CN113553574A - Internet of things trusted data management method based on block chain technology - Google Patents
Publication number: CN113553574A (application CN202110856422.9)
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- G06F21/44: Program or device authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F16/27: Replication, distribution or synchronisation of data between databases or within a distributed database system; distributed database system architectures (under G06F16/20 Information retrieval and database structures for structured data, e.g. relational data; G06F16/00 Information retrieval; database structures; file system structures)
- G06F21/602: Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
Abstract
The invention discloses an Internet of Things trusted data management method based on blockchain technology, which divides the trusted-management problems faced by Internet of Things data into four parts: trusted device authentication, trusted data transmission, trusted data storage and trusted data sharing. Based on blockchain technology, the invention constructs a distributed, tamper-proof communication network for the gateways and the edge servers. For device authentication it designs a mutual authentication mechanism between the Internet of Things devices and the gateway, and it uses Diffie-Hellman key exchange to design a session key negotiation mechanism that secures data transmission; for data storage it constructs a distributed secure storage scheme in the edge server network using the Kademlia algorithm; finally, it implements a user access control mechanism using attribute-based encryption, ensuring trusted sharing of Internet of Things data.
Description
Technical Field
The invention belongs to the technical field of the Internet of Things and network security, and in particular relates to an Internet of Things trusted data management method based on blockchain technology.
Background
With advances in wireless communication and intelligent device manufacturing, Internet of Things technology has developed rapidly and brought great convenience to daily life through the novel interaction mode of interconnecting everything. By collecting real-time data from intelligent terminals to support high-performance decision making, the Internet of Things has created a batch of new application scenarios, including intelligent healthcare, smart homes and intelligent transportation. Because the Internet of Things requires many heterogeneous devices to cooperate in a distributed manner, however, several trust problems exist at the data management layer. First, a dishonest data source may feed inaccurate or biased data to upper-layer applications, degrading the quality of service. Second, a malicious user can insert a counterfeit Internet of Things device to disrupt applications and the normal operation of the system; these problems stem from the lack of a device identity authentication mechanism, and Internet of Things data is also easily attacked in transit, leading to privacy leakage and malicious tampering. Third, existing Internet of Things data storage schemes depend on a third-party cloud service provider, which introduces a centralisation risk: once the third party suffers a single-point or insider attack, serious privacy disclosure and data security problems follow. Finally, because Internet of Things data currently lacks an access control mechanism, a user can obtain data without authorisation by bribing the storage provider, by eavesdropping, or by other means.
Chinese patent publication CN113032814A provides an Internet of Things data management method and system: an Internet of Things gateway encrypts the data sent by an Internet of Things device with a data private key to obtain target encrypted data, the device being a trusted device associated with and authenticated by a data authentication server; the gateway computes a target data fingerprint of the target encrypted data; the gateway sends the fingerprint and the permission information of the target encrypted data to the data authentication server for storage; and the data storage server verifies the integrity of the received target encrypted data against the fingerprint and, if verification succeeds, stores it in a target area.
Chinese patent publication CN113066552A discloses a guardianship data management system based on blockchain technology, comprising a device acquisition client, a data interaction management client, a consumption client and blockchain nodes, where the three clients exchange data through the blockchain nodes. It adopts a Raft consensus mechanism, applies blockchain technology to hardware device data acquisition and data sharing, and achieves a consortium-chain design with multi-role access control based on Internet of Things devices and a data interaction platform.
In summary, many existing techniques solve part of the data management problem. Most focus on Internet of Things data storage and trusted data sharing, which is only one link of trusted data management, and none offers a trusted solution that covers device authentication, data transmission, data storage and access control together. With the rapid development of blockchain technology, its decentralisation, tamper resistance, traceability, security and transparency are widely applied to distributed cooperation, and combining blockchain with cryptographic techniques offers a good solution for trusted Internet of Things data management. Moreover, a trusted data management solution can be encoded automatically in blockchain smart contracts, which removes the need for a third-party organisation, improves security and lowers operating cost.
Disclosure of Invention
In view of the above, the invention provides a blockchain-based trusted data management method for the Internet of Things. It is divided into four parts, namely device identity authentication, secure data transmission, trusted data storage and trusted data sharing, and establishes a distributed, tamper-proof communication network for the gateways and edge servers, so that authorised access by legitimate users is guaranteed, malicious reading of data by illegitimate users is resisted, and trusted sharing of Internet of Things data is ensured.
An Internet of Things trusted data management method based on blockchain technology comprises the following steps:
(1) identity authentication between the Internet of Things terminal device and the gateway is completed using an asymmetric encryption algorithm and a signature algorithm, and session key negotiation between the terminal device and the gateway is completed using Diffie-Hellman key exchange;
(2) the terminal device encrypts the original Internet of Things data with the session key negotiated with the gateway and transmits the encrypted data to the gateway, the gateway forwards the encrypted data to an edge server, and the edge servers use the Kademlia algorithm to store the Internet of Things data in a distributed and secure manner across the edge server network;
(3) an attribute-based encryption scheme implements the access control mechanism governing user access to the Internet of Things data.
Further, step (1) is implemented as follows:
1.1 The Internet of Things terminal device generates a random number n_a, signs n_a together with the current timestamp TS_1 using its own signature private key SK_Sd, encrypts the signature result with the encryption public key PK_Eg of the gateway to be authenticated to form message M_1, and sends M_1 to the gateway;
1.2 The gateway decrypts M_1 with its own encryption private key SK_Eg to obtain the signature result, verifies the signature with the signature public key PK_Sd of the terminal device and obtains n_a; if verification succeeds, the terminal device is shown to be a legitimate device. The gateway then generates a random number n_b, signs n_a, n_b and the current timestamp TS_2 with its own signature private key SK_Sg, encrypts the signature result with the encryption public key PK_Ed of the terminal device to form message M_2, and sends M_2 to the terminal device;
1.3 The terminal device decrypts M_2 with its own encryption private key SK_Ed to obtain the signature result, verifies the signature with the gateway's signature public key PK_Sg and obtains n_a and n_b; if verification succeeds, the gateway's identity is legitimate. At the same time the terminal device checks that the received n_a matches the n_a it generated; if they match, it signs n_b and the current timestamp TS_3 with its signature private key SK_Sd, encrypts the signature result with the gateway's encryption public key PK_Eg to form message M_3, and sends M_3 to the gateway;
1.4 The gateway decrypts M_3 with its own encryption private key SK_Eg to obtain the signature result, verifies the signature with the terminal device's signature public key PK_Sd and obtains n_b, and checks that the received n_b matches the n_b it generated; if they match, the sender is the correct peer and mutual authentication between the Internet of Things terminal device and the gateway is complete;
1.5 The terminal device generates a random number m_D as its private key and computes the public key PK_1 = m_D * G, where G is the generator (base point) of the group; it then encrypts PK_1 and the current timestamp TS_4 with the gateway's encryption public key PK_Eg to form message M_4 and sends it to the gateway;
1.6 The gateway generates a random number m_G as its private key and computes the public key PK_2 = m_G * G; it then encrypts PK_2 and the current timestamp TS_5 with the terminal device's encryption public key PK_Ed to form message M_5 and sends it to the terminal device;
1.7 The gateway decrypts M_4 with its own encryption private key SK_Eg to obtain PK_1 and computes the secure session key shared with the terminal device as SKey = m_G * PK_1 = m_G * m_D * G; the terminal device decrypts M_5 with its own encryption private key SK_Ed to obtain PK_2 and computes the secure session key shared with the gateway as SKey = m_D * PK_2 = m_D * m_G * G. Session key negotiation between the Internet of Things terminal device and the gateway is then complete.
Further, step (2) is implemented as follows:
2.1 The Internet of Things terminal device encrypts the original Internet of Things data with the secure session key SKey shared with the gateway and transmits the encrypted data to the gateway, which forwards it to the edge server S_1 closest to the gateway;
2.2 The edge server S_1 computes a 160-bit hash of the encrypted data and uses it as the Key, uses the encrypted data as the Value, finds the k edge servers whose ID numbers are closest to the Key according to the value k configured by the system, and transmits the Key-Value pair to those k edge servers for storage, completing distributed storage of the Internet of Things data in the edge server network.
Further, step (3) is implemented as follows:
3.1 The data owner stores the access policy P on the gateway, which runs Setup(1^λ) → (PK, MSK), i.e. computes a system public key PK and a system master key MSK from the security parameter λ, then embeds PK in a transaction and broadcasts it to the blockchain network while keeping MSK locally;
3.2 The user sends a data request to the edge server; the edge server first verifies the user's identity and then interacts with the gateway through the smart contract. If the user's identity is legitimate, the gateway generates the corresponding attribute set S for the user, records the user's public key PK_user in the smart contract as the authorised-user identifier, and generates a private key for the user;
3.3 The gateway runs KeyGen(PK, MSK, S) → SK, i.e. takes the system public key PK, the system master key MSK and the user's attribute set S as input and outputs the user's access private key SK; the gateway encrypts SK with the user's public key PK_user, embeds the result in a transaction, and sends the transaction ID and the smart contract address to the edge server over the blockchain;
3.4 The edge server receives the encrypted result and forwards it to the user, who decrypts it with their own private key SK_user to obtain the access private key SK;
3.5 The gateway runs Encrypt(PK, P, SKey) → CT, i.e. takes the system public key PK, the access policy P and the session key SKey shared between the Internet of Things terminal device and the gateway as input and produces the ciphertext CT, thereby encrypting the session key SKey; the gateway then sends CT to the edge server for storage through the blockchain network;
3.6 The user downloads the encrypted data and the ciphertext CT from the edge server using the Kademlia algorithm and runs Decrypt(PK, SK, CT) → SKey, i.e. takes the system public key PK, the user's access private key SK and the ciphertext CT as input and decrypts to obtain the session key SKey; if the user's attribute set S satisfies the access policy P set by the data owner, SKey is recovered successfully, otherwise decryption fails;
3.7 The user runs Decrypt(SKey, encrypted data) → original data, decrypting the encrypted data with the session key SKey to obtain the original Internet of Things data.
Further, in step 3.6, the user downloads the encrypted data and the ciphertext CT from the edge server using the Kademlia algorithm as follows:
3.6.1 The user sends a lookup request to the edge server with the Key of the requested data; the edge server checks whether it stores the pair (Key, Value) itself and, if so, returns the encrypted data directly to the user; otherwise it finds the k node IDs closest to the Key and sends a FIND_VALUE request to those k nodes (i.e. edge servers in the network);
3.6.2 A node receiving a FIND_VALUE request first checks whether it stores the pair (Key, Value) locally and, if so, returns the encrypted data to the requesting edge server; otherwise it finds the k node IDs closest to the Key and forwards the FIND_VALUE request to them. The search keeps spreading until the encrypted data is obtained or no edge server closer to the Key than the currently known node IDs can be found, which indicates that the data requested by the user does not exist.
The identity authentication scheme between the terminal device and the gateway effectively suppresses the security risk of malicious devices joining the network and ensures the legitimacy of Internet of Things data sources; the session key negotiation mechanism between the terminal device and the gateway protects the confidentiality of data in transit and resists eavesdropping and tampering; in addition, the invention builds a reliable distributed data storage scheme in the edge network on the Kademlia algorithm, greatly reducing the security and privacy risks of centralised storage, removing the bandwidth bottleneck and greatly improving the scalability of data storage. Finally, because the invention designs an active access control mechanism based on attribute-based encryption, only a user whose attribute set matches the access policy set by the data owner can obtain access authorisation; this guarantees data availability for authorised users, effectively prevents malicious users from obtaining the original data by illegitimate means, improves the security of data access at the consumption layer, protects the original value of Internet of Things data, and realises user-oriented permission management.
Drawings
Fig. 1 is a schematic diagram of an authentication process between an internet of things terminal device and a gateway according to the present invention.
Fig. 2 is a schematic diagram of a session key negotiation process according to the present invention.
FIG. 3 is a schematic diagram of a trusted data management process according to the present invention.
Detailed Description
In order to more specifically describe the present invention, the following detailed description is provided for the technical solution of the present invention with reference to the accompanying drawings and the detailed description.
The invention uses Diffie-Hellman key exchange, asymmetric encryption, a signature algorithm, the Kademlia algorithm and attribute-based encryption to realise a blockchain-based trusted data management scheme for the Internet of Things: the gateway devices and the edge servers act as blockchain nodes that maintain the blockchain network, and the logical interactions are carried out by calling smart contracts. The overall flow is shown in Fig. 3.
As shown in Fig. 1, the Internet of Things terminal and the gateway perform bidirectional authentication, verifying the identity legitimacy of a device joining the network, in the following steps:
Step 1: The Internet of Things terminal device generates a random number n_a, signs n_a and the current timestamp TS_1 with its own signature private key SK_Sd, encrypts the signature result with the encryption public key PK_Eg of the gateway to be authenticated to form message M_1, and sends M_1 to that gateway.
Step 2: The gateway decrypts M_1 with its own encryption private key SK_Eg, verifies the signature with the signature public key PK_Sd of the Internet of Things device and obtains n_a; successful verification shows that the device is legitimate. The gateway then generates a random number n_b, signs n_a, n_b and the current timestamp TS_2 with its signature private key SK_Sg, encrypts the signature result with the encryption public key PK_Ed of the device being authenticated to form message M_2, and returns M_2 to the device.
Step 3: The device decrypts M_2 with its own encryption private key SK_Ed to obtain the signature result and verifies the signature with the gateway's signature public key PK_Sg; successful verification shows that the gateway's identity is legitimate. The device also checks that the received n_a is the one it generated. If so, it signs n_b and the current timestamp TS_3 with its signature private key SK_Sd, encrypts the signature result with the gateway's encryption public key PK_Eg to form message M_3, and sends M_3 to the gateway.
Step 4: The gateway decrypts M_3 with its encryption private key SK_Eg, verifies the signature with the device's signature public key PK_Sd and obtains n_b, and checks that it is the n_b it generated; if so, the sender is the correct peer and mutual authentication between the Internet of Things device and the gateway is complete.
As shown in Fig. 2, the Internet of Things device and the gateway negotiate a session key to protect the data transmitted during communication, in the following steps:
Step 1: The device generates a random number m_D as its private key and computes the public key PK_1 = m_D * G; it then encrypts PK_1 and the current timestamp TS_4 with the gateway's encryption public key PK_Eg to form message M_4 and sends it to the gateway.
Step 2: The gateway receives M_4, generates a random number m_G as its private key and computes the public key PK_2 = m_G * G; it then encrypts PK_2 and the current timestamp TS_5 with the device's encryption public key PK_Ed to form message M_5 and returns it to the device.
Step 3: The device decrypts M_5 to obtain PK_2 and computes the secure session key shared with the gateway as SKey = m_D * PK_2 = m_D * m_G * G.
Step 4: The gateway decrypts M_4 to obtain PK_1 and computes the secure session key shared with the device as SKey = m_G * PK_1 = m_D * m_G * G, completing session key negotiation between the gateway and the device.
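The four-message mutual authentication of Fig. 1 (steps 1.1 to 1.4 of the disclosure and of claim 2) and the two-message session key negotiation of Fig. 2 (steps 1.5 to 1.7) are implemented end to end below as an added example; it is not code from the patent, which names no curve, signature scheme or encryption scheme. The example assumes secp256k1 for every key pair, a Schnorr-style signature as the "signature algorithm", an ECIES-style encrypt-then-MAC construction as the "asymmetric encryption", the ECDH step PK_1 = m_D * G, PK_2 = m_G * G, SKey = m_D * m_G * G with G the base point, and a 60-second freshness window on the timestamps TS_i (the page carries the timestamps but does not say how they are checked). The nonces n_a and n_b, the ephemeral values m_D and m_G and the handshake driver are constructed here. As on the page, the Diffie-Hellman shares in M_4 and M_5 are only encrypted, not signed; a deployment would also sign them so that they are bound to the identities authenticated in steps 1.1 to 1.4.

```python
import hashlib
import hmac
import json
import secrets

# secp256k1 (assumption: the page names no curve). Signing, the "asymmetric encryption"
# and the Diffie-Hellman step all reuse the same scalar-multiplication routine.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
MAX_SKEW = 60  # seconds a timestamp TS_i may deviate from the receiver's clock (assumption)

def ec_add(A, B):
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return None          # A == -B: point at infinity
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, A):                                             # double-and-add
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)

def h_int(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def point_bytes(A):
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def sign(sk, msg):                                            # Schnorr signature, deterministic nonce
    k = h_int(sk.to_bytes(32, "big"), msg) % N
    R = ec_mul(k, G)
    e = h_int(point_bytes(R), msg) % N
    return R, (k + e * sk) % N

def verify(pk, msg, sig):
    R, s = sig
    e = h_int(point_bytes(R), msg) % N
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pk))           # s*G == R + e*PK

def _keys(shared_point):                                      # encryption key and MAC key from the ECDH point
    z = point_bytes(shared_point)
    return hashlib.sha256(z + b"enc").digest(), hashlib.sha256(z + b"mac").digest()

def _stream_xor(key, data):
    return bytes(b ^ hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()[i % 32] for i, b in enumerate(data))

def pk_encrypt(pk, plaintext):                                # ECIES-style encrypt-then-MAC under the peer's PK_E
    r = secrets.randbelow(N - 1) + 1
    ek, mk = _keys(ec_mul(r, pk))
    ct = _stream_xor(ek, plaintext)
    return ec_mul(r, G), ct, hmac.new(mk, ct, "sha256").digest()

def pk_decrypt(sk, blob):
    C1, ct, tag = blob
    ek, mk = _keys(ec_mul(sk, C1))
    if not hmac.compare_digest(tag, hmac.new(mk, ct, "sha256").digest()):
        raise ValueError("ciphertext tag mismatch")
    return _stream_xor(ek, ct)

class Party:
    """A device or gateway: signature key pair (SK_S, PK_S) and encryption key pair (SK_E, PK_E)."""
    def __init__(self):
        self.sk_s, self.pk_s = keygen()
        self.sk_e, self.pk_e = keygen()

def pack(obj):
    return json.dumps(obj, sort_keys=True).encode()

def sign_then_encrypt(sender, peer_pk_e, fields, now):
    payload = pack(dict(fields, ts=now))                      # n_a / n_b plus the current timestamp TS_i
    R, s = sign(sender.sk_s, payload)
    return pk_encrypt(peer_pk_e, pack({"payload": payload.hex(), "R": list(R), "s": s}))

def decrypt_then_verify(receiver, peer_pk_s, msg, now):
    inner = json.loads(pk_decrypt(receiver.sk_e, msg))
    payload = bytes.fromhex(inner["payload"])
    if not verify(peer_pk_s, payload, (tuple(inner["R"]), inner["s"])):
        raise ValueError("signature check failed")
    fields = json.loads(payload)
    if abs(now - fields["ts"]) > MAX_SKEW:                    # staleness / replay check (assumption)
        raise ValueError("timestamp outside freshness window")
    return fields

def handshake(dev, gw, now):
    """Steps 1.1-1.4 (mutual authentication) then 1.5-1.7 (ECDH); returns SKey as seen by device and gateway."""
    n_a = secrets.token_hex(16)
    m1 = sign_then_encrypt(dev, gw.pk_e, {"na": n_a}, now)                    # 1.1
    f1 = decrypt_then_verify(gw, dev.pk_s, m1, now)                           # 1.2  device is legitimate
    n_b = secrets.token_hex(16)
    m2 = sign_then_encrypt(gw, dev.pk_e, {"na": f1["na"], "nb": n_b}, now)
    f2 = decrypt_then_verify(dev, gw.pk_s, m2, now)                           # 1.3  gateway is legitimate
    if f2["na"] != n_a: raise ValueError("n_a mismatch")
    m3 = sign_then_encrypt(dev, gw.pk_e, {"nb": f2["nb"]}, now)
    f3 = decrypt_then_verify(gw, dev.pk_s, m3, now)                           # 1.4
    if f3["nb"] != n_b: raise ValueError("n_b mismatch")
    m_d, pk1 = keygen()                                                       # 1.5  PK_1 = m_D * G
    m_g, pk2 = keygen()                                                       # 1.6  PK_2 = m_G * G
    m4 = pk_encrypt(gw.pk_e, pack({"pk1": list(pk1), "ts": now}))
    m5 = pk_encrypt(dev.pk_e, pack({"pk2": list(pk2), "ts": now}))
    pk1_at_gw = tuple(json.loads(pk_decrypt(gw.sk_e, m4))["pk1"])             # 1.7
    pk2_at_dev = tuple(json.loads(pk_decrypt(dev.sk_e, m5))["pk2"])
    return ec_mul(m_d, pk2_at_dev), ec_mul(m_g, pk1_at_gw)                    # both equal m_D * m_G * G
```

handshake() returns the session key as computed independently on each side so that their equality can be checked; decrypt_then_verify() raises ValueError for a timestamp outside the window or a signature that does not verify under the expected peer's PK_S, which is where a replayed M_1 or a message from an impostor gateway is rejected, while the n_a and n_b comparisons in 1.3 and 1.4 tie each reply to the nonce the receiver itself generated.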
After the Internet of Things device has completed mutual identity authentication and session key negotiation with the gateway, the data owner uploads the access policy P for the Internet of Things data to the gateway, and the gateway runs Encrypt(PK, P, SKey) → CT, i.e. takes the system public key PK, the data access policy P and the session key SKey as input and outputs the ciphertext CT, thereby encrypting the session key SKey. Meanwhile, the device encrypts the original data with SKey and sends the encrypted data to the gateway, and the gateway sends (CT, encrypted data, timestamp) to the edge server for storage through the blockchain network.
The invention provides a distributed secure storage scheme using the Kademlia algorithm, as follows: the edge server computes a 160-bit hash value of the encrypted data as the Key and uses the encrypted data as the Value, finds the k edge servers whose ID numbers (each edge server has a 160-bit ID number) are closest to the Key according to the value k configured by the system, and transmits the Key-Value pair, the CT and the timestamp to those k edge servers through the blockchain network for storage, completing distributed storage of the Internet of Things data in the edge server network.
This distributed redundant storage scheme has two significant advantages. First, because several copies of the encrypted data are stored, data lookup is unaffected even if one edge server is compromised, which guarantees service availability and improves the robustness of the system. Second, the Kademlia algorithm provides an efficient query method that locates the target edge server in O(log2 N) time, so the user obtains the service quickly.
To prevent illegitimate access to Internet of Things data, the invention uses attribute-based encryption to design an access control mechanism for the users of that data, in the following steps:
Step 1: When a user needs Internet of Things data, the user sends a data request to the nearest edge server, providing their public key and identity information.
Step 2: The edge server forwards the user information to the gateway through the blockchain.
Step 3: The gateway judges whether the user's identity is legitimate; if so, it generates the corresponding attribute set S and records the user's public key PK_user in the smart contract as the authorised-user identifier. The gateway then runs KeyGen(PK, MSK, S) → SK, taking the system public key PK, the system master key MSK and the user's attribute set S as input and outputting the user's access private key SK; it encrypts SK with the user's public key PK_user, embeds the encryption result in a blockchain transaction, and sends the transaction ID and the smart contract address to the edge server through the blockchain.
Step 4: The user first downloads the system public key PK and their encrypted private key SK from the edge server network and decrypts SK with their own private key SK_user, then uses the Kademlia query algorithm to locate the encrypted data block and the CT in the edge server network, as follows:
Step 4-1: The data user sends a lookup request to the edge server with the Key of the requested data; the edge server checks whether it stores the (Key, Value) pair itself and, if so, returns the encrypted data directly to the user; otherwise it finds the k nodes closest to the Key and sends a FIND_VALUE request to those k node IDs.
Step 4-2: A node receiving a FIND_VALUE request first checks whether it stores the (Key, Value) pair and, if so, returns the encrypted data to the requesting edge server; otherwise it again finds the k nodes closest to the Key and forwards the FIND_VALUE request to those k node IDs.
Step 4-3: The above steps are repeated until the Value is obtained or no edge server closer to the Key than the currently known server IDs can be found, which indicates that the data requested by the user does not exist.
Step 5: The user runs Decrypt(PK, SK, CT) → SKey, taking the system public key PK, the user's private key SK and the encrypted session key CT as input and outputting the session key SKey; if the user's attribute set S satisfies the access policy P set by the data owner, SKey is recovered successfully, otherwise decryption fails.
Step 6: The user runs Decrypt(SKey, encrypted data) → original data, decrypting the encrypted data with the session key SKey to obtain the original data.
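The store path of the distributed storage scheme (step 2.2 above) and the iterative FIND_VALUE lookup (steps 3.6.1 to 3.6.2 and Steps 4-1 to 4-3) are written out below as an added example in Python; it is not the patent's code. It assumes SHA-1 as the 160-bit hash, k = 3, a constructed network of 32 edge servers with random 160-bit IDs in which each server keeps up to k contacts per XOR-distance bucket (a routing table the page does not describe, but which is what Kademlia uses), and an in-process "RPC" in which a server's find_value() answers with either the Value or the k closest servers it knows. The encrypted blob is a constructed placeholder for the SKey-encrypted data; the CT and timestamp that the page stores alongside it are omitted.

```python
import hashlib
import random

K = 3            # replication factor and lookup width, the "k value set by the system" (assumption)
ID_BITS = 160    # each edge server has a 160-bit ID

def kad_key(encrypted_blob: bytes) -> int:
    """Key = 160-bit hash of the encrypted data (SHA-1 assumed; the page only says '160-bit hash')."""
    return int.from_bytes(hashlib.sha1(encrypted_blob).digest(), "big")

def xor_distance(a: int, b: int) -> int:
    return a ^ b

class EdgeServer:
    def __init__(self, node_id: int):
        self.id = node_id
        self.store = {}      # Key -> encrypted Value held by this server
        self.buckets = {}    # bit index -> up to K known servers whose IDs differ from ours first at that bit

    def add_contact(self, other: "EdgeServer") -> None:
        d = xor_distance(self.id, other.id)
        if d == 0:
            return
        bucket = self.buckets.setdefault(d.bit_length() - 1, [])
        bucket.append(other)
        bucket.sort(key=lambda s: xor_distance(self.id, s.id))
        del bucket[K:]

    def closest_known(self, key: int):
        known = [self] + [s for b in self.buckets.values() for s in b]
        return sorted(known, key=lambda s: xor_distance(s.id, key))[:K]

    def find_value(self, key: int):
        """FIND_VALUE handler: the Value if held locally, otherwise the K closest servers this node knows."""
        if key in self.store:
            return "value", self.store[key]
        return "nodes", self.closest_known(key)

def iterative_lookup(start: EdgeServer, key: int):
    """Iterative FIND_VALUE from `start`: returns (value or None, K closest servers seen, servers queried).
    Stops when the Value is found or every one of the K closest servers known has been asked and none
    named a closer one, i.e. the data does not exist (Step 4-3 / step 3.6.2)."""
    if key in start.store:                                   # the entry server checks its own store first
        return start.store[key], [start], 0
    shortlist = {s.id: s for s in start.closest_known(key)}
    queried, hops = set(), 0
    while True:
        ranked = sorted(shortlist.values(), key=lambda s: xor_distance(s.id, key))[:K]
        pending = [s for s in ranked if s.id not in queried]
        if not pending:
            return None, ranked, hops
        for s in pending:
            queried.add(s.id)
            hops += 1
            kind, payload = s.find_value(key)
            if kind == "value":
                return payload, ranked, hops
            for c in payload:                                # learn the closer servers it reported
                shortlist.setdefault(c.id, c)

def store(entry: EdgeServer, encrypted_blob: bytes):
    """S_1 hashes the ciphertext, locates the K servers with IDs closest to the Key and stores the pair on each."""
    key = kad_key(encrypted_blob)
    _, holders, _ = iterative_lookup(entry, key)
    for s in holders:
        s.store[key] = encrypted_blob
    return key, [s.id for s in holders]

def retrieve(entry: EdgeServer, key: int):
    value, _, hops = iterative_lookup(entry, key)
    return value, hops

def build_network(n_servers: int, seed: int = 7):
    """Constructed test network: random 160-bit IDs; every server fills its buckets from the full server set."""
    rng = random.Random(seed)
    servers = [EdgeServer(rng.getrandbits(ID_BITS)) for _ in range(n_servers)]
    for s in servers:
        for t in servers:
            s.add_contact(t)
    return servers

if __name__ == "__main__":
    net = build_network(32)
    blob = b"constructed ciphertext produced under SKey"
    key, holders = store(net[0], blob)
    value, hops = retrieve(net[19], key)
    print(f"stored on {len(holders)} servers; retrieved after {hops} queries: {value == blob}")
```

retrieve() from any entry server reaches one of the k holders: every server knows at least one contact in each non-empty XOR subtree, so each queried server can name a server strictly closer to the Key until the closest server of all, which is one of the holders, has been asked. A Key nobody stores terminates with None once the k closest known servers have all been queried, which is the page's "no edge server closer to the Key can be found" condition.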
The invention guarantees authorized access of legal users through the access control mechanism, resists malicious reading of data by illegal users, and realizes credible sharing of data of the Internet of things.
The foregoing description of the embodiments is provided to enable a person of ordinary skill in the art to make and use the invention. Modifications of these embodiments will be readily apparent to those skilled in the art, and the generic principles defined here may be applied to other embodiments without inventive effort. The invention is therefore not limited to the embodiments above, and improvements and modifications made by those skilled in the art on the basis of this disclosure fall within its protection scope.
Claims (8)
1. An Internet of things trusted data management method based on block chain technology, comprising the following steps:
(1) completing secure identity authentication between an Internet of things terminal device and a gateway using an asymmetric encryption algorithm and a signature algorithm, and completing session key negotiation between the terminal device and the gateway using Diffie-Hellman key exchange;
(2) the terminal device encrypts the original Internet of things data using the session key negotiated with the gateway and transmits the encrypted data to the gateway; the gateway sends the encrypted data to an edge server, and the edge server uses the Kademlia algorithm to store the Internet of things data securely and in a distributed manner across the edge server network;
(3) an attribute-based encryption scheme is used to implement an access control mechanism governing user access to the Internet of things data.
2. The internet of things trusted data management method according to claim 1, wherein: the specific implementation process of the step (1) is as follows:
1.1 the Internet of things terminal device generates a random number n_a, signs n_a and the current timestamp TS_1 with its own signature private key SK_Sd, encrypts the signature result with the encryption public key PK_Eg of the gateway to be authenticated to form message M_1, and sends it to the gateway;
1.2 the gateway decrypts M_1 with its own encryption private key SK_Eg to obtain the signature result, then verifies the signature with the signature public key PK_Sd of the terminal device and obtains n_a; if verification succeeds, the terminal device is proven to be a legitimate device; the gateway then generates a random number n_b, signs n_a, n_b and the current timestamp TS_2 with its own signature private key SK_Sg, encrypts the signature result with the encryption public key PK_Ed of the terminal device to form message M_2, and sends it to the terminal device;
1.3 the terminal device decrypts M_2 with its own encryption private key SK_Ed to obtain the signature result, then verifies the signature with the signature public key PK_Sg of the gateway and obtains n_a and n_b; if verification succeeds, the gateway identity is legitimate; the terminal device also checks whether the obtained n_a is consistent with the n_a it generated; if consistent, the terminal device signs n_b and the current timestamp TS_3 with its signature private key SK_Sd, encrypts the signature result with the encryption public key PK_Eg of the gateway to form message M_3, and sends it to the gateway;
1.4 the gateway decrypts M_3 with its own encryption private key SK_Eg to obtain the signature result, then verifies the signature with the signature public key PK_Sd of the terminal device and obtains n_b, and checks whether the obtained n_b is consistent with the n_b it generated; if consistent, the sender is the correct interacting party, and mutual authentication between the Internet of things terminal device and the gateway is complete;
1.5 the terminal device generates a random number m_D as its private key and computes the public key PK_1 = m_D·G, where G denotes the generator of the group; it then encrypts PK_1 and the current timestamp TS_4 with the encryption public key PK_Eg of the gateway to form message M_4, and sends it to the gateway;
1.6 the gateway generates a random number m_G as its private key and computes the public key PK_2 = m_G·G; it then encrypts PK_2 and the current timestamp TS_5 with the encryption public key PK_Ed of the terminal device to form message M_5, and sends it to the terminal device;
1.7 the gateway decrypts M_4 with its own encryption private key SK_Eg to obtain PK_1, then computes the secure session key shared with the terminal device, SKey = m_G·PK_1 = m_G·m_D·G; the terminal device decrypts M_5 with its own encryption private key SK_Ed to obtain PK_2, then computes the secure session key shared with the gateway, SKey = m_D·PK_2 = m_D·m_G·G; session key negotiation between the Internet of things terminal device and the gateway is complete.
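Steps 1.1 to 1.7 as an added Go example (not code from the patent): ECDSA over P-256 stands in for the signature algorithm, a P-256 ECDH shared secret for SKey = m_D·PK_2 = m_G·PK_1, and the claim's outer encryption of each signed block under the receiver's PK_E is left out, so the block shows only the signature, nonce-echo and timestamp checks each side performs before the key is derived. The freshness window maxSkew and the 16-byte nonces are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// maxSkew (an assumption) bounds how far a timestamp TS_i may lag before rejection.
const maxSkew = 30 // seconds

// Party is a device or gateway: a long-term signing pair (SK_S/PK_S) and a fresh
// ECDH key (m_D or m_G) whose public point is PK_1 = m_D*G or PK_2 = m_G*G.
type Party struct{ Sign *ecdsa.PrivateKey; Eph *ecdh.PrivateKey }

// Msg is the signed content of M1..M3; the claim's outer encryption under the
// receiver's PK_E is omitted here, only signing, nonce echo and freshness are shown.
type Msg struct{ Na, Nb, Sig []byte; TS int64 }

func NewParty() *Party {
	s, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	e, _ := ecdh.P256().GenerateKey(rand.Reader)
	return &Party{Sign: s, Eph: e}
}

func nonce() []byte { b := make([]byte, 16); rand.Read(b); return b }
// digest binds n_a, n_b (fixed 16-byte nonces) and TS into the value that is signed.
func digest(na, nb []byte, ts int64) []byte {
	h := sha256.Sum256(binary.BigEndian.AppendUint64(append(append([]byte{}, na...), nb...), uint64(ts)))
	return h[:]
}

// Send signs (n_a, n_b, TS) with the sender's SK_S.
func (p *Party) Send(na, nb []byte, ts int64) Msg {
	sig, _ := ecdsa.SignASN1(rand.Reader, p.Sign, digest(na, nb, ts))
	return Msg{Na: na, Nb: nb, TS: ts, Sig: sig}
}

// Verify checks the signature under the peer's PK_S and rejects stale or
// future-dated TS, so a captured message cannot simply be replayed later.
func Verify(peer *ecdsa.PublicKey, m Msg, now int64) error {
	if !ecdsa.VerifyASN1(peer, digest(m.Na, m.Nb, m.TS), m.Sig) { return errors.New("signature verification failed") }
	if m.TS > now || now-m.TS > maxSkew { return errors.New("timestamp outside freshness window") }
	return nil
}

// Handshake runs steps 1.1-1.7: each side checks the peer's signature and echoed nonce, then derives SKey.
func Handshake(d, g *Party, now int64) (skD, skG []byte, err error) {
	na := nonce()
	m1 := d.Send(na, nil, now) // 1.1: device -> gateway
	if err = Verify(&d.Sign.PublicKey, m1, now); err != nil { return }
	nb := nonce()
	m2 := g.Send(m1.Na, nb, now) // 1.2: gateway echoes n_a and adds n_b
	if err = Verify(&g.Sign.PublicKey, m2, now); err != nil { return }
	if !bytes.Equal(m2.Na, na) { return nil, nil, errors.New("n_a echo mismatch") }
	m3 := d.Send(nil, m2.Nb, now) // 1.3: device echoes n_b
	if err = Verify(&d.Sign.PublicKey, m3, now); err != nil { return }
	if !bytes.Equal(m3.Nb, nb) { return nil, nil, errors.New("n_b echo mismatch") }
	// 1.5-1.7: PK_1 and PK_2 are exchanged; each side multiplies the peer's point by its own m.
	if skD, err = d.Eph.ECDH(g.Eph.PublicKey()); err != nil { return }
	skG, err = g.Eph.ECDH(d.Eph.PublicKey())
	return
}

func main() {
	skD, skG, err := Handshake(NewParty(), NewParty(), time.Now().Unix())
	fmt.Println("error:", err, "session keys match:", bytes.Equal(skD, skG))
}
```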
3. The internet of things trusted data management method according to claim 1, wherein: the specific implementation process of the step (2) is as follows:
2.1 the Internet of things terminal device encrypts the original Internet of things data with the secure session key SKey shared with the gateway and transmits the encrypted data to the gateway, and the gateway forwards the encrypted data to the edge server S_1 closest to it;
2.2 edge server S_1 computes the 160-bit hash of the encrypted data as the Key and takes the encrypted data as the Value, finds the k edge servers whose ID numbers are closest to the Key according to the k value set by the system, and transmits the (Key, Value) pair to those k edge servers for storage, completing the distributed storage of the Internet of things data in the edge server network.
4. The internet of things trusted data management method according to claim 1, wherein: the specific implementation process of the step (3) is as follows:
3.1 the data owner stores the access policy P on the gateway; the gateway runs Setup(1^λ) → (PK, MSK), i.e. computes the system public key PK and the system master key MSK from the security parameter λ, then embeds PK into a transaction and sends it to the blockchain network while keeping MSK locally;
3.2 the user sends a data request to the edge server; the edge server first verifies the user's identity and then interacts with the gateway through the smart contract; if the user's identity is legitimate, the gateway generates the corresponding attribute set S for the user, the user's public key PK_user is stored in the smart contract as the authorized user identifier, and the gateway generates a private key for the user;
3.3 the gateway runs KeyGen(PK, MSK, S) → SK, i.e. takes the system public key PK, the system master key MSK and the user's attribute set S as input and outputs the user access private key SK; the gateway encrypts SK with the user public key PK_user, embeds the result in a transaction, and sends the transaction ID and the smart contract address to the edge server through the blockchain;
3.4 the edge server receives the encrypted result and forwards it to the user, who decrypts it with its own private key SK_user to obtain the user access private key SK;
3.5 the gateway runs Encrypt(PK, P, SKey) → CT, i.e. takes the system public key PK, the access policy P and the session key SKey shared between the Internet of things terminal device and the gateway as input and produces the ciphertext CT, which completes the encryption of the session key SKey; the gateway then sends CT to the edge server for storage through the blockchain network;
3.6 the user downloads the encrypted data and the ciphertext CT from the edge server using the Kademlia algorithm and runs Decrypt(PK, SK, CT) → SKey, i.e. takes the system public key PK, the user access private key SK and the ciphertext CT as input and decrypts to obtain the session key SKey; if the user's attribute set S satisfies the access policy P set by the data owner, SKey is decrypted successfully, otherwise decryption fails;
3.7 the user runs Decrypt(SKey, encrypted data) → original data, decrypting the encrypted data with the session key SKey to obtain the original Internet of things data.
5. The internet of things trusted data management method according to claim 4, wherein: the specific process of the user downloading the encrypted data and the ciphertext CT from the edge server by using the Kademlia algorithm in the step 3.6 is as follows:
3.6.1 the user sends a lookup request for the Key of the requested data to the edge server; the edge server checks whether it stores the data pair (Key, Value) itself; if so, it returns the encrypted data to the user directly, otherwise it finds the k node IDs closest to the Key value and sends a FIND_VALUE request to those k nodes;
3.6.2 a node receiving the FIND_VALUE request first checks whether it stores the data pair (Key, Value) locally; if so, it returns the encrypted data to the requesting edge server, otherwise it finds the k node IDs closest to the Key value and forwards the FIND_VALUE request to them; the search spreads in this way until the encrypted data is obtained or no edge server closer to the Key value than the currently known node IDs can be found.
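The storage of step 2.2 and the iterative FIND_VALUE of steps 3.6.1 to 3.6.2 as one added Go example (not the patent's code): the Key is the SHA-1 of the ciphertext, distance is XOR over 160-bit IDs, a store places the pair on the k nodes a lookup finds closest to the Key, and a lookup stops on a hit or once no unqueried node closer than those already known remains. The 32-node network, its IDs and the one-contact-per-bucket routing tables are constructed here for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"fmt"
	"math/bits"
	"sort"
)

type ID [20]byte // 160-bit Kademlia identifier; node IDs and data Keys share this space
// Node is one edge server: its ID, its local (Key, Value) store and its routing table.
type Node struct{ id ID; store map[ID][]byte; peers []*Node }
func xorDist(a, b ID) ID {
	var d ID
	for i := range a { d[i] = a[i] ^ b[i] }
	return d
}

// bucketOf is the highest bit at which a and b differ (159 = MSB), i.e. b's bucket seen from a.
func bucketOf(a, b ID) int {
	for i, x := range xorDist(a, b) { if x != 0 { return 159 - (i*8 + bits.LeadingZeros8(x)) } }
	return -1 // a == b
}

// kClosest deduplicates nodes and keeps the k with the smallest XOR distance to key.
func kClosest(nodes []*Node, key ID, k int) []*Node {
	seen, out := map[ID]bool{}, []*Node{}
	for _, n := range nodes { if !seen[n.id] { seen[n.id] = true; out = append(out, n) } }
	sort.Slice(out, func(i, j int) bool {
		di, dj := xorDist(out[i].id, key), xorDist(out[j].id, key)
		return bytes.Compare(di[:], dj[:]) < 0
	})
	if len(out) > k { out = out[:k] }
	return out
}

// Lookup is the iterative FIND_VALUE of claim 5: query the nearest unqueried shortlisted
// node, merge the contacts it returns, and stop on a hit or once no unqueried node remains.
func Lookup(entry *Node, key ID, k int) ([]byte, []*Node) {
	if v, ok := entry.store[key]; ok { return v, nil } // local store checked first (3.6.1)
	queried := map[ID]bool{}
	shortlist := kClosest(append([]*Node{entry}, entry.peers...), key, k)
	for {
		var next *Node
		for _, n := range shortlist { if !queried[n.id] { next = n; break } }
		if next == nil { return nil, shortlist } // nothing closer than the known nodes
		queried[next.id] = true
		if v, ok := next.store[key]; ok { return v, shortlist } // FIND_VALUE hit (3.6.2)
		shortlist = kClosest(append(shortlist, next.peers...), key, k)
	}
}

// Store hashes the ciphertext to its 160-bit Key (step 2.2) and places the pair on
// the k nodes a lookup finds closest to that Key; it returns the Key.
func Store(entry *Node, ciphertext []byte, k int) ID {
	key := ID(sha1.Sum(ciphertext))
	_, targets := Lookup(entry, key, k)
	for _, t := range targets { t.store[key] = ciphertext }
	return key
}

// NewNetwork builds n edge servers with constructed IDs; each node's routing table
// keeps the first node it sees in every XOR bucket (bucket size 1, an assumption).
func NewNetwork(n int) []*Node {
	nodes := make([]*Node, n)
	for i := range nodes { nodes[i] = &Node{id: sha1.Sum([]byte(fmt.Sprintf("edge-server-%d", i))), store: map[ID][]byte{}} }
	for _, a := range nodes {
		filled := map[int]bool{}
		for _, b := range nodes {
			if bk := bucketOf(a.id, b.id); bk >= 0 && !filled[bk] { filled[bk], a.peers = true, append(a.peers, b) }
		}
	}
	return nodes
}
```

Storing with Store(net[0], ciphertext, 3) from one edge server and looking up with Lookup(net[17], key, 3) from another returns the same ciphertext, because every routing table holds a contact in each non-empty bucket and the lookup therefore always reaches the node closest to the Key.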
6. The internet of things trusted data management method according to claim 1, wherein: the data management method comprises four parts, namely device identity authentication, secure data transmission, trusted data storage and trusted data sharing; a distributed, tamper-proof communication network is established between the gateway and the edge servers, authorized access by legitimate users is guaranteed, malicious reading of data by unauthorized users is resisted, and trusted sharing of Internet of things data is guaranteed.
7. The internet of things trusted data management method according to claim 1, wherein: the identity authentication scheme designed between the terminal device and the gateway effectively curbs the security risk of malicious devices joining the network and guarantees the legitimacy of the Internet of things data source; the session key negotiation mechanism designed between the terminal device and the gateway protects the confidentiality of data in transit and prevents eavesdropping and tampering attacks.
8. The internet of things trusted data management method according to claim 1, wherein: a reliable distributed data storage scheme is constructed in the edge network based on the Kademlia algorithm, which greatly reduces the security and privacy risks of centralized storage, removes the bandwidth bottleneck and greatly improves the scalability of data storage; at the same time, an active access control mechanism is designed based on attribute-based encryption, so that only a user whose attribute set matches the access policy formulated by the data owner obtains access authorization, which guarantees data availability for authorized users, effectively prevents malicious users from obtaining the original data by illegitimate means, improves the security of user data access at the consumption layer, protects the original value of the Internet of things data, and realizes user-oriented authority management.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110856422.9A CN113553574A (en) | 2021-07-28 | 2021-07-28 | Internet of things trusted data management method based on block chain technology |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113553574A (en) | 2021-10-26 |
Family
ID=78104743
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113553574A (en) |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114117499A (en) * | 2021-12-06 | 2022-03-01 | 中电万维信息技术有限责任公司 | Authority management based trusted data exchange method |
CN114189359A (en) * | 2021-11-18 | 2022-03-15 | 临沂大学 | Internet of things equipment for avoiding data tampering, and data secure transmission method and system |
CN114398602A (en) * | 2022-01-11 | 2022-04-26 | 国家计算机网络与信息安全管理中心 | Internet of things terminal identity authentication method based on edge calculation |
CN114499895A (en) * | 2022-04-06 | 2022-05-13 | 国网浙江省电力有限公司电力科学研究院 | Data trusted processing method and system fusing trusted computing and block chain |
CN114499988A (en) * | 2021-12-30 | 2022-05-13 | 电子科技大学 | Block chain-based Internet of things key distribution and equipment authentication method |
CN114615006A (en) * | 2021-12-01 | 2022-06-10 | 江苏省电力试验研究院有限公司 | Edge layer data security protection method and system for power distribution Internet of things and storage medium |
CN114928491A (en) * | 2022-05-20 | 2022-08-19 | 国网江苏省电力有限公司信息通信分公司 | Internet of things security authentication method, device and system based on identification cryptographic algorithm |
CN115085943A (en) * | 2022-08-18 | 2022-09-20 | 南方电网数字电网研究院有限公司 | Edge computing method and platform for safe encryption of electric power Internet of things in north and south directions |
CN115277026A (en) * | 2022-09-26 | 2022-11-01 | 国网浙江余姚市供电有限公司 | Block chain-based Internet of things gateway control method, device and medium |
CN115412374A (en) * | 2022-11-01 | 2022-11-29 | 国网浙江省电力有限公司金华供电公司 | Safe data sharing method based on credit consensus mechanism |
WO2023071751A1 (en) * | 2021-10-29 | 2023-05-04 | 华为技术有限公司 | Authentication method and communication apparatus |
WO2023078013A1 (en) * | 2021-11-08 | 2023-05-11 | 华为云计算技术有限公司 | Encryption method and apparatus, and related device |
CN117240625A (en) * | 2023-11-14 | 2023-12-15 | 武汉海昌信息技术有限公司 | Tamper-resistant data processing method and device and electronic equipment |
CN117494111A (en) * | 2023-09-11 | 2024-02-02 | 德浦勒仪表(广州)有限公司 | Edge computing system and method for data processing and transmission of industrial flowmeter |
CN117544376A (en) * | 2023-11-21 | 2024-02-09 | 广州东兆信息科技有限公司 | Mobile terminal equipment credible authentication method and system based on Internet of things |
CN117579256A (en) * | 2023-10-12 | 2024-02-20 | 智慧工地科技(广东)有限公司 | Internet of things data management method and device |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103929745A (en) * | 2014-04-16 | 2014-07-16 | 东北大学 | Wireless MESH network access authentication system and method based on privacy protection |
CN105978883A (en) * | 2016-05-17 | 2016-09-28 | 上海交通大学 | Large-scale IoV security data acquisition method |
CN111147228A (en) * | 2019-12-28 | 2020-05-12 | 西安电子科技大学 | Ethernet IoT entity based lightweight authentication method, system and intelligent terminal |
CN111835752A (en) * | 2020-07-09 | 2020-10-27 | 国网山西省电力公司信息通信分公司 | Lightweight authentication method based on equipment identity and gateway |
CN111986755A (en) * | 2020-08-24 | 2020-11-24 | 中国人民解放军战略支援部队信息工程大学 | Data sharing system based on block chain and attribute-based encryption |
AU2020103294A4 (en) * | 2020-11-06 | 2021-01-14 | Mushtaq Ahmed | Trusted and secure configuration and validation of data for public IoT devices using block chain technology |
CN112836229A (en) * | 2021-02-10 | 2021-05-25 | 北京深安信息科技有限公司 | Attribute-based encryption and block-chaining combined trusted data access control scheme |
Non-Patent Citations (1)
Title |
---|
Cheng Guanjie et al., "Internet of Things data management based on blockchain and edge computing", Chinese Journal on Internet of Things, vol. 4, no. 2, 30 June 2020 (2020-06-30), pages 1-9 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||