CN115802348B - Low-power consumption NB-IoT terminal and secure communication mechanism - Google Patents

Publication number: CN115802348B
Authority: CN (China)
Prior art keywords: iot, security, encryption, master station, data
Legal status: Active
Application number: CN202310085404.4A
Other languages: Chinese (zh)
Other versions: CN115802348A
Inventors: 陈飞, 胡静, 张胜
Current assignee: Xinlian Technology Nanjing Co ltd
Original assignee: Xinlian Technology Nanjing Co ltd
Events:
    • Application filed by Xinlian Technology Nanjing Co ltd
    • Priority to CN202310085404.4A
    • Publication of CN115802348A
    • Application granted
    • Publication of CN115802348B

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/70: Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention relates to a low-power consumption NB-IoT terminal, which comprises a terminal processor MCU and an NB-IoT secure communication module formed by integrating an NB-IoT communication baseband chip with a secure encryption chip. Based on a secure application SDK running on the operating system of the NB-IoT communication baseband chip, secure authentication and data encryption and decryption between the low-power consumption NB-IoT terminal and the corresponding service system master station are realized through the secure application SDK invoking the secure encryption chip. The design optimizes the data encryption and decryption flow, effectively reduces power consumption, completes all security operations on data and messages inside the NB-IoT secure communication module, separates the security function from the business function, and enhances security and usability. In addition, the secure communication mechanism of the low-power consumption NB-IoT terminal simplifies the key negotiation and identity authentication flow, reduces power consumption, and realizes low-power-consumption, secure NB-IoT communication.

Description

Low-power consumption NB-IoT terminal and secure communication mechanism
Technical Field
The invention relates to a low-power consumption NB-IoT terminal and a secure communication mechanism, belonging to the technical field of communication of the internet of things.
Background
NB-IoT technology has the advantages of low power consumption, large connection capacity, deep coverage and low cost, and nationwide coverage has now been essentially achieved. Internet of things terminals such as NB-IoT smart gas meters, smart water meters and smart electricity meters are widely deployed in important industries and fields such as gas, water supply and electric power, raising the level of digitization and intelligence of critical information infrastructure. However, because NB-IoT internet of things terminals are extremely numerous, widely distributed and mostly deployed in low-security outdoor environments (open air, unattended operation, etc.), they carry security risks in practical application, mainly manifested as follows:
(1) The physical environment is untrusted and the terminal's own protection capability is weak, so terminals are easily hijacked by an attacker and used to launch large-scale network attacks;
(2) End-to-end security authentication and encrypted communication mechanisms are generally lacking, creating risks of leakage of important data, message forgery and malicious replacement of operating instructions, so that service data is no longer genuine and the system may even be maliciously controlled, causing huge economic losses;
(3) The terminal's own computing, storage and power resources are limited, and adopting traditional secure communication protocols such as SSL or IPsec places a heavy burden on communication and can even bring down the service system.
Therefore, a breakthrough in low-power-consumption, large-connection, heterogeneous and ubiquitous security protection technology applicable to NB-IoT internet of things terminals is needed to raise the security protection level of the terminals themselves.
To reduce these security risks, NB-IoT internet of things terminals in some industries protect the transmitted data with a bypass-integrated (separately mounted) hardware security encryption chip to realize secure data transmission; as shown in fig. 1, the specific communication flow is as follows. For uplink data, the MCU calls the security encryption chip to encrypt the plaintext data, transmits the resulting ciphertext to the NB-IoT communication baseband chip, and the NB-IoT communication baseband chip transmits the ciphertext data to the service system master station; for downlink data, the service system master station transmits ciphertext data to the NB-IoT communication baseband chip, the NB-IoT communication baseband chip forwards the ciphertext data to the MCU, and the MCU calls the security encryption chip to decrypt it and obtain the plaintext data.
This prior art improves the security of NB-IoT terminal communication to a certain degree, but has the following disadvantages:
(1) Uplink data first goes to the NB-IoT communication baseband chip, then to the security encryption chip for security processing, and then back to the communication baseband chip; the processing flow is complex, and the MCU interacts frequently with both the security encryption chip and the communication baseband chip, which increases terminal power consumption;
(2) The security encryption chip only provides the security algorithm, and the secure communication protocol has to be implemented in the MCU or the NB-IoT communication baseband chip, so the MCU must handle the security services related to secure communication as well as the service data, which is a heavy computational burden, and the communication session key is at risk of leakage;
(3) The DTLS security protocol adopted has a complex key negotiation and identity authentication flow that requires a large number of packet exchanges, so network communication efficiency is low and terminal power consumption increases;
(4) The bypass-integrated security encryption chip occupies more circuit components and board area, increases power consumption, is costly and is not easy to deploy.
Disclosure of Invention
The technical problem to be solved by the invention is to provide the low-power consumption NB-IoT terminal, which adopts a brand new architecture design and can effectively improve the message transmission processing efficiency.
The invention adopts the following technical scheme for solving the technical problems: the invention designs a low-power consumption NB-IoT terminal, which comprises a terminal processor MCU and an NB-IoT secure communication module which are connected with each other, wherein the NB-IoT secure communication module comprises an NB-IoT communication baseband chip, a secure encryption chip and a secure application SDK running on an operating system of the NB-IoT communication baseband chip;
the terminal processor MCU is connected with the NB-IoT communication baseband chip for communication, and based on NB-IoT network connection between the NB-IoT communication baseband chip and the corresponding service system master station, network connection between the terminal processor MCU and the corresponding service system master station through the NB-IoT communication baseband chip is realized;
the security encryption chip is carried with a security communication protocol and a security algorithm comprising preset encryption and decryption algorithms of various types, and the security algorithm is used for providing preset encryption and decryption security verification services for the security communication protocol; the secure communication protocol realizes session key negotiation service and bidirectional identity authentication service based on digital certificates based on preset encryption and decryption secure verification service provided by a secure algorithm;
based on communication connection between the NB-IoT communication baseband chip and the security encryption chip through an on-chip bus, the security application SDK calls a security algorithm and a bottom layer interface provided by a security communication protocol, and the NB-IoT communication baseband chip calls an external interface provided by the security application SDK, the NB-IoT communication baseband chip realizes bidirectional identity authentication and session key negotiation between the low-power consumption NB-IoT terminal and a corresponding service system master station, and further the NB-IoT communication baseband chip provides encryption and decryption for data passing through the NB-IoT communication baseband chip.
As a preferred technical scheme of the invention: the preset encryption and decryption security verification service provided by the security algorithm for the security communication protocol comprises encryption and decryption service, HASH operation service, signature service, verification signature service and random number generation service.
As a preferred technical scheme of the invention: the encryption and decryption algorithms of all preset types contained in the security algorithm are SM1 national encryption algorithm, SM2 national encryption algorithm, SM3 national encryption algorithm and SM4 national encryption algorithm.
As a preferred technical scheme of the invention: the terminal processor MCU and the NB-IoT communication baseband chip communicate through a serial port.
In view of the foregoing, the present invention further provides a secure communication mechanism for a low-power NB-IoT terminal, which adopts a completely new design of communication logic, so as to effectively improve the message transmission processing efficiency and enhance the communication security.
The invention adopts the following technical scheme for solving the technical problem: the invention designs a secure communication mechanism of a low-power consumption NB-IoT terminal. On the basis of the following three points 1) to 3), and for the network connection between the terminal processor MCU and the corresponding service system master station through the NB-IoT communication baseband chip, session key negotiation between the NB-IoT secure communication module and the corresponding service system master station is executed according to the following steps A to C, which realizes session key negotiation between the NB-IoT terminal and the corresponding service system master station;
1) The encryption and decryption algorithms of all types contained in the security algorithm are SM1 national encryption algorithm, SM2 national encryption algorithm, SM3 national encryption algorithm and SM4 national encryption algorithm;
2) The security encryption chip is stored with an NB-IoT security communication module public key cert1 based on an SM2 national cryptographic algorithm, an NB-IoT security communication module private key Skey1 and a service system master station public key cert2, and the service system master station is stored with a self public key cert2 based on the SM2 national cryptographic algorithm, a private key Skey2 and the NB-IoT security communication module public key cert1;
3) The method comprises the steps that a security application SDK in an NB-IoT security communication module invokes a security algorithm and a bottom layer interface provided by a security communication protocol, and an NB-IoT communication baseband chip invokes an external interface provided by the security application SDK;
Step A: the NB-IoT secure communication module generates a random number $R_1$, generates the message $SN \parallel A \parallel E_{cert2}(R_1) \parallel E_{Skey1}(H(SN \parallel A \parallel E_{cert2}(R_1)))$, sends it to the service system master station and then enters step B; here $SN$ denotes a session timestamp, $A$ denotes the NB-IoT secure communication module identifier field, $E_{cert2}()$ denotes the encryption function applying the service system master station public key cert2, $H()$ denotes the hash function based on the SM3 cryptographic algorithm, $E_{Skey1}()$ denotes the encryption function applying the NB-IoT secure communication module private key Skey1 (realizing the data signature function), and $\parallel$ denotes concatenation;
Step B: the service system master station applies its own private key Skey2 to decrypt $E_{cert2}(R_1)$ and obtain $R_1$, and uses the NB-IoT secure communication module public key cert1 to verify $E_{Skey1}(H(SN \parallel A \parallel E_{cert2}(R_1)))$, thereby checking the correctness of the obtained $R_1$; the service system master station then generates a random number $R_2$, combines $DK = R_1 \oplus R_2$ to obtain the session key $DK$, generates the message $(SN+1) \parallel A \parallel E_{cert1}(R_2) \parallel E_{Skey2}(H((SN+1) \parallel A \parallel E_{cert1}(R_2)))$, returns it to the NB-IoT secure communication module and then enters step C; here $E_{cert1}()$ denotes the encryption function applying the NB-IoT secure communication module public key cert1 (realizing the data encryption function), and $E_{Skey2}()$ denotes the encryption function applying the service system master station private key Skey2 (realizing the data signature function);
Step C: the NB-IoT secure communication module applies its own private key Skey1 to decrypt $E_{cert1}(R_2)$ and obtain $R_2$, uses the service system master station public key cert2 to verify $E_{Skey2}(H((SN+1) \parallel A \parallel E_{cert1}(R_2)))$, thereby checking the correctness of the obtained $R_2$, and combines $DK = R_1 \oplus R_2$, so that the NB-IoT secure communication module obtains the session key $DK$.
As a preferred technical scheme of the invention: based on a session key between the NB-IoT terminal and a corresponding service system master station, symmetric encryption transmission is carried out on transmission data by using a session key DK between an NB-IoT communication baseband chip in the NB-IoT secure communication module and the corresponding service system master station based on an SM1 national encryption algorithm or an SM4 national encryption algorithm, wherein the SM1 national encryption algorithm or the SM4 national encryption algorithm realizes symmetric encryption transmission of data based on a hardware encryption mode.
As a preferred technical scheme of the invention: the data packet format transmitted in the session key negotiation process between the NB-IoT secure communication module and the corresponding service system master station sequentially comprises a frame header, a protocol type, a protocol frame version, a frame length, a message sequence number, a control domain, a data object ID, a data domain, a check domain and a frame tail, wherein the data domain sequentially comprises a security scheme quotient number, a security encryption chip ID, a network sequence number, a key sequence number, a command code, a security data domain length and a security data domain, and the security data domain sequentially comprises a random number ciphertext, a signature value and a CRC.
As a preferred technical scheme of the invention: in symmetric encryption transmission of transmission data based on SM1 national encryption algorithm or SM4 national encryption algorithm by using session key DK between NB-IoT communication baseband chip and corresponding service system master station in the NB-IoT secure communication module, the data packet format sequentially comprises frame header, protocol type, protocol frame version, frame length, message sequence number, control domain, data object ID, data domain, check domain and frame tail, wherein the data domain sequentially comprises security scheme quotient number, security encryption chip ID, network sequence number, key sequence number, command code, security data domain length, security data domain, and further the security data domain sequentially comprises message ciphertext and CRC.
Compared with the prior art, the technical scheme has the following technical effects that:
the invention designs a low-power consumption NB-IoT terminal, which comprises a terminal processor MCU and an NB-IoT secure communication module which are connected with each other, wherein the NB-IoT secure communication module is integrated by connecting an NB-IoT communication baseband chip with a secure encryption chip, based on a secure application SDK running on an operating system of the NB-IoT communication baseband chip, the NB-IoT communication baseband chip realizes bidirectional identity authentication and session key negotiation between the low-power consumption NB-IoT terminal and a corresponding service system master station through the invocation of the secure encryption chip by the secure application SDK, and further provides encryption and decryption for data passing through the NB-IoT communication baseband chip; the terminal design architecture optimizes the data encryption and decryption flow, so that uplink and downlink messages do not return, the time for safe processing of the messages is saved, and the power consumption is effectively reduced; the security algorithm and the security communication protocol are integrated into the security encryption chip, all security operations of data and messages are completed in the NB-IoT security communication module, clear separation of security functions and business functions is realized, and security and usability are enhanced; in addition, a safety communication mechanism of the low-power consumption NB-IoT terminal is designed, so that key negotiation and identity authentication flow are simplified, interaction times are reduced, and power consumption is further reduced; such an overall design enables low power consumption, secure NB-IoT communications.
Drawings
Fig. 1 is a schematic diagram of a conventional NB-IoT internet of things terminal connection architecture;
FIG. 2 is a schematic diagram of an architecture for designing a low power NB-IoT terminal connection in accordance with the present invention;
fig. 3 is a schematic diagram of low power NB-IoT terminal data upstream in accordance with the present invention;
fig. 4 is a schematic diagram of low power NB-IoT terminal data downstream in accordance with the present invention;
fig. 5 is a schematic diagram of a session key negotiation flow in the design of the present invention.
Detailed Description
The following describes the embodiments of the present invention in further detail with reference to the drawings.
In practical application, the low-power consumption NB-IoT terminal designed in the invention, as shown in fig. 2, comprises a terminal processor MCU and an NB-IoT secure communication module which are connected with each other, wherein the NB-IoT secure communication module comprises an NB-IoT communication baseband chip, a secure encryption chip and a secure application SDK running on an operating system of the NB-IoT communication baseband chip.
The terminal processor MCU is connected with the NB-IoT communication baseband chip for communication, and based on NB-IoT network connection between the NB-IoT communication baseband chip and the corresponding service system master station, network connection between the terminal processor MCU and the corresponding service system master station through the NB-IoT communication baseband chip is realized.
The security encryption chip is carried with a security communication protocol and a security algorithm comprising preset encryption and decryption algorithms of various types, and the security algorithm is used for providing preset encryption and decryption security verification services for the security communication protocol; the secure communication protocol realizes session key negotiation service and bidirectional identity authentication service based on digital certificates based on preset encryption and decryption secure verification service provided by a secure algorithm.
Based on the communication connection between the NB-IoT communication baseband chip and the security encryption chip through an on-chip bus, the security application SDK calls the security algorithm and the bottom-layer interface provided by the security communication protocol, and the NB-IoT communication baseband chip calls the external interface provided by the security application SDK; in this way the NB-IoT communication baseband chip realizes bidirectional identity authentication and session key negotiation between the low-power consumption NB-IoT terminal and the corresponding service system master station, and further provides encryption and decryption for the data passing through the NB-IoT communication baseband chip.
In practical application, the preset encryption and decryption security verification service provided by the security algorithm for the security communication protocol comprises encryption and decryption service, HASH operation service, signature service, verification signature service and random number generation service; the encryption and decryption algorithms of all preset types contained in the security algorithm are SM1 national encryption algorithm, SM2 national encryption algorithm, SM3 national encryption algorithm and SM4 national encryption algorithm; and the terminal processor MCU and the NB-IoT communication baseband chip are designed to communicate through a serial port mode, and interaction is realized based on AT instructions. The AT commands include 3GPP (27.007) debug and dial-up commands, 3GPP (27.005) short message commands, network parameter configuration and communication commands, secure communication commands, and the like.
In practical application, the NB-IoT communication baseband chip invokes an external interface provided by the security application SDK when receiving or transmitting data, does not need to care about an actual security service function, only needs to concentrate on the function of a carrier originally used for data transceiving, and realizes decoupling of a security service layer and a data communication layer.
In practical application, for uplink data the designed low-power consumption NB-IoT terminal transmits data to the corresponding service system master station; as shown in fig. 3, the following steps are executed.
1) The terminal processor MCU transmits the plaintext data to an NB-IoT communication baseband chip of the NB-IoT secure communication module;
2) The NB-IoT communication baseband chip invokes an identity authentication interface of the security application SDK to perform bidirectional identity authentication between the low-power consumption NB-IoT terminal and the corresponding service system master station;
3) After the identity authentication is passed, the NB-IoT communication baseband chip invokes a key negotiation interface of the security application SDK to perform session key negotiation;
4) The NB-IoT communication baseband chip invokes a data encryption interface of the security application SDK, encrypts data by using a session key and sends the encrypted data to the service system master station.
Correspondingly, for downlink data the low-power consumption NB-IoT terminal receives data from the service system master station; as shown in fig. 4, the following steps are executed.
1) The NB-IoT communication baseband chip receives ciphertext data from a service system master station;
2) The NB-IoT communication baseband chip invokes a data decryption interface of the security application SDK to decrypt the ciphertext data into plaintext;
3) The NB-IoT communication baseband chip sends the plaintext data to the terminal processor MCU.
Compared with the prior art, in the uplink and downlink data security processing flow provided by this patent the terminal processor MCU only needs to forward or receive data and does not need to interact frequently with the security encryption chip and the communication baseband chip, so the data transmission flow is simple. The communication baseband chip only needs to transmit and receive data; the required security functions are realized by calling the security application SDK, and this mechanism reduces terminal power consumption.
Regarding session key negotiation, a secure communication mechanism based on the low-power consumption NB-IoT terminal is designed; in practical application, initialization covers the following three points.
1) The security algorithm is initialized so that the preset encryption and decryption algorithms of all types it contains are the SM1, SM2, SM3 and SM4 national cryptographic algorithms.
2) The security encryption chip is initialized to store the NB-IoT secure communication module public key cert1 based on the SM2 cryptographic algorithm, the NB-IoT secure communication module private key Skey1 and the service system master station public key cert2, while the service system master station stores its own SM2-based public key cert2, its private key Skey2 and the NB-IoT secure communication module public key cert1.
3) The security application SDK in the NB-IoT secure communication module is initialized to call the bottom-layer interface provided by the security algorithm and the security communication protocol, and the NB-IoT communication baseband chip is initialized to call the external interface provided by the security application SDK.
And then, aiming at network connection between the terminal processor MCU and the corresponding service system master station through the NB-IoT communication baseband chip, according to the following steps A to C, as shown in fig. 5, performing negotiation of session keys between the NB-IoT secure communication module and the corresponding service system master station, namely, realizing negotiation of session keys between the NB-IoT terminal and the corresponding service system master station.
Step A: the NB-IoT secure communication module generates a random number $R_1$, generates the message $SN \parallel A \parallel E_{cert2}(R_1) \parallel E_{Skey1}(H(SN \parallel A \parallel E_{cert2}(R_1)))$, sends it to the service system master station and then enters step B. Here $SN$ denotes a session timestamp, $A$ denotes the NB-IoT secure communication module identifier field, $E_{cert2}()$ denotes the encryption function applying the service system master station public key cert2, $H()$ denotes the hash function based on the SM3 cryptographic algorithm, $E_{Skey1}()$ denotes the encryption function applying the NB-IoT secure communication module private key Skey1 (realizing the data signature function), and $\parallel$ denotes concatenation.
Step B: the service system master station applies its own private key Skey2 to decrypt $E_{cert2}(R_1)$ and obtain $R_1$, and uses the NB-IoT secure communication module public key cert1 to verify $E_{Skey1}(H(SN \parallel A \parallel E_{cert2}(R_1)))$, thereby checking the correctness of the obtained $R_1$; the service system master station then generates a random number $R_2$, combines $DK = R_1 \oplus R_2$ to obtain the session key $DK$, generates the message $(SN+1) \parallel A \parallel E_{cert1}(R_2) \parallel E_{Skey2}(H((SN+1) \parallel A \parallel E_{cert1}(R_2)))$, returns it to the NB-IoT secure communication module and then enters step C. Here $E_{cert1}()$ denotes the encryption function applying the NB-IoT secure communication module public key cert1 (realizing the data encryption function), and $E_{Skey2}()$ denotes the encryption function applying the service system master station private key Skey2 (realizing the data signature function).
Step C: the NB-IoT secure communication module applies its own private key Skey1 to decrypt $E_{cert1}(R_2)$ and obtain $R_2$, uses the service system master station public key cert2 to verify $E_{Skey2}(H((SN+1) \parallel A \parallel E_{cert1}(R_2)))$, thereby checking the correctness of the obtained $R_2$, and combines $DK = R_1 \oplus R_2$, so that the NB-IoT secure communication module obtains the session key $DK$.
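The three-step exchange above, modelled end to end as an added example (not code from the patent or its assignee): both sides build and check the SN || A || E_cert(R) || E_Skey(H(...)) messages, the receiver verifies the signature and the SN/A fields before decrypting, and both derive DK = R1 ⊕ R2. Assumptions are the widths of SN, A and R and the DemoKeypair stand-in (hashlib/HMAC) used in place of the SM2/SM3 services of the security encryption chip.

```python
import hashlib
import hmac
import os
import struct

R_LEN = 16                 # assumed nonce length for R1/R2 (not fixed by the patent text)
SN_LEN, A_LEN = 4, 8       # assumed widths: SN as uint32 timestamp, A as 8-byte identifier
CT_LEN, SIG_LEN = 16 + R_LEN, 32


def H(data: bytes) -> bytes:
    """Hash service H(); SHA-256 stands in for SM3 in this demo (assumption)."""
    return hashlib.sha256(data).digest()


class DemoKeypair:
    """Stand-in for one SM2 certificate/private key pair (cert1/Skey1 or cert2/Skey2).
    DEMO ONLY: modelled as a single secret so that E_cert (encrypt) and E_Skey (sign)
    can be built from hashlib/hmac; on the terminal the security chip does real SM2."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def encrypt(self, plaintext: bytes) -> bytes:        # E_cert(x)
        assert len(plaintext) <= 32, "demo keystream only covers 32 bytes"
        nonce = os.urandom(16)
        stream = hashlib.sha256(self.secret + nonce).digest()
        return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))

    def decrypt(self, blob: bytes) -> bytes:             # inverse, with the private key
        nonce, body = blob[:16], blob[16:]
        stream = hashlib.sha256(self.secret + nonce).digest()
        return bytes(c ^ k for c, k in zip(body, stream))

    def sign(self, digest: bytes) -> bytes:              # E_Skey(H(...))
        return hmac.new(self.secret, digest, hashlib.sha256).digest()

    def verify(self, digest: bytes, sig: bytes) -> bool: # check against the cert
        return hmac.compare_digest(self.sign(digest), sig)


def build_message(sn: int, a: bytes, peer: DemoKeypair, own: DemoKeypair, r: bytes) -> bytes:
    """SN || A || E_peer(R) || E_own(H(SN || A || E_peer(R))); steps A and B share this shape."""
    head = struct.pack(">I", sn) + a + peer.encrypt(r)
    return head + own.sign(H(head))


def open_message(msg: bytes, expected_sn: int, expected_a: bytes,
                 own: DemoKeypair, peer: DemoKeypair) -> bytes:
    """Verify the signature with the peer's cert before trusting anything, then check
    SN and A, then decrypt the nonce with the own private key. Raises ValueError."""
    if len(msg) != SN_LEN + A_LEN + CT_LEN + SIG_LEN:
        raise ValueError("bad message length")
    head, sig = msg[:-SIG_LEN], msg[-SIG_LEN:]
    if not peer.verify(H(head), sig):
        raise ValueError("signature check failed")
    sn, = struct.unpack(">I", head[:SN_LEN])
    a = head[SN_LEN:SN_LEN + A_LEN]
    if sn != expected_sn or a != expected_a:
        raise ValueError("SN/identifier mismatch: stale, replayed or misdirected message")
    return own.decrypt(head[SN_LEN + A_LEN:])


def message_accepted(msg, expected_sn, expected_a, own, peer) -> bool:
    """True if open_message() would accept the message, False if it rejects it."""
    try:
        open_message(msg, expected_sn, expected_a, own, peer)
        return True
    except ValueError:
        return False


def xor_bytes(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def negotiate(sn: int, a: bytes, module: DemoKeypair, master: DemoKeypair,
              r1: bytes = None, r2: bytes = None):
    """Run steps A to C. Returns (DK at the module, DK at the master station)."""
    r1 = r1 if r1 is not None else os.urandom(R_LEN)
    r2 = r2 if r2 is not None else os.urandom(R_LEN)
    # Step A: module -> master: SN || A || E_cert2(R1) || E_Skey1(H(...))
    msg_a = build_message(sn, a, peer=master, own=module, r=r1)
    # Step B: master verifies, recovers R1, derives DK, answers with SN+1 and R2
    r1_at_master = open_message(msg_a, sn, a, own=master, peer=module)
    dk_master = xor_bytes(r1_at_master, r2)
    msg_b = build_message(sn + 1, a, peer=module, own=master, r=r2)
    # Step C: module verifies the SN+1 reply, recovers R2, derives the same DK
    r2_at_module = open_message(msg_b, sn + 1, a, own=module, peer=master)
    dk_module = xor_bytes(r1, r2_at_module)
    return dk_module, dk_master


if __name__ == "__main__":
    module, master = DemoKeypair(os.urandom(32)), DemoKeypair(os.urandom(32))
    dk1, dk2 = negotiate(sn=1700000000, a=b"MODULE01", module=module, master=master)
    print("DK agreed:", dk1 == dk2, dk1.hex())
```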
In practical application, further based on a session key between the NB-IoT terminal and a corresponding service system master station, symmetric encryption transmission is performed on transmission data by using a session key DK between an NB-IoT communication baseband chip in the NB-IoT secure communication module and the corresponding service system master station based on an SM1 national encryption algorithm or an SM4 national encryption algorithm, wherein the SM1 national encryption algorithm or the SM4 national encryption algorithm realizes symmetric encryption transmission of data based on a hardware encryption mode.
In practical implementation of the above security communication mechanism of the low-power consumption NB-IoT terminal, as shown in table 1 below, the data packet format transmitted in the session key negotiation process between the NB-IoT security communication module and the corresponding service system master station sequentially includes a frame header, a protocol type, a protocol frame version, a frame length, a message sequence number, a control field, a data object ID, a data field, a check field and a frame tail, where the data field sequentially includes a security scheme quotient number, a security encryption chip ID, a network sequence number, a key sequence number, a command code, a security data field length and a security data field, and the security data field in turn sequentially includes a random number ciphertext, a signature value and a CRC.
TABLE 1: data packet format for session key negotiation (presented as an image in the original; not reproduced here)
In the symmetric encryption transmission of transmission data based on the SM1 national encryption algorithm or the SM4 national encryption algorithm by using the session key DK between the NB-IoT communication baseband chip and the corresponding service system master station in the NB-IoT secure communication module, as shown in table 2 below, a data packet format sequentially includes a frame header, a protocol type, a protocol frame version, a frame length, a message sequence number, a control field, a data object ID, a data field, a check field, and a frame tail, where the data field sequentially includes a security scheme quotient number, a security encryption chip ID, a network sequence number, a key sequence number, a command code, a security data field length, and a security data field, and the security data field sequentially includes a message ciphertext and a CRC.
TABLE 2
[Table 2 is an image that was not extracted: packet format of the symmetric encrypted data message, with the fields listed above.]
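A builder and parser for the packet layout of Tables 1 and 2, as an added Go example that is not the patent's or the applicant's code. The patent fixes only the field order; the field widths, big-endian integers, the 0x68/0x16 header and tail bytes, and CRC-32 (IEEE) for both the outer check field and the inner CRC are assumptions made here, as are the names Frame, DataField, Encode and Decode. The security data field is kept opaque apart from its trailing CRC, because the split between random number ciphertext and signature value (Table 1) or the message ciphertext (Table 2) depends on SM2/SM4 output sizes the page does not give. The parser validates framing, frame length, the check field and the inner CRC before returning any field, so a corrupted or truncated frame is rejected rather than partially processed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)
// Added example, not the patent's own packet code. Tables 1 and 2 fix the field
// order only; the widths, the 0x68/0x16 framing bytes, big-endian integers and
// CRC-32 (IEEE) for both the check field and the inner CRC are assumptions.
const (
	frameHeader = 0x68
	frameTail   = 0x16
	fixedLen    = 12 // header, type, version, length, msg seq, control, object ID
	dataHdrLen  = 16 // vendor, chip ID, net seq, key seq, command, secure length
)

// Frame is the outer packet shared by Table 1 and Table 2.
type Frame struct {
	ProtoType, ProtoVersion, Control byte
	MsgSeq                            uint16
	DataObjectID                      uint32
	Data                              DataField
}

// DataField is the data field; SecureData is the security data field without its
// CRC: ciphertext ‖ signature for Table 1, message ciphertext for Table 2.
type DataField struct {
	SchemeVendor uint16  // security scheme vendor number
	ChipID       [8]byte // security encryption chip ID
	NetSeq       uint16  // network sequence number
	KeySeq       byte    // key sequence number
	Command      byte    // command code
	SecureData   []byte
}

// Encode serialises the frame; the frame length counts header through check field.
func (f *Frame) Encode() []byte {
	sec := binary.BigEndian.AppendUint32(append([]byte{}, f.Data.SecureData...), crc32.ChecksumIEEE(f.Data.SecureData))
	var b bytes.Buffer
	b.Write([]byte{frameHeader, f.ProtoType, f.ProtoVersion})
	binary.Write(&b, binary.BigEndian, uint16(fixedLen+dataHdrLen+len(sec)+4))
	binary.Write(&b, binary.BigEndian, f.MsgSeq)
	b.WriteByte(f.Control)
	binary.Write(&b, binary.BigEndian, f.DataObjectID)
	binary.Write(&b, binary.BigEndian, f.Data.SchemeVendor)
	b.Write(f.Data.ChipID[:])
	binary.Write(&b, binary.BigEndian, f.Data.NetSeq)
	b.Write([]byte{f.Data.KeySeq, f.Data.Command})
	binary.Write(&b, binary.BigEndian, uint16(len(sec)))
	b.Write(sec)
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(b.Bytes())) // check field
	b.WriteByte(frameTail)
	return b.Bytes()
}

// Decode validates framing, frame length, the outer check field and the inner
// CRC before returning any field, so a malformed or corrupted frame fails closed.
func Decode(p []byte) (*Frame, error) {
	if len(p) < fixedLen+dataHdrLen+4+4+1 || p[0] != frameHeader || p[len(p)-1] != frameTail {
		return nil, errors.New("bad framing or frame too short")
	}
	total := int(binary.BigEndian.Uint16(p[3:5]))
	if total != len(p)-1 {
		return nil, errors.New("frame length mismatch")
	}
	if crc32.ChecksumIEEE(p[:total-4]) != binary.BigEndian.Uint32(p[total-4:total]) {
		return nil, errors.New("check field mismatch")
	}
	f := &Frame{ProtoType: p[1], ProtoVersion: p[2], MsgSeq: binary.BigEndian.Uint16(p[5:7]),
		Control: p[7], DataObjectID: binary.BigEndian.Uint32(p[8:12])}
	d := p[fixedLen : total-4]
	f.Data.SchemeVendor = binary.BigEndian.Uint16(d[0:2])
	copy(f.Data.ChipID[:], d[2:10])
	f.Data.NetSeq = binary.BigEndian.Uint16(d[10:12])
	f.Data.KeySeq, f.Data.Command = d[12], d[13]
	sec := d[dataHdrLen:]
	if int(binary.BigEndian.Uint16(d[14:16])) != len(sec) || len(sec) < 4 {
		return nil, errors.New("security data field length mismatch")
	}
	body := sec[:len(sec)-4]
	if crc32.ChecksumIEEE(body) != binary.BigEndian.Uint32(sec[len(sec)-4:]) {
		return nil, errors.New("security data CRC mismatch")
	}
	f.Data.SecureData = body
	return f, nil
}

func main() {
	// constructed Table 1 style frame: placeholder bytes stand in for the SM2 outputs
	f := &Frame{ProtoType: 1, ProtoVersion: 1, MsgSeq: 7, Control: 0x10, DataObjectID: 0x1001,
		Data: DataField{SchemeVendor: 1, NetSeq: 3, KeySeq: 1, Command: 0x21,
			SecureData: []byte("<E_cert2(R1) ciphertext><Skey1 signature>")}}
	p := f.Encode()
	g, err := Decode(p)
	fmt.Println(len(p), err, g != nil && bytes.Equal(g.Data.SecureData, f.Data.SecureData))
}
```

Both CRCs are computed over the already-serialised bytes, so the outer check field also covers the inner CRC; when the real widths are known, only the constants and the fixed offsets in Decode need to change.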
In the communication architecture of the low-power NB-IoT terminal designed by this technical scheme, the terminal processor MCU does not need to call the security chip, so security and service functions are effectively separated; and because the NB-IoT secure communication module integrates the NB-IoT communication baseband chip with the security encryption chip, secure data transmission is ensured while security and service remain separated, and at the same time the number of circuit components and the board area are reduced, cost is lowered and deployment is simplified.
The technical scheme designs a low-power NB-IoT terminal comprising a terminal processor MCU and an NB-IoT secure communication module connected to each other, where the NB-IoT secure communication module is formed by connecting an NB-IoT communication baseband chip with a security encryption chip. Based on a security application SDK running on the operating system of the NB-IoT communication baseband chip, the baseband chip invokes the security encryption chip through the SDK to perform bidirectional identity authentication and session key negotiation between the low-power NB-IoT terminal and the master station of the corresponding service system, and further provides encryption and decryption for the data passing through the baseband chip. This terminal architecture optimises the data encryption and decryption flow, so that uplink and downlink messages do not need to be passed back and forth for security processing, which saves message processing time and effectively reduces power consumption. The security algorithm and the secure communication protocol are integrated into the security encryption chip, all security operations on data and messages are completed inside the NB-IoT secure communication module, security functions are clearly separated from business functions, and security and usability are enhanced. In addition, the secure communication mechanism designed for the low-power NB-IoT terminal simplifies the key negotiation and identity authentication flow, reduces the number of interactions, and further reduces power consumption. The overall design thus achieves low-power, secure NB-IoT communication.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the spirit of the present invention.

Claims (7)

1. A secure communication mechanism for a low power NB-IoT terminal, characterized by: the low-power consumption NB-IoT terminal comprises a terminal processor MCU and an NB-IoT secure communication module which are connected with each other, wherein the NB-IoT secure communication module comprises an NB-IoT communication baseband chip, a secure encryption chip and a secure application SDK running on an operating system of the NB-IoT communication baseband chip;
the terminal processor MCU is connected with the NB-IoT communication baseband chip for communication, and based on NB-IoT network connection between the NB-IoT communication baseband chip and the corresponding service system master station, network connection between the terminal processor MCU and the corresponding service system master station through the NB-IoT communication baseband chip is realized;
the security encryption chip is carried with a security communication protocol and a security algorithm comprising preset encryption and decryption algorithms of various types, and the security algorithm is used for providing preset encryption and decryption security verification services for the security communication protocol; the secure communication protocol realizes session key negotiation service and bidirectional identity authentication service based on digital certificates based on preset encryption and decryption secure verification service provided by a secure algorithm;
based on communication connection between the NB-IoT communication baseband chip and the security encryption chip through an on-chip bus, the security application SDK calls a security algorithm and a bottom layer interface provided by a security communication protocol, and the NB-IoT communication baseband chip calls an external interface provided by the security application SDK, the NB-IoT communication baseband chip realizes bidirectional identity authentication and session key negotiation between the low-power consumption NB-IoT terminal and a corresponding service system master station, and further the NB-IoT communication baseband chip provides encryption and decryption for data passing through the NB-IoT communication baseband chip;
the secure communication mechanism, on the basis of the following three points, performs negotiation of the session key between the NB-IoT secure communication module and the corresponding service system master station according to steps A to C below, for the network connection between the terminal processor MCU and the master station through the NB-IoT communication baseband chip, thereby realizing negotiation of the session key between the NB-IoT terminal and the master station;
1) The encryption and decryption algorithms of all types contained in the security algorithm are SM1 national encryption algorithm, SM2 national encryption algorithm, SM3 national encryption algorithm and SM4 national encryption algorithm;
2) The security encryption chip is stored with an NB-IoT security communication module public key cert1 based on an SM2 national cryptographic algorithm, an NB-IoT security communication module private key Skey1 and a service system master station public key cert2, and the service system master station is stored with a self public key cert2 based on the SM2 national cryptographic algorithm, a private key Skey2 and the NB-IoT security communication module public key cert1;
3) The security application SDK in the NB-IoT secure communication module invokes the security algorithm and the bottom-layer interface provided by the secure communication protocol, and the NB-IoT communication baseband chip invokes the external interface provided by the security application SDK;
Step A. The NB-IoT secure communication module generates a random number $R_1$, generates the message $SN \,\|\, A \,\|\, E_{cert2}(R_1) \,\|\, E_{Skey1}\big(H(SN \,\|\, A \,\|\, E_{cert2}(R_1))\big)$, sends it to the service system master station, and then proceeds to step B; where $SN$ denotes a session timestamp, $A$ denotes the NB-IoT secure communication module identifier field, $E_{cert2}(\cdot)$ denotes the encryption function applying the service system master station public key cert2, $H(\cdot)$ denotes the hash function based on the SM3 national cryptographic algorithm, $E_{Skey1}(\cdot)$ denotes the encryption function applying the NB-IoT secure communication module private key Skey1, which realizes the data signature function, and $\|$ denotes concatenation;
Step B. The service system master station applies its own private key Skey2 to decrypt $E_{cert2}(R_1)$ and obtain $R_1$, and uses the NB-IoT secure communication module public key cert1 to verify $E_{Skey1}\big(H(SN \,\|\, A \,\|\, E_{cert2}(R_1))\big)$, thereby verifying the obtained $R_1$; the master station then generates a random number $R_2$, obtains the session key as $DK = R_1 \oplus R_2$, generates the message $(SN+1) \,\|\, A \,\|\, E_{cert1}(R_2) \,\|\, E_{Skey2}\big(H((SN+1) \,\|\, A \,\|\, E_{cert1}(R_2))\big)$, returns it to the NB-IoT secure communication module, and then proceeds to step C; where $E_{cert1}(\cdot)$ denotes the encryption function applying the NB-IoT secure communication module public key cert1, which realizes the data encryption function, and $E_{Skey2}(\cdot)$ denotes the encryption function applying the service system master station private key Skey2, which realizes the data signature function;
Step C. The NB-IoT secure communication module applies its own private key Skey1 to decrypt $E_{cert1}(R_2)$ and obtain $R_2$, uses the service system master station public key cert2 to verify $E_{Skey2}\big(H((SN+1) \,\|\, A \,\|\, E_{cert1}(R_2))\big)$, thereby verifying the obtained $R_2$, and obtains the session key as $DK = R_1 \oplus R_2$.
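The three-step exchange of claim 1, written out end to end as an added Go example; this is not code from the patent or its applicant. The Go standard library has no SM2 or SM3, so RSA-OAEP stands in for SM2 public-key encryption, RSA-PSS for the SM2 signature and SHA-256 for SM3; the message layout SN ‖ A ‖ E(R) ‖ signature, the SN+1 in the reply and the derivation DK = R1 ⊕ R2 follow the claim. The names negMsg, party, seal, open and negotiate, the 16-byte random numbers and the identifier "MODULE-0001" are assumptions. One deliberate choice differs from the claim's wording, which lists decryption before signature verification: the receiver here checks the expected SN and identifier field and verifies the signature first, and only then decrypts, so an altered or replayed message is rejected before the private key is used.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)
// Added example, not the patent's code: RSA-OAEP, RSA-PSS and SHA-256 stand in
// for SM2 encryption, SM2 signing and SM3 so that steps A to C run offline.
type negMsg struct {
	SN  uint32 // session timestamp (SN in step A, SN+1 in step B)
	A   []byte // NB-IoT secure communication module identifier field
	C   []byte // random number encrypted under the receiver's public key
	Sig []byte // signature over H(SN ‖ A ‖ C) with the sender's private key
}

// party holds one side's private key and the peer's public key
// (Skey1 and cert2 on the module, Skey2 and cert1 on the master station).
type party struct {
	priv *rsa.PrivateKey
	peer *rsa.PublicKey
}

// hashSNAC computes H(SN ‖ A ‖ C); SHA-256 stands in for SM3.
func hashSNAC(sn uint32, a, c []byte) []byte {
	sum := sha256.Sum256(append(append(binary.BigEndian.AppendUint32(nil, sn), a...), c...))
	return sum[:]
}

// seal draws a fresh 16-byte random number, encrypts it for the peer and signs the hash.
func (p *party) seal(sn uint32, a []byte) (*negMsg, []byte, error) {
	r := make([]byte, 16)
	if _, err := rand.Read(r); err != nil {
		return nil, nil, err
	}
	c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.peer, r, nil)
	if err != nil {
		return nil, nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, hashSNAC(sn, a, c), nil)
	if err != nil {
		return nil, nil, err
	}
	return &negMsg{SN: sn, A: a, C: c, Sig: sig}, r, nil
}

// open checks the expected SN and identifier and verifies the signature before
// decrypting, so a forged or replayed message never reaches the private key.
func (p *party) open(m *negMsg, wantSN uint32, wantA []byte) ([]byte, error) {
	if m.SN != wantSN || !bytes.Equal(m.A, wantA) {
		return nil, fmt.Errorf("unexpected SN %d or identifier field", m.SN)
	}
	if err := rsa.VerifyPSS(p.peer, crypto.SHA256, hashSNAC(m.SN, m.A, m.C), m.Sig, nil); err != nil {
		return nil, fmt.Errorf("signature verification failed: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, m.C, nil)
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// negotiate runs steps A, B and C and returns the session key each side derived.
func negotiate(module, master *party, sn uint32, a []byte) ([]byte, []byte, error) {
	mA, r1, err := module.seal(sn, a) // step A: module -> master
	if err != nil {
		return nil, nil, err
	}
	r1Seen, err := master.open(mA, sn, a) // step B: master verifies, recovers R1
	if err != nil {
		return nil, nil, err
	}
	mB, r2, err := master.seal(sn+1, a) // step B: master -> module, SN+1
	if err != nil {
		return nil, nil, err
	}
	r2Seen, err := module.open(mB, sn+1, a) // step C: module verifies, recovers R2
	if err != nil {
		return nil, nil, err
	}
	return xorBytes(r1, r2Seen), xorBytes(r1Seen, r2), nil
}

func main() {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	module, master := &party{priv: k1, peer: &k2.PublicKey}, &party{priv: k2, peer: &k1.PublicKey}
	dk1, dk2, err := negotiate(module, master, 1700000000, []byte("MODULE-0001")) // constructed inputs
	fmt.Println("session keys match:", err == nil && bytes.Equal(dk1, dk2))
}
```

Each side contributes one random number and neither can force the other's, which is what makes DK fresh per session; the SN and SN+1 checks bind the reply to the request so a captured reply cannot be replayed against a later negotiation.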
2. The secure communication mechanism of a low power NB-IoT terminal in accordance with claim 1, wherein: based on a session key between the NB-IoT terminal and a corresponding service system master station, symmetric encryption transmission is carried out on transmission data by using a session key DK between an NB-IoT communication baseband chip in the NB-IoT secure communication module and the corresponding service system master station based on an SM1 national encryption algorithm or an SM4 national encryption algorithm, wherein the SM1 national encryption algorithm or the SM4 national encryption algorithm realizes symmetric encryption transmission of data based on a hardware encryption mode.
3. The secure communication mechanism of a low power NB-IoT terminal in accordance with claim 1, wherein: the data packet transmitted in the session key negotiation process between the NB-IoT secure communication module and the corresponding service system master station sequentially comprises a frame header, a protocol type, a protocol frame version, a frame length, a message sequence number, a control field, a data object ID, a data field, a check field and a frame tail, wherein the data field sequentially comprises a security scheme vendor number, a security encryption chip ID, a network sequence number, a key sequence number, a command code, a security data field length and a security data field, and the security data field sequentially comprises a random number ciphertext, a signature value and a CRC.
4. The secure communication mechanism of a low power NB-IoT terminal in accordance with claim 2, wherein: in the symmetric encrypted transmission of data based on the SM1 or SM4 national cryptographic algorithm using the session key DK between the NB-IoT communication baseband chip in the NB-IoT secure communication module and the corresponding service system master station, the data packet sequentially comprises a frame header, a protocol type, a protocol frame version, a frame length, a message sequence number, a control field, a data object ID, a data field, a check field and a frame tail, wherein the data field sequentially comprises a security scheme vendor number, a security encryption chip ID, a network sequence number, a key sequence number, a command code, a security data field length and a security data field, and the security data field sequentially comprises a message ciphertext and a CRC.
5. The secure communication mechanism of a low power NB-IoT terminal in accordance with claim 1, wherein: the preset encryption and decryption security verification services provided by the security algorithm to the secure communication protocol comprise an encryption and decryption service, a hash operation service, a signature service, a signature verification service and a random number generation service.
6. The secure communication mechanism of a low power NB-IoT terminal in accordance with claim 1, wherein: the encryption and decryption algorithms of all preset types contained in the security algorithm are SM1 national encryption algorithm, SM2 national encryption algorithm, SM3 national encryption algorithm and SM4 national encryption algorithm.
7. The secure communication mechanism of a low power NB-IoT terminal in accordance with claim 1, wherein: the terminal processor MCU and the NB-IoT communication baseband chip communicate through a serial port.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310085404.4A CN115802348B (en) 2023-02-09 2023-02-09 Low-power consumption NB-IoT terminal and secure communication mechanism

Publications (2)

Publication Number Publication Date
CN115802348A CN115802348A (en) 2023-03-14
CN115802348B true CN115802348B (en) 2023-05-05

Family

ID=85430582

Country Status (1)

Country Link
CN (1) CN115802348B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117220878A (en) * 2023-10-20 2023-12-12 合肥合燃华润燃气有限公司 Remote online quantum key management method and system for gas meter

Citations (1)

Publication number Priority date Publication date Assignee Title
CN113014539A (en) * 2020-11-23 2021-06-22 杭州安芯物联网安全技术有限公司 Internet of things equipment safety protection system and method

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN109038117A (en) * 2017-12-19 2018-12-18 深圳共享电源科技有限公司 A kind of intelligent charge socket based on Internet of Things
CN111817846A (en) * 2020-06-17 2020-10-23 浙江睿朗信息科技有限公司 Lightweight key negotiation communication protocol
CN112767667B (en) * 2020-12-25 2022-04-19 深圳市燃气集团股份有限公司 Safety module based on NB-IoT (NB-IoT), gas meter reading system and method

Non-Patent Citations (1)

Title
Design of a laboratory intelligent security system using NB-IoT technology; 蔡丽萍 (Cai Liping); 李汪彪 (Li Wangbiao); Journal of Ningde Normal University (Natural Science Edition) (03); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant