CN113946845A - Internet of things equipment offline session method and device and storage medium - Google Patents

Internet of things equipment offline session method and device and storage medium Download PDF

Info

Publication number
CN113946845A
CN113946845A CN202111158449.7A CN202111158449A CN113946845A CN 113946845 A CN113946845 A CN 113946845A CN 202111158449 A CN202111158449 A CN 202111158449A CN 113946845 A CN113946845 A CN 113946845A
Authority
CN
China
Prior art keywords
internet
point
authentication
things
things equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111158449.7A
Other languages
Chinese (zh)
Inventor
聂旭文
王婷
李克勤
麻志毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced Institute of Information Technology AIIT of Peking University
Hangzhou Weiming Information Technology Co Ltd
Original Assignee
Advanced Institute of Information Technology AIIT of Peking University
Hangzhou Weiming Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Advanced Institute of Information Technology AIIT of Peking University, Hangzhou Weiming Information Technology Co Ltd filed Critical Advanced Institute of Information Technology AIIT of Peking University
Priority to CN202111158449.7A priority Critical patent/CN113946845A/en
Publication of CN113946845A publication Critical patent/CN113946845A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10Complex mathematical operations
    • G06F17/16Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58Random or pseudo-random number generators
    • G06F7/588Random number generators, i.e. based on natural stochastic processes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Optimization (AREA)
  • Software Systems (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computational Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Mathematical Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Bioethics (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Algebra (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an off-line conversation method of Internet of things equipment, which is applied to an Internet of things system and relates to an edge end gateway, and comprises the following steps: when receiving an equipment identifier sent by the Internet of things equipment for an edge end gateway, generating a first random number according to a random number creation function; performing point multiplication operation in an elliptic curve based on a first random number to generate a first random point; and sending the first random point to the Internet of things equipment, and performing offline authentication on the Internet of things equipment based on the first random point. Therefore, the device authentication and communication encryption functions are realized through the elliptic curve password improvement algorithm of the identification, so that the calculation of the device only needs one elliptic curve point multiplication operation, the space requirement only needs few storage space to complete the storage function, and the identity safety and credibility of the equipment of the Internet of things can be guaranteed while the lightweight algorithm is realized, and the safety of data transmission is protected.

Description

Internet of things equipment offline session method and device and storage medium
Technical Field
The invention relates to the technical field of communication, in particular to an off-line conversation method and device for Internet of things equipment and a storage medium.
Background
With the rapid development of the technology and application of the internet of things, a large amount of internet of things equipment is accessed to the internet. As shown in fig. 1, a large amount of low-cost, low-power-consumption and small-storage internet-of-things equipment is accessed to edge-end equipment; the edge terminal equipment is used as a gateway to collect data of accessed Internet of things equipment; the access end forwards the Internet of things equipment data collected and sent by the edge end to the platform end. In this architecture, if a device authentication and encryption mechanism is lacked, a malicious attacker can forge devices, intercept device data, generate dirty/false data, affect the accuracy of data, and cause information leakage, so how to effectively block the malicious attacker is a current urgent matter for researchers to solve.
In the prior art, the secure communication of the internet of things mainly comprises an equipment authentication scheme and an encryption communication scheme. The traditional internet of things equipment authentication mainly has two modes: one is a mode based on a public key cryptosystem, which can solve both device authentication and encrypted communication, but the communication between devices requires a certificate management center to issue a certificate, and is not suitable for an offline environment. The other is a password encryption mode, equipment passwords are preset in a unified mode, an authentication mechanism of the mode is weak, an independent encryption communication scheme is needed to ensure communication safety, if symmetric encryption is adopted, keys need to be preset in the equipment in a unified mode, and once the keys are leaked, all the equipment is affected; if a public key cryptography is adopted, the same problem as the first method is encountered. The existing scheme based on the national cryptographic algorithm can solve the problems, but the required storage space and the calculated amount are large, and the method is not suitable for the Internet of things equipment with limited resources.
Disclosure of Invention
The embodiment of the application provides an Internet of things device offline conversation method, an Internet of things device offline conversation device and a storage medium. The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview and is intended to neither identify key/critical elements nor delineate the scope of such embodiments. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.
In a first aspect, an embodiment of the present application provides an offline session method for an internet of things device, which is applied to an edge gateway, and the method includes:
when receiving an equipment identifier sent by the Internet of things equipment for an edge end gateway, generating a first random number according to a random number creation function;
performing point multiplication operation in an elliptic curve based on a first random number to generate a first random point;
and sending the first random point to the Internet of things equipment, and performing offline authentication on the Internet of things equipment based on the first random point.
Optionally, performing offline authentication with the internet of things device based on the first random point includes:
when a first authentication point sent by the Internet of things equipment aiming at the edge end gateway is received, calculating an Internet of things equipment public key based on the equipment identification;
calculating a second authentication point according to the first random number and the public key of the Internet of things equipment;
and judging whether the Internet of things equipment passes the authentication according to the first authentication point and the second authentication point.
Optionally, calculating the device public key of the internet of things based on the device identifier includes:
acquiring a first main public key and a second main public key which are sent by a platform side key generation center aiming at an edge side gateway;
acquiring a preset character string;
splicing the equipment identifier and a preset character string to generate a spliced field;
calculating the hash value of the splicing field according to a secure hash function;
performing point multiplication on the hash value and the first main public key, and summing the value subjected to point multiplication and the second main public key to generate an Internet of things equipment public key;
the computing formula of the public key of the Internet of things equipment is as follows: PK ═ HASH (ID | |0x01) ] PubKey1+ PubKey 2; the HASH is a secure HASH function, the ID is an internet of things device, 0x01 is a preset character string, the PubKey1 is a first master public key, and the PubKey2 is a second master public key.
Optionally, determining whether the internet of things device passes authentication according to the first authentication point and the second authentication point includes:
when the first authentication point is the same as the second authentication point, determining that the equipment of the Internet of things passes authentication;
alternatively, the first and second electrodes may be,
and when the first authentication point is different from the second authentication point, determining that the equipment authentication of the Internet of things is not passed.
Optionally, the method further comprises:
when the IOT equipment passes the authentication, generating a second random number according to a random number creating function;
performing point multiplication operation in the elliptic curve based on the second random number to generate a second random point;
sending the second random point to the Internet of things equipment;
calculating a first secret common point according to the second random number and the public key of the Internet of things equipment;
extracting the abscissa in the first secret common point as a negotiation key;
and carrying out encryption communication with the Internet of things equipment according to the negotiation key and the symmetric encryption algorithm.
In a second aspect, an embodiment of the present application provides an internet of things device offline session method, which is applied to an internet of things device, and the method includes:
receiving a first random point sent by an edge end gateway aiming at the Internet of things equipment;
acquiring an equipment private key sent by a platform side key generation center aiming at the Internet of things equipment;
calculating a first authentication point according to the device private key and the first random point;
and sending the first authentication point to the edge end gateway.
Optionally, the method further comprises:
receiving a second random point sent by the edge end gateway aiming at the Internet of things equipment;
calculating a second secret common point according to the device private key and the second random point;
extracting the abscissa in the second secret common point as a negotiation key;
and carrying out encryption communication with the edge end gateway according to the negotiation key and the symmetric encryption algorithm.
In a third aspect, an embodiment of the present application provides an internet of things device offline session method, which is applied to a platform side key generation center, and the method includes:
when the Internet of things system is initialized, generating a first master private key and a second master private key according to a random number creating function;
performing point multiplication operation in an elliptic curve according to the first main private key and the second main private key to generate a first main public key and a second main public key;
when new Internet of things equipment is added, generating equipment identification aiming at the Internet of things equipment;
calculating a device private key according to the device identification, the first master private key and the second master private key;
the first master public key, the second master public key and the equipment private key are sent to the Internet of things equipment through a preset safety channel;
and sending the first main public key and the second main public key to the edge end gateway.
In a fourth aspect, an embodiment of the present application provides an offline session device for internet of things devices, which is applied to an edge gateway, and the device includes:
the device comprises a random number creating module, a random number generating module and a random number generating module, wherein the random number creating module is used for generating a first random number according to a random number creating function when receiving a device identifier sent by the Internet of things device aiming at an edge end gateway;
the random point generating module is used for performing point multiplication operation in an elliptic curve based on a first random number to generate a first random point;
and the offline authentication module is used for sending the first random point to the Internet of things equipment and performing offline authentication on the Internet of things equipment based on the first random point.
In a fourth aspect, embodiments of the present application provide a computer storage medium having stored thereon a plurality of instructions adapted to be loaded by a processor and to perform the above-mentioned method steps.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
in the embodiment of the application, when receiving an equipment identifier sent by the internet of things equipment to the edge end gateway, the edge end gateway generates a first random number according to a random number creation function, then performs point multiplication operation in an elliptic curve based on the first random number to generate a first random point, and finally sends the first random point to the internet of things equipment and performs offline authentication with the internet of things equipment based on the first random point. Therefore, the device authentication and communication encryption functions are realized through the elliptic curve password improvement algorithm of the identification, so that the calculation of the device only needs one elliptic curve point multiplication operation, the space requirement only needs few storage space to complete the storage function, and the identity safety and credibility of the equipment of the Internet of things can be guaranteed while the lightweight algorithm is realized, and the safety of data transmission is protected.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
Fig. 1 is a system architecture diagram of an internet of things device session according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of an offline session method of an internet of things device applied to an edge gateway according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram illustrating a device authentication process provided in the present application;
fig. 4 is a schematic diagram of a key agreement process provided in the present application;
fig. 5 is a schematic flowchart of an offline session method of an internet of things device applied to an internet of things device according to an embodiment of the present application;
fig. 6 is a schematic flowchart of an offline session method of an internet of things device of a platform-side key generation center according to the present application;
fig. 7 is a schematic device diagram of an internet of things device offline session apparatus applied to an edge gateway according to the present application;
fig. 8 is a schematic structural diagram of a gateway device according to an embodiment of the present application.
Detailed Description
The following description and the drawings sufficiently illustrate specific embodiments of the invention to enable those skilled in the art to practice them.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
In the description of the present invention, it is to be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art. In addition, in the description of the present invention, "a plurality" means two or more unless otherwise specified. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The application provides an Internet of things device offline session method, an Internet of things device offline session device and a storage medium, and aims to solve the problems in the related technical problems. In the technical scheme provided by the application, because the elliptic curve password improvement algorithm of the identification is adopted to realize the functions of equipment authentication and communication encryption, the calculation of the equipment only needs one elliptic curve point multiplication operation, the space requirement only needs few storage spaces to complete the storage function, the safety and credibility of the identity of the equipment in the Internet of things can be guaranteed while the lightweight algorithm is realized, the safety of data transmission is protected, and the detailed description is carried out by adopting an exemplary embodiment.
The method for offline conversation of the internet of things device provided by the embodiment of the present application will be described in detail below with reference to fig. 1 to 6. The method can be implemented by relying on a computer program and can run on an internet of things device offline conversation device based on a von neumann architecture. The computer program may be integrated into the application or may run as a separate tool-like application.
Referring to fig. 1, a schematic flow chart of an offline session method of an internet of things device is provided for the embodiment of the present application, and is applied to an edge gateway. As shown in fig. 1, the method of the embodiment of the present application may include the following steps:
s101, when receiving an equipment identifier sent by the Internet of things equipment for an edge end gateway, generating a first random number according to a random number creation function;
in the embodiment of the present application, the calculation formula in the form of P' ═ n ] P represents a point multiplication operation in an elliptic curve; hash () represents a secure Hash function, and the output is converted to a large integer; and | | represents a string splicing operation.
Generally, before the edge gateway receives the device identifier, when the internet of things system is initialized, the platform side key generation center generates a random number k according to a random number creation function1,k2As the master private key, k1Is a first master private key, k2The platform side key generation center is a second master private key according to the first master private key k1With a second master private key k2Performing point multiplication operation in an elliptic curve to generate a first main public key and a second main public key, wherein the calculation formula of the first main public key is as follows: PubKey1=[k1]P, the calculation formula of the second master public key is: PubKey2=[k2]P, at which point initialization is complete.
When new internet of things equipment is added, a platform end secret key generation center generates an equipment identification ID aiming at the internet of things equipment, and the platform end secret key generation center calculates an equipment secret key sk according to the equipment identification ID, a first main secret key and a second main secret key, wherein the calculation formula of the equipment secret key sk is as follows:
sk=Hash(ID||0x01)·k1+k2 mod N。
the platform side key generation center sends the first main public key, the second main public key and the equipment private key to the Internet of things equipment through a preset safety channel, and sends the first main public key and the second main public key to the edge side gateway.
Further, the internet of things equipment discovers the gateway through a preset authentication gateway IP, and the internet of things equipment sends the equipment identification ID of the internet of things equipment to the edge end gateway.
In a possible implementation manner, the edge gateway receives an equipment identifier sent by the internet of things equipment for the edge gateway, and generates a first random number r according to a random number creation function.
S102, performing point multiplication operation in an elliptic curve based on a first random number to generate a first random point;
in a possible implementation manner, after generating the first random number r, the edge gateway performs a point multiplication operation in the elliptic curve based on the first random number to generate a first random point, where a calculation formula of the first random point is: RP ═ r ] P.
S103, the first random point is sent to the Internet of things equipment, and offline authentication is conducted on the Internet of things equipment based on the first random point.
In a possible implementation manner, the edge gateway sends the first random point RP to the internet of things device, and performs offline authentication with the internet of things device based on the first random point.
Further, after the internet of things device receives the first random point RP, the platform-side key generation center obtains a device private key sk sent by the internet of things device, then a first authentication point AP is calculated according to the device private key sk and the first random point RP, and finally the first authentication point AP is sent to the edge-side gateway. The calculation formula of the first authentication point AP is: AP ═ sk RP.
Specifically, when offline authentication is performed on the internet of things device based on the first random point, the edge gateway first receives the first authentication point AP sent by the internet of things device for the edge gateway, calculates the public key of the internet of things device based on the device identifier ID, then calculates the second authentication point AP 'according to the first random number r and the public key of the internet of things device, and finally determines whether the internet of things device passes the authentication according to the first authentication point AP and the second authentication point AP'.
Specifically, when the edge gateway calculates the public key of the internet of things device based on the device identification ID, the edge gateway first obtains the first master public key PubKey1 and the second master public key PubKey2 sent by the platform side key generation center for the edge gateway, then obtains the preset character string 0x01, then splices the device identification and the preset character string to generate a spliced field, then calculates the hash value of the spliced field according to the secure hash function, and finally performs point multiplication on the hash value and the first master public key, and performs summation on the value after the point multiplication and the second master public key to generate the public key of the internet of things device.
The calculation formula of the public key PK of the Internet of things equipment is as follows: PK ═ Hash (ID | |0x01)]PubKey1+PubKey2. The HASH is a secure HASH function, the ID is an internet of things device, 0x01 is a preset character string, the PubKey1 is a first master public key, and the PubKey2 is a second master public key.
Wherein, the second authentication point calculation formula is: AEP' ═ r PK.
Specifically, when the edge end gateway judges whether the internet of things equipment passes the authentication according to the first authentication point AP and the second authentication point AP ', when the first authentication point AP is the same as the second authentication point AP', the edge end gateway determines that the internet of things equipment passes the authentication; or when the first authentication point AP is different from the second authentication point AP', the edge end gateway determines that the equipment authentication of the internet of things does not pass.
For example, as shown in fig. 3, fig. 3 is a schematic diagram of an apparatus authentication flow provided in the present application, an apparatus discovers a gateway by presetting an authentication gateway IP, the apparatus sends an apparatus identifier ID of the apparatus to the gateway, the gateway receives the apparatus identifier ID, the gateway generates a random number r and calculates a random point RP ═ r ] P, the gateway sends the random point RP to the apparatus, and the apparatus calculates an authentication point based on an apparatus private key: the AP is [ sk ] RP and is sent to the gateway, the gateway receives the authentication point AP, and the gateway calculates the device public key based on the received device identification ID
PK=[Hash(ID||0x01)]PubKey1+PubKey2The gateway calculates an authentication comparison point AP' ═ r based on the random number r and the device public key PK]And the PK, the gateway compares the authentication point AP with the authentication comparison point AP', if the two are the same, the authentication is passed, otherwise, the authentication is not passed.
For example, as shown in fig. 4, fig. 4 is a schematic diagram of a key agreement flow provided by the present application, where a gateway generates a random number m and calculates a random point MP as [ m ] P, the gateway sends the random point MP to a device, the device receives the random point MP and calculates a secret common point SP as [ sk ] MP, an abscissa x of the SP is taken as a negotiation key, the gateway calculates a secret common point SP ' ═ m ] PK based on the random number m and the device public key PK, an abscissa x ' of the SP ' is taken as the negotiation key, and both parties perform encryption communication with a symmetric encryption algorithm based on the negotiation key.
Further, when the internet of things equipment passes the authentication, the edge end gateway firstly generates a second random number m according to the random number creating function, then performs point multiplication operation in an elliptic curve based on the second random number to generate a second random point MP, then sends the second random point MP to the internet of things equipment, secondly calculates a first secret common point SP ' according to the second random number m and the internet of things equipment public key PK, then extracts an abscissa x ' in the first secret common point SP ' as a negotiation key, and finally performs encryption communication with the internet of things equipment according to the negotiation key and a symmetric encryption algorithm.
Wherein, the calculation formula of the second random point MP is: MP ═ m ] P.
Wherein, the calculation formula of the second secret common point is: SP' ═ m PK.
Further, the internet of things device firstly receives a second random point MP sent by the edge end gateway aiming at the internet of things device, then the internet of things device calculates a second secret common point SP according to the device private key and the second random point MP, then the internet of things device extracts an abscissa x in the second secret common point as a negotiation key, and finally the internet of things device carries out encryption communication with the edge end gateway according to the negotiation key and a symmetric encryption algorithm.
Alternatively, in the case of extremely limited device resources, the device can be encrypted by performing an exclusive or operation on the negotiation key and the plaintext.
In the embodiment of the application, when receiving an equipment identifier sent by the internet of things equipment to the edge end gateway, the edge end gateway generates a first random number according to a random number creation function, then performs point multiplication operation in an elliptic curve based on the first random number to generate a first random point, and finally sends the first random point to the internet of things equipment and performs offline authentication with the internet of things equipment based on the first random point. Therefore, the device authentication and communication encryption functions are realized through the elliptic curve password improvement algorithm of the identification, so that the calculation of the device only needs one elliptic curve point multiplication operation, the space requirement only needs few storage space to complete the storage function, and the identity safety and credibility of the equipment of the Internet of things can be guaranteed while the lightweight algorithm is realized, and the safety of data transmission is protected.
Referring to fig. 5, a schematic flow chart of an offline session method of an internet of things device is provided for the embodiment of the present application, and is applied to the internet of things device. As shown in fig. 5, the method of the embodiment of the present application may include the following steps:
s201, receiving a first random point sent by an edge end gateway aiming at the Internet of things equipment;
s202, acquiring an equipment private key sent by a platform side key generation center aiming at the Internet of things equipment;
s203, calculating a first authentication point according to the device private key and the first random point;
and S204, sending the first authentication point to the edge end gateway.
S205, receiving a second random point sent by the edge end gateway aiming at the Internet of things equipment;
s206, calculating a second secret common point according to the device private key and the second random point;
s207, extracting the abscissa in the second secret common point as a negotiation key;
and S208, carrying out encryption communication with the edge end gateway according to the negotiation key and the symmetric encryption algorithm.
When equipment is authenticated, when an edge gateway (hereinafter referred to as gateway) needs to authenticate the equipment, the equipment firstly sends an identification ID of the equipment to the gateway, the gateway generates a random number r, calculates a random point RP (r) P, and sends the point RP to the equipment; after the device receives the point RP, calculating an authentication point AP (application point) (sk) SP, and sending the point AP to a gateway; the gateway calculates a public key PK under an ECC public key cryptosystem based on the identification ID of the equipment:
PK=[Hash(ID||0x01)]PubKey1+PubKey2then, based on the device public key PK, an authentication point AP' is calculated as [ r ═ r]And the PK compares the received authentication points AP, if the two points are the same, the authentication is passed, otherwise, the authentication is not passed.
During key agreement, after the gateway passes the authentication of the device, a random number m is generated, a random point MP is calculated to be [ m ] P, the random point MP is sent to the device, the gateway calculates a secret common point SP to be [ m ] PK based on a device public key PK, and an abscissa x of the secret common point SP is serialized to obtain an agreement key; after receiving the random point MP, the device generates a secret common point SP ' ═ sk ] MP by using its own device private key sk, and also serializes the abscissa x ' of the common point SP ' to obtain the negotiation key.
In the embodiment of the application, when receiving an equipment identifier sent by the internet of things equipment to the edge end gateway, the edge end gateway generates a first random number according to a random number creation function, then performs point multiplication operation in an elliptic curve based on the first random number to generate a first random point, and finally sends the first random point to the internet of things equipment and performs offline authentication with the internet of things equipment based on the first random point. Therefore, the device authentication and communication encryption functions are realized through the elliptic curve password improvement algorithm of the identification, so that the calculation of the device only needs one elliptic curve point multiplication operation, the space requirement only needs few storage space to complete the storage function, and the identity safety and credibility of the equipment of the Internet of things can be guaranteed while the lightweight algorithm is realized, and the safety of data transmission is protected.
Referring to fig. 6, a schematic flow chart of an offline session method of an internet of things device is provided for the embodiment of the present application, and is applied to a platform-side key generation center. As shown in fig. 6, the method of the embodiment of the present application may include the following steps:
s301, when the Internet of things system is initialized, generating a first master private key and a second master private key according to a random number creating function;
s302, performing point multiplication operation in an elliptic curve according to the first main private key and the second main private key to generate a first main public key and a second main public key;
s303, when a new Internet of things device is added, generating a device identifier for the Internet of things device;
s304, calculating a device private key according to the device identification, the first master private key and the second master private key;
s305, sending the first master public key, the second master public key and the equipment private key to the Internet of things equipment through a preset secure channel;
s306, the first main public key and the second main public key are sent to the edge end gateway.
In a possible implementation manner, the platform-side key generation center first selects a secure elliptic curve and generates related public parameters, including parameters a, b, and q of the elliptic curve, and a base point P and an order N. Subsequently generating a random number k1,k2As a master private key and calculates a point PubKey1=[k1]P, point PubKey2=[k2]P, taking two points as the master public key.
For a device, firstly generating a device identification ID for the device; and generating a private key sk of the equipment according to the equipment identification ID: sk ═ Hash (D | | |0x01) · k1+k2mod N; in the ECC public key cryptography, the public key is PK ═ sk]P. of the deviceThe identification ID and the private key are preset in the equipment.
In the embodiment of the application, when receiving an equipment identifier sent by the internet of things equipment to the edge end gateway, the edge end gateway generates a first random number according to a random number creation function, then performs point multiplication operation in an elliptic curve based on the first random number to generate a first random point, and finally sends the first random point to the internet of things equipment and performs offline authentication with the internet of things equipment based on the first random point. Therefore, the device authentication and communication encryption functions are realized through the elliptic curve password improvement algorithm of the identification, so that the calculation of the device only needs one elliptic curve point multiplication operation, the space requirement only needs few storage space to complete the storage function, and the identity safety and credibility of the equipment of the Internet of things can be guaranteed while the lightweight algorithm is realized, and the safety of data transmission is protected.
The following are embodiments of the apparatus of the present invention that may be used to perform embodiments of the method of the present invention. For details which are not disclosed in the embodiments of the apparatus of the present invention, reference is made to the embodiments of the method of the present invention.
Fig. 7 is a schematic structural diagram of an offline session apparatus of an internet of things device according to an exemplary embodiment of the present invention, which is applied to an edge gateway. The off-line session device of the internet of things equipment can be realized by software, hardware or a combination of the software and the hardware to become all or part of the gateway equipment. The device 1 comprises a random number creating module 10, a random point generating module 20 and an off-line authentication module 30.
The random number creating module 10 is configured to generate a first random number according to a random number creating function when receiving a device identifier sent by the internet of things device for the edge gateway;
a random point generating module 20, configured to perform a point multiplication operation in an elliptic curve based on a first random number to generate a first random point;
the offline authentication module 30 is configured to send the first random point to the internet of things device, and perform offline authentication with the internet of things device based on the first random point.
It should be noted that, when the internet of things device offline conversation apparatus provided in the foregoing embodiment executes the internet of things device offline conversation method, only the division of the functional modules is used for illustration, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the internet of things device offline conversation apparatus provided by the above embodiment and the internet of things device offline conversation method embodiment belong to the same concept, and details of the implementation process are found in the method embodiment, and are not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the embodiment of the application, when receiving an equipment identifier sent by the internet of things equipment to the edge end gateway, the edge end gateway generates a first random number according to a random number creation function, then performs point multiplication operation in an elliptic curve based on the first random number to generate a first random point, and finally sends the first random point to the internet of things equipment and performs offline authentication with the internet of things equipment based on the first random point. Therefore, the device authentication and communication encryption functions are realized through the elliptic curve password improvement algorithm of the identification, so that the calculation of the device only needs one elliptic curve point multiplication operation, the space requirement only needs few storage space to complete the storage function, and the identity safety and credibility of the equipment of the Internet of things can be guaranteed while the lightweight algorithm is realized, and the safety of data transmission is protected.
The invention also provides a computer readable medium, on which program instructions are stored, and when the program instructions are executed by a processor, the method for offline conversation of the internet of things device provided by the above method embodiments is implemented. The invention also provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the method for offline conversation of internet of things devices of the above-mentioned method embodiments.
Fig. 8 is a schematic diagram of an internal structure of a gateway device in an embodiment. As shown in fig. 8, the gateway device includes a processor, a nonvolatile storage medium, a memory, and a network interface connected through a system bus. The non-volatile storage medium of the gateway device stores an operating system, a database and computer readable instructions, the database can store control information sequences, and the computer readable instructions can enable the processor to realize a data transmission method when being executed by the processor. The processor of the gateway device is used for providing calculation and control capability and supporting the operation of the whole gateway device. The memory of the gateway device may have stored therein computer readable instructions that, when executed by the processor, may cause the processor to perform a data transmission method. The network interface of the gateway device is used for connecting and communicating with the terminal. Those skilled in the art will appreciate that the structure shown in fig. 8 is a block diagram of only a portion of the structure associated with the present application and does not constitute a limitation on the gateway device to which the present application applies, and that a particular gateway device may include more or less components than those shown, or combine certain components, or have a different arrangement of components.
In one embodiment, a gateway device is proposed, the gateway device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
when receiving an equipment identifier sent by the Internet of things equipment for an edge end gateway, generating a first random number according to a random number creation function;
performing point multiplication operation in an elliptic curve based on a first random number to generate a first random point;
and sending the first random point to the Internet of things equipment, and performing offline authentication on the Internet of things equipment based on the first random point.
In one embodiment, when the processor performs offline authentication with the internet of things device based on the first random point, the following steps are specifically performed:
when a first authentication point sent by the Internet of things equipment aiming at the edge end gateway is received, calculating an Internet of things equipment public key based on the equipment identification;
calculating a second authentication point according to the first random number and the public key of the Internet of things equipment;
and judging whether the Internet of things equipment passes the authentication according to the first authentication point and the second authentication point.
In one embodiment, when the processor performs the calculation of the internet of things device public key based on the device identifier, the following steps are specifically performed:
acquiring a first main public key and a second main public key which are sent by a platform side key generation center aiming at an edge side gateway;
acquiring a preset character string;
splicing the equipment identifier and a preset character string to generate a spliced field;
calculating the hash value of the splicing field according to a secure hash function;
performing point multiplication on the hash value and the first main public key, and summing the value subjected to point multiplication and the second main public key to generate an Internet of things equipment public key;
the computing formula of the public key of the Internet of things equipment is as follows: PK ═ HASH (ID | |0x01) ] PubKey1+ PubKey 2; the HASH is a secure HASH function, the ID is an internet of things device, 0x01 is a preset character string, the PubKey1 is a first master public key, and the PubKey2 is a second master public key.
In one embodiment, when the processor determines whether the internet of things device passes authentication according to the first authentication point and the second authentication point, the processor specifically executes the following steps:
when the first authentication point is the same as the second authentication point, determining that the equipment of the Internet of things passes authentication;
alternatively, the first and second electrodes may be,
and when the first authentication point is different from the second authentication point, determining that the equipment authentication of the Internet of things is not passed.
In one embodiment, the processor further performs the steps of:
when the IOT equipment passes the authentication, generating a second random number according to a random number creating function;
performing point multiplication operation in the elliptic curve based on the second random number to generate a second random point;
sending the second random point to the Internet of things equipment;
calculating a first secret common point according to the second random number and the public key of the Internet of things equipment;
extracting the abscissa in the first secret common point as a negotiation key;
and carrying out encryption communication with the Internet of things equipment according to the negotiation key and the symmetric encryption algorithm.
In the embodiment of the application, when receiving an equipment identifier sent by the internet of things equipment to the edge end gateway, the edge end gateway generates a first random number according to a random number creation function, then performs point multiplication operation in an elliptic curve based on the first random number to generate a first random point, and finally sends the first random point to the internet of things equipment and performs offline authentication with the internet of things equipment based on the first random point. Therefore, the device authentication and communication encryption functions are realized through the elliptic curve password improvement algorithm of the identification, so that the calculation of the device only needs one elliptic curve point multiplication operation, the space requirement only needs few storage space to complete the storage function, and the identity safety and credibility of the equipment of the Internet of things can be guaranteed while the lightweight algorithm is realized, and the safety of data transmission is protected.
It will be understood by those skilled in the art that all or part of the processes in the methods of the embodiments described above may be implemented by instructing relevant hardware through a computer program, and the program for the offline session of the internet of things device may be stored in a computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory or a random access memory.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present application and is not to be construed as limiting the scope of the present application, so that the present application is not limited thereto, and all equivalent variations and modifications can be made to the present application.

Claims (10)

1. An offline session method for internet of things equipment is applied to an edge gateway, and is characterized by comprising the following steps:
when receiving an equipment identifier sent by the Internet of things equipment aiming at the edge end gateway, generating a first random number according to a random number creation function;
performing point multiplication operation in an elliptic curve based on the first random number to generate a first random point;
and sending the first random point to the Internet of things equipment, and performing offline authentication on the Internet of things equipment based on the first random point.
2. The method of claim 1, wherein the performing offline authentication with the internet of things device based on the first random point comprises:
when a first authentication point sent by the Internet of things equipment for the edge end gateway is received, calculating an Internet of things equipment public key based on the equipment identification;
calculating a second authentication point according to the first random number and the public key of the Internet of things equipment;
and judging whether the Internet of things equipment passes the authentication according to the first authentication point and the second authentication point.
3. The method of claim 2, wherein the computing an internet of things device public key based on the device identification comprises:
acquiring a first main public key and a second main public key which are sent by a platform side key generation center aiming at the edge side gateway;
acquiring a preset character string;
splicing the equipment identification and the preset character string to generate a spliced field;
calculating the hash value of the splicing field according to a secure hash function;
performing point multiplication on the hash value and the first main public key, and generating an internet of things equipment public key after the point-multiplied value and the second main public key are summed;
the computing formula of the public key of the Internet of things equipment is as follows: PK ═ HASH (ID | |0x01) ] PubKey1+ PubKey 2; the HASH is a secure HASH function, the ID is an internet of things device, 0x01 is a preset character string, the PubKey1 is a first master public key, and the PubKey2 is a second master public key.
4. The method of claim 2, wherein the determining whether the internet of things device is authenticated according to the first authentication point and the second authentication point comprises:
when the first authentication point is the same as the second authentication point, determining that the Internet of things equipment passes authentication;
alternatively, the first and second electrodes may be,
and when the first authentication point is different from the second authentication point, determining that the equipment authentication of the Internet of things is not passed.
5. The method of claim 4, further comprising:
when the Internet of things equipment passes the authentication, generating a second random number according to a random number creating function;
performing point multiplication operation in an elliptic curve based on the second random number to generate a second random point;
sending the second random point to the Internet of things equipment;
calculating a first secret common point according to the second random number and the public key of the Internet of things equipment;
extracting the abscissa in the first secret common point as a negotiation key;
and carrying out encryption communication with the Internet of things equipment according to the negotiation key and the symmetric encryption algorithm.
6. An Internet of things equipment offline conversation method is applied to Internet of things equipment and is characterized by comprising the following steps:
receiving a first random point sent by an edge end gateway aiming at the Internet of things equipment;
acquiring an equipment private key sent by a platform side key generation center aiming at the Internet of things equipment;
calculating a first authentication point according to the device private key and the first random point;
and sending the first authentication point to the edge end gateway.
7. The method of claim 6, further comprising:
receiving a second random point sent by the edge end gateway aiming at the Internet of things equipment;
calculating a second secret common point according to the device private key and the second random point;
extracting the abscissa in the second secret common point as a negotiation key;
and carrying out encryption communication with the edge end gateway according to the negotiation key and the symmetric encryption algorithm.
8. An Internet of things equipment offline session method is applied to a platform-side key generation center, and is characterized by comprising the following steps:
when the Internet of things system is initialized, generating a first main private key and a second main private key according to a random number creating function;
performing point multiplication operation in an elliptic curve according to the first main private key and the second main private key to generate a first main public key and a second main public key;
when new Internet of things equipment is added, generating equipment identification aiming at the Internet of things equipment;
calculating a device private key according to the device identification, the first master private key and the second master private key;
the first master public key, the second master public key and the equipment private key are sent to the Internet of things equipment through a preset safety channel;
and sending the first main public key and the second main public key to an edge end gateway.
9. The utility model provides a thing networking device off-line conversation device, is applied to edge end gateway, its characterized in that, the device includes:
the random number creating module is used for generating a first random number according to a random number creating function when receiving an equipment identifier sent by the Internet of things equipment aiming at the edge end gateway;
a random point generating module, configured to perform a point multiplication operation in an elliptic curve based on the first random number to generate a first random point;
and the offline authentication module is used for sending the first random point to the Internet of things equipment and performing offline authentication on the Internet of things equipment based on the first random point.
10. A computer storage medium, characterized in that it stores a plurality of instructions adapted to be loaded by a processor and to perform the method steps according to any of claims 1-8.
CN202111158449.7A 2021-09-28 2021-09-28 Internet of things equipment offline session method and device and storage medium Pending CN113946845A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111158449.7A CN113946845A (en) 2021-09-28 2021-09-28 Internet of things equipment offline session method and device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111158449.7A CN113946845A (en) 2021-09-28 2021-09-28 Internet of things equipment offline session method and device and storage medium

Publications (1)

Publication Number Publication Date
CN113946845A true CN113946845A (en) 2022-01-18

Family

ID=79329027

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111158449.7A Pending CN113946845A (en) 2021-09-28 2021-09-28 Internet of things equipment offline session method and device and storage medium

Country Status (1)

Country Link
CN (1) CN113946845A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116668203A (en) * 2023-08-02 2023-08-29 浙江大华技术股份有限公司 Device authentication method, internet of things device, authentication platform and readable storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116668203A (en) * 2023-08-02 2023-08-29 浙江大华技术股份有限公司 Device authentication method, internet of things device, authentication platform and readable storage medium
CN116668203B (en) * 2023-08-02 2023-10-20 浙江大华技术股份有限公司 Device authentication method, internet of things device, authentication platform and readable storage medium

Similar Documents

Publication Publication Date Title
Srinivas et al. Designing anonymous signature-based authenticated key exchange scheme for Internet of Things-enabled smart grid systems
US10601801B2 (en) Identity authentication method and apparatus
He et al. A strong user authentication scheme with smart cards for wireless communications
CN106341232B (en) A kind of anonymous entity discrimination method based on password
EP2106090A1 (en) A method, system and network device for mutual authentication
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
CN105721153B (en) Key exchange system and method based on authentication information
Wang et al. A secure and efficient multiserver authentication and key agreement protocol for internet of vehicles
CN114362993B (en) Block chain assisted Internet of vehicles security authentication method
CN112733129B (en) Trusted access method for server out-of-band management
CN108390866B (en) Trusted remote certification method and system based on double-agent bidirectional anonymous authentication
CN110336664A (en) Information service entities cross-domain authentication method based on SM2 cryptographic algorithm
Meng et al. Fast secure and anonymous key agreement against bad randomness for cloud computing
Zhao et al. Fuzzy identity-based dynamic auditing of big data on cloud storage
Khan et al. Resource efficient authentication and session key establishment procedure for low-resource IoT devices
CN113364595B (en) Power grid private data signature aggregation method and device and computer equipment
KR101131929B1 (en) Public key-based authentication apparatus and method for authentication
CN112422516B (en) Trusted connection method and device based on power edge calculation and computer equipment
CN114095162A (en) Connection verification method and device for certificateless power consumption information acquisition system
CN113946845A (en) Internet of things equipment offline session method and device and storage medium
Zhong et al. Authentication and key agreement based on anonymous identity for peer-to-peer cloud
CN116170144B (en) Smart power grid anonymous authentication method, electronic equipment and storage medium
US11240661B2 (en) Secure simultaneous authentication of equals anti-clogging mechanism
CN110557260A (en) SM9 digital signature generation method and device
CN115442037A (en) Account management method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination