CN114172936A - Credible communication method applied to Internet of things equipment - Google Patents

Credible communication method applied to Internet of things equipment Download PDF

Info

Publication number
CN114172936A
CN114172936A CN202111516211.7A CN202111516211A CN114172936A CN 114172936 A CN114172936 A CN 114172936A CN 202111516211 A CN202111516211 A CN 202111516211A CN 114172936 A CN114172936 A CN 114172936A
Authority
CN
China
Prior art keywords
equipment
internet
things
data packet
command
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111516211.7A
Other languages
Chinese (zh)
Inventor
罗杰武
林进创
郑日昌
林文件
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CHANGXUN COMMUNICATION SERVICE CO LTD
Original Assignee
CHANGXUN COMMUNICATION SERVICE CO LTD
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CHANGXUN COMMUNICATION SERVICE CO LTD filed Critical CHANGXUN COMMUNICATION SERVICE CO LTD
Priority to CN202111516211.7A priority Critical patent/CN114172936A/en
Publication of CN114172936A publication Critical patent/CN114172936A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16YINFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00IoT infrastructure
    • G16Y30/10Security thereof
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/10Active monitoring, e.g. heartbeat, ping or trace-route
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Cardiology (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a credible communication method applied to equipment of the Internet of things, which comprises the following steps: the Internet of things equipment sends the encrypted heartbeat data packet to a server, and random numbers are added into an FIFO queue; the server confirms the equipment identity information through the received heartbeat data packet, the identity is correct, the latest command number and the latest random number are replaced and recorded, and otherwise, the heartbeat data packet is discarded; when the server sends instruction data to the Internet of things equipment, the instruction data packet is encrypted and then sent to the Internet of things equipment; the Internet of things equipment decrypts the acquired command data packet, confirms identity information, verifies the command number, regenerates the random number to be added into the FIFO queue if the conditions are met, and discards the command data packet if the conditions are not met. The invention improves the safety and solves the hidden danger of replay attack existing in the communication of the Internet of things equipment; compatible with traditional encryption, does not influence the asymmetric encryption of the original transmission process, and can be used in a superposition way.

Description

Credible communication method applied to Internet of things equipment
Technical Field
The invention relates to the technical field of Internet of things, in particular to a credible communication method applied to Internet of things equipment.
Background
When the existing internet of things equipment is communicated with a cloud platform, communication protocols such as TCP/IP, MQTT, HTTP and WS are generally adopted, in order to ensure the safety of communication data, the TCP/IP can be encrypted through SSL, and the MQTT, HTTP and WS can be encrypted through TLS. However, the functions of the internet of things equipment are often single, communication instructions are few, the corresponding relation between the communication ciphertext and the equipment function point is easily obtained through a packet capturing means, and an intruder can achieve the purpose of controlling the internet of things equipment function point by only replaying the communication ciphertext to the internet of things equipment according to the corresponding relation between the communication ciphertext and the function point without decoding the communication ciphertext. In production practice, a scheme of time salting is used for resisting ciphertext replay attack, but an attacker can realize time hijack on equipment through forged network pairs, so that the time salting is bypassed. Therefore, the internet of things equipment only relies on the encryption of the communication content, and huge information safety hidden dangers exist.
The existing internet-of-things equipment communication trusted technology is mainly realized by using encryption communication protocols such as WSS (wireless sensor system) or HTTPS (hypertext transfer protocol secure), the commonly used encryption mode is SSL (secure socket layer) or TLS (thin layer security), which is a type of asymmetric encryption and has better protection capability on communication contents. Taking the SSL HTTPS encrypted communication as an example, the device and the server negotiate a session key first, and then perform a session of key encryption, as shown in fig. 1.
The disadvantages of the prior art are as follows: the method is mainly used for encryption protection of conversation content, but the communication of the Internet of things equipment also has instruction data besides the transmission of content data. The command data is often relatively simple, such as a remotely controllable door access device, which only needs to receive two commands, on and off. It is meaningless to encrypt such a simple instruction, because a hacker does not need to crack the ciphertext, the hacker can directly control the opening and closing of the access control device by copying the ciphertext and using a ciphertext replay mode, thereby causing a serious security accident, such as replay attack shown in fig. 2.
Disclosure of Invention
In order to solve the technical problems, the invention aims to provide a method for the communication security and the credibility of the internet of things equipment, which can judge whether the source of an encryption command is legal and can resist the time hijack and ciphertext replay attack of the equipment.
The purpose of the invention is realized by the following technical scheme:
a method for credible communication of equipment in the Internet of things comprises the following steps:
step A, the Internet of things equipment sends the encrypted heartbeat data packet to a server, and random numbers are added into an FIFO queue;
b, the server confirms the equipment identity information through the received heartbeat data packet, the identity is correct, the latest command number and the latest random number are replaced and recorded, and otherwise, the heartbeat data packet is discarded;
step C, when the server sends instruction data to the Internet of things equipment, the instruction data packet is encrypted and then sent to the Internet of things equipment;
and D, decrypting the obtained command data packet by the Internet of things equipment, confirming identity information, verifying the command number, regenerating a random number by the Internet of things equipment to add the random number into the FIFO queue if the condition is met, and otherwise, discarding the command data packet.
One or more embodiments of the present invention may have the following advantages over the prior art:
the method has the advantages that the concept of the command number is introduced to ensure that the Internet of things equipment is prevented from being attacked by replay, the random number queue is utilized to ensure that the Internet of things equipment can receive commands and send the commands simultaneously, and the length of the concurrent number is less than or equal to the length of the random number queue. On the basis, the existing mainstream encryption technologies such as asymmetric encryption RSA and communication process encryption TLS can be compatible, so that the communication credibility of the Internet of things equipment can be guaranteed.
Drawings
FIG. 1 is a prior art flow diagram;
FIG. 2 is a prior art provided replay attack flow diagram;
fig. 3 is a flow chart of a method for realizing secure and trusted communication of the internet of things equipment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings.
As shown in fig. 3, a flow of a communication trusted method for an internet of things device includes the following steps:
step 10, the Internet of things equipment sends the encrypted heartbeat data packet to a server, and adds a random number into an FIFO queue;
the Internet of things equipment forms heartbeat packet data through the equipment address code, the equipment serial number, the command number and the random number, and the heartbeat packet data are encrypted by the RSA public key and then sent to the server.
Step 20, the server confirms the equipment identity information through the received heartbeat data packet, the identity is correct, the latest command number and the latest random number are replaced and recorded, and otherwise, the heartbeat data packet is discarded;
the server decrypts the data through the RSA secret key and confirms the equipment identity through the equipment address code and the equipment serial number.
The steps 10 and 20 specifically include: forming a heartbeat data packet D by using a serial number function through a device address code MAC, a device serial number ID, a command number N and a random number M
D=fjson(MAC,ID,N,M)
D 'is formed by encrypting D by using RSA algorithm and public key K'
D′=fRAS(D,K)
Adding the random number M into a FIFO (First Input First output) queue, and sending D' to a server through protocols such as MQTT, HTTP and the like. K 'is secret key of server-side RAS'
The decryption process is as follows:
Figure BDA0003398491200000031
the deserialization process is as follows:
Figure BDA0003398491200000032
identity discrimination satisfaction conditions are as follows: { MAC, ID } ═ MACexit,IDexit}。
Step 30, when the server sends instruction data to the Internet of things equipment, encrypting the instruction data packet and sending the encrypted instruction data packet to the Internet of things equipment;
when the equipment of the Internet of things acquires the command data, the command number is increased by 1, and then the command data, the equipment address code, the equipment serial number and the random number form a command data packet, and the command data packet is encrypted by an RSA secret key and then sent to the equipment of the Internet of things.
D 'is formed by making the command number N' ═ N +1, the command data I, the address code MAC, the serial number ID and the random number M of the other devices unchanged
D″=fRAS(fjson(N′,I,MAC,ID,M),K′)
And step 40, the Internet of things equipment decrypts the acquired command data packet, confirms identity information and verifies the command number, if the conditions are met, the Internet of things equipment regenerates the random number and adds the random number into the FIFO queue, and if the conditions are not met, the command data packet is discarded.
The Internet of things equipment decrypts the acquired command data packet through the RSA public key and confirms identity information by using the equipment address code, the equipment serial number and the random number.
The decryption process is as follows:
Figure BDA0003398491200000041
the deserialization process is as follows:
Figure BDA0003398491200000042
the command number is judged to be satisfied: n' > N
After the Internet of things equipment obtains { N ', I, MAC, ID and M } information, identity confirmation is carried out on { MAC, ID } and whether M exists in an FIFO queue is checked, if all M meets the condition, a command I is executed, N is made to be N ', a new random number M ' is generated and added into the FIFO queue, and M is removed from the FIFO queue. If one is not satisfied, the whole information is discarded. The next heartbeat packet data is { MAC, ID, N ', M' } or { MAC, ID, N, M }.
The specific embodiment is as follows:
the device address code MAC, the device serial number ID, the command number N and the random number M form a heartbeat data packet D by using a serial number function, and the heartbeat data packet D is encrypted by using an RAS algorithm and a public key K to obtain D', as shown in the following table 1:
TABLE 1
Figure BDA0003398491200000043
Figure BDA0003398491200000051
The Internet of things equipment adds the random number M into a FIFO (First Input First output) queue and sends D' to the server through protocols such as MQTT and HTTP. The RAS key of the server is K', and the server obtains the heartbeat data packet D by decryption, as shown in table 2 below:
TABLE 2
Figure BDA0003398491200000052
The server extracts the equipment information, the command number and the random number from the heartbeat data packet D through deserialization
Figure BDA0003398491200000053
As shown in Table 3 below
TABLE 3
Figure BDA0003398491200000054
Figure BDA0003398491200000061
And if the equipment address code MAC and the equipment serial number ID are both registered in the server, updating the command number N and the random number M of the equipment corresponding to the server.
D 'is formed by making the command number N' ═ N +1, the command data I, the address code MAC, the serial number ID and the random number M of the other devices unchanged
D″=fRAS(fjson(N ', I, MAC, ID, M), K'); as shown in table 4 below:
TABLE 4
Figure BDA0003398491200000062
Figure BDA0003398491200000071
In step 40, the decryption process is the same as the deserialization process in step 10, step 20 and step 30, and the judgment condition whether to execute the command is as follows: n' > N&&M∈FIFO{M1,M1,...,Mn}. And when the condition is met, making N equal to N ', generating a new random number M' to be added into the FIFO queue, and removing M from the FIFO queue. If one is not satisfied, the whole information is discarded. The next heartbeat packet data is { MAC, ID, N ', M' } or { MAC, ID, N, M }. As shown in table 5 below:
TABLE 5
Figure BDA0003398491200000072
Although the embodiments of the present invention have been described above, the above descriptions are only for the convenience of understanding the present invention, and are not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (8)

1. A method for credible communication applied to equipment of the Internet of things is characterized by comprising the following steps:
step A, the Internet of things equipment sends the encrypted heartbeat data packet to a server, and random numbers are added into an FIFO queue;
b, the server confirms the equipment identity information through the received heartbeat data packet, the identity is correct, the latest command number and the latest random number are replaced and recorded, and otherwise, the heartbeat data packet is discarded;
step C, when the server sends instruction data to the Internet of things equipment, the instruction data packet is encrypted and then sent to the Internet of things equipment;
and D, decrypting the obtained command data packet by the Internet of things equipment, confirming identity information, verifying the command number, regenerating a random number by the Internet of things equipment to add the random number into the FIFO queue if the condition is met, and otherwise, discarding the command data packet.
2. The method for trustable communication of the devices in the internet of things according to claim 1, wherein in the step a: the Internet of things equipment forms heartbeat packet data through the equipment address code, the equipment serial number, the command number and the random number, and the heartbeat packet data are encrypted by the RSA public key and then sent to the server.
3. The method for credible communication applied to equipment in the internet of things according to claim 1, wherein in the step B: the server decrypts the data through the RSA secret key and confirms the equipment identity through the equipment address code and the equipment serial number.
4. The method for the communication trust of the internet of things equipment according to claim 1, wherein the step C specifically comprises: when the equipment of the Internet of things acquires the command data, the command number is increased by 1, and then the command data, the equipment address code, the equipment serial number and the random number form a command data packet, and the command data packet is encrypted by an RSA secret key and then sent to the equipment of the Internet of things.
5. The method for the communication trust of the internet of things equipment according to claim 1, wherein in the step D, the internet of things equipment decrypts the acquired command data packet by using the RSA public key, and confirms the identity information by using the equipment address code, the equipment serial number, and the random number.
6. The method for credible communication of equipment in the internet of things as claimed in claim 1 or 2, wherein the steps a and B specifically comprise: forming a heartbeat data packet D by using a serial number function through a device address code MAC, a device serial number ID, a command number N and a random number M
D=fjson(MAC,ID,N,M)
D 'is formed by encrypting D by using RSA algorithm and public key K'
D′=fRAS(D,K)
Adding a random number M into a FIFO (First Input First output) queue, and sending D' to a server through protocols such as MQTT, HTTP and the like; the secret key of the server RAS is K';
the decryption process is as follows:
Figure FDA0003398491190000021
the deserialization process is as follows:
Figure FDA0003398491190000022
identity discrimination satisfaction conditions are as follows: { MAC, ID } ═ MACexit,IDexit}。
7. The method for credible communication of equipment in the internet of things as claimed in claim 1 or 4, wherein the step C makes the command number N' ═ N +1, the command data is I, and the rest of the equipment address code MAC, the equipment serial number ID and the random number M are not changed, forming D ″
D″=fRAS(fjson(N′,I,MAC,ID,M),K′)。
8. The method for credible communication of Internet of things equipment as claimed in claim 1 or 4, wherein the step C specifically comprises:
the decryption process is as follows:
Figure FDA0003398491190000023
the deserialization process is as follows:
Figure FDA0003398491190000024
the command number is judged to be satisfied: n' > N
After the Internet of things equipment obtains { N ', I, MAC, ID and M } information, performing identity confirmation on { MAC, ID } and checking whether M exists in an FIFO queue, if the M meets the condition, executing a command I, and if N is equal to N ', generating a new random number M ' to be added into the FIFO queue, and removing M from the FIFO queue; if one part does not meet the requirement, discarding the whole information; the next heartbeat packet data is { MAC, ID, N ', M' } or { MAC, ID, N, M }.
CN202111516211.7A 2021-12-08 2021-12-08 Credible communication method applied to Internet of things equipment Pending CN114172936A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111516211.7A CN114172936A (en) 2021-12-08 2021-12-08 Credible communication method applied to Internet of things equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111516211.7A CN114172936A (en) 2021-12-08 2021-12-08 Credible communication method applied to Internet of things equipment

Publications (1)

Publication Number Publication Date
CN114172936A true CN114172936A (en) 2022-03-11

Family

ID=80485897

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111516211.7A Pending CN114172936A (en) 2021-12-08 2021-12-08 Credible communication method applied to Internet of things equipment

Country Status (1)

Country Link
CN (1) CN114172936A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120124367A1 (en) * 2010-11-15 2012-05-17 Trilliant Holdings Inc. System and Method for Securely Communicating Across Multiple Networks Using a Single Radio
CN107835145A (en) * 2016-09-21 2018-03-23 炫彩互动网络科技有限公司 The method and distributed system of a kind of anti-replay-attack
CN109194656A (en) * 2018-09-10 2019-01-11 国家电网有限公司 A kind of method of distribution wireless terminal secure accessing
CN110377268A (en) * 2019-07-25 2019-10-25 中国工商银行股份有限公司 Serial number generation method, device and storage medium
CN112511548A (en) * 2020-12-02 2021-03-16 中电科鹏跃电子科技有限公司 Method and device for preventing replay attack

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120124367A1 (en) * 2010-11-15 2012-05-17 Trilliant Holdings Inc. System and Method for Securely Communicating Across Multiple Networks Using a Single Radio
CN107835145A (en) * 2016-09-21 2018-03-23 炫彩互动网络科技有限公司 The method and distributed system of a kind of anti-replay-attack
CN109194656A (en) * 2018-09-10 2019-01-11 国家电网有限公司 A kind of method of distribution wireless terminal secure accessing
CN110377268A (en) * 2019-07-25 2019-10-25 中国工商银行股份有限公司 Serial number generation method, device and storage medium
CN112511548A (en) * 2020-12-02 2021-03-16 中电科鹏跃电子科技有限公司 Method and device for preventing replay attack

Similar Documents

Publication Publication Date Title
US10432591B2 (en) Establishing a communication event using secure signaling
US10893076B2 (en) Data compression for communications signalling
JP6495548B2 (en) Computer-implemented encryption method for improving computer network, terminal, system and computer-readable medium for them
US9456002B2 (en) Selective modification of encrypted application layer data in a transparent security gateway
EP3369240B1 (en) Protocol fallback during call signaling
EP3461097B1 (en) Encrypted content detection method and apparatus
CN110266485B (en) Internet of things safety communication control method based on NB-IoT
KR101448866B1 (en) Security apparatus for decrypting data encrypted according to the web security protocol and operating method thereof
CN113645115B (en) Virtual private network access method and system
KR101089269B1 (en) Attack Detection Method And System with Secure SIP Protocol
US20160191493A1 (en) System and method of authenticating a live video stream
CN102843375B (en) Method for controlling network access based on identification in IP (Internet Protocol) protocol
CN114172936A (en) Credible communication method applied to Internet of things equipment
CN111970281B (en) Routing equipment remote control method and system based on verification server and electronic equipment
CN117201200B (en) Data safety transmission method based on protocol stack
CN116488815A (en) Encryption protocol method and system based on cloud PLC
Liu et al. The research of streaming media mutual digest authentication model based on RTSP protocol

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination