CN115776390A - MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms - Google Patents

Publication number: CN115776390A
Application number: CN202211378487.8A
Authority: China (CN)
Legal status (as listed by Google Patents, not a legal conclusion): Granted
Other versions: CN115776390B (en)
Other languages: Chinese (zh)
Inventors: 刘泽超, 梁涛, 孙若尘
Current assignee: Harbin Engineering University
Original assignee: Harbin Engineering University
Prior art keywords: topic, key, client, mqtt, algorithm
Classification: Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscape: Data Exchanges In Wide-Area Networks
Abstract

The invention belongs to the technical field of the MQTT protocol, and specifically relates to an MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms. The invention uses the SM2 algorithm to digitally sign the ciphertexts of the key K1, the username and the password in the MQTT protocol, which not only achieves identity authentication but also ensures the authenticity and non-repudiation of the data; it uses the SM4 algorithm to encrypt critical data in the MQTT protocol such as the username, the password and topic messages, which adds confidentiality and solves the problem of data leakage; and it uses the SM3 algorithm to ensure the integrity of topic messages in the MQTT protocol and prevent data from being illegally tampered with.

Description

An MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms

Technical field

The invention belongs to the technical field of the MQTT protocol, and specifically relates to an MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms.

Background

With the rapid development of Internet of Things (IoT) technology, IoT security also faces severe challenges. MQTT is a publish/subscribe IoT transport protocol under an ISO standard; because it is lightweight, simple, open and easy to implement, it suits IoT scenarios with low power consumption and limited network bandwidth. Since the traditional MQTT protocol lacks adequate security protection mechanisms, proposing an effective protection measure for the MQTT protocol is of great significance.

The national cryptographic (SM) algorithms are the cryptographic algorithm standards and application specifications recognized and published by China's Cryptography Administration, a family of data encryption algorithms developed independently in China in the core field of cryptography. The algorithms promulgated so far include symmetric encryption algorithms (SM1, SM4), asymmetric encryption algorithms (SM2, SM9) and a hash algorithm (SM3). The state is currently vigorously promoting these independently controllable algorithms, and their adoption is of great significance for raising the level of network information security and independent controllability in China.

The MQTT (Message Queuing Telemetry Transport) protocol is a broker-based publish/subscribe messaging protocol, an application-layer protocol on top of TCP/IP. It is widely used in smart healthcare, smart homes, power equipment monitoring and many other areas. The MQTT protocol has three roles: subscriber, publisher and MQTT Broker. Subscribers and publishers are collectively called clients, and the MQTT Broker is the proxy server. A subscriber sends topic subscriptions to the MQTT Broker; a publisher publishes topic content to the MQTT Broker; the MQTT Broker is responsible for forwarding messages. Because data in the MQTT protocol is always transmitted in plaintext, data security cannot be guaranteed. The invention therefore uses the SM2, SM3 and SM4 algorithms to add identity authentication and data encryption to the MQTT protocol, solving its security problems.

Summary of the invention

The purpose of the invention is to provide an MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms.

An MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms: in the identity authentication phase, before the CONNECT packet is sent, the client first connects to the MQTT Broker;

The client randomly selects 16 bytes from its private key SK_c to form the value K1, encrypts K1 with the MQTT Broker's certificate public key PK_s to produce C1, and sends the client certificate and C1 to the MQTT Broker;

The MQTT Broker decrypts C1 with its own private key SK_s to obtain the client information, and signs C1 with SK_s to produce σ1; it sets C1' = C1 and sends C1' and σ1 to the client;

The client compares the received C1' with its local C1; if they are identical, it verifies the signature σ1 with PK_s; once the signature verifies, the client signs C1' with SK_c to produce σ2 and sends C1' and σ2 to the MQTT Broker;

The MQTT Broker compares the received C1' with its local C1; if they are identical, it verifies the signature σ2 with the client certificate public key PK_c; once the signature verifies it returns the verification result, and K1 is the SM4 symmetric key between the client and the MQTT Broker;

The client first encrypts the username and password to produce C_up, then signs C_up with its own private key SK_c to produce σ_up, and places C_up and σ_up in the CONNECT packet sent to the MQTT Broker;

On receiving the CONNECT packet, the MQTT Broker first verifies the signature σ_up with the client certificate public key PK_c; once the signature verifies, it decrypts the ciphertext C_up to obtain the username and password, and after identity verification succeeds it returns CONNACK to the client.

Further, the client generates C1, σ1, σ2 and σ_up with the SM2 algorithm and generates C_up with the SM4 algorithm.

Further, in the critical key component acquisition phase, the client sends its ClientID and the subscription topic Topic to the MQTT Broker; the MQTT Broker checks whether it already holds the same Topic locally; if it does not, it generates Key_Topic, encrypts Key_Topic with K1 to produce the ciphertext C_KeyTopic, and sends C_KeyTopic to the client; if it does, it directly encrypts Key_Topic with K1 to produce the ciphertext C_KeyTopic and sends it to the client.

Further, the MQTT Broker generates Key_Topic with the SM3 algorithm, Key_Topic = H(Topic||K1||SK_s), and generates the ciphertext C_KeyTopic with the SM4 algorithm, C_KeyTopic = E_K1(Key_Topic).

Further, in the data transmission phase, the subscriber sends a SUBSCRIBE packet to the MQTT Broker to subscribe to the topic content;

The publisher generates a 16-byte random number R and computes H(R||Topic||Key_Topic); it takes the first 16 bytes of this hash value as the data encryption key Key and encrypts the content for the Topic to produce the ciphertext C_mess; the content of the PUBLISH packet the publisher sends to the MQTT Broker is PUBLISH(Topic, C_mess + R + H(C_mess||R||Key_Topic));

On receiving the PUBLISH packet forwarded by the MQTT Broker, the subscriber computes H(C_mess||R||Key_Topic) and compares it with the H(C_mess||R||Key_Topic) carried in the received PUBLISH packet; if they match, it computes H(R||Topic||Key_Topic) and takes the first 16 bytes as the decryption key Key to decrypt the message C_mess, which yields the message plaintext.

Further, the publisher computes H(R||Topic||Key_Topic) with the SM3 algorithm and generates the ciphertext C_mess with the SM4 algorithm; the subscriber computes H(C_mess||R||Key_Topic) and H(R||Topic||Key_Topic) with the SM3 algorithm.

The beneficial effects of the invention are:

The invention uses the SM2 algorithm to digitally sign the ciphertexts of the key K1, the username and the password in the MQTT protocol, which not only achieves identity authentication but also ensures the authenticity and non-repudiation of the data; it uses the SM4 algorithm to encrypt critical data in the MQTT protocol such as the username, the password and topic messages, which adds confidentiality and solves the problem of data leakage; and it uses the SM3 algorithm to ensure the integrity of topic messages in the MQTT protocol and prevent data from being illegally tampered with.

Description of the drawings

Fig. 1 is a flowchart of the invention.

Fig. 2 is the sequence diagram of identity authentication in the invention.

Fig. 3 is the sequence diagram of critical key component acquisition and data transmission in the invention.

Detailed description

The invention is further described below with reference to the drawings.

To solve the data security problems of the MQTT protocol, the invention adds identity authentication and data encryption to it. In the traditional MQTT protocol, the MQTT Broker authenticates publishers and subscribers only by username and password, but both are transmitted in plaintext and are easily obtained illegally by an attacker. In addition, all data exchanged in the MQTT protocol is transmitted in plaintext, so security is low. To address these problems, the invention proposes an MQTT protocol identity authentication and data encryption method based on the national cryptographic (SM) algorithms.

The invention is divided into three phases: the identity authentication phase, the critical key component acquisition phase, and the data transmission phase. The specific steps are as follows:

I. Identity authentication phase. Identity authentication is added before any message is sent, ensuring that the publishers and subscribers connecting to the MQTT Broker are trusted.

1) Before the CONNECT packet is sent, the publisher and the subscriber (hereinafter the client) first connect to the MQTT Broker.

Step 1: The client randomly selects 16 bytes from its private key SK_c to form the value K1, encrypts K1 with the MQTT Broker's certificate public key PK_s (SM2 algorithm) to produce C1, and sends the client certificate and C1 to the MQTT Broker.

Step 2: The MQTT Broker decrypts C1 with its own private key SK_s to obtain the client information. It signs C1 with SK_s to produce σ1 (SM2 algorithm), sets C1' = C1, and sends C1' and σ1 to the client.

Step 3: The client compares the received C1' with its local C1. If they are identical, it verifies the signature σ1 with PK_s; once the signature verifies, the client signs C1' with SK_c to produce σ2 (SM2 algorithm) and sends C1' and σ2 to the MQTT Broker.

Step 4: The MQTT Broker compares the received C1' with its local C1. If they are identical, it verifies the signature σ2 with the client certificate public key PK_c and returns the verification result once the signature verifies. K1 is the SM4 symmetric key between the client and the MQTT Broker.

2) Sending the CONNECT packet

Step 5: The client first encrypts the username and password (SM4 algorithm), i.e. C_up = E_K1(username&password), then signs C_up with its own private key SK_c to produce σ_up (SM2 algorithm), and places C_up and σ_up in the CONNECT packet sent to the MQTT Broker.

Step 6: On receiving the CONNECT packet, the MQTT Broker first verifies the signature σ_up with the client certificate public key PK_c. Once the signature verifies, it decrypts the ciphertext C_up to obtain the username and password, i.e. username&password = D_K1(C_up). After identity verification succeeds it returns CONNACK to the client.

II. Critical key component acquisition phase. Because in the MQTT protocol the MQTT Broker only forwards messages and does not decrypt them, this phase lets the publisher and the subscriber obtain the same critical key component, which they use to assemble the same SM4 symmetric key.

Step 7: Before the subscriber's SUBSCRIBE packet and the publisher's PUBLISH packet are sent, the client sends its ClientID and the subscription topic Topic to the MQTT Broker.

Step 8: The MQTT Broker checks whether it already holds the same Topic locally. If not, it computes Key_Topic = H(Topic||K1||SK_s) (SM3 algorithm), then encrypts Key_Topic with K1 (SM4 algorithm) to produce the ciphertext C_KeyTopic = E_K1(Key_Topic), and sends C_KeyTopic to the client. If it does, it directly encrypts Key_Topic with K1 (SM4 algorithm) to produce the ciphertext C_KeyTopic and sends it to the client.

Step 9: The subscriber receives the ciphertext C_KeyTopic and decrypts it, i.e. Key_Topic = D_K1(C_KeyTopic).

III. Data transmission phase.

Step 10: The subscriber sends a SUBSCRIBE packet to the MQTT Broker to subscribe to the topic content.

Step 11: The publisher generates a 16-byte random number R and computes H(R||Topic||Key_Topic) (SM3 algorithm). It takes the first 16 bytes of this hash value as the data encryption key Key and encrypts the content for the Topic to produce the ciphertext C_mess (SM4 algorithm). The content of the PUBLISH packet the publisher sends to the MQTT Broker is PUBLISH(Topic, C_mess + R + H(C_mess||R||Key_Topic)).

Step 12: On receiving the PUBLISH packet forwarded by the MQTT Broker, the subscriber computes H(C_mess||R||Key_Topic) (SM3 algorithm) and compares it with the H(C_mess||R||Key_Topic) carried in the received PUBLISH packet. If they match, it computes H(R||Topic||Key_Topic) (SM3 algorithm) and takes the first 16 bytes as the decryption key Key to decrypt the message C_mess. This yields the message plaintext.
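Steps 8, 11 and 12 as a runnable sketch, added here as an illustration and not code from the patent or its applicant. Assumptions: "+" in the PUBLISH content is plain byte concatenation in the stated order; SM3 is implemented in pure Python; SM4 is replaced by a labelled stand-in keystream (the function names, topic and key bytes are all constructed for this example).

```python
import hmac
import os
import struct

# ---- SM3 hash, pure Python so the example runs offline ----
_IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)
_MASK = 0xFFFFFFFF

def _rol(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _MASK

def _compress(v, block):
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):  # message expansion
        x = w[j - 16] ^ w[j - 9] ^ _rol(w[j - 3], 15)
        p1 = x ^ _rol(x, 15) ^ _rol(x, 23)
        w.append(p1 ^ _rol(w[j - 13], 7) ^ w[j - 6])
    a, b, c, d, e, f, g, h = v
    for j in range(64):  # compression rounds
        t = 0x79CC4519 if j < 16 else 0x7A879D8A
        ss1 = _rol((_rol(a, 12) + e + _rol(t, j)) & _MASK, 7)
        ss2 = ss1 ^ _rol(a, 12)
        if j < 16:
            ff, gg = a ^ b ^ c, e ^ f ^ g
        else:
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | (~e & g)
        tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & _MASK
        tt2 = (gg + h + ss1 + w[j]) & _MASK
        a, b, c, d = tt1, a, _rol(b, 9), c
        e, f, g, h = tt2 ^ _rol(tt2, 9) ^ _rol(tt2, 17), e, _rol(f, 19), g
    return tuple(x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h)))

def sm3(data: bytes) -> bytes:
    pad = b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    data = data + pad + struct.pack(">Q", len(data) * 8)
    v = _IV
    for i in range(0, len(data), 64):
        v = _compress(v, data[i:i + 64])
    return struct.pack(">8I", *v)

# ---- STAND-IN for SM4: an SM3 counter-mode keystream. This is NOT SM4;
# it only keeps the example dependency-free. Use a vetted SM4 library. ----
def standin_cipher(key: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += sm3(key + struct.pack(">I", counter))
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))

R_LEN, DIGEST_LEN, KEY_LEN = 16, 32, 16

def derive_key_topic(topic: bytes, k1: bytes, sk_s: bytes) -> bytes:
    # Step 8 (broker): Key_Topic = H(Topic || K1 || SK_s)
    return sm3(topic + k1 + sk_s)

def publish_payload(topic: bytes, key_topic: bytes, plaintext: bytes) -> bytes:
    # Step 11 (publisher): fresh R, Key = first 16 bytes of H(R||Topic||Key_Topic)
    r = os.urandom(R_LEN)
    key = sm3(r + topic + key_topic)[:KEY_LEN]
    c_mess = standin_cipher(key, plaintext)
    # Payload = C_mess + R + H(C_mess || R || Key_Topic)
    return c_mess + r + sm3(c_mess + r + key_topic)

def open_payload(topic: bytes, key_topic: bytes, payload: bytes) -> bytes:
    # Step 12 (subscriber): R and the digest have fixed lengths, so the
    # payload is split from the tail; anything shorter is malformed.
    if len(payload) < R_LEN + DIGEST_LEN:
        raise ValueError("payload too short")
    c_mess = payload[:-(R_LEN + DIGEST_LEN)]
    r = payload[-(R_LEN + DIGEST_LEN):-DIGEST_LEN]
    tag = payload[-DIGEST_LEN:]
    # Compare digests in constant time before touching the ciphertext.
    if not hmac.compare_digest(tag, sm3(c_mess + r + key_topic)):
        raise ValueError("integrity check failed")
    # Topic is not in the digest input; it enters only through this derivation.
    key = sm3(r + topic + key_topic)[:KEY_LEN]
    return standin_cipher(key, c_mess)

if __name__ == "__main__":
    topic = b"plant/line1/temp"                 # constructed sample values
    k1, sk_s = bytes(range(16)), b"\x11" * 32
    key_topic = derive_key_topic(topic, k1, sk_s)
    wire = publish_payload(topic, key_topic, b"23.5 C")
    print(open_payload(topic, key_topic, wire))
    try:
        open_payload(topic, key_topic, bytes([wire[0] ^ 1]) + wire[1:])
    except ValueError as exc:
        print("rejected:", exc)
```

The fixed 48-byte tail (16-byte R plus 32-byte SM3 digest) is what lets the subscriber split the payload without a length field.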

Compared with the prior art, the beneficial effects of the invention are: the SM2 algorithm is used to digitally sign the ciphertexts of the key K1, the username and the password in the MQTT protocol, which not only achieves identity authentication but also ensures the authenticity and non-repudiation of the data; the SM4 algorithm is used to encrypt critical data in the MQTT protocol such as the username, the password and topic messages, which adds confidentiality and solves the problem of data leakage; and the SM3 algorithm is used to ensure the integrity of topic messages in the MQTT protocol and prevent data from being illegally tampered with.

The above are only preferred embodiments of the invention and are not intended to limit it; those skilled in the art may make various modifications and changes to the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (6)

1. An MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms, characterized in that: in the identity authentication phase, before the CONNECT packet is sent, the client first connects to the MQTT Broker;
the client randomly selects 16 bytes from its private key SK_c to form the value K1, encrypts K1 with the MQTT Broker's certificate public key PK_s to produce C1, and sends the client certificate and C1 to the MQTT Broker;
the MQTT Broker decrypts C1 with its own private key SK_s to obtain the client information, and signs C1 with SK_s to produce σ1; it sets C1' = C1 and sends C1' and σ1 to the client;
the client compares the received C1' with its local C1; if they are identical, it verifies the signature σ1 with PK_s; once the signature verifies, the client signs C1' with SK_c to produce σ2 and sends C1' and σ2 to the MQTT Broker;
the MQTT Broker compares the received C1' with its local C1; if they are identical, it verifies the signature σ2 with the client certificate public key PK_c; once the signature verifies it returns the verification result, and K1 is the SM4 symmetric key between the client and the MQTT Broker;
the client first encrypts the username and password to produce C_up, then signs C_up with its own private key SK_c to produce σ_up, and places C_up and σ_up in the CONNECT packet sent to the MQTT Broker;
on receiving the CONNECT packet, the MQTT Broker first verifies the signature σ_up with the client certificate public key PK_c; once the signature verifies, it decrypts the ciphertext C_up to obtain the username and password, and after identity verification succeeds it returns CONNACK to the client.

2. The MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms according to claim 1, characterized in that: the client generates C1, σ1, σ2 and σ_up with the SM2 algorithm and generates C_up with the SM4 algorithm.

3. The MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms according to claim 1, characterized in that: in the critical key component acquisition phase, the client sends its ClientID and the subscription topic Topic to the MQTT Broker; the MQTT Broker checks whether it already holds the same Topic locally; if it does not, it generates Key_Topic, encrypts Key_Topic with K1 to produce the ciphertext C_KeyTopic, and sends C_KeyTopic to the client; if it does, it directly encrypts Key_Topic with K1 to produce the ciphertext C_KeyTopic and sends it to the client.

4. The MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms according to claim 3, characterized in that: the MQTT Broker generates Key_Topic with the SM3 algorithm, Key_Topic = H(Topic||K1||SK_s), and generates the ciphertext C_KeyTopic with the SM4 algorithm, C_KeyTopic = E_K1(Key_Topic).

5. The MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms according to claim 1, characterized in that: in the data transmission phase, the subscriber sends a SUBSCRIBE packet to the MQTT Broker to subscribe to the topic content;
the publisher generates a 16-byte random number R and computes H(R||Topic||Key_Topic); it takes the first 16 bytes of this hash value as the data encryption key Key and encrypts the content for the Topic to produce the ciphertext C_mess; the content of the PUBLISH packet the publisher sends to the MQTT Broker is PUBLISH(Topic, C_mess + R + H(C_mess||R||Key_Topic));
on receiving the PUBLISH packet forwarded by the MQTT Broker, the subscriber computes H(C_mess||R||Key_Topic) and compares it with the H(C_mess||R||Key_Topic) carried in the received PUBLISH packet; if they match, it computes H(R||Topic||Key_Topic) and takes the first 16 bytes as the decryption key Key to decrypt the message C_mess, which yields the message plaintext.

6. The MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms according to claim 5, characterized in that: the publisher computes H(R||Topic||Key_Topic) with the SM3 algorithm and generates the ciphertext C_mess with the SM4 algorithm; the subscriber computes H(C_mess||R||Key_Topic) and H(R||Topic||Key_Topic) with the SM3 algorithm.

Application number: CN202211378487.8A
Priority date: 2022-11-04
Filing date: 2022-11-04
Title: MQTT protocol identity authentication and data encryption method based on national cryptographic (SM) algorithms
Status: Active, CN115776390B (en)

Publications (2)

Publication Number Publication Date
CN115776390A (en) 2023-03-10
CN115776390B (en) 2024-04-09


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant