KR20240000161A - Method, device and system for dds communication - Google Patents

Abstract

A DDS communication method is disclosed. The DDS communication method according to the present invention includes receiving node information including identification information and domain ID from a plurality of nodes that want to connect to a gateway and participate in DDS communication, and nodes having the same domain ID among the plurality of nodes. transmitting node information of nodes having the domain ID and a group key corresponding to the domain ID; configuring, by the gateway, a network for nodes having the domain ID to exchange packets; and, The gateway receives authentication information generated using the group key from a specific node having the domain ID, performs authentication using the authentication information, and, if the authentication is successful, sends the packet received from the specific node to the It includes transmitting to another node having a domain ID.

Description

DDS communication method, device and system {METHOD, DEVICE AND SYSTEM FOR DDS COMMUNICATION}

The present invention relates to a DDS communication method, device, and system for providing DDS communication in a large-scale network environment such as 5G and LTE.

Data Distribution Service (DDS) (hereinafter referred to as DDS) provides a publish-subscribe communication protocol for real-time communication in a distributed environment. The publication-subscription method has strengths in terms of performance, scalability, and availability, and is used in various fields such as defense, transportation, medicine, and robotics. For example, ROS2, which is widely used as an operating system for robots, uses DDS as the basic communication middleware.

In a typical DDS communication method, an auto-discovery function is used to automatically find participants to distribute data in real time in a distributed environment. The Auto-Discovery function is a function where participants find other participants to distribute data to by periodically transmitting a PDP (Participant Discovery Protocol) message through multicast.

The Auto-Discovery function provides the advantage of automatically finding and connecting to other participants through multicast. However, as more participants are added, the number of packets increases significantly, so it is difficult to expand efficiently, that is, there is a problem with availability, and there is also a problem that it cannot be used in an environment where multicast is not supported.

Additionally, the Auto-Discovery function, which allows participants to automatically participate in data distribution, has the problem that DDoS attacks such as Network Flooding attacks and Network Reflection Attacks using manipulated discovery packets are possible.

Therefore, the current DDS communication is only used in limited and closed systems such as national defense, transportation, medicine, and robots, but there is a problem that it is difficult to apply in open and large-scale network environments such as 5G and LTE.

The present invention is intended to solve the above-mentioned problems, and the purpose of the present invention is to provide a DDS communication method, device, and system for providing DDS communication in a large-scale network environment such as 5G and LTE.

The DDS communication method according to the present invention includes receiving node information including identification information and domain ID from a plurality of nodes that want to connect to a gateway and participate in DDS communication, and nodes having the same domain ID among the plurality of nodes. transmitting node information of nodes having the domain ID and a group key corresponding to the domain ID; configuring, by the gateway, a network for nodes having the domain ID to exchange packets; and, The gateway receives authentication information generated using the group key from a specific node having the domain ID, performs authentication using the authentication information, and, if the authentication is successful, sends the packet received from the specific node to the It includes transmitting to another node having a domain ID.

In this case, the identification information includes identification information of the participant terminal, and the identification information of the participant terminal may be a terminal unique identification number (IMEI).

Meanwhile, the step of receiving node information including the identification information and domain ID includes authenticating the node that transmitted the node information using the identification information and instance IDs sequentially assigned to nodes generated in the participant terminal. May include steps.

Meanwhile, the step of transmitting node information of nodes having the domain ID and a group key corresponding to the domain ID includes updating the group key when a new node participates in the domain corresponding to the domain ID, and updating the group key with the updated group key. It may include transmitting to nodes having the domain ID.

Meanwhile, in the step of transmitting node information of nodes having the domain ID and a group key corresponding to the domain ID, when a new node joins the domain corresponding to the domain ID, the node information of the new node is transmitted to the domain ID. Branching may include transmitting to nodes.

Meanwhile, the step of configuring a network for nodes having the same domain ID to exchange packets involves configuring the network so that only nodes having the same domain ID exchange packets and packet exchange with nodes having different domain IDs is blocked. It may include steps.

In this case, the step of transmitting node information of nodes having the domain ID and a group key corresponding to the domain ID includes transmitting interface information for the node to connect to the node that has successfully authenticated, and transmitting the same domain ID to the node. The step of configuring the network so that only nodes with the same domain ID exchange packets and packet exchange with nodes with different domain IDs is blocked includes the step of creating a tunnel that virtually connects interfaces to which nodes with the same domain ID will connect. It can be included.

Meanwhile, the authentication information may include an authentication code received from the specific node when the specific node connects to the gateway.

In this case, the authentication code is generated using node information of the specific node and a group key held by the specific node, and the step of performing the authentication includes a group key corresponding to the domain ID held by the gateway and It may include authenticating the authentication code received from the specific node using node information of the specific node.

Meanwhile, the authentication information may include an authentication token received from the specific node along with the packet when the specific node transmits a packet to nodes having the domain ID.

In this case, the authentication token is generated using node information of the specific node and a group key held by the specific node, and the step of performing the authentication includes a group key corresponding to the domain ID held by the gateway and It may include authenticating the authentication token received from the specific node using node information of the specific node.

In this case, the authentication token may further include at least one of a time stamp and a sequence number.

Meanwhile, if the authentication is successful, transmitting the packet received from the specific node to another node having the domain ID includes transmitting the public key of the gateway to the nodes having the domain ID, and, the authentication token. If authentication is successful, it may include generating a double encryption token by encrypting the authentication token with the private key of the gateway.

In this case, if the authentication is successful, the step of transmitting the packet received from the specific node to another node having the domain ID includes inserting the double encryption token into the packet received with the authentication token and having the domain ID. It may include transmitting to another node.

Meanwhile, the DDS communication system receives node information including identification information and domain ID from a plurality of nodes that want to connect to the gateway and participate in DDS communication, and sends the domain ID to nodes having the same domain ID among the plurality of nodes. A control server that transmits node information of nodes having and a group key corresponding to the domain ID, and nodes having the domain ID configure a network for exchanging packets, and the group is transferred from a specific node having the domain ID. It includes a gateway that receives authentication information generated using a key, performs authentication using the authentication information, and, when the authentication is successful, transmits a packet received from the specific node to another node having the domain ID. .

In this case, the identification information includes identification information of the participant terminal, and the identification information of the participant terminal may be a terminal unique identification number (IMEI).

Meanwhile, the control server can authenticate the node that transmitted the node information using the identification information and an instance ID sequentially assigned to nodes generated in the participant terminal.

Meanwhile, when a new node joins the domain corresponding to the domain ID, the control server may update the group key and transmit the updated group key to nodes having the domain ID.

Meanwhile, when a new node joins the domain corresponding to the domain ID, the control server may transmit node information of the new node to nodes having the domain ID.

Meanwhile, the DDS communication device includes a gateway that provides a plurality of interfaces to which a plurality of nodes can connect, a communication unit that receives node information including identification information and domain ID from a plurality of nodes that want to connect to the gateway and participate in DDS communication; and a control unit that transmits node information of nodes having the domain ID and a group key corresponding to the domain ID to nodes having the same domain ID among the plurality of nodes through the communication unit, and the gateway is, Nodes having the domain ID configure a network for exchanging packets, receive authentication information generated using the group key from a specific node having the domain ID, and perform authentication using the authentication information, If authentication is successful, the packet received from the specific node can be transmitted to another node with the domain ID.

According to the present invention, by supporting data exchange between nodes participating in the same domain based on the policy created in the DDS communication system, DDS can be implemented without using the Auto-Discovery function and even in an environment where multicast is not supported. It can enable communication and prevent the number of packets from increasing exponentially even if the number of participant terminals or nodes increases. Accordingly, it has clear advantages in availability and scalability compared to conventional DDS communication methods, and has the advantage of enabling DDS communication even in open and large-scale network environments such as 5G and LTE.

Figure 1 is a block diagram for explaining a DDS communication system according to the present invention.
Figure 2 is a flowchart for explaining the DDS communication method of the DDS communication system according to the present invention.
Figure 3 is a flowchart for explaining the overall operation of the DDS communication system and nodes. The description will be made with reference to FIGS. 2 and 3 together.
Figure 4 is a diagram for explaining a method for authenticating a node according to the present invention.
Figure 5 is a diagram to explain how a gateway configures a network.
Figure 6 is a diagram illustrating the primary authentication process performed when a node first connects to a gateway according to the present invention.
Figure 7 is a diagram illustrating a secondary authentication process performed when a node transmits a packet to another node according to the present invention.
Figure 8 is a diagram for explaining a DDS communication device according to another embodiment of the present invention.

Hereinafter, embodiments disclosed in the present specification will be described in detail with reference to the attached drawings. However, identical or similar components will be assigned the same reference numbers regardless of reference numerals, and duplicate descriptions thereof will be omitted. The suffixes “module” and “part” for components used in the following description are given or used interchangeably only for the ease of preparing the specification, and do not have distinct meanings or roles in themselves. Additionally, in describing the embodiments disclosed in this specification, if it is determined that detailed descriptions of related known technologies may obscure the gist of the embodiments disclosed in this specification, the detailed descriptions will be omitted. In addition, the attached drawings are only for easy understanding of the embodiments disclosed in this specification, and the technical idea disclosed in this specification is not limited by the attached drawings, and all changes included in the spirit and technical scope of the present invention are not limited. , should be understood to include equivalents or substitutes.

Terms containing ordinal numbers, such as first, second, etc., may be used to describe various components, but the components are not limited by the terms. The above terms are used only for the purpose of distinguishing one component from another.

When a component is said to be "connected" or "connected" to another component, it is understood that it may be directly connected to or connected to the other component, but that other components may exist in between. It should be. On the other hand, when it is mentioned that a component is “directly connected” or “directly connected” to another component, it should be understood that there are no other components in between.

Singular expressions include plural expressions unless the context clearly dictates otherwise. In this application, terms such as “comprise” or “have” are intended to designate the presence of features, numbers, steps, operations, components, parts, or combinations thereof described in the specification, but are not intended to indicate the presence of one or more other features. It should be understood that this does not exclude in advance the possibility of the existence or addition of elements, numbers, steps, operations, components, parts, or combinations thereof.

In implementing the present invention, the components may be subdivided for convenience of explanation, but these components may be implemented in one device or module, or one component may be divided into multiple devices or modules. It can also be implemented.

DDS communication is network middleware that simplifies complex networks and is designed to handle responses between participants. In addition, the present invention provides a DDS communication system that supports DDS communication in a large-scale network environment including 5G or LTE by expanding the simplified DDS middleware design based on a software-defined boundary.

Figure 1 is a block diagram for explaining a DDS communication system according to the present invention.

The DDS communication system according to the present invention includes a gateway 100 and a control server 200 and can support communication between multiple nodes.

The gateway 100 is connected to a plurality of participant terminals 1110, 1120, and 1130 and can transmit/receive data to and from the participant terminals. Here, the participant terminal may be a terminal (or server) subscribed to a communication service (mobile communication service such as 5G or LTE, Internet service, etc.) provided by a communication service provider.

Nodes may be driven in a plurality of participant terminals 1110, 1120, and 1130, and one or more nodes may be driven in one participant terminal. For example, while a participant terminal refers to a device (hardware) such as a smartphone or PC, a node may refer to an operating system, application, process, program, etc. that runs on the device (hardware). In the DDS communication system, the entity that transmits and receives data is the node, and the gateway 100 can transmit/receive data with the node running on the participant terminal.

The control server 200 may communicate with the gateway 100 and a plurality of nodes connected to the gateway 100. Additionally, the control server 200 can support communication between nodes participating in the same domain and create policies to improve security even without auto-discovery. These policies are distributed to a plurality of nodes and gateways 100 connected to the DDS communication system, and each of the plurality of nodes transmits/transmits data to other nodes participating in the same domain based on the policy generated by the control server 200. can receive

Meanwhile, the control server 200 may include a communication unit for communicating with an external device, a control unit for controlling the overall operation of the control server, and a memory for storing programs or commands for operating the control server.

The gateway 100 can set communication paths for multiple nodes connected to the gateway 100. Specifically, the gateway 100 may configure a network for nodes belonging to the same domain to exchange packets, based on the policy created by the control server 200. That is, the gateway 100 can create a tunnel through which packets can be exchanged between nodes belonging to the same domain among a plurality of nodes connected to the gateway 100. And this tunnel is logically created by the gateway 100 based on a policy created in the control server 200 rather than by a physical connection between ports, and may be called a virtual tunnel.

Figure 2 is a flowchart for explaining the DDS communication method of the DDS communication system according to the present invention.

The DDS communication method of the DDS communication system according to the present invention includes receiving node information including identification information and domain ID of the node from a plurality of nodes that want to connect to the gateway and participate in DDS communication (S210), a plurality of nodes A step of transmitting node information of nodes having domain IDs and a group key corresponding to the domain ID to nodes having the same domain ID (S220), where the gateway establishes a network for nodes having domain IDs to exchange packets. Configuring step (S230), and the gateway receives authentication information generated using a group key from a specific node having a domain ID, performs authentication using the authentication information, and receives the authentication information from the specific node when authentication is successful. It may include transmitting the packet to another node having the domain ID (S240).

Figure 3 is a flowchart for explaining the overall operation of the DDS communication system and nodes. The description will be made with reference to FIGS. 2 and 3 together.

For authentication, node 1210 may transmit node information to the control server 200 (S305). Here, the node information may include identification information including identification information of the participant terminal and identification information of the node running on the participant terminal.

Specifically, the identification information of the participant terminal is uniquely assigned to the participant terminal using the communication service. For example, the identification information of the participant terminal may be a universally unique identifier (UUID) of the participant terminal. Meanwhile, as previously explained, the DDS communication system can support DDS communication in a large-scale network environment including 5G or LTE. In this case, the universally unique identifier (UUID) of the participant terminal includes the terminal unique identification number (International Mobile Equipment Identity (IMEI) may be used.

Meanwhile, the identification information of the node may include at least one of a host ID and an app ID. Here, the host ID is uniquely assigned to the participant terminal on which the node is running, and may include, for example, a MAC address, IPv4 address, universally unique identifier (UUID), etc. Additionally, the App ID is used to identify a node running on a participant terminal, and may be, for example, an App ID, which is a process ID managed by an operating system (Linux, Unix, Windows, etc.).

Meanwhile, node information may further include a domain ID. Here, the domain ID is identification information of the domain in which the node will participate, and the control server 200 supports communication between nodes based on the domain ID.

Meanwhile, node information may further include an instance ID. Here, the instance ID is sequentially assigned to nodes that are created (starting operation) in the participant terminal. For example, when a participant terminal creates a node for the first time, it may give that node an instance ID of 0x01, and when it creates a second node, it may grant an instance ID of 0x02 to that node.

Next, the control server 200 may connect to the gateway 100 and receive node information including identification information and domain ID from a plurality of nodes that want to participate in DDS communication (S210).

Specifically, the control server 200 performs strict authentication because it does not trust the nodes and participant terminals. Therefore, the control server 200 can perform authentication using identification information instead of using IP or port.

In this case, the control unit 120 can authenticate the node that transmitted the node information using the identification information of the participant terminal and the identification information of the node (S310). This will be explained with reference to Figure 4.

Figure 4 is a diagram for explaining a method for authenticating a node according to the present invention.

The control server 200 may compare the identification information of the participant terminal with the identification information of the participant terminal pre-registered in the control server 200, and if they match, determine that the identification information of the participant terminal is authenticated (S410). Additionally, the control server 200 may compare the received identification information of the node with the identification information of a plurality of nodes pre-registered in the control server 200, and if they match, determine that the identification information of the node is authenticated (S420). . And when the identification information of the node and the identification information of the participant terminal are authenticated, the control server 200 may determine that the authentication of the node that transmitted the corresponding node information was successful.

In addition, when the node information further includes an instance ID, the control server 200 provides the node information using the identification information of the participant terminal, the node identification information, and the instance ID sequentially assigned to the nodes generated in the participant terminal. The transmitting node can be authenticated (S430).

Specifically, the control server 200 can authenticate the node by checking the increase or decrease in the instance ID. More specifically, the control server 200 stores node information (app ID and instance ID) of nodes received from one participant terminal in memory, and selects the instance ID in the previously received node information and the instance in the currently received node information. You can authenticate the node using the ID.

For example, referring to FIG. 4, the control server 200 receives first node information including an instance ID of 1 from the node (node #1) first driven in a specific participant terminal (participant terminal #1). And, the received first node information can be stored in memory. Next, the control server 200 may receive second node information including an instance ID of 2 from a newly operated node (node #2) in the same participant terminal (participant terminal #1). Additionally, the instance ID is preset to increase by 1, and the control server 200 knows the preset increase/decrease amount (increase by 1). In this case, the control server 200 uses the fact that the first node information includes an instance ID of 1, the second node information includes an instance ID of 2, and the instance ID is increased by 1, to create a newly driven node ( It can be determined that authentication for node #2) was successful.

On the other hand, if node information that is different from the preset increase/decrease amount (for example, increases by 1) is received, the control server 200 may determine that authentication for the corresponding node has failed.

Meanwhile, assume that a hacker (hacker #1) who has stolen the identification information or host ID of a specific participant terminal (participant terminal #1) transmits third node information including the stolen information to the control server 200. However, since the hacker (hacker #1) cannot know the instance ID of a specific participant terminal (participant terminal #1), the correct instance ID cannot be included in the node information, and the control server 200 uses the third node information to It may be determined that authentication for the hacker has failed. Additionally, the control server 200 third node information can be stored in memory as a blacklist.

Returning to FIGS. 2 and 3, if authentication of the node transmitting node information is successful, the control server 200 may update the group key of the domain in which the node participates (S310). Specifically, if the node information transmitted by the node 1210 includes a specific domain ID, the control server 200 determines that the new node 1210 has participated in the domain corresponding to the specific domain ID, and You can update the group key. In other words, the group key used in the domain can be updated whenever a new node joins the domain.

However, it is not limited to this, and the group key corresponding to the domain ID may be implemented in such a way that it is periodically updated. Additionally, when the node 1210 participates in a specific domain for the first time, the control server 200 may generate a new group key corresponding to the domain ID.

Meanwhile, if authentication of the node is successful, the control server 200 may transmit first policy information to the node 1210 that succeeded in authentication (S315). Here, the first policy information may include gateway interface information that the corresponding node can access. Additionally, the interface information may include the IP and port of the gateway.

Meanwhile, the control server 200 may transmit second policy information to the gateway 100 (S320). Here, the second policy information may include an updated (or newly created) group key and node information of the node 1210 that successfully authenticated. The node information that the control server 200 transmits to the gateway 100 may include identification information of the participant terminal of the node that successfully authenticated, identification information of the node, and domain ID, and may additionally include the IP of the node that successfully authenticated. It can be included.

Meanwhile, the control server 200 may transmit third policy information to the node 1210 that has successfully authenticated. Specifically, the control server 200 provides node information of the nodes with the same domain ID and a group key corresponding to the same domain ID to nodes with the same domain ID among a plurality of nodes that want to connect to the gateway and participate in DDS communication. Can be transmitted (S220, S325, S330). For example, if there are 1st to 100th nodes, and the 1st to 30th nodes try to join the first domain with the first domain ID, the control server 200 connects the 2nd to 30th nodes to the first node. The node information of the 29th node and the group key corresponding to the first domain may be transmitted, and the node information of the 1st to 29th nodes and the group key corresponding to the first domain may be transmitted to the 30th node.

Meanwhile, the node information of other nodes transmitted by the control server 200 may include identification information of the participant terminal of the node that successfully authenticated, node identification information, and domain ID, and may additionally include the IP of the node that successfully authenticated. can do.

Meanwhile, the control server 200 may transmit only newly updated information to the gateway 100 or the node. For example, when a new node participates in a specific domain, the control server 200 may transmit node information of the new node to nodes having the same domain ID as the new node. Also, as described above, the group key can be updated when a new node joins the domain, and the control server 200 can transmit the updated group key to nodes with the corresponding domain ID when a new node joins the domain. there is. For example, when the 30th node newly joins the first domain to which the 1st to 29th nodes belong, the control server 200 updates the group key of the first domain, and the gateway 100 and the first node The node information and the updated group key of the 30th node can be transmitted to the 29th to 29th nodes. However, the node information of the 1st to 29th nodes and the updated group key must be transmitted to the newly joined 30th node.

Meanwhile, a plurality of nodes and control servers 200 connected to the gateway 100 and participating in communication can perform the operations described above. Accordingly, the control server 200 receives node information from a plurality of nodes, performs authentication for the node, and transmits information on the interface to which the node can access and a generated (updated) group key to the node that has successfully authenticated, The node information of the node that successfully authenticated and the generated (updated) group key can be transmitted to the gateway 100. Accordingly, the gateway 100 can store node information and group keys for each domain of a plurality of nodes connected to the gateway 100 and participating in communication, and the stored information can be updated each time a new node participates. Additionally, node information of other nodes having the same domain ID and group key corresponding to the domain ID may be stored in nodes that have successfully authenticated, and the stored information may be updated whenever a new node participates.

Meanwhile, when the node information and group key of the successfully authenticated node are received, the gateway 100 can configure a network for nodes having the same domain ID to exchange packets (S230). This will be explained with reference to FIG. 5 .

Figure 5 is a diagram to explain how a gateway configures a network.

The gateway 100 may update the network policy based on the domain ID. The network packet policy may include a policy for at least one of routing and switching and a firewall policy. In addition, updating the network policy means configuring the network so that only nodes with the same domain ID exchange packets and packet exchange with nodes with different domain IDs is blocked, based on the node information of the newly joined node. You can.

More specifically, the gateway 100 can set a network policy using 5 tuples (source IP, source port, destination IP, destination port, protocol) and domain ID. Figure 5a shows the physical configuration of the gateway 100, and the gateway 100 has a plurality of interfaces that can be accessed by a plurality of nodes 510, 520, 530, and 540 that want to participate in DDS communication by connecting to the gateway. It may include (111, 112, 113, 114). In this case, the gateway 100 is a network for the nodes 510, 520, and 540 participating in the same domain 560 (i.e., nodes with the same domain ID) to exchange packets, as shown in FIG. 5B. can be configured. The network constructed here is a virtual network, and standard technologies that can create virtual networks such as IPSec VPN, SSL VPN, and Open vSwitch can be used.

That is, the gateway 100, based on the interface information transmitted to the nodes 510, 520, and 540 with the same domain ID, interfaces ( A tunnel that virtually connects 111, 112, and 114) can be created. This tunnel supports communication between interfaces 111, 112, and 114 connected by nodes 510, 520, and 540 with the same domain ID, and with the interface 113 connected by nodes with different domain IDs. Block communication. That is, since nodes with the same domain ID are connected through virtual tunneling based on the domain ID, efficient DDS communication is possible by configuring nodes with the same domain ID on the same network.

Returning to FIGS. 2 and 3, the gateway 100 receives authentication information generated using a group key from a specific node having the same domain ID, performs authentication using the authentication information, and, if authentication is successful, A packet received from a specific node can be transmitted to another node with the same domain ID (S240).

Authentication performed in S240 may include primary authentication performed when the node first connects to the gateway and secondary authentication performed when the node transmits a packet to another node through the gateway. First, the first authentication process will be described with reference to FIG. 6 along with FIGS. 2 and 3.

Figure 6 is a diagram illustrating the primary authentication process performed when a node first connects to a gateway according to the present invention.

Currently, the node information of the first node 510 and the group key of the domain to which the first node belongs are transmitted to the gateway 100 (S610). Additionally, node information on nodes participating in the same domain as the first node is transmitted to the gateway 100.

In addition, the first node 510 includes interface information of a gateway to which the first node 510 can connect, node information of another node having the same domain ID as the first node 510, and a group key corresponding to the same domain ID ( The group key of the domain to which the first node belongs is being transmitted (S620).

Meanwhile, the first node 510 may transmit an authentication code to the gateway 100 (S335, S630). Specifically, the first node 510 may generate an authentication code using node information of the first node and a group key (group key of the domain to which the first node belongs) held by the first node. For example, an authentication code can be generated using a host ID, app ID, domain ID, and group key. In this case, the first node 510 can connect to the corresponding interface using the interface information (IP and port) received from the control server 200 and transmit an authentication code to the gateway through the connected interface.

Here, the authentication code is a message authentication code (MAC) generated by combining node information of the first node 510 and a group key held by the first node, and may be, for example, HMAC (Hashed MAC). . In this case, the first node 510 may generate an authentication code by encrypting the node information of the first node 510 with a group key held by the first node.

Additionally, the first node 510 may generate an authentication code by additionally using a time stamp indicating the current time along with node information and group key. Timestamps can be used to prevent replay attacks.

Meanwhile, the gateway 100 may receive an authentication code from the first node 510. Currently explaining the primary authentication process, the gateway 100 may receive an authentication code from the first node 510 when the first node 510 connects to the gateway 100.

Additionally, the gateway 100 may perform authentication on the first node 510 using authentication information (authentication code) received from the first node 510 (S340, S640). Specifically, the gateway 100 uses the node information of the first node and a group key corresponding to the domain ID (domain ID of the domain to which the first node belongs) held by the gateway to receive information from the first node 510. You can authenticate the authentication code.

Specifically, the gateway 100 may store node information of nodes having a specific domain ID (domain ID of the domain to which the first node belongs). And the gateway 100 decrypts the authentication code received from the first node 510 using the group key (group key of the domain to which the first node belongs) held by the gateway to obtain node information of the first node 510. It can be extracted. Additionally, the gateway 100 may compare the extracted node information with the node information of the first node held by the gateway, and if they match, determine that authentication for the first node 510 was successful.

On the other hand, decryption using the group key held by the gateway is not possible, the node information transmitted by the first node 510 does not match the node information held by the gateway, or more than a preset time has elapsed from the time stamp included in the authentication code. In one case, the gateway may determine that authentication for the first node 510 failed. If authentication fails, the first node 510 cannot participate in DDS communication.

Meanwhile, if authentication with the first node 510 is successful, the gateway 100 may transmit the gateway's public key to the first node 510 (S345, S650). The gateway 100 may transmit the public key of the gateway not only to the first node 510 but also to other nodes that succeed in authentication.

Next, the secondary authentication process performed when a node transmits a packet to another node through a gateway will be described with reference to FIG. 7 along with FIGS. 2 and 3.

Figure 7 is a diagram illustrating a secondary authentication process performed when a node transmits a packet to another node according to the present invention.

The first node 510 may generate an authentication token using node information of the first node and a group key (group key of the domain to which the first node belongs) held by the first node. For example, an authentication token can be generated using a host ID, app ID, domain ID, and group key.

Here, the authentication token is a message authentication code (MAC) generated by combining node information of the first node 510 and a group key held by the first node, and may be, for example, HMAC (Hashed MAC). . In this case, the first node 510 may generate an authentication token by encrypting the node information of the first node 510 with a group key held by the first node.

Additionally, the first node 510 may generate an authentication token by additionally using a sequence number along with node information and group key. Sequence numbers can be used to prevent replay attacks. However, it is not limited to this, and the authentication token may include at least one of a time stamp and a sequence number.

Meanwhile, the first node 510 may generate a packet containing data to be transmitted to nodes having the same domain ID. Additionally, the first node 510 may insert the generated authentication token into a packet containing data and transmit it to the gateway 100. That is, the first node 510 may transmit an authentication token along with a packet for DDS communication (S350, S710), and in this case, the authentication token may be inserted into the packet.

Meanwhile, the gateway 100 may receive an authentication token from the first node 510. Specifically, when the first node 510 transmits a packet to nodes having the same domain ID, the gateway 100 may receive an authentication token along with the packet from the first node.

Additionally, the gateway 100 may perform authentication for the first node 510 using authentication information (authentication token) received from the first node 510. Specifically, the gateway 100 uses the node information of the first node and a group key corresponding to the domain ID (domain ID of the domain to which the first node belongs) held by the gateway to receive information from the first node 510. Authentication tokens can be authenticated.

Specifically, the gateway 100 extracts node information of the first node 510 by decrypting the authentication token received from the first node 510 with a group key (group key of the domain to which the first node belongs) held by the gateway. can do. Additionally, the gateway 100 may compare the extracted node information with the node information of the first node held by the gateway, and if they match, determine that authentication for the first node 510 was successful.

On the other hand, decryption using the group key held by the gateway is not possible, the node information transmitted by the first node 510 does not match the node information held by the gateway, or more than a preset time has elapsed from the time stamp included in the authentication token. Alternatively, if an error occurs in the sequence number, the gateway 100 may determine that authentication for the packet received with the authentication token has failed. If authentication fails, the gateway 100 may not transmit the packet and may request the control server 200 to update the group key of the domain in which the first node 510 participates.

Meanwhile, if authentication of the authentication token is successful, the gateway 100 may generate a double encryption token by encrypting the authentication token with the gateway's private key (S355, S720). Additionally, the gateway 100 may transmit the double encryption token along with the packet transmitted by the first node 510 to other nodes having the same domain ID as the first node 510 (S360, S730). In this case, the gateway 100 may insert a double encryption token into the packet received along with the authentication token and transmit it to another node having the same domain ID as the first node 510.

Meanwhile, the gateway's public key is distributed to nodes that have successfully authenticated, and accordingly, the gateway's public key is also transmitted to other nodes (1220, 520) that have the domain ID of the domain in which the first node participated.

And other nodes 1220 and 520 may receive packets and double encryption tokens from the gateway 100. Additionally, other nodes 1220 and 520 can authenticate the double encryption token using the public key of the gateway, the group key of the domain to which it belongs, and the node information of the node having the same domain ID as the node (S365, S740).

Specifically, other nodes 1220 and 520 can authenticate the dual encryption token and extract the authentication token by decrypting the dual encryption token using the gateway's public key. Next, the other nodes 1220 and 520 may authenticate the authentication token using the group key corresponding to the domain ID and the node information of the first node. Additionally, if the node information of the first node in the authentication token matches the node information of the first node held by the other nodes (1220, 520), the other nodes (1220, 520) read the data received along with the double encryption token or You can save it.

On the other hand, decryption using the public key of the gateway held by other nodes (1220, 520) is impossible, decryption is impossible using the group key held by other nodes (1220, 520), or the node transmitted by the first node (510) The information does not match the node information held by other nodes (1220, 520), or more than a preset time has elapsed from the time stamp included in the authentication token. If an error occurs in the sequence number included in the authentication token, the other nodes 1220 and 520 may determine that authentication for the dual encryption token has failed. If authentication fails, the first node 510 cannot read or store the data received with the double encryption token, and the other nodes 1220 and 520 cannot update the group key of the participating domain on the control server 200. You can request it.

Meanwhile, another node 1220 may also transmit a packet to the first node 1210. That is, the other node 1220 can generate an authentication token using the node information of the other node 1220 and the group key held by the other node 1220, and transmit the authentication token along with a packet for DDS communication (S370). .

In this case, the gateway 100 may receive an authentication token from another node 1220, authenticate the authentication token, and then generate a double encryption token using its private key (S375). Additionally, the gateway 100 may transmit the generated double encryption token to the first node 1210 having the same domain ID as the other node 1220 (S380). The first node 1210 may receive a packet and a double encryption token from the gateway 100. Also, the first node 1210 is owned by the first node 1210. The double encryption token can be authenticated using the public key of the gateway, the group key of the domain to which the first node 1210 belongs, and the node information of the other node 1220 (S385).

Meanwhile, in the previous embodiment, it was explained that the gateway 100 generates a double encryption token using its own private key, and the node decrypts the double encryption token using the public key received from the gateway 100, but it is not limited to this. Alternatively, the node may decrypt the double encryption token using the shared key received from the gateway 100. Specifically, the gateway 100 may distribute the shared key encrypted with its own private key to the nodes while distributing the public key of the gateway 100 to the nodes in advance. In this case, nodes can obtain the shared key by decrypting the encrypted shared key using a pre-distributed public key. And nodes can decrypt the double-encrypted token using the shared key. When using a shared key in this way, performance degradation that may occur in public key-based encryption/decryption can be prevented.

Figure 8 is a diagram for explaining a DDS communication device according to another embodiment of the present invention.

1 to 7 illustrate a DDS communication system including a control server 200 and a gateway 100. However, it is not limited to this, and the DDS communication system can be implemented as a single device. Therefore, the DDS communication device 800 can perform the operations of the DDS communication system described above.

Specifically, the DDS communication device 800 may include a communication unit 810, a control unit 820, a memory 830, and a gateway 840.

The communication unit 810 includes a communication circuit for communicating with an external device, and can connect to the gateway 840 to transmit/receive data with a plurality of nodes that want to participate in DDS communication. The communication unit 810 may receive node information including identification information and domain ID from a plurality of nodes that want to connect to the gateway and participate in DDS communication. Additionally, the communication unit 810, under the control of the control unit 820, may transmit node information of the nodes having the same domain ID and a group key corresponding to the same domain ID to nodes having the same domain ID among the plurality of nodes. .

The control unit 820 can control the overall operation of the DDS communication device 800. Additionally, the control unit 820 creates a policy and distributes it to a plurality of nodes, authenticates authentication information (authentication code, authentication token) received from the nodes, and encrypts the authentication token with the private key of the DDS communication device 800 to perform double encryption. You can generate a token and send the generated double encryption token to the node along with the packet.

The memory 830 may store programs or commands for operating the DDS communication device 800. Additionally, the memory 830 may store node information of a plurality of nodes, group keys for each domain, node information for each domain, private key of the gateway 840, etc.

Meanwhile, the gateway 840 may include a gateway control unit that controls the operation of the gateway 840 and a gateway memory that stores programs or commands for the operation of the gateway 840. Meanwhile, the gateway control unit and gateway memory may not be provided separately, in which case the control unit 820 and memory 830 described above may be used as the gateway control unit and gateway memory, respectively.

Meanwhile, the gateway 840 may further include a plurality of interfaces to which a plurality of nodes can access. Additionally, the gateway 840 can configure a network for nodes with the same domain ID to exchange packets by creating a tunnel that virtually connects interfaces connected by nodes with the same domain ID. In addition, the gateway 840 receives authentication information generated using a group key from a specific node having the same domain ID, performs authentication using the authentication information, and, if authentication is successful, sends the packet received from the specific node to the same domain. It can be transmitted to another node with an ID.

According to the present invention, by supporting data exchange between nodes participating in the same domain based on the policy created in the DDS communication system, an environment in which multicast is not supported and without using the auto-discovery function DDS communication can also be enabled, and the number of packets can be prevented from increasing exponentially even if the number of participant terminals or nodes increases. Accordingly, it has clear advantages in availability and scalability compared to conventional DDS communication methods, and has the advantage of enabling DDS communication even in open and large-scale network environments such as 5G and LTE. Accordingly, by designing the DDS standard, which causes problems when applied to large-scale communication networks, to be expanded based on software-defined boundaries, it is possible to provide a terminal-centered open network communication system using DDS communication in large-scale wireless network environments such as 5G and LTE. there is.

In addition, according to the present invention, since the operation of the control server and gateway replaces the existing auto-discovery function, it has the advantage that it is impossible to transmit a manipulated discovery packet, and since there is no act of searching for a participant, the network It has the advantage of preventing flooding attacks.

Additionally, according to the present invention, by applying ID-based identity verification and high-level authentication technology instead of authenticating multiple nodes based on IP and port, multiple terminals connected to a large-scale wireless network environment can be flexibly and effectively authenticated. There is an advantage.

Additionally, according to the present invention, a gateway that supports data exchange between nodes with the same domain ID authenticates the authentication information received from the node, thereby determining whether the node has been hacked and whether packets are being transmitted/received by the same domain ID. It has the advantage of being able to support integrity DDS communication by verifying whether there is a replay attack.

Additionally, according to the present invention, by going through a double encryption process of encrypting the authentication token with the gateway's private key, it is possible to authenticate that the packet has passed through the gateway and whose integrity has been verified by the gateway. Since the double encryption token can simultaneously verify the identity of the packet sender (node) and the packet forwarder (gateway), it has the advantage of effectively preventing attacks by hackers or other intruders.

The above-described present invention can be implemented as computer-readable code on a program-recorded medium. Computer-readable media includes all types of recording devices that store data that can be read by a computer system. Examples of computer-readable media include HDD (Hard Disk Drive), SSD (Solid State Disk), SDD (Silicon Disk Drive), ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc. There is. Additionally, the computer may include a control unit. Accordingly, the above detailed description should not be construed as restrictive in all respects and should be considered illustrative. The scope of the present invention should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of the present invention are included in the scope of the present invention.

Claims (20)

Receiving node information including identification information and domain ID from a plurality of nodes that want to connect to the gateway and participate in DDS communication;
transmitting node information of nodes having the domain ID and a group key corresponding to the domain ID to nodes having the same domain ID among the plurality of nodes;
Configuring, by the gateway, a network for nodes having the domain ID to exchange packets; and
The gateway receives authentication information generated using the group key from a specific node having the domain ID, performs authentication using the authentication information, and, if the authentication is successful, sends a packet received from the specific node. Transmitting to another node having the domain ID; including
DDS communication method. According to clause 1,
The identification information includes identification information of the participant terminal,
The identification information of the participant terminal is the terminal unique identification number (IMEI).
DDS communication method. According to clause 1,
The step of receiving node information including the identification information and domain ID,
Authenticating the node that transmitted the node information using the identification information and an instance ID sequentially assigned to nodes generated in the participant terminal; comprising;
DDS communication method. According to clause 1,
The step of transmitting node information of nodes having the domain ID and a group key corresponding to the domain ID is,
When a new node participates in the domain corresponding to the domain ID, updating the group key and transmitting the updated group key to nodes having the domain ID; comprising
DDS communication method. According to clause 1,
The step of transmitting node information of nodes having the domain ID and a group key corresponding to the domain ID is,
When a new node participates in the domain corresponding to the domain ID, transmitting node information of the new node to nodes having the domain ID; comprising
DDS communication method. According to clause 1,
The step of configuring a network for nodes having the domain ID to exchange packets is,
Configuring the network so that only nodes having the same domain ID exchange packets and packet exchange with nodes having different domain IDs is blocked;
DDS communication method. According to clause 6,
The step of transmitting node information of nodes having the domain ID and a group key corresponding to the domain ID is,
Transmitting information about the interface to which the node will connect to the node that has successfully authenticated,
The step of configuring the network so that only nodes with the same domain ID exchange packets and packet exchange with nodes with different domain IDs is blocked,
Comprising: creating a tunnel virtually connecting interfaces to which nodes having the same domain ID will connect;
DDS communication method. According to clause 1,
The authentication information is,
Containing an authentication code received from the specific node when the specific node connects to the gateway
DDS communication method. According to clause 8,
The authentication code is,
Generated using node information of the specific node and a group key held by the specific node,
The steps for performing the authentication are:
Authenticating the authentication code received from the specific node using a group key corresponding to the domain ID and node information of the specific node held by the gateway, comprising:
DDS communication method. According to clause 1,
The authentication information is,
When the specific node transmits a packet to nodes having the domain ID, it includes an authentication token received from the specific node along with the packet.
DDS communication method. According to clause 10,
The authentication token is,
Generated using node information of the specific node and a group key held by the specific node,
The steps for performing the authentication are:
Authenticating the authentication token received from the specific node using the group key corresponding to the domain ID and node information of the specific node held by the gateway; comprising:
DDS communication method. According to clause 11,
The authentication token further includes at least one of a timestamp and a sequence number.
DDS communication method. According to clause 11,
If the authentication is successful, the step of transmitting the packet received from the specific node to another node having the domain ID is,
transmitting the public key of the gateway to nodes having the domain ID; and
If authentication of the authentication token is successful, generating a double encryption token by encrypting the authentication token with the private key of the gateway; comprising:
DDS communication method. According to clause 13,
If the authentication is successful, the step of transmitting the packet received from the specific node to another node having the domain ID is,
Inserting the double encryption token into the packet received together with the authentication token and transmitting it to another node having the domain ID; comprising
DDS communication method. Receive node information including identification information and domain ID from a plurality of nodes that want to connect to the gateway and participate in DDS communication, and send node information of nodes having the domain ID to nodes having the same domain ID among the plurality of nodes. and a control server transmitting a group key corresponding to the domain ID. and
Nodes having the domain ID configure a network for exchanging packets, receive authentication information generated using the group key from a specific node having the domain ID, and perform authentication using the authentication information, A gateway that transmits the packet received from the specific node to another node having the domain ID if the authentication is successful;
DDS communication system. According to clause 15,
The identification information includes identification information of the participant terminal,
The identification information of the participant terminal is the terminal unique identification number (IMEI).
DDS communication system. According to claim 15,
The control server is,
Authenticating the node that transmitted the node information using the identification information and the instance ID sequentially assigned to the nodes generated in the participant terminal
DDS communication system. According to clause 15,
The control server is,
When a new node participates in the domain corresponding to the domain ID, the group key is updated and the updated group key is transmitted to nodes having the domain ID.
DDS communication system. According to clause 15,
The control server is,
When a new node joins the domain corresponding to the domain ID, the node information of the new node is transmitted to nodes having the domain ID.
DDS communication system. A gateway providing a plurality of interfaces to which a plurality of nodes can connect;
a communication unit that receives node information including identification information and domain ID from a plurality of nodes that want to connect to the gateway and participate in DDS communication; and
A control unit transmitting node information of nodes having the domain ID and a group key corresponding to the domain ID to nodes having the same domain ID among the plurality of nodes through the communication unit,
The gateway is,
Nodes with the domain ID configure a network to exchange packets,
Authentication information generated using the group key is received from a specific node having the domain ID, authentication is performed using the authentication information, and if authentication is successful, a packet received from the specific node is sent to the node having the domain ID. transmitting to other nodes
DDS communication device.

Images