CN113543128B - Method, apparatus and computer readable storage medium for secure synchronization between access devices - Google Patents


Info

Publication number
CN113543128B
Authority
CN
China
Prior art keywords
access
key
meshid
access equipment
mesh
Prior art date
Legal status
Active
Application number
CN202010275096.8A
Other languages
Chinese (zh)
Other versions
CN113543128A (en)
Inventor
辛军
彭华熹
张艳
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Priority to CN202010275096.8A
Publication of CN113543128A
Application granted
Publication of CN113543128B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 56/00 Synchronisation arrangements > H04W 56/001 Synchronization between nodes
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 76/00 Connection management > H04W 76/10 Connection setup

Abstract

The embodiment of the invention provides a method, an apparatus and a computer-readable storage medium for secure synchronization between access devices, wherein the method comprises the following steps: the access device generates a mesh identifier (MeshID) and a key based on the information negotiated with other access devices and the information generated by the access device itself; when the access device determines that it is the primary access device, it sends the mesh identifier MeshID and the key to the other access devices for verification; or, it receives the mesh identifier MeshID and the key sent by the primary access device for verification; it receives verification success messages sent by the other access devices; or, it sends a verification success message to the primary access device; wherein the verification success message is used to indicate that the synchronization succeeded.

Description

Method, apparatus and computer readable storage medium for secure synchronization between access devices
Technical Field
The present invention relates to the field of mobile communications technologies, and in particular, to a method and an apparatus for secure synchronization between access devices, and a computer-readable storage medium.
Background
Wireless Mesh Networks (WMNs) are a new type of dynamically self-organizing, self-configuring wireless network. In a WMN, any wireless device node can act as both an AP and a router, each node in the network can send and receive signals, and each node can communicate directly with one or more peer nodes, giving a multipoint-to-multipoint network topology.
For this new type of ad hoc network, which has to be built from several access devices (such as routers), the configuration parameters of the access devices have special requirements (for example, all routers in the network must have the same mesh identifier and key, which is an essential precondition for forming a mesh network), and some configuration parameters of the several access devices must be kept consistent. When a configuration parameter of one access device changes, the changed configuration parameter information of that access device must be synchronized to the other access devices in the network, so as to achieve synchronization and sharing of the data of each access device.
At present, when the policy configuration parameters of one access device change, the other access devices have to be reconfigured one by one manually. This approach requires a large amount of human effort and is error-prone, so policy configuration synchronization between access devices is inefficient, time-consuming and labor-intensive, and the user experience is poor.
Disclosure of Invention
In view of this, embodiments of the present invention are intended to provide a method, an apparatus, and a computer-readable storage medium for security synchronization between access devices.
In order to achieve the above purpose, the technical solution of the embodiment of the present invention is realized as follows:
the embodiment of the invention provides a method for secure synchronization between access devices, which is applied to any access device and comprises the following steps:
generating a mesh identifier MeshID and a key based on the information negotiated with other access devices and the information generated by the access device itself;
when the access device determines that it is the primary access device, sending the mesh identifier MeshID and the key to the other access devices for verification; or, receiving the mesh identifier MeshID and the key sent by the primary access device for verification;
receiving verification success messages sent by the other access devices; or, sending a verification success message to the primary access device; wherein the verification success message is used to indicate that the synchronization succeeded.
Optionally, before generating the mesh identifier MeshID and the key based on the message negotiated with the other access devices and the message generated by the access device itself, the method further includes:
negotiating pairwise with the other access devices to obtain the messages negotiated with the other access devices.
The negotiating pairwise with the other access devices to obtain the messages negotiated with them includes:
establishing a network connection with the other access devices;
encrypting the message generated by the access device itself with the initial key and then sending it to the other access devices;
receiving responses sent by the other access devices and receiving the messages generated by the other access devices, where the messages generated by the other access devices are encrypted with the initial key before being sent; wherein
the content of the self-generated message and of the messages generated by the other access devices includes, but is not limited to, one or more of the following items of information:
device identification number, start time, MAC address, IP address and external network connection status.
Wherein, the generating a mesh identifier MeshID and a key based on the message negotiated with the other access devices and the message generated by the access device itself includes:
generating the mesh identifier MeshID by using a preset networking configuration update algorithm based on the information negotiated with the other access devices and the information generated by the access device itself;
and generating the key by using a preset key generation algorithm based on the mesh identifier MeshID and the initial key.
Wherein, the determining that the access device itself is the primary access device includes:
judging whether the network parameters of the access device itself and of the other access devices meet preset conditions;
and if the network parameters of the access device itself meet the preset conditions, judging that the access device itself is the primary access device.
Wherein the preset conditions include, but are not limited to, the following:
determining the access device connected to the external network as the primary access device;
determining the access device with the largest MAC address as the primary access device;
and determining the access device with the smallest IP address as the primary access device.
When the access device determines that it is the primary access device, the sending the mesh identifier MeshID and the key to the other access devices for verification, and receiving verification success messages sent by the other access devices, includes:
encrypting and packaging the mesh identifier MeshID with the key;
sending the encrypted data to the other access devices for verification;
receiving a verification success message sent by another access device after its verification passes; or receiving a verification failure message sent by another access device after its verification fails.
The receiving the mesh identifier MeshID and the key sent by the primary access device for verification, and sending a verification success message to the primary access device, includes:
receiving the mesh identifier MeshID, encrypted with the key, sent by the primary access device;
generating a mesh identifier MeshID and a key using the same algorithm as the primary access device;
decrypting the received encrypted mesh identifier MeshID with the key generated by the access device itself; if the decryption succeeds and the mesh identifier MeshID obtained by decryption is the same as the mesh identifier MeshID generated by the access device itself, updating the initial mesh identifier and the initial key to the mesh identifier MeshID and the key, and sending a verification success message to the primary access device;
and when the decryption is determined to have failed, directly sending a verification failure message to the primary access device.
The embodiment of the invention also provides a secure synchronization apparatus between access devices, which is applied to any access device and comprises:
a generation module, configured to generate a mesh identifier (MeshID) and a key based on the information negotiated with other access devices and the information generated by the access device itself;
a transceiver module, configured to send the mesh identifier MeshID and the key to the other access devices for verification when the access device determines that it is the primary access device; or, to receive the mesh identifier MeshID and the key sent by the primary access device for verification;
and to receive verification success messages sent by the other access devices; or, to send a verification success message to the primary access device; wherein the verification success message is used to indicate that the synchronization succeeded.
The embodiment of the invention also provides a secure synchronization apparatus between access devices, which comprises: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to perform the steps of the above method when running the computer program.
Embodiments of the present invention further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the above-mentioned method.
According to the method, the apparatus and the computer-readable storage medium for secure synchronization between access devices provided by the embodiment of the invention, the access devices generate the mesh identifier MeshID and the key based on the information negotiated with the other access devices and the information generated by themselves; when an access device determines that it is the primary access device, it sends the mesh identifier MeshID and the key to the other access devices for verification; or, it receives the mesh identifier MeshID and the key sent by the primary access device for verification; it receives verification success messages sent by the other access devices; or, it sends a verification success message to the primary access device; wherein the verification success message is used to indicate that the synchronization succeeded. This method for secure synchronization between access devices requires no manual configuration, saves time and labor, and improves the efficiency and accuracy of policy synchronization between access devices. In addition, because the embodiment of the invention generates the policy configuration parameters (the mesh identifier MeshID and the key) from the information negotiated among the access devices, it avoids the situation in which the configuration parameters as a whole become invalid because a single device is attacked, so the process of generating the policy configuration is more secure.
In addition, the embodiment of the invention also elects and determines a primary access device, which sends the policy configuration parameters to be synchronized to the other access devices for verification, thereby reducing the number of interaction rounds between the access devices and improving the efficiency of policy configuration synchronization.
Drawings
Fig. 1 is a schematic flow chart of a method for security synchronization between access devices according to an embodiment of the present invention;
fig. 2 is a first schematic structural diagram of a security synchronization apparatus between access devices according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a second security synchronization apparatus between access devices according to an embodiment of the present invention;
fig. 4 is a schematic diagram illustrating policy security synchronization among N access devices according to the embodiment of the present invention;
fig. 5 is a schematic flowchart of a second method for security synchronization between access devices according to an embodiment of the present invention.
Detailed Description
The invention is described below with reference to the figures and examples.
An embodiment of the present invention provides a method for secure synchronization between access devices, as shown in fig. 1, where the method is applied to any access device and includes:
step 101: generating a mesh identifier MeshID and a key based on the information negotiated with other access devices and the information generated by the access device itself;
step 102: when the access device determines that it is the primary access device, sending the mesh identifier MeshID and the key to the other access devices for verification; or, receiving the mesh identifier MeshID and the key sent by the primary access device for verification;
step 103: receiving verification success messages sent by the other access devices; or, sending a verification success message to the primary access device; wherein the verification success message is used to indicate that the synchronization succeeded.
In the embodiment of the invention, this method for secure synchronization between access devices requires no manual configuration, saves time and labor, and improves the efficiency and accuracy of policy synchronization between access devices. In addition, because the embodiment of the invention generates the policy configuration parameters (the mesh identifier MeshID and the key) from the information negotiated among the access devices, it avoids the situation in which the configuration parameters as a whole become invalid because a single device is attacked, so the process of generating the policy configuration is more secure.
The embodiment of the invention also elects and determines a primary access device, which sends the policy configuration parameters to be synchronized to the other access devices for verification, thereby reducing the number of interaction rounds between the access devices and improving the efficiency of policy configuration synchronization.
In addition, in the embodiment of the invention, the same initial mesh identifier and initial key are preset in each access device before it leaves the factory. The presetting is done by flashing firmware into each access device, without manual configuration, so the high error rate and low efficiency of manual setting are avoided.
In an embodiment, before generating the mesh identifier MeshID and the key based on the message negotiated with the other access devices and the message generated by the access device itself, the method further includes:
negotiating pairwise with the other access devices to obtain the messages negotiated with the other access devices.
In the embodiment of the present invention, negotiating pairwise with the other access devices to obtain the messages negotiated with them includes:
establishing a network connection with the other access devices;
encrypting the message generated by the access device itself with the initial key and then sending it to the other access devices;
receiving responses sent by the other access devices and receiving the messages generated by the other access devices, where the messages generated by the other access devices are encrypted with the initial key before being sent; wherein
the content of the self-generated message and of the messages generated by the other access devices includes, but is not limited to, one or more of the following items of information:
device identification number, start time, MAC address, IP address and external network connection status.
In the embodiment of the invention, the messages negotiated among the access devices (the message generated by the access device itself and the messages generated by the other access devices) are encrypted with the initial key during transmission, which protects the messages from malicious attack and ensures the security of message transmission.
In this embodiment of the present invention, the generating a mesh identifier MeshID and a key based on the message negotiated with the other access devices and the message generated by the access device itself includes:
generating the mesh identifier MeshID by using a preset networking configuration update algorithm based on the information negotiated with the other access devices and the information generated by the access device itself;
and generating the key by using a preset key generation algorithm based on the mesh identifier MeshID and the initial key.
In this embodiment of the present invention, the determining that the access device itself is the primary access device includes:
judging whether the network parameters of the access device itself and of the other access devices meet preset conditions;
and if the network parameters of the access device itself meet the preset conditions, judging that the access device itself is the primary access device.
In the embodiment of the present invention, the preset conditions include, but are not limited to, the following cases:
determining the access device connected to the external network as the primary access device;
determining the access device with the largest MAC address as the primary access device;
and determining the access device with the smallest IP address as the primary access device.
In this embodiment of the present invention, when the access device determines that it is the primary access device, the sending the mesh identifier MeshID and the key to the other access devices for verification, and receiving verification success messages sent by the other access devices, includes:
encrypting and packaging the mesh identifier MeshID with the key;
sending the encrypted data to the other access devices for verification;
receiving a verification success message sent by another access device after its verification passes; or receiving a verification failure message sent by another access device after its verification fails.
In this embodiment of the present invention, the receiving the mesh identifier MeshID and the key sent by the primary access device for verification, and sending a verification success message to the primary access device, includes:
receiving the mesh identifier MeshID, encrypted with the key, sent by the primary access device;
generating a mesh identifier MeshID and a key using the same algorithm as the primary access device;
decrypting the received encrypted mesh identifier MeshID with the key generated by the access device itself; if the decryption succeeds and the mesh identifier MeshID obtained by decryption is the same as the mesh identifier MeshID generated by the access device itself, updating the initial mesh identifier and the initial key to the mesh identifier MeshID and the key, and sending a verification success message to the primary access device;
and when the decryption is determined to have failed, directly sending a verification failure message to the primary access device.
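The whole flow described in steps 101 to 103 above (pairwise negotiation under the initial key, independent MeshID and key derivation, primary election, encrypted MeshID verification and the failure path), worked end to end as an added Python simulation that is not part of the patent. The patent names no concrete cipher or derivation algorithms, so the HMAC-SHA256 encrypt-then-MAC packaging, the SHA-256/HMAC derivation, the ordering of the three election conditions as tie-breakers and the point at which the primary commits are assumptions, and the three devices are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Factory-preset initial MeshID and initial key shared by every device (constructed values).
INITIAL_MESHID = b"mesh-initial"
INITIAL_KEY = hashlib.sha256(b"constructed-factory-preset-key").digest()

def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256 (assumed cipher; the patent names none)."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, plaintext):
    """'Encrypt and package': encrypt-then-MAC, so tampering shows up as a decryption failure."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, package):
    """Return the plaintext, or None when the tag does not verify (decryption failure)."""
    nonce, ct, tag = package[:16], package[16:-32], package[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Device:
    dev_id: str
    boot_time: int
    mac: str
    ip: str
    external: bool                              # connected to the external network?
    meshid: bytes = INITIAL_MESHID
    key: bytes = INITIAL_KEY
    known: dict = field(default_factory=dict)   # dev_id -> message received in negotiation

    def own_message(self):
        # Device ID, start time, MAC, IP, external-network status: the fields the patent lists.
        return f"{self.dev_id}|{self.boot_time}|{self.mac}|{self.ip}|{int(self.external)}".encode()

    def derive(self):
        """Assumed 'networking configuration update' and 'key generation' algorithms:
        SHA-256 over the sorted negotiated messages, then HMAC of MeshID under the initial key."""
        msgs = sorted([self.own_message()] + list(self.known.values()))
        meshid = hashlib.sha256(b"\x00".join(msgs)).hexdigest()[:16].encode()
        return meshid, hmac.new(INITIAL_KEY, meshid, hashlib.sha256).digest()

    def verify(self, package):
        """Non-primary side: derive independently, decrypt, compare, then commit or reject."""
        meshid, key = self.derive()
        received = unseal(key, package)
        if received is not None and hmac.compare_digest(received, meshid):
            self.meshid, self.key = meshid, key   # replace the initial MeshID and key
            return True                           # -> verification success message
        return False                              # -> verification failure message

def negotiate(devices):
    """Pairwise exchange of self-generated messages, each encrypted under the initial key."""
    for sender in devices:
        package = seal(INITIAL_KEY, sender.own_message())
        for receiver in devices:
            msg = unseal(INITIAL_KEY, package)
            if receiver is not sender and msg is not None:
                receiver.known[sender.dev_id] = msg

def elect_primary(devices):
    """Preset conditions applied in order: external connectivity, largest MAC, smallest IP
    (the patent lists them as alternatives; using them as tie-breakers is an assumption)."""
    return min(devices, key=lambda d: (not d.external, -int(d.mac.replace(":", ""), 16),
                                       tuple(int(o) for o in d.ip.split("."))))

def synchronize(devices):
    """Full flow: negotiate, elect, primary seals its MeshID under the new key, peers verify."""
    negotiate(devices)
    primary = elect_primary(devices)
    meshid, key = primary.derive()
    results = {d.dev_id: d.verify(seal(key, meshid)) for d in devices if d is not primary}
    if all(results.values()):        # assumption: the primary commits once every peer succeeds
        primary.meshid, primary.key = meshid, key
    return primary.dev_id, results

def make_devices():
    """Constructed three-node mesh; only ap-2 has external connectivity."""
    return [Device("ap-1", 1700000000, "02:00:00:00:00:01", "10.0.0.3", False),
            Device("ap-2", 1700000005, "02:00:00:00:00:05", "10.0.0.2", True),
            Device("ap-3", 1700000009, "02:00:00:00:00:09", "10.0.0.1", False)]

def divergent_peer_demo():
    """Failure path: a peer that missed one negotiation message derives a different MeshID/key."""
    devices = make_devices()
    negotiate(devices)
    primary = elect_primary(devices)
    peer = next(d for d in devices if d is not primary)
    peer.known.pop(next(iter(peer.known)))      # simulate a lost negotiation message
    meshid, key = primary.derive()
    return peer.verify(seal(key, meshid))       # False; peer keeps the initial MeshID and key
```

Because the key is never transmitted and each peer re-derives it from the same negotiated inputs, a peer whose view of the negotiation differs cannot open the primary's package and reports failure rather than adopting a configuration it cannot reproduce.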
In order to implement the foregoing method embodiment, an embodiment of the present invention further provides an apparatus for secure synchronization between access devices, where, as shown in fig. 2, the apparatus is applied to any access device and includes:
a generation module 201, configured to generate a mesh identifier MeshID and a key based on the message negotiated with other access devices and the message generated by the access device itself;
a transceiver module 202, configured to send the mesh identifier MeshID and the key to the other access devices for verification when the access device determines that it is the primary access device; or, to receive the mesh identifier MeshID and the key sent by the primary access device for verification;
and to receive verification success messages sent by the other access devices; or, to send a verification success message to the primary access device; wherein the verification success message is used to indicate that the synchronization succeeded.
In one embodiment, as shown in fig. 3, the apparatus further comprises a negotiation module 203;
before the generation module 201 generates the mesh identifier MeshID and the key based on the message negotiated with the other access devices and the message generated by the access device itself,
the negotiation module 203 is configured to negotiate pairwise with the other access devices to obtain the messages negotiated with the other access devices.
In this embodiment of the present invention, the negotiation module 203 negotiating pairwise with the other access devices to obtain the messages negotiated with them includes:
establishing a network connection with the other access devices;
encrypting the message generated by the access device itself with the initial key and then sending it to the other access devices;
receiving responses sent by the other access devices and receiving the messages generated by the other access devices, where the messages generated by the other access devices are encrypted with the initial key before being sent; wherein
the content of the self-generated message and of the messages generated by the other access devices includes, but is not limited to, one or more of the following items of information:
device identification number, start time, MAC address, IP address and external network connection status.
In the embodiment of the invention, the messages negotiated among the access devices (the message generated by the access device itself and the messages generated by the other access devices) are encrypted with the initial key during transmission, which protects the messages from malicious attack and ensures the security of message transmission.
In this embodiment of the present invention, the generation module 201 generating the mesh identifier MeshID and the key based on the message negotiated with the other access devices and the message generated by the access device itself includes:
generating the mesh identifier MeshID by using a preset networking configuration update algorithm based on the information negotiated with the other access devices and the information generated by the access device itself;
and generating the key by using a preset key generation algorithm based on the mesh identifier MeshID and the initial key.
In this embodiment of the present invention, the transceiver module 202 determining that the access device is the primary access device includes:
judging whether the network parameters of the access device itself and of the other access devices meet preset conditions;
and if the network parameters of the access device itself meet the preset conditions, judging that the access device itself is the primary access device.
In the embodiment of the present invention, the preset conditions include, but are not limited to, the following situations:
determining the access device connected to the external network as the primary access device;
determining the access device with the largest MAC address as the primary access device;
and determining the access device with the smallest IP address as the primary access device.
In this embodiment of the present invention, when the transceiver module 202 determines that the access device is the primary access device, its sending the mesh identifier MeshID and the key to the other access devices for verification, and receiving verification success messages sent by the other access devices, includes:
encrypting and packaging the mesh identifier MeshID with the key;
sending the encrypted data to the other access devices for verification;
receiving a verification success message sent by another access device after its verification passes; or receiving a verification failure message sent by another access device after its verification fails.
In this embodiment of the present invention, the transceiver module 202 receiving the mesh identifier MeshID and the key sent by the primary access device for verification, and sending a verification success message to the primary access device, includes:
receiving the mesh identifier MeshID, encrypted with the key, sent by the primary access device;
generating a mesh identifier MeshID and a key using the same algorithm as the primary access device;
decrypting the received encrypted mesh identifier MeshID with the key generated by the access device itself; if the decryption succeeds and the mesh identifier MeshID obtained by decryption is the same as the mesh identifier MeshID generated by the access device itself, updating the initial mesh identifier and the initial key to the mesh identifier MeshID and the key, and sending a verification success message to the primary access device;
and when the decryption is determined to have failed, directly sending a verification failure message to the primary access device.
The embodiment of the invention also provides a secure synchronization apparatus between access devices, which comprises: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to execute, when running the computer program:
generating a mesh identifier MeshID and a key based on the information negotiated with other access devices and the information generated by the access device itself;
when the access device determines that it is the primary access device, sending the mesh identifier MeshID and the key to the other access devices for verification; or, receiving the mesh identifier MeshID and the key sent by the primary access device for verification;
receiving verification success messages sent by the other access devices; or, sending a verification success message to the primary access device; wherein the verification success message is used to indicate that the synchronization succeeded.
Before generating the mesh identifier MeshID and the key based on the message negotiated with the other access devices and the message generated by the access device itself, the processor is further configured to execute, when running the computer program:
negotiating pairwise with the other access devices to obtain the messages negotiated with the other access devices.
When negotiating pairwise with the other access devices to obtain the information negotiated with them, the processor is further configured to execute:
establishing a network connection with the other access devices;
encrypting the message generated by the access device itself with the initial key and then sending it to the other access devices;
receiving responses sent by the other access devices and receiving the messages generated by the other access devices, where the messages generated by the other access devices are encrypted with the initial key before being sent; wherein
the content of the self-generated message and of the messages generated by the other access devices includes, but is not limited to, one or more of the following items of information:
device identification number, start time, MAC address, IP address and external network connection status.
When generating the mesh identifier MeshID and the key based on the message negotiated with the other access devices and the message generated by the access device itself, the processor is further configured to execute, when running the computer program:
generating the mesh identifier MeshID by using a preset networking configuration update algorithm based on the information negotiated with the other access devices and the information generated by the access device itself;
and generating the key by using a preset key generation algorithm based on the mesh identifier MeshID and the initial key.
When determining whether the access device itself is the primary access device, the processor is further configured to execute, when running the computer program:
judging whether the network parameters of the access device itself and of the other access devices meet preset conditions;
and if the network parameters of the access device itself meet the preset conditions, judging that the access device itself is the primary access device.
Wherein the preset conditions include, but are not limited to, the following:
determining the access device connected to the external network as the primary access device;
determining the access device with the largest MAC address as the primary access device;
and determining the access device with the smallest IP address as the primary access device.
When the access device determines that it is the primary access device and sends the mesh identifier MeshID and the key to the other access devices for verification, and when it receives verification success messages sent by the other access devices, the processor is further configured to execute, when running the computer program:
encrypting and packaging the mesh identifier MeshID with the key;
sending the encrypted data to the other access devices for verification;
receiving a verification success message sent by another access device after its verification passes; or receiving a verification failure message sent by another access device after its verification fails.
When receiving the mesh identifier MeshID and the key sent by the primary access device for verification, and sending a verification success message to the primary access device, the processor is further configured to execute:
receiving the mesh identifier MeshID, encrypted with the key, sent by the primary access device;
generating a mesh identifier MeshID and a key using the same algorithm as the primary access device;
decrypting the received encrypted mesh identifier MeshID with the key generated by the access device itself; if the decryption succeeds and the mesh identifier MeshID obtained by decryption is the same as the mesh identifier MeshID generated by the access device itself, updating the initial mesh identifier and the initial key to the mesh identifier MeshID and the key, and sending a verification success message to the primary access device;
and when the decryption is determined to have failed, directly sending a verification failure message to the primary access device.
It should be noted that the division into program modules in the apparatus of the foregoing embodiment is only illustrative; in practical applications the above processing may be distributed among different program modules as required, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the apparatus of the above embodiments and the corresponding method embodiments belong to the same concept; their specific implementation is described in the method embodiments and is not repeated here.
In an exemplary embodiment, the embodiment of the present invention also provides a computer-readable storage medium, which may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc or CD-ROM, or a device including one or any combination of the above memories, such as a mobile phone, computer, tablet device or personal digital assistant.
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs:
generating a mesh identifier MeshID and a key based on the messages negotiated with the other access devices and the message generated by itself;
when it is determined to be the master access device, sending the mesh identifier MeshID and the key to the other access devices for verification; or receiving the mesh identifier MeshID and the key sent by the master access device for verification;
receiving verification success messages sent by the other access devices; or sending a verification success message to the master access device; wherein the verification success message represents successful synchronization.
Before generating the mesh identifier MeshID and the key based on the messages negotiated with the other access devices and the message generated by itself, the computer program, when executed by the processor, further performs:
negotiating pairwise with the other access devices to obtain the messages negotiated with the other access devices.
When negotiating pairwise with the other access devices to obtain the messages negotiated with the other access devices, the computer program, when executed by the processor, further performs:
establishing a network connection with the other access devices;
encrypting the message generated by itself with the initial key and sending it to the other access devices;
receiving responses sent by the other access devices and receiving messages generated by the other access devices, the messages generated by the other access devices having been encrypted with the initial key before being sent; wherein
the content of the message generated by itself and of the messages generated by the other access devices includes, but is not limited to, one or more of the following:
device identification number, startup time, MAC address, IP address and external network connection status.
When generating the mesh identifier MeshID and the key based on the messages negotiated with the other access devices and the message generated by itself, the computer program, when executed by the processor, further performs:
generating the mesh identifier MeshID using a preset networking configuration update algorithm based on the messages negotiated with the other access devices and the message generated by itself;
and generating the key using a preset key generation algorithm based on the mesh identifier MeshID and the initial key.
When determining whether it is the master access device, the computer program, when executed by the processor, further performs:
judging whether its own network parameters and those of the other access devices meet preset conditions;
and if its own network parameters meet the preset conditions, determining itself to be the master access device.
The preset conditions include, but are not limited to, the following:
determining the access device connected to the external network as the master access device;
determining the access device with the largest MAC address as the master access device;
and determining the access device with the smallest IP address as the master access device.
When, having determined that it is the master access device, the mesh identifier MeshID and the key are sent to the other access devices for verification and a verification success message from the other access devices is received, the computer program, when executed by the processor, further performs:
encrypting and packaging the mesh identifier MeshID with the key;
sending the encrypted data to the other access devices for verification;
receiving a verification success message sent by another access device after its verification passes, or a verification failure message sent by another access device after its verification fails.
When the mesh identifier MeshID and the key sent by the master access device are received for verification and a verification success message is sent to the master access device, the computer program, when executed by the processor, further performs:
receiving the mesh identifier MeshID sent by the master access device and encrypted with the key;
generating a mesh identifier MeshID and a key using the same algorithm as the master access device;
decrypting the received encrypted mesh identifier MeshID with the key it generated itself; if decryption succeeds and the decrypted mesh identifier MeshID is identical to the mesh identifier MeshID it generated itself, updating the initial mesh identifier and the initial key to that mesh identifier MeshID and key, and sending a verification success message to the master access device;
and when decryption is determined to have failed, directly sending a verification failure message to the master access device.
The present invention is described below with reference to scene embodiments.
This embodiment provides a method for secure synchronization between access devices. An SDK is preset in each access device; the SDK contains the networking configuration update algorithm required to implement policy synchronization. With this embodiment, automatic and secure networking is achieved after the access devices are started, with no additional configuration by the user, which provides both security and convenience.
In this embodiment a wireless mesh network comprising a plurality of access devices is considered; for clarity, the flow of the solution is described below taking three routers (access devices A, B, C) as an example.
In this embodiment, the firmware is flashed into each access device before it leaves the factory, and it is ensured that the MeshID (initial mesh identifier) and Key (initial key) preset before leaving the factory are the same on every device, so that the networking condition is met. For the security of the wireless mesh networking, after the devices are started the MeshID and Key preset in the factory firmware are updated and synchronized, so that other access devices (which were not preset with the initial mesh identifier and initial key) cannot join the network using an illegally obtained initial mesh identifier and initial key. The specific steps are as follows:
Step 501: access device A establishes a network connection (for example a TCP connection) with access device B; after the connection is successfully established, access device A sends a message MessageA to access device B.
Step 502: after receiving MessageA, access device B responds to the request to confirm that MessageA has been received, and sends its own message MessageB to access device A.
The content of a Message includes, but is not limited to, the device identification number DeviceID, the startup Time and the MAC address of the corresponding access device.
Step 503: after receiving MessageB, access device A responds to the request to confirm that MessageB has been received.
Step 504: a network connection is established between every two access devices and Message negotiation and sharing is carried out; that is, steps 501-503 are repeated between access devices A and C and between access devices B and C. In addition, the Message negotiation between access devices is encrypted for transmission with the factory-preset key (initial key), which ensures the security of the policy configuration parameter transmission. For N access devices the negotiation is shown schematically in Fig. 4: the above steps are repeated between every pair of access devices.
Step 505: after the access devices have negotiated and shared their messages, each access device can compute a new MeshID_New (the mesh identifier MeshID generated by the access device itself) with a common algorithm (the preset networking configuration update algorithm, for example the hash function SHA1) from the messages shared by the other devices and the message it generated itself, and can generate a new key Key_New (the key generated by the access device itself) with a key generation algorithm such as a KDF (key derivation function). For example, with three access devices:
MeshID_New=SHA1(MessageA,MessageB,MessageC);
Key_New=KDF(Key,MeshID_New).
Here KDF is the key generation algorithm, and its inputs are the preset Key (initial key) and MeshID_New.
In the general case of N (N >= 2) routers, the new MeshID and Key are computed as follows:
MeshID_New=SHA1(Message1,Message2,Message3,…,MessageN);
Key_New=KDF(Key,MeshID_New).
Again, KDF is the key generation algorithm with the preset Key and MeshID_New as inputs.
It should be noted that the other devices may compute MeshID_New and Key_New at this point, or may compute them after receiving the encrypted data sent by the master access device in step 508.
Step 506: determining the master access device.
Here each access device judges whether its own network parameters and those of the other access devices meet the preset conditions, and if its own network parameters meet the preset conditions it determines itself to be the master access device. The master access device may be selected in a variety of ways, including but not limited to the following:
determining the access device connected to the external network (the Internet) as the master access device;
comparing the MAC addresses of all access devices, the access device with the largest MAC address being the master access device;
and comparing the IP addresses of all access devices, the access device with the smallest IP address being the master access device.
Step 507: the master access device encrypts MeshID_New with Key_New, packages it as data, and synchronizes the encrypted data to all other access devices.
Step 508: after receiving the encrypted data, each other access device computes MeshID_New and Key_New with the same algorithm and decrypts the data sent by the master access device with Key_New. If decryption succeeds, the decrypted MeshID_New is compared with the MeshID_New computed by the access device itself; if they are the same, the preset MeshID and key are updated to MeshID_New and Key_New and a message is sent to the master access device reporting successful synchronization. If decryption fails, MeshID_New and Key_New are not applied and a message is sent to the master access device reporting synchronization failure.
Step 509: after the negotiation between the access devices is finished, the network connections are disconnected.
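Steps 501 to 509 (and the processor and storage-medium embodiments above, which describe the same flow) as a runnable simulation. This is an added example, not code from the patent or the applicant. The patent names SHA1 and "a KDF" but fixes no cipher, message encoding, concatenation order for the SHA1 input, or order in which the three master-election conditions are applied; all of those are assumptions stated in the module docstring. Routers A, B, C, the rogue router D (which lacks the factory-preset key), the addresses and the preset constants are constructed sample data.

```python
"""Added example, not code from the patent: a stand-alone simulation of steps
501-509 (message negotiation under the factory-preset key, MeshID/Key derivation,
master election, encrypted MeshID synchronisation and verification). Assumed where
the page is silent: JSON messages, SHA1 input ordered by DeviceID, HMAC-SHA256 as
the KDF, a SHAKE256 keystream plus HMAC tag as the cipher, conditions in listed order."""
import hashlib, hmac, ipaddress, json, os

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def encrypt(key, plaintext):
    # nonce || ciphertext || tag; the tag is what makes "decryption failed" in step 508 detectable.
    nonce = os.urandom(16)
    ks = hashlib.shake_256(_sub(key, b"enc") + nonce).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, ks))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    # Plaintext, or None when the tag does not verify (wrong key or tampering).
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expect):
        return None
    ks = hashlib.shake_256(_sub(key, b"enc") + nonce).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, ks))

def derive_meshid(messages):
    # MeshID_New = SHA1(Message1, ..., MessageN); sorting by DeviceID gives every
    # device the same concatenation order (assumption, the page fixes none).
    h = hashlib.sha1()
    for m in sorted(messages, key=lambda m: m["DeviceID"]):
        h.update(json.dumps(m, sort_keys=True).encode())
    return h.digest()

def kdf(initial_key, meshid_new):
    # Key_New = KDF(Key, MeshID_New); HMAC-SHA256 is the assumed KDF.
    return hmac.new(initial_key, b"Key_New" + meshid_new, hashlib.sha256).digest()

def elect_master(messages):
    # Step 506: Internet-connected first, then largest MAC, then smallest IP.
    rank = lambda m: (not m["Internet"], -int(m["MAC"].replace(":", ""), 16),
                      int(ipaddress.ip_address(m["IP"])))
    return min(messages, key=rank)["DeviceID"]

class AccessDevice:
    def __init__(self, device_id, mac, ip, boot_time, internet, meshid, key):
        self.device_id, self.meshid, self.key, self.peers = device_id, meshid, key, {}
        self.own = {"DeviceID": device_id, "MAC": mac, "IP": ip, "Time": boot_time, "Internet": internet}

    def accept(self, blob):
        # Steps 501-503, receiver side: a message that does not decrypt under the preset key is dropped.
        pt = decrypt(self.key, blob)
        if pt is None:
            return False
        m = json.loads(pt)
        self.peers[m["DeviceID"]] = m
        return True

    def negotiate(self, peer):
        # Step 504 for one pair: encrypted messages in both directions.
        there = peer.accept(encrypt(self.key, json.dumps(self.own).encode()))
        return self.accept(encrypt(peer.key, json.dumps(peer.own).encode())) and there

    def new_parameters(self):
        meshid_new = derive_meshid([self.own, *self.peers.values()])
        return meshid_new, kdf(self.key, meshid_new)

    def verify(self, blob):
        # Step 508: recompute locally, decrypt, compare, and only then commit.
        meshid_new, key_new = self.new_parameters()
        pt = decrypt(key_new, blob)
        if pt is None or not hmac.compare_digest(pt, meshid_new):
            return False
        self.meshid, self.key = meshid_new, key_new
        return True

def run_scenario():
    # Constructed data: A, B, C share the preset MeshID/Key; D holds a guessed key.
    preset_id, preset_key = b"mesh-initial-id", b"factory-preset-key-0001"
    a = AccessDevice("A", "00:11:22:33:44:55", "192.168.1.2", 1000, True, preset_id, preset_key)
    b = AccessDevice("B", "00:11:22:33:44:66", "192.168.1.3", 1001, False, preset_id, preset_key)
    c = AccessDevice("C", "00:11:22:33:44:77", "192.168.1.4", 1002, False, preset_id, preset_key)
    d = AccessDevice("D", "00:11:22:33:44:88", "192.168.1.5", 1003, True, preset_id, b"guessed")
    fleet = [a, b, c]
    for i, x in enumerate(fleet):                        # step 504: every pair negotiates
        for y in fleet[i + 1:]:
            x.negotiate(y)
    rogue_joined = a.negotiate(d)                        # both directions fail on the tag
    master = next(v for v in fleet if elect_master([v.own, *v.peers.values()]) == v.device_id)
    meshid_new, key_new = master.new_parameters()
    payload = encrypt(key_new, meshid_new)               # step 507
    tampered = payload[:20] + bytes([payload[20] ^ 1]) + payload[21:]
    tampered_ok = b.verify(tampered)                     # rejected, nothing committed
    verified = {v.device_id: v.verify(payload) for v in fleet if v is not master}
    master.meshid, master.key = meshid_new, key_new      # master commits after the acks
    return {"master": master.device_id, "verified": verified, "rogue_joined": rogue_joined,
            "rogue_verifies": d.verify(payload), "tampered_verifies": tampered_ok,
            "keys_agree": len({v.key for v in fleet}) == 1, "key_rotated": a.key != preset_key}
```

Two points the simulation makes visible that the steps leave implicit. First, "if decryption fails" in step 508 is only an observable event when the cipher authenticates the data (here an HMAC tag); with a bare block or stream cipher, decryption under the wrong key returns garbage and the equality check against the locally computed MeshID_New is the only thing standing between the device and a bogus update, so both checks belong in an implementation. Second, every input to Key_New = KDF(Key, MeshID_New) is either the factory-preset Key, which the embodiment says is identical on every unit, or data sent under that Key; a party that extracts the preset Key from one unit can read the negotiation and derive Key_New, so the scheme rotates the shared secret but does not introduce a fresh one.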
With the above method for secure synchronization between access devices based on message negotiation, the whole process requires no manual configuration, which saves time and labor and improves the efficiency and accuracy of policy synchronization between access devices.
In addition, in this embodiment the policy configuration parameters of an access device are generated from the negotiation of messages between the access devices, which avoids the situation where all configuration parameters become invalid because a single device is attacked, and makes the generation of the policy configuration more secure. Moreover, the message interaction between access devices and the synchronization of the policy configuration parameters are encrypted, which ensures the security of configuration parameter transmission.
In addition, the embodiment selects the master access device in a variety of ways and synchronizes its policy configuration parameters to the other access devices, which reduces the number of interactive communications between access devices and improves the efficiency of policy configuration synchronization.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (10)

1. A method for secure synchronization between access devices, applied to any access device, comprising the following steps:
generating a mesh identifier MeshID using a preset networking configuration update algorithm based on the messages negotiated with the other access devices and the message generated by itself;
generating a key using a preset key generation algorithm based on the mesh identifier MeshID and the initial key;
when it is determined to be the master access device, sending the mesh identifier MeshID and the key to the other access devices for verification; or receiving the mesh identifier MeshID and the key sent by the master access device for verification;
receiving verification success messages sent by the other access devices; or sending a verification success message to the master access device; wherein the verification success message represents successful synchronization.
2. The method of claim 1, wherein before generating the mesh identifier MeshID and the key based on the messages negotiated with the other access devices and the message generated by itself, the method further comprises:
negotiating pairwise with the other access devices to obtain the messages negotiated with the other access devices.
3. The method of claim 2, wherein negotiating pairwise with the other access devices to obtain the messages negotiated with the other access devices comprises:
establishing a network connection with the other access devices;
encrypting the message generated by itself with the initial key and sending it to the other access devices;
receiving responses sent by the other access devices and receiving messages generated by the other access devices, the messages generated by the other access devices having been encrypted with the initial key before being sent; wherein
the content of the message generated by itself and of the messages generated by the other access devices includes, but is not limited to, one or more of the following:
device identification number, startup time, MAC address, IP address and external network connection status.
4. The method of claim 1, wherein determining itself to be the master access device comprises:
judging whether its own network parameters and those of the other access devices meet preset conditions;
and if its own network parameters meet the preset conditions, determining itself to be the master access device.
5. The method of claim 4, wherein the preset conditions include, but are not limited to, the following:
determining the access device connected to the external network as the master access device;
determining the access device with the largest MAC address as the master access device;
and determining the access device with the smallest IP address as the master access device.
6. The method of claim 1, wherein, when it is determined to be the master access device, sending the mesh identifier MeshID and the key to the other access devices for verification and receiving verification success messages sent by the other access devices comprises:
encrypting and packaging the mesh identifier MeshID with the key;
sending the encrypted data to the other access devices for verification;
receiving a verification success message sent by another access device after its verification passes, or a verification failure message sent by another access device after its verification fails.
7. The method of claim 1, wherein receiving the mesh identifier MeshID and the key sent by the master access device for verification, and sending a verification success message to the master access device, comprises:
receiving the mesh identifier MeshID sent by the master access device and encrypted with the key;
generating a mesh identifier MeshID and a key using the same algorithm as the master access device;
decrypting the received encrypted mesh identifier MeshID with the key generated by itself; if decryption succeeds and the decrypted mesh identifier MeshID is the same as the mesh identifier MeshID generated by itself, updating the initial mesh identifier and the initial key to that mesh identifier MeshID and key, and sending a verification success message to the master access device;
and when decryption is determined to have failed, directly sending a verification failure message to the master access device.
8. A device for secure synchronization between access devices, applied to any access device, comprising:
a generation module for generating a mesh identifier MeshID using a preset networking configuration update algorithm based on the messages negotiated with the other access devices and the message generated by itself, and for generating a key using a preset key generation algorithm based on the mesh identifier MeshID and the initial key;
a transceiver module for sending the mesh identifier MeshID and the key to the other access devices for verification when it is determined to be the master access device, or receiving the mesh identifier MeshID and the key sent by the master access device for verification;
and for receiving verification success messages sent by the other access devices, or sending a verification success message to the master access device; wherein the verification success message represents successful synchronization.
9. An apparatus for secure synchronization between access devices, the apparatus comprising: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is adapted to perform the steps of the method of any one of claims 1-7 when running the computer program.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010275096.8A CN113543128B (en) 2020-04-09 2020-04-09 Method, apparatus and computer readable storage medium for secure synchronization between access devices

Publications (2)

Publication Number Publication Date
CN113543128A CN113543128A (en) 2021-10-22
CN113543128B true CN113543128B (en) 2023-03-31

Family

ID=78087748

Country Status (1)

Country Link
CN (1) CN113543128B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109314916B (en) * 2016-04-19 2021-10-01 诺基亚通信公司 Method, apparatus and computer readable medium for communication
CN107241356B (en) * 2017-07-24 2020-08-14 无锡江南计算技术研究所 Network equipment validity verification method
CN107395431B (en) * 2017-08-17 2020-07-28 普联技术有限公司 Network construction method and device, equipment processing and accessing method and network equipment
CN110391981B (en) * 2018-04-20 2021-10-26 慧与发展有限责任合伙企业 Apparatus, method, and medium for establishing a source routing tree for gateway nodes in a mesh network
CN109146360B (en) * 2018-07-24 2022-04-26 拉扎斯网络科技(上海)有限公司 Grid establishing method and device and distribution method and device
CN110278568B (en) * 2019-06-11 2022-11-08 广州极飞科技股份有限公司 Method and network system for constructing networking based on network equipment


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant