CN117544951A - 5G internet of things security gateway - Google Patents

Abstract

The invention discloses a 5G internet of things security gateway, which comprises: the system comprises a main control processor, a USB module, a WiFi module, an Ethernet module, a serial port control module, a 4G network module, an LED configuration screen and a safety module; the main control processor is used for controlling the USB module, the WiFi module, the Ethernet module and the serial port control module, performing data interaction with the 4G network module and the security module through the USB module, and performing data interaction with the LED configuration screen through the serial port control module; the Ethernet module is used for sending the data to the server; the LED configuration screen is used for displaying data; the 4G network module is used for 4G communication; the security module is used for carrying out password management, data encryption and decryption and digital signature and authentication. The invention adopts domestic cryptographic algorithm, designs a peripheral interface circuit aiming at the main control processor, is convenient for the access and debugging of equipment, has the functions of network interconnection, protocol conversion and the like of a conventional gateway, and can also realize the security functions of gateway key negotiation, identity authentication, encryption transmission and the like.

Description

5G internet of things security gateway

Technical Field

The invention relates to the technical field of encryption communication transmission, in particular to a 5G internet of things security gateway.

Background

As a bridge between a private network and a public network, the IPSec VPN security gateway not only needs to connect two subnets to realize the function of cross-network operation, but also needs to establish a security tunnel on the public network to resist a plurality of attacks and provide a safe and reliable communication environment. Security threats such as communication channel attacks, denial of service attacks, node capture, impersonation attacks, routing protocol attacks and the like are often faced in the communication process.

The CA system fully follows the relevant national standard, adopts the domestic standard algorithm system, and accords with the relevant safety identity authentication interface specification and algorithm standard issued by the national code administration. The CA system is realized by adopting an object-oriented system design scheme and a method, system software is integrally designed and developed, a bottom-layer password card algorithm interface is packaged by a password algorithm engine, the support of different algorithms can be realized by simple configuration, and the support of different unified identity authentication application scenes is met. The interface used by the design conforms to the related specification formulated by the national password administration, provides an open interface, can provide security authentication service for different applications, meets various requirements of different users, and is conveniently combined with the existing application system. The cryptographic algorithm related by the invention uses domestic cryptographic algorithm, uses domestic hardware module and chip, designs and realizes all hardware part and software application development part independently, removes irrelevant module and service program, and ensures operation efficiency, stability and reliability when VPN communication.

Disclosure of Invention

The technical problem to be solved by the invention is to provide the 5G internet of things security gateway which can meet the security requirements of the national security IPSec VPN security gateway in the following 6 aspects:

(1) Confidentiality: the message is only visible to both parties of the communication.

(2) Availability of: and ensuring that the data is truly available.

(3) Non-repudiation: the source of the message can be verified and the sender cannot repudiate.

(4) Robust character: under the network environment with uncertain network, the gateway can adapt to the working environment and can be ensured to work stably.

(5) Integrity: ensuring that the information has not been tampered with.

(6) Freshness: the message is not retransmitted.

In view of this, the present invention provides a 5G internet of things security gateway, which meets the above six security requirements, and requires that the IPSec VPN security gateway not only has the conventional functions of network interconnection, protocol conversion, network management, etc. of the conventional gateway, but also requires that the gateway has the functions of key negotiation, identity authentication, encrypted transmission, integrity verification, etc.

In order to solve the technical problems, an embodiment of the present invention discloses a 5G internet of things security gateway, including: the system comprises a main control processor, a USB module, a WiFi module, an Ethernet module, a serial port control module, a 4G network module, an LED configuration screen and a safety module;

The main control processor is in data connection with the USB module, the WiFi module, the Ethernet module and the serial port control module;

the USB module is in data connection with the 4G network module and the security module;

the serial port control module is in data connection with the LED configuration screen;

the main control processor is used for controlling the USB module, the WiFi module, the Ethernet module and the serial port control module;

the main control processor performs data interaction with the 4G network module and the security module through a USB module;

the main control processor interacts with the LED configuration screen data through a serial port control module;

the Ethernet module is used for sending data to the server;

the LED configuration screen is used for displaying data;

the 4G network module is used for 4G communication;

the security module is used for providing a calling instruction of the password service and carrying out password management, data encryption and decryption, digital signature and authentication.

As an optional implementation manner, in an embodiment of the present invention, the security module includes a data interface, a communication protocol interface, an encryption card, and a memory, and integrates a cryptographic algorithm;

the cryptographic algorithm comprises hard algorithms of SM4, SM3 and SM 2;

The data interface is used for exchanging data with the outside;

the memory is used for storing certificates;

the communication protocol interface comprises an SM2 key pair generation communication protocol interface, a certificate reading and writing communication protocol interface and a password verification communication protocol interface;

the security module presets a communication mechanism and a communication protocol for the encryption card;

and the external terminal calls the cryptographic algorithm to encrypt and decrypt or read and write the certificate according to the communication protocol.

In an optional implementation manner, in an embodiment of the present invention, the external terminal invokes the cryptographic algorithm to encrypt and decrypt according to the communication protocol, including:

s1, checking and signing a CA certificate; the verification signature CA certificate comprises the steps of reading the CA certificate from the encryption card, extracting a CA public key and writing the CA public key into the encryption card;

s2, loading an SM2 signature mode;

s3, loading a public and private key pair, and verifying the legitimacy of the public and private key pair by using a curve verification method;

s4, verifying the client certificate and the server certificate to obtain a verification result; when the signature verification result is successful, starting the IPSec VPN, executing S5, and when the signature verification result is failed, stopping starting the IPSec VPN;

s5, the server and the client carry out algorithm negotiation and key material exchange, a private tunnel is established, communication is carried out according to an encapsulation security load protocol ESP, and encryption and decryption are achieved.

As an optional implementation manner, in the embodiment of the present invention, the server and the client perform algorithm negotiation and key material exchange, establish a private tunnel, perform communication according to an encapsulation security payload protocol ESP, and implement encryption and decryption, including:

s51, the server enters a monitoring state, monitors a connection application of a client, and sends an IKE_SA_INIT request message to the server;

the request message includes a security association payload and a key exchange material;

s52, after receiving the request message of the client IKE_SA_INIT, the server analyzes the request message and sends out an IKE_SA_INIT response message; the response message comprises a certificate application CERTREQ;

s53, the client receives the response message and negotiates with the server to obtain a negotiation result;

the negotiation result comprises that a symmetric algorithm uses SM4 and a hash algorithm uses SM3;

s54, the client encrypts the data load by using the negotiated symmetric algorithm and the negotiated secret key, and sends out an IKE_AUTH request load;

s55, the server receives the IKE_AUTH request load, and decrypts the encrypted load according to the negotiated algorithm and key;

s56, the server generates and transmits an IKE_AUTH response load, and encrypts all data except the ISAKMP protocol by using an SM4 algorithm according to the negotiated key material;

S57, the client receives the IKE_AUTH response load, decrypts the secret state load by using SM4 according to the negotiated algorithm and key material, and signs a server side certificate by using the CA public key; after the server certificate passes the verification, extracting a public key from the server certificate, calling SM2, and verifying AUTH load by using the server public key;

and S58, after the negotiation is completed, the client and the server establish a private tunnel, and communicate according to the encapsulation security load protocol ESP to realize encryption and decryption.

As an optional implementation manner, in an embodiment of the present invention, the communication protocol includes:

a packet protocol header HDR; the data packet protocol header HDR is an ISAKMP protocol header;

security association loads SAi1 and SAr1 for providing suggestions for encryption algorithms;

key exchange payloads KEi and Ker for generating various key materials for IKE and IPSec security associations;

nonce payloads Ni and Nr for generating a key;

notify-1, configured to Notify an initiator network of NAT detection conditions;

notify-2, for informing the NAT detection condition of the responding party;

notify-3, which is used for the initiator to inform the responder of the hash algorithm supported by the initiator;

the certificate request CERTREQ is obtained by hashing the CA public key using the SM3 algorithm;

Encrypting by using an SM4 algorithm;

initiator and responder IDs remain unchanged;

certificates i_cert_sm2 and r_cert_sm2 of clients and servers issued based on SM2-SM 3;

the service selectors TSi and TSr of the initiator and the responder, the TSi containing the initiator port range and the local area network address range, and the TSr containing the responder port range and the local area network address range.

In an optional implementation manner, in the embodiment of the present invention, the method for calculating the negotiated key is:

the data material required for the key exchange method is obtained from the IKE SA INIT exchange,

processing the data material by using a key exchange method to obtain a key seed;

and processing the key seeds to obtain the negotiated key.

As an optional implementation manner, in the embodiment of the present invention, the key exchange method is:

SKEYSEED＝PRF(Ni|Nr，g ^ir )

wherein Ni and Nr are random numbers generated by an initiator and a responder respectively, ni is a first message from IKE_SA_INIT, nr is a second message from IKE_SA_INIT, SKEYSEED is a key seed, PRF is a password generation method, g ^ir Representing the initiator and the responder.

As an optional implementation manner, in an embodiment of the present invention, the security association payload includes first layer data, second layer data, and third layer data;

The first layer data comprises a security association load head and security association load data;

the second layer data includes data for advice header and advice;

the third layer data includes a first transform load, a second transform load, a third transform load, and a fourth transform load.

As an optional implementation manner, in the embodiment of the present invention, the method further includes redesigning the digital certificate based on the SM2 and SM3 algorithms according to the x.509 certificate specification, so as to obtain a new digital certificate;

the new digital certificate is issued in the form of an encryption card, is bound with the encryption card, and is written into a secret storage area of the encryption card.

As an optional implementation manner, in the embodiment of the present invention, the 5G internet of things security gateway further includes a peripheral interface circuit and a radio frequency transceiver;

the user terminal is connected with the gateway through a LAN interface or WiFi in the peripheral interface circuit;

the radio frequency transceiver is used for receiving data sent by the user terminal through a WiFi protocol and sending the data to the LAN interface;

the LAN interface processes the received data to obtain preprocessed data;

decrypting the preprocessed data by using a preset encryption algorithm to obtain decrypted data;

And storing the decrypted data or transmitting the decrypted data to a server by using an Ethernet interface.

Compared with the prior art, the embodiment of the invention has the following beneficial effects:

the method has the functions of user access authentication, high-speed node access authentication, seamless safety switching and the like. Supporting mutual authentication and key negotiation between a user and an Internet of things network; supporting two-way authentication when the high-speed mobile node is accessed to the Internet of things network; the designed access authentication protocol family can resist replay, deception, falsification, counterfeiting and other attacks; all authentication protocol families are designed autonomously, and are realized by adopting a domestic cryptographic algorithm, so that the domestic requirements of core software such as an operating system, a database and the like are met.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a structural block diagram of a security gateway of a 5G internet of things, which is disclosed in the embodiment of the present invention;

Fig. 2 is a schematic overall block diagram of a security gateway architecture of a 5G internet of things, which is disclosed in the embodiment of the present invention;

FIG. 3 is a schematic block diagram of an IPSec VPN protocol workflow disclosed by an embodiment of the invention;

FIG. 4 is a schematic block diagram of an IKEv2 protocol design as disclosed in an embodiment of the present invention;

FIG. 5 is a schematic block diagram of an SA packet according to an embodiment of the disclosure;

FIG. 6 is a schematic block diagram of KE payload data analysis disclosed by an embodiment of the invention;

FIG. 7 is a schematic block diagram of a Notify-3 payload data design disclosed in an embodiment of the present invention;

fig. 8 is a schematic block diagram of a national private VPN architecture disclosed in an embodiment of the present invention;

FIG. 9 is a schematic block diagram of a cryptographic security module disclosed in an embodiment of this invention;

FIG. 10 is a schematic block diagram of a cryptographic security module PBC board disclosed in an embodiment of the present invention;

fig. 11 is a schematic block diagram of a security module circuit board disclosed in an embodiment of the invention.

Detailed Description

In order to make the present invention better understood by those skilled in the art, the following description will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

The terms first, second and the like in the description and in the claims and in the above-described figures are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, article, or device that comprises a list of steps or elements is not limited to the list of steps or elements but may, in the alternative, include other steps or elements not expressly listed or inherent to such process, method, article, or device.

Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.

The invention discloses a 5G internet of things security gateway, which comprises: the system comprises a main control processor, a USB module, a WiFi module, an Ethernet module, a serial port control module, a 4G network module, an LED configuration screen and a safety module; the main control processor is used for controlling the USB module, the WiFi module, the Ethernet module and the serial port control module, performing data interaction with the 4G network module and the security module through the USB module, and performing data interaction with the LED configuration screen through the serial port control module; the Ethernet module is used for sending the data to the server; the LED configuration screen is used for displaying data; the 4G network module is used for 4G communication; the security module is used for carrying out password management, data encryption and decryption and digital signature and authentication. The invention adopts domestic cryptographic algorithm, designs a peripheral interface circuit aiming at the main control processor, is convenient for the access and debugging of equipment, has the functions of network interconnection, protocol conversion and the like of a conventional gateway, and can also realize the security functions of gateway key negotiation, identity authentication, encryption transmission and the like. The following will describe in detail.

Example 1

Referring to fig. 1, fig. 1 is a structural block diagram of a security gateway of a 5G internet of things according to an embodiment of the present invention. The 5G internet of things security gateway described in fig. 1 is oriented to military material management, is used for encrypting communication transmission, meets various requirements of different users, and the like, and the embodiment of the invention is not limited. As shown in fig. 1, the 5G internet of things security gateway may include a main control processor, a USB module, a WiFi module, an ethernet module, a serial control module, a 4G network module, an LED configuration screen, and a security module;

the main control processor is in data connection with the USB module, the WiFi module, the Ethernet module and the serial port control module;

the USB module is in data connection with the 4G network module and the security module;

the serial port control module is in data connection with the LED configuration screen;

the main control processor is used for controlling the USB module, the WiFi module, the Ethernet module and the serial port control module;

the main control processor performs data interaction with the 4G network module and the security module through a USB module;

the main control processor interacts with the LED configuration screen data through a serial port control module;

the Ethernet module is used for sending data to the server;

The LED configuration screen is used for displaying data;

the 4G network module is used for 4G communication;

the security module is used for providing a calling instruction of the password service and carrying out password management, data encryption and decryption, digital signature and authentication.

Optionally, the security module includes a data interface, a communication protocol interface, an encryption card and a memory, and integrates a cryptographic algorithm;

the cryptographic algorithm comprises hard algorithms of SM4, SM3 and SM 2;

the national cipher is the national cipher algorithm identified by the national cipher bureau. Mainly SM1, SM2, SM3, SM4. The SM1 algorithm is not disclosed at present and can only be integrated in a chip. The SM2, SM3 and SM4 algorithms are currently more widely used.

One of the SM2 public key encryption algorithm french public key encryption standards was promulgated by the national institutes of ciphers at 12 in 2010.

SM2 belongs to an asymmetric encryption algorithm, uses public key encryption and private key decryption, and is superior to RSA algorithm in terms of security and operation speed.

SM2 public key encryption is applicable to encrypting data of shorter length, such as session keys and message messages. SM2 public key encryption not only encrypts data, but also provides tamper-proof properties, i.e. tampered or fake ciphertext can be checked and found during decryption, so that messages encrypted by SM2 public key do not require an extra verification mechanism. The length of the message after being encrypted by the SM2 public key is increased by less than 100 bytes, and the encryptor needs to pay attention to the buffer when preparing the buffer.

SM3 belongs to an irreversible encryption algorithm, similar to md5, commonly used for signing.

The SM4 belongs to a symmetric encryption algorithm, can be used for replacing international algorithms such as DES/AES and the like, and has the same key length and packet length as the AES algorithm, and is 128 bits.

The data interface is used for exchanging data with the outside;

the memory is used for storing certificates;

the communication protocol interface comprises an SM2 key pair generation communication protocol interface, a certificate reading and writing communication protocol interface and a password verification communication protocol interface;

the security module presets a communication mechanism and a communication protocol for the encryption card;

and the external terminal calls the cryptographic algorithm to encrypt and decrypt or read and write the certificate according to the communication protocol.

Optionally, the external terminal invokes the cryptographic algorithm to encrypt and decrypt according to the communication protocol, including:

s1, checking and signing a CA certificate; the verification signature CA certificate comprises the steps of reading the CA certificate from the encryption card, extracting a CA public key and writing the CA public key into the encryption card;

s2, loading an SM2 signature mode;

s3, loading a public and private key pair, and verifying the legitimacy of the public and private key pair by using a curve verification method;

s4, verifying the client certificate and the server certificate to obtain a verification result; when the signature verification result is successful, starting the IPSec VPN, executing S5, and when the signature verification result is failed, stopping starting the IPSec VPN;

S5, the server and the client carry out algorithm negotiation and key material exchange, a private tunnel is established, communication is carried out according to an encapsulation security load protocol ESP, and encryption and decryption are achieved.

Optionally, the server and the client perform algorithm negotiation and key material exchange, establish a private tunnel, communicate according to an encapsulation security payload protocol ESP, and implement encryption and decryption, including:

s51, the server enters a monitoring state, monitors a connection application of a client, and sends an IKE_SA_INIT request message to the server;

the request message includes a security association payload and a key exchange material;

s52, after receiving the request message of the client IKE_SA_INIT, the server analyzes the request message and sends out an IKE_SA_INIT response message; the response message comprises a certificate application CERTREQ;

s53, the client receives the response message and negotiates with the server to obtain a negotiation result;

the negotiation result comprises that a symmetric algorithm uses SM4 and a hash algorithm uses SM3;

s54, the client encrypts the data load by using the negotiated symmetric algorithm and the negotiated secret key, and sends out an IKE_AUTH request load;

s55, the server receives the IKE_AUTH request load, and decrypts the encrypted load according to the negotiated algorithm and key;

S56, the server generates and transmits an IKE_AUTH response load, and encrypts all data except the ISAKMP protocol by using an SM4 algorithm according to the negotiated key material;

s57, the client receives the IKE_AUTH response load, decrypts the secret state load by using SM4 according to the negotiated algorithm and key material, and signs a server side certificate by using the CA public key; after the server certificate passes the verification, extracting a public key from the server certificate, calling SM2, and verifying AUTH load by using the server public key;

and S58, after the negotiation is completed, the client and the server establish a private tunnel, and communicate according to the encapsulation security load protocol ESP to realize encryption and decryption.

Optionally, the communication protocol includes:

a packet protocol header HDR; the data packet protocol header HDR is an ISAKMP protocol header;

security association loads SAi1 and SAr1 for providing suggestions for encryption algorithms;

the suggestions for providing encryption algorithms, i.e. which encryption algorithm is selected, including hard algorithms of SM4, SM3 and SM2, etc., are not limited by the present invention.

Key exchange payloads KEi and Ker for generating various key materials for IKE and IPSec security associations;

nonce payloads Ni and Nr for generating a key;

Notify-1, configured to Notify an initiator network of NAT detection conditions;

notify-2, for informing the NAT detection condition of the responding party;

notify-3, which is used for the initiator to inform the responder of the hash algorithm supported by the initiator;

the certificate request CERTREQ is obtained by hashing the CA public key using the SM3 algorithm;

encrypting by using an SM4 algorithm;

initiator and responder IDs remain unchanged;

certificates i_cert_sm2 and r_cert_sm2 of clients and servers issued based on SM2-SM 3;

the service selectors TSi and TSr of the initiator and the responder, the TSi containing the initiator port range and the local area network address range, and the TSr containing the responder port range and the local area network address range.

Optionally, the method for calculating the negotiated key includes:

the data material required for the key exchange method is obtained from the IKE SA INIT exchange,

processing the data material by using a key exchange method to obtain a key seed;

and processing the key seeds to obtain the negotiated key.

Optionally, the key exchange method comprises the following steps:

SKEYSEED＝PRF(Ni|Nr，g ^ir )

wherein Ni and Nr are random numbers generated by an initiator and a responder respectively, ni is a first message from IKE_SA_INIT, nr is a second message from IKE_SA_INIT, SKEYSEED is a key seed, PRF is a password generation method, g ^ir Representing the initiator and the responder.

Optionally, the security association payload includes first layer data, second layer data, and third layer data;

the first layer data comprises a security association load head and security association load data;

the second layer data includes data for advice header and advice;

the third layer data includes a first transform load, a second transform load, a third transform load, and a fourth transform load.

Optionally, the method further includes redesigning the digital certificate based on the SM2 and SM3 algorithms according to the x.509 certificate specification to obtain a new digital certificate;

the new digital certificate is issued in the form of an encryption card, is bound with the encryption card, and is written into a secret storage area of the encryption card.

Optionally, the 5G internet of things security gateway further includes a peripheral interface circuit, a radio frequency transceiver;

the user terminal is connected with the gateway through a LAN interface or WiFi in the peripheral interface circuit;

the radio frequency transceiver is used for receiving data sent by the user terminal through a WiFi protocol and sending the data to the LAN interface;

the LAN interface processes the received data to obtain preprocessed data;

Decrypting the preprocessed data by using a preset encryption algorithm to obtain decrypted data;

and storing the decrypted data or transmitting the decrypted data to a server by using an Ethernet interface.

Example two

Referring to fig. 2, fig. 2 is a schematic overall block diagram of a security gateway architecture of a 5G internet of things according to an embodiment of the present invention. The 5G internet of things security gateway described in fig. 2 is oriented to military material management, is used for encrypting communication transmission, meets various requirements of different users, and the like, and the embodiment of the invention is not limited. As shown in fig. 2, the method includes the following functions:

a) The user terminal can be connected with the gateway through four LAN ports, and also can be connected with the gateway through WiFi. The user terminal may be a computer PC or a video phone terminal, or may be a router of a next stage. If the gateway is used as a server, the user terminal is a SIP, FTP server or KMC.

B) WiFi RF Tranceiver the data sent by the user terminal through the WiFi protocol are respectively sent to the multi-protocol proxy part, the middle is subjected to simple data processing through the LAN interface, and after decryption through an encryption algorithm negotiated with the terminal (IPSec VPN server or client), the data is stored in a storage area for later use or is directly sent to the server through the Ethernet interface according to requirements.

C) Conventional routing functions. Besides the authentication data secret state transmission function, the security gateway of the internet of things keeps all functions and all operations of the traditional router.

D) The SSX0912 security chip provides encryption, decryption and authentication algorithms, the chip provides a data interface, and the outside can control the data exchange with the security chip according to a protocol. The SSX0912 encryption chip integrates the hard algorithms of SM4, SM3 and SM2 and provides a secret storage space for certificate storage, defines a communication mechanism for the encryption card, formulates a communication protocol, provides a calling interface for the outside through the protocol, and can call the encryption algorithm of the SSX0912 encryption card or read and write the certificate only according to the communication protocol by an external terminal. In addition to the communication protocols, there are communication protocol interfaces that generate SM2 key pairs, read and write certificates, verify passwords, etc. The user calling authority is set through the verification password interface so as to ensure the safety of certificate storage. The algorithm is encapsulated into a function interface for StrongSwan calls according to the communication protocol. When the function interface is packaged, the function interface accords with Bulk-Only transmission protocol.

Fig. 3 is a schematic block diagram of an IPSec VPN protocol workflow disclosed in an embodiment of the present invention, where encryption and decryption include the following steps:

S1, checking and signing the CA certificate. The working process is divided into three steps, firstly, a CA certificate is read from an encryption card, a CA public key is extracted, and the CA public key is written into the encryption card.

S2, loading configuration of a signature mode, wherein the configuration is fixed as SM2 signature verification.

And S3, loading a public and private key pair, and performing curve verification to verify the legitimacy of the public and private key pair.

S4, verifying and signing the certificate of the client, wherein the client certificate is the server certificate. The method comprises the steps of firstly reading a certificate by an encryption card, calling an SM2 algorithm, and verifying the certificate by using a CA public key, wherein if verification fails, the IPSecVPN stops starting.

S5, after finishing the preparation work, the server enters a monitoring state and monitors the connection application of the client; the client sends a first request message of ike_sa_init to the server.

S6, the client sends an IKE_SA_INIT request to the server, wherein the request message comprises a security association load and a key exchange material.

And S7, after receiving the IKE_SA_INIT request of the client, the server analyzes the data load and gives an IKE_SA_INIT response, wherein the response comprises a certificate application CERTREQ.

And S8, the client receives the response message. Both parties have now completed the algorithm negotiation and the exchange of the key material, and both the server and the client can then calculate the key material. The symmetric algorithm is negotiated to use SM4 and the hash algorithm uses SM3.

And S9, the client encrypts the data load by using the negotiated symmetric algorithm and the secret key.

And S10, the server receives the IKE_AUTH request load and decrypts the encrypted load according to the negotiated algorithm and key material.

S11, the server generates and transmits an IKE_AUTH response, wherein the response comprises an AUTH load signed by a private key of the server, a server certificate and the like; all data except the ISAKMP protocol are encrypted with the SM4 algorithm according to the negotiated key material, and then the request message is transmitted to the server.

S12, receiving the IKE_AUTH response load, and decrypting the secret state load by using SM4 according to the negotiated algorithm and key material; signing the server-side certificate by using the CA public key; after the server certificate passes the verification, a public key is extracted from the server certificate, SM2 is called, and the server public key is used for verifying AUTH load.

And S13, after the negotiation is completed, the two parties establish a private tunnel and communicate according to an encapsulation security load protocol ESP.

Fig. 4 is a schematic block diagram of an IKEv2 protocol design disclosed in an embodiment of the present invention, where the encryption and decryption are implemented by negotiation based on the IKEv2 protocol. The IKEv2 negotiation process is communicated through the ISAKMP protocol framework structure, and the ISAKMP framework is still used for data packets during the data packet redesign process. FIG. 5 is a schematic block diagram of an SA packet according to an embodiment of the disclosure; FIG. 6 is a schematic block diagram of KE payload data analysis disclosed by an embodiment of the invention; FIG. 7 is a schematic block diagram of a Notify-3 payload data design disclosed in an embodiment of the present invention; the IKEv2 protocol design comprises the following procedures:

S1, a data packet protocol header HDR is an ISAKMP protocol header, and the protocol header is a universal payload header of an ISAKMP payload packet.

S2, security association SAi1 and SAr1, wherein the security association load comprises a plurality of suggestions (proposal), and the suggestions of the algorithm are provided.

The SA payload may be divided into three layers of data, with the data for each layer being as follows.

(1) The first layer, the SA payload header and the SA payload data, the SA payload data is a proposal (proposal), and the proposal is the second layer data.

(2) The second layer, proposal, contains a proposal header and proposal data, which is four transformations.

(3) Four transform payloads, four algorithm suggestions were made, including suggesting that the encryption algorithm use SM4, the integrity protection algorithm use SM3, the pseudo-random number generation algorithm use HMAC-SM3 (a.), the Diffie-Hellman Group still uses 2048bit MODP groups.

And S3, key exchange loads KEi and Ker, wherein the key exchange loads are public values of Diffie-Hellman exchange, and various key materials are generated for IKE and IPSec security association. G of initiator ⁱ The corresponding formula is g ^r 。

And S4, ni and Nr are Nonce loads, and random numbers generated by an initiator or a responder are used for generating keys. The random number generator is modified with the HMAC-SM3 (..) algorithm.

S5, notifying the NAT DETECTION condition of the network of the initiator by using the Notify-1 as the Notify-NAT_detection_SOURCE_IP; notify-

And 2 is Notification-NAT_detection_destination_IP to inform the response party of NAT DETECTION. Notify-3 is Notify-SIGNATURE_HASH_ALGORITHNS, and the initiator informs the responder of the HASH algorithm supported by itself.

S6, CERTREQ is a certificate request, data is obtained by hashing the CA public key, and the SM3 algorithm is used for hashing the CA public key.

S7: SK {..} is changed to sk_sm4 {..}, SK {..} stands for symmetric encryption, instead using the SM4 algorithm.

S8 IDi and IDr are initiator and responder IDs, which remain unchanged.

S9. i_cert_sm2 and r_cert_sm2 are certificates of clients and servers issued based on SM2-SM 3. The public key information of the certificate comes from the encryption card, and the client or the server gateway is used by binding with the encryption card.

S10:AUTH＝SM2-SM3(octets)

octets＝message+nonce+prf(Sk_p，IDx')

The authi value is used in the third message if the initiator, octts=first message+nr+prf (sk_p, IDi') in the second message. IDi' is IDi with fixed header removed.

The authr value is used in the fourth message if it is the responder, octets=second message+ni+prf (sk_p, IDr') in the first message. IDr' is IDr load of the responder with the fixed head removed.

SAi2 and SAr2, comprising a proposal, which is the algorithm used in the ESP packet process. The proposal format is the same as the proposal in the first message, and in the third message, the initiator proposes to use AES for data encryption during ESP encapsulation and hmac_sha_256 for integrity checking. Instead, it is suggested that in ESP communication, the symmetric algorithm uses SM4 and the hash algorithm uses hmac_sm3.

And S12, TSi and TSr are service selectors of the initiator and the responder respectively, wherein the TSi comprises an initiator port range and a local area network address range, and the TSr comprises a responder port range and a local area network address range and is unchanged.

Preferably, the PRF algorithm is a hash algorithm, and the cryptographic material generation process prf+ is as follows:

PRF+(K,S)＝T1|T2|T3|T4…

wherein,

T1＝PRF(K,S|0x01)；

T2＝PRF(K,T1|S|0x02)；

T3＝PRF(K,T2|S|0x03)；

T4＝PRF(K,T3|S|0x04)；

preferably, the shared key of the ike_sa is calculated by:

first, the data material required by the DH algorithm is obtained from the IKE_SA_INIT exchange, and the key seed can be calculated by using the DH algorithm and the PRF algorithm. The key seed is then used to expand out other required key material. The algorithm for generating skeysed is as follows, skeysed=prf (ni|nr, g ^ir ) Ni, nr are random numbers generated by the initiator and the responder, respectively, ni is from a first message of ike_sa_init, and Nr is from a second message of ike_sa_init. Seven keys sk_d, sk_ai, sk_ar, sk_ei, sk_er, sk_pr and sk_pr need to be calculated after the ike_sa_init second message.

Preferably, according to the x.509 certificate specification, the digital certificate is redesigned based on the SM2-SM3 algorithm, the certificate is issued in the form of an encryption card, the certificate is bound with the encryption card once generated, the certificate is written into a secret storage area of the encryption card, a password authentication mechanism is additionally arranged, and the certificate authority is divided into two stages, including a reading authority and a modifying authority. The user only has read rights, and the CA center has read and modify rights.

(1) Version number: the certificate version uses version 2, represented by one byte 0x 02.

(2) Certificate serial number: number of 8 bytes, can distinguish each certificate.

(3) Signature algorithm ID: represented by string 06 08 2a 86 48ce 3d 04 03 02, which is originally an ECDSA algorithm ID, is defined herein as the ID of SM2-SM 3.

(4) Issuer name: the issuer of each certificate is CA, so each certificate in this field is identical, c=ch, o=gmswan, cn=ca, "CH", "GMSwan" and "CA" here are encoded according to ASCII code rules.

(5) Expiration date: the validity period is the date of start and stop.

(6) Body name: the CA certificate body is itself, so the name is c=ch, o=gmswan, cn=ca Server certificate is designed as c=ch, o=gmswan, cn=server, client is designed as c=ch, o=gmswan, cn=client_x (x takes the values 1,2,3 …).

(7) Main body public key: the main public key is from the USB encryption card, the encryption card can generate a public-private key pair, and once generated, the certificate, the public-private key and the encryption card are bound together. After the public-private key pair of the encryption card is updated, the public key is read from the encryption card at the time of issuing the certificate, and then the certificate is issued.

(8) Issuer unique identifier: from a certain fragment in the issuer name, i.e. cn=ca.

(9) Body unique identifier: the center of CA is cn=ca, the Server is designed as cn=server, and the Client is cn=client_x.

(10) Extension field: the length is 66 bytes, and the function is used as a function extension.

(11) Certificate algorithm signature identification: with the signature algorithm ID.

(12) Signature of issuer: the CA center invokes the SM2 algorithm to sign the certificate body tbs certificate, including version, serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, issuerUniqueID, subjectUniqueID, extensions, using the CA private key ca_pri_key.

Fig. 8 is a schematic block diagram of a public-private VPN architecture according to an embodiment of the present invention, where parallel multipath hardware is used, including: the system comprises a 4G network module, an LED configuration screen, a password security module and a main control processor. The main controller is connected with the 4G network module and the safety module through the USB, interaction with the LED configuration screen is realized through the serial port, and in addition, a peripheral interface circuit is designed for the main controller, so that the access and the debugging of equipment are facilitated.

FIG. 9 is a schematic block diagram of a cryptographic security module disclosed in an embodiment of this invention; FIG. 10 is a schematic block diagram of a cryptographic security module PBC board disclosed in an embodiment of the present invention; fig. 11 is a schematic block diagram of a security module circuit board disclosed in an embodiment of the invention. Referring to fig. 9, 10 and 11, the main chip U2 of the cryptographic security module is preferably an SSX0912 encryption chip produced by macroelectronics, and the SSX0912 supports the national cryptographic standard and provides the invocation instructions of the cryptographic services for a series of tasks of cryptographic management, data encryption and decryption, and digital signature and authentication.

Preferably, the cryptographic security module supports information interaction mainly through Bulk-only protocol.

Preferentially, the national security IPSec VPN is based on a CA system designed based on the national security IPSec VPN, so that encrypted transmission information between devices is facilitated.

It should be noted that, the 5G internet of things gateway facing military material management provided by the invention reserves rich interfaces, such as a WIFI interface, an Ethernet interface and the like, and is convenient to integrate with an external system.

The apparatus embodiments described above are merely illustrative, in which the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.

From the above detailed description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially or in part in the form of a software product that may be stored in a computer-readable storage medium including Read-Only Memory (ROM), random-access Memory (Random Access Memory, RAM), programmable Read-Only Memory (PROM), erasable programmable Read-Only Memory (Erasable ProgrammableRead Only Memory, EPROM), one-time programmable Read-Only Memory (OTPROM), electrically erasable programmable Read-Only Memory (EEPROM), compact disc Read-Only Memory (Compact Disc Read-Only Memory, CD-ROM) or other optical disc Memory, magnetic disk Memory, tape Memory, or any other medium that can be used for carrying or storing data that is readable by a computer.

Finally, it should be noted that: the embodiment of the invention discloses a 5G internet of things security gateway which is disclosed as a preferred embodiment of the invention and is only used for illustrating the technical scheme of the invention, but not limiting the technical scheme; although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that; the technical scheme recorded in the various embodiments can be modified or part of technical features in the technical scheme can be replaced equivalently; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. The utility model provides a 5G thing networking security gateway which characterized in that includes: the system comprises a main control processor, a USB module, a WiFi module, an Ethernet module, a serial port control module, a 4G network module, an LED configuration screen and a safety module;

the main control processor is in data connection with the USB module, the WiFi module, the Ethernet module and the serial port control module;

the USB module is in data connection with the 4G network module and the security module;

the serial port control module is in data connection with the LED configuration screen;

the main control processor is used for controlling the USB module, the WiFi module, the Ethernet module and the serial port control module;

The main control processor performs data interaction with the 4G network module and the security module through a USB module;

the main control processor interacts with the LED configuration screen data through a serial port control module;

the Ethernet module is used for sending data to the server;

the LED configuration screen is used for displaying data;

the 4G network module is used for 4G communication;

the security module is used for providing a calling instruction of the password service and carrying out password management, data encryption and decryption, digital signature and authentication.

2. The 5G internet of things security gateway of claim 1, wherein the security module comprises a data interface, a communication protocol interface, an encryption card, and a memory, and integrates a cryptographic algorithm;

the cryptographic algorithm comprises hard algorithms of SM4, SM3 and SM 2;

the data interface is used for exchanging data with the outside;

the memory is used for storing certificates;

the communication protocol interface comprises an SM2 key pair generation communication protocol interface, a certificate reading and writing communication protocol interface and a password verification communication protocol interface;

the security module presets a communication mechanism and a communication protocol for the encryption card;

and the external terminal calls the cryptographic algorithm to encrypt and decrypt or read and write the certificate according to the communication protocol.

3. The 5G internet of things security gateway of claim 2, wherein the external terminal invoking the cryptographic algorithm to encrypt and decrypt according to the communication protocol comprises:

s1, checking and signing a CA certificate; the verification signature CA certificate comprises the steps of reading the CA certificate from the encryption card, extracting a CA public key and writing the CA public key into the encryption card;

s2, loading an SM2 signature mode;

s3, loading a public and private key pair, and verifying the legitimacy of the public and private key pair by using a curve verification method;

s4, verifying the client certificate and the server certificate to obtain a verification result; when the signature verification result is successful, starting the IPSec VPN, executing S5, and when the signature verification result is failed, stopping starting the IPSec VPN;

s5, the server and the client carry out algorithm negotiation and key material exchange, a private tunnel is established, communication is carried out according to an encapsulation security load protocol ESP, and encryption and decryption are achieved.

4. A security gateway for 5G internet of things according to claim 3, wherein the server and the client perform algorithm negotiation and key material exchange, establish a private tunnel, communicate according to an encapsulating security payload protocol ESP, and implement encryption and decryption, comprising:

s51, the server enters a monitoring state, monitors a connection application of a client, and sends an IKE_SA_INIT request message to the server;

The request message includes a security association payload and a key exchange material;

s52, after receiving the request message of the client IKE_SA_INIT, the server analyzes the request message and sends out an IKE_SA_INIT response message; the response message comprises a certificate application CERTREQ;

s53, the client receives the response message and negotiates with the server to obtain a negotiation result;

the negotiation result comprises that a symmetric algorithm uses SM4 and a hash algorithm uses SM3;

s54, the client encrypts the data load by using the negotiated symmetric algorithm and the negotiated secret key, and sends out an IKE_AUTH request load;

s55, the server receives the IKE_AUTH request load, and decrypts the encrypted load according to the negotiated algorithm and key;

s56, the server generates and transmits an IKE_AUTH response load, and encrypts all data except the ISAKMP protocol by using an SM4 algorithm according to the negotiated key material;

s57, the client receives the IKE_AUTH response load, decrypts the secret state load by using SM4 according to the negotiated algorithm and key material, and signs a server side certificate by using the CA public key; after the server certificate passes the verification, extracting a public key from the server certificate, calling SM2, and verifying AUTH load by using the server public key;

And S58, after the negotiation is completed, the client and the server establish a private tunnel, and communicate according to the encapsulation security load protocol ESP to realize encryption and decryption.

5. The 5G internet of things security gateway of claim 2, wherein the communication protocol comprises:

a packet protocol header HDR; the data packet protocol header HDR is an ISAKMP protocol header;

security association loads SAi1 and SAr1 for providing suggestions for encryption algorithms;

key exchange payloads KEi and Ker for generating various key materials for IKE and IPSec security associations;

nonce payloads Ni and Nr for generating a key;

notify-1, configured to Notify an initiator network of NAT detection conditions;

notify-2, for informing the NAT detection condition of the responding party;

notify-3, which is used for the initiator to inform the responder of the hash algorithm supported by the initiator;

the certificate request CERTREQ is obtained by hashing the CA public key using the SM3 algorithm;

encrypting by using an SM4 algorithm;

initiator and responder IDs remain unchanged;

certificates i_cert_sm2 and r_cert_sm2 of clients and servers issued based on SM2-SM 3;

the service selectors TSi and TSr of the initiator and the responder, the TSi containing the initiator port range and the local area network address range, and the TSr containing the responder port range and the local area network address range.

6. The 5G internet of things security gateway of claim 5, wherein the security association payload comprises first layer data, second layer data, and third layer data;

the first layer data comprises a security association load head and security association load data;

the second layer data includes data for advice header and advice;

the third layer data includes a first transform load, a second transform load, a third transform load, and a fourth transform load.

7. The 5G internet of things security gateway of claim 2, wherein the negotiated key is calculated by:

the data material required for the key exchange method is obtained from the IKE SA INIT exchange,

processing the data material by using a key exchange method to obtain a key seed;

and processing the key seeds to obtain the negotiated key.

8. The 5G internet of things security gateway of claim 6, wherein the key exchange method is:

SKEYSEED＝PRF(Ni|Nr，g ^ir )

wherein Ni and Nr are random numbers generated by an initiator and a responder respectively, ni is a first message from IKE_SA_INIT, nr is a second message from IKE_SA_INIT, SKEYSEED is a key seed, PRF is a password generation method, g ^ir Representing the initiator and the responder.

9. The 5G internet of things security gateway of claim 1, wherein the method further comprises redesigning the digital certificate based on the SM2, SM3 algorithm according to an x.509 certificate specification to obtain a new digital certificate;

the new digital certificate is issued in the form of an encryption card, is bound with the encryption card, and is written into a secret storage area of the encryption card.

10. The 5G internet of things security gateway of claim 1, further comprising a peripheral interface circuit, a radio frequency transceiver; the method comprises the steps of,

the peripheral interface circuit is used for data interaction with the user terminal, and the user terminal is connected with the gateway through a LAN interface or WiFi in the peripheral interface circuit;

the radio frequency transceiver is used for receiving data sent by the user terminal through a WiFi protocol and sending the data to the LAN interface;

the LAN interface processes the received data to obtain preprocessed data;

decrypting the preprocessed data by using a preset encryption algorithm to obtain decrypted data;

and storing the decrypted data or transmitting the decrypted data to a server by using an Ethernet interface.