CN113556307B - Edge Internet of things agent, access gateway, internet of things management platform and safety protection method - Google Patents


Info

Publication number
CN113556307B
CN113556307B
Authority
CN
China
Prior art keywords
things
internet
agent
key
edge
Prior art date
Legal status
Active
Application number
CN202010258123.0A
Other languages
Chinese (zh)
Other versions
CN113556307A (en)
Inventor
何连杰
李二霞
亢超群
李玉凌
杨红磊
常方圆
孙智涛
许保平
樊勇华
Current Assignee
China Online Shanghai Energy Internet Research Institute Co ltd
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
China Online Shanghai Energy Internet Research Institute Co ltd
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd
Application filed by China Online Shanghai Energy Internet Research Institute Co Ltd, State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI and Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd
Priority to CN202010258123.0A
Publication of CN113556307A
Application granted
Publication of CN113556307B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/16 Gateway arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an edge Internet of things agent, an access gateway, an Internet of things management platform and a safety protection method. The edge Internet of things agent for a safety protection device is in communication connection with both the access gateway and the Internet of things management platform for the safety protection device. A first verification module in the edge Internet of things agent performs bidirectional identity authentication and key agreement with the access gateway, which effectively avoids risks such as an attacker counterfeiting the access of the edge Internet of things agent and data leakage while the edge Internet of things agent exchanges data with the access gateway. A second verification module in the edge Internet of things agent performs bidirectional identity authentication with the Internet of things management platform once the bidirectional identity authentication and key agreement with the access gateway have succeeded, and carries out service data transmission with the Internet of things management platform after that authentication passes. This ensures the secure access of a large number of edge Internet of things agents to the Internet of things management platform and the safe and stable operation of the power distribution Internet of things.

Description

Edge Internet of things agent, access gateway, internet of things management platform and safety protection method
Technical Field
The invention relates to the technical field of power distribution internet of things in ubiquitous power internet of things, in particular to an edge internet of things agent, an access gateway, an internet of things management platform and a safety protection method.
Background
With the advance of the energy Internet, the power distribution Internet of things is being deployed as the application of the ubiquitous power Internet of things to the distribution network; it is a novel form of power network operation produced by the deep fusion of traditional power industry technology with Internet of things technology. By giving power distribution network equipment sensitive and accurate sensing capability, together with interconnection, intercommunication and interoperation among the equipment, a highly flexible, distributed, software-defined and intelligently cooperating power distribution network system is constructed, which meets the lean management requirements of the distribution network and supports the rapid development of the energy Internet. Security protection is important to this rapid development: in May 2019 the State Administration for Market Regulation and the Standardization Administration of China jointly issued Information Security Technology: Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019), which brings cloud computing security, Internet of things security protection and active defense technology into the extended requirements for level-three systems.
As can be seen from the power distribution Internet of things architecture shown in Fig. 1, the edge Internet of things agent on one hand uploads the information it collects to the Internet of things management platform through standardized means, and on the other hand acts as a local computing brain that gathers, analyzes and makes decisions on the information sent by the Internet of things terminals of the sensing layer. It is estimated that, in the Internet of things scenario, the number of edge Internet of things agents in each province can reach hundreds of thousands or even millions of units. These agents are usually installed in the transformer box of a transformer area, have weak physical protection, and communicate with the Internet of things management platform over a public wireless network. Without effective safety protection measures they face risks such as implanted trojans or viruses, man-in-the-middle attacks and denial-of-service attacks, and can further be used as a springboard for attacking the Internet of things management platform.
Therefore, safety protection measures are needed between the edge Internet of things agent and the Internet of things management platform to ensure the access security of the edge Internet of things agent.
Disclosure of Invention
To overcome the above shortcomings of the prior art, the present invention provides an edge Internet of things agent, characterized in that the edge Internet of things agent is used for a safety protection device and is in communication connection with an access gateway and an Internet of things management platform for the safety protection device, respectively, and the edge Internet of things agent includes a first verification module and a second verification module;
the first verification module is used for performing bidirectional identity authentication and key agreement with the access gateway;
and the second verification module is used for performing bidirectional identity authentication with the Internet of things management platform after the bidirectional identity authentication and key agreement with the access gateway have succeeded, and for performing service data transmission with the Internet of things management platform after that bidirectional identity authentication has passed.
Preferably, the first verification module includes:
the session application submodule is used for encapsulating the edge Internet of things agent device certificate into a session application message and sending it to the access gateway;
the gateway identity authentication submodule is used for receiving the key negotiation request message that the access gateway sends in response to the session application message, verifying the key negotiation request message with the public key in a preset access gateway certificate, calling the key negotiation response submodule when verification passes, and otherwise returning an access gateway identity authentication failure to the access gateway;
the key negotiation response submodule is used for generating a random number of the edge Internet of things agent, computing a key, a first agent check value and a second agent check value from the key negotiation request message and that random number, and packaging key negotiation material containing the random number of the edge Internet of things agent and the second agent check value into a key negotiation response message to be sent to the access gateway;
the session confirmation submodule is used for receiving the session confirmation message that the access gateway sends in response to the key negotiation response message, parsing it and extracting the verification code; when the verification code indicates an error, negotiation with the access gateway fails; when the verification code is correct, the first gateway check value in the verification code is compared with the first agent check value, and if they are equal the current key is used as the session key for ciphertext transmission, otherwise key agreement fails.
Preferably, the key agreement response sub-module includes:
a key agreement material obtaining unit, used for obtaining the key negotiation material from the key negotiation request message;
an edge Internet of things agent key generation unit, used for generating a random number of the edge Internet of things agent and computing a key, a first agent check value and a second agent check value from the key negotiation material in the key negotiation request message together with the random number of the edge Internet of things agent, the edge Internet of things agent ID, the private key of the edge Internet of things agent and the public key of the access gateway;
and an edge Internet of things agent signing and packaging unit, used for signing the key negotiation material (containing the random number generated by the edge Internet of things agent, the ID of the edge Internet of things agent, the distinguishable identification of the session and the second agent check value) with the private key of the edge Internet of things agent to produce a signature value, and packaging the signature value and the key negotiation material into a key negotiation response message to be sent to the access gateway.
Preferably, the second verification module includes:
the authentication application message sending unit is used for sending an authentication application message to the Internet of things management platform;
the confirmation and initiation authentication unit is used for receiving the authentication request that the Internet of things management platform sends in response to the authentication application message and storing the random number of the Internet of things management platform carried in the authentication request; it is also used for generating a random number of the edge Internet of things agent, producing a verification message by signing the random number of the Internet of things management platform together with the random number of the edge Internet of things agent, and sending the verification message to the Internet of things management platform;
and the authentication result returning unit is used for receiving a response authentication message sent by the Internet of things management platform based on the verification message, authenticating the identity of the Internet of things management platform based on the response authentication message, and transmitting service data with the Internet of things management platform after the identity of the Internet of things management platform passes the authentication.
Based on the same inventive concept, the invention provides a safety protection method for a power distribution Internet of things, which comprises the following steps:
bidirectional identity authentication and key agreement are carried out between the edge Internet of things agent and the access gateway;
and after the bidirectional identity authentication and key agreement between the edge Internet of things agent and the access gateway have succeeded, the edge Internet of things agent and the Internet of things management platform perform bidirectional identity authentication, and after that authentication has succeeded, the edge Internet of things agent and the Internet of things management platform perform service data transmission.
Preferably, the bidirectional identity authentication and key agreement between the edge internet of things proxy and the access gateway includes:
the edge Internet of things agent encapsulates the edge Internet of things agent equipment certificate into a session application message and sends the session application message to the access gateway;
the edge Internet of things agent receives the key negotiation request message that the access gateway sends in response to the session application message and verifies it with the public key in a preset access gateway certificate; when verification fails it returns an access gateway identity authentication failure to the access gateway, otherwise it performs the following:
generating a random number of the edge Internet of things agent, computing a key, a first agent check value and a second agent check value from the key negotiation request message and that random number, and at the same time packaging key negotiation material containing the random number of the edge Internet of things agent and the second agent check value into a key negotiation response message to be sent to the access gateway;
the edge Internet of things agent receives the session confirmation message that the access gateway sends in response to the key negotiation response message, parses it and extracts the verification code; when the verification code indicates an error, negotiation with the access gateway fails; when the verification code is correct, the first gateway check value in the verification code is compared with the first agent check value, and if they are equal the current key is used as the session key for ciphertext transmission, otherwise key agreement fails.
Preferably, the generating a random number of the edge internet of things proxy, calculating the key negotiation request message and the random number of the edge internet of things proxy to obtain a key, a first proxy check value and a second proxy check value, and encapsulating the random number of the edge internet of things proxy and the second proxy check value into a key negotiation response message to send to the access gateway includes:
acquiring a key negotiation material from the key negotiation request message;
generating a random number of the edge Internet of things agent, and computing a key, a first agent check value and a second agent check value from the key negotiation material in the key negotiation request message together with the random number of the edge Internet of things agent, the ID of the edge Internet of things agent, the private key of the edge Internet of things agent and the public key of the access gateway;
and signing the key negotiation material (containing the random number generated by the edge Internet of things agent, the ID of the edge Internet of things agent, the distinguishable identification of the session and the second agent check value) with the private key of the edge Internet of things agent to produce a signature value, and at the same time packaging the signature value and the key negotiation material into a key negotiation response message and sending it to the access gateway.
Preferably, the bidirectional identity authentication between the edge Internet of things agent and the Internet of things management platform, followed by service data transmission between the edge Internet of things agent and the Internet of things management platform, includes the following steps:
the edge Internet of things agent sends an authentication application message to the Internet of things management platform;
receiving the authentication request that the Internet of things management platform sends in response to the authentication application message, and storing the random number of the Internet of things management platform carried in the authentication request;
generating a random number of the edge Internet of things agent, signing the random number of the Internet of things management platform together with the random number of the edge Internet of things agent to produce a verification message, and sending the verification message to the Internet of things management platform;
and receiving the response authentication message that the Internet of things management platform sends in response to the verification message, authenticating the identity of the Internet of things management platform on the basis of the response authentication message, and transmitting service data with the Internet of things management platform after the identity of the Internet of things management platform has been authenticated.
Based on the same inventive concept, the invention also provides an access gateway for a safety protection device, which comprises:
a verification module of the gateway and the edge Internet of things agent, where this module is in communication connection with the edge Internet of things agent for the safety protection device and is used for performing bidirectional identity authentication and key agreement with the edge Internet of things agent.
Preferably, the authentication module of the gateway and the edge internet of things agent includes:
the identity authentication submodule of the edge Internet of things agent is used for receiving a session application message sent by the edge Internet of things agent, analyzing the session application message to obtain an edge Internet of things agent equipment certificate and verifying the edge Internet of things agent equipment certificate, and extracting a signature public key of the edge Internet of things agent after verification;
the key negotiation request submodule is used for generating a random number of an access gateway, generating a key negotiation request message based on the random number of the access gateway and sending the key negotiation request message to the edge Internet of things agent;
the key negotiation confirmation submodule is used for receiving the key negotiation response message that the edge Internet of things agent sends in response to the key negotiation request message, verifying the key negotiation response message with the signature public key of the edge Internet of things agent, and extracting the key negotiation material from the key negotiation response message after verification passes; it is further used for computing a key, a first gateway check value and a second gateway check value from the random number of the access gateway and the key negotiation material, and, when the second agent check value in the key negotiation material equals the second gateway check value, generating a session confirmation message from the first gateway check value and sending it to the edge Internet of things agent.
Preferably, the key agreement request sub-module includes:
a random number generating unit, configured to generate a random number of an access gateway;
and the key negotiation request message generation unit is used for signing a key negotiation material containing the random number of the access gateway, the distinguishable identification of the session and the ID of the access gateway by adopting a private key of the access gateway, packaging the signature value and the key negotiation material into a key negotiation request message and sending the key negotiation request message to the edge Internet of things agent.
Preferably, the key agreement confirmation sub-module includes:
a gateway verification message signature value unit, used for receiving the key negotiation response message that the edge Internet of things agent sends in response to the key negotiation request message, verifying the signature value of the key negotiation response message with the signature public key of the edge Internet of things agent, and, after verification passes, obtaining the key negotiation material of the key negotiation response message, where the key negotiation material includes a second agent check value;
a gateway key generation unit, used for computing a key, a first gateway check value and a second gateway check value from the key negotiation material in the key negotiation response message (excluding the second agent check value), the random number of the access gateway, the access gateway ID, the public key of the edge Internet of things agent and the private key of the access gateway;
and a session confirmation message generating unit, used for comparing the second gateway check value with the second agent check value: if they are equal, the first gateway check value is encapsulated into a session confirmation message and sent to the edge Internet of things agent; if not, an error code is encapsulated into the session confirmation message and sent to the edge Internet of things agent.
Based on the same inventive concept, the invention also provides a safety protection method for a power distribution Internet of things, which comprises the following step:
the access gateway and the edge Internet of things proxy perform bidirectional identity authentication and key agreement.
Preferably, the bidirectional identity authentication and key agreement between the access gateway and the edge internet of things proxy includes:
the access gateway receives a session application message sent by the edge Internet of things agent, analyzes the session application message to obtain an edge Internet of things agent equipment certificate and verifies the edge Internet of things agent equipment certificate, and extracts a signature public key of the edge Internet of things agent after verification;
generating a random number of an access gateway, generating a key negotiation request message based on the random number of the access gateway, and sending the key negotiation request message to an edge Internet of things agent;
receiving a key negotiation response message sent by the edge Internet of things agent based on the key negotiation request message, verifying the key negotiation response message based on a signature public key of the edge Internet of things agent, and extracting key negotiation materials in the key negotiation response message after verification;
and computing a key, a first gateway check value and a second gateway check value from the random number of the access gateway and the key negotiation material, and, when the second agent check value in the key negotiation material equals the second gateway check value, generating a session confirmation message from the first gateway check value and sending it to the edge Internet of things agent.
Preferably, the generating a key negotiation request message based on the random number of the access gateway and sending the key negotiation request message to the edge internet of things proxy includes:
and signing the key negotiation material containing the random number of the access gateway, the distinguishable identification of the session and the ID of the access gateway by adopting a private key of the access gateway, packaging the signature value and the key negotiation material into a key negotiation request message, and sending the key negotiation request message to the edge Internet of things agent.
Preferably, computing a key, a first gateway check value and a second gateway check value from the random number of the access gateway and the key negotiation material, and, when the second agent check value in the key negotiation material equals the second gateway check value, generating a session confirmation message from the first gateway check value and sending it to the edge Internet of things agent, includes:
computing a key, a first gateway check value and a second gateway check value from the key negotiation material in the key negotiation response message (excluding the second agent check value), the random number of the access gateway, the ID of the access gateway, the public key of the edge Internet of things agent and the private key of the access gateway;
comparing the second gateway check value with the second agent check value in the key negotiation material: if they are equal, the first gateway check value is packaged into a session confirmation message and sent to the edge Internet of things agent; if not, an error code is packaged into the session confirmation message and sent to the edge Internet of things agent.
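The key agreement described above between the edge Internet of things agent and the access gateway, from the session application through the session confirmation, can be traced end to end in code. The Go program below is an added example written for this page, not code from the patent or its assignees. The patent fixes no algorithms, so the example assumes ECDSA P-256 for the identity keys (with each device certificate reduced to its bare public key, in place of certificate-chain verification), an ephemeral P-256 ECDH key pair as each side's random number, whose public point is carried as the key negotiation material, and a single SHA-512 output over both ECDH shared secrets and the transcript as the source of the key, the first check value and the second check value; all message and function names are the example's own.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
)

// Assumed primitives (the patent names none): ECDSA P-256 identity keys, an ephemeral P-256
// ECDH key pair as each side's "random number", one SHA-512 output as key plus check values.
type Party struct {
	ID                  []byte
	Static              *ecdsa.PrivateKey
	eph                 *ecdh.PrivateKey
	key, check1, check2 []byte
}
type KeyNegRequest struct{ GwEph, SessionID, GwID, Sig []byte }
type KeyNegResponse struct{ AgentEph, AgentID, SessionID, Check2, Sig []byte }

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func NewParty(id string) *Party {
	return &Party{ID: []byte(id), Static: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}

// enc length-prefixes each field so a concatenation cannot be re-split differently.
func enc(parts ...[]byte) (b []byte) {
	for _, p := range parts {
		b = append(append(b, byte(len(p)>>8), byte(len(p))), p...)
	}
	return b
}
func sign(k *ecdsa.PrivateKey, parts ...[]byte) []byte {
	h := sha256.Sum256(enc(parts...))
	return must(ecdsa.SignASN1(rand.Reader, k, h[:]))
}
func verify(pub *ecdsa.PublicKey, sig []byte, parts ...[]byte) bool {
	h := sha256.Sum256(enc(parts...))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// derive mixes the ephemeral-ephemeral and static-static ECDH secrets, both IDs and both
// ephemeral points (agent-then-gateway order on both sides) into key, check1 and check2.
func (p *Party) derive(peerStatic *ecdsa.PublicKey, peerEph, agentID, gwID, agentEph, gwEph []byte) error {
	pe, err := ecdh.P256().NewPublicKey(peerEph) // untrusted input: off-curve points are rejected
	if err != nil {
		return err
	}
	ss1 := must(p.eph.ECDH(pe))
	ss2 := must(must(p.Static.ECDH()).ECDH(must(peerStatic.ECDH())))
	out := sha512.Sum512(enc(ss1, ss2, agentID, gwID, agentEph, gwEph))
	p.key, p.check1, p.check2 = out[:32], out[32:48], out[48:]
	return nil
}

// Gateway: sign the material (gateway random number, session identifier, gateway ID).
func (gw *Party) KeyNegotiationRequest(sessionID []byte) KeyNegRequest {
	gw.eph = must(ecdh.P256().GenerateKey(rand.Reader))
	eph := gw.eph.PublicKey().Bytes()
	return KeyNegRequest{eph, sessionID, gw.ID, sign(gw.Static, eph, sessionID, gw.ID)}
}

// Agent: verify with the preset gateway public key, derive, then sign material plus second check value.
func (ag *Party) KeyNegotiationResponse(gwPub *ecdsa.PublicKey, r KeyNegRequest) (KeyNegResponse, error) {
	if !verify(gwPub, r.Sig, r.GwEph, r.SessionID, r.GwID) {
		return KeyNegResponse{}, fmt.Errorf("access gateway identity authentication failed")
	}
	ag.eph = must(ecdh.P256().GenerateKey(rand.Reader))
	eph := ag.eph.PublicKey().Bytes()
	if err := ag.derive(gwPub, r.GwEph, ag.ID, r.GwID, eph, r.GwEph); err != nil {
		return KeyNegResponse{}, err
	}
	return KeyNegResponse{eph, ag.ID, r.SessionID, ag.check2, sign(ag.Static, eph, ag.ID, r.SessionID, ag.check2)}, nil
}

// Gateway: verify with the agent's signature public key, recompute, and release the first gateway
// check value only if the second check values agree; nil stands for the patent's error code.
func (gw *Party) SessionConfirmation(agentPub *ecdsa.PublicKey, sessionID []byte, r KeyNegResponse) []byte {
	if string(r.SessionID) != string(sessionID) || !verify(agentPub, r.Sig, r.AgentEph, r.AgentID, r.SessionID, r.Check2) ||
		gw.derive(agentPub, r.AgentEph, r.AgentID, gw.ID, r.AgentEph, gw.eph.PublicKey().Bytes()) != nil ||
		!hmac.Equal(gw.check2, r.Check2) {
		return nil
	}
	return gw.check1
}

// RunHandshake drives the exchange; the agent takes the key as session key only when the
// first gateway check value equals its own first check value, and an error code (nil) fails it.
func RunHandshake(agent, gw *Party) ([]byte, []byte, error) {
	sessionID := []byte("session-0001") // constructed sample identifier
	resp, err := agent.KeyNegotiationResponse(&gw.Static.PublicKey, gw.KeyNegotiationRequest(sessionID))
	if err != nil {
		return nil, nil, err
	}
	if c := gw.SessionConfirmation(&agent.Static.PublicKey, sessionID, resp); c == nil || !hmac.Equal(c, agent.check1) {
		return nil, nil, fmt.Errorf("key agreement with access gateway failed")
	}
	return agent.key, gw.key, nil
}

func main() {
	ka, kg, err := RunHandshake(NewParty("edge-agent-0001"), NewParty("access-gw-01"))
	fmt.Println("keys match:", err == nil && string(ka) == string(kg)) // keys match: true
}
```

The ordering follows the session confirmation step of the text: the gateway discloses its first check value only after the agent's second check value matched, and the agent releases the key only after the gateway's first check value matched its own. `hmac.Equal` keeps those comparisons constant-time, a malformed peer point is rejected by `NewPublicKey` before any shared secret is computed, and the session identifier signed by the gateway and echoed by the agent binds each response to the request it answers.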
Based on the same inventive concept, the invention also provides an Internet of things management platform for a safety protection device, which comprises a verification module of the platform and the edge Internet of things agent;
the verification module of the platform and the edge Internet of things agent is in communication connection with the edge Internet of things agent for the safety protection device;
and the verification module of the platform and the edge Internet of things agent is used for performing bidirectional identity authentication with the edge Internet of things agent, and for performing service data transmission with the edge Internet of things agent after the authentication has passed.
Preferably, the verification module of the platform and the edge internet of things agent includes:
an authentication request initiating unit, used for receiving the authentication application message sent by the edge Internet of things agent, generating a random number of the Internet of things management platform, packaging that random number into an authentication request and sending the authentication request to the edge Internet of things agent;
and an authentication request response unit, used for receiving the verification message that the edge Internet of things agent sends in response to the authentication request, verifying the verification message with the edge Internet of things agent certificate, and, after verification passes, producing a response authentication message by signing the random number sent by the edge Internet of things agent and sending the response authentication message to the edge Internet of things agent.
Based on the same inventive concept, the invention also provides a safety protection method for a power distribution Internet of things, which comprises the following step:
and the Internet of things management platform and the edge Internet of things agent perform bidirectional identity authentication, and after the authentication is passed, the Internet of things management platform and the edge Internet of things agent perform service data transmission.
Preferably, the bidirectional identity authentication between the Internet of things management platform and the edge Internet of things agent, followed by service data transmission between the Internet of things management platform and the edge Internet of things agent after the authentication has passed, includes:
the Internet of things management platform receives the authentication application message sent by the edge Internet of things agent and generates a random number of the Internet of things management platform;
packaging the random number of the Internet of things management platform into an authentication request and sending the authentication request to the edge Internet of things agent;
and receiving the verification message that the edge Internet of things agent sends in response to the authentication request, verifying the verification message with the edge Internet of things agent certificate, and, after verification passes, producing a response authentication message for the edge Internet of things agent by signing the random number sent by the edge Internet of things agent.
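The mutual authentication between the edge Internet of things agent and the Internet of things management platform, described from the agent side earlier and from the platform side just above, is a two-random-number challenge-response. The Go program below is an added example for this page, not code from the patent or its assignees. It assumes ECDSA P-256 identity keys with each certificate reduced to its public key, 32-byte random numbers, and a per-agent record of outstanding challenges on the platform, none of which the patent specifies; the `Platform.Agents` map stands in for verifying the edge Internet of things agent certificate, and all names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assumed primitives (the patent names none): ECDSA P-256 identity keys, each "certificate"
// reduced to its public key, and 32-byte random numbers as the challenges.
type AuthRequest struct{ PlatformNonce []byte }
type VerifyMessage struct{ AgentID, PlatformNonce, AgentNonce, Sig []byte }
type ResponseAuth struct{ AgentNonce, Sig []byte }
type Platform struct {
	Key     *ecdsa.PrivateKey
	Agents  map[string]*ecdsa.PublicKey // stands in for agent certificate verification
	pending map[string][]byte           // outstanding platform random number per agent ID
}
type Agent struct {
	ID                 string
	Key                *ecdsa.PrivateKey
	PlatformPub        *ecdsa.PublicKey
	platNonce, myNonce []byte
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func nonce() []byte {
	b := make([]byte, 32)
	must(rand.Read(b))
	return b
}

// digest hashes hex-encoded fields joined by '|' (unambiguous) under a role tag.
func digest(tag string, a, b []byte) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%x|%x", tag, a, b)))
	return h[:]
}
func sign(k *ecdsa.PrivateKey, tag string, a, b []byte) []byte {
	return must(ecdsa.SignASN1(rand.Reader, k, digest(tag, a, b)))
}
func verify(pub *ecdsa.PublicKey, sig []byte, tag string, a, b []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(tag, a, b), sig)
}

// Platform: answer the authentication application with a fresh random number, remembered per agent.
func (p *Platform) AuthRequest(agentID string) AuthRequest {
	p.pending[agentID] = nonce()
	return AuthRequest{p.pending[agentID]}
}

// Agent: store the platform's random number, generate its own, and sign both.
func (a *Agent) VerifyMessage(req AuthRequest) VerifyMessage {
	a.platNonce, a.myNonce = req.PlatformNonce, nonce()
	return VerifyMessage{[]byte(a.ID), a.platNonce, a.myNonce, sign(a.Key, "agent", a.platNonce, a.myNonce)}
}

// Platform: check the signature with the agent's certificate (public key) and that the signed
// platform random number is the one it issued, then sign the agent's random number.
func (p *Platform) ResponseAuth(m VerifyMessage) (ResponseAuth, error) {
	id := string(m.AgentID)
	pub, known := p.Agents[id]
	issued, outstanding := p.pending[id]
	delete(p.pending, id) // a challenge is usable once, so a replayed message fails below
	if !known || !outstanding || string(issued) != string(m.PlatformNonce) {
		return ResponseAuth{}, fmt.Errorf("unknown agent or stale challenge for %q", id)
	}
	if !verify(pub, m.Sig, "agent", m.PlatformNonce, m.AgentNonce) {
		return ResponseAuth{}, fmt.Errorf("agent signature verification failed")
	}
	return ResponseAuth{m.AgentNonce, sign(p.Key, "platform", m.AgentNonce, m.AgentID)}, nil
}

// Agent: authenticate the platform before any service data is sent.
func (a *Agent) PlatformAuthenticated(r ResponseAuth) bool {
	return string(r.AgentNonce) == string(a.myNonce) && verify(a.PlatformPub, r.Sig, "platform", a.myNonce, []byte(a.ID))
}

func NewPair(agentID string) (*Agent, *Platform) {
	pk, ak := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	a := &Agent{ID: agentID, Key: ak, PlatformPub: &pk.PublicKey}
	return a, &Platform{pk, map[string]*ecdsa.PublicKey{agentID: &ak.PublicKey}, map[string][]byte{}}
}

func RunMutualAuth(a *Agent, p *Platform) (bool, error) {
	resp, err := p.ResponseAuth(a.VerifyMessage(p.AuthRequest(a.ID)))
	if err != nil {
		return false, err
	}
	return a.PlatformAuthenticated(resp), nil
}

func main() {
	ok, err := RunMutualAuth(NewPair("edge-agent-0001"))
	fmt.Println(ok, err) // true <nil>
}
```

Deleting the outstanding challenge as soon as it is consumed means a captured verification message cannot be replayed, and binding the platform's signature to both the agent's random number and its ID means a response recorded from one session cannot satisfy another agent's.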
The technical scheme provided by the invention has the following beneficial effects:
the invention provides an edge internet of things agent for a safety protection device, which is in communication connection with an access gateway and an internet of things management platform for the safety protection device respectively, wherein a first verification module in the edge internet of things agent is used for performing bidirectional identity authentication and key agreement with the access gateway; risks such as counterfeiting the access of the edge Internet of things agent and leakage when the edge Internet of things agent interacts data with the access gateway are effectively avoided; meanwhile, a second verification module in the edge Internet of things agent is used for performing bidirectional identity authentication with the Internet of things management platform after the bidirectional identity authentication and the key agreement with the access gateway are successful, and performing service data transmission with the Internet of things management platform after the bidirectional identity authentication and the key agreement are passed, so that the safe access of a large number of edge Internet of things agents to the Internet of things management platform is ensured, the data safety is ensured when the service data interaction is performed with the Internet of things management platform, and the safe and stable operation of the power distribution Internet of things is ensured.
The access gateway for the safety protection device provided by the invention includes a gateway/edge Internet of things agent verification module, which is in communication connection with the edge Internet of things agent for the safety protection device and performs bidirectional identity authentication and key agreement with it. This allows a large number of edge Internet of things agents to be managed, prevents forged edge Internet of things agent access, and improves the security of the data exchanged between the gateway and the edge Internet of things agent.
The Internet of things management platform for the safety protection device provided by the invention includes a platform/edge Internet of things agent verification module, which is in communication connection with the edge Internet of things agent for the safety protection device, performs bidirectional identity authentication with the edge Internet of things agent, and performs service data transmission with it after the authentication passes. This secures the service data exchanged between the Internet of things management platform and the edge Internet of things agent and guarantees the safe and stable operation of the power distribution Internet of things.
Drawings
Fig. 1 is a schematic diagram of a power distribution Internet of things architecture in the prior art;
Fig. 2 is a schematic diagram of an edge Internet of things agent for a safety protection device according to the present invention;
Fig. 3 is a schematic diagram of the first verification module of the present invention;
Fig. 4 is a schematic diagram of an access gateway for a safety protection device according to the present invention;
Fig. 5 is a schematic diagram of the gateway/edge Internet of things agent verification module according to the present invention;
Fig. 6 is a schematic diagram of the key agreement confirmation submodule according to the present invention;
Fig. 7 is a schematic diagram of an Internet of things management platform for a safety protection device according to the present invention;
Fig. 8 is a schematic diagram of the platform/edge Internet of things agent verification module according to the present invention;
Fig. 9 is a schematic diagram of an edge Internet of things agent securely accessing an Internet of things management platform according to the present invention;
Fig. 10 is a flowchart of authentication and key agreement between an edge Internet of things agent and an access gateway according to the present invention;
Fig. 11 is a flowchart of authentication between the edge Internet of things agent and the Internet of things management platform according to the present invention.
Detailed Description
For a better understanding of the present invention, reference is made to the following description taken in conjunction with the accompanying drawings and examples.
Example 1: As shown in Fig. 2, the present invention provides an edge Internet of things agent for a safety protection device, which is in communication connection with an access gateway and with an Internet of things management platform for the safety protection device, and which includes a first verification module and a second verification module;
the first verification module is used for performing bidirectional identity authentication and key agreement with the access gateway;
and the second verification module is used for performing bidirectional identity authentication with the Internet of things management platform after the bidirectional identity authentication and key agreement with the access gateway have succeeded, and for performing service data transmission with the Internet of things management platform after that authentication passes.
The invention effectively avoids the risks of forged edge Internet of things agent access and of data leakage when the edge Internet of things agent exchanges data with the access gateway; it ensures the secure access of a large number of edge Internet of things agents to the Internet of things management platform, the security of the service data the agents exchange with the Internet of things management platform, and the safe and stable operation of the power distribution Internet of things.
In an embodiment, the first verification module shown in fig. 3 includes:
the session application submodule is used for encapsulating the edge Internet of things agent device certificate into a session application message and sending the session application message to the access gateway;
the gateway identity authentication submodule is used for receiving a key negotiation request message sent by the access gateway based on the session application message, verifying the key negotiation request message based on the public key in a preset access gateway certificate, calling the key negotiation response submodule when the verification passes, and otherwise returning an access gateway identity authentication failure to the access gateway;
the key negotiation response submodule is used for generating a random number of the edge Internet of things agent, computing a key, a first agent check value and a second agent check value from the key negotiation request message and the random number of the edge Internet of things agent, and encapsulating key negotiation material containing the random number of the edge Internet of things agent and the second agent check value into a key negotiation response message to be sent to the access gateway;
the session confirmation submodule is used for receiving a session confirmation message sent by the access gateway based on the key negotiation response message, parsing the session confirmation message and extracting a verification code; when the verification code indicates an error, the negotiation with the access gateway has failed; when the verification code is correct, the first gateway check value in the verification code is compared with the first agent check value, and if they are the same the current key is used as the session key for ciphertext transmission, otherwise the key negotiation fails.
Wherein, the key negotiation response submodule includes:
a key agreement material obtaining unit, configured to obtain a key agreement material from the key agreement request message;
the edge Internet of things agent key generation unit is used for generating a random number of the edge Internet of things agent, and for computing a key, a first agent check value and a second agent check value from the key negotiation material in the key negotiation request message based on the random number of the edge Internet of things agent, the edge Internet of things agent ID, the private key of the edge Internet of things agent and the public key of the access gateway;
and the edge Internet of things agent signing and packaging unit is used for signing the key negotiation material containing the random number generated by the edge Internet of things agent, the ID of the edge Internet of things agent, the distinguishable identification of the session and the second agent check value by adopting a private key of the edge Internet of things agent to generate a signature value, and packaging the signature value and the key negotiation material into a key negotiation response message to be sent to the access gateway.
The second verification module in this embodiment includes:
the authentication application message sending unit is used for sending an authentication application message to the Internet of things management platform;
the confirmation and authentication initiation unit is used for receiving an authentication request sent by the Internet of things management platform based on the authentication application message and storing the random number of the Internet of things management platform carried in the authentication request; it is further used for generating a random number of the edge Internet of things agent, signing the random number of the Internet of things management platform and the random number of the edge Internet of things agent to generate a verification message, and sending the verification message to the Internet of things management platform;
and the authentication result returning unit is used for receiving a response authentication message sent by the Internet of things management platform based on the verification message, authenticating the identity of the Internet of things management platform based on the response authentication message, and transmitting service data with the Internet of things management platform after the identity of the Internet of things management platform passes the authentication.
Based on the same invention concept, the invention also provides a safety protection method of the power distribution internet of things, which comprises the following steps:
bidirectional identity authentication and key agreement are carried out between the edge Internet of things agent and the access gateway;
and after the bidirectional identity authentication and key agreement between the edge Internet of things agent and the access gateway are successful, the edge Internet of things agent and the Internet of things management platform perform bidirectional identity authentication, and after the bidirectional identity authentication and key agreement are successful, the edge Internet of things agent and the Internet of things management platform perform service data transmission.
The bidirectional identity authentication and key agreement between the edge Internet of things agent and the access gateway comprise the following steps:
the edge Internet of things agent encapsulates its device certificate into a session application message and sends the session application message to the access gateway;
the edge Internet of things agent receives a key negotiation request message sent by the access gateway based on the session application message, verifies the key negotiation request message based on the public key in a preset access gateway certificate, and returns an access gateway identity authentication failure to the access gateway when the verification fails; otherwise it performs the following:
generating a random number of the edge Internet of things agent, computing a key, a first agent check value and a second agent check value from the key negotiation request message and the random number of the edge Internet of things agent, and encapsulating key negotiation material containing the random number of the edge Internet of things agent and the second agent check value into a key negotiation response message to be sent to the access gateway;
the edge Internet of things agent receives a session confirmation message sent by the access gateway based on the key negotiation response message, parses the session confirmation message and extracts a verification code; when the verification code indicates an error, the negotiation with the access gateway has failed; when the verification code is correct, the first gateway check value in the verification code is compared with the first agent check value, and if they are the same the current key is used as the session key for ciphertext transmission, otherwise the key negotiation fails.
The generating a random number of the edge internet of things agent, calculating the key negotiation request message and the random number of the edge internet of things agent to obtain a key, a first agent check value and a second agent check value, and encapsulating the random number of the edge internet of things agent and the second agent check value into a key negotiation response message to be sent to an access gateway includes:
acquiring a key negotiation material from the key negotiation request message;
generating a random number of the edge Internet of things agent, and calculating based on the random number of the edge Internet of things agent, an ID (identity) of the edge Internet of things agent, a private key of the edge Internet of things agent and a public key of an access gateway and a key negotiation material in the key negotiation request message to obtain a key, a first agent check value and a second agent check value;
and signing the key negotiation material containing the random number generated by the edge Internet of things agent, the ID of the edge Internet of things agent, the distinguishable identification of the session and the second agent check value by adopting a private key of the edge Internet of things agent to generate a signature value, and meanwhile, packaging the signature value and the key negotiation material into a key negotiation response message and sending the message to the access gateway.
The bidirectional identity authentication between the edge Internet of things agent and the Internet of things management platform, followed by service data transmission between them after the authentication passes, comprises the following steps:
the edge Internet of things agent sends an authentication application message to the Internet of things management platform;
receiving an authentication request sent by the Internet of things management platform based on the authentication application message, and storing a random number of the Internet of things management platform in the authentication request;
generating a random number of the edge Internet of things agent, signing the random number of the Internet of things management platform and the random number of the edge Internet of things agent to generate a verification message, and sending the verification message to the Internet of things management platform;
and receiving a response authentication message sent by the Internet of things management platform based on the verification message, authenticating the identity of the Internet of things management platform based on the response authentication message, and transmitting service data with the Internet of things management platform after its identity passes the authentication.
Example 2: as shown in fig. 4, the present invention further provides an access gateway, where the access gateway is used for a security protection device, and includes:
a gateway/edge Internet of things agent verification module, which is in communication connection with the edge Internet of things agent for the safety protection device and is used for performing bidirectional identity authentication and key agreement with the edge Internet of things agent.
As shown in fig. 5, the verification module for the gateway and the edge internet of things agent in this embodiment includes:
the edge Internet of things agent identity authentication submodule is used for receiving a session application message sent by the edge Internet of things agent, parsing the session application message to obtain the edge Internet of things agent device certificate, verifying that certificate, and extracting the signature public key of the edge Internet of things agent after the verification passes;
the key negotiation request submodule is used for generating a random number of an access gateway, generating a key negotiation request message based on the random number of the access gateway and sending the key negotiation request message to the edge Internet of things agent;
the key negotiation confirmation submodule is used for receiving a key negotiation response message sent by the edge Internet of things agent based on the key negotiation request message, verifying the key negotiation response message based on the signature public key of the edge Internet of things agent, and extracting the key negotiation material from the key negotiation response message after the verification passes; it is further used for computing a key, a first gateway check value and a second gateway check value from the random number of the access gateway and the key negotiation material, and, when the second agent check value in the key negotiation material is consistent with the second gateway check value, generating a session confirmation message from the first gateway check value and sending it to the edge Internet of things agent.
The key agreement request submodule includes:
a random number generating unit, configured to generate a random number of an access gateway;
and the key negotiation request message generation unit is used for signing a key negotiation material containing the random number of the access gateway, the distinguishable identification of the session and the ID of the access gateway by adopting a private key of the access gateway, packaging the signature value and the key negotiation material into a key negotiation request message and sending the key negotiation request message to the edge Internet of things agent.
As shown in fig. 6, the key agreement confirmation sub-module includes:
a gateway verification message signature value unit, configured to receive a key agreement response message sent by an edge internet of things agent based on the key agreement request message, verify a signature value of the key agreement response message based on a signature public key of the edge internet of things agent, and obtain a key agreement material of the key agreement response message after verification is passed, where the key agreement material includes a second agent check value;
a gateway key generation unit, configured to compute a key, a first gateway check value and a second gateway check value from the key negotiation material in the key negotiation response message other than the second agent check value, together with the random number of the access gateway, the access gateway ID, the public key of the edge Internet of things agent and the private key of the access gateway;
a session confirmation message generating unit, configured to compare the second gateway check value with the second agent check value, and if the second gateway check value is equal to the second agent check value, encapsulate the first gateway check value into a session confirmation message and send the session confirmation message to the edge internet of things agent; if not, the error code is encapsulated into a session confirmation message and the session confirmation message is sent to the edge Internet of things agent.
Based on the same invention concept, the invention also provides a safety protection method of the power distribution internet of things, which comprises the following steps:
the access gateway and the edge Internet of things proxy perform bidirectional identity authentication and key agreement.
In an embodiment, the bidirectional identity authentication and key agreement between the access gateway and the edge internet of things proxy includes:
the access gateway receives a session application message sent by the edge Internet of things agent, parses the session application message to obtain the edge Internet of things agent device certificate, verifies that certificate, and extracts the signature public key of the edge Internet of things agent after the verification passes;
generating a random number of an access gateway, generating a key negotiation request message based on the random number of the access gateway, and sending the key negotiation request message to an edge Internet of things agent;
receiving a key negotiation response message sent by the edge Internet of things agent based on the key negotiation request message, verifying the key negotiation response message based on a signature public key of the edge Internet of things agent, and extracting key negotiation materials in the key negotiation response message after verification;
and computing a key, a first gateway check value and a second gateway check value from the random number of the access gateway and the key negotiation material, and, when the second agent check value in the key negotiation material is consistent with the second gateway check value, generating a session confirmation message from the first gateway check value and sending it to the edge Internet of things agent.
In an embodiment, the generating a key agreement request message based on the random number of the access gateway and sending the key agreement request message to the edge internet of things proxy includes:
and signing a key negotiation material containing the random number of the access gateway, the distinguishable identification of the session and the ID of the access gateway by adopting a private key of the access gateway, packaging the signature value and the key negotiation material into a key negotiation request message, and sending the key negotiation request message to the edge Internet of things agent.
In an embodiment, computing a key, a first gateway check value and a second gateway check value from the random number of the access gateway and the key negotiation material, and, when the second agent check value in the key negotiation material is consistent with the second gateway check value, generating a session confirmation message from the first gateway check value and sending it to the edge Internet of things agent, includes:
computing a key, a first gateway check value and a second gateway check value from the key negotiation material in the key negotiation response message other than the second agent check value, together with the random number of the access gateway, the ID of the access gateway, the public key of the edge Internet of things agent and the private key of the access gateway;
comparing the second gateway check value with a second agent check value in the key negotiation material, and if the second gateway check value and the second agent check value are equal, packaging the first gateway check value into a session confirmation message and sending the session confirmation message to the edge Internet of things agent; if not, the error code is encapsulated into a session confirmation message and the session confirmation message is sent to the edge Internet of things agent.
Example 3: as shown in fig. 7, the present invention further provides an internet of things management platform for a safety protection device, including: the platform and the verification module of the edge Internet of things agent;
the platform is in communication connection with a verification module of the edge Internet of things agent and the edge Internet of things agent for the safety protection device;
and the platform and the verification module of the edge Internet of things agent are used for performing bidirectional identity authentication with the edge Internet of things agent, and performing service data transmission with the edge Internet of things agent after the authentication is passed.
As shown in fig. 8, the verification module of the platform and the edge internet of things agent includes:
an authentication request initiating unit, used for receiving an authentication application message sent by the edge Internet of things agent, generating a random number of the Internet of things management platform, encapsulating the random number of the Internet of things management platform into an authentication request, and sending the authentication request to the edge Internet of things agent;
and the authentication request response unit is used for receiving a verification message sent by the edge Internet of things agent based on the authentication request, verifying the verification message by using an edge Internet of things agent certificate, generating a response authentication message by signing a random number sent by the edge Internet of things agent after verification, and sending the response authentication message to the edge Internet of things agent.
Based on the same invention concept, the invention also provides a safety protection method of the power distribution internet of things, which comprises the following steps:
and the Internet of things management platform and the edge Internet of things agent perform bidirectional identity authentication, and after the authentication is passed, the Internet of things management platform and the edge Internet of things agent perform service data transmission.
In an embodiment, the bidirectional identity authentication between the Internet of things management platform and the edge Internet of things agent, followed by service data transmission between them after the authentication passes, includes:
the method comprises the steps that an Internet of things management platform receives an authentication application message sent by an edge Internet of things agent and generates a random number of the Internet of things management platform;
encapsulating the random number of the Internet of things management platform into an authentication request, and sending the authentication request to an edge Internet of things agent;
and receiving a verification message sent by the edge Internet of things agent based on the authentication request, verifying the verification message by using an edge Internet of things agent certificate, generating a response authentication message by signing a random number sent by the edge Internet of things agent after verification, and sending the response authentication message to the edge Internet of things agent.
Example 4: As shown in Fig. 9, when accessing the Internet of things management platform, the edge Internet of things agent first goes through an access gateway (hereinafter referred to as "gateway"), completing mutual identity authentication and session key negotiation with the gateway, and only then can it access the Internet of things management platform. The invention checks the legitimacy of the identity of the edge Internet of things agent accessing the Internet of things management platform and generates, by negotiation, the session key that protects the service interaction data, thereby ensuring the access security of the edge Internet of things agent.
(1) Identity authentication and key agreement of edge internet of things proxy and gateway
In the key negotiation process between the edge Internet of things agent and the gateway, the access authentication of the edge Internet of things agent and the gateway is completed at the same time, in the following way: a gateway certificate is preset in the edge Internet of things agent at factory initialisation; the edge Internet of things agent certificate is sent to the gateway, and the gateway determines the legitimacy of the edge Internet of things agent by verifying that certificate; the edge Internet of things agent uses the preset gateway certificate to verify, with the SM2 signature algorithm, the signature value of the negotiation message sent by the gateway, and thereby determines the legitimacy of the gateway. This completes the bidirectional identity authentication of the gateway and the edge Internet of things agent.
Key negotiation material such as device IDs, random numbers and signature values is exchanged between the edge Internet of things agent and the gateway and is protected by signatures generated with the SM2 signature algorithm. The key negotiation between the edge Internet of things agent and the gateway proceeds through the session application, key negotiation request, key negotiation response and session confirmation steps, and the negotiated key is used for the encryption and decryption of the data exchanged between the edge Internet of things agent and the gateway.
(2) Identity authentication of edge Internet of things agent and Internet of things management platform
After the edge Internet of things agent and the gateway have completed identity authentication and key agreement, bidirectional identity authentication between the edge Internet of things agent and the Internet of things management platform is required before service data is exchanged with the Internet of things management platform. After a network connection is established between the Internet of things management platform and the edge Internet of things agent, the edge Internet of things agent sends an authentication application message to the Internet of things management platform; the Internet of things management platform generates a random number R1 and sends it to the edge Internet of things agent; the edge Internet of things agent takes a random number R2 from its security chip, signs the random numbers R1+R2 and sends the signed result to the Internet of things management platform. The Internet of things management platform verifies the validity of the signature with the edge Internet of things agent certificate; once the verification passes, the identity authentication of the edge Internet of things agent by the Internet of things management platform is complete. The Internet of things management platform then signs the random number R2 of the edge Internet of things agent and sends the signature result to the edge Internet of things agent; the edge Internet of things agent verifies the correctness of the Internet of things management platform's signature, and once the verification passes, the identity authentication of the Internet of things management platform by the edge Internet of things agent is complete.
Before service data is exchanged between the edge Internet of things agent and the Internet of things management platform, identity authentication based on digital certificates is used to achieve bidirectional identity authentication between the Internet of things management platform and the edge Internet of things agent, while the firewall and the data isolation component provide corresponding access control measures. This effectively prevents forged edge Internet of things agent access from threatening the operational security of the power distribution Internet of things system.
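The R1/R2 challenge-response just described, as an added example that is not part of the patent; ECDSA P-256 stands in for the SM2 signature, each certificate is reduced to a preset public key, and the names `Endpoint`, `NewEndpoints`, `AuthRequest`, `VerificationMessage`, `ResponseAuth` and `VerifyPlatform` are mine.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Endpoint is the Internet of things management platform or the edge IoT agent.
// Assumptions of this example: ECDSA P-256 stands in for the SM2 signature, the
// peer certificate is a preset public key, and R1/R2 are 16-byte random values.
type Endpoint struct {
	ident   *ecdsa.PrivateKey // identity (certificate) key
	peerPub *ecdsa.PublicKey  // preset peer certificate public key
	r1      []byte            // platform: R1 of the current authentication
	r2      []byte            // agent: R2 of the current authentication
}

// NewEndpoints creates a platform and an agent holding each other's certificate key.
func NewEndpoints() (platform, agent *Endpoint, err error) {
	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Endpoint{ident: pk, peerPub: &ak.PublicKey}, &Endpoint{ident: ak, peerPub: &pk.PublicKey}, nil
}

func nonce() []byte {
	b := make([]byte, 16)
	rand.Read(b)
	return b
}

// hashAll concatenates fixed-length random numbers, so the split is unambiguous.
func hashAll(parts ...[]byte) []byte {
	sum := sha256.Sum256(bytes.Join(parts, nil))
	return sum[:]
}

// Platform: on receiving the authentication application, generate R1 and send it
// as the authentication request.
func (p *Endpoint) AuthRequest() []byte {
	p.r1 = nonce()
	return p.r1
}

// Agent: draw R2 (from the security chip in the text), sign R1+R2 and send R2
// with the signature as the verification message.
func (a *Endpoint) VerificationMessage(r1 []byte) (r2, sig []byte, err error) {
	a.r2 = nonce()
	sig, err = ecdsa.SignASN1(rand.Reader, a.ident, hashAll(r1, a.r2))
	return a.r2, sig, err
}

// Platform: verify the signature over its own R1 and the received R2 with the
// agent certificate, then sign R2 as the response authentication message.
func (p *Endpoint) ResponseAuth(r2, sig []byte) ([]byte, error) {
	if p.r1 == nil || !ecdsa.VerifyASN1(p.peerPub, hashAll(p.r1, r2), sig) {
		return nil, errors.New("edge Internet of things agent identity authentication failed")
	}
	p.r1 = nil // R1 is single-use, so a captured verification message cannot be replayed
	return ecdsa.SignASN1(rand.Reader, p.ident, hashAll(r2))
}

// Agent: verify the platform signature over its own R2 with the platform certificate.
func (a *Endpoint) VerifyPlatform(sig []byte) error {
	if a.r2 == nil || !ecdsa.VerifyASN1(a.peerPub, hashAll(a.r2), sig) {
		return errors.New("Internet of things management platform identity authentication failed")
	}
	a.r2 = nil
	return nil
}
```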
This embodiment describes the secure access method of the edge Internet of things agent in detail with reference to the drawings:
(1) As shown in fig. 10, the process of identity authentication and key agreement between the edge internet of things proxy and the gateway includes:
1) Session application
After the edge Internet of things agent has established a TCP connection with the gateway, it sends a 'session application' message to the gateway; the message contains the certificate information of the edge Internet of things agent.
2) Key agreement request
After receiving the 'session application' message, the gateway first parses the message to obtain the identity certificate of the edge Internet of things agent, verifies the validity of the certificate, and extracts the signature public key of the edge Internet of things agent after the verification succeeds.
It then generates a random number Ra, takes the random number Ra, a session distinguishable identifier Se and related data as the key negotiation material, signs the key negotiation material with the gateway identity key to generate signature data, and encapsulates the signature data and the material into a 'key negotiation request' message that is sent to the edge Internet of things agent.
3) Key agreement response
After receiving the 'key negotiation request' message, the edge internet of things agent firstly verifies the signature value of the negotiation message by using a preset gateway certificate, and then acquires information such as a random number Ra generated by the gateway and a session distinguishable identifier Se.
Then the edge internet of things agent generates a random number Rb, and keys and check values Sb2 and Sb3 are calculated together with Ra, se, gateway ID, edge internet of things agent ID, gateway public key, edge internet of things agent private key and the like.
And finally, signing Rb, se, the ID of the edge Internet of things agent and Sb3 together by using the identity key of the edge Internet of things agent to generate signature data. And encapsulating the information into a 'key negotiation response' message and sending the message to the gateway.
4) Session confirmation
After receiving the 'key negotiation response' message, the gateway firstly verifies the signature value, and acquires Rb, se, the edge Internet of things agent ID and Sb3 after the verification is passed.
Then calculating key and check values Sa2 and Sa3 together with the gateway random numbers Ra and Se, the gateway ID, the edge Internet of things agent public key and the gateway private key;
comparing the generated Sa3 with Sb3 in the response message;
if the Sa2 is equal to the edge Internet of things agent, the Sa2 is encapsulated into a 'session confirmation' message and sent to the edge Internet of things agent;
if not, the error code is encapsulated into a 'session confirmation' message and sent to the edge Internet of things agent.
5) Edge internet of things proxy authentication
After receiving the 'session confirmation' message, the edge Internet of things agent firstly identifies an authentication result according to the error code, and if the error code is not 0, the gateway verification is failed; if the error code is 0, the obtained Sa2 is compared with the Sb2 of the edge Internet of things agent, and if the obtained Sa2 is consistent with the Sb2 of the edge Internet of things agent, the negotiation is completed.
And the identity authentication and key agreement process of the edge Internet of things agent and the gateway is completed.
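The five-step exchange above, written out as an added example in Go; this is not code from the patent or its assignees. It assumes ECDSA P-256 with SHA-256 for the identity keys and signatures and 32-byte random numbers, since the patent does not name the algorithms of the security chip. The key and check values are computed from a static ECDH secret (each side's own private key combined with the peer's public key) mixed with Ra, Rb, Se and both IDs through HMAC-SHA256, which is one concrete reading of the material listed in steps 3) and 4). The `trusted` map stands in for certificate-chain validation in step 2), and all type and function names are the example's own; call the four handlers in the order of the steps.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Party is one endpoint (edge IoT agent or access gateway): identity key pair, trusted
// peer key and per-session state. Assumed: ECDSA P-256/SHA-256 and 32-byte nonces.
type Party struct {
	ID                      []byte
	priv                    *ecdsa.PrivateKey
	Pub, Peer               *ecdsa.PublicKey // Peer: preset gateway cert (agent) / verified agent cert (gateway)
	ra, rb, se, key, c2, c3 []byte           // Ra, Rb, Se, negotiated key, check values 2 and 3
}

type SessionApplication struct{ ID []byte; Pub *ecdsa.PublicKey } // step 1: agent certificate
type KeyNegRequest struct{ Ra, Se, GwID, Sig []byte }             // step 2: signed by the gateway
type KeyNegResponse struct{ Rb, Se, AgID, Sb3, Sig []byte }       // step 3: signed by the agent
type SessionConfirm struct{ Err int; Sa2 []byte }                 // step 4: Err 0 means Sa3 == Sb3

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func NewParty(id string) *Party {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return &Party{ID: []byte(id), priv: k, Pub: &k.PublicKey}
}

func nonce() []byte { b := make([]byte, 32); must(rand.Read(b)); return b }
func tag(key []byte, label string) []byte { h := hmac.New(sha256.New, key); h.Write([]byte(label)); return h.Sum(nil) }

func (p *Party) sign(parts ...[]byte) []byte {
	h := sha256.Sum256(bytes.Join(parts, nil))
	return must(ecdsa.SignASN1(rand.Reader, p.priv, h[:]))
}

func verify(pub *ecdsa.PublicKey, sig []byte, parts ...[]byte) bool {
	h := sha256.Sum256(bytes.Join(parts, nil))
	return pub != nil && ecdsa.VerifyASN1(pub, h[:], sig)
}

// derive mixes a static ECDH secret (own private key x peer public key) with Ra, Rb, Se and
// both IDs through HMAC-SHA256, then expands it into the key and check values 2 and 3.
func (p *Party) derive(gwID, agID []byte) {
	x, _ := elliptic.P256().ScalarMult(p.Peer.X, p.Peer.Y, p.priv.D.Bytes())
	m := hmac.New(sha256.New, x.Bytes())
	m.Write(bytes.Join([][]byte{p.ra, p.rb, p.se, gwID, agID}, nil))
	base := m.Sum(nil)
	p.key, p.c2, p.c3 = tag(base, "key"), tag(base, "check2"), tag(base, "check3")
}

// Steps 1-2, gateway: the trusted map stands in for certificate-chain validation.
func (gw *Party) OnSessionApplication(app SessionApplication, trusted map[string]*ecdsa.PublicKey) (KeyNegRequest, error) {
	pub, ok := trusted[string(app.ID)]
	if !ok || !pub.Equal(app.Pub) {
		return KeyNegRequest{}, errors.New("agent certificate rejected")
	}
	gw.Peer, gw.ra, gw.se = pub, nonce(), nonce()
	return KeyNegRequest{gw.ra, gw.se, gw.ID, gw.sign(gw.ra, gw.se, gw.ID)}, nil
}

// Step 3, agent: verify with the preset gateway key, pick Rb, derive, sign Rb, Se, ID, Sb3.
func (ag *Party) OnKeyNegRequest(req KeyNegRequest) (KeyNegResponse, error) {
	if !verify(ag.Peer, req.Sig, req.Ra, req.Se, req.GwID) {
		return KeyNegResponse{}, errors.New("gateway signature invalid")
	}
	ag.ra, ag.se, ag.rb = req.Ra, req.Se, nonce()
	ag.derive(req.GwID, ag.ID)
	return KeyNegResponse{ag.rb, ag.se, ag.ID, ag.c3, ag.sign(ag.rb, ag.se, ag.ID, ag.c3)}, nil
}

// Step 4, gateway: signature and Se must match this session; Sa3 vs Sb3 compared in constant time.
func (gw *Party) OnKeyNegResponse(resp KeyNegResponse) SessionConfirm {
	if !verify(gw.Peer, resp.Sig, resp.Rb, resp.Se, resp.AgID, resp.Sb3) || !bytes.Equal(resp.Se, gw.se) {
		return SessionConfirm{Err: 1}
	}
	gw.rb = resp.Rb
	gw.derive(gw.ID, resp.AgID)
	if !hmac.Equal(gw.c3, resp.Sb3) {
		return SessionConfirm{Err: 2}
	}
	return SessionConfirm{Err: 0, Sa2: gw.c2}
}

// Step 5, agent: error code 0 and Sa2 equal to the local Sb2 complete the negotiation.
func (ag *Party) OnSessionConfirm(c SessionConfirm) ([]byte, error) {
	if c.Err != 0 || !hmac.Equal(c.Sa2, ag.c2) {
		return nil, errors.New("session confirmation rejected")
	}
	return ag.key, nil
}
```

Two checks that the text leaves implicit are made explicit here: the gateway requires the Se echoed in the response to equal the Se it issued, so a response belonging to another session cannot be spliced in, and the check values are compared with hmac.Equal rather than a plain byte comparison. An impostor presenting an unregistered key under a registered ID is stopped at step 2, an agent holding the wrong preset gateway certificate stops at step 3, and any alteration of the key negotiation response in flight fails the gateway's signature check, leaving the agent with a non-zero error code and no key.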
(2) As shown in fig. 11, the identity authentication process between the edge internet of things agent and the internet of things management platform includes:
1) The edge Internet of things agent sends an authentication application message to the Internet of things management platform;
2) The Internet of things management platform obtains a random number R1 from the power distribution encryption authentication device and sends it to the edge Internet of things agent;
3) The edge Internet of things agent takes a random number R2 from its security chip, signs R1+R2, and sends R2 together with the signature to the Internet of things management platform; at the same time the edge Internet of things agent stores R1;
4) The Internet of things management platform verifies the validity of the edge Internet of things agent's signature with the edge Internet of things agent certificate, thereby authenticating the edge Internet of things agent; it then signs the edge Internet of things agent's random number R2 and sends the result to the edge Internet of things agent;
5) The edge Internet of things agent verifies the correctness of the Internet of things management platform's signature; once verification passes, the edge Internet of things agent has authenticated the Internet of things management platform and returns an authentication confirmation message.
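The platform exchange in steps 1) to 5), as an added example in Go; it is not the patent's own code, and the type names, the ECDSA P-256/SHA-256 signatures and the 32-byte random numbers are assumptions. crypto/rand stands in both for the power distribution encryption authentication device that supplies R1 and for the agent's security chip that supplies R2. The one detail the steps do not spell out, and that matters in practice, is what the platform does with R1 between steps 2) and 4): here it is kept per agent ID and consumed when the verification message arrives, so a captured verification message cannot be replayed, and the signature over R1+R2 binds the platform's challenge to the agent's response.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Platform stands in for the IoT management platform and Agent for the edge IoT
// agent. Assumed: ECDSA P-256/SHA-256 signatures and 32-byte random numbers;
// crypto/rand plays the encryption authentication device and the security chip.
type Platform struct {
	priv      *ecdsa.PrivateKey
	agentPub  map[string]*ecdsa.PublicKey // agent ID -> public key from its certificate
	pendingR1 map[string][]byte           // agent ID -> R1 issued in step 2, not yet consumed
}

type Agent struct {
	ID          []byte
	priv        *ecdsa.PrivateKey
	platformPub *ecdsa.PublicKey
	r1, r2      []byte // R1 stored in step 3; R2 drawn from the security chip
}

type AuthRequest struct{ R1 []byte }            // step 2
type VerifyMessage struct{ ID, R2, Sig []byte } // step 3: Sig is over R1||R2
type AuthResponse struct{ Sig []byte }          // step 4: Sig is over R2

func NewPlatform() *Platform {
	return &Platform{priv: genKey(), agentPub: map[string]*ecdsa.PublicKey{}, pendingR1: map[string][]byte{}}
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func random32() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func signOver(k *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verifyOver(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return pub != nil && ecdsa.VerifyASN1(pub, h[:], sig)
}

// Step 2: the platform issues a fresh R1 for this agent and remembers it until step 4.
func (p *Platform) OnAuthApplication(agentID []byte) AuthRequest {
	r1 := random32()
	p.pendingR1[string(agentID)] = r1
	return AuthRequest{R1: r1}
}

// Step 3: the agent stores R1, draws R2 and signs R1||R2. Both values are fixed
// 32-byte strings, so plain concatenation is unambiguous (variable-length values
// would need length prefixes).
func (a *Agent) OnAuthRequest(req AuthRequest) VerifyMessage {
	a.r1, a.r2 = req.R1, random32()
	return VerifyMessage{ID: a.ID, R2: a.r2, Sig: signOver(a.priv, bytes.Join([][]byte{a.r1, a.r2}, nil))}
}

// Step 4: the platform verifies the signature against the R1 it issued for this
// agent, consuming R1 so a captured message cannot be replayed, then signs R2.
func (p *Platform) OnVerifyMessage(vm VerifyMessage) (AuthResponse, error) {
	id := string(vm.ID)
	r1, ok := p.pendingR1[id]
	delete(p.pendingR1, id)
	if !ok || !verifyOver(p.agentPub[id], bytes.Join([][]byte{r1, vm.R2}, nil), vm.Sig) {
		return AuthResponse{}, errors.New("edge agent authentication failed")
	}
	return AuthResponse{Sig: signOver(p.priv, vm.R2)}, nil
}

// Step 5: the agent accepts the platform only if the signature is over its own R2.
func (a *Agent) OnAuthResponse(resp AuthResponse) bool {
	return verifyOver(a.platformPub, a.r2, resp.Sig)
}
```

Register an agent by storing its certificate public key in `agentPub` and giving the agent the platform's public key; then run the four handlers in order. Replaying a captured verification message fails twice over: the stored R1 is gone, and even after a new authentication application the old signature covers the previous R1. An agent with no certificate on the platform is refused in step 4, and a response signed with any key other than the platform's is refused by the agent in step 5.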
The invention designs the identity authentication and key agreement process for the edge Internet of things agent's access to the gateway and the identity authentication method for the Internet of things management platform, effectively avoiding risks such as counterfeit access by an edge Internet of things agent and leakage of the data exchanged between the edge Internet of things agent and the gateway, guaranteeing secure access and data security for a large number of edge Internet of things agents, and ensuring the safe and stable operation of the power distribution Internet of things.
The abbreviations in FIG. 1 of the present invention are explained:
FTU (Feeder Terminal Unit): a feeder switch monitoring terminal, installed on 10 kV circuit breakers and load switches. Its main functions are to collect the electrical parameters of the circuit where each switch is located and transmit them to the superior system; to monitor the line operating state and report promptly when the line faults; and to wait for instructions from the superior system to open or close the switch, executing master station remote control commands.
DTU (Distribution Terminal Unit): a data acquisition and monitoring terminal installed at conventional switching stations, outdoor small switching stations, ring main units, small substations, box-type substations and the like. Its functions include reporting the position signals of the switchgear that makes up the switching station, executing master station remote control commands, and performing closing and opening operations on the switches.
TTU (Transformer Terminal Unit): a terminal installed beside transformer equipment such as distribution transformers and box-type transformers to monitor the operating state of the transformer. The TTU mainly collects and processes electrical quantities and other parameters on the low-voltage side of the distribution transformer, transmits them to the superior level, monitors the operating condition of the transformer and reports promptly when it fails, and implements local and remote centralized automatic reactive power compensation and other control functions on the capacitor bank.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The present invention is not limited to the above embodiments, and any modifications, equivalent replacements, improvements, etc. made within the spirit and principle of the present invention are included in the scope of the claims of the present invention which are filed as the application.

Claims (10)

1. An edge internet of things agent, wherein the edge internet of things agent is used for a safety protection device and is respectively in communication connection with an access gateway and an internet of things management platform for the safety protection device, and the edge internet of things agent comprises: a first authentication module and a second authentication module;
the first verification module is used for performing bidirectional identity authentication and key agreement with the access gateway;
the second verification module is used for performing bidirectional identity authentication with the Internet of things management platform after the bidirectional identity authentication and the key agreement with the access gateway have succeeded, and for performing service data transmission with the Internet of things management platform after that bidirectional identity authentication has passed;
the second authentication module comprising:
the authentication application message sending unit is used for sending an authentication application message to the Internet of things management platform;
the confirmation and initiation authentication unit is used for receiving an authentication request sent by the Internet of things management platform based on the authentication application message and storing the random number of the Internet of things management platform in the authentication request; the system is also used for generating a random number of the edge Internet of things agent, generating a verification message after signing the random number of the Internet of things management platform and the random number of the edge Internet of things agent and sending the verification message to the Internet of things management platform;
and the authentication result returning unit is used for receiving a response authentication message sent by the Internet of things management platform based on the verification message, authenticating the identity of the Internet of things management platform based on the response authentication message, and transmitting service data with the Internet of things management platform after the identity of the Internet of things management platform passes the authentication.
2. The edge internet of things proxy of claim 1, wherein the first authentication module comprises:
the session application submodule is used for encapsulating the edge Internet of things proxy equipment certificate into a session application message and sending the session application message to the access gateway;
the gateway identity authentication submodule is used for receiving a key negotiation request message sent by the access gateway based on the session application message, verifying the key negotiation request message based on a public key in a preset access gateway certificate, calling a key negotiation response submodule when the verification is passed, and otherwise, returning the identity authentication failure of the access gateway to the access gateway;
the key negotiation response submodule is used for generating a random number of the edge Internet of things agent, calculating the key negotiation request message and the random number of the edge Internet of things agent to obtain a key, a first agent check value and a second agent check value, and packaging a key negotiation material containing the random number of the edge Internet of things agent and the second agent check value into a key negotiation response message to be sent to the access gateway;
the session confirmation submodule is used for receiving a session confirmation message sent by the access gateway based on the key negotiation response message, analyzing the session confirmation message and extracting a verification code, and when the verification code is wrong, the negotiation with the access gateway fails; and when the verification code is correct, comparing a first gateway check value in the verification code with the first proxy check value, if the first gateway check value is the same as the first proxy check value, using the current key as a session key when the ciphertext is transmitted, and otherwise, failing to negotiate the key.
3. The edge internet of things agent of claim 2 wherein the key agreement response submodule comprises:
a key agreement material obtaining unit, configured to obtain a key agreement material from the key agreement request message;
the edge Internet of things agent key generation unit is used for generating a random number of the edge Internet of things agent, and calculating the key negotiation material in the key negotiation request message based on the random number of the edge Internet of things agent, the edge Internet of things agent ID, the private key of the edge Internet of things agent and the public key of the access gateway to obtain a key, a first agent check value and a second agent check value;
and the edge Internet of things agent signing and packaging unit is used for signing the key negotiation material containing the random number generated by the edge Internet of things agent, the ID of the edge Internet of things agent, the distinguishable identification of the session and the second agent check value by adopting a private key of the edge Internet of things agent to generate a signature value, and packaging the signature value and the key negotiation material into a key negotiation response message to be sent to the access gateway.
4. A safety protection method for a power distribution Internet of things is characterized by comprising the following steps:
bidirectional identity authentication and key agreement are carried out between the edge Internet of things agent and the access gateway;
when the bidirectional identity authentication and the key negotiation between the edge Internet of things agent and the access gateway are successful, the edge Internet of things agent and the Internet of things management platform perform bidirectional identity authentication, and after the bidirectional identity authentication and the key negotiation are successful, the edge Internet of things agent and the Internet of things management platform perform service data transmission;
the edge internet of things agent and the internet of things management platform carry out bidirectional identity authentication, and after the authentication, the edge internet of things agent and the internet of things management platform carry out service data transmission, and the method comprises the following steps:
the edge Internet of things agent sends an authentication application message to the Internet of things management platform;
receiving an authentication request sent by the Internet of things management platform based on the authentication application message, and storing a random number of the Internet of things management platform in the authentication request;
generating a random number of the edge Internet of things agent, signing the random number of the Internet of things management platform and the random number of the edge Internet of things agent, generating a verification message and sending the verification message to the Internet of things management platform;
and receiving a response authentication message sent by the Internet of things management platform based on the verification message, authenticating the identity of the Internet of things management platform based on the response authentication message, and transmitting service data with the Internet of things management platform after the identity of the Internet of things management platform passes the authentication.
5. The method of claim 4, wherein the bidirectional identity authentication and key agreement between the edge Internet of things proxy and the access gateway comprises:
the edge Internet of things agent encapsulates the edge Internet of things agent equipment certificate into a session application message and sends the session application message to the access gateway;
the edge internet of things agent receives a key negotiation request message sent by an access gateway based on the session application message, verifies the key negotiation request message based on a public key in a preset access gateway certificate, and returns the identity authentication failure of the access gateway to the access gateway when the verification fails, otherwise, the operation is executed:
generating a random number of the edge Internet of things agent, calculating the key negotiation request message and the random number of the edge Internet of things agent to obtain a key, a first agent check value and a second agent check value, and meanwhile packaging a key negotiation material containing the random number of the edge Internet of things agent and the second agent check value into a key negotiation response message to be sent to the access gateway;
the edge Internet of things agent receives a session confirmation message sent by an access gateway based on a key negotiation response message, analyzes the session confirmation message and extracts a verification code, and when the verification code is wrong, the negotiation with the access gateway is failed; and when the verification code is correct, comparing a first gateway check value in the verification code with the first proxy check value, if the first gateway check value is the same as the first proxy check value, using the current key as a session key when the ciphertext is transmitted, and otherwise, failing to negotiate the key.
6. The method of claim 5, wherein the generating a random number of the edge IOT agent, calculating the key negotiation request message and the random number of the edge IOT agent to obtain a key, a first agent check value and a second agent check value, and encapsulating the random number of the edge IOT agent and the second agent check value into a key negotiation response message to be sent to an access gateway comprises:
acquiring a key negotiation material from the key negotiation request message;
generating a random number of the edge Internet of things agent, and calculating based on the random number of the edge Internet of things agent, an ID (identity) of the edge Internet of things agent, a private key of the edge Internet of things agent and a public key of an access gateway and a key negotiation material in the key negotiation request message to obtain a key, a first agent check value and a second agent check value;
and signing the key negotiation material containing the random number generated by the edge Internet of things agent, the ID of the edge Internet of things agent, the distinguishable identification of the session and the verification value of the second agent by adopting a private key of the edge Internet of things agent to generate a signature value, and meanwhile, packaging the signature value and the key negotiation material into a key negotiation response message and sending the key negotiation response message to the access gateway.
7. An access gateway, used for a safety protection device, comprising:
the gateway and edge Internet of things agent verification module is in communication connection with an edge Internet of things agent used for a safety protection device and is used for performing bidirectional identity authentication and key agreement with the edge Internet of things agent;
the gateway and edge Internet of things agent verification module comprises:
the identity authentication submodule of the edge Internet of things agent is used for receiving a session application message sent by the edge Internet of things agent, analyzing the session application message to obtain an edge Internet of things agent equipment certificate and verifying the edge Internet of things agent equipment certificate, and extracting a signature public key of the edge Internet of things agent after verification;
the key negotiation request submodule is used for generating a random number of an access gateway, generating a key negotiation request message based on the random number of the access gateway and sending the key negotiation request message to the edge Internet of things agent;
the key negotiation confirming submodule is used for receiving a key negotiation response message sent by the edge Internet of things agent based on the key negotiation request message, verifying the key negotiation response message based on a signature public key of the edge Internet of things agent, and extracting key negotiation materials in the key negotiation response message after verification; and the gateway is further configured to calculate the random number of the access gateway and the key negotiation material to obtain a key, a first gateway check value and a second gateway check value, and when the second proxy check value is consistent with the second gateway check value in the key negotiation material, generate a session confirmation message from the first gateway check value and send the session confirmation message to the edge internet of things proxy.
8. The access gateway of claim 7, wherein the key agreement request submodule comprises:
a random number generating unit, configured to generate a random number of an access gateway;
and the key negotiation request message generation unit is used for signing a key negotiation material containing the random number of the access gateway, the distinguishable identification of the session and the ID of the access gateway by adopting a private key of the access gateway, packaging a signature value and the key negotiation material into a key negotiation request message and sending the key negotiation request message to the edge Internet of things agent.
9. The access gateway of claim 7, wherein the key agreement confirmation sub-module comprises:
a gateway verification message signature value unit, configured to receive a key agreement response message sent by an edge internet of things agent based on the key agreement request message, verify a signature value of the key agreement response message based on a signature public key of the edge internet of things agent, and obtain a key agreement material of the key agreement response message after verification is passed, where the key agreement material includes a second agent check value;
a gateway key generation unit, configured to calculate based on a key negotiation material, a random number of an access gateway, an access gateway ID, a public key of an edge internet of things proxy, and a private key of the access gateway, in the key negotiation response message, except for the second proxy check value, to obtain a key, a first gateway check value, and a second gateway check value;
a session confirmation message generating unit, configured to compare the second gateway check value with the second agent check value, and if the second gateway check value is equal to the second agent check value, encapsulate the first gateway check value into a session confirmation message and send the session confirmation message to the edge internet of things agent; if not, the error code is encapsulated into a session confirmation message and the session confirmation message is sent to the edge Internet of things agent.
10. An Internet of things management platform, wherein the Internet of things management platform is used for a safety protection device and comprises: a verification module of the platform and the edge Internet of things agent;
the platform and the verification module of the edge Internet of things agent are in communication connection with the edge Internet of things agent used for the safety protection device;
the platform and the verification module of the edge Internet of things agent are used for performing bidirectional identity authentication with the edge Internet of things agent, and performing service data transmission with the edge Internet of things agent after the authentication is passed;
the verification module of the platform and the edge Internet of things agent comprises:
an authentication request initiating unit, used for receiving an authentication application message sent by the edge Internet of things agent, generating a random number of the Internet of things management platform, encapsulating the random number of the Internet of things management platform into an authentication request and sending the authentication request to the edge Internet of things agent;
and the authentication request response unit is used for receiving a verification message sent by the edge Internet of things agent based on the authentication request, verifying the verification message by using an edge Internet of things agent certificate, generating a response authentication message by signing a random number sent by the edge Internet of things agent after verification, and sending the response authentication message to the edge Internet of things agent.
CN202010258123.0A 2020-04-03 2020-04-03 Edge Internet of things agent, access gateway, internet of things management platform and safety protection method Active CN113556307B (en)

Publications (2)

Publication Number Publication Date
CN113556307A CN113556307A (en) 2021-10-26
CN113556307B true CN113556307B (en) 2022-12-13

Family

ID=78129246

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant