CN115733696A - Terminal safe access method for edge computing node of power satellite internet of things - Google Patents



Publication number
CN115733696A
Authority
CN
China
Prior art keywords
computing node
edge computing
key
terminal
equipment
Legal status
Pending
Application number
CN202211460001.5A
Other languages
Chinese (zh)
Inventor
郑颖
吴维农
莫婷
王定国
钟淘淘
张导
秦骁
陈建明
邹喆旻
欧阳舒豪
付伟真
Current Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Chongqing Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Chongqing Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, Information and Telecommunication Branch of State Grid Chongqing Electric Power Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a terminal security access method for an edge computing node of the power satellite Internet of things, comprising the following steps: S1, registering the terminal device, with the edge computing node generating and distributing the identification key of the terminal device; S2, performing access authentication when the terminal device accesses the edge computing node; and S3, establishing a virtual secure channel between the terminal device allowed to access and the edge computing node. The method ensures the security of terminal access at the Internet of things sensing layer, prevents access by illegal and counterfeit terminals, and effectively guarantees the reliable operation of the power satellite network.

Description

Terminal safe access method for edge computing node of power satellite internet of things
Technical Field
The invention relates to the field of Internet of things information security, in particular to a terminal security access method for an edge computing node of the power satellite Internet of things.
Background
The power satellite Internet of things is a power Internet of things infrastructure that a power grid company builds on satellite channels to provide communication for power facilities in areas without network coverage; it is a new kind of power Internet of things application based on satellite communication. Unlike traditional power satellite emergency communication, the power satellite Internet of things has a far larger number of communication nodes and needs more satellite communication channels to support them. At the same time, the sensing layer of the power satellite Internet of things carries massive numbers of sensing terminal devices, which puts pressure on the access control of the satellite communication terminals.
The sensing terminal devices of the power satellite Internet of things sensing layer are deployed in power equipment or facilities located in remote, sparsely populated places with extremely weak network signals; because the environment is harsh and the manual operation and maintenance cycle is long, these sensing layer terminal devices carry certain security risks. Since satellites are operated commercially, satellite communication is effectively a public network: an attacker can impersonate or replace a sensing device connected to the satellite network, which puts the authenticity of the power data collected and returned by the sensing devices at risk and seriously affects the safety and stability of power production; an attacker can also use the unattended sensing devices to attack the power satellite Internet of things, potentially paralysing it and directly blocking safe power production applications.
Therefore, a terminal security access method for an electric satellite internet of things edge computing node is needed, which can solve the above problems.
Disclosure of Invention
In view of the above, the present invention aims to overcome the defects of the prior art and provides a terminal security access method for an edge computing node of the power satellite Internet of things, which ensures the security of terminal access at the Internet of things sensing layer, prevents access by illegal and counterfeit terminals, and effectively guarantees the reliable operation of the power satellite network.
The invention discloses a terminal security access method of an edge computing node of an electric power satellite Internet of things, which comprises the following steps:
S1, registering the terminal device, with the edge computing node generating and distributing the identification key of the terminal device;
S2, performing access authentication when the terminal device accesses the edge computing node;
and S3, establishing a virtual secure channel between the terminal device allowed to access and the edge computing node.
Further, step S1 specifically includes:
First step: the terminal device sends its MAC, serial number SN, category and model to the edge computing node;
Second step: the edge computing node queries the device registration information and verifies the information of the terminal device applying for access; if verification passes, device registration is completed and the edge computing node identifier and the node public key GPK are sent to the terminal device;
Third step: the terminal device generates a random number in its security chip as the session key skey;
Fourth step: inside the security chip, the session key skey is SM2-encrypted with the edge computing node public key GPK to produce the ciphertext C1;
Fifth step: an SM2 key pair (usk, UPK) is randomly generated in the security chip, the private key usk is encrypted and cached in the chip key area, the terminal's custom public key UPK is output, and the ciphertext C1 and the terminal-generated public key UPK are sent to the edge computing node;
Sixth step: after receiving the ciphertext C1, the edge computing node decrypts it with its private key gsk to obtain the session key skey; the edge computing node inputs the terminal device's MAC, serial number SN and skey into its key generation module;
Seventh step: the key generation module randomly generates an SM2 key pair (hsk, HPK) as the hidden key, computes the adjoint public key APK = UPK + HPK, computes the SM3 value of the adjoint public key and the terminal identifier to produce the key coefficient σ, and computes the distributed private key dsk_T = σ · gsk + hsk corresponding to the terminal device, where gsk is the private key of the edge computing node; dsk_T is encrypted with the session key skey to obtain the ciphertext csk_T, which is returned to the terminal device;
Eighth step: the terminal device inputs csk_T into the security chip, decrypts csk_T with the cached session key skey to obtain dsk_T, combines it with the cached custom private key factor usk to obtain the terminal private key tsk_T = dsk_T + usk, then encrypts tsk_T with the device encryption key and stores it in the key area of the security chip, completing registration of the terminal device and the application for and distribution of its key.
Further, performing access authentication when the terminal device accesses the edge computing node specifically includes:
First step: the terminal device connects to the edge computing node and sends it an access request;
Second step: the edge computing node queries the device whitelist to confirm whether the terminal applying for access is a legitimate device; if it is, the node generates a 32-byte random number as the session ID and returns it to the terminal device; if it is not, access is refused;
Third step: the terminal device uses the identification private key stored in its security chip to make an SM2 signature over the current Time and the session ID, and sends the signature value sig, the current Time, the adjoint public key APK and the device identifier to the edge computing node as the authentication data of the access application;
Fourth step: after receiving the terminal's access application authentication data, the edge computing node computes the terminal public key TPK in its key generation module from the device identifier, the APK and the edge computing node public key GPK, then verifies the signature with the SM2 signature verification protocol using the terminal public key TPK, the signature value sig and the signature time; if verification passes, the device identifier applying for access is confirmed to be genuine;
Fifth step: the edge computing node checks the difference between the signature time of the application and the current time; if the signature time is within the allowed window, access is allowed, otherwise the access application is refused.
Further, establishing a virtual secure channel between the terminal device allowed to access and the edge computing node specifically includes:
First step: after the terminal device and the edge computing node complete access authentication, the terminal device generates a 32-byte random number R1 in its security chip, SM2-encrypts R1 with the edge computing node public key GPK to obtain the ciphertext C2, and sends C2 to the edge computing node;
Second step: the edge computing node receives the packet, decrypts C2 with its private key gsk to obtain the random number R1, generates a 16-byte random number R2, SM2-encrypts R2 with the identification public key of the terminal device to obtain the ciphertext C3, and returns C3 to the terminal device;
Third step: the edge computing node takes the high 16 bytes of the random number R1 as the initial vector and the low 16 bytes as the key, and encrypts the random number R2 with the SM4 cryptographic algorithm in CBC mode to obtain a 16-byte ciphertext, which is the session key between the two parties; the node caches it in its secure key area as the symmetric key for the communication data between the two parties;
Fourth step: the terminal device receives the ciphertext C3 and inputs it into its security chip, decrypts C3 with its identification private key tsk_T to obtain the random number R2, processes R1 and R2 in the same way as in the third step to obtain the 16-byte session key, and caches it in its key area for encrypting and decrypting the data exchanged with the edge computing node, completing the establishment of the virtual secure channel.
Further, the method also includes performing access authentication on the source data collected by the terminal device, which specifically includes:
First step: the terminal device adds a timestamp to the collected data and computes its hash value with the SM3 cryptographic algorithm as the data fingerprint of the collected data;
Second step: the terminal device inputs the data fingerprint into its security chip, and the chip signs the data fingerprint with the identification private key using the SM2 cryptographic algorithm;
Third step: the terminal device packs the source data, the signature value, the timestamp, the adjoint public key and the device identifier, and sends the package to the edge computing node encrypted over the secure channel;
Fourth step: the edge computing node decrypts and unpacks the received packet, computes the identification public key of the terminal device in its key generation module from the device identifier, the APK and the GPK, and verifies the source data signature with that identification public key and the SM2 signature verification protocol; if verification passes, the source data is genuine and untampered, and the timestamp is then checked to determine the freshness of the data;
Fifth step: if both checks pass, the source data is authenticated; otherwise the source data is counterfeit or tampered and is discarded, or alarm information is sent to the cloud center.
The beneficial effects of the invention are as follows: in the terminal security access method for an edge computing node of the power satellite Internet of things, the edge computing node performs access authentication on the power sensing terminals of the sensing layer, which guarantees the security and reliability of the devices that are the source of transmitted data; the data uploaded by a sensing device must be signed by the acquisition device together with a timestamp, which ensures the authenticity and integrity of the data the device sends and prevents replay and copy attacks on the data; and data that cannot be verified is barred from entering the power satellite Internet of things, which reduces the transmission load on the power satellite network, prevents attacks on the power satellite Internet of things through the sensing network of the sensing layer terminals, and effectively guarantees the reliable operation of the power satellite network.
Drawings
The invention is further described below with reference to the following figures and examples:
FIG. 1 is a schematic diagram of the terminal access identification key generation and distribution process according to the present invention;
FIG. 2 is a schematic diagram of the terminal access authentication process according to the present invention;
FIG. 3 is a schematic diagram of the virtual secure channel establishment procedure according to the present invention;
FIG. 4 is a schematic diagram of the source data authentication process according to the present invention.
Detailed Description
The invention is further described in the following description with reference to the drawings, in which:
the invention discloses a terminal security access method of an edge computing node of an electric power satellite Internet of things, which comprises the following steps:
s1, registering the terminal equipment, and generating and distributing an identification key of the terminal equipment by an edge computing node; in this embodiment, the terminal device is a sensing terminal device;
s2, performing access authentication on the access edge computing node of the terminal equipment;
and S3, establishing a virtual safe channel between the terminal equipment allowed to be accessed and the edge computing node.
The edge computing node of the power satellite Internet of things uses an edge Internet of things proxy gateway as the on-site information and communication hub: it collects the data of each monitoring module, completes computation according to its strategies and algorithms, and uploads the data to the master station back end. The edge Internet of things proxy gateway provides access, forwarding, intelligent analysis and processing for narrow-band data such as sensor readings and wide-band data such as pictures. The edge Internet of things agent comprises a central processing unit (CPU), memory, an Ethernet interface, an RS-485 interface and small wireless modules (433, WiFi, 4G, LoRa), among others, and supports expansion.
The edge Internet of things proxy gateway is built up into an edge computing node of the power satellite Internet of things. The edge computing node connects various power sensing terminals such as a channel monitoring unit, a body monitoring unit, a microclimate unit, a tower inclination unit, a wire temperature measuring unit, a galloping monitoring unit, a sag monitoring unit, a windage monitoring unit and an icing monitoring unit; the data collected by the sensing terminals is converged and fused at the edge computing node, which reduces the scattered transmissions of the many sensing terminals and realises convergence, uploading and intelligent computation of the data at the edge computing node. Therefore, the security of the edge computing node is the key to the power satellite Internet of things security system, and terminal access security is the core of edge computing node security.
In this embodiment, in step S1, when a sensing device first accesses an edge computing node of the power satellite Internet of things, it needs to register with that edge computing node, and the edge computing node generates and distributes the identification key of the sensing terminal device for it; as shown in FIG. 1, this specifically includes:
First step: the terminal device sends its MAC, serial number SN, category and model to the edge computing node;
Second step: the edge computing node queries the device registration information and verifies the information of the terminal device applying for access; if verification passes, device registration is completed and the edge computing node identifier and the node public key GPK are sent to the terminal device;
Third step: the terminal device generates a random number in its security chip as the session key skey;
Fourth step: inside the security chip, the session key skey is SM2-encrypted with the edge computing node public key GPK to produce the ciphertext C1;
Fifth step: an SM2 key pair (usk, UPK) is randomly generated in the security chip, the private key usk is encrypted and cached in the chip key area, the terminal's custom public key UPK is output, and the ciphertext C1 and the terminal-generated public key UPK are sent to the edge computing node;
Sixth step: after receiving the ciphertext C1, the edge computing node decrypts it with its private key gsk to obtain the session key skey; the edge computing node inputs the terminal device's MAC, serial number SN and skey into its key generation module; the key generation module may be an existing PCI-E cryptographic card;
Seventh step: the key generation module randomly generates an SM2 key pair (hsk, HPK) as the hidden key, computes the adjoint public key APK = UPK + HPK, computes the SM3 value of the adjoint public key and the terminal identifier (MAC address + device serial number SN) to produce the key coefficient σ, and computes the distributed private key dsk_T = σ · gsk + hsk corresponding to the terminal device, where gsk is the private key of the edge computing node; dsk_T is encrypted with the session key skey to obtain the ciphertext csk_T, which is returned to the terminal device;
Eighth step: the terminal device inputs csk_T into the security chip, decrypts csk_T with the cached session key skey to obtain dsk_T, combines it with the cached custom private key factor usk to obtain the terminal private key tsk_T = dsk_T + usk, then encrypts tsk_T with the device encryption key and stores it in the key area of the security chip, completing registration of the terminal device and the application for and distribution of its key.
In this embodiment, in step S2, when a sensing terminal device accesses the edge computing node, the node needs to authenticate the legitimacy of the accessing device and ensure that only legitimate, authorized devices are allowed access. Access authentication of the terminal device at the edge computing node uses an authentication protocol that combines an identity-based certificateless public key system with the SM2 national cryptographic algorithm and, as shown in FIG. 2, specifically includes the following steps:
First step: the terminal device connects to the edge computing node and sends it an access request; the request includes, but is not limited to, the MAC address and serial number SN of the device;
Second step: the edge computing node queries the device whitelist to confirm whether the terminal applying for access is a legitimate device; if it is, the node generates a 32-byte random number as the session ID and returns it to the terminal device; if it is not, access is refused;
Third step: the terminal device uses the identification private key stored in its security chip to make an SM2 signature over the current Time and the session ID, and sends the signature value sig, the current Time, the adjoint public key APK and the device identifier (MAC address + device serial number SN) to the edge computing node as the authentication data of the access application;
Fourth step: after receiving the terminal's access application authentication data, the edge computing node computes the terminal public key TPK in its key generation module from the device identifier, the APK and the edge computing node public key GPK, then verifies the signature with the SM2 signature verification protocol using the terminal public key TPK, the signature value sig and the signature time; if verification passes, the sensing device identifier (MAC + SN) applying for access is confirmed to be genuine rather than counterfeit;
Fifth step: the edge computing node checks the difference between the signature time of the application and the current time; if it is within the allowed window, access is allowed; otherwise the application may be a legitimate application copied and replayed by an attacker, and the access application is refused.
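The key split of steps 5 to 8 of S1 and the public-key reconstruction of step 4 of S2 (the same reconstruction that step 4 of the source-data check relies on), worked through on the real SM2 curve as an added example; this is not the patent's code. It assumes the key coefficient is hashed over the APK point bytes followed by the device identifier, and SM3 falls back to SHA-256 where this Python's OpenSSL lacks it (the algebra does not depend on the hash).

```python
import hashlib
import secrets

# SM2 curve parameters (GB/T 32918, curve sm2p256v1)
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def on_curve(pt):
    """True for the identity (None) and for points satisfying y^2 = x^3 + Ax + B."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def point_add(p1, p2):
    """Affine point addition over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """Double-and-add scalar multiplication; k is taken mod the group order N."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def sm3(data):
    try:
        return hashlib.new("sm3", data).digest()
    except ValueError:  # OpenSSL built without SM3: SHA-256 stands in (assumption)
        return hashlib.sha256(data).digest()

def key_coefficient(apk, device_id):
    """sigma = SM3(APK || device identifier) mod N (input encoding is an assumption)."""
    return int.from_bytes(sm3(point_bytes(apk) + device_id), "big") % N

def random_scalar():
    return secrets.randbelow(N - 1) + 1

def register_terminal(device_id, gsk):
    """Steps 5-8 of S1: returns what the parties hold once registration is done."""
    GPK = scalar_mult(gsk, G)
    # Step 5 (terminal security chip): custom key pair; usk never leaves the chip,
    # so the edge node cannot reconstruct tsk_T even though it knows gsk and hsk.
    usk = random_scalar()
    UPK = scalar_mult(usk, G)
    # Step 7 (edge node key generation module): hidden pair, adjoint key, coefficient.
    hsk = random_scalar()
    HPK = scalar_mult(hsk, G)
    APK = point_add(UPK, HPK)
    sigma = key_coefficient(APK, device_id)
    dsk_T = (sigma * gsk + hsk) % N  # distributed private key, sent as csk_T under skey
    # Step 8 (terminal security chip): combine with the cached custom factor usk.
    tsk_T = (dsk_T + usk) % N
    return {"GPK": GPK, "APK": APK, "dsk_T": dsk_T, "tsk_T": tsk_T}

def derive_terminal_public_key(device_id, apk, gpk):
    """Step 4 of S2: TPK from the identifier, APK and GPK alone, because
    tsk_T*G = sigma*gsk*G + hsk*G + usk*G = sigma*GPK + APK."""
    sigma = key_coefficient(apk, device_id)
    return point_add(scalar_mult(sigma, gpk), apk)

def demo():
    """Returns (TPK matches tsk_T*G, a forged identifier yields a different TPK)."""
    gsk = random_scalar()
    device_id = b"00:11:22:33:44:55|SN-CONSTRUCTED-0001"  # constructed identifier
    reg = register_terminal(device_id, gsk)
    TPK = derive_terminal_public_key(device_id, reg["APK"], reg["GPK"])
    matches = TPK == scalar_mult(reg["tsk_T"], G)
    # A forged identifier (or a swapped APK) changes sigma and therefore TPK, so an
    # SM2 signature made with the real tsk_T will not verify against it.
    forged = derive_terminal_public_key(b"forged-id", reg["APK"], reg["GPK"])
    return matches, forged != TPK

if __name__ == "__main__":
    print(demo())
```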
In this embodiment, in step S3, after the sensing terminal device completes access authentication, it needs to negotiate a session key with the edge computing node, establish a virtual secure channel, and encrypt the data transmitted between the sensing terminal device and the edge computing node with the SM4 national cryptographic algorithm. Establishing the secure channel likewise uses a key negotiation protocol based on the combination of an identity-based certificateless public key system and the SM2 cryptographic algorithm. As shown in FIG. 3, establishing a virtual secure channel between a terminal device allowed to access and the edge computing node specifically includes:
First step: after the terminal device and the edge computing node complete access authentication, the terminal device generates a 32-byte random number R1 in its security chip, SM2-encrypts R1 with the edge computing node public key GPK to obtain the ciphertext C2, and sends C2 to the edge computing node;
Second step: the edge computing node receives the packet, decrypts C2 with its private key gsk to obtain the random number R1, generates a 16-byte random number R2, SM2-encrypts R2 with the identification public key of the terminal device to obtain the ciphertext C3, and returns C3 to the terminal device; the identification public key is realised on the basis of the certificateless identity public key system;
Third step: the edge computing node takes the high 16 bytes of the random number R1 as the initial vector and the low 16 bytes as the key, and encrypts the random number R2 with the SM4 cryptographic algorithm in CBC mode to obtain a 16-byte ciphertext, which is the session key between the two parties; the node caches it in its secure key area as the symmetric key for the communication data between the two parties;
Fourth step: the terminal device receives the ciphertext C3 and inputs it into its security chip, decrypts C3 with its identification private key tsk_T to obtain the random number R2, processes R1 and R2 in the same way as in the third step to obtain the 16-byte session key, and caches it in its key area as the key for encrypting and decrypting data when communicating with the edge computing node, completing the establishment of the virtual secure channel.
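The session-key derivation of steps 3 and 4 of S3 as an added example, not the patent's code: it carries its own compact SM4 so that it runs offline, takes the "high 16 bytes" of R1 to mean the first 16 bytes in transmission order (an assumption), and uses constructed values for R1 and R2.

```python
# Compact pure-Python SM4 (GB/T 32907), included only so the example runs offline.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948"
)
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
# CK[i] packs the bytes ((4i + j) * 7) mod 256 for j = 0..3
CK = tuple(int.from_bytes(bytes(((4 * i + j) * 7) & 0xFF for j in range(4)), "big")
           for i in range(32))

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _tau(x):
    """Byte-wise S-box substitution on a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")

def _t_round(x):  # T = L(tau(x)) used in the round function
    b = _tau(x)
    return b ^ _rotl(b, 2) ^ _rotl(b, 10) ^ _rotl(b, 18) ^ _rotl(b, 24)

def _t_key(x):  # T' = L'(tau(x)) used in the key schedule
    b = _tau(x)
    return b ^ _rotl(b, 13) ^ _rotl(b, 23)

def sm4_round_keys(key):
    k = [int.from_bytes(key[i:i + 4], "big") ^ FK[i // 4] for i in range(0, 16, 4)]
    for i in range(32):
        k.append(k[i] ^ _t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]

def sm4_encrypt_block(key, block):
    x = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 16, 4)]
    for rk in sm4_round_keys(key):
        x.append(x[0] ^ _t_round(x[1] ^ x[2] ^ x[3] ^ rk))
        x.pop(0)
    return b"".join(w.to_bytes(4, "big") for w in reversed(x))  # (X35, X34, X33, X32)

def sm4_cbc_encrypt(key, iv, data):
    """CBC over whole blocks (R2 is exactly one block, so no padding is needed)."""
    if len(data) % 16:
        raise ValueError("data must be a multiple of 16 bytes")
    out, prev = [], iv
    for i in range(0, len(data), 16):
        prev = sm4_encrypt_block(key, bytes(a ^ b for a, b in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)

def derive_session_key(r1, r2):
    """Steps 3 and 4 of S3, run identically on both sides: IV = first 16 bytes of R1,
    key = last 16 bytes of R1, session key = SM4-CBC(key, IV, R2), one 16-byte block."""
    if len(r1) != 32 or len(r2) != 16:
        raise ValueError("R1 must be 32 bytes and R2 16 bytes")
    return sm4_cbc_encrypt(r1[16:], r1[:16], r2)

def demo():
    """Both parties derive the same key from the random numbers exchanged under SM2
    (C2 carries R1 to the node, C3 carries R2 to the terminal)."""
    r1 = bytes(range(32))           # constructed: terminal's 32-byte random number R1
    r2 = bytes(range(0x40, 0x50))   # constructed: edge node's 16-byte random number R2
    node_key = derive_session_key(r1, r2)
    terminal_key = derive_session_key(r1, r2)
    # A party holding a different R1 (one that could not decrypt C2) derives a
    # different key and cannot read the channel.
    other = derive_session_key(bytes(reversed(r1)), r2)
    return node_key == terminal_key, other != node_key, len(node_key)

if __name__ == "__main__":
    print(demo())
```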
In this embodiment, in addition to device access authentication, the invention performs access authentication on the source data collected by the sensing terminal device: the data uploaded by the acquisition terminal must be timestamped and SM2-signed by the acquisition device itself, which ensures the source authenticity, integrity and timeliness of the source data and prevents data impersonation, data tampering and the replay of copied historical data. As shown in FIG. 4, performing access authentication on the source data collected by the terminal device specifically includes:
First step: the terminal device adds a timestamp to the collected data and computes its hash value with the SM3 cryptographic algorithm as the data fingerprint of the collected data;
Second step: the terminal device inputs the data fingerprint into its security chip, and the chip signs the data fingerprint with the identification private key using the SM2 cryptographic algorithm;
Third step: the terminal device packs the source data, the signature value, the timestamp, the adjoint public key and the device identifier (MAC + SN), and sends the package to the edge computing node encrypted over the secure channel;
Fourth step: the edge computing node decrypts and unpacks the received packet, computes the identification public key of the terminal device in its key generation module from the device identifier, the APK and the GPK, and verifies the source data signature with that identification public key and the SM2 signature verification protocol; if verification passes, the source data is genuine and untampered, and the timestamp is then checked to determine the freshness of the data;
Fifth step: if both checks pass, the source data is authenticated; otherwise the source data is counterfeit or tampered and is discarded, or alarm information is sent to the cloud center. Finally, the verified source data is cleaned and compressed at the edge computing gateway, and the processed data is uploaded to the cloud data center through the power satellite Internet of things.
Finally, the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all of them should be covered in the claims of the present invention.

Claims (5)

1. A terminal security access method for an electric power satellite Internet of things edge computing node is characterized in that: the method comprises the following steps:
s1, registering the terminal equipment, and generating and distributing an identification key of the terminal equipment by an edge computing node;
s2, performing access authentication on the access edge computing node of the terminal equipment;
and S3, establishing a virtual security channel between the terminal equipment allowing access and the edge computing node.
2. The terminal secure access method of the power satellite internet of things edge computing node as claimed in claim 1, wherein: the step S1 specifically includes:
the first step is as follows: the terminal equipment sends the MAC, the serial number SN, the category and the model of the equipment to the edge computing node;
the second step is that: the edge computing node inquires equipment registration information and performs information verification on the terminal equipment which applies for access; if the verification is passed, equipment registration is completed, and the edge computing node identification and the node public key GPK are sent to the terminal equipment;
the third step: the terminal equipment generates a random number in the security chip as a session key skey;
the fourth step: SM2 encryption is carried out on the session key skey in the security chip by using an edge computing node public key GPK to generate a ciphertext C1;
the fifth step: randomly generating an SM2 key pair (usk, UPK) in a security chip, encrypting and caching a private key usk in a chip key area, outputting a self-defined public key UPK of a terminal, and sending a ciphertext C1 and the public key UPK generated by the terminal to an edge computing node;
and a sixth step: after receiving the ciphertext C1, the edge computing node decrypts the ciphertext by using a private key gsk to obtain a session key skey; the edge computing node inputs the MAC, the serial number SN and the skey of the terminal equipment into a key generation module of the edge computing node;
the seventh step: the key generation module randomly generates an SM2 key pair (hsk, HPK) as a hidden key, calculates an adjoint public key APK = UPK + HPK, calculates an SM3 value of the adjoint public key and the terminal identification to generate a key coefficient σ, and calculates the distributed private key dsk_T = σ · gsk + hsk corresponding to the terminal equipment, where gsk is the private key of the edge computing node; dsk_T is encrypted by the session key skey to obtain a ciphertext csk_T, which is returned to the terminal device;
eighth step: the terminal equipment inputs csk_T into the security chip, decrypts csk_T with the cached session key skey to obtain dsk_T, then combines it with the cached custom private key factor usk to obtain the terminal private key tsk_T = dsk_T + usk, encrypts tsk_T using the device encryption key and stores it in the key area of the security chip, so as to complete the registration of the terminal equipment and the application and distribution of the key.
3. The terminal secure access method for the power satellite Internet of Things edge computing node as claimed in claim 1, wherein performing access authentication when the terminal device accesses the edge computing node specifically comprises:
first step: the terminal device connects to the edge computing node and sends it an access request;
second step: the edge computing node queries the device whitelist to confirm whether the terminal applying for access is a legitimate device; if it is, the node generates a 32-byte random number as the session ID and returns it to the terminal device; if it is not, access is refused;
third step: the terminal device uses the identification private key stored in its security chip to produce an SM2 signature over the current time Time and the session ID, and sends the signature value sig, the current time, the accompanying public key APK and the device identifier to the edge computing node as the authentication data of the access application;
fourth step: after receiving the terminal's access application authentication data, the edge computing node computes the terminal public key TPK in its key generation module from the device identifier, APK and the edge computing node public key GPK, and verifies the signature with the SM2 signature verification protocol using the terminal public key TPK, the signature value sig and the signature time; if verification passes, the device identifier applying for access is confirmed to be genuine;
fifth step: the edge computing node checks the difference between the signature time of the application and the current time; if the signature time lies within the allowed time window, access is granted, otherwise access is refused.
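The key composition of claim 2 (steps 7 and 8) and the public-key reconstruction of claim 3 (step 4), worked through as an added example that is not part of the patent: the edge node derives dsk_T, the terminal composes tsk_T, and the node later rebuilds TPK from the device identifier, APK and GPK and can check that it equals tsk_T·G, which is what makes the claim 3 signature verifiable. Assumptions of mine, not statements of the page: textbook affine arithmetic on the SM2 curve, SHA-256 standing in for SM3 in the key coefficient, the APK||id serialization, the constructed device identifier, and the reconstruction formula TPK = σ·GPK + APK (implied by dsk_T = σ·gsk + hsk and tsk_T = dsk_T + usk but not spelled out in the claims).

```python
import hashlib, secrets

P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF  # SM2 field prime (GB/T 32918.5-2017)
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC  # curve coefficient a
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123  # group order n
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,  # base point G
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def keypair(sk=None):  # (private scalar, public point); random unless sk is given
    sk = sk or secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)

def key_coefficient(apk, device_id):
    # sigma = hash(APK || device id) mod n; SHA-256 stands in for SM3 here (assumption)
    raw = apk[0].to_bytes(32, "big") + apk[1].to_bytes(32, "big") + device_id
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N

def node_distribute(gsk, upk, device_id):
    # claim 2 step 7 (edge node): hidden pair (hsk, HPK), APK = UPK + HPK, dsk_T = sigma*gsk + hsk
    hsk, hpk = keypair()
    apk = ec_add(upk, hpk)
    return apk, (key_coefficient(apk, device_id) * gsk + hsk) % N

def node_reconstruct_tpk(gpk, apk, device_id):
    # claim 3 step 4 (edge node): TPK = sigma*GPK + APK, the formula implied by claim 2 (assumption)
    return ec_add(ec_mul(key_coefficient(apk, device_id), gpk), apk)

def registration_round_trip(device_id=b"MAC=00:11:22:33:44:55|SN=CONSTRUCTED-0001"):
    gsk, gpk = keypair()  # edge node (gsk, GPK)
    usk, upk = keypair()  # terminal's self-defined pair (usk, UPK) from its security chip
    apk, dsk_t = node_distribute(gsk, upk, device_id)
    tsk_t = (dsk_t + usk) % N  # claim 2 step 8 (terminal): tsk_T = dsk_T + usk
    return node_reconstruct_tpk(gpk, apk, device_id) == ec_mul(tsk_t, G)
```

The equality holds only for the genuine (APK, device identifier) pair: a different identifier or a substituted APK yields a different TPK, so a signature under the real tsk_T fails to verify, which is the check the edge node relies on in claim 3.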
4. The terminal secure access method for the power satellite Internet of Things edge computing node as claimed in claim 1, wherein establishing a virtual secure channel between a terminal device allowed to access and the edge computing node specifically comprises:
first step: after the terminal device and the edge computing node complete access authentication, the terminal device generates a 32-byte random number R1 in its security chip, SM2-encrypts R1 with the edge computing node public key GPK to obtain the ciphertext C2, and sends C2 to the edge computing node;
second step: the edge computing node receives the packet, decrypts C2 with its private key gsk to obtain the random number R1, generates a 16-byte random number R2, SM2-encrypts R2 with the identification public key of the terminal device to obtain the ciphertext C3, and returns C3 to the terminal device;
third step: the edge computing node takes the high 16 bytes of R1 as the initialization vector and the low 16 bytes as the key, encrypts R2 with the SM4 algorithm in CBC mode to obtain a 16-byte ciphertext, which is the session key between the two parties; the node caches this 16-byte value in its secure key area as the symmetric key for the communication data between the two parties;
fourth step: the terminal device receives the ciphertext C3 and inputs it into its security chip, decrypts C3 with the terminal's identification private key tsk to obtain the random number R2, derives the 16-byte session key from R1 and R2 by the same method as in the third step, and caches it in its key area as the key for encrypting and decrypting data exchanged with the edge computing node, which completes the establishment of the virtual secure channel.
5. The terminal secure access method for the power satellite Internet of Things edge computing node as claimed in claim 1, further comprising performing source authentication on the data collected by the terminal device, which specifically comprises:
first step: the terminal device adds a timestamp to the collected data and computes the hash value of the data with the SM3 algorithm as the data fingerprint of the collected data;
second step: the terminal device inputs the data fingerprint into its security chip, and the chip invokes the identification private key to sign the data fingerprint with the SM2 algorithm;
third step: the terminal device packs the source data, signature value, timestamp, accompanying public key and device identifier, and sends the packet to the edge computing node encrypted over the secure channel;
fourth step: the edge computing node decrypts and unpacks the received packet, computes the identification public key of the terminal device in its key generation module from the device identifier, APK and GPK, and verifies the source data signature with this public key using the SM2 signature verification protocol; if the signature verifies, the source data is genuine and untampered, and the timestamp is then checked to determine the freshness of the data;
fifth step: if verification passes, the source data is authenticated; otherwise the source data is counterfeit or tampered and is discarded, or alarm information is sent to the cloud center.
CN202211460001.5A 2022-11-17 2022-11-17 Terminal safe access method for edge computing node of power satellite internet of things Pending CN115733696A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211460001.5A CN115733696A (en) 2022-11-17 2022-11-17 Terminal safe access method for edge computing node of power satellite internet of things

Publications (1)

Publication Number Publication Date
CN115733696A true CN115733696A (en) 2023-03-03

Family

ID=85297110

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116319119A (en) * 2023-05-26 2023-06-23 广东广宇科技发展有限公司 Accompanying type iterative communication verification method
CN116319119B (en) * 2023-05-26 2023-09-26 广东广宇科技发展有限公司 Accompanying type iterative communication verification method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination