CN115883082A - Credible communication method and system for industrial Internet of things equipment - Google Patents


Info

Publication number: CN115883082A
Application number: CN202211549171.0A
Authority: CN (China)
Prior art keywords: server, private key, data, REE, random number
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王子鹏, 田直, 王昂哲
Current assignee: Yangtze Delta Region Institute of Tsinghua University Zhejiang
Original assignee: Yangtze Delta Region Institute of Tsinghua University Zhejiang
Priority date: 2022-12-05
Filing date: 2022-12-05
Publication date: 2023-03-31


Classifications

    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02P: Climate change mitigation technologies in the production or processing of goods
    • Y02P 90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Computer And Data Communications (AREA)

Abstract

A method and a system for trusted communication of industrial Internet of Things devices, in the technical field of the industrial Internet of Things. The invention is built on a REE/TEE system architecture, and the method comprises the following steps: step 1, the device private key is written from the REE side into the storage of the TEE side; step 2, the TEE side completes the processing of the protocol data packet and returns it to the REE side; step 3, a trusted channel is established between the REE side and the server; step 4, the REE side sends the processed protocol data packet to the server through the trusted channel. The method and system effectively guarantee the trustworthiness of the communication between the IoT device and the server, with higher generality and lower cost.

Description

Credible communication method and system for industrial Internet of things equipment
Technical Field
The invention relates to the technical field of the industrial Internet of Things, and in particular to a method and a system for trusted communication of industrial Internet of Things devices.
Background
In the field of engineering construction, as informatization has developed the state has issued relevant regulations and put forward the concept of the smart construction site. A smart construction site relies on the Internet of Things, mobile networks, BIM, big data and artificial intelligence to give the site comprehensive sensing capability: data on people, machinery and the environment are acquired accurately and in real time, then analyzed and used for prediction, which effectively supports managers' decisions and enables intelligent management. Since that analysis takes place on the server, uploading the data collected by the devices to the server safely and reliably is of great importance.
In industrial Internet of Things scenarios, the following scheme is generally adopted to ensure trusted communication between the device and the server:
1. the device private key and the server public key are burned in offline;
2. the device encrypts data with the server public key;
3. the server decrypts with the server private key, packages data with the device public key and sends it back to the client;
4. once a symmetric key has been negotiated, both parties use it for encrypted communication.
This scheme guarantees the authenticity of the device and the privacy of its traffic through the device's private key file. However, the private key is stored in the device's file system, from which the key file is easily leaked; once it is, the server can no longer verify the authenticity of the data. In addition, the device manufacturer must implement the data packaging, signing and encryption itself, so the scheme generalizes poorly.
Disclosure of Invention
The invention aims to solve the above problems in the prior art by providing a method and a system for trusted communication of industrial Internet of Things devices, which effectively guarantee the trustworthiness of communication between the IoT device and the server, with higher generality and lower cost.
The purpose of the invention is achieved by the following technical scheme:
A trusted communication method for industrial Internet of Things devices, based on a REE/TEE system architecture, comprising the following steps:
step 1, writing the device private key from the REE side into the storage of the TEE side;
step 2, the TEE side completes the processing of the protocol data packet and returns it to the REE side;
step 3, establishing a trusted channel between the REE side and a server;
step 4, the REE side sends the processed protocol data packet to the server through the trusted channel.
The invention avoids key leakage by completing the protocol data packet processing on the TEE side, so that the REE side is only responsible for receiving and transmitting data; encrypted transmission of the data is achieved by establishing a trusted channel between the REE side and the server, which avoids data leakage.
Preferably, step 1 specifically includes:
step 1.1, calling the CA (Client Application) interface on the REE side to start writing the private key;
step 1.2, after the TA (Trusted Application) on the TEE side receives the private key data, verifying the validity of the private key data;
step 1.3, writing the private key data into secure storage once the validity check has passed;
step 1.4, the TA returns the call result to the REE side.
Preferably, step 2 specifically includes:
step 2.1, the REE side calls the CA interface to start packaging the protocol packet;
step 2.2, the TA on the TEE side processes the data using its secure storage, encryption and signature services;
step 2.3, the TA returns the processed data to the REE side through the CA.
Preferably, step 3 specifically includes:
step 3.1, the REE side generates a random number A and sends it to the server together with a version number and an encryption mode;
step 3.2, after verifying that the version number and the encryption mode are supported, the server generates a random number B and sends it to the REE side together with its certificate;
step 3.3, after the REE side has verified that the certificate is valid, it encrypts the random numbers A and B with the public key in the certificate to produce a random number C and sends C to the server;
step 3.4, the server decrypts C with the private key corresponding to its certificate;
step 3.5, a session key composed of the random numbers A, B and C is generated on both the REE side and the server.
Preferably, the method further comprises, before step 1: at device production time, a trusted authentication mechanism is established between the REE side and the server using an asymmetric key pair, the private key being stored in the device and the public key on the server.
The invention also provides a system for trusted communication of industrial Internet of Things devices, based on a REE/TEE system architecture and comprising:
a private key storage module, for writing the device private key from the REE side into the storage of the TEE side;
a protocol data packet processing module, for completing the protocol data packet processing on the TEE side;
a trusted channel establishing module, for establishing a trusted channel between the REE side and the server;
a data sending module, for sending the processed protocol data packet from the REE side to the server.
Preferably, the private key storage module includes:
a storage starting unit, for calling the CA interface on the REE side and starting to write the private key;
a private key verification unit, for verifying the validity of the private key data;
a private key writing unit, for writing the private key data into secure storage after the validity check has passed;
a result feedback unit, for returning the call result to the REE side.
Preferably, the protocol data packet processing module includes:
a processing starting unit, for calling the CA interface on the REE side to start packaging the protocol packet;
a data processing unit, for processing the data through the secure storage, encryption and signature services provided by the TA;
a data feedback unit, for returning the processed data to the REE side through the CA.
Preferably, the trusted channel establishing module includes:
a random number generating unit, for generating a random number and establishing a session key with the server;
a certificate verification unit, for verifying the certificate of the server;
an encryption and decryption unit, for encrypting and decrypting data with the session key when the device exchanges data with the server.
The advantages of the invention are:
1. trusted communication between the IoT device and the server is realized on top of the general-purpose ARM TrustZone technology, giving higher generality and lower cost;
2. secure storage, data packaging, data encryption and data signing are all completed on the TEE side, and the REE side is only responsible for receiving and sending data, so that neither the keys nor the communication details can leak;
3. communication between the REE side and the server is encrypted over an established trusted channel, which avoids data leakage.
Drawings
Fig. 1 is a flowchart of the trusted communication method for industrial Internet of Things devices according to the present invention;
Fig. 2 is a schematic diagram of the architecture on which the present invention is based;
Fig. 3 is a schematic diagram of the establishment of the trusted channel according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
The invention is based on ARM TrustZone. IoT devices generally use ARM chips, and TrustZone, defined by Arm, provides a hardware design scheme that delivers chip-level protection and isolation of hardware resources; it is now widely deployed in mainstream ARM chips. A Trusted Execution Environment built on TrustZone isolates the REE (Rich Execution Environment) from the TEE (Trusted Execution Environment) within the chip: the REE cannot directly access data inside the TEE and can only use the interface services exposed by a TA (Trusted Application), which isolates private data and key algorithms. Specifically, as shown in Fig. 1, the device activation and registration, personnel information synchronization, attendance reporting and OTA upgrade services on the REE (Linux/Android) side all have to call the TA interface services of the TEE side through a CA (Client Application) program, so that the private key storage, RSA encryption/decryption and other privacy-related operations of these functions are completed on the TEE side. In other words, the REE side program takes no part in key agreement, key storage or encryption/decryption, and even if the REE side program is maliciously compromised, the keys and communication details cannot be obtained from it, which effectively reduces the system's security risk.
Specifically, as shown in Fig. 2, on this architecture the invention provides a trusted communication method for industrial Internet of Things devices, comprising the following steps:
Step 1, writing the device private key from the REE side into the storage of the TEE side, so that the private key cannot leak; the specific process is as follows:
step 1.1, calling the CA interface on the REE side to start writing the private key; the write is triggered on the REE side, and the private key data is sent to the TA program on the TEE side through the CA interface;
step 1.2, after the TA on the TEE side receives the private key data, verifying the validity of the private key data, so that private key data tampered with on the REE side is rejected and the key data is trustworthy;
step 1.3, after the validity check has passed, writing the private key data into the secure storage of the TEE side;
step 1.4, the TA returns the call result to the REE side, i.e. it notifies the REE side that the encryption service for that private key is now available.
Step 2, the TEE side completes the protocol data packet processing; the specific process is as follows:
step 2.1, the REE side calls the CA interface to start packaging the protocol packet; the data processing flow is triggered on the REE side, and the data to be processed is sent to the TA program on the TEE side through the CA interface;
step 2.2, the TA on the TEE side processes the data using its secure storage, encryption and signature services, completing the packaging of the protocol packet;
step 2.3, the TA returns the processed data to the REE side through the CA.
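To make the REE/TEE split of steps 1 and 2 concrete, here is an added example in Go, written for this page and not code from the patent or its assignee. A TrustedApp value stands in for the TA, its unexported key field for the TEE secure storage, and its two methods for the TA entry points that the REE's CA would invoke; the REE side only ever passes bytes in and gets a result back. The page does not say what the TA checks in step 1.2, so the validity check here is an assumption: the key must parse as PKCS#8 RSA, be internally consistent, be at least 2048 bits, and match a public-key fingerprint pinned into the TA at production (the public half the server was given). The packet format, RSA-PSS over a length-prefixed payload, is also assumed, as is VerifyPacket, the server-side check the page implies but does not spell out. The JSON payload in main is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// TrustedApp models the TA inside the TEE; its key field stands in for secure storage.
type TrustedApp struct {
	key        *rsa.PrivateKey
	pinnedSPKI [32]byte // SHA-256 of the public key registered at the server (assumed burned in at production)
}

// NewTrustedApp pins the registered public key so that a private key pushed in
// from the REE is accepted only if it is the matching half (the step 1.2 check).
func NewTrustedApp(registered *rsa.PublicKey) *TrustedApp {
	der, _ := x509.MarshalPKIXPublicKey(registered) // cannot fail for an *rsa.PublicKey
	return &TrustedApp{pinnedSPKI: sha256.Sum256(der)}
}

// ProvisionKey is the TA entry point behind the CA "write private key" call
// (steps 1.1-1.4): validate, commit to secure storage, report the result.
func (ta *TrustedApp) ProvisionKey(pkcs8 []byte) error {
	if ta.key != nil {
		return errors.New("private key already provisioned")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(pkcs8)
	if err != nil {
		return fmt.Errorf("malformed private key: %w", err)
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return errors.New("not an RSA private key")
	}
	if err := key.Validate(); err != nil { // primes, exponents and CRT values consistent
		return fmt.Errorf("inconsistent private key: %w", err)
	}
	if key.N.BitLen() < 2048 {
		return errors.New("private key shorter than 2048 bits")
	}
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if sha256.Sum256(der) != ta.pinnedSPKI {
		return errors.New("private key does not match the registered public key")
	}
	ta.key = key
	return nil
}

// BuildPacket is the TA entry point behind the CA "package protocol packet" call
// (steps 2.1-2.3). Assumed wire format: u32 big-endian length | payload | RSA-PSS/SHA-256 signature.
func (ta *TrustedApp) BuildPacket(payload []byte) ([]byte, error) {
	if ta.key == nil {
		return nil, errors.New("no private key provisioned")
	}
	body := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(body, uint32(len(payload)))
	body = append(body, payload...)
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, ta.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return append(body, sig...), nil
}

// VerifyPacket is the server's check with the registered public key: the payload
// is returned only if the length framing and the signature both hold.
func VerifyPacket(pub *rsa.PublicKey, pkt []byte) ([]byte, error) {
	sigLen := pub.Size()
	if len(pkt) < 4+sigLen {
		return nil, errors.New("packet too short")
	}
	n := int(binary.BigEndian.Uint32(pkt[:4]))
	if 4+n+sigLen != len(pkt) {
		return nil, errors.New("length field does not match packet size")
	}
	body, sig := pkt[:4+n], pkt[4+n:]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, err
	}
	return body[4:], nil
}

func main() {
	devKey, _ := rsa.GenerateKey(rand.Reader, 2048) // production: public half registered at the server
	pkcs8, _ := x509.MarshalPKCS8PrivateKey(devKey)
	ta := NewTrustedApp(&devKey.PublicKey)
	fmt.Println("provision:", ta.ProvisionKey(pkcs8))
	pkt, _ := ta.BuildPacket([]byte(`{"worker":"w-17","event":"check-in"}`)) // constructed sample
	fmt.Println(VerifyPacket(&devKey.PublicKey, pkt))
}
```

A real TA would run under a TEE OS such as OP-TEE against the GlobalPlatform TEE APIs rather than in Go; what carries over is the shape: the REE never holds key material, a malformed or substituted key is refused before it reaches storage, re-provisioning over a live key is refused, and the TA refuses to sign until provisioning has completed.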
Step 3, establishing a trusted channel between the REE side and the server, so that data is transmitted encrypted, data leakage is avoided and communication between the REE side and the server is trusted; the specific process is shown in Fig. 3:
step 3.1, the REE side generates a random number A and sends it to the server together with a version number and an encryption mode; the server checks whether the version number and the encryption mode are available/supported, and if so continues with the next step;
step 3.2, after verifying that the version number and the encryption mode are supported, the server generates a random number B and sends it to the REE side together with its certificate;
step 3.3, after the REE side has verified that the certificate is valid, it encrypts the random numbers A and B with the public key in the certificate to produce a random number C and sends C to the server;
step 3.4, the server decrypts C with the private key corresponding to its certificate, at which point the REE side and the server each hold the three random numbers A, B and C;
step 3.5, a session key composed of the random numbers A, B and C is generated on the REE side and on the server, and data is transmitted under that session key.
Before the trusted channel is established, and in order to prevent man-in-the-middle attacks, a trusted authentication mechanism must already exist between the device and the server. This is generally achieved by pre-provisioning an authentication key into the device at production time using an asymmetric algorithm: the private key is stored in the device and the public key on the server.
Step 4, the REE side sends the processed protocol data packet to the server through the trusted channel, encrypted with the session key.
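The step 3 handshake as an added example in Go, with both sides' messages; this is written for this page and is not code from the patent or its assignee. ServerHello is steps 3.1-3.2, KeyExchange is step 3.3 (the certificate's chain, validity period and host name are checked against roots pinned in the device, which is what "the certificate is valid" has to mean in practice), the server's OAEP decryption inside Handshake is step 3.4, and SessionKey is step 3.5. One deliberate deviation is flagged in the code: taken literally, the page makes C the encryption of A and B, but A and B cross the wire in the clear, so a session key built only from A, B and C could be recomputed by anyone who recorded the exchange; the example therefore treats C as a fresh secret chosen by the device and encrypted to the server's public key, as in the TLS 1.2 RSA key exchange this design mirrors. The HMAC-SHA256 derivation, the OAEP label, the 32-byte sizes, the host name and the NewTestPKI fixture (a self-signed certificate standing in for a real certificate authority) are all assumptions. Step 4 then wraps each processed packet under the derived key with an authenticated cipher; that part is not shown here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const protoVersion, encMode = 1, "RSA-OAEP-SHA256+HMAC-SHA256" // fields of the first message

// Steps 3.1-3.2 (server side): refuse an unsupported version or mode, else answer A with a fresh B and the certificate.
func ServerHello(cert *x509.Certificate, version int, mode string, a []byte) (b, certDER []byte, err error) {
	if version != protoVersion || mode != encMode || len(a) != 32 {
		return nil, nil, errors.New("unsupported version or encryption mode")
	}
	b = make([]byte, 32)
	rand.Read(b)
	return b, cert.Raw, nil
}

// Step 3.3 (REE side): check chain, validity period and host name against the pinned roots, then
// encrypt a fresh secret C to the certified public key. C must be secret: A and B were sent in the clear.
func KeyExchange(roots *x509.CertPool, certDER []byte, name string) (c, encC []byte, err error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, nil, err
	}
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name}); err != nil {
		return nil, nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, nil, errors.New("server certificate does not carry an RSA key")
	}
	c = make([]byte, 32)
	rand.Read(c)
	encC, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, c, []byte(encMode))
	return c, encC, err
}

// Step 3.5: session key from A, B and C. HMAC-SHA256 keyed with the secret C over
// the two public randoms is an assumed KDF; the page names none.
func SessionKey(a, b, c []byte) []byte {
	m := hmac.New(sha256.New, c)
	m.Write([]byte("iiot session key"))
	m.Write(a)
	m.Write(b)
	return m.Sum(nil)
}

// Handshake runs steps 3.1-3.5 and returns the key each side derived.
func Handshake(key *rsa.PrivateKey, cert *x509.Certificate, roots *x509.CertPool,name string) (devKey, srvKey []byte, err error) {
	a := make([]byte, 32)
	rand.Read(a)
	b, certDER, err := ServerHello(cert, protoVersion, encMode, a)
	if err != nil {
		return nil, nil, err
	}
	c, encC, err := KeyExchange(roots, certDER, name)
	if err != nil {
		return nil, nil, err
	}
	// Step 3.4: only the holder of the private key behind the certificate recovers C.
	cSrv, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, encC, []byte(encMode))
	if err != nil {
		return nil, nil, err
	}
	return SessionKey(a, b, c), SessionKey(a, b, cSrv), nil
}

// NewTestPKI is a fixture: a self-signed certificate for name, pinned as the device's only root.
func NewTestPKI(name string) (*rsa.PrivateKey, *x509.Certificate, *x509.CertPool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return key, cert, roots
}

func main() {
	key, cert, roots := NewTestPKI("iiot.example")
	fmt.Println(Handshake(key, cert, roots, "iiot.example"))
}
```

The two checks worth keeping in mind from this exchange: the device must refuse a certificate that does not chain to its pinned roots or does not name the server it meant to reach, otherwise any party with any certificate can sit in the middle; and the key material that makes the session key secret must itself travel only under the server's public key.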
The invention also provides a system for trusted communication of industrial Internet of Things devices, comprising:
a private key storage module, for writing the device private key from the REE side into the storage of the TEE side; the private key storage module specifically comprises:
a storage starting unit, for calling the CA interface on the REE side and starting to write the private key;
a private key verification unit, for verifying the validity of the private key data;
a private key writing unit, for writing the private key data into secure storage after the validity check has passed;
a result feedback unit, for returning the call result to the REE side.
A protocol data packet processing module, for completing the protocol data packet processing on the TEE side; the protocol data packet processing module specifically comprises:
a processing starting unit, for calling the CA interface on the REE side to start packaging the protocol packet;
a data processing unit, for processing the data through the secure storage, encryption and signature services provided by the TA;
a data feedback unit, for returning the processed data to the REE side through the CA.
A trusted channel establishing module, for establishing a trusted channel between the REE side and the server; the trusted channel establishing module specifically comprises:
a random number generating unit, for generating a random number and establishing a session key with the server;
a certificate verification unit, for verifying the certificate of the server;
an encryption and decryption unit, for encrypting and decrypting data with the session key when the device exchanges data with the server.
A data sending module, for sending the processed protocol data packet from the REE side to the server.
The system works as described above: the device private key is first written into the TEE side by the private key storage module, the protocol data packet processing module then performs the related data packaging, encryption and other processing on the TEE side, and finally the trusted channel establishing module sets up a trusted channel between the REE side and the server to transmit the data encrypted.
In summary, the invention writes the private key into the storage of the TEE side through the interface, so that the private key can neither be read nor written on the REE side and every operation involving it can only be completed inside the TEE secure system, thereby protecting the private key. Data exchanged between the device and the server is packaged and sent in a pre-agreed communication protocol format; to provide security, uniqueness, integrity and credibility of the data, the packaging, encryption and signing operations are all carried out in the TA program on the TEE side, and the REE side is only responsible for receiving and sending data. In addition, a trusted channel is established between the REE side and the server, so that data is transmitted encrypted and data leakage is avoided. Trusted communication between the IoT device and the server is thereby ensured.
The above description is only a preferred embodiment of the present invention, and the present invention is not limited to the above embodiment, and any changes or substitutions that can be easily made by those skilled in the art within the technical scope of the present invention should be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. A method for trusted communication of industrial Internet of Things devices, based on a REE/TEE system architecture, characterized by comprising the following steps:
step 1, writing the device private key from the REE side into the storage of the TEE side;
step 2, the TEE side completes the protocol data packet processing and returns the result to the REE side;
step 3, establishing a trusted channel between the REE side and the server;
step 4, the REE side sends the processed protocol data packet to the server through the trusted channel.
2. The method for trusted communication of industrial Internet of Things devices according to claim 1, wherein step 1 specifically comprises:
step 1.1, calling the CA interface on the REE side and starting to write the private key;
step 1.2, after the TA on the TEE side receives the private key data, verifying the validity of the private key data;
step 1.3, writing the private key data into secure storage after the validity check of the private key data has passed;
step 1.4, the TA returns the call result to the REE side.
3. The method for trusted communication of industrial Internet of Things devices according to claim 1, wherein step 2 specifically comprises:
step 2.1, the REE side calls the CA interface to start packaging the protocol packet;
step 2.2, the TA on the TEE side processes the data through secure storage, encryption and signature services;
step 2.3, the TA returns the processed data to the REE side through the CA.
4. The method for trusted communication of industrial Internet of Things devices according to claim 1, wherein step 3 specifically comprises:
step 3.1, the REE side generates a random number A and sends it to the server together with a version number and an encryption mode;
step 3.2, after verifying that the version number and the encryption mode are supported, the server generates a random number B and sends it to the REE side together with a certificate;
step 3.3, after the REE side has verified that the certificate is valid, it encrypts the random numbers A and B with the public key in the certificate to produce a random number C and sends C to the server;
step 3.4, the server decrypts C with the private key corresponding to the certificate;
step 3.5, a session key composed of the random numbers A, B and C is generated on the REE side and on the server.
5. The method for trusted communication of industrial Internet of Things devices according to claim 1, further comprising, before step 3: at device production time, a trusted authentication mechanism is established between the REE side and the server using an asymmetric key pair, the private key being stored in the device and the public key on the server.
6. A system for trusted communication of industrial Internet of Things devices, based on a REE/TEE system architecture, comprising:
a private key storage module, for writing the device private key from the REE side into the storage of the TEE side;
a protocol data packet processing module, for completing the protocol data packet processing on the TEE side;
a trusted channel establishing module, for establishing a trusted channel between the REE side and the server;
a data sending module, for sending the processed protocol data packet from the REE side to the server.
7. The system for trusted communication of industrial Internet of Things devices according to claim 6, wherein the private key storage module comprises:
a storage starting unit, for calling the CA interface on the REE side and starting to write the private key;
a private key verification unit, for verifying the validity of the private key data;
a private key writing unit, for writing the private key data into secure storage after the validity check of the private key data has passed;
a result feedback unit, for returning the call result to the REE side.
8. The system for trusted communication of industrial Internet of Things devices according to claim 6, wherein the protocol data packet processing module comprises:
a processing starting unit, for calling the CA interface on the REE side to start packaging the protocol packet;
a data processing unit, for processing the data through the secure storage, encryption and signature services provided by the TA;
a data feedback unit, for returning the processed data to the REE side through the CA.
9. The system for trusted communication of industrial Internet of Things devices according to claim 6, wherein the trusted channel establishing module comprises:
a random number generating unit, for generating a random number and establishing a session key with the server;
a certificate verification unit, for verifying the certificate of the server;
an encryption and decryption unit, for encrypting and decrypting data with the session key when the device exchanges data with the server.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202211549171.0A | 2022-12-05 | 2022-12-05 | Credible communication method and system for industrial Internet of things equipment (CN115883082A, pending)

Publications (1)

Publication Number | Publication Date
CN115883082A | 2023-03-31

Family

ID=85765866

Country Status (1)

Country | Link
CN (1) | CN115883082A (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination