CN113612605B - Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology - Google Patents

Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology Download PDF

Info

Publication number
CN113612605B
CN113612605B CN202110882439.1A CN202110882439A CN113612605B CN 113612605 B CN113612605 B CN 113612605B CN 202110882439 A CN202110882439 A CN 202110882439A CN 113612605 B CN113612605 B CN 113612605B
Authority
CN
China
Prior art keywords
terminal
key
identity authentication
internet
request message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110882439.1A
Other languages
Chinese (zh)
Other versions
CN113612605A (en
Inventor
王丙磊
胡缙
王建礼
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Quantum Technology Co ltd
Original Assignee
China Telecom Quantum Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Quantum Technology Co ltd filed Critical China Telecom Quantum Technology Co ltd
Priority to CN202110882439.1A priority Critical patent/CN113612605B/en
Publication of CN113612605A publication Critical patent/CN113612605A/en
Application granted granted Critical
Publication of CN113612605B publication Critical patent/CN113612605B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Abstract

The invention provides a method for enhancing MQTT protocol identity authentication by using symmetric cryptography, which comprises the following steps: first identity authentication: internet of things terminal to Internet of things platform: the quantum key filling machine fills the quantum key into the quantum security chip, records and stores the corresponding relation between the filling security chip and the key, the internet of things terminal invokes the quantum key in the chip for constructing an identity authentication request message to the internet of things platform, the internet of things platform obtains symmetry for decryption, compares identities, generates a login token after authentication is successful, and returns an authentication message to the terminal; and (3) second identity authentication: the internet of things platform applies for a secret key according to the terminal ID and constructs an identity authentication request message to the terminal; the terminal decrypts and verifies the platform ID and the login token. The invention also provides a system and equipment corresponding to the method. The invention has the advantages that: the identity authentication is carried out by using a symmetric algorithm of a key set in the quantum security chip, one-time encryption is carried out, a third party is not required to issue and authenticate a digital certificate, and the security is improved.

Description

Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology
Technical Field
The invention belongs to the technical field of security application products, and particularly relates to a method for enhancing MQTT protocol identity authentication by using a symmetric cryptographic technology.
Background
The MQTT (Message Queuing Telemetry Transport, message queue telemetry transport) protocol is a publish/subscribe mode based communication protocol that builds on the TCP/IP (Transmission Control Protocol/Internet Protocol ) protocol. The MQTT can provide real-time reliable message service to connected terminals with less codes and limited bandwidth.
In the MQTT protocol, a server (which may be referred to as an MQTT server) needs to authenticate an accessed terminal (which may be referred to as an MQTT terminal). After successful authentication, the MQTT terminal publishes or subscribes to the message through the MQTT server. In order to improve the security of data transmission in the authentication process, the prior art generally adopts TLS (Transport Layer Security, secure transport layer) protocol for authentication. Before authentication, the MQTT terminal and the MQTT server need to apply for the respective certificates and import the certificates into their own devices. TLS protocol authentication tool
The body process comprises the following steps: the MQTT terminal sends negotiation information to the MQTT server, the negotiation information comprises an encryption algorithm candidate list, a compression algorithm candidate list and the like, the MQTT server determines target negotiation information (such as an encryption algorithm and a compression algorithm which need to be used) which needs to be used from the received negotiation information, then sends a certificate of the MQTT server and the target negotiation information to the MQTT terminal, and informs the MQTT terminal of providing the certificate. The MQTT terminal verifies the certificate of the MQTT server, and after the verification is passed, the certificate of the MQTT terminal can be sent to the MQTT server. And the MQTT server verifies the certificate of the MQTT terminal, and after the verification is passed, the authentication of the MQTT terminal is judged to be successful. After authentication is completed, the MQTT terminal and the MQTT server can transmit service data according to the target negotiation information.
However, when authentication is performed, both the MQTT terminal and the MQTT server need to apply for certificates, introduce the certificates into their own devices, and manage the imported certificates, which increases the processing complexity of the MQTT terminal and the MQTT server in the authentication process.
In order to solve the above problems, the patent application with publication number CN108599939a discloses an authentication method, which can be applied to an MQTT terminal for message queue telemetry transmission, wherein the MQTT terminal can send an authentication request to an MQTT server, obtain an authentication character string according to a prestored private key and an encrypted character string sent by the MQTT server, and send the authentication character string to the MQTT server. The MQTT server applying the authentication method can encrypt the acquired random character string according to the public key corresponding to the MQTT terminal to obtain an encrypted character string, and send the encrypted character string to the MQTT terminal, and then can obtain the authentication result of the MQTT terminal according to the random character string and the received authentication character string. Based on the processing, the MQTT terminal and the MQTT server can realize the authentication of the MQTT terminal without the operations of applying, importing and managing certificates, and the processing complexity of the MQTT terminal and the MQTT server in the authentication process can be reduced.
In the prior art, the MQTT protocol is required to rely on a public-private key system to establish a channel so as to realize an identity authentication function based on the protocol, and the prior scheme cannot resist the influence of the attack on the safety of the Internet of things equipment under the increasingly severe environment of network attack.
Disclosure of Invention
The technical problem to be solved by the invention is how to realize secure MQTT protocol identity authentication so as to resist the situation that increasingly severe Internet equipment is attacked.
The invention solves the technical problems by the following technical means: a method for enhancing MQTT protocol identity authentication by using symmetric cryptography includes the following steps:
s1, first identity authentication: internet of things terminal to Internet of things platform: the quantum key filling machine completes filling and storing of the quantum key generated by the quantum random number generator to the quantum security chip, simultaneously records and stores the corresponding relation between the filling security chip and the key, and the internet of things terminal calls the quantum key stored in the internal integrated or external security chip to be used for constructing an identity authentication request message: the method comprises the steps that a secret key serial number, a terminal ID and a ciphertext (time-varying parameter, terminal ID and a terminal preset password) are transmitted to an Internet of things platform, the Internet of things platform obtains a secret key symmetrical to a terminal filling secret key from a quantum password management service system connected with a quantum exchange password machine according to the terminal ID and the secret key serial number, decrypts, compares the terminal ID and the terminal preset password in an identity authentication request message, simultaneously stores a time-varying parameter transmitted by the terminal, generates a login token according to the terminal ID and the time-varying parameter after authentication is successful, returns a verification success message to the terminal, and returns an unsuccessful message if the authentication success message is unsuccessful;
S2, second identity authentication: the internet of things platform applies for a charging key matched with the terminal and a corresponding key serial number according to the terminal ID vector sub-password management service system, and starts to construct an identity authentication request message: the key serial number + ciphertext (time-varying parameter + platform ID + login token), login token combine to produce according to terminal ID and time-varying parameter that the terminal station reports at the time of first identity authentication, and send the identity authentication request message to the terminal station; the terminal obtains a key symmetrical to the corresponding filling key according to the key serial number, decrypts the identity authentication request message, verifies the platform ID and the login token, determines that the login token is generated by the Internet of things platform according to the terminal ID and the time-varying parameter during authentication when the first identity authentication is performed, and starts to send the message to the Internet of things platform after the verification is successful.
As a further optimized technical scheme, a validity period can be set after each authentication is finished.
As a further technical solution for the optimization,
s1, performing first identity authentication, including the following steps:
s11, the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
s12, the terminal constructs an initial identity authentication request message according to the MQTT connection message Connect content format: the encryption mode of the cipher text is completed by adopting a symmetric algorithm, and the encryption key is a key B taken out from S1;
S13, the terminal sends the identity authentication request message constructed in the step S12 to the proxy address exposed to the outside of the Internet of things platform;
s14, the internet of things platform acquires a secret key B' symmetrical to the secret key B according to the terminal ID and the secret key serial number Z vector sub-password management service system in the initial identity authentication request message;
s15, the quantum cryptography management service system returns a secret key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the secret key B' to obtain a decrypted ciphertext: the method comprises the steps of carrying out time-varying parameter, terminal ID and terminal preset password, comparing the decrypted terminal ID with the terminal preset password, storing the terminal ID in the background and the terminal preset password stored in the internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by utilizing CONNACK in the MQTT message, storing the time-varying parameter sent by the terminal, and returning a non-0 message according to the MQTT manual if the time-varying parameter is unsuccessful.
As a further technical solution for the optimization,
s2, performing second identity authentication, including the following steps:
s21, the internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns the chip key W matched with the terminal and a serial number C of the chip key W to the internet of things platform;
S22, the platform of the Internet of things constructs an identity authentication request message applied to the terminal: the key serial number C+ ciphertext (time-varying parameter+platform ID+login token), wherein the encryption key of the ciphertext is a chip key W extracted in S21, the login token is jointly generated by the time-varying parameter saved by the terminal for the first time of identity authentication and the terminal ID, the PUBLISH is used for building an internet of things platform to carry out the terminal identity authentication mechanism, a second time of identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
s23, the terminal receives an identity authentication request message pushed by the Internet of things platform, acquires a symmetric decryption key of a chip key W corresponding to the sequence number C from the security chip according to the sequence number C of the key in the identity authentication request message, and returns the decryption key W';
s24, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification on the login token through the verification platform ID, mainly verifies whether the login token is generated together with the time-varying parameter sent by the first identity authentication and the terminal ID, and if the login token passes, the terminal considers that the Internet of things platform is credible, and can send data to the Internet of things platform.
The invention also provides a system for enhancing the MQTT protocol identity authentication by using the symmetric cryptography, which comprises the following modules:
The first identity authentication module: internet of things terminal to Internet of things platform: the quantum key filling machine completes filling and storing of the quantum key generated by the quantum random number generator to the quantum security chip, simultaneously records and stores the corresponding relation between the filling security chip and the key, and the internet of things terminal calls the quantum key stored in the internal integrated or external security chip to be used for constructing an identity authentication request message: the method comprises the steps that a secret key serial number, a terminal ID and a ciphertext (time-varying parameter, terminal ID and a terminal preset password) are transmitted to an Internet of things platform, the Internet of things platform obtains a secret key symmetrical to a terminal filling secret key from a quantum password management service system connected with a quantum exchange password machine according to the terminal ID and the secret key serial number, decrypts, compares the terminal ID and the terminal preset password in an identity authentication request message, simultaneously stores a time-varying parameter transmitted by the terminal, generates a login token according to the terminal ID and the time-varying parameter after authentication is successful, returns a verification success message to the terminal, and returns an unsuccessful message if the authentication success message is unsuccessful;
and a second identity authentication module: the internet of things platform applies for a charging key matched with the terminal and a corresponding key serial number according to the terminal ID vector sub-password management service system, and starts to construct an identity authentication request message: the key serial number + ciphertext (time-varying parameter + platform ID + login token), login token combine to produce according to terminal ID and time-varying parameter that the terminal station reports at the time of first identity authentication, and send the identity authentication request message to the terminal station; the terminal obtains a key symmetrical to the corresponding filling key according to the key serial number, decrypts the identity authentication request message, verifies the platform ID and the login token, determines that the login token is generated by the Internet of things platform according to the terminal ID and the time-varying parameter during authentication when the first identity authentication is performed, and starts to send the message to the Internet of things platform after the verification is successful.
As a further optimized technical solution, the first identity authentication module includes:
terminal key requesting unit: the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
an initial identity authentication request message construction unit: the terminal constructs an initial identity authentication request message according to the MQTT connection message Connect content format: the encryption mode of the cipher text adopts a symmetric algorithm, and the encryption key is a key B taken out from a terminal key request unit;
an initial authentication request message transmitting unit: the terminal sends an identity authentication request message constructed by an initial identity authentication request message construction unit to an externally exposed proxy address of the internet of things platform;
symmetric key acquisition unit: the internet of things platform obtains a secret key B' symmetrical to the secret key B according to the terminal ID and the secret key serial number Z vector sub-password management service system in the initial identity authentication request message;
decryption unit: the quantum cryptography management service system returns a key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the key B' to obtain decrypted ciphertext: the method comprises the steps of determining the identity of a terminal by comparing a time-varying parameter, a terminal ID and a terminal preset password, comparing the decrypted terminal ID with the terminal preset password stored in the background and the terminal preset password stored in the Internet of things platform in advance, simultaneously returning a verification success message OX00 to the terminal by utilizing CONNACK in an MQTT message, storing the time-varying parameter sent by the terminal, and returning a non-0 message according to the MQTT manual if the verification success message OX00 is unsuccessful.
As a further optimized technical solution, the second identity authentication module includes:
platform key request unit: the method comprises the steps that an internet of things platform obtains a chip key matched with a terminal from a quantum password management service system according to a terminal ID, and the quantum password management service system returns the chip key W matched with the terminal and a serial number C of the chip key W to the internet of things platform;
the second authentication request message construction unit: the internet of things platform constructs an identity authentication request message applied to a terminal: the encryption key of the cipher text is a chip key W taken out of a platform key request unit, the login token is jointly generated by a time-varying parameter saved by the terminal for the first time identity authentication and a terminal ID, a PUBLISH is used for building an internet of things platform to terminal identity authentication mechanism, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
symmetric key acquisition unit: the terminal receives an identity authentication request message pushed by the Internet of things platform, acquires a symmetric decryption key of a chip key W corresponding to the sequence number C from the security chip according to the sequence number C of the key in the identity authentication request message, and returns the decryption key W';
Decryption unit: the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification through the verification platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter sent by the first identity authentication and the terminal ID together, and if the login token passes, the terminal considers that the Internet of things platform is trusted and can send data to the Internet of things platform.
The invention also provides a system for enhancing the MQTT protocol identity authentication by using the symmetric cryptographic technology, which is applied to the terminal of the Internet of things and comprises the following steps:
first identity authentication:
s31, the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
s32, the terminal constructs an initial identity authentication request message according to the MQTT connection message Connect content format: the encryption mode of the cipher text adopts a symmetric algorithm, and the encryption key is a key B taken out from S1;
s33, the terminal sends a constructed identity authentication request message to the proxy address exposed to the outside of the Internet of things platform;
s34, the terminal receives the verification success message OX00 returned by the Internet of things platform, and if the verification success message OX00 is unsuccessful, a non-0 message is returned according to the MQTT manual;
And (3) second identity authentication:
s41, the terminal receives an identity authentication request message pushed by the Internet of things platform, acquires a symmetric decryption key of a chip key W corresponding to the sequence number C from the security chip according to the sequence number C of the key in the identity authentication request message, and returns the decryption key W';
s42, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification on the authentication platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter sent by the first identity authentication and the terminal ID together, and if the authentication is passed, the terminal considers that the Internet of things platform is credible and can send data to the Internet of things platform.
The invention also provides an internet of things terminal comprising a processor and a computer readable storage medium, the computer readable storage medium storing a computer program, the processor being adapted to cause the internet of things terminal to perform the steps of claim 8 when executing the computer program stored on the computer readable storage medium.
The invention also provides a method for enhancing the MQTT protocol identity authentication by using the symmetric cryptographic technology, which is applied to the platform of the Internet of things and comprises the following steps:
first identity authentication:
S301, the internet of things platform acquires a secret key B' symmetrical to the secret key B according to a terminal ID and a secret key serial number Z vector sub-password management service system in an initial identity authentication request message sent by an internet of things terminal;
s302, the internet of things platform receives a secret key B 'returned by the quantum password management service system, and decrypts the initial identity authentication request message by using the secret key B' to obtain a decrypted ciphertext: the method comprises the steps of (1) time-varying parameters+terminal ID+terminal preset passwords, comparing the decrypted terminal ID with the terminal preset passwords stored in the background and the terminal preset passwords stored in the Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by utilizing CONNACK in an MQTT message, storing the time-varying parameters sent by the terminal, and returning a non-0 message according to the MQTT manual if the time-varying parameters are unsuccessful;
and (3) second identity authentication:
s401, the internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns the chip key W matched with the terminal and a serial number C of the chip key W to the internet of things platform;
s402, the platform of the Internet of things constructs an identity authentication request message applied to the terminal: the encryption algorithm of the secret key sequence number C+ ciphertext (time-varying parameter+platform ID+login token) adopts a two-party agreement algorithm, the encryption key is a chip secret key W taken out in S6, the login token is jointly generated by the time-varying parameter saved by the terminal for the first time and the terminal ID, the PUBLISH is used for building an Internet of things platform for terminal identity authentication mechanism, a second time identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD.
The invention also provides an internet of things platform, comprising a processor and a computer readable storage medium, wherein the computer readable storage medium is used for storing a computer program, and the processor is used for enabling the internet of things platform to execute the steps of claim 10 when executing the computer program stored on the computer readable storage medium.
The invention has the advantages that:
(1) The problem of network attack increasingly severe environment influences safety of the Internet of things equipment and identity authentication of the Internet of things terminal equipment is solved: and (3) carrying out identity authentication by using a symmetric algorithm of a built-in key set of the quantum security chip, and authenticating one key at a time.
(2) Based on this scheme, the security performance of authentication promotes greatly: a. the security threat brought by a future quantum computer and a quantum algorithm is prevented; (1) the public key cryptographic algorithm based on the large factor decomposition problem is prevented from being deciphered: the quantum symmetric key cannot be decoded by large factorization; (2) the security threat brought by the quantum computer in the future is prevented: the quantum security password is used for encryption transmission, and the method is completely safe and credible in theory; (3) the threat of a quantum algorithm possibly appearing in the future to an existing password system is prevented: the quantum security cipher is used for encryption transmission, and the quantum security key is a true random number generated by a quantum random number generator and cannot be deciphered by an algorithm.
(3) Third party issuance and authentication without digital certificates: (1) and a certification mode without certificates is provided, so that participation of a third party is reduced: the entity authentication protocol based on SM4 is used for entity authentication of both users, and a third party issuing a certificate is not needed. The participants of the process are reduced, and the risk of the three-party agreement is reduced.
(4) The development technology is easy to realize: the quantum security chip is a feasible technology, the security authentication based on the quantum symmetric key is also a technology which can be realized, the mail encryption password used for encrypting the mail can be generated by using a quantum random number, the technology is mature, and the security is high.
(5) The universality is strong, and the ductility is good: the invention has few places for modifying the internet of things platform, mainly improves the safety by adding the quantum key service system, and has strong universality. The invention can be integrated on a quantum cryptography management service system, and has good ductility and provides a functional interface to the outside.
(6) The network security capability is remarkably improved: the invention can defend against the existing attack mode and possible quantum computing threat in the future, and can greatly reduce the economic loss caused by information leakage.
(7) The terminal security capability is obviously upgraded: the invention can greatly enhance the safety of the terminal, and according to the current two hundred million terminals, the terminal has clear requirements for metering terminals such as ammeter, water meter and the like and very high fields in the safety field. The transformation cost of the single sheet is estimated to be 25 yuan at present, the permeability is about 10% according to the number of two hundred million terminals of the antenna, and the market expectation of 2.5 hundred million can be supported in the future.
(8) The reconstruction cost is low: the invention can be modified on the existing system, the platform side can be directly connected with the management platform, the equipment side can be connected with the management platform by adopting an integrated SIM card or a safety module, and the modification cost is low.
Drawings
FIG. 1 is a general flow diagram of a method for enhancing MQTT protocol identity authentication using symmetric cryptography in accordance with an embodiment of the present invention;
FIG. 2 is a system diagram of a method for enhancing MQTT protocol identity authentication using symmetric cryptography employing an embodiment of the present invention;
FIG. 3 is a timing diagram of an enhanced MQTT protocol transport identity authentication employing symmetric cryptography in accordance with an embodiment of the present invention;
FIG. 4 is a detailed flow chart of the first authentication in the first embodiment;
FIG. 5 is a detailed flowchart of the second authentication in the first embodiment;
FIG. 6 is a detailed flow chart of the first authentication in the second embodiment;
FIG. 7 is a detailed flow chart of the second authentication in the second embodiment;
FIG. 8 is a detailed flow chart of the first authentication in the third embodiment;
fig. 9 is a detailed flowchart of the second authentication in the third embodiment.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
The invention provides an MQTT protocol identity authentication method enhanced by using a symmetric cryptographic technology, which is applied to an identity authentication system.
The terminal of the Internet of things can be a publisher in the MQTT protocol or a subscriber in the MQTT protocol. The internet of things platform may be an agent in the MQTT protocol. In the process that the internet of things terminal is connected to the internet of things platform, the internet of things platform needs to authenticate the internet of things terminal, if authentication is passed, the internet of things terminal can carry out service data transmission with the internet of things platform, for example, the internet of things terminal can issue messages through the internet of things platform, and also can subscribe messages issued by other internet of things terminals through the internet of things platform. The symmetric cryptography-based enhanced MQTT protocol identity authentication is used in the process that the terminal of the Internet of things accesses the platform of the Internet of things.
A quantum random number generator for generating a quantum key;
the quantum exchange cipher machine is used for receiving the quantum key sent by the quantum random number generator and providing key service, the key is prestored in the quantum exchange cipher machine, and the key is a key which is generated by the quantum random number generator and is stored in the quantum exchange cipher machine, and the key in the quantum exchange cipher machine and the key in the quantum security chip are symmetric keys;
The quantum key filling machine is connected with the output end of the quantum exchange cipher machine and is used for filling the quantum key;
the quantum cipher management service system realizes data interaction with the internet of things platform through a network, and is directly connected with the quantum cipher switch and used for providing a key distribution function based on the identity of the security chip.
The terminal of the Internet of things is equipment for connecting the sensing network layer and the transmission network layer in the Internet of things to collect data and send the data to the network layer. It is responsible for various functions such as data acquisition, preliminary processing, encryption, transmission, etc. The terminal can be adapted to the integration of the quantum security chip in the form of a SIM card U disk.
The quantum security chip can be in the forms of a SIM card, a USB flash disk and the like, stores quantum security keys and has the principle that: the quantum security chip is initialized (pre-filled with passwords) before being used, the quantum security chip is filled with quantum security keys through a quantum key filling machine, and the keys filled with each quantum security chip and the preset keys in the quantum exchange passwords are symmetric keys (namely keys in one-to-one correspondence). Each quantum security chip has own serial number, and each quantum key has own serial number, so that a corresponding key can be found in the quantum exchange cipher machine as long as the serial number of the quantum security chip and the serial number of the quantum key are provided, and the corresponding key is built in or externally connected to the Internet of things equipment or an equipment module of the Internet of things equipment.
The internet of things platform provides functions of authentication, authentication and equipment data access of the internet of things terminal equipment based on the MQTT protocol, can complete the acquisition function of a key corresponding to the terminal integrated security chip through interaction with the key management service platform, and can complete the encryption and decryption functions of terminal identity authentication and uplink and downlink messages according to the key stored in the terminal.
The identity authentication refers to entity authentication between the terminal of the Internet of things and the platform of the Internet of things by using a built-in key of the quantum security chip. The authentication mode adopts the specification of 'GB_T 15843.2 entity authentication protocol mechanism three-two-time transfer authentication of two-way authentication'.
As shown in fig. 1 and 2, the MQTT protocol identity authentication method enhanced using symmetric cryptography includes the steps of:
s1, first identity authentication: internet of things terminal to Internet of things platform: the quantum key filling machine is used for filling and storing the quantum key generated by the quantum random number generator into the quantum security chip, and simultaneously recording and storing the corresponding relation between the filling security chip and the key. The terminal of the internet of things calls a quantum key stored in an internal integrated or external security chip to be used for constructing an identity authentication request message, and sends the identity authentication request message according to the authentication protocol GB_T 15843.2 requirement: the method comprises the steps that a secret key serial number, a terminal ID and a ciphertext (time-varying parameter, terminal ID and terminal preset password) are transmitted to an Internet of things platform, the terminal ID is a unique identity mark distributed to a terminal by the Internet of things platform, the Internet of things platform obtains a secret key symmetrical to a terminal filling secret key from a quantum password management service system connected with a quantum exchange password machine according to the terminal ID and the secret key serial number, decrypts the secret key, compares the terminal ID and the terminal preset password in an identity authentication request message, simultaneously stores the time-varying parameter transmitted by the terminal, generates a login token according to the terminal ID and the time-varying parameter after authentication is successful, and returns a verification success message OX00 to the terminal by using CONNACK of an MQTT, if not successful, returns a non-0 message according to an MQTT manual, wherein the terminal preset password refers to the pre-distribution of the Internet of things platform, and the password for user registration is generally burnt in the system at the terminal of the Internet of things, and is basically put into the system at the equipment manufacturing stage;
S2, second identity authentication: the internet of things platform applies for a filling key matched with the terminal and a corresponding key serial number according to the terminal ID vector sub-password management service system, and starts to construct an identity authentication request message, and since no terminal-to-internet of things platform identity message mechanism exists in the MQTT message, the first subscription subject after all terminals log in is internet of things platform identity authentication by utilizing a PUBLISH message mechanism, and the identity authentication request message is constructed according to the GB_T 15843.2 requirement: secret key serial number + ciphertext (time-varying parameter + platform ID + login token), ciphertext adopt SM4 algorithm, login token according to terminal ID and time-varying parameter combination generation that terminal report when authenticating for the first time, and send the identity authentication request message to the terminal; the terminal obtains a key symmetrical to the corresponding filling key according to the key serial number, decrypts the identity authentication request message, verifies the platform ID and the login token, determines that the login token is generated by the Internet of things platform according to the terminal ID and the time-varying parameter during authentication when the first identity authentication is performed, and starts to send the message to the Internet of things platform after the verification is successful.
In order to simplify the authentication time, an expiration date may be set after each authentication end, for example, the expiration date is 3 days or 1 day, and it is not necessary to authenticate each time a message is sent.
As shown in the architecture diagram of fig. 2, the quantum cryptography management service system charges the key into the internet of things terminal, the internet of things terminal is integrated with the security chip, the internet of things terminal and the internet of things platform perform information interaction, the interaction information is based on identity authentication of the charged key and encryption of uplink and downlink messages, and the internet of things platform and the quantum cryptography management service system perform information interaction of equipment key acquisition.
As shown in fig. 3 to 5, the detailed procedure of identity authentication is as follows:
s1, performing first identity authentication, including the following steps:
s11, the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
s12, the terminal constructs an initial identity authentication request message according to the MQTT connection message Connect content format: the encryption mode of the cipher text can be completed by adopting symmetric algorithms such as SM4 and the like, and the encryption key is a key B taken out from S1;
s13, the terminal sends the identity authentication request message constructed in the step S12 to the proxy address exposed to the outside of the Internet of things platform;
s14, the internet of things platform acquires a secret key B' symmetrical to the secret key B according to the terminal ID and the secret key serial number Z vector sub-password management service system in the initial identity authentication request message;
S15, the quantum cryptography management service system returns a secret key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the secret key B' to obtain a decrypted ciphertext: the method comprises the steps of (1) time-varying parameters+terminal ID+terminal preset passwords, comparing the decrypted terminal ID with the terminal preset passwords stored in the background and the terminal preset passwords stored in the Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by utilizing CONNACK in an MQTT message, storing the time-varying parameters sent by the terminal, and returning a non-0 message according to the MQTT manual if the time-varying parameters are unsuccessful;
s2, performing second identity authentication, including the following steps:
s21, the internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns the chip key W matched with the terminal and a serial number C of the chip key W to the internet of things platform;
s22, the platform of the Internet of things constructs an identity authentication request message applied to the terminal: the encryption algorithm of the cipher text adopts a double-party agreement algorithm, SM4 can be adopted, the encryption key is a chip key W taken out in S21, the login token is jointly generated by a time-varying parameter saved by the terminal for the first time of identity authentication and a terminal ID, the terminal is connected in a one-way mode, the MQTT message system has no mechanism for the identity authentication of the terminal by the Internet of things platform, the mechanism is adopted by PUBLISH, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
S23, the terminal receives an identity authentication request message pushed by the Internet of things platform, acquires a symmetric decryption key of a chip key W corresponding to the sequence number C from the security chip according to the sequence number C of the key in the identity authentication request message, and returns the decryption key W';
s24, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification on the authentication platform ID and the login token, mainly verifies whether the login token is generated together with the time-varying parameter sent by the first identity authentication and the terminal ID, and if the authentication is passed, the terminal considers that the Internet of things platform is trusted, and can send data to the Internet of things platform.
The embodiment also provides a software module corresponding to the identity authentication, which comprises:
a first authentication module and a second authentication module.
The first identity authentication module comprises:
terminal key requesting unit: the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
an initial identity authentication request message construction unit: the terminal constructs an initial identity authentication request message according to the MQTT connection message Connect content format: the encryption mode of the cipher text can be completed by adopting symmetric algorithms such as SM4 and the like, and the encryption key is a key B taken out from a terminal key request unit;
An initial authentication request message transmitting unit: the terminal sends an identity authentication request message constructed by an initial identity authentication request message construction unit to an externally exposed proxy address of the internet of things platform;
symmetric key acquisition unit: the internet of things platform obtains a secret key B' symmetrical to the secret key B according to the terminal ID and the secret key serial number Z vector sub-password management service system in the initial identity authentication request message;
decryption unit: the quantum cryptography management service system returns a key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the key B' to obtain decrypted ciphertext: the method comprises the steps of (1) time-varying parameters+terminal ID+terminal preset passwords, comparing the decrypted terminal ID with the terminal preset passwords stored in the background and the terminal preset passwords stored in the Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by utilizing CONNACK in an MQTT message, storing the time-varying parameters sent by the terminal, and returning a non-0 message according to the MQTT manual if the verification success message OX00 is unsuccessful;
the second identity authentication module comprises:
platform key request unit: the method comprises the steps that an internet of things platform obtains a chip key matched with a terminal from a quantum password management service system according to a terminal ID, and the quantum password management service system returns the chip key W matched with the terminal and a serial number C of the chip key W to the internet of things platform;
The second authentication request message construction unit: the internet of things platform constructs an identity authentication request message applied to a terminal: the encryption algorithm of the cipher text adopts a double-party agreement algorithm, SM4 can be adopted, the encryption key is a chip key W taken out from a platform key request unit, the login token is jointly generated by a time-varying parameter saved by the terminal for the first time identity authentication and a terminal ID, at the moment, the terminal is in a connected state, an MQTT message system does not have a mechanism for authenticating the terminal by an Internet of things platform, the mechanism is adopted by PUBLISH, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
symmetric key acquisition unit: the terminal receives an identity authentication request message pushed by the Internet of things platform, acquires a symmetric decryption key of a chip key W corresponding to the sequence number C from the security chip according to the sequence number C of the key in the identity authentication request message, and returns the decryption key W';
decryption unit: the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification through the verification platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter sent by the first identity authentication and the terminal ID together, and if the login token passes, the terminal considers that the Internet of things platform is trusted and can send data to the Internet of things platform.
Example two
The invention provides a method for enhancing MQTT protocol identity authentication by using a symmetric cryptographic technique, which is applied to an Internet of things terminal, as shown in fig. 6 and 7, and comprises the following steps:
first identity authentication:
s31, the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
s32, the terminal constructs an initial identity authentication request message according to the MQTT connection message Connect content format: the encryption mode of the cipher text can be completed by adopting symmetric algorithms such as SM4 and the like, and the encryption key is a key B taken out from S1;
s33, the terminal sends a constructed identity authentication request message to the proxy address exposed to the outside of the Internet of things platform;
s34, the terminal receives the verification success message OX00 returned by the Internet of things platform, and if the verification success message OX00 is unsuccessful, a non-0 message is returned according to the MQTT manual;
and (3) second identity authentication:
s41, the terminal receives an identity authentication request message pushed by the Internet of things platform, acquires a symmetric decryption key of a chip key W corresponding to the sequence number C from the security chip according to the sequence number C of the key in the identity authentication request message, and returns the decryption key W';
S42, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification on the authentication platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter sent by the first identity authentication and the terminal ID together, and if the authentication is passed, the terminal considers that the Internet of things platform is trusted, and can send data to the Internet of things platform.
The embodiment also provides an internet of things terminal, which comprises a processor and a computer readable storage medium, wherein the computer readable storage medium is used for storing a computer program, and the processor is used for enabling the internet of things terminal to execute the steps of the first identity authentication and the second identity authentication when executing the computer program stored on the computer readable storage medium.
Example III
The invention provides a method for enhancing MQTT protocol identity authentication by using a symmetric cryptographic technique, which is applied to an Internet of things platform, as shown in fig. 8 and 9, and comprises the following steps:
first identity authentication:
s301, the internet of things platform acquires a secret key B' symmetrical to the secret key B according to a terminal ID and a secret key serial number Z vector sub-password management service system in an initial identity authentication request message sent by an internet of things terminal;
S302, the internet of things platform receives a secret key B 'returned by the quantum password management service system, and decrypts the initial identity authentication request message by using the secret key B' to obtain a decrypted ciphertext: the method comprises the steps of (1) time-varying parameters+terminal ID+terminal preset passwords, comparing the decrypted terminal ID with the terminal preset passwords stored in the background and the terminal preset passwords stored in the Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by utilizing CONNACK in an MQTT message, storing the time-varying parameters sent by the terminal, and returning a non-0 message according to the MQTT manual if the time-varying parameters are unsuccessful;
and (3) second identity authentication:
s401, the internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns the chip key W matched with the terminal and a serial number C of the chip key W to the internet of things platform;
s402, the platform of the Internet of things constructs an identity authentication request message applied to the terminal: the encryption algorithm of the cipher key sequence number C+ cipher text (time-varying parameter+platform ID+login token) adopts a double-party agreement algorithm, the encryption key can adopt SM4, the encryption key is a chip key W taken out in S6, the login token is jointly generated by the time-varying parameter saved by the terminal for the first time of identity authentication and the terminal ID, the terminal unidirectional connection is completed at this time, the terminal is in a connection state, the MQTT message system does not have an authentication mechanism of the terminal by the Internet of things platform, the mechanism is adopted by PUBLISH, a second authentication request message is pushed to the terminal, and the authentication request message is put into PAYLOAD.
The embodiment also provides an internet of things platform, which comprises a processor and a computer readable storage medium, wherein the computer readable storage medium is used for storing a computer program, and the processor is used for enabling the internet of things platform to execute the steps of the first identity authentication and the second identity authentication when executing the computer program stored on the computer readable storage medium.
The above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. A method for enhancing the identity authentication of an MQTT protocol by using a symmetric cryptography is characterized in that: comprising the following steps:
s1, first identity authentication: internet of things terminal to Internet of things platform: the quantum key filling machine completes filling and storing of the quantum key generated by the quantum random number generator to the quantum security chip, simultaneously records and stores the corresponding relation between the filling security chip and the key, and the internet of things terminal calls the quantum key stored in the internal integrated or external security chip to be used for constructing an identity authentication request message: the secret key serial number, the terminal ID and the ciphertext are transmitted to an Internet of things platform, wherein the ciphertext is: the method comprises the steps that a time-varying parameter, a terminal ID and a terminal preset password are obtained from a quantum password management service system connected with a quantum exchange password machine by an Internet of things platform according to the terminal ID and a key serial number to decrypt a key symmetrical to a terminal filling key, the terminal ID and the terminal preset password in an identity authentication request message are compared, meanwhile, the time-varying parameter sent by the terminal is saved, a login token is generated according to the terminal ID and the time-varying parameter after authentication is successful, and an authentication success message is returned to the terminal, if the authentication success message is unsuccessful, an unsuccessful message is returned;
S2, second identity authentication: the internet of things platform applies for a charging key matched with the terminal and a corresponding key serial number according to the terminal ID vector sub-password management service system, and starts to construct an identity authentication request message: key sequence number + ciphertext, ciphertext is: the time-varying parameter, the platform ID and the login token are combined according to the terminal ID reported by the terminal in the first identity authentication, and the login token sends the identity authentication request message to the terminal; the terminal obtains a key symmetrical to the corresponding filling key according to the key serial number, decrypts the identity authentication request message, verifies the platform ID and the login token, determines that the login token is generated by the Internet of things platform according to the terminal ID and the time-varying parameter during authentication when the first identity authentication is performed, and starts to send the message to the Internet of things platform after the verification is successful.
2. The method for enhancing MQTT protocol identity authentication using symmetric cryptography as set forth in claim 1, wherein: a validity period may be set after each authentication is completed.
3. The method for enhancing MQTT protocol identity authentication using symmetric cryptography as set forth in claim 1, wherein: s1, performing first identity authentication, including the following steps:
S11, the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
s12, the terminal constructs an initial identity authentication request message according to the MQTT connection message Connect content format: the key serial number Z+terminal ID+ciphertext is: the encryption mode of the ciphertext is completed by adopting a symmetric algorithm, and the encryption key is a key B taken out from S1;
s13, the terminal sends the identity authentication request message constructed in the step S12 to the proxy address exposed to the outside of the Internet of things platform;
s14, the internet of things platform acquires a secret key B' symmetrical to the secret key B according to the terminal ID and the secret key serial number Z vector sub-password management service system in the initial identity authentication request message;
s15, the quantum cryptography management service system returns a secret key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the secret key B' to obtain a decrypted ciphertext: the method comprises the steps of carrying out time-varying parameter, terminal ID and terminal preset password, comparing the decrypted terminal ID with the terminal preset password, storing the terminal ID in the background and the terminal preset password stored in the internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by utilizing CONNACK in the MQTT message, storing the time-varying parameter sent by the terminal, and returning a non-0 message according to the MQTT manual if the time-varying parameter is unsuccessful.
4. The method for enhancing MQTT protocol identity authentication using symmetric cryptography as set forth in claim 1, wherein: s2, performing second identity authentication, including the following steps:
s21, the internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns the chip key W matched with the terminal and a serial number C of the chip key W to the internet of things platform;
s22, the platform of the Internet of things constructs an identity authentication request message applied to the terminal: the cipher text of the key serial number C+ is: the encryption key of the ciphertext is a chip key W extracted in S21, the login token is jointly generated by the time-varying parameter saved by the terminal for the first time identity authentication and the terminal ID, the PUBLISH is used for building an Internet of things platform to carry out the terminal identity authentication mechanism, a second time identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
s23, the terminal receives an identity authentication request message pushed by the Internet of things platform, acquires a symmetric decryption key of a chip key W corresponding to the sequence number C from the security chip according to the sequence number C of the key in the identity authentication request message, and returns the decryption key W';
S24, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification on the login token through the verification platform ID, mainly verifies whether the login token is generated together with the time-varying parameter sent by the first identity authentication and the terminal ID, and if the login token passes, the terminal considers that the Internet of things platform is credible, and can send data to the Internet of things platform.
5. An enhanced MQTT protocol identity authentication system using symmetric cryptography, characterized by: comprises the following modules:
the first identity authentication module: internet of things terminal to Internet of things platform: the quantum key filling machine completes filling and storing of the quantum key generated by the quantum random number generator to the quantum security chip, simultaneously records and stores the corresponding relation between the filling security chip and the key, and the internet of things terminal calls the quantum key stored in the internal integrated or external security chip to be used for constructing an identity authentication request message: the secret key serial number, the terminal ID and the ciphertext are transmitted to an Internet of things platform, wherein the ciphertext is: the method comprises the steps that a time-varying parameter, a terminal ID and a terminal preset password are obtained from a quantum password management service system connected with a quantum exchange password machine by an Internet of things platform according to the terminal ID and a key serial number to decrypt a key symmetrical to a terminal filling key, the terminal ID and the terminal preset password in an identity authentication request message are compared, meanwhile, the time-varying parameter sent by the terminal is saved, a login token is generated according to the terminal ID and the time-varying parameter after authentication is successful, and an authentication success message is returned to the terminal, if the authentication success message is unsuccessful, an unsuccessful message is returned;
And a second identity authentication module: the internet of things platform applies for a charging key matched with the terminal and a corresponding key serial number according to the terminal ID vector sub-password management service system, and starts to construct an identity authentication request message: key sequence number + ciphertext, ciphertext is: the time-varying parameter, the platform ID and the login token are combined according to the terminal ID reported by the terminal in the first identity authentication, and the login token sends the identity authentication request message to the terminal; the terminal obtains a key symmetrical to the corresponding filling key according to the key serial number, decrypts the identity authentication request message, verifies the platform ID and the login token, determines that the login token is generated by the Internet of things platform according to the terminal ID and the time-varying parameter during authentication when the first identity authentication is performed, and starts to send the message to the Internet of things platform after the verification is successful.
6. The MQTT protocol authentication system using symmetric cryptography as set forth in claim 5, wherein: the first identity authentication module comprises:
terminal key requesting unit: the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
an initial identity authentication request message construction unit: the terminal constructs an initial identity authentication request message according to the MQTT connection message Connect content format: the key serial number Z+terminal ID+ciphertext is: the encryption mode of the ciphertext adopts a symmetric algorithm, and the encryption key is a key B taken out from a terminal key request unit;
An initial authentication request message transmitting unit: the terminal sends an identity authentication request message constructed by an initial identity authentication request message construction unit to an externally exposed proxy address of the internet of things platform;
symmetric key acquisition unit: the internet of things platform obtains a secret key B' symmetrical to the secret key B according to the terminal ID and the secret key serial number Z vector sub-password management service system in the initial identity authentication request message;
decryption unit: the quantum cryptography management service system returns a key B 'to the Internet of things platform, and the Internet of things platform decrypts the initial identity authentication request message by using the key B' to obtain decrypted ciphertext: the method comprises the steps of determining the identity of a terminal by comparing a time-varying parameter, a terminal ID and a terminal preset password, comparing the decrypted terminal ID with the terminal preset password stored in the background and the terminal preset password stored in the Internet of things platform in advance, simultaneously returning a verification success message OX00 to the terminal by utilizing CONNACK in an MQTT message, storing the time-varying parameter sent by the terminal, and returning a non-0 message according to the MQTT manual if the verification success message OX00 is unsuccessful.
7. The MQTT protocol authentication system using symmetric cryptography as set forth in claim 5, wherein: the second identity authentication module comprises:
Platform key request unit: the method comprises the steps that an internet of things platform obtains a chip key matched with a terminal from a quantum password management service system according to a terminal ID, and the quantum password management service system returns the chip key W matched with the terminal and a serial number C of the chip key W to the internet of things platform;
the second authentication request message construction unit: the internet of things platform constructs an identity authentication request message applied to a terminal: the cipher text of the key serial number C+ is: the encryption key of the ciphertext is a chip key W taken out of a platform key request unit, the login token is jointly generated by the time-varying parameter stored by the terminal for the first time identity authentication and the terminal ID, the PUBLISH is used for building an internet of things platform to carry out terminal identity authentication mechanism, a second identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD;
symmetric key acquisition unit: the terminal receives an identity authentication request message pushed by the Internet of things platform, acquires a symmetric decryption key of a chip key W corresponding to the sequence number C from the security chip according to the sequence number C of the key in the identity authentication request message, and returns the decryption key W';
decryption unit: the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification through the verification platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter sent by the first identity authentication and the terminal ID together, and if the login token passes, the terminal considers that the Internet of things platform is trusted and can send data to the Internet of things platform.
8. A method for enhancing MQTT protocol identity authentication by using symmetric cryptography is applied to an Internet of things terminal and is characterized in that: comprising the following steps:
first identity authentication:
s31, the terminal acquires a key request in the security chip, and the security chip returns a key B of a chip key serial number Z;
s32, the terminal constructs an initial identity authentication request message according to the MQTT connection message Connect content format: the key serial number Z+terminal ID+ciphertext is: the encryption mode of the ciphertext adopts a symmetric algorithm, and the encryption key is the key B extracted in S31;
s33, the terminal sends a constructed identity authentication request message to the proxy address exposed to the outside of the Internet of things platform;
s34, the terminal receives the verification success message OX00 returned by the Internet of things platform, and if the verification success message OX00 is unsuccessful, a non-0 message is returned according to the MQTT manual;
and (3) second identity authentication:
s41, the terminal receives an identity authentication request message pushed by the Internet of things platform, acquires a symmetric decryption key of a chip key W corresponding to the sequence number C from the security chip according to the sequence number C of the key in the identity authentication request message, and returns the decryption key W';
s42, the terminal decrypts the ciphertext in the identity authentication request message by using the decryption key W', performs decryption verification on the authentication platform ID and the login token, mainly verifies whether the login token is generated by the time-varying parameter sent by the first identity authentication and the terminal ID together, and if the authentication is passed, the terminal considers that the Internet of things platform is credible and can send data to the Internet of things platform.
9. An internet of things terminal comprising a processor and a computer readable storage medium for storing a computer program, characterized in that: the processor is configured to execute a computer program stored on a computer readable storage medium, so as to cause the terminal of the internet of things to perform the steps of claim 8.
10. A method for enhancing MQTT protocol identity authentication by using symmetric cryptography is applied to an Internet of things platform and is characterized in that: comprising the following steps:
first identity authentication:
s301, the internet of things platform acquires a secret key B' symmetrical to the secret key B according to a terminal ID and a secret key serial number Z vector sub-password management service system in an initial identity authentication request message sent by an internet of things terminal;
s302, the internet of things platform receives a secret key B 'returned by the quantum password management service system, and decrypts the initial identity authentication request message by using the secret key B' to obtain a decrypted ciphertext: the method comprises the steps of (1) time-varying parameters+terminal ID+terminal preset passwords, comparing the decrypted terminal ID with the terminal preset passwords stored in the background and the terminal preset passwords stored in the Internet of things platform in advance, determining the identity of the terminal, simultaneously returning a verification success message OX00 to the terminal by utilizing CONNACK in an MQTT message, storing the time-varying parameters sent by the terminal, and returning a non-0 message according to the MQTT manual if the time-varying parameters are unsuccessful;
And (3) second identity authentication:
s401, the internet of things platform acquires a chip key matched with the terminal from the quantum password management service system according to the terminal ID, and the quantum password management service system returns the chip key W matched with the terminal and a serial number C of the chip key W to the internet of things platform;
s402, the platform of the Internet of things constructs an identity authentication request message applied to the terminal: the cipher text of the key serial number C+ is: the encryption algorithm of the ciphertext adopts a double-party agreement algorithm, the encryption key is a chip key W extracted in S6, the login token is jointly generated by the time-varying parameter stored by the terminal for the first time of identity authentication and the terminal ID, the PUBLISH is used for building an internet of things platform to carry out the terminal identity authentication mechanism, a second time of identity authentication request message is pushed to the terminal, and the identity authentication request message is put into PAYLOAD.
11. An internet of things platform comprising a processor and a computer readable storage medium for storing a computer program, characterized in that: the processor is configured to execute a computer program stored on a computer readable storage medium to cause an internet of things platform to perform the steps of claim 10.
CN202110882439.1A 2021-08-02 2021-08-02 Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology Active CN113612605B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110882439.1A CN113612605B (en) 2021-08-02 2021-08-02 Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110882439.1A CN113612605B (en) 2021-08-02 2021-08-02 Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology

Publications (2)

Publication Number Publication Date
CN113612605A CN113612605A (en) 2021-11-05
CN113612605B true CN113612605B (en) 2023-09-26

Family

ID=78306520

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110882439.1A Active CN113612605B (en) 2021-08-02 2021-08-02 Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology

Country Status (1)

Country Link
CN (1) CN113612605B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095168B (en) * 2021-11-24 2024-02-23 安徽国盾量子云数据技术有限公司 Communication method based on quantum key and encrypted communication terminal thereof
CN114285890B (en) * 2021-12-10 2024-03-15 西安广和通无线通信有限公司 Cloud platform connection method, device, equipment and storage medium
CN114095183B (en) * 2022-01-23 2022-05-03 杭州字节信息技术有限公司 Client dual authentication method, terminal equipment and storage medium
WO2023141998A1 (en) * 2022-01-28 2023-08-03 Oppo广东移动通信有限公司 Device authentication method and apparatus, and device, storage medium and program product
CN114531238B (en) * 2022-04-24 2022-07-19 中电信量子科技有限公司 Secret key safe filling method and system based on quantum secret key distribution
CN115102710A (en) * 2022-05-06 2022-09-23 广州运通数达科技有限公司 Internet of things equipment secure access method and equipment in digital RMB consumption scene
CN114710299B (en) * 2022-06-07 2022-08-30 杭州雅观科技有限公司 Lightweight authentication method suitable for cloud LED lighting energy-saving system
CN117395001B (en) * 2023-12-11 2024-02-20 合肥工业大学 Internet of vehicles secure communication method and system based on quantum key chip
CN117579276B (en) * 2024-01-16 2024-03-29 浙江国盾量子电力科技有限公司 Quantum encryption method for feeder terminal and quantum board card module

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107846447A (en) * 2017-09-21 2018-03-27 烽火通信科技股份有限公司 A kind of method of the home terminal access message-oriented middleware based on MQTT agreements
CN111314366A (en) * 2020-02-25 2020-06-19 广州致远电子有限公司 MQTT protocol-based secure login system and method
CN112532671A (en) * 2019-09-19 2021-03-19 阿里巴巴集团控股有限公司 Acquisition method, configuration method, edge computing cluster and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10158991B2 (en) * 2016-03-17 2018-12-18 M2MD Technologies, Inc. Method and system for managing security keys for user and M2M devices in a wireless communication network environment
US11343084B2 (en) * 2019-03-01 2022-05-24 John A. Nix Public key exchange with authenticated ECDHE and security against quantum computers

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107846447A (en) * 2017-09-21 2018-03-27 烽火通信科技股份有限公司 A kind of method of the home terminal access message-oriented middleware based on MQTT agreements
CN112532671A (en) * 2019-09-19 2021-03-19 阿里巴巴集团控股有限公司 Acquisition method, configuration method, edge computing cluster and device
CN111314366A (en) * 2020-02-25 2020-06-19 广州致远电子有限公司 MQTT protocol-based secure login system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
量子密钥数字证书系统及其应用;原磊;;信息安全研究(第06期) *

Also Published As

Publication number Publication date
CN113612605A (en) 2021-11-05

Similar Documents

Publication Publication Date Title
CN113612605B (en) Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology
JP7119040B2 (en) Data transmission method, device and system
CN106357649B (en) User identity authentication system and method
CN110380852B (en) Bidirectional authentication method and communication system
CN111314056B (en) Heaven and earth integrated network anonymous access authentication method based on identity encryption system
CN113630407B (en) Method and system for enhancing transmission security of MQTT protocol by using symmetric cryptographic technology
US9866387B2 (en) Method and system for accessing device by a user
CN102685749B (en) Wireless safety authentication method orienting to mobile terminal
CN110912686B (en) Method and system for negotiating secret key of security channel
CN108964897B (en) Identity authentication system and method based on group communication
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN113079022B (en) Secure transmission method and system based on SM2 key negotiation mechanism
CN110808829A (en) SSH authentication method based on key distribution center
CN113452687B (en) Method and system for encrypting sent mail based on quantum security key
CN114765534B (en) Private key distribution system and method based on national secret identification cryptographic algorithm
CN112311543B (en) GBA key generation method, terminal and NAF network element
CN108964895B (en) User-to-User identity authentication system and method based on group key pool and improved Kerberos
CN108259486B (en) End-to-end key exchange method based on certificate
CN111065097B (en) Channel protection method and system based on shared secret key in mobile internet
Hou et al. Lightweight and privacy-preserving charging reservation authentication protocol for 5G-V2G
CN107104888B (en) Safe instant messaging method
CN104243435A (en) Communication method for HTTP based on OAuth
CN117098123A (en) Quantum key-based Beidou short message encryption communication system
KR100456624B1 (en) Authentication and key agreement scheme for mobile network
CN108965266B (en) User-to-User identity authentication system and method based on group key pool and Kerberos

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant