value is "000", it parses the GWID field and continues only when the parsed GWID matches its own gateway identification code. It then parses the DevEUI and DevNonce fields and looks up the DevNonce values of the terminal's past N requests by DevEUI. N is 100 by default and can be modified as required. If the terminal has already sent a request with the same DevNonce value, the gateway discards the request directly, and when the number of discarded requests from one terminal exceeds 50 in a day the gateway raises an "attacked" alarm. If no duplicate DevNonce value is found, the gateway generates a GRC value from formulas (1-7) and (1-8) and compares it with the received GRC value; if the two are equal, it forwards the terminal network access request to the corresponding target LoRaWAN service node. The message format is shown in Table 1_4:
TABLE 1_4
MType (3 bits) | RFU (3 bits) | Major (2 bits) | GWID (64 bits) | AppEUI (64 bits) | DevEUI (64 bits) | DevNonce (32 bits) | MIC (32 bits)
The forwarded terminal network access request consists of the following fields:
the message type MType field is 3 bits long and is set to "000" in the network access request; the delay test flag field RFU is 3 bits long and is set to "000" in the network access request; the major version number Major field is 2 bits long and is set to "00"; the gateway identification code GWID uniquely identifies the gateway device and is 64 bits long; the application identification code AppEUI uniquely identifies the current application and is 64 bits long; the terminal identification code DevEUI uniquely identifies the current terminal and is 64 bits long; the random number DevNonce is 32 bits long and is used to resist replay attacks; and the message integrity code MIC is used by the LoRaWAN service node to authenticate the terminal identity.
These fields carry the values from the network access request that the terminal sent to the gateway unchanged; the gateway does not recalculate any of them (in particular, the MIC is still the one computed by the terminal under SerKey).
The target LoRaWAN service node may be pre-allocated, or may be dynamically allocated by the management service node, which will be described in detail in the following embodiments.
5. After receiving the network access request forwarded by the gateway, the LoRaWAN service node first parses the DevEUI and DevNonce fields and looks up the DevNonce values of the terminal's past N requests by DevEUI. N is 100 by default and can be modified as required. If the terminal has already sent a request with the same DevNonce value, the service node discards the request directly, and when the number of discarded requests from one terminal exceeds 50 in a day the service node raises an "attacked" alarm. If no duplicate DevNonce value is found, it generates a MIC value from formulas (1-5) and (1-6) and compares it with the received MIC value; if the two are equal, the LoRaWAN service node sends a key distribution message to the gateway. The message format is shown in Table 1_5:
TABLE 1_5
MType (3 bits) | RFU (3 bits) | Major (2 bits) | AppNonce (24 bits) | NetID (24 bits) | DevAddr (32 bits) | DLSettings (8 bits) | RxDelay (8 bits) | CFList (variable) | MIC (32 bits)
The distribution key message is composed of the following fields:
the message type MType field is 3 bits long and is set to "000" in the key distribution message; the delay test flag field RFU is 3 bits long and is set to "000" in the key distribution message; the major version number Major field is 2 bits long and is set to "00"; the random number AppNonce is 24 bits long and is used to resist replay attacks; the network identifier NetID field is 24 bits long and is set according to the LoRaWAN protocol; the terminal address DevAddr field is 32 bits long, carries the terminal address and is set according to the LoRaWAN protocol; the downlink settings DLSettings field is 8 bits long and is set according to the LoRaWAN protocol; the receive delay RxDelay field is 8 bits long and is set according to the LoRaWAN protocol; the optional channel list CFList field is of variable length and is set according to the LoRaWAN protocol; the message integrity code MIC is used by the terminal to authenticate the identity of the LoRaWAN service node, and the MIC value is obtained by the following calculation:
msg=SM4_encrypt(SerKey,MType|RFU|Major|AppNonce|NetID|DevAddr|DLSettings|RxDelay|CFList) (1-9)
MIC=msg[0..31] (1-10)
wherein SerKey is the root key of the terminal network layer, and bits 0..31 of msg are taken as the MIC value.
In addition, to protect the data, the AppNonce, NetID, DevAddr, DLSettings, RxDelay, CFList and MIC fields are encrypted with the SM4 national commercial cipher under the key SerKey before the message is sent.
6. And after receiving the key distribution message sent by the LoRaWAN service node, the gateway directly forwards the message to the corresponding terminal.
7. After the terminal receives the message, it first decrypts the AppNonce, NetID, DevAddr, DLSettings, RxDelay, CFList and MIC fields with SM4 under the key SerKey, then generates a MIC value from formulas (1-9) and (1-10) and compares it with the received MIC value. If the two are equal, it derives the session keys NwkSKey and AppSKey by the following calculation:
NwkSKey=SM4_encrypt(SerKey,0x01|AppNonce|NetID|DevNonce|pad 16) (1-11)
AppSKey=SM4_encrypt(AppKey,0x02|AppNonce|NetID|DevNonce|pad 16) (1-12)
where pad16 appends zero bits so that the input fills one 128-bit SM4 block: 0x01|AppNonce|NetID|DevNonce is 8+24+24+32 = 88 bits, so 40 zero bits are appended. NwkSKey is derived from SerKey and AppSKey from AppKey.
After obtaining AppSKey, the terminal can report data; if no reply is received within 30 seconds, the data is retransmitted. The format of the data report message is shown in Table 1_6:
TABLE 1_6
GWID (64 bits) | FHDR (variable) | FPort (16 bits) | FRMPayload (variable) | MIC (32 bits) | GRC (32 bits)
The data reporting message is composed of the following fields:
the gateway identification code GWID uniquely identifies the gateway device and is 64 bits long; the frame header FHDR field is of variable length and is set according to the LoRaWAN protocol; the port FPort field is 16 bits long and is set according to the LoRaWAN protocol; the frame payload FRMPayload field is of variable length and is set according to the LoRaWAN protocol; the message integrity code MIC is used by the LoRaWAN service node to authenticate the terminal identity, and the MIC value is obtained by the following calculation:
msg=SM4_encrypt(AppSKey,FHDR|Fport|FRMPayload) (1-13)
MIC=msg[0..31] (1-14)
wherein, MIC takes the lower 32 bits of msg obtained by calculating the formula (1-13).
The gateway authentication code GRC is used by the gateway to authenticate the terminal identity, and the GRC value is obtained by the following calculation:
msg=SM4_encrypt(GWKey,FHDR|Fport|FRMPayload|GWID) (1-15)
GRC=msg[0..31] (1-16)
wherein GWKey is the gateway key, and bits 0..31 of the msg obtained from formula (1-15) are taken as the GRC value.
In the LoRaWAN protocol, the two session keys AppSKey and NwkSKey are both derived from a single root key AppKey, although they protect different communication ranges and layers: NwkSKey belongs to the network layer and protects traffic within the LoRa network, while AppSKey belongs to the application layer and protects data end to end. When the network operator and the service operator are different parties, sharing one root key is a key-management weakness: the LoRa network operator can decrypt the service operator's application-layer data from the root key it holds. The invention therefore uses two root keys, AppKey and SerKey, to derive AppSKey and NwkSKey respectively, which strengthens the security isolation and effectively avoids this threat from the network operator to the service operator.
8. After receiving data reported by the terminal, the gateway parses the GWID field and continues only when the parsed GWID matches its own gateway identification code. It then generates a GRC value from formulas (1-15) and (1-16) and compares it with the received GRC value; if the two are equal, the gateway reports the data to the corresponding LoRaWAN service node. The message format is shown in Table 1_7:
TABLE 1_7
FHDR (variable) | FPort (16 bits) | FRMPayload (variable) | MIC (32 bits)
The data message reported by the gateway is composed of the following fields:
the frame header FHDR field is of variable length and is set according to the LoRaWAN protocol; the port FPort field is 16 bits long and is set according to the LoRaWAN protocol; the frame payload FRMPayload field is of variable length and is set according to the LoRaWAN protocol; and the message integrity code MIC is used by the LoRaWAN service node to authenticate the terminal identity.
These fields carry the values from the data report that the terminal sent to the gateway unchanged; the gateway does not recalculate them.
The invention provides a complete data management scheme: it designs the data format and the verification, encryption and transmission flow for each link of the Internet of Things terminal access process, improves the security and efficiency of data encryption and identity authentication, realises secure terminal access, and uses the two root keys AppKey and SerKey to derive AppSKey and NwkSKey respectively, which greatly strengthens the security isolation.
9. After receiving the reported data, the LoRaWAN service node verifies the MIC value and, once the check passes, inserts the data into the database as follows:
1) Assuming the current database service node list has L entries, the LoRaWAN service node computes from the terminal identification code:
I=DevEUI%L+1 (1-17)
2) It inserts the data into the database service node corresponding to the I-th entry of the database service node list.
3) After the database service node receives the new data, it synchronises the newly inserted data to the other database service nodes according to the database service node list.
10. Each database service node calculates its idleness every 10 minutes and reports it to the management service node. The management service node checks whether the database service node already exists in the database service node list: if it does, it updates that node's idleness value and records the update time; if not, it adds the database service node to the list and records the creation time. The management service node then returns the latest database service node list to the LoRaWAN service node. The idleness calculation is described in detail in the following embodiments.
When the idleness of every database service node is below 0.3, the management service node raises a high-load alarm, and the operation and maintenance staff should start a new database service node promptly. Once started, the new database service node immediately reports its idleness to the management service node, which adds the node to the database service node list on receiving its status report.
In addition, the management service node performs database service node failure detection every 10 minutes by iterating over the update time of the latest record of each node in the database service node list. A database service node that has had no status update for more than 20 minutes is considered failed; the management service node then raises a "database service node failure" alarm and deletes the node from the database service node list.
The self-check mechanism of the database service nodes, with its periodic idleness calculation, balances the load across multiple database service nodes and ensures each server node is used reasonably and efficiently. Periodic failure detection of the database service nodes guarantees the integrity of the data reported by the terminals.
The gateway periodically calculates a load index. After receiving a data packet from a terminal, the gateway calculates the receive duration from the receive radio parameters and the received packet length, records it as t, and stores the channel number and receive duration locally. It iteratively accumulates the total channel load time within one hour, denoted Σt in seconds, and the load index is Σt/3600. When the load index exceeds 0.7, a "gateway high load" alarm is sent, and the terminals repeat the delay test periodically.
When the load indexes of all gateways exceed 0.7, the operation and maintenance staff can add new gateway nodes in time according to the alarm information, so that the system keeps supporting large-scale Internet of Things terminal access. The gateway's periodic load index calculation balances the gateway load, and the terminal's periodic delay test keeps data transmission between terminal and gateway efficient.
Fig. 2 is a schematic view of a gateway access process provided by the present invention, and the following describes the design of each link in the gateway access process with reference to fig. 2.
1. Each time the gateway is powered on, it sends an authentication request to the authentication service node over TCP; if no reply is received within 30 seconds, it resends the authentication request. The authentication request format is shown in Table 2_1:
TABLE 2_1
GWID (64 bits) | AppID (64 bits) | Type (8 bits) | Opt (8 bits) | DevNonce (32 bits) | MIC (16 bits)
The authentication request consists of the following fields:
the gateway identification code GWID uniquely identifies the gateway device and is 64 bits long; the application identification code AppID uniquely identifies the current application and is 64 bits long; the request type Type field is 8 bits long, and "00000001" represents a gateway authentication request; the reserved field Opt is 8 bits long and is kept for subsequent protocol extension; the random number DevNonce is 32 bits long and is used to resist replay attacks, and the gateway generates a fresh random number as the DevNonce value each time it sends an authentication request; the message integrity code MIC is used by the authentication service node to authenticate the gateway identity, and the MIC value is obtained by the following calculation:
msg=SM4_encrypt(GWKey,GWID|AppID|Type|Opt|DevNonce) (2-1)
MIC=msg[0..15] (2-2)
wherein GWKey is the gateway initial key, and bits 0..15 of msg are taken as the MIC value.
2. After receiving an authentication request from a gateway, the authentication service node first parses the GWID, AppID and DevNonce fields and looks up the DevNonce values of the gateway's past N requests by GWID. N is 100 by default and can be modified as required. If the gateway device has already sent a request with the same DevNonce value, the authentication service node discards the request directly, and when the number of discarded authentication requests from one gateway exceeds 50 in a day the authentication service node raises an "attacked" alarm. If no duplicate DevNonce value is found, it generates a MIC value from formulas (2-1) and (2-2) and compares it with the received MIC value; if the two are equal, authentication succeeds and an authentication result message is returned to the gateway in the format shown in Table 2_2:
TABLE 2_2
MKey (128 bits) | SKey (128 bits) | IP (32 bits) | IPBackup (32 bits) | RST (8 bits) | Opt (8 bits) | DevNonce (32 bits) | MIC (16 bits)
The authentication result message consists of the following fields:
the management service key MKey field is 128 bits long and is used to distribute to the gateway device the key mKey for communicating with the management service node; the value of MKey is obtained by the following calculation:
MKey=SM4_encrypt(GWKey,mKey) (2-3)
the service key SKey field is 128 bits long and is used to distribute to the gateway device the key sKey for communicating with the LoRaWAN service node; the value of SKey is obtained by the following calculation:
SKey=SM4_encrypt(GWKey,sKey) (2-4)
the management service node address IP field and the standby management service node address IPBackup field are both 32 bits long;
the authentication result RST field is 8 bits long, and "00000001" represents authentication success;
the reserved field Opt is 8 bits long and is kept for subsequent protocol extension; the random number DevNonce is 32 bits long and is used to resist replay attacks, and the authentication service node generates a fresh random number as the DevNonce value each time it sends an authentication result; the message integrity code MIC is used by the gateway to authenticate the identity of the authentication service node, and the MIC value is obtained by the following calculation:
msg=SM4_encrypt(GWKey,MKey|SKey|IP|IPBackup|RST|Opt|DevNonce) (2-5)
MIC=msg[0..15] (2-6)
wherein GWKey is the gateway initial key, and bits 0..15 of msg are taken as the MIC value.
In addition, to protect the payload, before the authentication result message is sent the IP, IPBackup, RST, Opt, DevNonce and MIC fields are concatenated into a 128-bit payload (32+32+8+8+32+16 bits) and encrypted with SM4 under the key GWKey. To avoid a single point of failure, the authentication service node is deployed as a dual-machine hot standby pair.
3. After receiving the authentication result message from the authentication service node, the gateway node decrypts the payload with SM4, parses it into the IP, IPBackup, RST, Opt, DevNonce and MIC fields, generates a MIC value from formulas (2-5) and (2-6) and compares it with the received MIC value. If the two are equal and the RST field value is "00000001", it obtains the keys mKey and sKey by the following calculation:
mKey=SM4_decrypt(GWKey,MKey) (2-7)
sKey=SM4_decrypt(GWKey,SKey) (2-8)
After obtaining the keys, the gateway node requests a general service node from the management service node at the address given by the IP field by sending a LoRaWAN service node allocation request; if no reply is received within 30 seconds, it resends the request. A general service node is a LoRaWAN service node, and the request format is shown in Table 2_3:
TABLE 2_3
GWID (64 bits) | AppID (64 bits) | Type (8 bits) | Opt (8 bits) | DevNonce (32 bits) | MIC (16 bits)
The LoRaWan service node allocation request is composed of the following fields:
the gateway identification code GWID uniquely identifies the gateway device and is 64 bits long; the application identification code AppID uniquely identifies the current application and is 64 bits long; the request type Type field is 8 bits long, and "10000001" represents a request to allocate a general service node; the reserved field Opt is 8 bits long and is kept for subsequent protocol extension; the random number DevNonce is 32 bits long and is used to resist replay attacks, and the gateway generates a fresh random number as the DevNonce value each time it sends an allocation request; the message integrity code MIC is used by the management service node to authenticate the gateway identity, and the MIC value is obtained by the following calculation:
msg=SM4_encrypt(mKey,GWID|AppID|Type|Opt|DevNonce) (2-9)
MIC=msg[0..15] (2-10)
wherein SM4_encrypt denotes the SM4 encryption algorithm, mKey is the management service key, and bits 0..15 of msg are taken as the MIC value.
4. After receiving a LoRaWAN service node allocation request from a gateway, the management service node first parses the GWID, AppID and DevNonce fields and looks up the DevNonce values of the gateway's past N requests by GWID. N is 100 by default and can be modified as required. If the gateway device has already sent a request with the same DevNonce value, the management service node discards the request directly, and when the number of discarded requests from one gateway exceeds 50 in a day the management service node raises an "attacked" alarm. If no duplicate DevNonce value is found, it generates a MIC value from formulas (2-9) and (2-10) and compares it with the received MIC value; if the two are equal and the Type field value is "10000001", authentication succeeds. The management service node then selects, based on the idleness indexes of all LoRaWAN service nodes, the LoRaWAN service node with the highest idleness, assigns it as the target LoRaWAN service node for this gateway, and returns its IP in an allocation response message. The allocation response message format is shown in Table 2_4:
TABLE 2_4
IP (32 bits) | ServerID (32 bits) | RST (8 bits) | Opt (8 bits) | DevNonce (32 bits) | MIC (16 bits)
The allocation response message is composed of the following fields:
the general service node address IP field is 32 bits long and carries the IP address of the service node allocated to the gateway; the general service node identification code ServerID uniquely identifies a general service node, that is, each LoRaWAN service node, and is 32 bits long; the authentication result RST field is 8 bits long, and "00000001" represents authentication success; the reserved field Opt is 8 bits long and is kept for subsequent protocol extension; the random number DevNonce is 32 bits long and is used to resist replay attacks, and the management service node generates a fresh random number as the DevNonce value each time it sends an allocation response; the message integrity code MIC is used by the gateway node to authenticate the identity of the management service node, and the MIC value is obtained by the following calculation:
msg=SM4_encrypt(mKey,IP|ServerID|RST|Opt|DevNonce) (2-11)
MIC=msg[0..15] (2-12)
wherein SM4_encrypt denotes the SM4 encryption algorithm, mKey is the management service key, and bits 0..15 of msg are taken as the MIC value.
In addition, to protect the payload, before the message is sent the IP, ServerID, RST, Opt, DevNonce and MIC fields are concatenated into a 128-bit payload and encrypted with SM4 under the key mKey. To avoid a single point of failure, the management service node is deployed as a dual-machine hot standby pair.
5. After receiving the response from the management service node, the gateway decrypts the payload with SM4, parses it into the IP, ServerID, RST, Opt, DevNonce and MIC fields, generates a MIC value from formulas (2-11) and (2-12) and compares it with the received MIC value. If the two are equal and the RST field value is "00000001", the gateway sends an access request to the parsed general service node IP; if no reply is received within 30 seconds, it resends the request. The access request format is shown in Table 2_5:
TABLE 2_5
GWID (64 bits) | AppID (64 bits) | Type (8 bits) | Opt (8 bits) | DevNonce (32 bits) | MIC (16 bits)
The access request consists of the following fields:
the gateway identification code GWID uniquely identifies the gateway device and is 64 bits long; the application identification code AppID uniquely identifies the current application and is 64 bits long; the request type Type field is 8 bits long, and "11000001" represents an access request; the reserved field Opt is 8 bits long and is kept for subsequent protocol extension; the random number DevNonce is 32 bits long and is used to resist replay attacks, and the gateway generates a fresh random number as the DevNonce value each time it sends an access request; the message integrity code MIC is used by the general service node to authenticate the gateway identity, and the MIC value is obtained by the following calculation:
msg=SM4_encrypt(sKey,GWID|AppID|Type|Opt|DevNonce) (2-13)
MIC=msg[0..15] (2-14)
wherein SM4_encrypt denotes the SM4 encryption algorithm, sKey is the service key, and bits 0..15 of msg are taken as the MIC value.
6. After receiving the access request from the gateway, the LoRaWAN service node first parses the GWID, AppID and DevNonce fields and looks up the DevNonce values of the gateway's past N requests by GWID. N is 100 by default and can be modified as required. If the gateway device has already sent a request with the same DevNonce value, the LoRaWAN service node discards the request directly, and when the number of discarded access requests from one gateway exceeds 50 in a day the LoRaWAN service node raises an "attacked" alarm. If no duplicate DevNonce value is found, it generates a MIC value from formulas (2-13) and (2-14) and compares it with the received MIC value; if the two are equal and the Type field value is "11000001", authentication succeeds. The LoRaWAN service node then adds the gateway's GWID to its white list and returns an access success message in the format shown in Table 2_6:
TABLE 2_6
RST (8 bits) | Opt (8 bits) | DevNonce (32 bits) | MIC (16 bits)
The access success message is composed of the following fields:
the authentication result RST field is 8 bits long, and "00000001" represents authentication success; the reserved field Opt is 8 bits long and is kept for subsequent protocol extension; the random number DevNonce is 32 bits long and is used to resist replay attacks, and the LoRaWAN service node generates a fresh random number as the DevNonce value each time it sends an access success message; the message integrity code MIC is used by the gateway node to authenticate the identity of the general service node, and the MIC value is obtained by the following calculation:
msg=SM4_encrypt(sKey,RST|Opt|DevNonce) (2-15)
MIC=msg[0..15] (2-16)
wherein SM4_encrypt denotes the SM4 encryption algorithm, sKey is the service key, and bits 0..15 of msg are taken as the MIC value.
After receiving the response from the LoRaWAN service node, the gateway generates a MIC value from formulas (2-15) and (2-16) and compares it with the received MIC value. If the two are equal and the RST field value is "00000001", authentication succeeds and the gateway starts processing terminal data.
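The terminal network access exchange of steps 3 to 7 of the terminal access process (formulas (1-5) to (1-12)) and the gateway authentication exchange of steps 1 to 6 above (formulas (2-1) to (2-16), with 16-bit MICs and the MKey/SKey wrapping of (2-3), (2-4), (2-7), (2-8)) rest on the same primitives, so one added example serves both. The code below is an illustration written for this page, not the patent's implementation: a from-scratch SM4 block function (GB/T 32907-2016) checked against the standard test vector; a MAC that reads "SM4_encrypt" over an input longer than one block as zero-IV CBC chaining with zero padding, truncated to the first 32 or 16 bits (an assumption, since the page does not say how multi-block inputs are handled); the last-N DevNonce window with the more-than-50-discards-per-day alarm; and the terminal, gateway and service-node steps for the network access request. The same `sm4_mac` also covers the data-report MIC and GRC of (1-13) to (1-16). Function names, keys, identifiers and nonces are constructed for the example.

```python
import hmac
import struct
from collections import defaultdict, deque

# SM4 (GB/T 32907-2016): S-box, system parameters FK and fixed parameters CK.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = tuple(int.from_bytes(bytes((4 * i + j) * 7 & 0xFF for j in range(4)), "big") for i in range(32))
HDR = b"\x00"  # MType=000 | RFU=000 | Major=00 packed into one byte

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _t(x, key_schedule=False):  # T = L(tau(x)) in the rounds, T' = L'(tau(x)) in the key schedule
    b = int.from_bytes(bytes(SBOX[c] for c in x.to_bytes(4, "big")), "big")
    if key_schedule:
        return b ^ _rotl(b, 13) ^ _rotl(b, 23)
    return b ^ _rotl(b, 2) ^ _rotl(b, 10) ^ _rotl(b, 18) ^ _rotl(b, 24)

def sm4_block(key, block, decrypt=False):
    """One 128-bit SM4 block; decryption is the same network with the round keys reversed."""
    k = [w ^ f for w, f in zip(struct.unpack(">4I", key), FK)]
    for i in range(32):
        k.append(k[i] ^ _t(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i], key_schedule=True))
    rk = k[4:][::-1] if decrypt else k[4:]
    x = list(struct.unpack(">4I", block))
    for i in range(32):
        x.append(x[i] ^ _t(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i]))
    return struct.pack(">4I", x[35], x[34], x[33], x[32])

def sm4_mac(key, data, nbytes):
    """ASSUMPTION: 'SM4_encrypt' of a multi-block input is read as zero-IV CBC chaining with
    zero padding; the MIC/GRC is the first nbytes of the last block (4 = msg[0..31], 2 = msg[0..15])."""
    data += bytes(-len(data) % 16)
    state = bytes(16)
    for i in range(0, len(data), 16):
        state = sm4_block(key, bytes(a ^ b for a, b in zip(state, data[i:i + 16])))
    return state[:nbytes]

class ReplayGuard:
    """Last-N DevNonce window per identity (N=100) and the 'attacked' alarm after >50 discards."""
    def __init__(self, window=100, alarm_after=50):
        self.seen = defaultdict(lambda: deque(maxlen=window))
        self.discards = defaultdict(int)
        self.alarm_after = alarm_after
    def admit(self, ident, nonce):
        if nonce in self.seen[ident]:
            self.discards[ident] += 1  # only duplicate nonces count, as on the page
            return False
        self.seen[ident].append(nonce)
        return True
    def attacked(self, ident):
        return self.discards[ident] > self.alarm_after

def build_join_request(ser_key, gw_key, gwid, app_eui, dev_eui, dev_nonce):
    """Terminal, Table 1_3: MIC per (1-5)/(1-6) under SerKey (note: GWID is not covered),
    GRC per (1-7)/(1-8) under GWKey."""
    mic = sm4_mac(ser_key, HDR + app_eui + dev_eui + dev_nonce, 4)
    grc = sm4_mac(gw_key, HDR + gwid + dev_nonce, 4)
    return HDR + gwid + app_eui + dev_eui + dev_nonce + mic + grc

def gateway_forward(gw_key, my_gwid, guard, frame):
    """Gateway, step 4, in the page's order (header, GWID, DevNonce window, GRC);
    returns the Table 1_4 frame with GRC stripped and nothing recomputed, or None."""
    if len(frame) != 37 or frame[0] != 0x00:
        return None
    gwid, dev_eui, dev_nonce, grc = frame[1:9], frame[17:25], frame[25:29], frame[33:]
    if gwid != my_gwid or not guard.admit(dev_eui, dev_nonce):
        return None
    if not hmac.compare_digest(sm4_mac(gw_key, HDR + gwid + dev_nonce, 4), grc):
        return None
    return frame[:33]

def service_node_accept(ser_key, guard, fwd):
    """LoRaWAN service node, step 5: DevNonce window, then the MIC of (1-5) under SerKey."""
    if len(fwd) != 33 or fwd[0] != 0x00:
        return False
    app_eui, dev_eui, dev_nonce, mic = fwd[9:17], fwd[17:25], fwd[25:29], fwd[29:]
    if not guard.admit(dev_eui, dev_nonce):
        return False
    return hmac.compare_digest(sm4_mac(ser_key, HDR + app_eui + dev_eui + dev_nonce, 4), mic)

def derive_session_keys(ser_key, app_key, app_nonce, net_id, dev_nonce):
    """(1-11)/(1-12): 0x01|AppNonce(24)|NetID(24)|DevNonce(32) is 88 bits, so pad16 adds
    40 zero bits; NwkSKey and AppSKey come from different root keys (SerKey, AppKey)."""
    tail = app_nonce + net_id + dev_nonce
    tail += bytes(15 - len(tail))
    return sm4_block(ser_key, b"\x01" + tail), sm4_block(app_key, b"\x02" + tail)

def wrap_key(gw_key, k, unwrap=False):  # (2-3)/(2-4) MKey = SM4_encrypt(GWKey, mKey); (2-7)/(2-8) inverse
    return sm4_block(gw_key, k, decrypt=unwrap)
```

Two things the code makes visible that the prose does not. The GRC of (1-7) binds only GWID and DevNonce, so a frame whose DevEUI or AppEUI was altered in transit passes the gateway and is rejected only by the service node's MIC. And because the page checks the DevNonce window before the GRC, an unauthenticated sender can consume a terminal's nonces and push the discard counter towards the alarm threshold; checking the GRC before recording the nonce closes that. The counter also only counts duplicate nonces, so failed checks of the 16-bit gateway-side MICs (a 2^-16 success chance per forged message) never raise the "attacked" alarm; counting MIC failures too is a cheap hardening.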
7. The LoRaWAN service node calculates its idleness every 10 minutes and reports it to the management service node. The idleness is calculated as follows:
[Formulas for the load value k(t) and the idleness K(t): equation images not reproduced in the text.]
wherein k(t-1) is the load value obtained in the previous iteration, k(t) the latest load value obtained in the current iteration, K(t) the idleness obtained in the current iteration, n_c the number of CPU cores, and n_r the average number of active processes over roughly the last 10 minutes. An active process is one that is not waiting for the result of an I/O operation, has not voluntarily entered a wait state, and is not stopped. The iteration initial value k(0) is calculated as follows:
[Formula for the iteration initial value k(0): equation image not reproduced in the text.]
wherein a_n is the n-th instantaneous count of active processes; this value is sampled every 5 seconds and the last 120 samples are retained.
The format of the report management service node message is shown in table 2_ 7:
TABLE 2_7
ServerID (32 bits) | KValue (32 bits) | Type (8 bits) | Opt (8 bits) | DevNonce (32 bits) | MIC (16 bits)
The report management service node message is composed of the following fields:
the general service node identification code ServerID uniquely identifies the general service node and is 32 bits long; the idleness KValue field is 32 bits long; the type Type field is 8 bits long, and "00000010" represents a status report message; the reserved field Opt is 8 bits long and is kept for subsequent protocol extension; the random number DevNonce is 32 bits long and is used to resist replay attacks, and the LoRaWAN service node generates a fresh random number as the DevNonce value each time it sends a status report; the message integrity code MIC is used by the management service node to authenticate the identity of the LoRaWAN service node, and the MIC value is obtained by the following calculation:
msg=SM4_encrypt(mKey,ServerID|KValue|Type|Opt|DevNonce) (2-20)
MIC=msg[0..15] (2-21)
wherein SM4_encrypt denotes the SM4 encryption algorithm, mKey is the management service key, and bits 0..15 of msg are taken as the MIC value.
After receiving a status message from a LoRaWAN service node, the management service node first parses the ServerID and DevNonce fields and looks up the DevNonce values of the service node's past N messages by ServerID. N is 100 by default and can be modified as required. If the service node has already sent a message with the same DevNonce value, the management service node discards the message directly, and when the number of discarded messages from one service node exceeds 50 in a day the management service node raises an "attacked" alarm. If no duplicate DevNonce value is found, it generates a MIC value from formulas (2-20) and (2-21) and compares it with the received MIC value; if the two are equal and the Type field value is "00000010", the management service node checks whether the node already exists in the service node state table. If it does, it updates that LoRaWAN service node's idleness value and records the update time; if not, it adds the service node's state information to the service node state table and records the creation time. The management service node then returns the latest database service node list to the LoRaWAN service node.
When the idleness of every LoRaWAN service node is below 0.3, the management service node raises a high-load alarm, and the operation and maintenance staff should start a new LoRaWAN service node promptly. Once started, the new LoRaWAN service node immediately reports its idleness to the management service node, which adds the node to the service node state table on receiving its status report.
The Internet of Things terminal access method provided by the invention realises an Internet of Things system with secure access for a million LoRa terminals. By periodically updating the idleness of each LoRaWAN service node and dynamically allocating LoRaWAN service nodes to gateways according to that idleness, it balances the load across the LoRaWAN service nodes and keeps data transmission efficient under a million concurrent connections.
In addition, the management service node runs LoRaWAN service node failure detection every 10 minutes, iterating over the update time of the latest record of each service node in the service node state table. A node with no status update for more than 20 minutes is considered failed; the management service node then raises a 'LoRaWAN service node failure' alarm and removes the node from the service node state table.
Through the vacancy calculation and failure detection of the service nodes, abnormal conditions of the LoRaWAN service nodes can be found in time, so operation and maintenance staff can intervene promptly and terminal data keeps being transmitted safely and effectively.
In addition, the gateway device sends a status update request to the management service node every P minutes and resends it if no reply is received within 30 seconds. The management service node decides, based on the real-time load, whether to replace the gateway's LoRaWAN service node (this also covers failure of a network server). The status update request format is shown in table 2_8:
TABLE 2_8 (status update request format; table image BDA0003066156510000201 not reproduced)
The status update request consists of the following fields:
the gateway identity code GWID, 64 bits, uniquely identifies the gateway device; the application identification code AppID, 64 bits, uniquely identifies the current application; the request type field Type, 8 bits, where "11000011" denotes a status update request; a reserved field Opt, 8 bits, for later protocol extension; the random number DevNonce, 32 bits, used to resist replay attacks, the gateway generating a fresh random number as DevNonce every time it sends a request; and the message integrity code MIC, with which the receiving service node authenticates the gateway identity, computed as follows:
msg = SM4_encrypt(mKey, GWID | AppID | Type | Opt | DevNonce)    (2-22)
MIC = msg[0..15]    (2-23)
where SM4_encrypt denotes the SM4 national cryptographic algorithm, mKey is the service key, and the low 16 bits of msg are taken as the MIC value.
After receiving a state request from a gateway, the management service node first parses the GWID, AppID and DevNonce fields and looks up the DevNonce values of the past N requests from that gateway by GWID. N is 100 by default and can be changed as needed. If the gateway is found to have already sent a request with the same DevNonce value, the management service node discards the request. When the number of requests discarded for a given gateway in one day exceeds 50, the management service node raises an 'attack' alarm. If no duplicate DevNonce value is found, a MIC value is computed from equations (2-22) and (2-23) and compared with the received MIC value; if the two are equal and the RST field value is "11000011", the management service node determines whether the service node currently serving the gateway has failed. If the vacancy of that LoRaWAN service node is below 0.3 or the node has failed, the management service node selects, by the vacancy index of each LoRaWAN service node, the service node with the highest current vacancy (the target LoRaWAN service node) and sends its IP to the gateway; the message format is shown in table 2_9:
TABLE 2_9 (status update reply format; table image BDA0003066156510000211 not reproduced)
The general service node address field, 32 bits, carries the IP address of the service node assigned to the gateway.
The general service node identification code ServerID, 32 bits, uniquely identifies that service node; the result field RST, 8 bits, where "00000001" means reallocation and "00000000" means no reallocation; a reserved field Opt, 8 bits, for later protocol extension; the random number DevNonce, 32 bits, used to resist replay attacks, a fresh random number being generated as DevNonce every time the message is sent; and the message integrity code MIC, with which the gateway authenticates the management service node, computed as follows:
msg = SM4_encrypt(mKey, IP | ServerID | RST | Opt | DevNonce)    (2-24)
MIC = msg[0..15]    (2-25)
where SM4_encrypt denotes the SM4 national cryptographic algorithm, mKey is the management service key, and the low 16 bits of msg are taken as the MIC value.
In addition, to protect the payload, the IP, ServerID, RST, Opt, DevNonce and MIC fields are concatenated before sending into a 128-bit payload, which is encrypted with SM4 under the key mKey.
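The gateway status-update handling described above (the table 2_8 request, the table 2_9 reply, the per-gateway DevNonce window of N = 100, the daily discard alarm at 50, the 0.3 vacancy threshold) together with the service node state table, high-load alarm and 20-minute failure detection from the preceding paragraphs, as an added Python example; this is not code from the patent. It assumes an HMAC-SHA256 stand-in `keyed_prf` in place of SM4_encrypt (SM4 is not in the Python standard library), big-endian field packing, and an injectable clock and nonce source; the final SM4 encryption of the 128-bit reply payload is left out for the same reason.

```python
import hashlib
import hmac
import secrets
import struct
from collections import defaultdict, deque

RST_STATUS_UPDATE = 0b11000011  # request type of a status update request (table 2_8)
RESULT_REALLOC = 0b00000001     # reply result: a new LoRaWAN service node is assigned (table 2_9)
RESULT_KEEP = 0b00000000        # reply result: no reallocation
NONCE_WINDOW = 100              # N: DevNonce values remembered per gateway
DISCARD_ALARM_LIMIT = 50        # discarded requests per gateway per day before the 'attack' alarm
VACANCY_THRESHOLD = 0.3         # reallocate below this vacancy; every node below it => high-load alarm
FAILURE_TIMEOUT = 20 * 60       # seconds without a state report before a node counts as failed

REQ_FMT = ">QQBBI"  # GWID(64) | AppID(64) | Type(8) | Opt(8) | DevNonce(32), followed by a 16-bit MIC
REP_FMT = ">IIBBI"  # IP(32) | ServerID(32) | RST(8) | Opt(8) | DevNonce(32), followed by a 16-bit MIC


def keyed_prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for SM4_encrypt(key, data) of equations (2-22)/(2-24); an assumption, not SM4."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mic16(key: bytes, data: bytes) -> bytes:
    """MIC = msg[0..15]: the low 16 bits of the keyed output."""
    return keyed_prf(key, data)[:2]


def build_status_request(mkey: bytes, gwid: int, appid: int, devnonce: int, opt: int = 0) -> bytes:
    """Gateway side: pack a table 2_8 status update request and append its MIC."""
    body = struct.pack(REQ_FMT, gwid, appid, RST_STATUS_UPDATE, opt, devnonce)
    return body + mic16(mkey, body)


def parse_reply(mkey: bytes, reply: bytes):
    """Gateway side: check the management node's MIC; return (ip, server_id, rst) or None."""
    body, mic = reply[:14], reply[14:16]
    if not hmac.compare_digest(mic, mic16(mkey, body)):
        return None
    ip, server_id, rst, _opt, _nonce = struct.unpack(REP_FMT, body)
    return ip, server_id, rst


class ManagementServiceNode:
    def __init__(self, mkey: bytes, clock, rng=lambda: secrets.randbits(32)):
        self.mkey, self.clock, self.rng = mkey, clock, rng
        self.nonces = defaultdict(lambda: deque(maxlen=NONCE_WINDOW))  # GWID -> last N DevNonce values
        self.discards = defaultdict(int)  # (GWID, day) -> discarded requests
        self.nodes = {}       # ServerID -> {"ip", "vacancy", "updated"}: the service node state table
        self.assignment = {}  # GWID -> ServerID currently serving that gateway
        self.alarms = []

    def report_node_state(self, server_id: int, ip: int, vacancy: float) -> None:
        """A LoRaWAN service node reported its vacancy: update (or create) its state table entry."""
        self.nodes[server_id] = {"ip": ip, "vacancy": vacancy, "updated": self.clock()}
        if all(n["vacancy"] < VACANCY_THRESHOLD for n in self.nodes.values()):
            self.alarms.append("high load")

    def detect_failures(self) -> list:
        """Run every 10 minutes: a node silent for more than 20 minutes is failed and removed."""
        now = self.clock()
        failed = [s for s, n in self.nodes.items() if now - n["updated"] > FAILURE_TIMEOUT]
        for s in failed:
            self.alarms.append(f"LoRaWAN service node failure: {s}")
            del self.nodes[s]
        return failed

    def handle_status_request(self, req: bytes):
        """Replay check first, then MIC and type check, then the reallocation decision."""
        body, mic = req[:22], req[22:24]
        gwid, _appid, rst, _opt, devnonce = struct.unpack(REQ_FMT, body)
        window = self.nonces[gwid]
        if devnonce in window:  # repeated DevNonce: discard and count towards the daily alarm
            key = (gwid, int(self.clock() // 86400))
            self.discards[key] += 1
            if self.discards[key] > DISCARD_ALARM_LIMIT:
                self.alarms.append(f"attack: gateway {gwid:#x}")
            return None
        if rst != RST_STATUS_UPDATE or not hmac.compare_digest(mic, mic16(self.mkey, body)):
            return None  # wrong type or forged request: no state change at all
        window.append(devnonce)  # remember only authenticated nonces so forgeries cannot fill the window
        current_id = self.assignment.get(gwid)
        current = self.nodes.get(current_id)  # None if detect_failures() removed the node
        if current is not None and current["vacancy"] >= VACANCY_THRESHOLD:
            return self._reply(current["ip"], current_id, RESULT_KEEP)
        if not self.nodes:
            self.alarms.append("no LoRaWAN service node available")
            return None
        best = max(self.nodes, key=lambda s: self.nodes[s]["vacancy"])  # highest-vacancy node
        self.assignment[gwid] = best
        return self._reply(self.nodes[best]["ip"], best, RESULT_REALLOC)

    def _reply(self, ip: int, server_id: int, rst: int) -> bytes:
        body = struct.pack(REP_FMT, ip, server_id, rst, 0, self.rng())
        return body + mic16(self.mkey, body)
```

The one deliberate deviation from the order in the text is that a DevNonce is entered into the window only after the MIC has verified: the text checks replay before the MIC, which is the right order for cheap rejection, but recording unauthenticated nonces would let anyone who can reach the management port fill a gateway's window and make its genuine requests count as replays.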
The early-warning and fault-detection mechanisms at each link provided by the invention help operation and maintenance staff find abnormal conditions of the corresponding nodes in time and adopt a response strategy, ensuring complete and effective transmission of terminal data, which matters most for the effective transmission of important data.
Example 2
As shown in fig. 3, embodiment 2 of the present invention provides a large-scale Internet of Things terminal security access system based on domestic passwords and the LoRa protocol. The system can execute any of the large-scale Internet of Things terminal security access methods provided by embodiment 1. As shown in fig. 3, the system is composed of an Internet of Things terminal 310, a gateway 320 and a LoRaWAN service node 350:
the Internet of Things terminal 310 acquires data and reports it to the gateway;
the gateway 320, after receiving the data reported by the terminal, sends it to the LoRaWAN service node over the IP protocol;
the LoRaWAN service node 340 distributes keys and receives and stores data.
Further, as shown in fig. 3, the system may also include an authentication service node 320, which performs access authentication of the gateway, and a management service node 330, which dynamically allocates LoRaWAN service nodes to the gateway.
Further, as shown in fig. 3, the system may also include a database service node 360, which stores data and provides a data query service.
Specifically:
the Internet of Things terminal 310 generates a delay test request using the SM4 national cryptographic algorithm and the gateway key GWKey and sends it to several gateways; parses and verifies the first delay test response message it receives, determines the target gateway, generates a terminal network access request using SM4, the gateway key GWKey and the terminal network layer original key SerKey, and sends it to the target gateway; decrypts and verifies the distributed key message and, after verification passes, computes the network layer session key NwkSKey and the application layer session key AppSKey from SM4, the terminal network layer original key SerKey and the original key AppKey; and encrypts the acquired data with SM4 and the application layer session key AppSKey to generate an uplink data message, which it sends to the target gateway;
the gateway 320 parses and verifies a received delay test request and, if verification passes and the preset condition is met, generates a delay test response message using SM4 and the gateway key GWKey and sends it to the Internet of Things terminal; when it is the target gateway, parses and verifies the received terminal network access request and forwards it to the corresponding target LoRaWAN service node after verification passes; forwards the received encrypted distributed key message to the corresponding Internet of Things terminal; and decrypts and verifies received uplink data messages, reporting the data to the target LoRaWAN service node after verification passes;
the LoRaWAN service node 350 parses and verifies the received terminal network access request and, after verification passes, generates an encrypted distributed key message using SM4 and the terminal network layer original key SerKey and sends it to the target gateway.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the present invention and are not limiting. Although the present invention has been described in detail with reference to the embodiments, those skilled in the art will understand that various changes may be made and equivalents substituted without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A million-level Internet of Things terminal secure access method based on domestic passwords, comprising the following steps:
the Internet of Things terminal generates a delay test request using the SM4 national cryptographic algorithm and a gateway key GWKey and sends it to a plurality of gateways;
each gateway parses and verifies the received delay test request and, if verification passes and the preset condition is met, generates a delay test response message using SM4 and the gateway key GWKey and sends it to the Internet of Things terminal;
the Internet of Things terminal parses and verifies the first delay test response message received, determines a target gateway, generates a terminal network access request using SM4, the gateway key GWKey and a terminal network layer original key SerKey, and sends it to the target gateway;
the target gateway parses and verifies the received terminal network access request and forwards it to the corresponding target LoRaWAN service node after verification passes;
the target LoRaWAN service node parses and verifies the received terminal network access request and, after verification passes, generates an encrypted distributed key message using SM4 and the terminal network layer original key SerKey and sends it to the target gateway;
the target gateway forwards the received encrypted distributed key message to the corresponding Internet of Things terminal;
the Internet of Things terminal decrypts and verifies the distributed key message and, after verification passes, computes a network layer session key NwkSKey and an application layer session key AppSKey from SM4, the terminal network layer original key SerKey and an original key AppKey;
the Internet of Things terminal encrypts the acquired data using SM4 and the application layer session key AppSKey to generate an uplink data message and sends it to the target gateway;
and the target gateway decrypts and verifies the received uplink data message and reports the data to the target LoRaWAN service node after verification passes.
2. The million-level Internet of Things terminal security access method based on domestic passwords according to claim 1, wherein each gateway parsing and verifying the received delay test request and, if verification passes and the preset condition is met, generating a delay test response message using the SM4 national cryptographic algorithm and the gateway key GWKey and sending it to the Internet of Things terminal specifically comprises:
each gateway receives and parses the delay test request to obtain the terminal identification code DevEUI and the random number DevNonce, and looks up the DevNonce values of the past N requests from that Internet of Things terminal by DevEUI; if the same DevNonce value exists, the request is discarded, the number of requests discarded for that terminal within one day is counted, and when the discard threshold is reached the gateway raises an 'attacked' alarm; if no identical DevNonce value is found, the message integrity code MIC value is checked using SM4 and the gateway key GWKey, and when the MIC check passes and the parsed message Type field value matches the delay test flag bit, the Internet of Things terminal is a legitimate terminal; the gateway then queries its load index and, when the load index is below the load threshold, generates a delay test response message using SM4 and the gateway key GWKey and sends it to the Internet of Things terminal;
the load index of the gateway is:
load index = Σt / 3600
where Σt is the total channel load duration counted within one hour, in seconds, and t is the receive duration of one data packet, computed from the receive radio frequency parameters and the received packet length.
3. The million-level Internet of Things terminal security access method based on domestic passwords according to claim 1, wherein the Internet of Things terminal parsing and verifying the first delay test response message received, determining a target gateway, generating a terminal network access request using the SM4 national cryptographic algorithm, the gateway key GWKey and the terminal network layer original key SerKey, and sending it to the target gateway specifically comprises:
the Internet of Things terminal parses the first delay test response message received and verifies the parsed message integrity code MIC value; when the MIC check passes and the parsed message Type field value matches, it determines the gateway identified by the gateway identity code GWID as the target gateway, generates a terminal network access request using SM4, the gateway key GWKey and the terminal network layer original key SerKey, and sends it to the target gateway; delay test response messages sent by other gateways are discarded.
4. The million-level Internet of Things terminal security access method based on domestic passwords according to claim 1, wherein the target gateway parsing and verifying the received terminal network access request and forwarding it to the corresponding target LoRaWAN service node after verification passes specifically comprises:
the target gateway parses the received terminal network access request; when the parsed message Type field value matches the delay test flag bit RFU and the parsed gateway identity code GWID is consistent with the target gateway's own identity code, it examines the parsed terminal identification code DevEUI and random number DevNonce and looks up the DevNonce values of the past N requests from that Internet of Things terminal by DevEUI; if the same DevNonce value exists, the request is discarded, the number of requests discarded for that terminal within one day is counted, and when the discard threshold is reached the gateway raises an 'attacked' alarm; if no identical DevNonce value is found, the gateway authentication code GRC value is verified using the SM4 national cryptographic algorithm and the gateway key GWKey, and when the GRC check passes the gateway forwards the terminal network access request to the corresponding target LoRaWAN service node.
5. The million-level Internet of Things terminal security access method based on domestic passwords according to claim 1, wherein the target LoRaWAN service node parsing and verifying the received terminal network access request and, after verification passes, generating an encrypted distributed key message using the SM4 national cryptographic algorithm and the terminal network layer original key SerKey and sending it to the target gateway specifically comprises:
the target LoRaWAN service node parses the terminal network access request to obtain the terminal identification code DevEUI and the random number DevNonce, and looks up the DevNonce values of the past N requests from that Internet of Things terminal by DevEUI; if the same DevNonce value exists, the request is discarded, the number of requests discarded for that terminal within one day is counted, and when the discard threshold is reached the gateway raises an 'attacked' alarm; if no identical DevNonce value is found, the message integrity code MIC value is verified using SM4 and the gateway key GWKey, and when the MIC check passes an encrypted distributed key message is generated using SM4 and the terminal network layer original key SerKey and sent to the target gateway.
6. The million-level Internet of Things terminal security access method based on domestic passwords according to claim 1, wherein the Internet of Things terminal decrypting and verifying the distributed key message and, after verification passes, computing the network layer session key NwkSKey and the application layer session key AppSKey from the SM4 national cryptographic algorithm, the terminal network layer original key SerKey and the original key AppKey specifically comprises:
decrypting the distributed key message using SM4 and the network layer original key SerKey;
parsing the distributed key message, which comprises the following fields: message type MType (3 bits); delay test flag bit RFU (3 bits); major version number Major (2 bits); application random number AppNonce (24 bits); gateway identifier NetID (24 bits); terminal address DevAddr (32 bits); setting information DLSettings (8 bits); delay RxDelay (8 bits); optional channel list CFList (variable length); and MIC (32 bits);
computing the intermediate quantity msg by the following formula:
msg = SM4_encrypt(SerKey, MType | RFU | Major | AppNonce | NetID | DevAddr | DLSettings | RxDelay | CFList)
where SM4_encrypt() denotes encryption with the SM4 national cryptographic algorithm and "|" denotes the OR operation;
taking the lower 32 bits of msg as the MIC value;
when the MIC check passes, computing the network layer session key NwkSKey and the application layer session key AppSKey from the terminal network layer original key SerKey and the original key AppKey by the following formulas:
NwkSKey = SM4_encrypt(SerKey, 0x01 | AppNonce | NetID | DevNonce | pad16)
AppSKey = SM4_encrypt(AppKey, 0x02 | AppNonce | NetID | DevNonce | pad16)
where pad16 denotes padding bits.
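The terminal-side handling of the distributed key message in claim 6 (field layout, MIC over the fields, and the NwkSKey/AppSKey derivation), as an added Python example; this is not code from the patent. It assumes an HMAC-SHA256 stand-in `block_prf` returning 128 bits in place of SM4_encrypt (SM4 is not in the Python standard library), so the outer SM4 decryption with SerKey is omitted; it reads "|" as field concatenation in the LoRaWAN sense, packs multi-byte fields big-endian, takes the "lower 32 bits" as the first four bytes of msg, and assumes a 16-bit terminal DevNonce (the LoRaWAN 1.0 width; the claim does not state it) so that pad16 fills the 16-byte block with zeros.

```python
import hashlib
import hmac
import struct


def block_prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for SM4_encrypt(key, data) yielding a 128-bit msg; an assumption, not SM4."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def build_key_message(serkey, mtype, rfu, major, appnonce, netid, devaddr, dlsettings, rxdelay, cflist=b""):
    """LoRaWAN service node side: pack the claim 6 fields and append the MIC (first 32 bits of msg)."""
    header = (mtype << 5) | (rfu << 2) | major  # MType(3) | RFU(3) | Major(2) share one byte
    body = (bytes([header]) + appnonce.to_bytes(3, "big") + netid.to_bytes(3, "big")
            + struct.pack(">I", devaddr) + bytes([dlsettings, rxdelay]) + cflist)
    return body + block_prf(serkey, body)[:4]


def parse_key_message(serkey, msg):
    """Terminal side: verify the MIC over every field before it, then split the fields; None on failure."""
    body, mic = msg[:-4], msg[-4:]
    if not hmac.compare_digest(mic, block_prf(serkey, body)[:4]):
        return None
    return {
        "MType": body[0] >> 5, "RFU": (body[0] >> 2) & 0b111, "Major": body[0] & 0b11,
        "AppNonce": int.from_bytes(body[1:4], "big"), "NetID": int.from_bytes(body[4:7], "big"),
        "DevAddr": struct.unpack(">I", body[7:11])[0], "DLSettings": body[11], "RxDelay": body[12],
        "CFList": body[13:],  # variable length: empty or the optional channel list
    }


def derive_session_keys(serkey, appkey, appnonce, netid, devnonce):
    """NwkSKey = PRF(SerKey, 0x01|AppNonce|NetID|DevNonce|pad16); AppSKey the same with AppKey and 0x02."""
    tail = appnonce.to_bytes(3, "big") + netid.to_bytes(3, "big") + devnonce.to_bytes(2, "big")

    def block(tag):  # 9 bytes of fields, zero-padded (pad16) to one 16-byte block
        return (bytes([tag]) + tail).ljust(16, b"\x00")

    return block_prf(serkey, block(0x01)), block_prf(appkey, block(0x02))


def terminal_join(serkey, appkey, devnonce, msg):
    """Whole terminal step: reject on MIC failure, otherwise return DevAddr and both session keys."""
    fields = parse_key_message(serkey, msg)
    if fields is None:
        return None
    nwk, app = derive_session_keys(serkey, appkey, fields["AppNonce"], fields["NetID"], devnonce)
    return {"DevAddr": fields["DevAddr"], "NwkSKey": nwk, "AppSKey": app}
```

Because the terminal's own DevNonce enters the derivation, a replayed distributed key message from an earlier join yields different session keys on the terminal than on the service node, so the replay does not silently resurrect an old session; the MIC check in turn rejects any modification of the header or nonce fields before they are used.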
7. The million-level Internet of Things terminal security access method based on domestic passwords according to claim 1, wherein, before the target gateway parses and verifies the received terminal network access request and forwards it to the corresponding target LoRaWAN service node after verification passes, the method further comprises determining the target LoRaWAN service node corresponding to the target gateway and completing access, which specifically comprises:
the target gateway generates an authentication request using the SM4 national cryptographic algorithm and the gateway key GWKey and sends it to the authentication service node;
the authentication service node checks the authentication request, generates an encrypted authentication result message using SM4, GWKey, the key mKey for communication with the management service node and the key sKey for communication with the LoRaWAN service node, and sends it to the target gateway;
the target gateway decrypts and verifies the authentication result message, recovers mKey and sKey by SM4 decryption, parses the IP address of the management service node, generates a LoRaWAN service node allocation request using SM4 and mKey, and sends it to the management service node;
the management service node checks the LoRaWAN service node allocation request, determines the target LoRaWAN service node according to the vacancy of each LoRaWAN service node, generates an allocation response message using SM4 and mKey, and sends it to the target gateway;
the target gateway checks the allocation response message, parses the IP address of the target LoRaWAN service node, generates an access request using SM4 and sKey, and sends it to the target LoRaWAN service node;
the target LoRaWAN service node checks the access request and, if the check passes, adds the gateway identity code GWID of the target gateway to a whitelist, generates an access success message using SM4 and sKey, and sends it to the target gateway;
and the target gateway checks the access success message and, if the check passes, starts processing the data of the Internet of Things terminal.
8. The million-level Internet of Things terminal security access method based on domestic passwords according to claim 7, wherein the idleness (vacancy) K(t) of a LoRaWAN service node is:
[formula image FDA0003066156500000041, not reproduced]
where n_c is the number of CPU cores and k(t) is the latest load value obtained by the iteration, which satisfies:
[formula image FDA0003066156500000042, not reproduced]
[formula image FDA0003066156500000051, not reproduced]
where k(0) is the initial value of the iteration, k(t-1) is the load value obtained in the previous iteration, a_n is the n-th instantaneous count of active processes, n is the sample index, and n_r is the average number of active processes over a set time period.
9. The million-level Internet of Things terminal security access method based on domestic passwords according to claim 1, further comprising:
after receiving the reported data, the target LoRaWAN service node verifies the message integrity code MIC value and, if the check passes, computes the data index I of the target database service node in the database service node list by the following formula:
I = DevEUI % L + 1
where DevEUI is the terminal identification code and L is the number of entries in the database service node list;
inserting the reported data at data index I of the database service node list;
and the target database service node synchronizes the reported data to the other database service nodes according to the database service node list.
10. A million-level Internet of Things terminal security access system based on domestic passwords, characterized by comprising an Internet of Things terminal, a gateway, an authentication service node, a management service node and a LoRaWAN service node, wherein:
the Internet of Things terminal acquires data and reports it to the gateway;
the gateway receives the data reported by the Internet of Things terminal and sends it to the LoRaWAN service node over the IP protocol;
the authentication service node performs access authentication of the gateway;
the management service node dynamically allocates LoRaWAN service nodes to the gateway;
and the LoRaWAN service node distributes keys and receives and stores data.
CN202110526583.1A 2021-05-14 2021-05-14 Million-level Internet of things terminal security access method and system based on domestic passwords Active CN113473456B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110526583.1A CN113473456B (en) 2021-05-14 2021-05-14 Million-level Internet of things terminal security access method and system based on domestic passwords

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110526583.1A CN113473456B (en) 2021-05-14 2021-05-14 Million-level Internet of things terminal security access method and system based on domestic passwords

Publications (2)

Publication Number Publication Date
CN113473456A true CN113473456A (en) 2021-10-01
CN113473456B CN113473456B (en) 2023-03-14

Family

ID=77870685

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110526583.1A Active CN113473456B (en) 2021-05-14 2021-05-14 Million-level Internet of things terminal security access method and system based on domestic passwords

Country Status (1)

Country Link
CN (1) CN113473456B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124376A (en) * 2021-11-23 2022-03-01 中国标准化研究院 Data processing method and system based on network data acquisition
CN114389963A (en) * 2021-11-26 2022-04-22 国电南瑞南京控制系统有限公司 Whole-process debugging method and debugging device for rapid access of Internet of things fusion terminal



Also Published As

Publication number Publication date
CN113473456B (en) 2023-03-14


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant