CN113612605A - Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology - Google Patents

Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology Download PDF

Info

Publication number
CN113612605A
CN113612605A CN202110882439.1A CN202110882439A CN113612605A CN 113612605 A CN113612605 A CN 113612605A CN 202110882439 A CN202110882439 A CN 202110882439A CN 113612605 A CN113612605 A CN 113612605A
Authority
CN
China
Prior art keywords
terminal
key
identity authentication
internet
request message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110882439.1A
Other languages
Chinese (zh)
Other versions
CN113612605B (en
Inventor
王丙磊
胡缙
王建礼
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Quantum Technology Co ltd
Original Assignee
China Telecom Quantum Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Quantum Technology Co ltd filed Critical China Telecom Quantum Technology Co ltd
Priority to CN202110882439.1A priority Critical patent/CN113612605B/en
Publication of CN113612605A publication Critical patent/CN113612605A/en
Application granted granted Critical
Publication of CN113612605B publication Critical patent/CN113612605B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Electromagnetism (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an identity authentication method for enhancing an MQTT protocol by using a symmetric cryptographic technique, which comprises the following steps: identity authentication for the first time: the terminal of the internet of things is connected with the platform of the internet of things: the quantum key filling machine fills a quantum key into a quantum security chip, simultaneously records the corresponding relation between the storage filling security chip and the key, the terminal of the Internet of things calls the quantum key in the chip to construct an identity authentication request message to the platform of the Internet of things, the platform of the Internet of things obtains symmetry for decryption and compares identities, a login token is generated after authentication is successful, and a verification message is returned to the terminal; and (3) identity authentication for the second time: the Internet of things platform applies for a secret key according to the terminal ID and constructs an identity authentication request message to the terminal; and the terminal decrypts and verifies the platform ID and the login token. The invention also provides a system and equipment corresponding to the method. The invention has the advantages that: and identity authentication is carried out by using a key set symmetric algorithm in the quantum security chip, one time pad is used, a digital certificate is not required to be issued and authenticated by a third party, and the security is higher.

Description

Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology
Technical Field
The invention belongs to the technical field of safety application products, and particularly relates to an identity authentication method for enhancing an MQTT protocol by using a symmetric password technology.
Background
The MQTT (Message queue Telemetry Transport) Protocol is a communication Protocol based on a publish/subscribe mode, and is constructed on a TCP/IP (Transmission Control Protocol/Internet Protocol) Protocol. The MQTT can provide real-time reliable message service for connected terminals with less codes and limited bandwidth.
In the MQTT protocol, a server (which may be referred to as an MQTT server) needs to authenticate an accessed terminal (which may be referred to as an MQTT terminal). And after the authentication is successful, the MQTT terminal publishes or subscribes the message through the MQTT server. In order to improve the Security of data transmission in the authentication process, the prior art generally adopts a TLS (Transport Layer Security) protocol for authentication. Before authentication, the MQTT terminal and the MQTT server need to apply for respective certificates and import the certificates into the self-device. TLS protocol authentication tool
The body process comprises the following steps: the MQTT terminal sends negotiation information to the MQTT server, the negotiation information comprises an encryption algorithm candidate list, a compression algorithm candidate list and the like, the MQTT server determines target negotiation information (such as an encryption algorithm and a compression algorithm) required to be used from the received negotiation information, then sends the certificate of the MQTT server and the target negotiation information to the MQTT terminal, and informs the MQTT terminal of providing the certificate. The MQTT terminal verifies the certificate of the MQTT server, and after the certificate passes the verification, the certificate of the MQTT terminal can be sent to the MQTT server. And the MQTT server verifies the certificate of the MQTT terminal, and after the certificate passes the verification, the MQTT terminal is judged to be successfully authenticated. After the authentication is completed, the MQTT terminal and the MQTT server can transmit service data according to the target negotiation information.
However, when performing authentication, both the MQTT terminal and the MQTT server need to apply for a certificate, import the certificate into their own devices, and need to manage the imported certificate, which increases the processing complexity of the MQTT terminal and the MQTT server in the authentication process.
In order to solve the above problems, patent application with publication number CN108599939A discloses an authentication method, which can be applied to a message queue telemetry transmission MQTT terminal, where the MQTT terminal can send an authentication request to an MQTT server, obtain a verification string according to a pre-stored private key and an encrypted string sent by the MQTT server, and send the verification string to the MQTT server. The MQTT server applying the authentication method can encrypt the acquired random character string according to the public key corresponding to the MQTT terminal to obtain an encrypted character string, and sends the encrypted character string to the MQTT terminal, and then can obtain the authentication result of the MQTT terminal according to the random character string and the received verification character string. Based on the above processing, the MQTT terminal and the MQTT server can realize the authentication of the MQTT terminal without performing the operations of applying, importing and managing the certificate, and the processing complexity of the MQTT terminal and the MQTT server in the authentication process can be reduced.
In the prior art, in the MQTT protocol, a channel must be established based on a public and private key system to realize the identity authentication function based on the protocol, and the existing scheme cannot resist the influence of attacks on the safety of equipment of the Internet of things under the increasingly severe environment of network attacks.
Disclosure of Invention
The technical problem to be solved by the invention is how to realize secure MQTT protocol identity authentication to resist the increasingly severe condition that Internet equipment is attacked.
The invention solves the technical problems through the following technical means: an identity authentication method for enhancing an MQTT protocol by using a symmetric cryptographic technique comprises the following steps:
s1, first identity authentication: the terminal of the internet of things is connected with the platform of the internet of things: the quantum key charging machine completes charging and storage of a quantum key generated by the quantum random number generator to the quantum secure chip, simultaneously records the corresponding relation between the storage charging secure chip and the key, and the terminal of the internet of things calls the quantum key stored in the built-in integrated or external secure chip to construct an identity authentication request message: the method comprises the steps that a key serial number + a terminal ID + a ciphertext (a time-varying parameter + a terminal ID + a terminal preset password) is sent to an Internet of things platform, the Internet of things platform obtains a key symmetrical to a terminal charging key from a quantum password management service system connected with a quantum exchange password machine according to the terminal ID and the key serial number to decrypt, compares the terminal ID with the terminal preset password in an identity authentication request message, simultaneously saves the time-varying parameter sent by the terminal, generates a login token according to the terminal ID and the time-varying parameter after authentication is successful, returns a verification success message to the terminal, and returns an unsuccessful message if the authentication is unsuccessful;
s2, second identity authentication: the Internet of things platform applies for a charging key matched with the terminal and a corresponding key serial number according to the terminal ID vector sub-password management service system, and starts to construct an identity authentication request message: the method comprises the steps that a key serial number + a cipher text (time-varying parameters + a platform ID + a login token) are combined to generate the login token according to a terminal ID reported by a terminal during first identity authentication and the time-varying parameters, and an identity authentication request message is sent to the terminal; the terminal obtains a key symmetrical to the corresponding charging key according to the key serial number to decrypt the identity authentication request message, verifies the platform ID and the login token, determines that the login token is generated by the Internet of things platform according to the terminal ID and the time-varying parameter during authentication when identity authentication is carried out for the first time, and starts to send the message to the Internet of things platform after the verification is successful.
As a further optimized technical solution, a validity period may be set after each authentication is finished.
As a technical solution for further optimization,
s1, first identity authentication, comprising the following steps:
s11, the terminal acquires the key request in the security chip, and the security chip returns the key B of the chip key serial number Z;
s12, the terminal constructs an initial identity authentication request message according to the content format of the MQTT connection message Connect: the key sequence number Z + the terminal ID + the ciphertext (the time-varying parameter + the terminal ID + the terminal preset password), the encryption mode of the ciphertext is completed by adopting a symmetric algorithm, and the encryption key is the key B taken out in S1;
s13, the terminal sends the identity authentication request message constructed in the step S12 to the externally exposed proxy address of the platform of the Internet of things;
s14, the Internet of things platform acquires a key B' symmetrical to the key B according to the terminal ID and the key serial number Z in the initial identity authentication request message to the sub-password management service system;
s15, the quantum password management service system returns a key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the key B' to obtain a decrypted ciphertext: the method comprises the steps of obtaining a time-varying parameter, a terminal ID and a terminal preset password, comparing the decrypted terminal ID with the terminal preset password with a terminal ID stored in a background and a terminal preset password stored in an Internet of things platform in advance, determining the identity of the terminal, returning a verification success message OX00 to the terminal by using CONNACK in an MQTT message, storing the time-varying parameter sent by the terminal, and returning a non-0 message according to an MQTT manual if the verification is unsuccessful.
As a technical solution for further optimization,
s2, second identity authentication, comprising the following steps:
s21, the Internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns a chip key W matched with the terminal and a serial number C of the chip key W to the Internet of things platform;
s22, the Internet of things platform constructs an identity authentication request message applied to the terminal: the method comprises the following steps that a key sequence number C + a ciphertext (time-varying parameter + platform ID + login token), an encryption key of the ciphertext is a chip key W taken out of S21, the login token is generated by the time-varying parameter and the terminal ID stored in the terminal for the first identity authentication, an Internet of things platform is built by PUBLISH to carry out a terminal identity authentication mechanism, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
s23, the terminal receives an identity authentication request message pushed by the Internet of things platform, a symmetric decryption key of a chip key W corresponding to a key sequence number C is obtained from the security chip according to the key sequence number C in the identity authentication request message, and the security chip returns a decryption key W';
s24, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification through the verification platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter and the terminal ID which are sent by the first identity authentication, and if the verification result is passed, the terminal considers that the Internet of things platform is credible, and then can send data to the Internet of things platform.
The invention also provides an identity authentication system for enhancing the MQTT protocol by using the symmetric cryptographic technology, which comprises the following modules:
the first identity authentication module: the terminal of the internet of things is connected with the platform of the internet of things: the quantum key charging machine completes charging and storage of a quantum key generated by the quantum random number generator to the quantum secure chip, simultaneously records the corresponding relation between the storage charging secure chip and the key, and the terminal of the internet of things calls the quantum key stored in the built-in integrated or external secure chip to construct an identity authentication request message: the method comprises the steps that a key serial number + a terminal ID + a ciphertext (a time-varying parameter + a terminal ID + a terminal preset password) is sent to an Internet of things platform, the Internet of things platform obtains a key symmetrical to a terminal charging key from a quantum password management service system connected with a quantum exchange password machine according to the terminal ID and the key serial number to decrypt, compares the terminal ID with the terminal preset password in an identity authentication request message, simultaneously saves the time-varying parameter sent by the terminal, generates a login token according to the terminal ID and the time-varying parameter after authentication is successful, returns a verification success message to the terminal, and returns an unsuccessful message if the authentication is unsuccessful;
the second identity authentication module: the Internet of things platform applies for a charging key matched with the terminal and a corresponding key serial number according to the terminal ID vector sub-password management service system, and starts to construct an identity authentication request message: the method comprises the steps that a key serial number + a cipher text (time-varying parameters + a platform ID + a login token) are combined to generate the login token according to a terminal ID reported by a terminal during first identity authentication and the time-varying parameters, and an identity authentication request message is sent to the terminal; the terminal obtains a key symmetrical to the corresponding charging key according to the key serial number to decrypt the identity authentication request message, verifies the platform ID and the login token, determines that the login token is generated by the Internet of things platform according to the terminal ID and the time-varying parameter during authentication when identity authentication is carried out for the first time, and starts to send the message to the Internet of things platform after the verification is successful.
As a further optimized technical solution, the first identity authentication module includes:
a terminal key requesting unit: the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
an initial identity authentication request message construction unit: the terminal constructs an initial identity authentication request message according to the content format of the MQTT connection message Connect: the method comprises the following steps that (1) a key serial number Z + a terminal ID + a ciphertext (a time-varying parameter + the terminal ID + a terminal preset password), a symmetric algorithm is adopted as an encryption mode of the ciphertext, and an encryption key is a key B taken out of a terminal key request unit;
an initial identity authentication request message sending unit: the terminal sends an identity authentication request message constructed by an initial identity authentication request message construction unit to an externally exposed proxy address of the Internet of things platform;
a symmetric key acquisition unit: the Internet of things platform acquires a secret key B' symmetrical to the secret key B according to the terminal ID and the secret key serial number Z in the initial identity authentication request message;
a decryption unit: the quantum password management service system returns a key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the key B' to obtain a decrypted ciphertext: the method comprises the steps of obtaining a time-varying parameter + a terminal ID + a terminal preset password, comparing the decrypted terminal ID with the terminal preset password with a terminal ID stored in a background and a terminal preset password stored in an Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by using CONNACK in an MQTT message and storing the time-varying parameter sent by the terminal, and if the verification is unsuccessful, returning a non-0 message according to an MQTT manual.
As a further optimized technical solution, the second-time identity authentication module includes:
a platform key requesting unit: the Internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns a chip key W matched with the terminal and a serial number C of the chip key W to the Internet of things platform;
the second identity authentication request message construction unit: the Internet of things platform constructs an identity authentication request message applied to the terminal: the method comprises the steps that a key sequence number C + a ciphertext (time-varying parameter + platform ID + login token), an encryption key of the ciphertext is a chip key W taken out of a platform key request unit, the login token is generated by the time-varying parameter and the terminal ID stored in the terminal for the first identity authentication, an Internet of things platform is built by PUBLISH to carry out a terminal identity authentication mechanism, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
a symmetric key acquisition unit: the terminal receives an identity authentication request message pushed by the Internet of things platform, a symmetric decryption key of a chip key W corresponding to a serial number C is obtained from a security chip according to the key serial number C in the identity authentication request message, and the security chip returns the decryption key W';
a decryption unit: the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification through the verification platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter and the terminal ID which are sent by the first identity authentication, and if the verification platform ID and the login token pass, the terminal considers that the Internet of things platform is credible and can send data to the Internet of things platform.
The invention also provides an identity authentication system for enhancing the MQTT protocol by using the symmetric cryptography, which is applied to the Internet of things terminal and comprises the following components:
identity authentication for the first time:
s31, the terminal acquires the key request in the security chip, and the security chip returns the key B of the chip key serial number Z;
s32, the terminal constructs an initial identity authentication request message according to the content format of the MQTT connection message Connect: the key sequence number Z + the terminal ID + the ciphertext (the time-varying parameter + the terminal ID + the terminal preset password), the ciphertext is encrypted by adopting a symmetric algorithm, and the encryption key is the key B taken out in S1;
s33, the terminal sends the constructed identity authentication request message to the externally exposed proxy address of the platform of the Internet of things;
s34, the terminal receives a verification success message OX00 returned by the Internet of things platform, and if the verification success message OX00 is not successful, a non-0 message is returned according to the MQTT manual;
and (3) identity authentication for the second time:
s41, the terminal receives an identity authentication request message pushed by the Internet of things platform, a symmetric decryption key of a chip key W corresponding to a key sequence number C is obtained from the security chip according to the key sequence number C in the identity authentication request message, and the security chip returns a decryption key W';
s42, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', decryption verification is carried out through the verification platform ID and the login token, whether the login token is generated by the time-varying parameter and the terminal ID which are sent by the first identity authentication or not is mainly verified, and if the verification result is passed, the terminal considers that the Internet of things platform is credible and can send data to the Internet of things platform.
The invention also provides an internet of things terminal, which comprises a processor and a computer readable storage medium, wherein the computer readable storage medium is used for storing a computer program, and the processor is used for causing the internet of things terminal to execute the steps of claim 8 when the computer program stored on the computer readable storage medium is executed.
The invention also provides an identity authentication method for enhancing the MQTT protocol by using the symmetric cryptography, which is applied to the platform of the Internet of things and comprises the following steps:
identity authentication for the first time:
s301, the Internet of things platform obtains a secret key B' symmetrical to the secret key B according to a terminal ID and a secret key serial number Z in an initial identity authentication request message sent by the Internet of things terminal;
s302, the Internet of things platform receives a secret key B 'returned by the quantum password management service system, and the Internet of things platform decrypts the initial identity authentication request message by using the secret key B' to obtain a decrypted ciphertext: time-varying parameter + terminal ID + terminal preset password, comparing the decrypted terminal ID with the terminal preset password with the terminal ID stored in the background and the terminal preset password stored in the Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by using CONNACK in the MQTT message, storing the time-varying parameter sent by the terminal, and returning a non-0 message according to the MQTT manual if the verification is unsuccessful;
and (3) identity authentication for the second time:
s401, the Internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns a chip key W matched with the terminal and a serial number C of the chip key W to the Internet of things platform;
s402, the Internet of things platform constructs an identity authentication request message applied to the terminal: the method comprises the steps that a key sequence number C + a ciphertext (time-varying parameter + platform ID + login token), the encryption algorithm of the ciphertext adopts a two-party agreed algorithm, the encryption key is a chip key W taken out in S6, the login token is generated by the time-varying parameter and the terminal ID which are stored in the terminal for the first identity authentication, an internet of things platform is built by PUBLISH to carry out an identity authentication mechanism on the terminal, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD.
The invention also provides an internet of things platform comprising a processor and a computer readable storage medium, the computer readable storage medium storing a computer program, the processor being configured to cause the internet of things platform to perform the steps of claim 10 when executing the computer program stored on the computer readable storage medium.
The invention has the advantages that:
(1) the problem of the network attack increasingly severe environment influence the safety of the Internet of things equipment is solved, and the problem of identity authentication of the Internet of things terminal equipment is solved: and carrying out identity authentication by using a quantum security chip built-in key set symmetric algorithm, and authenticating one key at a time.
(2) Based on this scheme, the security performance of authentication greatly promotes: a. the security threat brought by future quantum computers and quantum algorithms is prevented; the method comprises the following steps of preventing a public key cryptographic algorithm based on a large-factor decomposition problem from being decoded: using quantum symmetric keys, cannot be deciphered by factorization; security threat brought by quantum computers appearing in the future is prevented: the quantum security password is used for encryption transmission, and theoretically, the encryption transmission is completely safe and credible; preventing the threat of quantum algorithm possibly appearing in the future to the existing password system: the quantum security password is used for encrypted transmission, and the quantum security key is a true random number generated by a quantum random number generator and cannot be deciphered through an algorithm.
(3) Third party issuance and certification without digital certificates: the method provides a certificate-free authentication mode, reduces participation of a third party: the entity authentication of both users is performed using an entity authentication protocol based on the SM4 without a third party issuing a certificate. The number of participants in the process is reduced, and the risk of the three-party agreement is reduced.
(4) The development technology is easy to realize: the quantum security chip is a feasible existing technology, the security authentication based on the quantum symmetric key is also a realizable technology, the mail encryption password for encrypting the mail can be generated by using a quantum random number, the technology is mature, and the security is high.
(5) The commonality is strong, ductility is good: the method has few places for transforming the platform of the Internet of things, improves the safety mainly by adding a quantum key service system, and has strong universality. The invention can be integrated on a quantum password management service system, provides a functional interface for the outside and has good extensibility.
(6) The network security capability is remarkably improved: the invention can defend against the existing attack mode and possible quantum computing threat in the future, and can greatly reduce the economic loss caused by information leakage.
(7) The terminal safety capability is remarkably upgraded: the invention can greatly enhance the security of the terminal, and has clear requirements for metering terminals such as electric meters, water meters and the like and fields with very high security fields according to two hundred million terminals at present. The improvement cost of a single table is estimated to be 25 yuan at present, the permeability is about 10% according to the number of two hundred million terminals of an air foil Internet of things, and the future market expectation of 2.5 hundred million can be supported.
(8) The improvement cost is low: the invention can be modified on the existing system, the platform side can be directly butted with the management platform, the equipment side can be butted by adopting an integrated SIM card or a safety module, and the modification cost is low.
Drawings
FIG. 1 is a schematic general flowchart of a method for enhancing identity authentication of MQTT protocol by using symmetric cryptography according to an embodiment of the present invention;
FIG. 2 is a system diagram of a method for enhancing identity authentication using symmetric cryptography using the MQTT protocol according to an embodiment of the present invention;
FIG. 3 is a timing diagram of the transmission of identity authentication using symmetric cryptography enhanced MQTT protocol according to an embodiment of the present invention;
FIG. 4 is a detailed flowchart of the first authentication according to the first embodiment;
FIG. 5 is a detailed flowchart of the second authentication according to the first embodiment;
FIG. 6 is a detailed flowchart of the first authentication in the second embodiment;
FIG. 7 is a detailed flowchart of the second authentication in the second embodiment;
FIG. 8 is a detailed flowchart of the first authentication in the third embodiment;
fig. 9 is a detailed flowchart of the second authentication in the third embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
The invention provides an identity authentication method for enhancing an MQTT protocol by using a symmetric cryptography technology, which is applied to an identity authentication system, wherein the identity authentication system comprises a quantum random number generator, a quantum exchange cipher machine, a quantum key charging machine, a quantum key management service system, an Internet of things terminal, a secure key chip and an Internet of things platform.
The terminal of the internet of things can be a publisher in the MQTT protocol or a subscriber in the MQTT protocol. The internet of things platform can be an agent in the MQTT protocol. In the process that the internet of things terminal is accessed into the internet of things platform, the internet of things platform needs to authenticate the internet of things terminal, if the authentication is passed, the internet of things terminal can transmit service data with the internet of things platform, for example, the internet of things terminal can issue messages through the internet of things platform, and also can subscribe messages issued by other internet of things terminals through the internet of things platform. The identity authentication method for enhancing the MQTT protocol by using the symmetric cryptography is used in the process that the terminal of the Internet of things is accessed to the platform of the Internet of things.
The quantum random number generator is used for generating a quantum key;
the quantum exchange cipher machine receives a quantum key sent by the quantum random number generator and is used for providing key service, a key is stored in the quantum exchange cipher machine in advance, the key is the key pre-generated by the quantum random number generator and is stored in the quantum exchange cipher machine, and the key in the quantum safety chip is a symmetric key;
the quantum key filling machine is connected with the output end of the quantum exchange cipher machine and is used for filling the quantum key;
the quantum password management service system is used for realizing data interaction with the Internet of things platform through a network, is directly connected with the quantum password switch and is used for providing a secret key distribution function based on the identity of the security chip.
The terminal of the Internet of things is a device which is connected with a sensing network layer and a transmission network layer in the Internet of things and realizes data acquisition and data transmission to the network layer. It is responsible for data acquisition, preliminary processing, encryption, transmission and other functions. The terminal can be suitable for the integration of a quantum security chip in the form of an SIM card U disk.
The quantum security chip can be in the forms of an SIM card, a U disk and the like, stores a quantum security key, and has the following principle: the quantum security chip is initialized before use (pre-charging cipher), the quantum security chip is charged with quantum security keys through a quantum key charging machine, and the charged keys of each quantum security chip and the keys preset in the quantum exchange cipher machine are symmetric keys (namely keys corresponding to one another). Each quantum security chip has its own serial number, and each quantum key has its own serial number, as long as provide quantum security chip's serial number and quantum key serial number, just can find corresponding key in the quantum exchange crypto engine to through built-in or external in thing networking device or the equipment module of thing networking device.
The Internet of things platform provides the functions of authentication, authentication and equipment data access of the Internet of things terminal equipment based on the MQTT protocol, can finish the function of acquiring a key corresponding to the terminal integrated security chip through interaction with the key management service platform, and can finish the functions of authentication of the terminal identity and encryption and decryption of uplink and downlink messages according to the key stored in the chip in the terminal.
The identity authentication means that the entity authentication between the internet of things terminal and the internet of things platform is realized by using a built-in secret key of the electronic security chip. The authentication mode adopts the specification of 'GB _ T15843.2 entity authentication protocol mechanism three-two-time transmission authentication'.
As shown in fig. 1 and fig. 2, the identity authentication method using the symmetric cryptography to enhance MQTT protocol includes the following steps:
s1, first identity authentication: the terminal of the internet of things is connected with the platform of the internet of things: the quantum key filling machine completes filling and storage of a quantum key generated by the quantum random number generator to the quantum secure chip, and simultaneously records the corresponding relation between the storage filling secure chip and the key. The terminal of the internet of things calls a quantum key stored in a built-in integrated or external security chip to construct an identity authentication request message, and the identity authentication request message is sent according to the requirement of an authentication protocol GB _ T15843.2: a secret key serial number + a terminal ID + a cryptograph (time-varying parameter + a terminal ID + a terminal preset password) to an Internet of things platform, wherein the terminal ID is a unique identity which is allocated to a terminal by the Internet of things platform, the Internet of things platform acquires a secret key which is symmetrical to a terminal charging secret key from a quantum password management service system connected with a quantum exchange cipher machine according to the terminal ID and the secret key serial number to decrypt, compares the terminal ID and the terminal preset password in an identity authentication request message, stores the time-varying parameter sent by the terminal at the same time, generates a login token according to the terminal ID and the time-varying parameter after authentication is successful, returns a verification success message OX00 to the terminal by using CONNACK of MQTT, if the verification success message is unsuccessful, returns a non-0 message according to an MQTT manual, wherein the terminal preset password refers to the Internet of things platform which is pre-allocated to the terminal in advance, and a password for logging by a user is generally burnt in the system at the terminal, basically all the components are put in at the manufacturing stage of the equipment;
s2, second identity authentication: the Internet of things platform applies for a filling key matched with a terminal and a corresponding key serial number according to a terminal ID vector sub-password management service system, and starts to construct an identity authentication request message, because no terminal exists in MQTT messages and has an identity message mechanism for the Internet of things platform, a PUBLISH message mechanism is used, a first subscription subject after all terminals log in is the identity authentication of the Internet of things platform, and the identity authentication request message is constructed according to the requirement of GB _ T15843.2: the method comprises the steps that a key serial number + a ciphertext (a time-varying parameter + a platform ID + a login token) is generated by combining an SM4 algorithm and the login token according to a terminal ID reported by a terminal during first identity authentication and the time-varying parameter, and an identity authentication request message is sent to the terminal; the terminal obtains a key symmetrical to the corresponding charging key according to the key serial number to decrypt the identity authentication request message, verifies the platform ID and the login token, determines that the login token is generated by the Internet of things platform according to the terminal ID and the time-varying parameter during authentication when identity authentication is carried out for the first time, and starts to send the message to the Internet of things platform after the verification is successful.
In order to simplify the authentication time, a validity period can be set after each authentication is finished, and if the validity period is 3 days or 1 day, the authentication is not required to be carried out every time the message is sent.
As shown in the architecture diagram of fig. 2, the quantum password management service system initially fills a secret key into the internet of things terminal, the internet of things terminal is integrated with the security chip, the internet of things terminal performs information interaction with the internet of things platform, the interaction information is identity authentication and uplink and downlink message encryption based on the filled secret key, and the internet of things platform performs information interaction of device secret key acquisition with the quantum password management service system.
As shown in fig. 3 to 5, the detailed process of identity authentication is as follows:
s1, first identity authentication, comprising the following steps:
s11, the terminal acquires the key request in the security chip, and the security chip returns the key B of the chip key serial number Z;
s12, the terminal constructs an initial identity authentication request message according to the content format of the MQTT connection message Connect: the key sequence number Z + the terminal ID + the ciphertext (the time-varying parameter + the terminal ID + the terminal preset password), the encryption mode of the ciphertext can be completed by adopting symmetric algorithms such as SM4, and the encryption key is the key B taken out of S1;
s13, the terminal sends the identity authentication request message constructed in the step S12 to the externally exposed proxy address of the platform of the Internet of things;
s14, the Internet of things platform acquires a key B' symmetrical to the key B according to the terminal ID and the key serial number Z in the initial identity authentication request message to the sub-password management service system;
s15, the quantum password management service system returns a key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the key B' to obtain a decrypted ciphertext: time-varying parameter + terminal ID + terminal preset password, comparing the decrypted terminal ID with the terminal preset password with the terminal ID stored in the background and the terminal preset password stored in the Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by using CONNACK in the MQTT message, storing the time-varying parameter sent by the terminal, and returning a non-0 message according to the MQTT manual if the verification is unsuccessful;
s2, second identity authentication, comprising the following steps:
s21, the Internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns a chip key W matched with the terminal and a serial number C of the chip key W to the Internet of things platform;
s22, the Internet of things platform constructs an identity authentication request message applied to the terminal: the method comprises the following steps that a key serial number C + a ciphertext (time-varying parameter + platform ID + login token), an encryption algorithm of the ciphertext adopts a two-party agreed algorithm, SM4 can be adopted, the encryption key is a chip key W taken out of S21, the login token is jointly generated by the time-varying parameter stored by terminal first identity authentication and a terminal ID, at the moment, terminal one-way connection is completed, the terminal is in a connection state, an MQTT message system does not have an Internet of things platform to terminal identity authentication mechanism, a PUBLISH is used for building the mechanism, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
s23, the terminal receives an identity authentication request message pushed by the Internet of things platform, a symmetric decryption key of a chip key W corresponding to a key sequence number C is obtained from the security chip according to the key sequence number C in the identity authentication request message, and the security chip returns a decryption key W';
s24, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', decryption verification is carried out through the verification platform ID and the login token, whether the login token is generated by the time-varying parameter and the terminal ID which are sent by the first identity authentication or not is mainly verified, if the verification result is passed, the terminal considers that the platform of the Internet of things is credible, and data can be sent to the platform of the Internet of things.
The embodiment further provides a software module corresponding to the above identity authentication, including:
the first-time identity authentication module and the second-time identity authentication module.
The first identity authentication module comprises:
a terminal key requesting unit: the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
an initial identity authentication request message construction unit: the terminal constructs an initial identity authentication request message according to the content format of the MQTT connection message Connect: the encryption method of the cipher text can be completed by adopting symmetric algorithms such as SM4 and the like, and the encryption key is a key B taken out of the terminal key request unit;
an initial identity authentication request message sending unit: the terminal sends an identity authentication request message constructed by an initial identity authentication request message construction unit to an externally exposed proxy address of the Internet of things platform;
a symmetric key acquisition unit: the Internet of things platform acquires a secret key B' symmetrical to the secret key B according to the terminal ID and the secret key serial number Z in the initial identity authentication request message;
a decryption unit: the quantum password management service system returns a key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the key B' to obtain a decrypted ciphertext: time-varying parameter + terminal ID + terminal preset password, comparing the decrypted terminal ID with the terminal preset password with the terminal ID stored in the background and the terminal preset password stored in the Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by using CONNACK in the MQTT message and storing the time-varying parameter sent by the terminal, and if the verification is unsuccessful, returning a non-0 message according to the MQTT manual;
the second identity authentication module comprises:
a platform key requesting unit: the Internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns a chip key W matched with the terminal and a serial number C of the chip key W to the Internet of things platform;
the second identity authentication request message construction unit: the Internet of things platform constructs an identity authentication request message applied to the terminal: the method comprises the following steps that a key serial number C + a ciphertext (time-varying parameter + platform ID + login token), an encryption algorithm of the ciphertext adopts a two-party agreed algorithm, SM4 can be adopted, the encryption key is a chip key W taken out from a platform key request unit, the login token is generated by the time-varying parameter and a terminal ID which are stored by terminal first identity authentication, at the moment, terminal one-way connection is completed, the terminal is in a connection state, an MQTT message system does not have an Internet of things platform to terminal identity authentication mechanism, a PUBLISH is used for building the mechanism, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
a symmetric key acquisition unit: the terminal receives an identity authentication request message pushed by the Internet of things platform, a symmetric decryption key of a chip key W corresponding to a serial number C is obtained from a security chip according to the key serial number C in the identity authentication request message, and the security chip returns the decryption key W';
a decryption unit: the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification through the verification platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter and the terminal ID which are sent by the first identity authentication, and if the verification platform ID and the login token pass, the terminal considers that the Internet of things platform is credible and can send data to the Internet of things platform.
Example two
The invention provides an identity authentication method for enhancing an MQTT protocol by using a symmetric cryptography technology, which is applied to a terminal of the Internet of things and comprises the following steps of:
identity authentication for the first time:
s31, the terminal acquires the key request in the security chip, and the security chip returns the key B of the chip key serial number Z;
s32, the terminal constructs an initial identity authentication request message according to the content format of the MQTT connection message Connect: the key sequence number Z + the terminal ID + the ciphertext (the time-varying parameter + the terminal ID + the terminal preset password), the encryption mode of the ciphertext can be completed by adopting symmetric algorithms such as SM4, and the encryption key is the key B taken out of S1;
s33, the terminal sends the constructed identity authentication request message to the externally exposed proxy address of the platform of the Internet of things;
s34, the terminal receives a verification success message OX00 returned by the Internet of things platform, and if the verification success message OX00 is not successful, a non-0 message is returned according to the MQTT manual;
and (3) identity authentication for the second time:
s41, the terminal receives an identity authentication request message pushed by the Internet of things platform, a symmetric decryption key of a chip key W corresponding to a key sequence number C is obtained from the security chip according to the key sequence number C in the identity authentication request message, and the security chip returns a decryption key W';
s42, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', decryption verification is carried out through the verification platform ID and the login token, whether the login token is generated by the time-varying parameter and the terminal ID which are sent by the first identity authentication or not is mainly verified, if the verification result is passed, the terminal considers that the platform of the Internet of things is credible, and data can be sent to the platform of the Internet of things.
The embodiment also provides an internet of things terminal, which includes a processor and a computer-readable storage medium, where the computer-readable storage medium is used for storing a computer program, and the processor is used for executing the computer program stored in the computer-readable storage medium, so that the internet of things terminal performs the steps of the first identity authentication and the second identity authentication.
EXAMPLE III
The invention provides an identity authentication method for enhancing an MQTT protocol by using a symmetric cryptographic technique, which is applied to an Internet of things platform, and as shown in figures 8 and 9, the identity authentication method comprises the following steps:
identity authentication for the first time:
s301, the Internet of things platform obtains a secret key B' symmetrical to the secret key B according to a terminal ID and a secret key serial number Z in an initial identity authentication request message sent by the Internet of things terminal;
s302, the Internet of things platform receives a secret key B 'returned by the quantum password management service system, and the Internet of things platform decrypts the initial identity authentication request message by using the secret key B' to obtain a decrypted ciphertext: time-varying parameter + terminal ID + terminal preset password, comparing the decrypted terminal ID with the terminal preset password with the terminal ID stored in the background and the terminal preset password stored in the Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by using CONNACK in the MQTT message, storing the time-varying parameter sent by the terminal, and returning a non-0 message according to the MQTT manual if the verification is unsuccessful;
and (3) identity authentication for the second time:
s401, the Internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns a chip key W matched with the terminal and a serial number C of the chip key W to the Internet of things platform;
s402, the Internet of things platform constructs an identity authentication request message applied to the terminal: the method comprises the steps that a key serial number C + a ciphertext (time-varying parameter + platform ID + login token), the encryption algorithm of the ciphertext adopts a two-party agreed algorithm, SM4 can be adopted, the encryption key is a chip key W taken out of S6, the login token is generated by the time-varying parameter and a terminal ID which are stored in terminal first identity authentication, at the moment, terminal one-way connection is completed, the terminal is in a connection state, an MQTT message system does not have an internet of things platform to terminal identity authentication mechanism, a PUBLISH is used for building the mechanism, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD.
The embodiment also provides an internet of things platform, which includes a processor and a computer-readable storage medium, where the computer-readable storage medium is used for storing a computer program, and the processor is used for executing the computer program stored on the computer-readable storage medium, so that the internet of things platform performs the steps of the first identity authentication and the second identity authentication.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (11)

1. An identity authentication method for enhancing MQTT protocol by using symmetric cryptographic technology is characterized in that: the method comprises the following steps:
s1, first identity authentication: the terminal of the internet of things is connected with the platform of the internet of things: the quantum key charging machine completes charging and storage of a quantum key generated by the quantum random number generator to the quantum secure chip, simultaneously records the corresponding relation between the storage charging secure chip and the key, and the terminal of the internet of things calls the quantum key stored in the built-in integrated or external secure chip to construct an identity authentication request message: the method comprises the steps that a key serial number + a terminal ID + a ciphertext (a time-varying parameter + a terminal ID + a terminal preset password) is sent to an Internet of things platform, the Internet of things platform obtains a key symmetrical to a terminal charging key from a quantum password management service system connected with a quantum exchange password machine according to the terminal ID and the key serial number to decrypt, compares the terminal ID with the terminal preset password in an identity authentication request message, simultaneously saves the time-varying parameter sent by the terminal, generates a login token according to the terminal ID and the time-varying parameter after authentication is successful, returns a verification success message to the terminal, and returns an unsuccessful message if the authentication is unsuccessful;
s2, second identity authentication: the Internet of things platform applies for a charging key matched with the terminal and a corresponding key serial number according to the terminal ID vector sub-password management service system, and starts to construct an identity authentication request message: the method comprises the steps that a key serial number + a cipher text (time-varying parameters + a platform ID + a login token) are combined to generate the login token according to a terminal ID reported by a terminal during first identity authentication and the time-varying parameters, and an identity authentication request message is sent to the terminal; the terminal obtains a key symmetrical to the corresponding charging key according to the key serial number to decrypt the identity authentication request message, verifies the platform ID and the login token, determines that the login token is generated by the Internet of things platform according to the terminal ID and the time-varying parameter during authentication when identity authentication is carried out for the first time, and starts to send the message to the Internet of things platform after the verification is successful.
2. The method for identity authentication using symmetric cryptography to augment MQTT protocol according to claim 1, wherein: a validity period may be set after each authentication.
3. The method for identity authentication using symmetric cryptography to augment MQTT protocol according to claim 1, wherein: s1, first identity authentication, comprising the following steps:
s11, the terminal acquires the key request in the security chip, and the security chip returns the key B of the chip key serial number Z;
s12, the terminal constructs an initial identity authentication request message according to the content format of the MQTT connection message Connect: the key sequence number Z + the terminal ID + the ciphertext (the time-varying parameter + the terminal ID + the terminal preset password), the encryption mode of the ciphertext is completed by adopting a symmetric algorithm, and the encryption key is the key B taken out in S1;
s13, the terminal sends the identity authentication request message constructed in the step S12 to the externally exposed proxy address of the platform of the Internet of things;
s14, the Internet of things platform acquires a key B' symmetrical to the key B according to the terminal ID and the key serial number Z in the initial identity authentication request message to the sub-password management service system;
s15, the quantum password management service system returns a key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the key B' to obtain a decrypted ciphertext: the method comprises the steps of obtaining a time-varying parameter, a terminal ID and a terminal preset password, comparing the decrypted terminal ID with the terminal preset password with a terminal ID stored in a background and a terminal preset password stored in an Internet of things platform in advance, determining the identity of the terminal, returning a verification success message OX00 to the terminal by using CONNACK in an MQTT message, storing the time-varying parameter sent by the terminal, and returning a non-0 message according to an MQTT manual if the verification is unsuccessful.
4. The method for identity authentication using symmetric cryptography to augment MQTT protocol according to claim 1, wherein: s2, second identity authentication, comprising the following steps:
s21, the Internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns a chip key W matched with the terminal and a serial number C of the chip key W to the Internet of things platform;
s22, the Internet of things platform constructs an identity authentication request message applied to the terminal: the method comprises the following steps that a key sequence number C + a ciphertext (time-varying parameter + platform ID + login token), an encryption key of the ciphertext is a chip key W taken out of S21, the login token is generated by the time-varying parameter and the terminal ID stored in the terminal for the first identity authentication, an Internet of things platform is built by PUBLISH to carry out a terminal identity authentication mechanism, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
s23, the terminal receives an identity authentication request message pushed by the Internet of things platform, a symmetric decryption key of a chip key W corresponding to a key sequence number C is obtained from the security chip according to the key sequence number C in the identity authentication request message, and the security chip returns a decryption key W';
s24, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification through the verification platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter and the terminal ID which are sent by the first identity authentication, and if the verification result is passed, the terminal considers that the Internet of things platform is credible, and then can send data to the Internet of things platform.
5. An identity authentication system for enhancing MQTT protocol by using symmetric cryptography is characterized in that: the system comprises the following modules:
the first identity authentication module: the terminal of the internet of things is connected with the platform of the internet of things: the quantum key charging machine completes charging and storage of a quantum key generated by the quantum random number generator to the quantum secure chip, simultaneously records the corresponding relation between the storage charging secure chip and the key, and the terminal of the internet of things calls the quantum key stored in the built-in integrated or external secure chip to construct an identity authentication request message: the method comprises the steps that a key serial number + a terminal ID + a ciphertext (a time-varying parameter + a terminal ID + a terminal preset password) is sent to an Internet of things platform, the Internet of things platform obtains a key symmetrical to a terminal charging key from a quantum password management service system connected with a quantum exchange password machine according to the terminal ID and the key serial number to decrypt, compares the terminal ID with the terminal preset password in an identity authentication request message, simultaneously saves the time-varying parameter sent by the terminal, generates a login token according to the terminal ID and the time-varying parameter after authentication is successful, returns a verification success message to the terminal, and returns an unsuccessful message if the authentication is unsuccessful;
the second identity authentication module: the Internet of things platform applies for a charging key matched with the terminal and a corresponding key serial number according to the terminal ID vector sub-password management service system, and starts to construct an identity authentication request message: the method comprises the steps that a key serial number + a cipher text (time-varying parameters + a platform ID + a login token) are combined to generate the login token according to a terminal ID reported by a terminal during first identity authentication and the time-varying parameters, and an identity authentication request message is sent to the terminal; the terminal obtains a key symmetrical to the corresponding charging key according to the key serial number to decrypt the identity authentication request message, verifies the platform ID and the login token, determines that the login token is generated by the Internet of things platform according to the terminal ID and the time-varying parameter during authentication when identity authentication is carried out for the first time, and starts to send the message to the Internet of things platform after the verification is successful.
6. The system of claim 5 for identity authentication using symmetric cryptography enhanced MQTT protocol, wherein: the first identity authentication module comprises:
a terminal key requesting unit: the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
an initial identity authentication request message construction unit: the terminal constructs an initial identity authentication request message according to the content format of the MQTT connection message Connect: the method comprises the following steps that (1) a key serial number Z + a terminal ID + a ciphertext (a time-varying parameter + the terminal ID + a terminal preset password), a symmetric algorithm is adopted as an encryption mode of the ciphertext, and an encryption key is a key B taken out of a terminal key request unit;
an initial identity authentication request message sending unit: the terminal sends an identity authentication request message constructed by an initial identity authentication request message construction unit to an externally exposed proxy address of the Internet of things platform;
a symmetric key acquisition unit: the Internet of things platform acquires a secret key B' symmetrical to the secret key B according to the terminal ID and the secret key serial number Z in the initial identity authentication request message;
a decryption unit: the quantum password management service system returns a key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the key B' to obtain a decrypted ciphertext: the method comprises the steps of obtaining a time-varying parameter + a terminal ID + a terminal preset password, comparing the decrypted terminal ID with the terminal preset password with a terminal ID stored in a background and a terminal preset password stored in an Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by using CONNACK in an MQTT message and storing the time-varying parameter sent by the terminal, and if the verification is unsuccessful, returning a non-0 message according to an MQTT manual.
7. The system of claim 5 for identity authentication using symmetric cryptography enhanced MQTT protocol, wherein: the second identity authentication module comprises:
a platform key requesting unit: the Internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns a chip key W matched with the terminal and a serial number C of the chip key W to the Internet of things platform;
the second identity authentication request message construction unit: the Internet of things platform constructs an identity authentication request message applied to the terminal: the method comprises the steps that a key sequence number C + a ciphertext (time-varying parameter + platform ID + login token), an encryption key of the ciphertext is a chip key W taken out of a platform key request unit, the login token is generated by the time-varying parameter and the terminal ID stored in the terminal for the first identity authentication, an Internet of things platform is built by PUBLISH to carry out a terminal identity authentication mechanism, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
a symmetric key acquisition unit: the terminal receives an identity authentication request message pushed by the Internet of things platform, a symmetric decryption key of a chip key W corresponding to a serial number C is obtained from a security chip according to the key serial number C in the identity authentication request message, and the security chip returns the decryption key W';
a decryption unit: the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification through the verification platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter and the terminal ID which are sent by the first identity authentication, and if the verification platform ID and the login token pass, the terminal considers that the Internet of things platform is credible and can send data to the Internet of things platform.
8. An identity authentication method for enhancing MQTT protocol by using a symmetric cryptographic technology is applied to a terminal of the Internet of things, and is characterized in that: the method comprises the following steps:
identity authentication for the first time:
s31, the terminal acquires the key request in the security chip, and the security chip returns the key B of the chip key serial number Z;
s32, the terminal constructs an initial identity authentication request message according to the content format of the MQTT connection message Connect: the key sequence number Z + the terminal ID + the ciphertext (the time-varying parameter + the terminal ID + the terminal preset password), the ciphertext is encrypted by adopting a symmetric algorithm, and the encryption key is the key B taken out in S1;
s33, the terminal sends the constructed identity authentication request message to the externally exposed proxy address of the platform of the Internet of things;
s34, the terminal receives a verification success message OX00 returned by the Internet of things platform, and if the verification success message OX00 is not successful, a non-0 message is returned according to the MQTT manual;
and (3) identity authentication for the second time:
s41, the terminal receives an identity authentication request message pushed by the Internet of things platform, a symmetric decryption key of a chip key W corresponding to a key sequence number C is obtained from the security chip according to the key sequence number C in the identity authentication request message, and the security chip returns a decryption key W';
s42, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', decryption verification is carried out through the verification platform ID and the login token, whether the login token is generated by the time-varying parameter and the terminal ID which are sent by the first identity authentication or not is mainly verified, and if the verification result is passed, the terminal considers that the Internet of things platform is credible and can send data to the Internet of things platform.
9. An internet of things terminal comprising a processor and a computer-readable storage medium storing a computer program, the internet of things terminal comprising: the processor is configured to execute the computer program stored on the computer-readable storage medium to cause the terminal of the internet of things to perform the steps of claim 8.
10. An identity authentication method for enhancing an MQTT protocol by using a symmetric cryptographic technology is applied to an Internet of things platform and is characterized in that: the method comprises the following steps:
identity authentication for the first time:
s301, the Internet of things platform obtains a secret key B' symmetrical to the secret key B according to a terminal ID and a secret key serial number Z in an initial identity authentication request message sent by the Internet of things terminal;
s302, the Internet of things platform receives a secret key B 'returned by the quantum password management service system, and the Internet of things platform decrypts the initial identity authentication request message by using the secret key B' to obtain a decrypted ciphertext: time-varying parameter + terminal ID + terminal preset password, comparing the decrypted terminal ID with the terminal preset password with the terminal ID stored in the background and the terminal preset password stored in the Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by using CONNACK in the MQTT message, storing the time-varying parameter sent by the terminal, and returning a non-0 message according to the MQTT manual if the verification is unsuccessful;
and (3) identity authentication for the second time:
s401, the Internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns a chip key W matched with the terminal and a serial number C of the chip key W to the Internet of things platform;
s402, the Internet of things platform constructs an identity authentication request message applied to the terminal: the method comprises the steps that a key sequence number C + a ciphertext (time-varying parameter + platform ID + login token), the encryption algorithm of the ciphertext adopts a two-party agreed algorithm, the encryption key is a chip key W taken out in S6, the login token is generated by the time-varying parameter and the terminal ID which are stored in the terminal for the first identity authentication, an internet of things platform is built by PUBLISH to carry out an identity authentication mechanism on the terminal, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD.
11. An internet of things platform comprising a processor and a computer readable storage medium storing a computer program, the internet of things platform comprising: the processor, when executing the computer program stored on the computer readable storage medium, is configured to cause the internet of things platform to perform the steps of claim 10.
CN202110882439.1A 2021-08-02 2021-08-02 Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology Active CN113612605B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110882439.1A CN113612605B (en) 2021-08-02 2021-08-02 Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110882439.1A CN113612605B (en) 2021-08-02 2021-08-02 Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology

Publications (2)

Publication Number Publication Date
CN113612605A true CN113612605A (en) 2021-11-05
CN113612605B CN113612605B (en) 2023-09-26

Family

ID=78306520

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110882439.1A Active CN113612605B (en) 2021-08-02 2021-08-02 Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology

Country Status (1)

Country Link
CN (1) CN113612605B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095183A (en) * 2022-01-23 2022-02-25 杭州字节信息技术有限公司 Client dual authentication method, terminal equipment and storage medium
CN114095168A (en) * 2021-11-24 2022-02-25 安徽国盾量子云数据技术有限公司 Communication method based on quantum key and encryption communication terminal thereof
CN114170709A (en) * 2021-12-07 2022-03-11 中国建设银行股份有限公司 Money box management method and system based on Internet of things
CN114285890A (en) * 2021-12-10 2022-04-05 西安广和通无线通信有限公司 Cloud platform connection method, device, equipment and storage medium
CN114531238A (en) * 2022-04-24 2022-05-24 中电信量子科技有限公司 Secret key safe filling method and system based on quantum secret key distribution
CN114710299A (en) * 2022-06-07 2022-07-05 杭州雅观科技有限公司 Lightweight authentication method suitable for cloud LED lighting energy-saving system
CN115102710A (en) * 2022-05-06 2022-09-23 广州运通数达科技有限公司 Internet of things equipment secure access method and equipment in digital RMB consumption scene
WO2023141998A1 (en) * 2022-01-28 2023-08-03 Oppo广东移动通信有限公司 Device authentication method and apparatus, and device, storage medium and program product
CN117395001A (en) * 2023-12-11 2024-01-12 合肥工业大学 Internet of vehicles secure communication method and system based on quantum key chip
CN117579276A (en) * 2024-01-16 2024-02-20 浙江国盾量子电力科技有限公司 Quantum encryption method for feeder terminal and quantum board card module

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170272944A1 (en) * 2016-03-17 2017-09-21 M2MD Technologies, Inc. Method and system for managing security keys for user and M2M devices in a wireless communication network environment
CN107846447A (en) * 2017-09-21 2018-03-27 烽火通信科技股份有限公司 A kind of method of the home terminal access message-oriented middleware based on MQTT agreements
CN111314366A (en) * 2020-02-25 2020-06-19 广州致远电子有限公司 MQTT protocol-based secure login system and method
US20200280436A1 (en) * 2019-03-01 2020-09-03 John A. Nix Public key exchange with authenticated ecdhe and security against quantum computers
CN112532671A (en) * 2019-09-19 2021-03-19 阿里巴巴集团控股有限公司 Acquisition method, configuration method, edge computing cluster and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170272944A1 (en) * 2016-03-17 2017-09-21 M2MD Technologies, Inc. Method and system for managing security keys for user and M2M devices in a wireless communication network environment
CN107846447A (en) * 2017-09-21 2018-03-27 烽火通信科技股份有限公司 A kind of method of the home terminal access message-oriented middleware based on MQTT agreements
US20200280436A1 (en) * 2019-03-01 2020-09-03 John A. Nix Public key exchange with authenticated ecdhe and security against quantum computers
CN112532671A (en) * 2019-09-19 2021-03-19 阿里巴巴集团控股有限公司 Acquisition method, configuration method, edge computing cluster and device
CN111314366A (en) * 2020-02-25 2020-06-19 广州致远电子有限公司 MQTT protocol-based secure login system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
原磊;: "量子密钥数字证书系统及其应用", 信息安全研究, no. 06 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095168B (en) * 2021-11-24 2024-02-23 安徽国盾量子云数据技术有限公司 Communication method based on quantum key and encrypted communication terminal thereof
CN114095168A (en) * 2021-11-24 2022-02-25 安徽国盾量子云数据技术有限公司 Communication method based on quantum key and encryption communication terminal thereof
CN114170709A (en) * 2021-12-07 2022-03-11 中国建设银行股份有限公司 Money box management method and system based on Internet of things
CN114285890A (en) * 2021-12-10 2022-04-05 西安广和通无线通信有限公司 Cloud platform connection method, device, equipment and storage medium
CN114285890B (en) * 2021-12-10 2024-03-15 西安广和通无线通信有限公司 Cloud platform connection method, device, equipment and storage medium
CN114095183A (en) * 2022-01-23 2022-02-25 杭州字节信息技术有限公司 Client dual authentication method, terminal equipment and storage medium
WO2023141998A1 (en) * 2022-01-28 2023-08-03 Oppo广东移动通信有限公司 Device authentication method and apparatus, and device, storage medium and program product
CN114531238A (en) * 2022-04-24 2022-05-24 中电信量子科技有限公司 Secret key safe filling method and system based on quantum secret key distribution
CN115102710A (en) * 2022-05-06 2022-09-23 广州运通数达科技有限公司 Internet of things equipment secure access method and equipment in digital RMB consumption scene
CN114710299A (en) * 2022-06-07 2022-07-05 杭州雅观科技有限公司 Lightweight authentication method suitable for cloud LED lighting energy-saving system
CN117395001B (en) * 2023-12-11 2024-02-20 合肥工业大学 Internet of vehicles secure communication method and system based on quantum key chip
CN117395001A (en) * 2023-12-11 2024-01-12 合肥工业大学 Internet of vehicles secure communication method and system based on quantum key chip
CN117579276A (en) * 2024-01-16 2024-02-20 浙江国盾量子电力科技有限公司 Quantum encryption method for feeder terminal and quantum board card module
CN117579276B (en) * 2024-01-16 2024-03-29 浙江国盾量子电力科技有限公司 Quantum encryption method for feeder terminal and quantum board card module

Also Published As

Publication number Publication date
CN113612605B (en) 2023-09-26

Similar Documents

Publication Publication Date Title
CN113612605B (en) Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology
JP7119040B2 (en) Data transmission method, device and system
US10243742B2 (en) Method and system for accessing a device by a user
CN110380852B (en) Bidirectional authentication method and communication system
CN108599925B (en) Improved AKA identity authentication system and method based on quantum communication network
KR102124413B1 (en) System and method for identity based key management
CN113630407B (en) Method and system for enhancing transmission security of MQTT protocol by using symmetric cryptographic technology
CN101978650B (en) A system and method of secure network authentication
US8527762B2 (en) Method for realizing an authentication center and an authentication system thereof
CN104506534A (en) Safety communication secret key negotiation interaction scheme
CN103763631A (en) Authentication method, server and television
CN111756529B (en) Quantum session key distribution method and system
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN113285803B (en) Mail transmission system and transmission method based on quantum security key
CN113079022B (en) Secure transmission method and system based on SM2 key negotiation mechanism
CN112637136A (en) Encrypted communication method and system
CN109981292B (en) SM9 algorithm-based authentication method, device and system
CN113452687B (en) Method and system for encrypting sent mail based on quantum security key
CN108259486B (en) End-to-end key exchange method based on certificate
CN107104888B (en) Safe instant messaging method
KR100456624B1 (en) Authentication and key agreement scheme for mobile network
CN113438074B (en) Decryption method of received mail based on quantum security key
CN116233832A (en) Verification information sending method and device
CN112822015B (en) Information transmission method and related device
CN114928503A (en) Method for realizing secure channel and data transmission method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant