CN114302356A - Communication method, system and storage medium for sharing secret key - Google Patents


Publication number
CN114302356A
Authority
CN
China
Prior art keywords
internet
things
server
key
equipment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111544402.4A
Other languages
Chinese (zh)
Inventor
李建国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a communication method, system and storage medium for sharing a secret key. The communication method comprises the following steps: the Internet of Things trust anchor device establishes a trust relationship with the limited Internet of Things device; the server establishes a communication connection with the Internet of Things trust anchor device and obtains, through the trust anchor device, a first temporary shared key and a link random number for accessing the limited Internet of Things device; and the server establishes a communication connection with the limited Internet of Things device based on the first temporary shared key, the link random number and the PSK-DTLS protocol. In implementing an end-to-end secure connection based on a symmetric key, the method and device reduce the memory and ROM usage of the limited Internet of Things device, improve the security of the key and reduce the performance requirements on the limited Internet of Things device.

Description

Communication method, system and storage medium for sharing secret key
Technical Field
The application relates to the technical field of communication of the Internet of things, in particular to a communication method, a communication system and a storage medium for sharing a secret key.
Background
The development of 5G networks, low-power local/wide-area wireless network technologies and adaptive IP technologies has rapidly driven the emergence of a new class of application networks, the Internet of Things (IoT). The Internet of Things has brought a new type of networked device with highly limited computing capacity, memory resources and power supply. Such devices can connect to the Internet of Things over the IP protocol, and these resource-limited devices are referred to as limited Internet of Things devices.
Specifically, in a resource-restricted Internet of Things, the limited Internet of Things devices have the following characteristics: they have low computing/storage resources, are battery powered, connect over low-power short-range wireless networks, use IP network technology and are deployed in an open environment without physical protection; a group of Internet of Things devices deployed in the same area to carry out a specific task forms an Internet of Things local area network; an Internet of Things gateway connects different or heterogeneous networks and links the Internet of Things local area network to an enterprise local area network or to a server on the Internet; and the server and the enterprise local area network are in a physically protected environment. The use of IP technology enables a limited Internet of Things device to communicate end to end with other limited Internet of Things devices or with services located in a remote network domain. For example, an IP-enabled sensor device implanted in the body can transparently send the patient medical data it collects to an electronic health server without any application-level interaction at the Internet of Things gateway.
In this case, however, the transmitted information may be routed through an untrusted network infrastructure (e.g., the internet) or a wireless local area network (e.g., a bluetooth network). Therefore, in the resource-constrained internet of things, providing peer-to-peer authentication and end-to-end data protection is a key requirement to prevent eavesdropping of sensitive information or malicious triggering of harmful execution tasks.
To provide end-to-end secure connectivity in the Internet of Things (IoT), variants of traditional end-to-end IP security protocols, such as DTLS and minimal IKEv2, have been proposed for use in the constrained Internet of Things. All of these protocol variants take public key cryptography into account in their design. Using public key cryptography in a limited Internet of Things environment has the following disadvantages: it generates a large amount of processing and transmission overhead, its implementation occupies a large amount of RAM and ROM, and its energy consumption is high. Therefore, limited Internet of Things devices mostly use symmetric key technology to provide end-to-end secure connections.
At present there are two ways of providing an end-to-end secure connection with symmetric key technology: the DTLS (Datagram Transport Layer Security) approach, and the Kerberos and Kerberos-like approaches. The DTLS approach has the following disadvantages: (1) before a DTLS connection is established, both communicating parties must securely deploy the symmetric key information on the communication endpoints; (2) before deployment, a limited Internet of Things device needs to know, and share keys with, all clients that may communicate with it. In particular, when the clients that will communicate with a limited Internet of Things device cannot be determined in advance, disclosing the device's pre-shared secret to every client that might potentially communicate with it is a very insecure method.
The Kerberos and Kerberos-like approaches, on the other hand, have the following disadvantages: (1) the Kerberos client protocol must be implemented on the limited Internet of Things device, which is complex and therefore occupies more of the device's memory and ROM; (2) many messages are transmitted and the messages are long, which consumes the network bandwidth and electrical energy of the Internet of Things.
Disclosure of Invention
An object of the embodiments of the present application is to provide a communication method, a system, and a storage medium for sharing a secret key, which are used to reduce the occupancy rates of a memory and a ROM of a limited internet of things device, improve the security of the secret key, and reduce the performance requirements of the limited internet of things device in the process of implementing end-to-end secure connection based on a symmetric secret key.
To this end, a first aspect of the present application discloses a shared-key-based communication method applied to a shared-key-based communication system, where the system includes a limited Internet of Things device, an Internet of Things trust anchor device and a server, and the method includes:
the Internet of Things trust anchor device establishes a trust relationship with the limited Internet of Things device;
the server establishes a communication connection with the Internet of Things trust anchor device and obtains, through the Internet of Things trust anchor device, a first temporary shared key and a link random number for accessing the limited Internet of Things device;
and the server establishes a communication connection with the limited Internet of Things device based on the first temporary shared key, the link random number and the PSK-DTLS protocol.
In the first aspect, as an optional implementation manner, the establishing, by the internet of things trust anchor device, a trust relationship with the restricted internet of things device includes:
the restricted internet of things device stores a master symmetric key;
the Internet of Things trust anchor device generates a first data table for storing information about the limited Internet of Things device, where this information comprises the master symmetric key, the ID (identity) of the limited Internet of Things device and the IP (Internet Protocol) address of the limited Internet of Things device;
the Internet of things trust anchor equipment responds to a certificate deployment instruction to store certificate information;
and the Internet of things trust anchor equipment generates a second data table, and the second data table is used for storing server authority information allowing access to the limited Internet of things equipment.
In the first aspect, as an optional implementation manner, the server permission information includes an ID of an accessible server, an access account, an access password, and an ID of the restricted internet of things device that the server allows to access.
In the first aspect, as an optional implementation manner, the obtaining, by the server, a first temporary shared key and a link random number for accessing the restricted internet of things device through the internet of things trust anchor device includes:
the server establishes TLS (transport layer security) secure connection with the Internet of things trust anchor equipment;
the server and the IOT trust anchor device perform mutual authentication based on the certificate information and the certificate mechanism;
after the server passes authentication and the IOT trust anchor equipment passes authentication, the server sends a key acquisition request to the IOT trust anchor equipment, wherein the key acquisition request carries the ID of the server and the ID of the limited IOT equipment;
the IOT trust anchor device determining whether the server has permission to access the restricted IOT device based on the ID of the server and the second data table;
when the server has the authority of accessing the limited internet of things equipment, the internet of things trust anchor equipment reads the serial number of the limited internet of things equipment based on the first data table;
the IOT trust anchor device generates the first temporary shared key and the link random number based on a serial number of the limited IOT device, a number of a preset key derivation algorithm, an ID of the IOT trust anchor device, identity information of the server, the ID of the limited IOT device and a preset key length;
the internet of things trust anchor equipment sends the first temporary shared secret key and the link random number to the server;
and the server saves the first temporary shared secret key and the link random number based on the ID of the limited Internet of things equipment.
In the first aspect, as an optional implementation manner, the initial value of the serial number of the limited Internet of Things device is 0;
and after the Internet of Things trust anchor device sends the first temporary shared key and the link random number to the server, the method further comprises:
the Internet of Things trust anchor device updates the serial number of the limited Internet of Things device.
In the first aspect, as an optional implementation manner, the generating, by the Internet of Things trust anchor device, of the first temporary shared key and the link random number based on the serial number of the limited Internet of Things device, the number of the preset key derivation algorithm, the ID of the Internet of Things trust anchor device, the identity information of the server, the ID of the limited Internet of Things device and the preset key length includes:
encoding the serial number of the limited Internet of Things device, the number of the preset key derivation algorithm, the ID of the Internet of Things trust anchor device, the identity information of the server, the ID of the limited Internet of Things device and the preset key length based on a BASE64 encoder to generate the link random number;
decoding the link random number based on a BASE64 decoder to obtain the ID of the first temporary shared secret key;
and the Internet of things trust anchor equipment takes the ID of the first temporary shared secret key and the master symmetric secret key as input parameters of the SHA256 algorithm, and obtains the first temporary shared secret key through the SHA256 algorithm.
In the first aspect, as an optional implementation manner, the establishing, by the server, of a communication connection with the limited Internet of Things device based on the first temporary shared key, the link random number and the PSK-DTLS protocol includes:
the server sends an authentication request to the limited Internet of things equipment, wherein the authentication request carries the link random number;
the limited internet of things equipment generates a second temporary shared key based on the link random number and the master symmetric key, wherein the second temporary shared key and the first temporary shared key are symmetric keys;
and establishing communication connection with the limited Internet of things equipment based on the second temporary shared secret key and the first temporary shared secret key.
In the first aspect, as an optional implementation manner, after the server sends an authentication request to the restricted internet of things device, before the restricted internet of things device generates a second temporary shared key based on the link random number and the master symmetric key, the method further includes:
the limited Internet of things equipment verifies whether the length of the link random number is within a preset length range;
when the length of the link random number is within a preset length range, the limited internet of things device decodes the link random number based on a Base64 decoder and obtains decoding information;
the limited Internet of things equipment judges whether the length of the decoding information is equal to a preset length threshold value or not;
when the length of the decoding information is equal to the preset length threshold, the limited internet of things equipment compares the decoding information with the information of the limited internet of things equipment to verify whether the decoding information is correct;
and when the decoding information is verified to be correct, the limited Internet of Things device performs the step of generating a second temporary shared key based on the link random number and the master symmetric key.
The second aspect of the application discloses a communication system based on a shared key, which comprises a limited internet of things device, an internet of things trust anchor device and a server, wherein the server establishes communication connection with the limited internet of things device through the method of the first aspect of the application.
A third aspect of the present application discloses a storage medium storing computer instructions for executing the shared key based communication method of the first aspect of the present application when the computer instructions are invoked.
Compared with the prior art, the beneficial technical effects of the application are:
According to the embodiments of the application, through the trust relationship between the Internet of Things trust anchor device TA and the limited Internet of Things device Di, a key needs to be shared only between the limited Internet of Things device Di and the Internet of Things trust anchor device TA that it trusts. The limited Internet of Things device Di can then carry out end-to-end secure communication based on PSK-DTLS with any server S without sharing a key with the server S. The shared key is used only to generate temporary shared keys and is never transmitted over the network, which improves the security of the shared key. In addition, the original PSK-DTLS protocol is only slightly modified, which reduces protocol complexity in the communication process.
Furthermore, the key acquisition process is carried out using the computing capacity of the Internet of Things trust anchor device TA, and the limited Internet of Things device Di only needs to communicate with the server S, so the CPU and memory/ROM requirements of the limited Internet of Things device Di are not increased and neither is its power consumption. The method also scales well and can be applied in large-scale Internet of Things environments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a communication method based on a shared secret key disclosed in an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a communication system sharing a secret key disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Example one
Referring to fig. 1, fig. 1 is a flowchart illustrating a communication method based on a shared secret key according to an embodiment of the present application, where the communication method based on the shared secret key according to the embodiment of the present application is applied to a communication system based on the shared secret key. As shown in fig. 1, a communication method based on a shared key according to an embodiment of the present application includes the following steps:
101. the Internet of Things trust anchor device establishes a trust relationship with the limited Internet of Things device;
102. the server establishes a communication connection with the Internet of Things trust anchor device and obtains, through the Internet of Things trust anchor device, a first temporary shared key and a link random number for accessing the limited Internet of Things device;
103. the server establishes a communication connection with the limited Internet of Things device based on the first temporary shared key, the link random number and the PSK-DTLS protocol.
According to the communication method based on the shared key, through the trust relationship between the Internet of Things trust anchor device TA and the limited Internet of Things device Di, a key needs to be shared only between the limited Internet of Things device Di and the Internet of Things trust anchor device TA that it trusts. The limited Internet of Things device Di can then carry out end-to-end secure communication based on PSK-DTLS with any server S without sharing a key with the server S. The shared key is used only to generate temporary shared keys and is never transmitted over the network, which improves the security of the shared key. In addition, the method of the embodiment of the application modifies the original PSK-DTLS protocol only slightly, which reduces protocol complexity in the communication process.
Furthermore, in the embodiment of the application, the key acquisition process is carried out using the computing capacity of the Internet of Things trust anchor device TA, and the limited Internet of Things device Di only needs to communicate with the server S, so the CPU and memory/ROM requirements of the limited Internet of Things device Di are not increased and neither is its power consumption. The method provided by the embodiment of the application also scales well and can be applied in large-scale Internet of Things environments.
In the embodiment of the present application, as an optional implementation manner, step 101, in which the Internet of Things trust anchor device establishes a trust relationship with the limited Internet of Things device, comprises the following substeps:
the limited Internet of Things device stores a master symmetric key;
the Internet of Things trust anchor device generates a first data table for storing information about the limited Internet of Things device, where this information comprises the master symmetric key, the ID (identity) of the limited Internet of Things device and the IP (Internet Protocol) address of the limited Internet of Things device;
the Internet of Things trust anchor device stores certificate information in response to a certificate deployment instruction;
and the Internet of Things trust anchor device generates a second data table, which is used for storing the permission information of servers allowed to access the limited Internet of Things device.
In this embodiment, as an optional implementation manner, the server permission information includes an ID of an accessible server, an access account, an access password, and an ID of a restricted internet of things device that the server allows to access.
In this optional implementation manner, optionally, the user may generate the master symmetric key by using a preset key generation algorithm, where the preset key generation algorithm is not limited in this embodiment of the present application. Further optionally, after the master symmetric key is generated, the user may send the master symmetric key to the device manufacturer to delegate the device manufacturer to burn the master symmetric key to the limited internet of things device.
In this optional implementation, optionally, the master symmetric key may also be generated securely by a manufacturer using a preset key generation algorithm, and the manufacturer burns the master symmetric key into the limited internet of things device, and then notifies the user of the master symmetric key by a secure means, such as an encrypted email.
In this optional embodiment, the certificate information is used to implement mutual authentication between the server and the internet of things trust anchor device based on a certificate mechanism, and for this process, please refer to the prior art, which is not described in detail in this embodiment of the present application.
In this optional embodiment, the first data table contains the IP address of the limited Internet of Things device, and the master symmetric key and the ID of the limited Internet of Things device are associated as the primary key. The table is used, during communication between the limited Internet of Things device and the server, to look up the complete set of required parameters from any one parameter, so that the communication between the limited Internet of Things device and the server can proceed on the basis of the complete parameters.
In this optional embodiment, as an example of the first data table, as shown in table 1, DevIP represents an IP address of the limited internet-of-things device, DevID represents an ID of the limited internet-of-things device, DevKey represents a master symmetric key, and SN represents a serial number of the limited internet-of-things device (the serial number of the limited internet-of-things device is used in the following generation process of the link random number).
TABLE 1 (table image not reproduced in this text)
In this optional embodiment, the second data table is used, when the server requests a connection to the limited Internet of Things device, to determine whether the server and the account currently logged in on the server have permission to access the limited Internet of Things device. For example, when user A logs in on the server, the information entered by user A and the second data table may show that user A has access permission; when user B logs in on the server, the information entered by user B and the second data table may show that user B does not have access permission.
In this optional embodiment, as an example of the second data table, as shown in table 2, ClientID represents an ID of the server, Account represents an access Account, PW represents an access password, and PermitID represents an ID of the restricted internet of things device that the server allows to access.
ClientID    Account    PW     PermitIDS
D1          xxxx       xxx    {D1, Dn}
..          xxxx       xxx    {D1, Dn}
Dn          xxxx       xxx    {D1, Dn}
TABLE 2
In the embodiment of the present application, as an optional implementation manner, as shown in Fig. 2, step 102, in which the server establishes a communication connection with the Internet of Things trust anchor device and obtains, through the Internet of Things trust anchor device, a first temporary shared key and a link random number for accessing the limited Internet of Things device, comprises the following substeps:
the server establishes a TLS (Transport Layer Security) secure connection with the Internet of Things trust anchor device;
the server and the Internet of things trust anchor equipment perform mutual authentication based on certificate information and a certificate mechanism;
after the server passes the authentication and the internet of things trust anchor equipment passes the authentication, the server sends a key acquisition request to the internet of things trust anchor equipment, wherein the key acquisition request carries the ID of the server and the ID of the limited internet of things equipment;
the Internet of things trust anchor equipment determines whether the server has the authority of accessing the limited Internet of things equipment or not based on the ID of the server and a second data table;
when the server has the right to access the limited internet of things equipment, the internet of things trust anchor equipment reads the serial number of the limited internet of things equipment based on the first data table;
the Internet of Things trust anchor device generates a first temporary shared key and a link random number based on the serial number of the limited Internet of Things device, the number of a preset key derivation algorithm, the ID of the Internet of Things trust anchor device, the identity information of the server, the ID of the limited Internet of Things device and a preset key length;
the internet of things trust anchor equipment sends the first temporary shared secret key and the link random number to a server;
the server stores the first temporary shared secret key and the link random number based on the ID of the limited Internet of things device.
In this optional embodiment, the TLS secure connection between the server and the Internet of Things trust anchor device is implemented over the IP protocol; for the specific process, refer to the prior art, which is not described in this embodiment of the present application. Likewise, for the specific process by which the server and the Internet of Things trust anchor device perform mutual authentication based on certificate information and a certificate mechanism, refer to the prior art, which is not described in detail in this embodiment of the present application.
In this optional embodiment, optionally, step 102 further includes the following sub-steps:
and when the server has no access right to the limited Internet of things equipment, the Internet of things trust anchor equipment returns access refusing information to the server.
In this optional embodiment, the preset key derivation algorithm is a secure hash algorithm; for example, it may be one of SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. Accordingly, the number of the preset key derivation algorithm is the number corresponding to that secure hash algorithm. For example, when the preset key derivation algorithm is SHA-1, its number is {0x0C, 0x44, 0x4A}; that is, the number of the preset key derivation algorithm is a 3-byte constant.
In this optional embodiment, optionally, the serial number of the limited Internet of Things device is 8 bytes long, the ID of the Internet of Things trust anchor device is 1 byte long, the identity information of the server is 12 bytes long, the ID of the limited Internet of Things device is 12 bytes long, and the preset key length is 1 byte long. It should be noted that the preset key length represents the length of the preset first temporary shared key; for example, the length of the preset first temporary shared key is 37.
In this application embodiment, as an optional implementation manner, an initial value of a serial number of the limited internet of things device is 0, and accordingly, after the internet of things trust anchor device sends the first temporary shared key and the link random number to the server, the method in this application embodiment further includes the following steps:
and the internet of things trust anchor equipment updates the serial number of the limited internet of things equipment.
In this optional embodiment, the serial number of the limited internet of things device is updated after the internet of things trust anchor device generates the first temporary shared key and the link random number each time, and thus, the first temporary shared key and the link random number generated each time can be generated based on different serial numbers, so that the first temporary shared key generated each time is different, and the security of the first temporary shared key is further improved.
In this optional implementation manner, optionally, the specific way for the internet of things trust anchor device to update the serial number of the limited internet of things device is as follows:
and after the internet of things trust anchor equipment generates the first temporary shared secret key and the link random number, accumulating the serial number of the limited internet of things equipment by 1.
Exemplarily, assuming that the SN represents a serial number of the restricted internet of things device, the internet of things trust anchor device executes SN +1 after each generation of the first temporary shared key and the link random number.
In this embodiment of the application, as an optional implementation manner, the generating, by the internet of things trust anchor device, the first temporary shared key and the link random number based on the serial number of the limited internet of things device, the number of the preset key derivation algorithm, the ID of the internet of things trust anchor device, the identity information of the server, the ID of the limited internet of things device, and the preset key length includes:
encoding a serial number of the limited internet of things equipment, a number of a preset key derivation algorithm, an ID of the internet of things trust anchor equipment, identity information of a server, an ID of the limited internet of things equipment and a preset key length based on a BASE64 encoder to generate a link random number;
decoding the link random number based on a BASE64 decoder to obtain the ID of the first temporary shared secret key;
the Internet of things trust anchor equipment takes the ID of the first temporary shared secret key and the main symmetric secret key as input parameters of the SHA256 algorithm, and obtains the first temporary shared secret key through the SHA256 algorithm.
In this optional embodiment, please refer to the prior art for a specific working process of the BASE64 encoder and the BASE64 decoder, which is not described in detail in this embodiment.
In this optional embodiment, please refer to the prior art for a specific working process of the SHA256 algorithm, which is not described in detail in this embodiment.
In the embodiment of the present application, as an optional implementation manner, step 103, in which the server establishes a communication connection with the limited internet of things device based on the first temporary shared key, the link random number and the PSK_DTLS protocol, comprises the following sub-steps:
the server sends an authentication request to the limited Internet of things equipment, wherein the authentication request carries a link random number;
the limited Internet of things equipment generates a second temporary shared key based on the link random number and the master symmetric key, and the second temporary shared key and the first temporary shared key are symmetric keys;
and the server establishes communication connection with the limited Internet of things equipment based on the second temporary shared key, the first temporary shared key and the PSK_DTLS protocol.
In the embodiment of the application, based on the second temporary shared key, the first temporary shared key, and the PSK_DTLS protocol, a specific process of establishing a communication connection with the limited internet of things device is as follows:
and judging whether the second temporary shared key is consistent with the first temporary shared key or not based on a PSK-DTLS protocol, and if so, establishing communication connection between the server and the limited Internet of things equipment.
In this optional embodiment, please refer to the prior art for a specific process of the PSK_DTLS protocol, which is not described in detail in this embodiment.
In an embodiment, as an optional implementation manner, after the server sends the authentication request to the limited internet of things device, before the limited internet of things device generates the second temporary shared key based on the link random number and the master symmetric key, the method of the embodiment of the present application further includes the following sub-steps:
the limited Internet of things equipment verifies whether the length of the link random number is within a preset length range;
when the length of the link random number is within a preset length range, the limited internet of things device decodes the link random number based on a Base64 decoder and obtains decoding information;
the limited Internet of things equipment judges whether the length of the decoding information is equal to a preset length threshold value or not;
when the length of the decoding information is equal to a preset length threshold value, the limited internet of things equipment compares the decoding information with the information of the limited internet of things equipment to verify whether the decoding information is correct or not;
when the decoding information is verified to be correct, the limited internet of things device executes the step of generating a second temporary shared key based on the link random number and the master symmetric key.
In this optional embodiment, by determining the length of the link random number and the length of the decoding information, the server can be rejected from being connected with the limited internet of things device on the premise that the length of the link random number and the length of the decoding information do not meet the requirement, so that the security of the limited internet of things device is further improved.
In this optional embodiment, the preset length range is 37 to 60 bytes. Accordingly, as an example, if the limited internet of things device verifies that the length of the link random number is 35 bytes, the link random number is not within the preset length range. In this case the second temporary shared key is NULL, that is, the limited internet of things device does not generate the second temporary shared key, so the limited internet of things device cannot establish a communication connection with the server based on the symmetric first temporary shared key and second temporary shared key.
In this optional embodiment, the preset length threshold is 37, and accordingly, when the limited internet of things device determines that the length of the decoding information is 36, the length is not equal to 37, and the second temporary shared key is NULL, that is, the limited internet of things device does not generate the second temporary shared key, so that the limited internet of things device cannot perform communication connection with the server based on the symmetric first temporary shared key and the symmetric second temporary shared key.
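The derivation steps and the device-side checks described above can be exercised end to end with the following sketch. It is an added example, not code from the application: the concatenation order of the SHA256 inputs, the 3-byte algorithm number placeholder, the key length value 32, the choice of fields compared against the device's own information, and all sample IDs and keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Field widths from the description: 8 + 3 + 1 + 12 + 12 + 1 = 37 bytes.
# Order: serial number, algorithm number, TA ID, server identity, device ID, key length.
RECORD = struct.Struct(">Q3sB12s12sB")
DECODED_LEN = 37              # preset length threshold for the decoded information
NONCE_LEN_RANGE = (37, 60)    # preset length range for the encoded link random number
ALG_NUMBER = bytes(3)         # placeholder: the description gives only the SHA-1 number
KEY_LEN = 32                  # assumed value: size of a SHA-256 digest

# Constructed sample values (not from the application).
MASTER_KEY = bytes(range(32))
DEVICE_ID = b"DEVICE-00001"
SERVER_ID = b"SERVER-00001"
TA_ID = 1


def derive_key(key_id: bytes, master_key: bytes) -> bytes:
    """SHA256 over the key ID and the master symmetric key.

    Assumption: the two inputs are concatenated in this order; the
    description does not say how they are combined.
    """
    return hashlib.sha256(key_id + master_key).digest()


class TrustAnchor:
    """Trust anchor side: holds the per-device master key and serial number."""

    def __init__(self, ta_id: int, devices: dict):
        self.ta_id = ta_id
        # Stand-in for the "first data table"; the serial number starts at 0.
        self.table = {d: {"master_key": k, "sn": 0} for d, k in devices.items()}

    def issue(self, server_id: bytes, device_id: bytes):
        entry = self.table[device_id]
        record = RECORD.pack(entry["sn"], ALG_NUMBER, self.ta_id,
                             server_id, device_id, KEY_LEN)
        link_nonce = base64.b64encode(record)    # link random number
        key_id = base64.b64decode(link_nonce)    # ID of the first temporary key
        temp_key = derive_key(key_id, entry["master_key"])
        entry["sn"] += 1                         # SN + 1 after each generation
        return temp_key, link_nonce


def device_derive(link_nonce: bytes, own_id: bytes, master_key: bytes):
    """Device side: return the second temporary key, or None (NULL) on any failed check."""
    low, high = NONCE_LEN_RANGE
    if not low <= len(link_nonce) <= high:       # check 1: encoded length in range
        return None
    try:
        decoded = base64.b64decode(link_nonce, validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return None
    if len(decoded) != DECODED_LEN:              # check 2: decoded length equals 37
        return None
    _sn, alg, _ta, _server, device_id, key_len = RECORD.unpack(decoded)
    # Check 3: compare decoded fields with the device's own information.
    if not hmac.compare_digest(device_id, own_id):
        return None
    if alg != ALG_NUMBER or key_len != KEY_LEN:
        return None
    return derive_key(decoded, master_key)


def demo():
    ta = TrustAnchor(TA_ID, {DEVICE_ID: MASTER_KEY})
    first_key, nonce = ta.issue(SERVER_ID, DEVICE_ID)
    second_key = device_derive(nonce, DEVICE_ID, MASTER_KEY)
    return first_key, nonce, second_key


if __name__ == "__main__":
    k1, nonce, k2 = demo()
    print(len(nonce), k1 == k2)
```

The 37-byte record encodes to 52 Base64 characters, which is why a well-formed link random number falls inside the 37 to 60 range while the 35-byte and 36-byte cases in the description are rejected.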
Example two
Referring to fig. 2, fig. 2 is a schematic structural diagram of a communication system sharing a secret key according to an embodiment of the present disclosure. As shown in fig. 2, the communication system based on a shared key according to the embodiment of the present application includes a limited internet of things device and a server, wherein the server establishes communication connection with the limited internet of things device through the communication method based on a shared secret key in the embodiment of the application.
Further, as shown in fig. 2, the communication system for sharing a secret key further includes an internet of things trust anchor device TA.
Specifically, in the embodiment of the present application, as shown in fig. 2, the shared key-based communication system includes n limited internet of things devices, a server located on a local area network or on the Internet, and an internet of things trust anchor device, where the server is denoted by S, the internet of things trust anchor device is denoted by TA, and the limited internet of things devices are denoted by Di, where i = 0, 1, 2, …, n, and n is the total number of the limited internet of things devices.
More specifically, as shown in fig. 2, n limited internet of things devices Di and an internet of things trust anchor device TA may be in communication connection, where the internet of things trust anchor device TA and the managed limited internet of things devices Di are in the same management domain, and the internet of things trust anchor device TA may be a device with rich resources and has strong calculation, storage and communication capabilities, for example, the internet of things trust anchor device TA may be a server or a dedicated device, optionally, the internet of things trust anchor device TA may also be embedded in other network devices in a modular manner, for example, the internet of things trust anchor device TA may be embedded in an internet of things gateway GW.
In the embodiment of the application, the trust anchor device TA of the internet of things is deployed in an environment with physical protection measures, such as an office building of an enterprise, so that the master symmetric key stored in the trust anchor device TA of the internet of things can be prevented from being leaked based on the physical protection measures.
In this embodiment, as shown in fig. 2, the system of this embodiment may further include an Internet of things gateway GW, where the Internet of things gateway GW is in communication connection with the limited Internet of things device Di in the formulated network domain, and the Internet of things gateway GW serves as an IP packet repeater and connects the limited Internet of things to a local IP network infrastructure or the Internet through a conventional wired or wireless connection.
In this embodiment of the application, optionally, the limited internet of things device Di may communicate with the internet of things gateway GW through limited link layer technologies such as 6LoWPAN, IEEE 802.15.4, Bluetooth, and LoWAN, and perform communication connection with the internet of things trust anchor device TA or the server S through the internet of things gateway GW.
In the embodiment of the application, the trust anchor device TA of the internet of things is in communication connection with the server S through an IP protocol. On the other hand, the limited internet of things device Di is in communication connection with the server S through the PSK-DTLS protocol.
It should be noted that the restricted internet of things device is an internet of things device located in a resource restricted domain, where network resources accessible by the restricted network domain are restricted. Further, the limited internet of things device can be an intelligent household device, an industrial sensor, an intelligent camera, or other electronic devices depending on the internet of things technology. On the other hand, in the embodiment of the application, the internet of things trust anchor device may be a host, and the server may also be a host.
By executing the communication method based on the shared secret key, the system of the embodiment of the application shares the secret key only between the limited internet of things device Di and the internet of things trust anchor device TA trusted by the limited internet of things device Di. The limited internet of things device Di can realize PSK-DTLS-based end-to-end secure communication with any server S without sharing the secret key with the server S, and the shared secret key is only used for generating the temporary shared secret key and is not transmitted on the network, so that the security of the shared secret key can be improved. On the other hand, the method of the embodiment of the application makes only small modifications to the original PSK-DTLS protocol, and can reduce the protocol complexity in the communication process.
On the other hand, in the embodiment of the application, the key acquisition process is completed using the computing capability of the internet of things trust anchor device TA, and the limited internet of things device Di only needs to communicate with the server S, so the CPU and memory/ROM requirements of the limited internet of things device Di are not increased, and the power consumption of the limited internet of things device is not increased either. In another aspect, the system of the embodiment of the application has good expansibility, and can be applied to a large-scale internet of things environment.
Example three
The embodiment of the application discloses a storage medium, wherein the storage medium stores computer instructions, and the computer instructions are used for executing the communication method based on the shared secret key in the first embodiment of the application when being called.
By means of the trust relationship between the internet of things trust anchor device TA and the limited internet of things device Di, the storage medium of the embodiment of the application shares the key only between the limited internet of things device Di and the internet of things trust anchor device TA trusted by the limited internet of things device Di. The limited internet of things device Di can realize PSK-DTLS-based end-to-end secure communication with any server S without sharing the password with the server S, and the shared key is only used for generating a temporary shared key and is not transmitted on the network, so that the security of the shared key can be improved. On the other hand, the method of the embodiment of the application makes only small modifications to the original PSK-DTLS protocol, and can reduce the protocol complexity in the communication process.
On the other hand, in the embodiment of the application, the key acquisition process is completed using the computing capability of the internet of things trust anchor device TA, and the limited internet of things device Di only needs to communicate with the server S, so the CPU and memory/ROM requirements of the limited internet of things device Di are not increased, and the power consumption of the limited internet of things device is not increased either. In another aspect, the storage medium of the embodiment of the application has good expansibility, and can be applied to a large-scale internet of things environment.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
It should be noted that the functions, if implemented in the form of software functional modules and sold or used as independent products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A communication method based on a shared key is characterized in that the method applies the communication system based on the shared key, the system comprises a limited Internet of things device, an Internet of things trust anchor device and a server, and the method comprises the following steps:
the internet of things trust anchor equipment establishes a trust relationship with the limited internet of things equipment;
the server is in communication connection with the Internet of things trust anchor device, and acquires a first temporary shared key and a link random number for accessing the limited Internet of things device through the Internet of things trust anchor device;
and the server establishes communication connection with the limited Internet of things equipment based on the first temporary shared secret key, the link random number and a PSK_DTLS protocol.
2. The method of claim 1, wherein the internet of things trust anchor device establishing a trust relationship with the restricted internet of things device comprises:
the restricted internet of things device stores a master symmetric key;
the internet of things trust anchor equipment generates a first data table used for storing information of the limited internet of things equipment, wherein the information of the limited internet of things comprises a master symmetric key, an ID (identity) of the limited internet of things equipment and an IP (Internet protocol) address of the limited internet of things equipment;
the Internet of things trust anchor equipment responds to a certificate deployment instruction to store certificate information;
and the Internet of things trust anchor equipment generates a second data table, and the second data table is used for storing server authority information allowing access to the limited Internet of things equipment.
3. The method of claim 2, wherein the server permission information includes an ID of an accessible server, an access account number, an access password, and an ID of the restricted internet of things device that the server allows access to.
4. The method of claim 2, wherein the server is communicatively coupled to the IOT trust anchor device and obtains, via the IOT trust anchor device, a first temporary shared secret key and a chaining nonce for accessing the restricted IOT device, comprising:
the server establishes TLS (transport layer security) secure connection with the Internet of things trust anchor equipment;
the server and the IOT trust anchor device perform mutual authentication based on the certificate information and the certificate mechanism;
after the server passes authentication and the IOT trust anchor equipment passes authentication, the server sends a key acquisition request to the IOT trust anchor equipment, wherein the key acquisition request carries the ID of the server and the ID of the limited IOT equipment;
the IOT trust anchor device determining whether the server has permission to access the restricted IOT device based on the ID of the server and the second data table;
when the server has the authority of accessing the limited internet of things equipment, the internet of things trust anchor equipment reads the serial number of the limited internet of things equipment based on the first data table;
the IOT trust anchor device generates the first temporary shared key and the link random number based on a serial number of the limited IOT device, a number of a preset key derivation algorithm, an ID of the IOT trust anchor device, identity information of the server, the ID of the limited IOT device and a preset key length;
the internet of things trust anchor equipment sends the first temporary shared secret key and the link random number to the server;
and the server saves the first temporary shared secret key and the link random number based on the ID of the limited Internet of things equipment.
5. The method of claim 4, wherein an initial value of a serial number of the restricted Internet of things device is 0;
and after the internet of things trust anchor device sends the first temporary shared key and the link nonce to the server, the method further comprises:
and the IOT trust anchor equipment updates the serial number of the limited IOT equipment.
6. The method of claim 5, wherein the generating, by the IOT trust anchor device, the first temporary shared key and the linked nonce based on a serial number of the restricted IOT device, a number of a pre-key derivation algorithm, an ID of the IOT trust anchor device, identity information of the server, the ID of the restricted IOT device, and a pre-key length, comprises: encoding a serial number of the limited internet of things device, a number of a preset key derivation algorithm, an ID of the internet of things trust anchor device, identity information of the server, the ID of the limited internet of things device and a preset key length based on a BASE64 encoder, and generating the link random number;
decoding the link random number based on a BASE64 decoder to obtain the ID of the first temporary shared secret key;
and the Internet of things trust anchor equipment takes the ID of the first temporary shared secret key and the master symmetric secret key as input parameters of the SHA256 algorithm, and obtains the first temporary shared secret key through the SHA256 algorithm.
7. The method of claim 6, wherein the server establishing a communication connection with the restricted Internet of things device based on the first temporary shared key, the link random number and the PSK_DTLS protocol comprises:
the server sends an authentication request to the limited Internet of things equipment, wherein the authentication request carries the link random number;
the limited internet of things equipment generates a second temporary shared key based on the link random number and the master symmetric key, wherein the second temporary shared key and the first temporary shared key are symmetric keys;
and establishing communication connection with the limited Internet of things equipment based on the second temporary shared secret key and the first temporary shared secret key.
8. The method of claim 7, wherein after the server sends an authentication request to the restricted internet of things device, before the restricted internet of things device generates a second temporary shared key based on the link nonce and the master symmetric key, the method further comprises:
the limited Internet of things equipment verifies whether the length of the link random number is within a preset length range;
when the length of the link random number is within a preset length range, the limited internet of things device decodes the link random number based on a Base64 decoder and obtains decoding information;
the limited Internet of things equipment judges whether the length of the decoding information is equal to a preset length threshold value or not;
when the length of the decoding information is equal to the preset length threshold, the limited internet of things equipment compares the decoding information with the information of the limited internet of things equipment to verify whether the decoding information is correct;
and when the decoding information is verified to be correct, executing the limited Internet of things equipment to generate a second temporary shared key based on the link random number and the master symmetric key.
9. A shared key based communication system, the system comprising a restricted internet of things device, an internet of things trust anchor device, and a server, wherein the server establishes a communication connection with the restricted internet of things device by the method according to any one of claims 1 to 8.
10. A storage medium storing computer instructions which, when invoked, perform a shared key based communication method according to any one of claims 1 to 8.
CN202111544402.4A 2021-12-16 2021-12-16 Communication method, system and storage medium for sharing secret key Pending CN114302356A (en)


Publications (1)

Publication Number Publication Date
CN114302356A true CN114302356A (en) 2022-04-08


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024083235A1 (en) * 2022-10-21 2024-04-25 乐鑫信息科技(上海)股份有限公司 Network configuration method based on wi-fi sensing, embedded chip system, and medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination