CN113810422A - Emqx browser architecture-based secure connection method for data of internet of things platform device - Google Patents


Info

Publication number
CN113810422A
Authority
CN
China
Prior art keywords
internet
equipment
things platform
data
connection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111103069.3A
Other languages
Chinese (zh)
Inventor
幸大树
宋卫平
杨帆
高攀
佘文魁
顾思明
何明阳
雷双
刘田豹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Zhongdian Aostar Information Technologies Co ltd
Original Assignee
Sichuan Zhongdian Aostar Information Technologies Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Zhongdian Aostar Information Technologies Co ltd
Priority to CN202111103069.3A
Publication of CN113810422A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an Emqx broker architecture-based data security connection method for an Internet of Things platform device, used in the scenario of connecting a device to an Internet of Things platform. It comprises the following operations: first, a developer obtains an SDK package from the Internet of Things platform; then the developer builds a device APP according to the development rules of the SDK package and the device's own services; then the APP is programmed into the device; then the device APP is started and the device establishes a connection with the Internet of Things platform through the APP; and finally the device APP carries out secure data connection and transmission with the Internet of Things platform.

Description

Emqx browser architecture-based secure connection method for data of internet of things platform device
Technical Field
The invention belongs to the technical field of computer information data security, and particularly relates to an Emqx broker architecture-based data security connection method for an Internet of things platform device.
Background
In line with the "three types, two networks" objective proposed by the national power grid company, the Internet of Things platform applies modern information technologies and advanced communication technologies such as mobile internet and artificial intelligence to every link of the electric power system, so as to achieve the Internet of Everything and human-machine interaction across the power system. During construction of the Internet of Things platform, devices of many types are connected in large numbers, so the security of device data is particularly important. If security is insufficiently considered, or a vulnerability is introduced during construction of the platform, security risks are passed on to device manufacturers. Security schemes therefore need to be considered at every link: device access, device data reporting, the device connection channel, and so on.
There are many device access protocols; the most widely used at present is MQTT, a lightweight broker-based publish/subscribe message transport protocol whose design principles are openness, simplicity, light weight and ease of implementation. These characteristics make it suitable for constrained environments. MQTT has the following properties:
● one-to-many message publishing, decoupling applications through the publish/subscribe message pattern;
● message transport that is agnostic to the payload content;
● network connectivity over TCP/IP;
● three message publishing qualities of service:
at most once: message delivery depends entirely on the underlying TCP/IP network, so messages may be lost or duplicated. This level suits cases such as environmental sensor data, where losing one reading is acceptable because another will be transmitted shortly afterwards;
at least once: messages are guaranteed to arrive, but may be duplicated;
exactly once: messages are guaranteed to arrive exactly once. This level suits cases such as billing systems, where duplicated or lost messages would produce incorrect results;
● small transmissions with low overhead (the fixed-length header is 2 bytes) and minimal protocol exchanges, reducing network traffic;
● a Last Will and Testament mechanism that notifies the relevant parties when a client disconnects abnormally.
Emqx (Erlang/Enterprise/Elastic MQTT Broker) is an open-source Internet of Things MQTT message server developed on the Erlang/OTP platform. MQTT is a lightweight publish/subscribe (PubSub) messaging protocol for the Internet of Things. The Emqx design goals are high reliability, MQTT connections from massive numbers of Internet of Things terminals, and low-latency message routing between massive numbers of Internet of Things devices: a single server node stably carries 500,000 to 1,000,000 MQTT client connections; distributed node clustering with fast, low-latency message routing supports 10 million routes in a single cluster; the message server is extensible internally, supporting custom authentication modes and efficient storage of messages in a back-end database; and protocol support is complete, covering MQTT-SN, CoAP, LwM2M, WebSocket and private protocols.
When building an Internet of Things platform, the Emqx broker can be used as the open-source MQTT message server that supports the device connection protocol and handles device access, protocol parsing and device management. It has the following shortcomings and requirements:
a. In the construction of an Internet of Things platform, secure authenticated device connection and the security of device service data are basic requirements and important links, and a complete security scheme is required.
b. An open-source Internet of Things platform based on the Emqx broker currently has incomplete secure-connection support: the Emqx broker, as an open-source MQTT message server, provides basic security plug-ins, but the security functions of each plug-in need to be completed according to the design and security requirements of the Internet of Things platform.
In addition, if the Internet of Things platform is designed, developed and built entirely on the open-source Emqx broker message server, the scheme has the following security defects:
the TLS secure connection supported by Emqx is only technical support; the conditions of use are not defined. For example, there is no clear method for how certificates are generated, on what dimension, how they are issued, or how they are matched to the use of the Internet of Things platform, so the platform must design a scheme that combines the certificates with its own services;
the MQTT protocol supports username and password verification, but username and password verification alone is insufficient: unauthorized access can occur and leaks can result, for example a user who has passed authentication monitoring other users' device information;
the emqx rule engine plug-in only supports stream computation on data in plaintext format, and plaintext data transmitted over the network carries the hidden danger of plaintext leakage.
Disclosure of Invention
Based on the defects and requirements of the prior art, the invention provides a secure data connection method for an Internet of Things platform based on the Emqx broker framework. The security defects of each technical point analysed above are remedied by a set of security mechanisms designed by the invention, thereby solving the data security problem of an Internet of Things platform based on the Emqx broker framework.
The specific content of the invention is as follows:
the invention provides an Emqx broker architecture-based data security connection method for an Internet of Things platform device, used in the scenario of connecting a device to an Internet of Things platform, comprising the following operations: first, a developer obtains an SDK package from the Internet of Things platform; then the developer builds a device APP according to the development rules of the SDK package and the device's own services; then the APP is programmed into the device; then the device APP is started and the device establishes a connection with the Internet of Things platform through the APP; and finally the device APP carries out secure data connection and transmission with the Internet of Things platform.
In order to better implement the invention, the specific steps by which the device establishes a connection with the Internet of Things platform and carries out secure data connection and transmission are as follows:
step 1: a certificate module is provided on the Internet of Things platform, and connection authentication between the device and the platform is performed through the certificate module. When the device connects to the platform, the platform parses and checks the device's certificate through its certificate management function; a secure connection channel is allowed to be established between the device and the platform only after certificate authentication passes, otherwise the device connection fails;
step 2: the emqx_auth_mysql plug-in on the Internet of Things platform is modified in line with the platform's data structure design, so that it checks the correctness of a connection message according to the username, en_password and ClientID data in the message, and the device can access the platform only if this authentication succeeds;
step 3: for a device that has successfully accessed the Internet of Things platform, when service data is uploaded, a unique public/private key pair for the user is generated with the platform's companion tool and the uploaded data is asymmetrically encrypted;
step 4: the encrypted service data is sent to the Internet of Things platform; a rule engine is provided in the platform, which decrypts the encrypted service data, performs the rule calculation, and finally re-encrypts the calculation result before forwarding the ciphertext data stream to the upper-layer service system.
In order to better implement the invention, in step 1, when the device comes online and connects to the Emqx broker message server of the Internet of Things platform, an MQTT connection channel is established on top of the TCP/IP protocol. The Internet of Things platform enables bidirectional (mutual) SSL/TLS secure connection for MQTT: during device connection authentication both the server side and the client side must hold certificates, and each side authenticates the other's identity, ensuring that both parties to the communication are trusted.
In order to better implement the invention, during development of the device APP a ClientID is generated according to the rules of the Internet of Things platform and the SDK, and the ClientID contains device identification information. In step 2, when the device establishes the connection, the connection message contains the triple of username, en_password and ClientID. In the emqx_auth_mysql plug-in, ClientID authentication is added on top of username/password authentication to form two-layer authentication: the first layer verifies the correctness of the username/password, and the second layer authenticates the ownership relationship between the device and the tenant, preventing a tenant from connecting other devices without authorization.
In order to better implement the invention, in step 3 the encryption algorithm encrypts an original plaintext A into a ciphertext B according to the formula:
B = {crypto} + SM2(A + SM3(A) + random number);
where {crypto} is a fixed string used for splicing, SM2() is the national cryptographic SM2 (public-key) algorithm, and SM3() is the national cryptographic SM3 (hash) algorithm.
In order to better implement the invention, in step 4 the tenant creates a rule for the rule engine through the interface of the Internet of Things platform, and the rule contains the public/private key information of the encryption and decryption algorithm; in the actual decryption process the decryption operation is performed by parsing the public/private keys from the rule.
For encrypted service data uploaded by a device, the original text is decrypted with the private key in the rule and the rule calculation is then performed; the calculated result is re-encrypted with the public key and forwarded to the upper-layer service system. This process ensures that data is encrypted before transmission over every network link.
Compared with the prior art, the invention has the following advantages and beneficial effects:
the invention starts from the observation that the security risk of a device lies mainly in device access and in the device's data transmission, and designs a complete set of mechanisms: a TLS certificate generation, issuance and use mechanism, with the Transport Layer Security (TLS) mechanism verifying and signing the data channel to construct a secure data channel; at message server connection time, authentication of the Internet of Things platform tenant's username/password through the emqx_auth_mysql plug-in, combined with the ClientID generated by the platform's development component, to give two-layer verification; and encryption and decryption of transmitted data with the national cryptographic algorithm, satisfying the rule engine's data format requirements, so that data is encrypted throughout the whole transmission and circulation process.
Drawings
FIG. 1 is a schematic flow diagram of the present invention;
fig. 2 is a schematic diagram of the connection between the equipment and the internet of things platform.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments, and therefore should not be considered as a limitation to the scope of protection. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
In the description of the present invention, it is to be noted that, unless otherwise explicitly specified or limited, the terms "disposed," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Example 1:
This embodiment provides an Emqx broker architecture-based data security connection method for an Internet of Things platform device, used in the scenario of connecting a device to an Internet of Things platform. As shown in fig. 1, the operations are as follows: first, a developer obtains an SDK package from the Internet of Things platform; then the developer builds a device APP according to the development rules of the SDK package and the device's own services; then the APP is programmed into the device; then the device APP is started and the device establishes a connection with the Internet of Things platform through the APP; and finally the device APP carries out secure data connection and transmission with the Internet of Things platform.
The working principle is as follows: the scheme encapsulates the whole process end to end, so that users obtain security and convenience at the same time. The TLS security certificate generation mechanism is implemented inside the Internet of Things platform, and the certificate is delivered to the developer together with the SDK when the SDK is downloaded. When an APP is developed on the SDK, the device metadata generated when the device was added to the platform must be configured; on the basis of this metadata and the user's account information, two-layer verification is performed when the started APP accesses the platform. Data encryption for transmission and the corresponding decryption are implemented in the SDK send interface and in the Internet of Things platform respectively.
Example 2:
In this embodiment, on the basis of embodiment 1 and as shown in fig. 2, the secure access steps are:
1. A user registers an Internet of Things platform account; the platform back end generates a unique TLS security certificate for the tenant according to the tenant management rules. This security certificate is used to authenticate the secure connection channel established between the tenant and the platform whenever any of the tenant's devices connects to the cloud.
2. After the tenant has created the product and device metadata on the Internet of Things platform, the platform-side development work is complete, and the tenant can obtain the certificate, the device triple information, the device development SDK and so on from the platform interface for use on the device side.
3. Once the APP has been developed on the device side for the device's services, it can be programmed into the device to run, ready to connect to the Internet of Things platform. When the device connects, the platform parses and checks the device's certificate through its certificate management function; a secure connection channel between the device and the platform is allowed only after certificate authentication passes, otherwise the device connection fails.
4. After the secure connection channel is established, the device's access information (username, password and ClientID) is verified. A unique generation rule for the ClientID is designed for the Internet of Things platform SDK: the ClientID is formed by splicing the triple information of the accessing device. Combined with the username and password this gives two-layer verification: the first layer verifies the correctness of the username/password, and the second layer authenticates the ownership relationship between the device and the tenant, preventing a tenant from connecting other devices without authorization and preventing malicious users from arbitrarily simulating device access.
5. After the device has connected to the Internet of Things platform, it can report service data, which circulates on the platform through the rule engine. The platform provides GMTool, which encapsulates the national cryptographic algorithms and generates a public/private key pair based on the national cryptographic SM2+SM3; the public key is used to encrypt data when the device reports it. When the platform creates a rule in the rule engine, the rule SQL statement is written to decrypt the data with the private key, perform the rule operation, re-encrypt the result with the public key, and finally forward the encrypted data to the service system, preventing data leakage.
The working principle is as follows: as shown in fig. 2, the connection process has three main links:
1. When the device comes online and connects to the Emqx broker message server, an MQTT connection channel is established on top of TCP/IP. For the security of this channel, the Internet of Things platform enables bidirectional SSL/TLS secure connection for MQTT: both server side and client side must hold certificates, and each side authenticates the other's identity so that both parties to the communication are trusted. Strong authentication is performed when the device connects, session confidentiality and security are ensured, data in the encrypted communication is hard to tamper with undetected, and data integrity is ensured. The device APP establishes a mutually trusted MQTT/TLS secure channel with the platform's Emqx broker on the basis of its client certificate; tenant devices connect to the cloud without attending to the internal details of the secure channel and only need to follow the SDK guidance for service development, obtaining secure and efficient service, which improves the efficiency and security of device access to the platform. TLS itself is open source and widely applied in computing; this patent's contribution is a set of certificate rules designed around the services of the Internet of Things platform: certificates are generated in the back end with the tenant as the dimension, which lowers the tenant's operational burden, since the certificate can be obtained directly from the platform for use.
2. When the tenant develops the device-side APP with the SDK, the ClientID is generated according to the rules of the Internet of Things platform and the SDK and contains device identification information, and when the device establishes the connection the connection message contains the triple of username, en_password and ClientID. The emqx_auth_mysql plug-in is optimised and modified so that it can recognise the device identification information in the ClientID and perform two-layer verification together with the username/password data: the first layer verifies the correctness of the username/password and the second layer authenticates the ownership relationship between the device and the tenant, preventing a tenant from connecting other devices without authorization. The native plug-in only supports username and password verification and cannot verify the service relationship; this method adds ClientID authentication on top of username/password verification: the ClientID contains the device triple information and is therefore tied to the service, so the second layer can authenticate the ownership relationship between the device and the tenant, preventing tenants from connecting devices beyond their rights and preventing malicious users from arbitrarily simulating device access.
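The two-layer check described in step 2 above and in link 2 here, written out as an added Python example; it is not the patent's or EMQX's code (EMQX's own plug-ins are Erlang, and this only models the decision logic a modified emqx_auth_mysql would have to make). The tenant table, the device registry, the use of PBKDF2 for the stored en_password and the ClientID layout `tenant:product_key:device_name` are constructed assumptions; the patent only states that the ClientID is formed by splicing the device triple and carries device identification information. The point it demonstrates is that the second layer must bind the tenant named in the ClientID to the tenant that just passed layer one, which is what stops a valid credential from being paired with a device that belongs to someone else.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not the patent's or EMQX's code. All table contents below are constructed.

def _pbkdf2(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 as an assumed storage form of en_password; the patent does not fix one.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT_A = b"constructed-salt-tenant-a"
TENANTS = {  # username -> (salt, stored password hash)
    "tenant_a": (_SALT_A, _pbkdf2("correct horse battery", _SALT_A)),
}
DEVICES = {  # (tenant, product_key, device_name) -> platform device id
    ("tenant_a", "prodA", "dev001"): "device-1",
    ("tenant_b", "prodB", "dev777"): "device-2",
}
_DUMMY = (b"\x00" * 24, b"\x00" * 32)  # so a missing username still costs one KDF run

def build_client_id(tenant: str, product_key: str, device_name: str) -> str:
    """Assumed ClientID rule: the device triple spliced with ':'."""
    for part in (tenant, product_key, device_name):
        if not part or ":" in part:
            raise ValueError("triple parts must be non-empty and free of ':'")
    return f"{tenant}:{product_key}:{device_name}"

def parse_client_id(client_id: str) -> Optional[Tuple[str, str, str]]:
    """Inverse of build_client_id; None if the ClientID is not a well-formed triple."""
    parts = client_id.split(":")
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0], parts[1], parts[2]

@dataclass
class AuthResult:
    allowed: bool
    reason: str

def authenticate(username: str, password: str, client_id: str) -> AuthResult:
    """Layer 1: username/password. Layer 2: the device in the ClientID must belong to that tenant."""
    record = TENANTS.get(username)
    salt, expected = record if record is not None else _DUMMY
    password_ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
    if record is None or not password_ok:
        return AuthResult(False, "layer1: bad username or password")
    triple = parse_client_id(client_id)
    if triple is None:
        return AuthResult(False, "layer2: malformed ClientID")
    if triple[0] != username:
        # The tenant named in the ClientID must be the tenant that just passed layer 1.
        return AuthResult(False, "layer2: ClientID tenant does not match authenticated tenant")
    if triple not in DEVICES:
        return AuthResult(False, "layer2: device not registered to this tenant")
    return AuthResult(True, "ok: " + DEVICES[triple])
```

The ownership lookup is keyed on the full triple with the tenant taken from the ClientID and cross-checked against the authenticated username, so a registered device of another tenant and an unregistered device of the same tenant are both refused at layer 2, with distinct reasons that a broker log can distinguish.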
3. The Internet of Things platform designs a set of data encryption and decryption mechanisms. During device-side development the tenant generates a national cryptographic key pair (private key/public key) with GMTool; the pair is a set of asymmetric encryption/decryption strings, the public key string being used for encryption and the private key string for decryption. Device service data is encrypted from an original plaintext A to a ciphertext B according to the formula:
B = {crypto} + SM2(A + SM3(A) + random number);
The device APP encrypts the collected device data with the public key and sends it to the Internet of Things platform, so the device data is encrypted and can only be decrypted with the corresponding private key, which is known and kept only by the tenant, so there is no security risk. The tenant can create a rule for the rule engine through the platform interface; the rule can contain the public/private key information, and the public/private keys in the rule SQL are parsed and used for decryption before and encryption after the rule engine's calculation. A newly added emqx_rule_engine plug-in supports the company's fusion encryption algorithm based on the national cryptographic SM2+SM3; the algorithm fuses the two national cryptographic algorithms SM2 and SM3, is more complex and more secure, and its encryption and decryption efficiency is close to that of SM2 alone. When the rule calculation is performed on device data, the data is first decrypted with the private key, the rule calculation is then performed on the original JSON-format data, and after a hit the hit result data is encrypted with the public key, so that the device data meeting the tenant's service requirements is forwarded in encrypted form to the tenant's middleware or HTTP service and the data leaving the platform is encrypted and carries no security risk. In summary, the principle is: encrypted transmission of data, rule calculation after decryption, and circulation after re-encryption. The working process is: a. first generate a public key and a private key with the tool; b. when the device reports data, encrypt it with the designed encryption algorithm; c. the platform's rule engine originally does not support operating on encrypted data, and the optimisation in this method lets the rule engine calculate and extract after decrypting the encrypted data; d. finally, the calculation result is encrypted and forwarded to the service system.
The rule engine's rule SQL supports data calculation, but if data is transmitted in plaintext it can be captured with a packet capture tool and there is a risk of information leakage; if transmission is encrypted, the native rule engine plug-in does not support streaming of data encrypted and decrypted with the national cryptographic algorithm. This method designs an asymmetric encryption and decryption algorithm based on the national cryptographic algorithms and modifies the rule engine plug-in to support it, so that the plug-in can parse ciphertext data and then perform the rule operation; with the same optimisation, the post-operation data is forwarded to the upper-layer service system again as an encrypted stream, guaranteeing ciphertext transmission on every network link and thus the security of device service data.
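The encryption formula from step 3 and the rule-engine pass from step 4 (decrypt, verify, calculate, re-encrypt), as an added Python example that is not the patent's, GMTool's or EMQX's code. It implements the SM3 hash from the public specification (GB/T 32905-2016) so that the SM3(A) integrity field is real, and builds the inner payload A + SM3(A) + random number exactly as the formula splices it. The SM2 public-key layer is not implemented: `rule_engine_pass` takes the SM2 encrypt and decrypt functions as parameters, and the accompanying check exercises it with an identity stand-in. The byte form of the {crypto} prefix, the 16-byte nonce width, the JSON record and `high_temperature_rule` are constructed assumptions; the patent fixes none of them.

```python
import hmac
import json
import secrets
import struct
from typing import Callable, Optional

# ---- SM3 (GB/T 32905-2016), written here from the public spec; not the patent's or EMQX's code ----
MASK = 0xFFFFFFFF
_IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]

def _rotl(x: int, n: int) -> int:
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def _p0(x: int) -> int: return x ^ _rotl(x, 9) ^ _rotl(x, 17)
def _p1(x: int) -> int: return x ^ _rotl(x, 15) ^ _rotl(x, 23)

def _compress(v: list, block: bytes) -> list:
    w = list(struct.unpack(">16I", block))          # message expansion W0..W67
    for j in range(16, 68):
        w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    w1 = [w[j] ^ w[j + 4] for j in range(64)]       # W'0..W'63
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        t = 0x79CC4519 if j < 16 else 0x7A879D8A
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & MASK, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        ff = a ^ b ^ c if j < 16 else (a & b) | (a & c) | (b & c)
        gg = e ^ f ^ g if j < 16 else (e & f) | (~e & MASK & g)
        tt1 = (ff + d + ss2 + w1[j]) & MASK
        tt2 = (gg + h + ss1 + w[j]) & MASK
        d, c, b, a = c, _rotl(b, 9), a, tt1
        h, g, f, e = g, _rotl(f, 19), e, _p0(tt2)
    return [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]

def sm3(msg: bytes) -> bytes:
    """SM3 digest (32 bytes) with the standard 1-bit, zero, 64-bit-length padding."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64) + struct.pack(">Q", len(msg) * 8)
    v = _IV
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)

# ---- Inner payload of the formula B = {crypto} + SM2(A + SM3(A) + random number) ----
CRYPTO_PREFIX = b"{crypto}"   # the fixed splicing string; its exact byte form is assumed
HASH_LEN, NONCE_LEN = 32, 16  # SM3 digest width; the nonce width is an assumption

def wrap_plaintext(a: bytes, nonce: Optional[bytes] = None) -> bytes:
    """A + SM3(A) + random number: the byte string the SM2 public-key layer encrypts."""
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be NONCE_LEN bytes")
    return a + sm3(a) + nonce

def verify_and_unwrap(inner: bytes) -> bytes:
    """Run after SM2 decryption: recompute SM3(A) and reject any mismatch before the data is used."""
    if len(inner) < HASH_LEN + NONCE_LEN:
        raise ValueError("inner payload too short")
    a, digest = inner[:-(HASH_LEN + NONCE_LEN)], inner[-(HASH_LEN + NONCE_LEN):-NONCE_LEN]
    if not hmac.compare_digest(sm3(a), digest):
        raise ValueError("SM3 integrity check failed")
    return a

def integrity_holds(inner: bytes) -> bool:
    try:
        verify_and_unwrap(inner)
        return True
    except ValueError:
        return False

def rule_engine_pass(ciphertext: bytes, sm2_decrypt: Callable[[bytes], bytes],
                     sm2_encrypt: Callable[[bytes], bytes],
                     rule: Callable[[dict], Optional[dict]]) -> Optional[bytes]:
    """Decrypt with the rule's private key, verify, run the rule on the JSON, re-encrypt the hit
    with the public key. The SM2 functions are injected; no SM2 implementation is included here."""
    if not ciphertext.startswith(CRYPTO_PREFIX):
        raise ValueError("missing {crypto} prefix")
    record = json.loads(verify_and_unwrap(sm2_decrypt(ciphertext[len(CRYPTO_PREFIX):])))
    hit = rule(record)
    if hit is None:
        return None  # rule not hit: nothing flows on to the upper-layer service
    return CRYPTO_PREFIX + sm2_encrypt(wrap_plaintext(json.dumps(hit).encode("utf-8")))

def high_temperature_rule(record: dict) -> Optional[dict]:
    """Constructed sample rule: forward device and temperature when temperature exceeds 30."""
    if record.get("temperature", 0) > 30:
        return {"device": record.get("device"), "temperature": record["temperature"]}
    return None
```

`verify_and_unwrap` runs before `json.loads`, so a payload whose SM3 field does not match A is rejected before any rule SQL sees it; the nonce sits after the hash and is not covered by it, which matches the formula as written, where SM3 is computed over A alone.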
Other parts of this embodiment are the same as those of embodiment 1, and thus are not described again.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (6)

1. A secure connection method for device data of an Internet of Things platform based on an Emqx broker architecture, used in the scenario of accessing devices to the Internet of Things platform, characterized by the following specific operations: first, a developer obtains an SDK package from the Internet of Things platform; then, a device APP is developed according to the development rules of the SDK package and the service corresponding to the device; then, the APP is programmed into the device; then, the device APP is started and a connection is established between the device APP and the Internet of Things platform; and finally, secure connection transmission of data with the Internet of Things platform is carried out through the device APP.
2. The secure connection method for device data of an Internet of Things platform based on an Emqx broker architecture according to claim 1, wherein the specific steps of establishing the connection between the device and the Internet of Things platform and performing secure connection transmission of data are as follows:
Step 1: a certificate module is arranged on the Internet of Things platform, and connection authentication between the device and the platform is performed through the certificate module; when a device connects to the platform, the platform parses and verifies the device's certificate through its certificate management function; a secure connection channel between the device and the platform is allowed to be established only after the certificate authentication passes, otherwise the device connection fails;
Step 2: the emqx_auth_mysql plug-in on the Internet of Things platform is modified in combination with the platform's data structure design, so that the correctness of a connection message is verified according to the username, en_password and ClientID data carried in the connection message; the device may access the platform only if this authentication succeeds;
Step 3: for a device that has successfully accessed the Internet of Things platform, when uploading service data, a unique public/private key pair for the user is generated with the platform's companion tool, and the uploaded data is asymmetrically encrypted;
Step 4: the encrypted service data is sent to the Internet of Things platform; a rule engine is set up in the platform, which decrypts the encrypted service data, performs rule calculation, and finally re-encrypts the result of the rule calculation and forwards the ciphertext data stream to the upper-layer service system.
3. The secure connection method for device data of an Internet of Things platform based on an Emqx broker architecture according to claim 2, wherein in step 1, when the device comes online and connects to the Emqx broker message server of the Internet of Things platform, an MQTT connection channel is established over TCP/IP; the IoT platform is designed so that MQTT is started with two-way (mutual) SSL/TLS secure connection: during device connection authentication both the server side and the client side must hold certificates, and both sides perform identity authentication, so as to ensure that both parties involved in the communication are trusted.
4. The secure connection method for device data of an Internet of Things platform based on an Emqx broker architecture according to claim 2, wherein during development of the device APP, a ClientID is generated according to the rules of the Internet of Things platform and the SDK, and the ClientID contains device identification information; in step 2, when the device establishes the connection, the connection message carries the triple of username, en_password and ClientID; in the emqx_auth_mysql plug-in, ClientID authentication is added on top of username/password authentication, giving two-layer authentication: the first layer verifies the correctness of the username/password, and the second layer verifies the ownership relationship between the device and the tenant, thereby preventing a tenant from connecting other tenants' devices without authorization.
5. The secure connection method for device data of an Internet of Things platform based on an Emqx broker architecture according to claim 2, wherein in step 3 the encryption algorithm encrypts an original plaintext a to obtain a ciphertext b, the specific encryption formula being:
b = {crypto} + SM2(a + SM3(a) + random number);
where {crypto} is a fixed string used as a concatenated prefix, + denotes concatenation, SM2() is the national public-key (asymmetric) cryptographic algorithm SM2, and SM3() is the national cryptographic hash algorithm SM3.
6. The secure connection method for device data of an Internet of Things platform based on an Emqx broker architecture according to claim 5, wherein in step 4, the tenant creates a rule for the rule engine through the interface of the Internet of Things platform, and the rule of the rule engine carries the public and private key information of the encryption/decryption algorithm; in the actual decryption process, the public and private keys of the rule are parsed out and used for the decryption operation;
for encrypted service data uploaded by the device, the original text is decrypted with the private key in the rule, and rule calculation is then performed; the calculated result is then re-encrypted with the public key and forwarded to the upper-layer service system.
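The two-layer check of claim 4, as an added example in Python against an in-memory SQLite stand-in for the MySQL tables that emqx_auth_mysql queries (example code, not the patent's or EMQX's plug-in code). The table layout, the salted-SHA-256 treatment of en_password, and the ClientID form "<tenant>:<serial>" are assumptions of this example; the page only states that the ClientID carries device identification. The point of the second layer is visible in the ownership check: a tenant presenting valid credentials together with another tenant's ClientID is refused even though layer one passed.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Tuple

# Constructed stand-in for the platform's MySQL tables (column names are assumptions).
SCHEMA = """
CREATE TABLE mqtt_user (
    username      TEXT PRIMARY KEY,
    password_hash TEXT NOT NULL,   -- sha256(salt || en_password), hex
    salt          TEXT NOT NULL,
    tenant_id     TEXT NOT NULL
);
CREATE TABLE device (
    client_id TEXT PRIMARY KEY,    -- assumed form "<tenant>:<serial>"
    tenant_id TEXT NOT NULL,
    device_sn TEXT NOT NULL
);
"""
_DUMMY_SALT = "0" * 16  # used to keep the unknown-user path as slow as the known-user path


def hash_password(salt: str, en_password: str) -> str:
    return hashlib.sha256((salt + en_password).encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Seed two tenants with one device each (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for user, pw, tenant in (("tenant-a", "a-secret", "A"), ("tenant-b", "b-secret", "B")):
        salt = secrets.token_hex(8)
        conn.execute("INSERT INTO mqtt_user VALUES (?, ?, ?, ?)",
                     (user, hash_password(salt, pw), salt, tenant))
    conn.executemany("INSERT INTO device VALUES (?, ?, ?)", [
        ("A:SN-0001", "A", "SN-0001"),
        ("B:SN-0002", "B", "SN-0002"),
    ])
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, username: str, en_password: str,
                 client_id: str) -> Tuple[bool, str]:
    """Layer 1: username/en_password. Layer 2: the ClientID must belong to that user's tenant."""
    row = conn.execute(
        "SELECT password_hash, salt, tenant_id FROM mqtt_user WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        hash_password(_DUMMY_SALT, en_password)  # no early exit that leaks valid usernames
        return False, "unknown user"
    password_hash, salt, tenant_id = row
    if not hmac.compare_digest(hash_password(salt, en_password), password_hash):
        return False, "bad password"

    dev = conn.execute("SELECT tenant_id FROM device WHERE client_id = ?",
                       (client_id,)).fetchone()
    if dev is None:
        return False, "unknown ClientID"
    if dev[0] != tenant_id:
        # Layer 1 passed but the device is registered to another tenant: refuse the CONNECT.
        return False, "ClientID not owned by tenant"
    return True, "ok"


if __name__ == "__main__":
    db = build_db()
    for creds in (("tenant-a", "a-secret", "A:SN-0001"),
                  ("tenant-a", "a-secret", "B:SN-0002")):
        print(creds, "->", authenticate(db, *creds))
```

Both layers run inside one plug-in call so the broker either admits the session or rejects the CONNECT; the parameterised queries also avoid turning the username or ClientID fields of the CONNECT packet into an SQL injection surface.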
Application CN202111103069.3A, filed 2021-09-18 (priority date 2021-09-18): Emqx broker architecture-based secure connection method for data of Internet of Things platform devices. Status: Pending. Publication: CN113810422A (en).

Publications (1)

Publication Number Publication Date
CN113810422A true CN113810422A (en) 2021-12-17

Family

ID=78896038

Country Status (1)

Country Link
CN (1) CN113810422A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117131094A (en) * 2023-10-23 2023-11-28 大唐融合通信股份有限公司 Rule engine, implementation method, equipment and storage medium for Internet of things scene

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014038926A1 (en) * 2012-09-07 2014-03-13 Mimos Berhad A system and method of mutual trusted authentication and identity encryption
CN108377207A (en) * 2018-05-19 2018-08-07 济南浪潮高新科技投资发展有限公司 A kind of access of platform of internet of things equipment and configuration method
CN109088731A (en) * 2018-09-04 2018-12-25 杭州涂鸦信息技术有限公司 A kind of Internet of Things cloud communication means and its device
CN113127914A (en) * 2021-05-12 2021-07-16 国网山西省电力公司电力科学研究院 Electric power Internet of things data security protection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Xing Dashu et al.: "Research on device data security of an IoT platform based on the Emqx broker architecture" (基于Emqx broker架构的物联平台设备数据安全研究), Science & Technology Information (科技资讯), vol. 19, no. 12, pp. 54-57 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination