CN114172930A - Large-scale Internet of things service domain isolated communication method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN114172930A
Authority
CN
China
Prior art keywords
user terminal
service domain
address
things
communication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111320092.8A
Other languages
Chinese (zh)
Other versions
CN114172930B (en)
Inventor
徐恪
王晓亮
付松涛
凌思通
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University
Priority to CN202111320092.8A
Publication of CN114172930A
Application granted
Publication of CN114172930B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The application belongs to the technical field of computer networks and relates to a large-scale Internet of things service domain isolated communication method, device, electronic equipment and storage medium. The method introduces identity-based access control to achieve logical isolation of topology and performance in the initial state of an Internet of things service domain; at the same time, it combines key management services to protect the privacy of the service domain's data communication, ensuring end-network-cloud logical isolation of the service domain over the full life cycle of its data, covering the three aspects of topology, performance and service. First, a terminal identity identifier is established at the access network position of an Internet of things terminal, using access-network real source address verification and a real identity mechanism based on the network address; within the management domain, a software-defined network slicing mechanism divides the different service domains into slices and allocates resources to them, realizing topology and performance isolation between service domains; finally, service isolation is realized through an access control mechanism, and data encryption through symmetric key exchange.

Description

Large-scale Internet of things service domain isolated communication method and device, electronic equipment and storage medium
Technical Field
The application belongs to the technical field of computer networks, and particularly relates to a large-scale Internet of things service domain isolated communication method, device, electronic equipment and storage medium.
Background
With the rapid development and wide application of computing and network technology, the interconnection of everything brings great convenience and development to society and the economy; at the same time, the huge user base, the number of devices and the vulnerability of those devices make them preferred targets of security attacks. How to use effective technical means in an open, shared network to ensure that Internet of things service domains are isolated from each other in their initial state, so as to protect data security and privacy during communication between different service domains, has become an important problem in Internet of things security research.
Logical isolation is a general means of solving core data privacy protection and access control between different service domains in a large-scale distributed system: it ensures that resources in different isolation areas cannot freely access each other and that only necessary data exchange takes place under controllable conditions. With the popularization of SDN technology, SDN-based network slicing has become one of the main technologies for implementing logical isolation. A network slice is a virtualized end-to-end logical network, closely tied to virtualization technology, which can provide one or more service-carrying networks within the same physical network and is an efficient mode of network sharing and virtualization management. However, network slices based on SDN alone are not effective against IP address spoofing attacks and do not support service isolation effectively.
The secure and efficient network slicing and service-oriented authentication framework (ES3A) builds on SDN-based network slices designed for the different requirements of Internet of things services, and on that basis adopts group key agreement to encrypt data inside a service with a group key. Against IP address forgery, ES3A relies on service-layer authentication to ensure that a forged IP address still cannot illegally access the service; however, service-layer resistance to IP spoofing cannot effectively support the logical isolation mechanism based on SDN network slices, because packets with a spoofed IP can still bypass the slicing mechanism, reach the destination and consume network slice resources, so network-layer traffic attacks such as DDoS cannot be avoided.
The expandable Virtual Local Area Network (SVLAN) improves on the security problems of the VXLAN technology. Because VXLAN cannot resist tampering and forgery attacks on the packet header, SVLAN introduces an authorization request process before a packet is sent: the forwarded packet carries an authorization certificate, intermediate forwarding nodes can act as verifiers, and if verification fails the packet header is considered forged and the packet is filtered. SVLAN thus filters packets with forged source IPs at the network layer, which effectively alleviates the DDoS problem, because packets sent from unauthorized IPs and packets with tampered source IPs are filtered during forwarding. However, SVLAN relies on technologies such as segment routing and is mainly deployed in data center networks, so it cannot be effectively applied to the Internet of things to realize end-network-cloud full-life-cycle isolation.
Disclosure of Invention
In view of this, the present disclosure provides a large-scale Internet of things service domain isolated communication method, device, electronic device and storage medium, so as to solve the technical problem in the related art.
According to a first aspect of the disclosure, a large-scale Internet of things service domain isolated communication method is provided, which includes:
binding the IPv6 address of a user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch to each other;
allocating Internet of things communication before it takes place, according to the real identity carried in the IPv6 address of the user terminal;
allocating different data stream bandwidths according to the resource usage state of the large-scale Internet of things service domain;
partitioning the access targets according to the real identity of the user terminal, so that an unauthorized user cannot access service resources outside its authority;
and each user terminal in the same service domain adopting a key exchange algorithm to realize encrypted communication.
The disclosure provides a large-scale Internet of things service domain isolated communication method in which a distributed service domain center is configured in each management domain; the distributed service domain center comprises a real identity management module, a resource isolation module, a performance management module, an access control module and an encryption management module. It should be noted that a management domain is a physical concept and is relatively fixed, such as a smart residential community or a smart campus, while a service domain is a logical concept that changes dynamically with the service application scenario: for example, a certain user in the residential community can be added to the smart campus service domain in order to control a certain camera on the campus. The purpose of the strong logical isolation mechanism is to provide a dynamically controllable isolation strategy for dynamically established service domains in an Internet of things scenario. The method first establishes a distributed identity management and authentication platform based on real addresses, to ensure the authenticity of the identity of each service domain node; then, on the basis of the real identity mechanism, resources such as link bandwidth, computation and storage are dynamically allocated to different service domains by combining software-defined and virtual network slicing technologies, ensuring that the slice network of each service domain uses logically independent virtual network resources; finally, service access control and communication data encryption mechanisms are established to ensure complete isolation of communication across service domains.
Optionally, binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch to each other includes:
(1) storing the IPv6 addresses of the user terminals in the Internet of things in a distributed manner at the service domain centers of the large-scale Internet of things;
(2) each service domain center verifies the identity of the user terminal in the service domain access network according to the real source address of the user terminal in the Internet of things access network;
(3) embedding the identification information of the user terminal's identity in the last 64 bits of its IPv6 address;
(4) binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch to each other.
Optionally, allocating Internet of things communication according to the real identity carried in the IPv6 address of the user terminal includes:
(1) before communication, a user terminal sends a communication request to a service domain center of the large-scale Internet of things, the request containing the IP address of the user terminal and the IP address of the target user terminal;
(2) each service domain center of the Internet of things checks the IP address of the user terminal and the IP address of the communication target: if both are in the same service domain, a communication permission instruction is sent to the switch connected to the user terminal; if they are not in the same service domain, a rejection instruction is sent directly to the user terminal.
Optionally, allocating different data stream bandwidths according to the resource usage state of the large-scale Internet of things service domain includes:
(1) the center of each service domain of the large-scale Internet of things establishes, on each of a number of switches, the mapping between the service domain's identifier ID and its bandwidth information, where the bandwidth information includes the total bandwidth and the available bandwidth of the service domain;
(2) when a user terminal sends a communication request, the service domain center looks up, by the identifier ID, the bandwidth information of the switch connected to the requesting user terminal: if the available bandwidth of the service domain is greater than or equal to the bandwidth on the switch, the service domain center allocates the bandwidth and sends the allocation result to the switch port connected to the requesting user terminal; if the available bandwidth of the service domain is smaller than the bandwidth on the switch, a communication rejection instruction is sent directly to the requesting user terminal.
Optionally, partitioning the access targets according to the real identity of the user terminal so that an unauthorized user cannot access service resources outside its authority includes:
(1) the service domain center sets the access authority and the corresponding access mark of each user terminal according to the real identity of the user terminal;
(2) when a user terminal sends a communication request to the service domain center, the service domain center judges the legality of the access request according to the user terminal's access authority: if the user terminal has the access authority, its access mark is sent to the accessed target; if it does not, a rejection instruction is sent directly to the user terminal.
Optionally, each user terminal in the same service domain implements encrypted communication by using a key exchange method, including:
(1) the service domain center generates a public/private key pair for each user terminal in the same service domain, sends the public key to all user terminals in the service domain, and sends the private key to the corresponding user terminal according to the real identity of the user terminal;
(2) the user terminal initiating the communication request encrypts the IP address of the target user terminal with the target user terminal's public key to obtain the ciphertext $auth_S = \mathrm{Encrypt}(IP_D)$;
(3) the user terminal initiating the communication request calculates a hash value $K_S$ from the IP address of the target user terminal, its own IP address and the time stamp of the communication request:
$K_S = H(IP_D \,\|\, IP_S \,\|\, T_{STAMP})$,
where $\|$ denotes string concatenation, $IP_D$ is the address of the target user terminal, $IP_S$ is the address of the user terminal initiating the communication request, $T_{STAMP}$ is the time stamp, and $H()$ is a hash algorithm;
(4) the user terminal initiating the communication request takes the first 128 bits of the hash value $K_S$ as the first symmetric key $K$ of this communication, and encrypts $K$ with the public key of the target user terminal to obtain the ciphertext $R_S = \mathrm{Encrypt}(K)$;
(5) the user terminal initiating the communication request sends the ciphertexts $R_S$ and $auth_S$ to the target user terminal;
(6) the target user terminal decrypts the ciphertext $auth_S$ with its own private key to obtain the IP address to be authenticated, and compares it with its own IP address: if they differ, it sends a rejection instruction directly to the user terminal initiating the communication request; if they are the same, authentication succeeds and it decrypts the ciphertext $R_S$ to obtain the second symmetric key $K'$;
(7) the target user terminal encrypts the IP address of the user terminal initiating the communication request with the second symmetric key $K'$ to obtain the ciphertext $auth_D = \mathrm{Encrypt}_{K'}(IP_S)$;
(8) the target user terminal sends the ciphertext $auth_D$ to the user terminal initiating the communication request;
(9) the user terminal initiating the communication request decrypts the ciphertext $auth_D$ with the first symmetric key $K$: if its own IP address cannot be obtained, the key exchange fails; if it is obtained, the key exchange succeeds and the first key $K$ is used as the symmetric key for the encrypted data communication.
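The exchange of steps (1) to (9) above, as an added example in Go that is not part of the patent or of any implementation by its authors. The patent names no algorithms, so this code assumes RSA-OAEP for Encrypt(), SHA-256 for H() and AES-GCM for the symmetric encryption of step (7), and it assumes that the target learns IP_S from the verified real source address of the incoming request (the address binding of step 1 of the method). The terminal addresses and the timestamp in main are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Terminal: an IPv6 address plus the key pair the service domain center issued to it (step 1).
type Terminal struct {
	IP   string
	Priv *rsa.PrivateKey
}

func NewTerminal(ip string) *Terminal {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // RSA-OAEP is this example's choice of Encrypt()
	if err != nil {
		panic(err)
	}
	return &Terminal{IP: ip, Priv: priv}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func symSeal(key, msg []byte) ([]byte, error) { // AES-GCM (assumed cipher), nonce prefixed to ciphertext
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

func symOpen(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// DeriveK is K_S = H(IP_D || IP_S || T_STAMP) with SHA-256 as H, truncated to its first 128 bits (steps 3-4).
func DeriveK(ipD, ipS string, tstamp uint64) []byte {
	h := sha256.New()
	h.Write([]byte(ipD + ipS))
	h.Write(binary.BigEndian.AppendUint64(nil, tstamp))
	return h.Sum(nil)[:16]
}

// SourceInit performs steps 2-5: auth_S = Encrypt(IP_D) and R_S = Encrypt(K) under the target's public key.
func SourceInit(src *Terminal, dstIP string, dstPub *rsa.PublicKey, tstamp uint64) (authS, rS, k []byte, err error) {
	k = DeriveK(dstIP, src.IP, tstamp)
	authS, err1 := rsa.EncryptOAEP(sha256.New(), rand.Reader, dstPub, []byte(dstIP), nil)
	rS, err2 := rsa.EncryptOAEP(sha256.New(), rand.Reader, dstPub, k, nil)
	if err1 != nil || err2 != nil {
		return nil, nil, nil, errors.New("public-key encryption failed")
	}
	return authS, rS, k, nil
}

// TargetRespond performs steps 6-8; srcIP is the request's verified real source address (step 1 of the method).
func TargetRespond(dst *Terminal, authS, rS []byte, srcIP string) (authD, kPrime []byte, err error) {
	claimed, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, dst.Priv, authS, nil)
	if err != nil || string(claimed) != dst.IP {
		return nil, nil, errors.New("reject: auth_S does not name this terminal")
	}
	if kPrime, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, dst.Priv, rS, nil); err == nil {
		authD, err = symSeal(kPrime, []byte(srcIP)) // auth_D = Encrypt_K'(IP_S)
	}
	return authD, kPrime, err
}

// SourceVerify is step 9: the exchange succeeds only if auth_D decrypts under K to IP_S.
func SourceVerify(k, authD []byte, srcIP string) bool {
	pt, err := symOpen(k, authD)
	return err == nil && string(pt) == srcIP
}

func main() {
	s, d := NewTerminal("2001:db8::a"), NewTerminal("2001:db8::b") // constructed sample addresses
	authS, rS, k, _ := SourceInit(s, d.IP, &d.Priv.PublicKey, 1700000000) // constructed timestamp
	authD, _, err := TargetRespond(d, authS, rS, s.IP)
	fmt.Println("target accepted:", err == nil, "initiator verified:", SourceVerify(k, authD, s.IP))
}
```

Step (6) is the check to watch when deploying this: a message that reaches any terminal other than IP_D either fails to decrypt under that terminal's private key or names a different address, and the target answers with a rejection rather than a key. Note also that K itself is computable from IP_D, IP_S and T_STAMP, so the secrecy of the session key rests on R_S being encrypted to the target's public key and on the timestamp not being exposed to third parties.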
According to a second aspect of the present disclosure, a large-scale Internet of things service domain isolated communication device is provided, including:
an address binding module, for binding the IPv6 address of a user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch to each other;
a communication allocation module, for allocating Internet of things communication before it takes place, according to the real identity carried in the IPv6 address of the user terminal;
a bandwidth allocation module, for allocating different data stream bandwidths according to the resource usage state of the large-scale Internet of things service domain;
a resource partitioning module, for partitioning the access targets according to the real identity of the user terminal, so that an unauthorized user cannot access service resources outside its authority;
and a communication module, through which each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication.
According to a third aspect of the present disclosure, an electronic device is provided, comprising:
a memory for storing computer-executable instructions;
a processor configured to perform:
binding the IPv6 address of a user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch to each other;
allocating Internet of things communication before it takes place, according to the real identity carried in the IPv6 address of the user terminal;
allocating different data stream bandwidths according to the resource usage state of the large-scale Internet of things service domain;
partitioning the access targets according to the real identity of the user terminal, so that an unauthorized user cannot access service resources outside its authority;
and each user terminal in the same service domain adopting a key exchange algorithm to realize encrypted communication.
According to a fourth aspect of the present disclosure, a computer-readable storage medium is provided, having stored thereon a computer program for causing a computer to execute:
binding the IPv6 address of a user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch to each other;
allocating Internet of things communication before it takes place, according to the real identity carried in the IPv6 address of the user terminal;
allocating different data stream bandwidths according to the resource usage state of the large-scale Internet of things service domain;
partitioning the access targets according to the real identity of the user terminal, so that an unauthorized user cannot access service resources outside its authority;
and each user terminal in the same service domain adopting a key exchange algorithm to realize encrypted communication.
The method targets large-scale cross-service-domain applications of the Internet of things, providing a strong logical isolation strategy between service domains over the end-network-cloud full life cycle while balancing efficiency and robustness. The real source address authentication technology of the source address authentication framework SAVA is used to realize real source address authentication within subnets and between networks at the network level, solving the source address forgery problem; topology isolation, performance isolation and service isolation are then realized by combining SDN-based network slicing and key management technologies, so that strong logical isolation is achieved and network security is improved.
Compared with the prior art, the embodiments of the disclosure have the following advantages:
1. From the Internet of things access nodes, through the transport network, to the application services, isolation of topology, performance and service of Internet of things service domains is realized on the basis of SDN network slicing, key management and access control technologies, finally achieving strong logical isolation over the full life cycle of Internet of things data.
2. Real source address authentication solves the source address forgery problem at the network layer, effectively preventing both DDoS traffic attacks against the network and the bypassing of the logical isolation mechanism by tampering with IP addresses.
Additional aspects and advantages of the disclosure will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the technical solutions in the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a schematic diagram illustrating connection between a large-scale internet of things service domain center and a user terminal device and a switch according to an embodiment of the disclosure.
Fig. 2 is a schematic diagram illustrating a gateway proxy applying for a real address of a node and maintaining the real address according to an embodiment of the disclosure.
Fig. 3 is a schematic diagram illustrating a service domain center implementing resource isolation according to an embodiment of the present disclosure.
Fig. 4 is a schematic diagram illustrating allocation of bandwidth to a user terminal by a service domain center according to an embodiment of the present disclosure.
Fig. 5 is a schematic diagram illustrating a service domain center issuing an access control authorization code for a target user terminal according to an embodiment of the present disclosure.
Fig. 6 is a schematic diagram illustrating a communication key exchange between user terminals according to an embodiment of the present disclosure.
Fig. 7 is a block diagram illustrating a structure of a large-scale internet of things service domain isolated communication device according to an embodiment of the present disclosure.
Fig. 8 is a diagram illustrating steps for a large-scale internet of things service domain isolated communication device to establish strong logical isolation according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
According to an embodiment of the present disclosure, a large-scale internet of things service domain isolated communication method may include the following steps:
In step 1, the IPv6 addresses of the user terminals in the Internet of things are stored in a distributed manner at the service domain centers of the large-scale Internet of things, as shown in fig. 1, and the IPv6 address of each user terminal, its MAC address and the corresponding switch are bound to each other.
In one embodiment, binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch to each other may include the following steps:
(1) storing the IPv6 addresses of the user terminals in the Internet of things in a distributed manner at the service domain centers of the large-scale Internet of things;
(2) each service domain center verifies the identity of the user terminal in the service domain access network according to the real source address of the user terminal in the Internet of things access network; a distributed real identity management mechanism is thereby established, providing the foundation for inter-domain logical isolation of each service domain on public resources and ensuring that the access identity of the user terminal is real and credible;
(3) embedding the identification information of the user terminal's identity in the last 64 bits of its IPv6 address. This realizes packet-level identity authentication and traceability and ensures the authenticity and credibility of the devices in the service domain from the access position. The real address generation process is an existing mechanism and is not within the protection scope of this patent, but using the real address and the corresponding real identity for cross-service-domain isolation is. In particular, when nodes access the Internet of things through networking modes such as ZigBee or Bluetooth and do not use IPv6 addresses, this is realized by the corresponding gateway agent: the gateway applies for a corresponding IPv6 address for each node and stores the correspondence between the IPv6 address and the node's real address. As shown in fig. 1, the gateway obtains the IPv6 address on behalf of the user terminal device, and the subsequent resource isolation, performance management and access control are also implemented by the gateway proxy;
(4) binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch to each other.
In step 2, Internet of things communication is allocated before it takes place, according to the real identity carried in the IPv6 address of the user terminal.
In one embodiment, allocating Internet of things communication according to the real identity carried in the IPv6 address of the user terminal may include:
(1) before communication, a user terminal sends a communication request to a service domain center of the large-scale Internet of things, the request containing the IP address of the user terminal and the IP address of the target user terminal;
(2) each service domain center of the Internet of things checks the IP address of the user terminal and the IP address of the communication target: if both are in the same service domain, a communication permission instruction is sent to the switch connected to the user terminal; if they are not in the same service domain, a rejection instruction is sent directly to the user terminal. As shown in fig. 3, the resource isolation module completes the virtualization of the network by controlling a number of switch ports: specifically, it binds each divided network slice to the IP address block of its service domain and establishes a port filtering policy at each switch, so that only traffic whose source and destination IP addresses belong to one slice can pass, while all other traffic is filtered directly at the port, realizing resource isolation between slices.
In step 3, different data stream bandwidths are allocated according to the resource usage state of the large-scale Internet of things service domain, thereby achieving performance balancing and isolation between service domains.
In an embodiment, the allocating different data stream bandwidths according to the resource usage status of the large-scale internet of things service domain may include:
(1) the method comprises the steps that the center of each service domain of the large-scale Internet of things establishes the mapping relation between the identifier ID of the service domain and the bandwidth information of the service domain on a plurality of switches respectively, wherein the bandwidth information comprises the total bandwidth and the existing bandwidth of the service domain;
(2) when a user terminal sends a communication request, the service domain center checks, according to the identifier ID, the bandwidth information of the switch connected to the requesting user terminal; if the existing bandwidth of the service domain is greater than or equal to the bandwidth on the switch, the service domain center allocates the bandwidth and sends the allocation result to the switch port connected to the requesting user terminal, and if the existing bandwidth of the service domain is smaller than the bandwidth on the switch, a communication rejection instruction is sent directly to the requesting user terminal. As shown in fig. 4, each service domain center in the network dynamically formulates transmission performance rules according to the service requirements of its service domain, establishes the correspondence <service domain ID, bandwidth>, associates it with the network slice corresponding to the service domain to form a flow table rule, and issues the flow table rule to the access switches in its management domain. Each slice thus provides data transmission service for its service domain with the allocated network resources by controlling the egress bandwidth of the physical devices corresponding to the service domain, establishing for each service domain a network channel with guaranteed transmission performance on the shared physical facility and so ensuring that the transmission performance requirement is met.
In the data transmission process, in order to ensure that data packets meet the performance requirement while being dynamically transmitted in the network, the service domain center dynamically manages the routing equipment based on a global view of the links in the service domain, so that congestion of the data transmission links is avoided. The link global view is a record of the connection relationships and link capacities among the ports of the routing equipment, and contains the link information required by each service domain: Link = {Link_1, Link_2, ..., Link_n} is the total bandwidth of each link of each service domain, and Remain = {Remain_1, Remain_2, ..., Remain_n} is the current remaining bandwidth of each link of each service domain. When a communication request is received, the service domain center judges whether the current link bandwidth meets the communication requirement, controls the bandwidth of each service domain according to the link condition, and dynamically adjusts the rate at which data packets are injected into the network, so that global congestion avoidance is achieved while each network slice continues to carry its services normally.
In step 4, access purposes are segmented according to the real identity of the user terminal, so that an unauthorized user cannot access service resources outside its authority; private data is thus not leaked, illegal operation and control are prevented, and service reliability is improved.
In an embodiment, segmenting the access purpose according to the real identity of the user terminal so that an unauthorized user cannot access service resources outside its authority, as shown in fig. 5, may include the following steps:
(1) the service domain center respectively sets the access authority and the corresponding access mark of each user terminal according to the real identity of the user terminal;
(2) when a user terminal sends a communication request to the service domain center, the service domain center judges the legality of the access request according to the access authority of that user terminal; if the user terminal has the access authority, its access mark is sent to the accessed target, and if it does not, a rejection instruction is sent directly to the user terminal. In order to better realize service isolation and effectively prevent security threats such as illegal intrusion and data leakage, the embodiment of the disclosure divides the applications in the service domain into security levels and controls the behavior of end devices based on their real identity and role, so that a user can only access the applications within the security level it is authorized for in the service domain, thereby effectively realizing service isolation between different application accesses within the service domain. Specifically, as shown in table 1, each device has a corresponding access right, and different rights correspond to different rights codes; before communication, the service domain center writes the correspondence between rights code and real identity into the accessed device (or the Internet of things gateway managing the device), and the accessed device enforces access control at the corresponding level according to the rights of the identity.
Table 1 real identity based service domain access rights management
In step 5, each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication.
In an embodiment, the key exchange method by which the user terminals in the same service domain implement encrypted communication may include the following steps:
(1) the service domain center generates a pair of public key and private key for each user terminal in the same service domain, and sends the public key to all user terminals in the service domain, and the private key is sent to the corresponding user terminal according to the real identity of the user terminal;
(2) the user terminal initiating the communication request encrypts the IP address of the target user terminal with the public key of the target user terminal to obtain the ciphertext auth_S = Encrypt(IP_D);
(3) the user terminal initiating the communication request calculates a hash value K_S from the IP address of the target user terminal, its own IP address and the time stamp of the communication request:
K_S = H(IP_D || IP_S || TSTAMP),
where || denotes string concatenation, IP_D denotes the address of the target user terminal, IP_S denotes the address of the user terminal initiating the communication request, TSTAMP denotes the time stamp, and H() denotes a hash algorithm;
(4) the user terminal initiating the communication request takes the first 128 bits of the hash value K_S as the first symmetric key K of this communication, and encrypts K with the public key of the target user terminal to obtain the ciphertext R_S = Encrypt(K);
(5) the user terminal initiating the communication request sends the ciphertexts R_S and auth_S to the target user terminal;
(6) the target user terminal decrypts the ciphertext auth_S with its own private key to obtain the IP address to be authenticated, and compares it with its own IP address: if they differ, a rejection instruction is sent directly to the user terminal initiating the communication request; if they are the same, authentication succeeds and the target user terminal decrypts the ciphertext R_S to obtain the second symmetric key K';
(7) the target user terminal encrypts the IP address of the user terminal initiating the communication request with the second symmetric key K' to obtain the ciphertext auth_D = Encrypt_K'(IP_S);
(8) the target user terminal sends the ciphertext auth_D to the user terminal initiating the communication request;
(9) the user terminal initiating the communication request decrypts the ciphertext auth_D with the first symmetric key K: if its own IP address cannot be recovered, the key exchange fails; if it is recovered, the key exchange succeeds and the first key K is used as the symmetric key for the subsequent encrypted data communication.
The whole key exchange process described above is shown in fig. 6. Public and private key management can be implemented on the basis of an existing PKI (public key infrastructure) or similar, in which the public key of each device in a service domain corresponds to its IP address. Each device can apply to the key management module for its own private key using its identity information; the nodes in the service domain complete mutual authentication with these public and private keys and negotiate a communication key to obtain the symmetric key of the session, which is used to encrypt the communication data.
An embodiment of the present disclosure provides an example of inter-domain credibility consensus using the method; the network topology of the embodiment is shown in fig. 1, and its main parameters are as follows:
1. in this embodiment, as shown in fig. 1, 2 service domains are deployed at three physical locations, namely, school 1, cell, and school 2, and are respectively a smart campus and a smart cell service domain, where a service domain center of "service domain 1-smart campus" is located in school 1, and a service domain center of "service domain 2-smart cell" is located in a cell. All the devices are connected through the Internet and share the Internet facility. In the embodiment, the number of the user terminals is 4, the user terminal 1 is a student A intelligent watch and belongs to a smart campus and a smart community service area; the user terminal 2 is a cell camera and belongs to an intelligent cell service domain; the user terminal 3 is a student B intelligent watch and belongs to a smart campus and a smart community service area; user terminal 4 is student C intelligence wrist-watch, belongs to intelligent campus service area. The purpose of this embodiment is to establish a strong logic isolation mechanism between service domains for each user terminal device in a world-wide internet scenario.
2. In this embodiment, school 1 represents a campus, and school 1 has a switch supporting real address management and a smart campus service domain center deployed therein. The switch provides a real source address and a real identity verification function, ensures the authenticity and credibility of the access equipment, and controls the port rate according to the service domain center instruction; the service domain center realizes the efficient generation, distribution and identity identification management of the dynamic virtual identity of the equipment, provides virtual network slicing service and realizes the isolation and management of flow; and meanwhile, the device in the service domain is responsible for generating and sending a private key of a communication destination terminal based on the identification, and the private key is used for negotiating a symmetric key. The service domain 1 is provided with a student A wearing the intelligent watch, the student A is also a resident of the intelligent cell (the service domain 2), the intelligent watch belongs to the intelligent cell service domain, and the intelligent watch only has a use right and does not have a management right for equipment of the intelligent cell. Therefore, the user terminal belongs to two service domains, namely a smart campus and a smart cell.
3. In this example, the smart cell environment is configured the same as the service domain 1, and a switch supporting real address management and a smart cell service domain center are deployed. A camera device is deployed, only a user belonging to a service domain of the intelligent cell can access the device, and the device belonging to the intelligent cell and having the identity of an administrator can perform interactive control with the camera.
4. In this embodiment, a switch supporting real address management and user terminal devices (smart watches) used by two students (students B and C) are deployed in the school 2, wherein the student B is also an administrator of the smart cell and belongs to a smart cell service domain, and can communicate with devices in the cell through the smart watch worn by the student B, so that the student B belongs to both the smart campus and the smart cell; student C belongs only to the smart campus service domain.
5. In this embodiment, the internet connects 2 service domains. The strong logic isolation establishment process is shown in fig. 8, wherein the first step is step 1, and the second step is steps 2-5.
Step 1) address binding, realizing user terminal identity management. The IP prefix is a 64-bit allocated value: the address prefix allocated to school 1 is 2001::0000, the address prefix allocated to school 2 is 2002::0000, and the address prefix allocated to the cell is 2003::0000. The last 64 bits of the IP address are the IPv6 lower-64-bit information containing user information, obtained by operations such as hashing and encryption on basic information such as the user's identity number: the lower 64 bits of the IPv6 address allocated to student A's smart watch are 1000::0001, those of student B's smart watch are 2000::0002, those of student C's smart watch are 3000::0003, and those of the camera are 4000::0004. As shown in table 1, the correspondence between the service domain ID and the lower 64 bits of the IPv6 address is established. The slice management and key management servers synchronize the lower 64 bits of the IPv6 address and the corresponding service domain information through the distributed management information.
Step 2) communication allocation, realizing resource isolation between the user terminals. Student C of the smart campus requests communication with the camera of the smart cell. When student C attempts to communicate with the camera using his own address, the service domain center determines from the service domain information that the smart campus and the smart cell belong to different service domains, so the resource isolation module does not construct a corresponding network slice to serve student C's access request; if student C sends data packets directly, they are filtered at the switch port to which student C's user terminal is connected, which guarantees that different service domains cannot communicate or interact. In contrast, when student A requests communication with student C, the service domain center writes a corresponding permit instruction to the switch, and the data packets can be exchanged through the switch.
Step 3) bandwidth allocation, realizing performance management during communication of the user terminals. The internal communication of different service domains corresponds to different network slices, each allocated its own resources. The link bandwidth from each switch to the Internet is 10 Gbps; for the smart campus service domain, the total link bandwidth provided by switches 1, 2 and 3 for the service domain is Link = {Link_1, Link_2, Link_3}, where Link_3 is the total bandwidth at school 2, with a current remaining bandwidth of Remain_3 = 3 Mbps. Student C requests communication with student A and applies for a rate of 1 Mbps; the smart campus service domain sets a rate limiting policy, for example allocating 1 Mbps of bandwidth, on the port where switch 3 of school 2 is connected to student C's user terminal. Student B and the camera both belong to the smart cell, and 2 Mbps of bandwidth is allocated on switch 3 through the smart cell service domain center. The two service domains occupy mutually independent network resources and cannot affect each other: if the network slice corresponding to the smart campus suffers a DDoS attack, at most the bandwidth resources allocated to the smart campus are consumed, traffic exceeding the allocation is filtered at the switch, and performance assurance is effectively realized.
Step 4) resource segmentation, service isolation: the smart cell service domain deploys a service isolation mechanism and manages the devices in the service domain through identity-based access control. Student A belongs to the smart cell service domain and can communicate with the camera and view video content; because the service domain center wrote student A's real address and device authority (0) into the camera (or the Internet of things gateway managing the camera) before communication, the camera recognizes that student A has no authority to manage it, so if student A sends an instruction to turn off the camera, the instruction cannot pass the camera's identity-based access control check, and unauthorized illegal access is effectively prevented.
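The following is an added example, not code from the patent, showing how a service domain center could carry out the decisions of steps 2 to 4 (communication allocation, bandwidth allocation and rights checking) on the embodiment's four bound terminals, keying every table on the real identity in the lower 64 bits of the IPv6 address. Switch 3 is school 2 as stated above; the switch numbers of school 1 and the cell, the MAC addresses, the rights codes and all bandwidth figures other than the campus's 3 Mbps remaining on switch 3 are constructed assumptions.

```go
package main

import (
	"encoding/binary"
	"net/netip"
)

// ServiceDomain is the page's service domain ID.
type ServiceDomain int

const (
	SmartCampus ServiceDomain = 1 // "service domain 1 - smart campus"
	SmartCell   ServiceDomain = 2 // "service domain 2 - smart cell"
	RightUse, RightManage      = 0, 1 // rights codes, constructed (Table 1 is an image)
)

// Terminal is one bound user terminal: IPv6 address (site prefix + real identity in
// the lower 64 bits), MAC, access switch and the service domains it belongs to.
type Terminal struct {
	Name, MAC string // MAC values below are constructed placeholders
	Addr      netip.Addr
	Switch    int
	Domains   map[ServiceDomain]bool
}

// identityBits is the lower 64 bits of a bound address, i.e. the real identity.
func identityBits(a netip.Addr) uint64 {
	b := a.As16()
	return binary.BigEndian.Uint64(b[8:])
}

// Center is one service domain center: binding table, the domain's remaining
// bandwidth on each switch (Remain_i) and the rights code per real identity.
type Center struct {
	Domain     ServiceDomain
	Terminals  map[uint64]*Terminal
	RemainMbps map[int]int
	Rights     map[uint64]int
}

// AllowCommunication is step 2: the permit instruction for the requester's switch
// is issued only when both endpoints are bound and both belong to this domain.
func (c *Center) AllowCommunication(src, dst netip.Addr) (permit bool, sw int) {
	s, okS := c.Terminals[identityBits(src)]
	d, okD := c.Terminals[identityBits(dst)]
	if !okS || !okD {
		return false, 0 // unbound address: reject
	}
	return s.Domains[c.Domain] && d.Domains[c.Domain], s.Switch
}

// AllocateBandwidth is step 3: grant the requested rate on the requester's switch
// only while the domain's remaining share there covers it; return what is left.
func (c *Center) AllocateBandwidth(src netip.Addr, mbps int) (granted bool, remain int) {
	s, ok := c.Terminals[identityBits(src)]
	if !ok || !s.Domains[c.Domain] {
		return false, 0
	}
	remain = c.RemainMbps[s.Switch]
	if remain < mbps {
		return false, remain // would exceed the slice's share: reject
	}
	c.RemainMbps[s.Switch] = remain - mbps
	return true, remain - mbps
}

// CheckAccess is step 4: the rights code written for the identity must reach the
// level the requested operation needs.
func (c *Center) CheckAccess(src netip.Addr, required int) bool {
	code, ok := c.Rights[identityBits(src)]
	return ok && code >= required
}

// NewEmbodiment builds the two centers of the page's embodiment. Switch 3 is
// school 2 as on the page; switches 1 (school 1) and 2 (cell) are assumed, as
// are all bandwidth values except the campus's 3 Mbps left on switch 3.
func NewEmbodiment() (campus, cell *Center) {
	mk := func(name, ip, mac string, sw int, doms ...ServiceDomain) *Terminal {
		t := &Terminal{name, mac, netip.MustParseAddr(ip), sw, map[ServiceDomain]bool{}}
		for _, d := range doms {
			t.Domains[d] = true
		}
		return t
	}
	a := mk("student A watch", "2001::1000:0000:0000:0001", "02:00:00:00:00:01", 1, SmartCampus, SmartCell)
	cam := mk("cell camera", "2003::4000:0000:0000:0004", "02:00:00:00:00:04", 2, SmartCell)
	b := mk("student B watch", "2002::2000:0000:0000:0002", "02:00:00:00:00:02", 3, SmartCampus, SmartCell)
	c := mk("student C watch", "2002::3000:0000:0000:0003", "02:00:00:00:00:03", 3, SmartCampus)
	table := map[uint64]*Terminal{}
	for _, t := range []*Terminal{a, cam, b, c} {
		table[identityBits(t.Addr)] = t
	}
	campus = &Center{SmartCampus, table, map[int]int{1: 3, 3: 3}, map[uint64]int{}}
	cell = &Center{SmartCell, table, map[int]int{2: 3, 3: 3},
		map[uint64]int{identityBits(a.Addr): RightUse, identityBits(b.Addr): RightManage}}
	return campus, cell
}
```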
Step 5) communication management, realizing encrypted communication between the user terminal devices of the Internet of things. Finally, all communication data is encrypted to ensure that the traffic cannot be intercepted and exploited by a malicious user (for example, by reusing an access control instruction). In smart campuses and smart cells that deploy the strong logical isolation mechanism, all communication data is cryptographically protected. Student B communicates with the camera: the authentication information is the IP address of the target user terminal (the camera) encrypted with the camera's public key, auth_S = Encrypt(2003::4000:0000:0000:0004); with the current timestamp 3f56425d, the key K_S = H(2003::4000:0000:0000:0004 || 2002::2000:0000:0000:0002 || 3f56425d) is computed, its first 128 bits are taken as the symmetric key K of the session, and K is encrypted with the public key to obtain R_S = Encrypt(K); R_S and auth_S are sent to the destination. The camera decrypts auth_S with its own private key SK_D; after successful authentication it decrypts R_S to obtain the symmetric key K', encrypts the IP address of student B's device with the negotiated key K' and sends the result to student B, who verifies it; once verification passes, K is used as the symmetric key for the encrypted data communication. The traffic exchanged between student B and the camera is thus encrypted: even if student C monitors it, the traffic is ciphertext, and since student C cannot obtain the symmetric key used for the communication between student B and the camera, no plaintext data can be obtained. The key exchange mechanism thus provides a guarantee of strong traffic isolation between service domains.
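The key exchange of step 5, items (1) to (9), run on the student B and camera values above, as an added example that is not the patent's own code. RSA-OAEP stands in for the unspecified public-key Encrypt(), SHA-256 for H(), and AES-128-GCM for Encrypt_K' (which is why K is the first 128 bits of K_S); the addresses and the timestamp 3f56425d are the embodiment's values, and RunExchange is a driver added for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Request is the step (5) message: R_S = Encrypt(K) and auth_S = Encrypt(IP_D).
type Request struct{ RS, AuthS []byte }

// pkEncrypt is the page's Encrypt(); RSA-OAEP is an assumed instantiation.
func pkEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Encrypt_K' is assumed AES-128-GCM (so K is 128 bits); layout nonce||ct||tag.
func symEncrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

func symDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	if n := aead.NonceSize(); len(ct) >= n {
		return aead.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, fmt.Errorf("truncated ciphertext")
}

// InitiatorRequest is steps (2)-(4): auth_S = Encrypt(IP_D), K_S = H(IP_D || IP_S
// || TSTAMP) with H = SHA-256, K = first 128 bits of K_S, R_S = Encrypt(K).
func InitiatorRequest(ipS, ipD, tstamp string, pubD *rsa.PublicKey) ([]byte, *Request, error) {
	authS, err := pkEncrypt(pubD, []byte(ipD))
	if err != nil {
		return nil, nil, err
	}
	ks := sha256.Sum256([]byte(ipD + ipS + tstamp))
	rs, err := pkEncrypt(pubD, ks[:16])
	if err != nil {
		return nil, nil, err
	}
	return ks[:16], &Request{RS: rs, AuthS: authS}, nil
}

// TargetRespond is steps (6)-(8): reject unless auth_S decrypts to this terminal's
// own address ipD; else recover K' from R_S and answer auth_D = Encrypt_K'(IP_S),
// ipS being the real source address the request arrived from.
func TargetRespond(privD *rsa.PrivateKey, ipD, ipS string, req *Request) ([]byte, error) {
	toAuth, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, privD, req.AuthS, nil)
	if err != nil || string(toAuth) != ipD {
		return nil, fmt.Errorf("reject: auth_S does not name this terminal")
	}
	kPrime, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, privD, req.RS, nil)
	if err != nil {
		return nil, err
	}
	return symEncrypt(kPrime, []byte(ipS))
}

// InitiatorVerify is step (9): success only if auth_D decrypts under K to the
// initiator's own IP_S; K is then the session key for the data encryption.
func InitiatorVerify(k []byte, ipS string, authD []byte) bool {
	pt, err := symDecrypt(k, authD)
	return err == nil && bytes.Equal(pt, []byte(ipS))
}

// RunExchange drives one complete exchange against a fresh target key pair;
// claimed is the address the initiator puts in auth_S (normally ipD itself).
func RunExchange(ipS, ipD, claimed, tstamp string) (bool, error) {
	privD, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	k, req, err := InitiatorRequest(ipS, claimed, tstamp, &privD.PublicKey)
	if err != nil {
		return false, err
	}
	authD, err := TargetRespond(privD, ipD, ipS, req)
	if err != nil {
		return false, err
	}
	return InitiatorVerify(k, ipS, authD), nil
}
```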
The method and device of the present disclosure fully consider the dynamic change of large-scale service domains of the Internet of things and security requirements such as privacy protection, establish through distributed service domain centers an inter-service-domain isolation policy that uses the real identity as the basis of trust, and provide an efficient and reliable strong logical isolation mechanism for service domains, which improves the security of the system, guarantees the communication performance of the devices, and provides reliable support for secure communication between Internet of things devices.
Corresponding to the above large-scale internet of things service domain isolated communication method, the present disclosure also provides a large-scale internet of things service domain isolated communication device, as shown in fig. 7, including:
the address binding module is used for binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch with each other;
the communication distribution module is used for distributing the communication of the Internet of things before communication according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of things;
the bandwidth allocation module is used for allocating different data stream bandwidths according to the resource use state of the large-scale Internet of things service domain;
the resource segmentation module is used for segmenting the access purpose according to the real identity of the user terminal so that an unauthorized user cannot access the service resources outside the authority;
and the communication module is used for each user terminal in the same service domain and adopts a key exchange algorithm to realize encrypted communication.
An embodiment of the present disclosure also provides an electronic device, including:
a memory for storing computer-executable instructions;
a processor configured to perform:
binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and a corresponding switch with each other;
according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of things, the communication of the Internet of things is distributed before communication;
allocating different data stream bandwidths according to the resource use state of the large-scale Internet of things service domain;
segmenting the access purpose according to the real identity of the user terminal so that an unauthorized user cannot access the service resources outside the authority;
and each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication.
An embodiment of the present disclosure also proposes a computer-readable storage medium having stored thereon a computer program for causing a computer to execute:
binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and a corresponding switch with each other;
according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of things, the communication of the Internet of things is distributed before communication;
allocating different data stream bandwidths according to the resource use state of the large-scale Internet of things service domain;
segmenting the access purpose according to the real identity of the user terminal so that an unauthorized user cannot access the service resources outside the authority;
and each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication.
It should be noted that, in the embodiment of the present disclosure, the Processor may be a Central Processing Unit (CPU), or may be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. The general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like, the memory may be used for storing the computer program and/or the module, and the processor may realize various functions of the automobile accessory picture data set making apparatus by executing or executing the computer program and/or the module stored in the memory and calling data stored in the memory. The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device. If the modules/units of the construction device of the wind power system operation stability domain are realized in the form of software functional units and sold or used as independent products, the modules/units can be stored in a computer readable storage medium. 
Based on such understanding, all or part of the flow of the method of the embodiments described above can be realized by the present disclosure, and can also be realized by the relevant hardware instructed by a computer program, which can be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments described above can be realized. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, etc. It should be noted that the above-described device embodiments are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, in the drawings of the embodiments of the apparatus provided by the present invention, the connection relationship between the modules indicates that there is a communication connection between them, and may be specifically implemented as one or more communication buses or signal lines. One of ordinary skill in the art can understand and implement the present invention without inventive effort.
While the foregoing is directed to the preferred embodiment of the present disclosure, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.

Claims (9)

1. A large-scale Internet of things service domain isolated communication method is characterized by comprising the following steps:
binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and a corresponding switch with each other;
according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of things, the communication of the Internet of things is distributed before communication;
allocating different data stream bandwidths according to the resource use state of the large-scale Internet of things service domain;
segmenting the access purpose according to the real identity of the user terminal so that an unauthorized user cannot access the service resource outside the authority;
and each user terminal in the same service domain adopts a key exchange algorithm to realize encrypted communication.
2. The large-scale internet of things service domain isolated communication method of claim 1, wherein the binding the IPv6 address of the user terminal in the internet of things, the MAC address of the user terminal, and the corresponding switch to each other comprises:
(1) storing IPv6 addresses of user terminals in the Internet of things in a distributed manner to service domain centers of the large-scale Internet of things;
(2) each service domain center verifies the identity of the user terminal in the service domain access network according to the real source address of the user terminal in the access network in the Internet of things;
(3) embedding the 64-bit identification information of the user terminal identity in the lower 64 bits of the IPv6 address of the user terminal;
(4) And binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch with each other.
3. The large-scale internet of things service domain isolated communication method of claim 1, wherein the allocating the communication of the internet of things according to the real identity of the user terminal in the IPv6 address of the user terminal in the internet of things comprises:
(1) before communication, a user terminal sends a communication request to a service domain center of a large-scale Internet of things, wherein the communication request comprises an IP address of the user terminal and an IP address of a target user terminal;
(2) and each service domain center of the Internet of things judges the IP address of the user terminal and the IP address of the communication target, if the IP address of the user terminal and the IP address of the communication target are in the same service domain, a communication permission instruction is sent to a switch connected with the user terminal, and if the IP address of the user terminal and the IP address of the communication target are not in the same service domain, a rejection instruction is directly sent to the user terminal.
4. The large-scale internet of things service domain isolated communication method according to claim 1, wherein the allocating different data stream bandwidths according to the resource usage state of the large-scale internet of things service domain comprises:
(1) the method comprises the steps that the center of each service domain of the large-scale Internet of things establishes the mapping relation between the identifier ID of the service domain and the bandwidth information of the service domain on a plurality of switches respectively, wherein the bandwidth information comprises the total bandwidth and the existing bandwidth of the service domain;
(2) when a user terminal sends a communication request, the service domain center checks, according to the identifier ID, the bandwidth information of the switch connected to the requesting user terminal; if the existing bandwidth of the service domain is greater than or equal to the bandwidth on the switch, the service domain center allocates the bandwidth and sends the allocation result to the switch port connected to the requesting user terminal, and if the existing bandwidth of the service domain is smaller than the bandwidth on the switch, a communication rejection instruction is sent directly to the requesting user terminal.
5. The large-scale internet of things service domain isolated communication method according to claim 1, wherein segmenting the access targets according to the real identity of the user terminal, so that an unauthorized user cannot access service resources outside its rights, comprises:
(1) the service domain center sets, for each user terminal, the access authority and the corresponding access mark according to the real identity of that user terminal;
(2) when a user terminal sends a communication request to the service domain center, the service domain center judges the legitimacy of the access request according to the access authority of the user terminal; if the user terminal has the access authority, the access mark of the user terminal is sent to the accessed target, and if the user terminal does not have the access authority, a rejection instruction is sent directly to the user terminal.
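The admission logic of claims 3 to 5 (same-domain check, bandwidth accounting against the per-domain mapping, and access marks derived from the terminal's real identity) put together in one service domain center, as an added example in Go. It is not code from the patent or from Tsinghua University: the struct fields, the reason strings, the address, MAC and switch values and the two-domain topology are all constructed for the example, and since the claims do not say what "the bandwidth on the switch" is measured against, the example treats it as the bandwidth the request asks for.

```go
package main

import (
	"fmt"
	"net"
)

// Decision is the center's answer: a permit goes to the requester's switch port, a rejection back to the requester.
type Decision struct {
	Permit     bool
	SentTo     string // switch ID on permit, requester address on reject
	Reason     string
	AccessMark string // forwarded to the accessed target on success (claim 5)
	Bandwidth  uint64 // bandwidth allocated on the switch port (claim 4)
}

// Binding is a terminal's IPv6/MAC/switch binding plus what the center derived
// from its real identity: service domain, access mark and reachable targets.
type Binding struct {
	MAC, Switch, Domain, Mark string
	CanAccess                 map[string]bool // destination addresses within its rights
}

// DomainBandwidth is the (total, available) pair installed on the switches under the domain's ID.
type DomainBandwidth struct {
	Total, Available uint64
}

type Center struct {
	bindings map[string]Binding
	domains  map[string]*DomainBandwidth
}

// canon canonicalises an address so "2001:0db8::1" and "2001:db8::1" hit the same binding.
func canon(ip string) (string, bool) {
	p := net.ParseIP(ip)
	if p == nil {
		return "", false
	}
	return p.String(), true
}

// Bind records a terminal; it refuses malformed addresses and unknown domains.
func (c *Center) Bind(ip string, b Binding) error {
	k, ok := canon(ip)
	if _, known := c.domains[b.Domain]; !ok || !known {
		return fmt.Errorf("cannot bind %q to domain %q", ip, b.Domain)
	}
	c.bindings[k] = b
	return nil
}

// Request applies the claimed checks in order: both ends bound and in the same
// service domain (claim 3), target within the requester's rights (claim 5), enough
// available domain bandwidth (claim 4); bandwidth is debited only when all pass.
func (c *Center) Request(src, dst string, want uint64) Decision {
	reject := func(why string) Decision { return Decision{SentTo: src, Reason: why} }
	s, okS := canon(src)
	d, okD := canon(dst)
	if !okS || !okD {
		return reject("malformed address")
	}
	sb, ok := c.bindings[s]
	if !ok {
		return reject("requester not bound")
	}
	db, ok := c.bindings[d]
	if !ok {
		return reject("target not bound")
	}
	if sb.Domain != db.Domain {
		return reject("different service domain")
	}
	if !sb.CanAccess[d] {
		return reject("outside access rights")
	}
	dom := c.domains[sb.Domain]
	if dom.Available < want {
		return reject("insufficient domain bandwidth")
	}
	dom.Available -= want
	return Decision{Permit: true, SentTo: sb.Switch, Reason: "ok", AccessMark: sb.Mark, Bandwidth: want}
}

// Demo builds a constructed topology: two domains and three bound terminals.
func Demo() *Center {
	c := &Center{bindings: map[string]Binding{}, domains: map[string]*DomainBandwidth{
		"meter": {Total: 1000, Available: 1000}, "camera": {Total: 5000, Available: 5000}}}
	c.Bind("2001:db8:1::10", Binding{MAC: "02:00:00:00:00:10", Switch: "sw1", Domain: "meter",
		Mark: "meter-reader", CanAccess: map[string]bool{"2001:db8:1::20": true}})
	c.Bind("2001:db8:1::20", Binding{MAC: "02:00:00:00:00:20", Switch: "sw1", Domain: "meter", Mark: "meter-head"})
	c.Bind("2001:db8:2::30", Binding{MAC: "02:00:00:00:00:30", Switch: "sw2", Domain: "camera", Mark: "cam"})
	return c
}

func main() {
	c := Demo()
	fmt.Printf("%+v\n", c.Request("2001:db8:1::10", "2001:db8:1::20", 400)) // permit, sent to sw1
	fmt.Printf("%+v\n", c.Request("2001:db8:1::10", "2001:db8:2::30", 400)) // reject: different domain
}
```

Two design points carry over to any real implementation: addresses are canonicalised with net.ParseIP before lookup, so a non-canonical spelling of an IPv6 address cannot slip past the binding table, and every rejection is decided before the domain's available bandwidth is touched, so a refused request never leaks bandwidth.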
6. The large-scale internet of things service domain isolated communication method of claim 1, wherein each user terminal in the same service domain adopts a key exchange method to realize encrypted communication, and the method comprises the following steps:
(1) the service domain center generates a public key and private key pair for each user terminal in the same service domain, sends the public key to all user terminals in the service domain, and sends the private key to the corresponding user terminal according to the real identity of that user terminal;
(2) the user terminal initiating the communication request encrypts the IP address of the target user terminal with the public key of the target user terminal to obtain an encrypted ciphertext, namely auth_S = Encrypt(IP_D);
(3) the user terminal initiating the communication request calculates a hash value K_S from the IP address of the target user terminal, its own IP address and the time stamp of the communication request:
K_S = H(IP_D || IP_S || T_STAMP),
where || denotes string concatenation, IP_D denotes the target user terminal address, IP_S denotes the address of the user terminal initiating the communication request, T_STAMP denotes the time stamp, and H() denotes a hash algorithm;
(4) the user terminal initiating the communication request takes the first 128 bits of the hash value K_S as the first symmetric key K of the communication, and encrypts the key K with the public key of the target user terminal to obtain a ciphertext R_S, R_S = Encrypt(K);
(5) the user terminal initiating the communication request sends the ciphertext R_S and the ciphertext auth_S to the target user terminal;
(6) the target user terminal decrypts the ciphertext auth_S with its own private key to obtain the IP address to be authenticated, and compares it with its own IP address; if the IP address to be authenticated differs from the IP address of the target user terminal, a rejection instruction is sent directly to the user terminal initiating the communication request, and if they are the same, the authentication succeeds and the target user terminal decrypts the ciphertext R_S to obtain a second symmetric key K';
(7) the target user terminal encrypts the IP address of the user terminal initiating the communication request with the second symmetric key K' to obtain a ciphertext auth_D, auth_D = Encrypt_K'(IP_S);
(8) the target user terminal sends the ciphertext auth_D to the user terminal initiating the communication request;
(9) the user terminal initiating the communication request decrypts the ciphertext auth_D with the first symmetric key K; if its own IP address cannot be obtained, the key exchange fails, and if its own IP address is obtained, the key exchange succeeds and the first key K is used as the symmetric key for the encrypted data communication.
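The nine steps of claim 6 as one runnable exchange in Go, added here as an example and not code from the patent or its assignee. The claim fixes neither the public-key algorithm, the hash nor the symmetric cipher, so this instantiates Encrypt with 2048-bit RSA-OAEP over SHA-256, H with SHA-256 and Encrypt_K' with AES-128-GCM; the terminal addresses and the timestamp are constructed, and the center's public-key distribution is modelled by handing the initiator the target's public key directly. Two points worth noting when reading the steps as claimed: K_S is computed only from IP_D, IP_S and the timestamp, values an observer of the request may know, so the secrecy of K rests on R_S being encrypted to the target's public key rather than on the hash; and the target's only check is that auth_S decrypts to its own address, so the exchange confirms that the target holds the matching private key but does not by itself authenticate the initiator.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
)

// Terminal is one user terminal holding the private key the center delivered to it (step 1).
type Terminal struct {
	IP   string
	Priv *rsa.PrivateKey
}

// NewTerminal plays the center's key-pair generation of step 1 for one terminal.
func NewTerminal(ip string) (*Terminal, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Terminal{IP: ip, Priv: priv}, nil
}

// SessionKey is steps 3-4: the first 128 bits of K_S = H(IP_D || IP_S || T_STAMP),
// with H instantiated as SHA-256 and the timestamp rendered in decimal.
func SessionKey(ipD, ipS string, ts int64) []byte {
	h := sha256.Sum256([]byte(ipD + ipS + strconv.FormatInt(ts, 10)))
	return h[:16]
}

// Symmetric Encrypt_K' of steps 7 and 9, instantiated as AES-128-GCM with the
// random nonce prepended; a wrong key or a tampered auth_D fails to open.
func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}
func encSym(key, m []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, m, nil), nil
}
func decSym(key, c []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(c) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return g.Open(nil, c[:g.NonceSize()], c[g.NonceSize():], nil)
}

// Initiate is steps 2-5 on the initiator, given the target's public key (Encrypt instantiated
// as RSA-OAEP/SHA-256): returns auth_S = Encrypt(IP_D), R_S = Encrypt(K) and the first key K.
func (s *Terminal) Initiate(ipD string, pubD *rsa.PublicKey, ts int64) ([]byte, []byte, []byte, error) {
	k := SessionKey(ipD, s.IP, ts)
	authS, err1 := rsa.EncryptOAEP(sha256.New(), rand.Reader, pubD, []byte(ipD), nil)
	rs, err2 := rsa.EncryptOAEP(sha256.New(), rand.Reader, pubD, k, nil)
	if err1 != nil || err2 != nil {
		return nil, nil, nil, errors.New("public-key encryption failed")
	}
	return authS, rs, k, nil
}

// Respond is steps 6-8 on the target: reject unless auth_S decrypts to our own IP,
// then recover the second key K' from R_S and answer auth_D = Encrypt_K'(IP_S).
func (d *Terminal) Respond(ipS string, authS, rs []byte) ([]byte, error) {
	ip, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.Priv, authS, nil)
	if err != nil || string(ip) != d.IP {
		return nil, errors.New("reject: auth_S does not name this terminal")
	}
	k2, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.Priv, rs, nil)
	if err != nil || len(k2) != 16 {
		return nil, errors.New("reject: R_S did not yield a 128-bit key")
	}
	return encSym(k2, []byte(ipS))
}

// Finish is step 9 on the initiator: auth_D must decrypt under K to our own IP;
// only then does K become the symmetric key for the data traffic.
func (s *Terminal) Finish(k, authD []byte) ([]byte, error) {
	if ip, err := decSym(k, authD); err != nil || string(ip) != s.IP {
		return nil, errors.New("key exchange failed")
	}
	return k, nil
}

func main() {
	a, _ := NewTerminal("2001:db8:1::10")
	b, _ := NewTerminal("2001:db8:1::20")
	authS, rs, k, _ := a.Initiate(b.IP, &b.Priv.PublicKey, 1700000000)
	authD, _ := b.Respond(a.IP, authS, rs)
	fmt.Println(a.Finish(k, authD))
}
```

The call order is the claim's: Initiate on the requesting terminal, Respond on the target with the two ciphertexts, Finish on the requester with auth_D. An error from Respond is the rejection of step 6, and an error from Finish is the key-exchange failure of step 9; the GCM tag makes the step-9 check fail on a wrong key or on a modified auth_D rather than on a mismatched address alone.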
7. A large-scale Internet of things service domain isolated communication device is characterized by comprising:
the address binding module is used for binding the IPv6 address of the user terminal in the Internet of things, the MAC address of the user terminal and the corresponding switch with each other;
the communication distribution module is used for distributing the communication of the Internet of things before communication according to the real identity of the user terminal in the IPv6 address of the user terminal in the Internet of things;
the bandwidth allocation module is used for allocating different data stream bandwidths according to the resource use state of the large-scale Internet of things service domain;
the resource segmentation module is used for segmenting the access purpose according to the real identity of the user terminal so that an unauthorized user cannot access the service resources outside the authority;
and the communication module is used by each user terminal in the same service domain to realize encrypted communication by means of a key exchange algorithm.
8. An electronic device, comprising:
a memory for storing computer-executable instructions;
a processor configured to perform any of the large-scale internet of things service domain isolated communication methods of claims 1-6.
9. A computer-readable storage medium having stored thereon a computer program for causing a computer to perform any of the large-scale internet of things service domain isolated communication methods of claims 1-6.
CN202111320092.8A 2021-11-09 2021-11-09 Large-scale Internet of things service domain isolated communication method and device, electronic equipment and storage medium Active CN114172930B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111320092.8A CN114172930B (en) 2021-11-09 2021-11-09 Large-scale Internet of things service domain isolated communication method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114172930A true CN114172930A (en) 2022-03-11
CN114172930B CN114172930B (en) 2023-04-07

Family

ID=80478380

Country Status (1)

Country Link
CN (1) CN114172930B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116055226A (en) * 2023-03-30 2023-05-02 睿至科技集团有限公司 Security early warning method and system based on Internet of things
CN116055226B (en) * 2023-03-30 2023-05-30 睿至科技集团有限公司 Security early warning method and system based on Internet of things

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103209200A (en) * 2012-01-16 2013-07-17 上海耀诚通信科技有限公司 Cloud service switching system and service inquiring and switching method
CN103678572A (en) * 2013-12-09 2014-03-26 中国科学院计算机网络信息中心 Method and system for searching for Internet of Things information based on two layers of DHTs
CN108183925A (en) * 2018-03-14 2018-06-19 成都科木信息技术有限公司 narrow band communication method based on LoT
CN108599968A (en) * 2018-03-14 2018-09-28 成都科木信息技术有限公司 Information broadcast method for city Internet of Things
CN112583583A (en) * 2019-09-28 2021-03-30 英特尔公司 Dynamic sharing in a secure memory environment using edge service sidecars
US20210168125A1 (en) * 2019-11-29 2021-06-03 Sri Ram Kishore Vemulpali Intelligent service layer for separating application from physical networks and extending service layer intelligence over ip across the internet, cloud, and edge networks
CN113206858A (en) * 2021-05-13 2021-08-03 南京邮电大学 Mobile target defense method based on internet of things DDoS attack
CN113411190A (en) * 2021-08-20 2021-09-17 北京数业专攻科技有限公司 Key deployment, data communication, key exchange and security reinforcement method and system

Also Published As

Publication number Publication date
CN114172930B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
WO2020133655A1 (en) Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scenario
US8024560B1 (en) Systems and methods for securing multimedia transmissions over the internet
US8082574B2 (en) Enforcing security groups in network of data processors
US8966270B2 (en) Methods and systems for providing controlled access to the internet
Murphy et al. Strong security for active networks
US8909918B2 (en) Techniques to classify virtual private network traffic based on identity
CN102710605A (en) Information security management and control method under cloud manufacturing environment
CN101094394A (en) Method for guaranteeing safe transmission of video data, and video monitoring system
RU2013136403A (en) METHOD AND DEVICE FOR CREATION AND MANAGEMENT OF INFRASTRUCTURE OF DIFFERENT PROTECTION FOR CONTENT-ORIENTED NETWORKS
CN105429962B (en) A kind of general go-between service construction method and system towards encryption data
CN108712364B (en) Security defense system and method for SDN (software defined network)
CN113872944A (en) Block chain-oriented zero-trust security architecture and cluster deployment framework thereof
Tourani et al. TACTIC: Tag-based access control framework for the information-centric wireless edge networks
Xu et al. Expressive bilateral access control for internet-of-things in cloud-fog computing
CN113872760A (en) SM9 key infrastructure and security system
He et al. An accountable, privacy-preserving, and efficient authentication framework for wireless access networks
CN114172930B (en) Large-scale Internet of things service domain isolated communication method and device, electronic equipment and storage medium
Wang et al. A data plane security model of SR-BE/TE based on zero-trust architecture
Wang et al. T-IP: A self-trustworthy and secure Internet protocol
Spina et al. Lightweight dynamic topic-centric end-to-end security mechanism for MQTT
Hlaing et al. Ensuring content integrity and confidentiality in information-centric secure networks
Lohachab Next generation computing: Enabling multilevel centralized access control using UCON and CapBAC model for securing IoT networks
Fossati et al. Love all, trust few: On trusting intermediaries in HTTP
Zuo et al. A novel software-defined network packet security tunnel forwarding mechanism
Edris et al. Security in network services delivery for 5g enabled d2d communications: Challenges and solutions

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant