CN114614984B - Time-sensitive network secure communication method based on cryptographic algorithm - Google Patents


Info

Publication number: CN114614984B
Authority: CN (China)
Prior art keywords: message, snmp, tsn, key, pdu
Legal status: Active
Application number: CN202210210365.1A
Other languages: Chinese (zh)
Other versions: CN114614984A (en)
Inventors: 王浩, 赵明
Current assignee: Chongqing University of Post and Telecommunications
Original assignee: Chongqing University of Post and Telecommunications
Application filed by Chongqing University of Post and Telecommunications
Priority to CN202210210365.1A
Publication of CN114614984A
Application granted
Publication of CN114614984B

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                • H04L 9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
                    • H04L 9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
                        • H04L 9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
                • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
            • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
                    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
        • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/02 Standardisation; Integration
                • H04L 41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
        • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L 69/06 Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
            • H04L 69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS › Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE › Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
        • Y02D 30/00 Reducing energy consumption in communication networks


Abstract

The invention relates to a time-sensitive network (TSN) secure communication method based on cryptographic algorithms, and belongs to the technical field of communication. A time-sensitive network CNC is introduced; it uses the SM2 authentication algorithm and the SM3 hash algorithm to perform identity authentication and key negotiation with the TSN switches, verifying whether each TSN switch is trusted and distributing a session key. Between TSN switches, a message authentication code is generated with the SM3 hash algorithm and end-to-end secure communication is realized with the SM4 encryption/decryption algorithm. The method implements an independently controllable secure transmission protocol on top of the time-sensitive network standards and the cryptographic algorithms while keeping storage space and communication overhead as low as possible, and fundamentally ensures the safety, reliability and controllability of the industrial communication process, which is a problem that currently needs to be solved.

Description

Time-sensitive network secure communication method based on cryptographic algorithm
Technical Field
The invention belongs to the technical field of communication and relates to a time-sensitive network secure communication method based on a cryptographic algorithm.
Background
While the communication performance of industrial networks is being optimized, security has become a key problem restricting the adoption of time-sensitive network communication. Since the TSN standards are a set of industrial network protocols that are still developing and maturing, an autonomous and controllable security mechanism needs to be established so that the security problems of industrial communication are addressed at their root.
Current research on time-sensitive network security focuses mainly on the configuration and scheduling of the key TSN protocols and does not go deeply into the security domain. At the same time, because security functions are complex to implement, the time-sensitive network standards do not specify a particular security scheme or cryptographic technique for securing TSN communication. A security architecture suited to time-sensitive networks is therefore needed: one that addresses identity authentication, key management and secure data-stream transmission for the TSN, realizes end-to-end secure data transmission with an appropriate encryption algorithm and hash algorithm, defines a key management mechanism for the data encryption and verification process, and completes the distribution and updating of keys.
Cryptographic algorithms are a core technology for guaranteeing information security and play a key role in securing data transmission in industrial networks. The State Cryptography Administration has published several national (SM) cryptographic algorithms, each suited to different application scenarios: the SM2 public-key algorithm can be used for digital signatures and security authentication, the SM3 hash algorithm can be used for generating and verifying message authentication codes and random numbers, and the SM4 block cipher can be used to encrypt and decrypt data so as to ensure its confidentiality. Combining SM2 with SM3 allows identity authentication and key negotiation to be performed effectively with high security; combining SM3 with SM4 allows message authentication codes to be generated and data to be encrypted and decrypted with a high degree of independence.
In view of these problems, a session negotiation and secure communication scheme based on the national cryptographic algorithms is designed, in combination with the security requirements for time-sensitive networks in the Industrial Internet Industry Alliance standard, to address the security threats to time-sensitive networks. The method implements an independently controllable secure transmission protocol on top of the time-sensitive network standards and the cryptographic algorithms while keeping storage space and communication overhead as low as possible, and fundamentally ensures the safety, reliability and controllability of the industrial communication process, which is a problem that currently needs to be solved.
Disclosure of Invention
In view of the above, the present invention aims to provide a time-sensitive network secure communication method based on a cryptographic algorithm.
To achieve this purpose, the present invention provides the following technical solution:
A time-sensitive network secure communication method based on a cryptographic algorithm, comprising the following steps:
S1: initializing the time-sensitive network;
The time-sensitive network deployment is a wired time-sensitive network composed of a time-sensitive network flow generator and multiple TSN switches connected by wire. A time-sensitive network CNC is configured at the same time; the CNC can load the parameters required by the device state control unit. First, each TSN switch acquires topology information about its adjacent devices using the LLDP protocol and stores it in its management information base (MIB) in the form of LLDP messages; the TSN CNC then retrieves the topology information stored in the MIB through the SNMP protocol. This information includes the object identifier (OID) information of each TSN switch, which covers the device system name and device IP address. The OID information is used as the identity ID_i of TSN switch i, where 1 ≤ i ≤ n and n is the total number of TSN switches connected to the network;
SNMPv3 defines a new message format consisting of an IP header, a UDP header, the version, the header data, the security parameters, the context engine ID, the context name and the SNMP PDU;
The fields of the SNMP message are defined as follows:
Version: the SNMP version; for an SNMPv3 message the field value is 2;
Header data: describes the security mode adopted by the message, including the maximum message size supported by the message sender;
Security parameters: security information, including information about the SNMP entity engine, the user name, authentication parameters and encryption parameters;
Context EngineID: a unique SNMP identifier which, together with the PDU type, determines to which application the PDU should be delivered;
Context Name: identifies the MIB view of the managed device corresponding to the Context EngineID;
SNMPv3 PDU: contains the PDU type, the request identifier and the variable binding list. The SNMPv3 PDUs include the GetRequest, GetNextRequest, SetRequest, Response, Trap, GetBulkRequest and InformRequest PDUs;
The command names, codes and functions that identify the different PDUs are as follows:
GetRequest (code 0): sent by the management station to the agent to query the value of a specified variable;
GetNextRequest (code 1): sent by the management station to the agent to query the value of the next variable;
Response (code 2): sent by the agent back to the management station with the result of execution;
SetRequest (code 3): sent by the management station to the agent to set the value of a variable maintained by the agent;
GetBulkRequest (code 4): sent by the management station to the agent to transfer information in bulk;
InformRequest (code 5): sent by a management station to a management station as a parameter-processing request;
Trap (code 6): a warning message sent by the agent to the management station;
Report (code 7): undefined in SNMPv2; in SNMPv3 it is sent as a report when the PDU portion of a message cannot be decrypted;
The header contains the following fields:
msgID: a message identifier used to identify the PDU; its value ranges from 0 to 2^31 − 1;
msgMaxSize: the maximum message size supported by the message sender; its value ranges from 484 to 2^31 − 1;
msgFlags: an octet string carrying several flags, with three characteristic bits: reportableFlag, privFlag and authFlag;
msgSecurityModel: the message security model, identifying the security model the sender used to generate the message; the sender and the receiver must use the same security model;
msgSecurityParameters: the security parameters, user name, message authentication code (MAC) and encryption parameters generated by the sender's security subsystem to protect the message in transit; the receiver's security subsystem uses them for security processing of the message, such as decryption and authentication;
contextEngineID: an identifier that uniquely identifies the SNMP entity; for an incoming message it determines to which application the PDU is submitted for processing; for an outgoing message it is supplied by the upper-layer application and represents that application;
contextName: the name of the context in which the carried management objects reside;
PDU: a PDU with an object binding list;
The last three fields, contextEngineID, contextName and the PDU, are collectively referred to as the scopedPDU;
The functions called when the management side and the agent side exchange data are as follows:
snmp_pdu_create: creates an SNMP message;
snmp_add_var: fills in the SNMP message;
snmp_send: sends the SNMP message;
snmp_synch_response: receives and reads the SNMP message;
snmp_close: closes the session and releases the space occupied by the PDU;
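The header fields and PDU codes listed above can be exercised with a small BER encoder/decoder. The following Python is an added example written for this page; it is not code from the patent or from net-snmp. It assumes the msgGlobalData layout of RFC 3412 (a SEQUENCE of msgID, msgMaxSize, msgFlags and msgSecurityModel), the standard bit positions inside msgFlags (authFlag 0x01, privFlag 0x02, reportableFlag 0x04) and the SNMPv3 rule that privFlag may not be set without authFlag; it enforces the msgID and msgMaxSize ranges given above, and maps the BER context-specific PDU tags 0xA0 to 0xA7 onto the PDU names of the code table.

```python
from dataclasses import dataclass

# --- minimal BER primitives: only what the SNMPv3 header needs ---

def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | n_bytes, then the bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_integer(v: int) -> bytes:
    """INTEGER (tag 0x02) with a minimal two's-complement body; values here are non-negative."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + _ber_len(len(body)) + body

def ber_octets(b: bytes) -> bytes:
    """OCTET STRING (tag 0x04)."""
    return b"\x04" + _ber_len(len(b)) + b

def ber_sequence(*items: bytes) -> bytes:
    """SEQUENCE (tag 0x30) around already-encoded items."""
    body = b"".join(items)
    return b"\x30" + _ber_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value triple at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + ln], pos + ln

# --- msgGlobalData: msgID, msgMaxSize, msgFlags, msgSecurityModel (RFC 3412, assumed layout) ---

REPORTABLE, PRIV, AUTH = 0x04, 0x02, 0x01   # bit positions inside the msgFlags octet
USM = 3                                     # msgSecurityModel value of the User-based Security Model

@dataclass
class HeaderData:
    msg_id: int
    msg_max_size: int
    reportable: bool
    priv: bool
    auth: bool
    security_model: int = USM

    def validate(self) -> None:
        """Range limits as given on the page, plus the auth/priv flag rule of SNMPv3."""
        if not 0 <= self.msg_id <= 2**31 - 1:
            raise ValueError("msgID out of range 0..2^31-1")
        if not 484 <= self.msg_max_size <= 2**31 - 1:
            raise ValueError("msgMaxSize out of range 484..2^31-1")
        if self.priv and not self.auth:             # encryption without authentication is invalid
            raise ValueError("privFlag set without authFlag")

    def encode(self) -> bytes:
        self.validate()
        flags = (REPORTABLE if self.reportable else 0) | (PRIV if self.priv else 0) | (AUTH if self.auth else 0)
        return ber_sequence(ber_integer(self.msg_id), ber_integer(self.msg_max_size),
                            ber_octets(bytes([flags])), ber_integer(self.security_model))

    @classmethod
    def decode(cls, buf: bytes) -> "HeaderData":
        tag, body, _ = _read_tlv(buf, 0)
        if tag != 0x30:
            raise ValueError("msgGlobalData must be a SEQUENCE")
        fields, pos = [], 0
        while pos < len(body):
            t, v, pos = _read_tlv(body, pos)
            fields.append((t, v))
        if [t for t, _ in fields] != [0x02, 0x02, 0x04, 0x02]:
            raise ValueError("unexpected msgGlobalData layout")
        (_, mid), (_, mmax), (_, fl), (_, model) = fields
        if len(fl) != 1:
            raise ValueError("msgFlags must be exactly one octet")
        hd = cls(msg_id=int.from_bytes(mid, "big", signed=True),
                 msg_max_size=int.from_bytes(mmax, "big", signed=True),
                 reportable=bool(fl[0] & REPORTABLE), priv=bool(fl[0] & PRIV), auth=bool(fl[0] & AUTH),
                 security_model=int.from_bytes(model, "big", signed=True))
        hd.validate()        # the receiver re-applies the checks before trusting the header
        return hd

def is_valid_header(hd: HeaderData) -> bool:
    """True if the header passes validate(), False if a receiver would reject it."""
    try:
        hd.validate()
        return True
    except ValueError:
        return False

# --- PDU type from the BER tag of the PDU carried inside the scopedPDU ---

PDU_TYPES = {0: "GetRequest", 1: "GetNextRequest", 2: "Response", 3: "SetRequest",
             4: "GetBulkRequest", 5: "InformRequest", 6: "Trap", 7: "Report"}

def pdu_type_name(tag: int) -> str:
    """SNMP PDUs carry context-specific constructed tags 0xA0 + code, with code 0..7 as in the table."""
    if tag & 0xE0 != 0xA0 or (tag & 0x1F) not in PDU_TYPES:
        raise ValueError(f"not an SNMP PDU tag: {tag:#04x}")
    return PDU_TYPES[tag & 0x1F]
```

`HeaderData(12345, 65507, True, True, True).encode()` yields the 17-byte sequence `300f02023039020300ffe3040107020103`, and `decode` round-trips it; a header with msgMaxSize below 484, or with privFlag set but authFlag clear, is rejected by `validate()` on both the sending and the receiving side.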
S2: identity authentication;
S21: the TSN CNC sends a get-request packet to the TSN switch to acquire the MIB information, parses the OID information in the MIB, generates a public/private key pair (KeyD, KeyB) with the SM2 public-key algorithm, and sends the public/private key pair to the TSN switch;
S22: the TSN switch calls snmp_pdu_create to create an SNMP message, generates a random number N_i with its random number generator, and uses the authentication public key KeyD to encrypt its identity ID_i and the random number N_i with the SM2 encryption algorithm, producing the identity authentication information C_i = SM2_KeyD(ID_i || N_i); it then calls snmp_add_var to fill the encrypted identity authentication information into the PDU;
S23: using the authentication public key KeyD, the switch processes the identity ID_i and the random number N_i with the SM3 hash algorithm to generate the message authentication code TAG = SM3_KeyD(ID_i || N_i), calls snmp_add_var to insert the generated message authentication code into the msgAuthenticationParameters field, assembles the identity authentication information C_i and the message authentication code TAG into the identity authentication request Request_i = C_i || TAG, and calls snmp_send to send the SNMP message to the TSN CNC;
S24: the TSN CNC receives and reads the SNMP message through snmp_synch_response, decrypts the identity authentication information with the authentication private key KeyB using the SM2 algorithm to obtain the identity ID_i' and the random number N_i', and first checks the legitimacy of ID_i'; it then uses the authentication public key KeyD to process ID_i' and N_i' with the SM3 hash algorithm, obtaining the message authentication code TAG' = SM3_KeyD(ID_i' || N_i'). If TAG = TAG', identity authentication succeeds; otherwise it fails, snmp_close is called to close the session, and the subsequent key negotiation cannot proceed;
Once the TSN switch has passed the TSN CNC's identity authentication, key negotiation is carried out between the TSN switch and the TSN CNC.
Optionally, the key negotiation specifically includes:
S31: the TSN CNC calls snmp_pdu_create to create an SNMP message, generates a session key K_s for the field device and stores it, and generates a random number R_i with its random number generator;
S32: the TSN CNC concatenates the acquired random number N_i', its own random number R_i and the generated session key K_s, encrypts the concatenated data (N_i' || R_i || K_s) with the authentication private key KeyB using the SM2 algorithm to produce the encrypted information E = SM2_KeyB(N_i' || R_i || K_s), and processes the concatenated data (N_i' || R_i) with the SM3 hash algorithm using the authentication public key KeyD to produce the message authentication code MAC = SM3_KeyD(N_i' || R_i); it calls snmp_add_var to fill the encrypted information E into the PDU, inserts the generated message authentication code MAC, and calls snmp_send to send the PDU to the TSN switch;
S33: the TSN switch receives and reads the PDU through snmp_synch_response and, using the authentication public key KeyD, processes the read message authentication code MAC' with the SM3 hash algorithm to obtain (N_i' || R_i); it then verifies whether N_i' = N_i holds. If so, it stores the random number R_i', decrypts the received encrypted information with the authentication public key KeyD using the SM2 algorithm to obtain the session key K_s, encrypts the random number R_i' with the session key K_s using the SM2 algorithm to generate the key negotiation confirmation information, calls snmp_add_var to fill the key negotiation confirmation information into the PDU, and calls snmp_send to send the SNMP message to the TSN CNC; if not, the message is discarded;
S34: the TSN CNC receives and reads the SNMP message through snmp_synch_response, decrypts the key negotiation confirmation information with the session key K_s using the SM2 algorithm to obtain the random number R_i', and verifies whether R_i' = R_i holds; if so, key negotiation succeeds, otherwise it fails;
With key negotiation between the TSN switch and the TSN CNC completed, the TSN switch uses the successfully negotiated session key K_s for its subsequent secure communication.
Optionally, the secure communication specifically includes:
S41: TSN switch 1 parses the TSN data frame, obtains the data payload, and encrypts the plaintext M with the session key K_s using the SM4 encryption algorithm to generate the ciphertext C;
S42: TSN switch 1 uses the session key K_s to generate an SM3 message authentication code Tag with the SM3 hash algorithm, and sends the security control field, the ciphertext C and the message authentication code Tag to TSN switch 2 as the secure communication message E;
S43: after TSN switch 2 receives the message, it first parses the security control field; if the field reads 01, the message is encrypted, otherwise the message is forwarded directly;
S44: TSN switch 2 uses the session key K_s to generate an SM3 message authentication code Tag' with the SM3 hash algorithm and verifies whether Tag = Tag' holds; if so, the decryption procedure is executed, otherwise the message is discarded;
S45: for a message whose message authentication code has been verified successfully, TSN switch 2 decrypts the ciphertext C with the session key K_s using the SM4 decryption algorithm to obtain the TSN plaintext;
The time-sensitive network has thus completed the secure communication process: a message encrypted at the port of TSN switch 1 is decrypted at the port of TSN switch 2, ensuring the confidentiality and integrity of the data transmission.
The beneficial effects of the invention are as follows:
The security threats to time-sensitive networks are addressed. The method implements an independently controllable secure transmission protocol on top of the time-sensitive network standards and the cryptographic algorithms while keeping storage space and communication overhead as low as possible, and fundamentally ensures the safety, reliability and controllability of the industrial communication process.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objects and other advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out in the specification.
Drawings
For the purpose of making the objects, technical solutions and advantages of the present invention clearer, the present invention is described in detail below by way of preferred embodiments with reference to the accompanying drawings, in which:
FIG. 1 is a time-sensitive network security topology;
FIG. 2 is a system initialization data interaction flow;
FIG. 3 is an SNMPv3 message format;
FIG. 4 is a time-sensitive network identity authentication process;
FIG. 5 is a time-sensitive network key agreement flow diagram;
FIG. 6 is a time sensitive network frame format;
FIG. 7 is a message construction format;
FIG. 8 is a flow chart of time-sensitive network secure communication.
Detailed Description
Other advantages and effects of the present invention will become apparent to those skilled in the art from the following disclosure, which describes the embodiments of the present invention with reference to specific examples. The invention may be practiced or carried out in other embodiments that depart from the specific details, and the details of the present description may be modified or varied from the spirit and scope of the present invention. It should be noted that the illustrations provided in the following embodiments merely illustrate the basic idea of the present invention by way of illustration, and the following embodiments and features in the embodiments may be combined with each other without conflict.
Wherein the drawings are for illustrative purposes only and are shown in schematic, non-physical, and not intended to limit the invention; for the purpose of better illustrating embodiments of the invention, certain elements of the drawings may be omitted, enlarged or reduced and do not represent the size of the actual product; it will be appreciated by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
The same or similar reference numbers in the drawings of embodiments of the invention correspond to the same or similar components; in the description of the present invention, it should be understood that, if there are terms such as "upper", "lower", "left", "right", "front", "rear", etc., that indicate an azimuth or a positional relationship based on the azimuth or the positional relationship shown in the drawings, it is only for convenience of describing the present invention and simplifying the description, but not for indicating or suggesting that the referred device or element must have a specific azimuth, be constructed and operated in a specific azimuth, so that the terms describing the positional relationship in the drawings are merely for exemplary illustration and should not be construed as limiting the present invention, and that the specific meaning of the above terms may be understood by those of ordinary skill in the art according to the specific circumstances.
In a time-sensitive network, most functions are realized by the various TSN applications deployed at the application layer. For example, network users allocate network resources and obtain network information through the API (application programming interface) exposed by the northbound interface of the control layer, and the capabilities of the time-sensitive network are provided to users on demand. An attacker who compromises the application layer can therefore progressively affect the whole TSN network, so the whole TSN network needs to be protected in advance.
The application-layer security threats to a time-sensitive network include:
Spoofing: an attacker can masquerade as the TSN controller and fraudulently obtain information such as user data (user keys, certificates and the like), SLAs and business logic, in preparation for further attacks;
Repudiation: a user or administrator may deny having performed a malicious network operation, such as configuring a particular network policy;
Information leakage: after obtaining user authentication information, an attacker can masquerade as a legitimate user and inject forged information streams into the network through the TSN application in order to obtain more network data;
Vulnerabilities in the application itself: an attacker may exploit vulnerabilities of the TSN application itself (e.g., code defects) to obtain network resources (e.g., SLAs, user data, business logic) in preparation for further attacks. In addition, a malicious third-party application can masquerade as a legitimate application to obtain the corresponding network resources.
In this context, a time-sensitive network secure communication scheme based on cryptographic algorithms is devised: after identity authentication and key agreement between the TSN CNC and the TSN switches, secure data transmission is performed between the TSN switches so as to ensure the integrity and confidentiality of the time-sensitive network data stream.
As shown in fig. 1, the workflow is as follows:
(1) building the time-sensitive network secure communication network model;
(2) device initialization: the TSN CNC loads the parameters required by the device state control unit;
(3) the TSN CNC performs identity authentication and key negotiation with the TSN switch using SM2/SM3 according to the device parameters;
(4) two TSN switches communicate secretly using SM3/SM4.
The innovations of the scheme are: 1. In step (3), the time-sensitive network CNC performs identity authentication and key negotiation with the TSN switch using the SM2 authentication algorithm and the SM3 hash algorithm, verifying whether the TSN switch is trusted and distributing a session key. 2. In step (4), the message authentication codes between TSN switches are generated with the SM3 hash algorithm, and end-to-end secure communication is realized with the SM4 encryption/decryption algorithm.
(I) Identity authentication
The identity authentication scheme designed here, based on the cryptographic algorithms SM2 and SM3, is divided into time-sensitive network initialization and the identity authentication process. Initialization covers loading the parameters required by the device state control unit once the time-sensitive network has been built; identity authentication mainly verifies the validity of the TSN switch, and only a TSN switch that has passed identity authentication may proceed to the subsequent key negotiation and secure communication flows.
1. System initialization
The time-sensitive network deploys, through wired connections, a time-sensitive wired network composed of a time-sensitive network flow generator and a plurality of TSN switches. At the same time, a time-sensitive network CNC is configured, which loads the parameters required by the device state control unit. First, each TSN switch acquires topology information about its neighbouring devices with the LLDP protocol; this information is stored in the Management Information Base (MIB) in the form of LLDP messages. The TSN CNC then reads the topology information stored in the MIB with the SNMP protocol. It comprises the OID (object identifier) information of each TSN switch, such as the device system name and device IP address, and this OID information is used as the identity ID_i (1 ≤ i ≤ n) of the TSN switch, where n is the total number of TSN switches accessing the network. The specific interaction flow is shown in fig. 2.
SNMPv3 defines a new message format as shown in fig. 3.
The main fields of an SNMP message are defined as follows:
version: indicates the SNMP version; for an SNMPv3 message the field value is 2.
Header data: mainly describes the maximum message size the sender can support, the security mode adopted by the message, and so on.
Security parameters: security information comprising information about the SNMP entity engine, the user name, authentication parameters, encryption parameters, etc.
Context EngineID: the unique identifier of the SNMP entity; together with the PDU type it determines which application the message should be addressed to.
Context Name: determines the MIB view of the managed device for the given ContextEngineID.
SNMPv3 PDU: contains the PDU type, request identifier, variable binding list, etc. The SNMPv3 PDU types are GetRequest PDU, GetNextRequest PDU, SetRequest PDU, Response PDU, Trap PDU, GetBulkRequest PDU and InformRequest PDU.
The command names, corresponding codes and functional specifications identifying the different PDUs are shown in table 1.
Table 1 command names, corresponding codes and functional description of different PDUs
The header consists of the following parts:
-msgID: a message identifier that identifies the PDU. Its value ranges from 0 to 2^31 - 1;
-msgMaxSize: the maximum message size supported by the message sender; its value ranges from 484 to 2^31 - 1;
-msgFlags: an octet string containing several flags, with 3 characteristic bits: reportableFlag, privFlag, authFlag.
-msgSecurityModel: a message security model identifying the security model the sender used to generate the message; sender and receiver must employ the same security model.
-msgSecurityParameters: security parameters, such as the user name, message authentication code (MAC) and encryption parameters, generated by the sender's security subsystem to protect the transmission of the message and used by the receiver's security subsystem to decrypt and authenticate it.
-contextEngineID: an identifier uniquely identifying the SNMP entity. For an incoming message this field determines to which application the PDU is submitted for processing; for an outgoing message the value is provided by, and represents, the upper-layer application.
-contextName: the name of the context in which the carried management object is located.
-PDU: the PDU with its object (variable) binding list.
The last three of these fields (contextEngineID, contextName and PDU) are collectively referred to as the scopedPDU.
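The header fields just listed, as an added example that is not part of the patent: a small BER encoder and parser for the SNMPv3 HeaderData block (msgID, msgMaxSize, msgFlags, msgSecurityModel) that enforces the stated value ranges, the three flag bits, and the rule that privFlag requires authFlag. The tag bytes, ranges and flag bit values follow RFC 3412; the value 3 for the user-based security model is taken from that RFC as well.

```python
# SNMPv3 HeaderData (msgGlobalData): BER encoding, parsing and the checks on each field.
from dataclasses import dataclass

AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04   # the three msgFlags bits (RFC 3412)
INT_MAX = 2 ** 31 - 1          # upper bound of msgID, msgMaxSize and msgSecurityModel
MIN_MAX_SIZE = 484             # smallest msgMaxSize a sender may advertise
USM = 3                        # msgSecurityModel value of the User-based Security Model


@dataclass
class HeaderData:
    msg_id: int
    msg_max_size: int
    msg_flags: int
    msg_security_model: int


def validate(h):
    """Reject header values outside the ranges the SNMPv3 message format allows."""
    if not 0 <= h.msg_id <= INT_MAX:
        raise ValueError("msgID out of range")
    if not MIN_MAX_SIZE <= h.msg_max_size <= INT_MAX:
        raise ValueError("msgMaxSize out of range")
    if h.msg_flags & ~(AUTH_FLAG | PRIV_FLAG | REPORTABLE_FLAG):
        raise ValueError("undefined msgFlags bit set")
    if h.msg_flags & PRIV_FLAG and not h.msg_flags & AUTH_FLAG:
        raise ValueError("privFlag without authFlag is an invalid combination")
    if not 1 <= h.msg_security_model <= INT_MAX:
        raise ValueError("msgSecurityModel out of range")


def security_level(flags):
    """Map the auth/priv bits to the USM security level name."""
    if flags & PRIV_FLAG:
        return "authPriv"
    return "authNoPriv" if flags & AUTH_FLAG else "noAuthNoPriv"


# Minimal BER helpers: INTEGER (0x02), OCTET STRING (0x04), SEQUENCE (0x30).
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(v):
    # shortest two's-complement form; a positive value with the top bit set gets a leading 0x00
    body = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + _ber_len(len(body)) + body


def _ber_tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_header(h):
    validate(h)
    body = (_ber_int(h.msg_id) + _ber_int(h.msg_max_size)
            + _ber_tlv(0x04, bytes([h.msg_flags])) + _ber_int(h.msg_security_model))
    return _ber_tlv(0x30, body)


def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def decode_header(buf):
    """Parse a BER-encoded HeaderData and validate it as a receiver would."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("HeaderData must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x02, 0x02, 0x04, 0x02] or len(fields[2][1]) != 1:
        raise ValueError("unexpected HeaderData layout")

    def as_int(v):
        return int.from_bytes(v, "big", signed=True)

    h = HeaderData(as_int(fields[0][1]), as_int(fields[1][1]), fields[2][1][0], as_int(fields[3][1]))
    validate(h)
    return h
```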
The names and functions of the functions called when the management end and the agent end exchange data are shown in table 2.
Table 2 system initialization function call table
Function name          Action
snmp_pdu_create        Creates an SNMP message
snmp_add_var           Populates an SNMP message
snmp_send              Sends an SNMP message
snmp_synch_response    Receives and reads an SNMP message
snmp_close             Closes the session and frees the space occupied by the PDU
2. Identity authentication
The time-sensitive network identity authentication flow designed here is shown in fig. 4. It mainly comprises the following steps:
step one: the TSN CNC sends a get-request packet to the TSN switch to acquire the MIB information, parses the OID information in the MIB, generates a public/private key pair (Key_D, Key_B) with the SM2 public-key algorithm, and sends the key pair to the TSN switch;
step two: the TSN switch calls snmp_pdu_create to create an SNMP message, generates a random number N_i with its random number generator, encrypts the identity ID_i and the random number N_i with the authentication public key Key_D under the SM2 encryption algorithm to produce the identity authentication information C_i = SM2_KeyD(ID_i || N_i), and calls snmp_add_var to fill the encrypted identity authentication information into the PDU;
step three: using the authentication public key Key_D, the switch processes the identity ID_i and random number N_i with the SM3 hash algorithm to generate the message authentication code TAG = SM3_KeyD(ID_i || N_i), calls snmp_add_var to insert the message authentication code into the msgAuthenticationParameters field, assembles the identity authentication information C_i and the message authentication code TAG into the identity authentication request Request_i = C_i || TAG, and calls snmp_send to send the SNMP message to the TSN CNC;
step four: the TSN CNC receives and reads the SNMP message through snmp_synch_response and decrypts the identity authentication information with the authentication private key Key_B under the SM2 algorithm, obtaining the identity ID_i' and the random number N_i'. It first checks the legitimacy of ID_i', then processes ID_i' and N_i' with the SM3 hash algorithm under the authentication public key Key_D to obtain TAG' = SM3_KeyD(ID_i' || N_i'). If TAG = TAG', identity authentication succeeds; otherwise it fails, snmp_close is called to close the session, and the subsequent key negotiation flow cannot proceed.
At this point the TSN switch has completed the identity authentication process, and a TSN switch that has passed TSN CNC identity authentication performs the key negotiation flow with the TSN CNC.
(II) Key agreement
The key negotiation scheme designed here, based on the cryptographic algorithms SM2 and SM3, mainly comprises generating and confirming the session key, which is the security parameter required for subsequent secure communication in the time-sensitive network.
1. Key agreement
The time-sensitive network key agreement flow designed here is shown in fig. 5. It mainly comprises the following steps:
step one: the TSN CNC calls snmp_pdu_create to create an SNMP message, generates and stores a session key K_s for the field device, and generates a random number R_i with its random number generator;
step two: the TSN CNC concatenates the acquired random number N_i', its own random number R_i and the generated session key K_s, encrypts the concatenated data (N_i' || R_i || K_s) with the authentication private key Key_B under the SM2 algorithm to produce the encrypted information E = SM2_KeyB(N_i' || R_i || K_s), processes the concatenated data (N_i' || R_i) with the SM3 hash algorithm under the authentication public key Key_D to produce the message authentication code MAC = SM3_KeyD(N_i' || R_i), calls snmp_add_var to fill the encrypted information E into the PDU and insert the message authentication code MAC, and calls snmp_send to send the PDU to the TSN switch;
step three: the TSN switch receives and reads the PDU through snmp_synch_response, processes the read message authentication code MAC' with the SM3 hash algorithm under the authentication public key Key_D to obtain (N_i' || R_i), and verifies whether N_i' = N_i holds. If it does, the switch stores the random number R_i', decrypts the received encrypted information with the authentication public key Key_D under the SM2 algorithm to obtain the session key K_s, encrypts the random number R_i' with the session key K_s under the SM2 algorithm to produce the key agreement confirmation ACK = SM2_Ks(R_i'), calls snmp_add_var to fill the confirmation into the PDU and calls snmp_send to send the SNMP message to the TSN CNC; if it does not hold, the message is discarded;
step four: the TSN CNC receives and reads the SNMP message through snmp_synch_response, decrypts the key agreement confirmation with the session key K_s under the SM2 algorithm to obtain the random number R_i', and verifies whether R_i' = R_i holds. If so, key negotiation succeeds; otherwise it fails.
At this point the key negotiation process between the TSN switch and the TSN CNC is complete, and the TSN switch uses the successfully negotiated session key K_s for subsequent secure communication.
(III) secure communications
The secure communication scheme based on the SM3 and SM4 algorithms mainly comprises the time-sensitive network data encryption and decryption processes. In the data encryption stage the TSN switch generates a message authentication code with the SM3 algorithm and encrypts the data with the SM4 algorithm, so as to ensure the integrity and confidentiality of the data transmitted over the time-sensitive network. SM4 is used in ECB mode for encryption and decryption; both the encryption algorithm and the key expansion algorithm use a 32-round nonlinear iterative structure.
The time-sensitive network frame format is essentially the same as conventional Ethernet and is defined by the IEEE 802.1Q standard, which adds a 4-byte 802.1Q tag to the conventional Ethernet frame. The tag defines the Tag Protocol Identifier (TPID), the priority (PCP), the canonical format indicator bit (CFI) and the virtual LAN number (VLAN-ID); the frame format is shown in fig. 6.
In the time-sensitive network secure communication process, the MAC-layer message format must be constructed in advance; the specific message format is shown in fig. 7.
When parsing a TSN data frame, the TSN data payload is obtained first and encrypted to produce the ciphertext. One byte is prepended to the payload as a security control field; it is all 0 by default, and once encryption of the payload is complete its last bit is set to 1 to indicate that the message is encrypted. At the same time, the generated message authentication code is appended after the payload for security verification, and the whole is sent to the receiver as the secure communication message. On receipt, the other end first checks the security control field, then verifies the message authentication code, and runs the decryption procedure only after authentication succeeds.
The overall time-sensitive network security communication flow is shown in fig. 8.
step one: TSN switch 1 parses the TSN data frame, obtains the data payload, and encrypts the plaintext M with the session key K_s under the SM4 encryption algorithm to produce the ciphertext C;
step two: TSN switch 1 generates the SM3 message authentication code Tag with the session key K_s under the SM3 hash algorithm, and sends the security control field, the ciphertext C and the message authentication code Tag to TSN switch 2 as the secure communication message E;
step three: after TSN switch 2 obtains the message, it first parses the security control field; if the field reads 01 the message is encrypted, otherwise the message is forwarded directly;
step four: TSN switch 2 generates the SM3 message authentication code Tag' with the session key K_s under the SM3 hash algorithm and verifies whether Tag = Tag' holds; if so it runs the decryption procedure, otherwise it discards the message;
step five: for a message whose authentication code verified successfully, TSN switch 2 decrypts the ciphertext C with the session key K_s under the SM4 decryption algorithm to obtain the TSN plaintext.
At this point the time-sensitive network has completed the secure communication process: the message encrypted at the port of TSN switch 1 is decrypted at the port of TSN switch 2, ensuring the confidentiality and integrity of data transmission.
Finally, it is noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made thereto without departing from the spirit and scope of the present invention, which is intended to be covered by the claims of the present invention.

Claims (3)

1. A time sensitive network safety communication method based on a national cryptographic algorithm is characterized in that: the method comprises the following steps:
s1: initializing a time sensitive network;
the time-sensitive network deploys, through wired connections, a time-sensitive wired network formed by a time-sensitive network flow generator and a plurality of TSN switches; at the same time a time-sensitive network CNC is configured, which can load the parameters required by the device state control unit; first, a TSN switch acquires topology information about its neighbouring devices with the LLDP protocol, the information is stored in the management information base MIB in the form of LLDP messages, and then the TSN CNC acquires the topology information stored in the MIB through the SNMP protocol, where the topology information comprises the object identifier OID information of each TSN switch, including the device system name and device IP address; this OID information is used as the identity ID_i (1 ≤ i ≤ n) of the TSN switch, n being the total number of TSN switches connected to the network;
SNMPv3 defines a new message format including an IP header, UDP header, version, header data, security parameters, contextEngineID, contextname, and SNMPPDU;
the fields in SNMP messages are defined as follows:
version: representing the version of SNMP, and the SNMPv3 message corresponds to a field value of 2;
header data: the description content of the security mode adopted by the message comprises the maximum message size which can be supported by the message sender;
safety parameters: security information including related information of the SNMP entity engine, a user name, authentication parameters, and encryption parameters;
ContextEngineID: an SNMP unique identifier that, along with the PDU type, determines to which application should be sent;
ContextName: a MIB view for determining a ContextEngineID pair managed device;
SNMPv3 PDU: contains the PDU type, request identifier and variable binding list; the SNMPv3 PDU types include GetRequest PDU, GetNextRequest PDU, SetRequest PDU, Response PDU, Trap PDU, GetBulkRequest PDU and InformRequest PDU;
the command names, corresponding codes and functions identifying the different PDUs are as follows:
GetRequest, code 0: sent by the management station to the agent to query the value of the specified variable;
GetNextRequest, code 1: sent by the management station to the agent to query the value of the next variable;
Response, code 2: sent by the agent back to the management station with the execution result;
SetRequest, code 3: sent by the management station to the agent to set the value of a variable maintained by the agent;
GetBulkRequest, code 4: sent by the management station to the agent to transfer information in bulk;
InformRequest, code 5: a parameter processing request sent by a management station to a management station;
Trap, code 6: a warning message sent by the agent to the management station;
Report, code 7: undefined in SNMPv2; SNMPv3 defines it to initiate a report when the PDU portion of the message cannot be decrypted;
the header includes:
msgID: a message identifier identifying the PDU; its value ranges from 0 to 2^31 - 1;
msgMaxSize: the maximum message size supported by the message sender; its value ranges from 484 to 2^31 - 1;
msgFlags: an octet string containing several flags, with 3 characteristic bits: reportableFlag, privFlag, authFlag;
msgSecurityModel: a message security model identifying the security model the sender used to generate the message; sender and receiver must employ the same security model;
msgSecurityParameters: the security parameters, user name, message authentication code MAC and encryption parameters generated by the sender's security subsystem are used to protect message transmission, and the receiver's security subsystem uses them to decrypt and authenticate the message;
contextEngineID: an identifier uniquely identifying the SNMP entity; for an incoming message, this field determines to which application the PDU is submitted for processing; for an outgoing message, the value is provided by, and represents, the upper-layer application;
contextName: the name of the context in which the carried management object is located;
PDU: a PDU with an object binding list;
wherein the last three fields contextEngineID, contextName and the PDU are collectively referred to as a scopedPDU;
the function name to be called when the management end and the proxy end perform data interaction is as follows:
the function name is snmp_pdu_create, which is used for creating an SNMP message;
the function name is snmp_add_var, which is used for filling SNMP message;
the function name is snmp_send, which is used for sending SNMP message;
the function name is snmp_synch_response, which is used for receiving and reading SNMP messages;
the function name is snmp_close, which is used for closing the session and releasing the space occupied by the PDU;
s2: identity authentication;
S21: the TSN CNC sends a get-request packet to the TSN switch to acquire the MIB information, parses the OID information in the MIB, generates a public/private key pair (Key_D, Key_B) with the SM2 public-key algorithm, and sends the key pair (Key_D, Key_B) to the TSN switch;
S22: the TSN switch calls the snmp_pdu_create function to create an SNMP message, generates a random number N_i through a random number generator, encrypts the identity ID_i and the random number N_i with the authentication public key Key_D under the SM2 encryption algorithm to generate the identity authentication information C_i = SM2_KeyD(ID_i || N_i), and calls the snmp_add_var function to fill the encrypted identity authentication information into the PDU;
S23: using the authentication public key Key_D, the identity ID_i and random number N_i are processed with the SM3 hash algorithm to generate the message authentication code TAG = SM3_KeyD(ID_i || N_i); the snmp_add_var function is called to insert the generated message authentication code into the msgAuthenticationParameters field, the identity authentication information C_i and the message authentication code TAG are assembled into the identity authentication request Request_i = C_i || TAG, and the snmp_send function is called to send the SNMP message to the TSN CNC;
S24: the TSN CNC receives and reads the SNMP message through snmp_synch_response, decrypts the read identity authentication information with the authentication private key Key_B under the SM2 algorithm to obtain the identity ID_i' and random number N_i', first judges the legitimacy of ID_i', then processes ID_i' and N_i' with the SM3 hash algorithm under the authentication public key Key_D to obtain the message authentication code TAG' = SM3_KeyD(ID_i' || N_i'); if TAG = TAG' the identity authentication succeeds, otherwise it fails, the snmp_close function is called to close the session, and the subsequent key negotiation flow cannot be performed;
the TSN switch thus completes the identity authentication process, and a TSN switch that has passed TSN CNC identity authentication carries out key negotiation with the TSN CNC.
2. The time-sensitive network security communication method based on the cryptographic algorithm as in claim 1, wherein: the key agreement is specifically:
S31: the TSN CNC calls the snmp_pdu_create function to create an SNMP message, generates and stores a session key K_s for the field device, and generates a random number R_i with the random number generator;
S32: the TSN CNC concatenates the acquired random number N_i', its own random number R_i and the generated session key K_s, encrypts the concatenated data (N_i' || R_i || K_s) with the authentication private key Key_B under the SM2 algorithm to generate the encrypted information E = SM2_KeyB(N_i' || R_i || K_s), processes the concatenated data (N_i' || R_i) with the SM3 hash algorithm under the authentication public key Key_D to generate the message authentication code MAC = SM3_KeyD(N_i' || R_i), calls the snmp_add_var function to fill the encrypted information E into the PDU and insert the generated message authentication code MAC, and calls the snmp_send function to send the PDU to the TSN switch;
S33: the TSN switch receives and reads the PDU through snmp_synch_response, processes the read message authentication code MAC' with the SM3 hash algorithm under the authentication public key Key_D to obtain (N_i' || R_i), and verifies whether N_i' = N_i holds; if so, it stores the random number R_i', decrypts the received encrypted information with the authentication public key Key_D under the SM2 algorithm to obtain the session key K_s, encrypts the random number R_i' with the session key K_s under the SM2 algorithm to generate the key agreement confirmation ACK = SM2_Ks(R_i'), calls the snmp_add_var function to fill the key negotiation confirmation into the PDU, and calls the snmp_send function to send the SNMP message to the TSN CNC; if not, the message is discarded;
S34: the TSN CNC receives and reads the SNMP message through snmp_synch_response, decrypts the read key negotiation confirmation with the session key K_s under the SM2 algorithm to obtain the random number R_i', and verifies whether R_i' = R_i holds; if so, the key negotiation succeeds, otherwise it fails;
the key negotiation process between the TSN switch and the TSN CNC of the time-sensitive network is thus complete, and the TSN switch uses the successfully negotiated session key K_s for subsequent secure communication.
3. The time-sensitive network security communication method based on the cryptographic algorithm as in claim 2, wherein: the secure communication is specifically:
S41: TSN switch 1 parses the TSN data frame, obtains the data payload, and encrypts the plaintext M with the session key K_s under the SM4 encryption algorithm to generate the ciphertext C;
S42: TSN switch 1 generates the SM3 message authentication code Tag with the session key K_s under the SM3 hash algorithm, and sends the security control field, the ciphertext C and the message authentication code Tag to TSN switch 2 as the secure communication message E;
S43: after TSN switch 2 obtains the message, it first parses the security control field; if the field reads 01 the message is encrypted, otherwise the message is forwarded directly;
S44: TSN switch 2 generates the SM3 message authentication code Tag' with the session key K_s under the SM3 hash algorithm and verifies whether Tag = Tag' holds; if so it executes the decryption procedure, otherwise it discards the message;
S45: for a message successfully authenticated by the message authentication code, TSN switch 2 decrypts the ciphertext C with the session key K_s under the SM4 decryption algorithm to obtain the TSN plaintext;
the time sensitive network completes the safety communication process, and the message after the encryption processing of the port of the TSN switch 1 is decrypted at the port of the TSN switch 2, so that the confidentiality and the integrity of data transmission are ensured.
CN202210210365.1A 2022-03-04 2022-03-04 Time-sensitive network secure communication method based on cryptographic algorithm Active CN114614984B (en)

Publications (2)

Publication Number Publication Date
CN114614984A CN114614984A (en) 2022-06-10
CN114614984B (en) 2023-08-29

Family

ID=81861693

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant