TWI733265B - Secure connection system and method of the same - Google Patents


Info

Publication number
TWI733265B
Authority
TW
Taiwan
Prior art keywords
key
authentication
message
terminal device
code
Prior art date
Application number
TW108144312A
Other languages
Chinese (zh)
Other versions
TW202123726A (en)
Inventor
馮琪惠
郭泓志
吳建興
Original Assignee
中華電信股份有限公司

Abstract

Provided is a secure connection system and a method of the same. The system includes a terminal device and an IoT platform having a key store and an authentication unit. The terminal device has a device code and a device key and sends an authentication request message to the authentication unit. On receiving the authentication request message, the authentication unit sends a check code to the terminal device. The terminal device then sends an authentication message, which includes the check code, the device code and a hash value of the device key, to the authentication unit. On receiving the authentication message, the authentication unit looks up in the key store the device key corresponding to the device code in the authentication message and hashes that device key to obtain a first hash value. The first hash value is compared with the device key hash value in the authentication message, and a reply message is sent to the terminal device based on the comparison result.

Description

Secure connection system and method

The present invention relates to secure connection technology and, more specifically, to a secure connection system and method applied in an Internet of Things (IoT) system.

Generally, the IoT platform and the terminal devices in an IoT system are connected over a network; a user can control a terminal device through the IoT platform or receive information that the terminal device uploads to the platform. However, malicious parties may intrude into the system by impersonating the IoT platform or a terminal device, causing damage or stealing data. Communication between the IoT platform and the terminal device must therefore be secured by authentication.

In the existing approach, an authentication center is responsible for authenticating terminal devices. Although this prevents a forged terminal device, the identity of the IoT platform can still be impersonated. Providing a secure connection system and method with mutual (two-way) authentication has therefore become an urgent problem for the industry.

To solve the above problems of the prior art, one object of the present invention is to provide a secure connection system and method that offers mutual authentication.

To achieve this object, the secure connection system of the present invention comprises a terminal device and an IoT platform, the IoT platform comprising a key store and an authentication unit.

終端設備具有設備代碼及設備金鑰,並用以發送一要求認證訊息及一認證訊息。金鑰庫儲存設備代碼及設備金鑰。認證單元用以接收該終端設備所發送之要求認證訊息以發送一檢查碼至該終端設備,還用以接收該終端設備所發送之認證訊息以發送一回覆訊息至該終端設備,其中,該認證訊息包括該檢查碼、該設備代碼以及一設備金鑰雜湊值,且該認證單元還用以自該金鑰庫中尋找與該認證訊息中該設備代碼對應的設備金鑰,以對該對應的設備金鑰進行雜湊運算以獲得第一雜湊值,進而將該認證訊息中該設備金鑰雜湊值與該第一雜湊值進行比對,以依據比對結果發送回覆訊息至該終端設備。 The terminal device has a device code and a device key, and is used to send an authentication request message and an authentication message. The key bank stores device codes and device keys. The authentication unit is used to receive the authentication request message sent by the terminal device to send a check code to the terminal device, and is also used to receive the authentication message sent by the terminal device to send a reply message to the terminal device, wherein the authentication The message includes the check code, the device code, and a hash value of the device key, and the authentication unit is also used to find the device key corresponding to the device code in the authentication message from the key library, so as to determine the corresponding The device key is hashed to obtain the first hash value, and the device key hash value in the authentication message is compared with the first hash value to send a reply message to the terminal device according to the comparison result.

In one embodiment, if the comparison result is a match, the authentication unit further hashes the check code to obtain a session key and attaches the session key to the reply message.

In one embodiment, the terminal device further hashes the check code to obtain a second hash value and compares the second hash value with the session key in the reply message.

In one embodiment, the IoT platform further comprises a data storage unit for receiving data messages sent by the terminal device, the data messages being encrypted with the session key.

In one embodiment, the IoT platform further comprises a control unit for sending command messages to control the terminal device, the command messages being encrypted with the session key.

In one embodiment, if the comparison result is a mismatch, the reply message has only a header or contains a recognizable error value.

In one embodiment, the terminal device registers with the IoT platform in advance to obtain its device code and device key.

The present invention further provides a secure connection method comprising: sending an authentication request message from a terminal device; receiving the authentication request message at an authentication unit of an IoT platform and sending a check code; receiving the check code at the terminal device and sending an authentication message comprising the check code, a device code and a device key hash value; receiving the authentication message at the authentication unit, looking up in the key store of the IoT platform the device key corresponding to the device code in the authentication message, and hashing that device key to obtain a first hash value; and comparing, at the authentication unit, the device key hash value in the authentication message with the first hash value and sending a reply message to the terminal device according to the comparison result.

In one embodiment, if the comparison result is a match, the authentication unit hashes the check code to obtain a session key and attaches it to the reply message; if the comparison result is a mismatch, the reply message has only a header or contains a recognizable error value.

In one embodiment, the secure connection method further comprises: receiving the reply message at the terminal device, hashing the check code to obtain a second hash value, and comparing the second hash value with the session key in the reply message.

Compared with the prior art, in the secure connection system and method of the present invention the terminal device first sends an authentication request message; the authentication unit of the IoT platform replies with a check code; the terminal device then sends an authentication message comprising the check code, the device code and the device key hash value; and the authentication unit looks up in the IoT platform's key store the device key corresponding to the device code in the authentication message, hashes it, and compares the result with the device key hash value in the authentication message. In this way the identity of the terminal device is confirmed and a secure connection between the IoT platform and the terminal device can be established. In addition, the authentication unit can hash the check code to obtain a session key and attach the session key to the reply message sent to the terminal device; the terminal device hashes the check code it received earlier and compares the result with the session key in the reply message, thereby confirming the identity of the IoT platform. Mutual authentication is thus achieved, which fully solves the problems of the prior art.

11‧‧‧terminal device

12‧‧‧IoT platform

121‧‧‧key store

122‧‧‧authentication unit

123‧‧‧data storage unit

124‧‧‧control unit

S1~S5, S51~S53, S6‧‧‧steps

FIG. 1 is a schematic diagram of the architecture of a secure connection system according to an embodiment of the present invention.

FIG. 2 is a schematic diagram of an application of the secure connection system according to an embodiment of the present invention.

FIG. 3 is a flowchart of a secure connection method according to an embodiment of the present invention.

FIG. 4 is a flowchart of the reply message in the secure connection method according to an embodiment of the present invention.

The following specific embodiments illustrate the implementation of the present invention; those skilled in the art can readily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention may also be implemented or applied through other embodiments, and the details in this specification may be modified and changed in various ways, based on different viewpoints and applications, without departing from the spirit of the present invention.

Referring to FIGS. 1 and 2, which are schematic diagrams of the secure connection system according to an embodiment of the present invention, the secure connection system comprises a terminal device 11 and an IoT platform 12, where the IoT platform 12 comprises a key store 121 and an authentication unit 122.

In one embodiment, the terminal device 11 may be a gateway that contains, or is connected to, the various devices or sensors of the IoT (for example air quality sensors or physiological sensors), and the IoT platform 12 may be, for example, a server. The terminal device 11 has a device code and a corresponding device key; both may be composed of digits, letters or symbols. For example, the device code may be 0136 and the corresponding device key BFGW6YS8. The terminal device 11 is used to send an authentication request message and an authentication message.

In one embodiment, the key store 121 stores the device codes and device keys. The key store 121 may be, for example, a memory or a hard disk, but is not limited thereto.

In one embodiment, the authentication unit 122 receives the authentication request message sent by the terminal device 11 and generates a check code to send to the terminal device 11. The check code is a random value generated by the authentication unit 122 and may be composed of digits, letters or symbols; for example, the check code may be A2 B3 C4 D7 E5 F9.

In one embodiment, the terminal device 11 further receives the check code and sends an authentication message to the authentication unit 122. The authentication message comprises the check code, the device code and the device key hash value, where the terminal device 11 hashes the device key using the check code to obtain the device key hash value. For example, when the check code is A2 B3 C4 D7 E5 F9, the device code is 0136, the device key is BFGW6YS8, and the device key hash value obtained by hashing the device key is 47EE78547A522319, the authentication message may be A2B3C4D7E5F9013647EE78547A522319 (shown without the header). Table 1 below illustrates the authentication message in one embodiment. The authentication message has four fields: the first field is the header, used to identify the connection URL; the second field is the check code generated and sent by the authentication unit; the third field is the device code, which identifies the terminal device 11 on the IoT platform 12; and the fourth field is the device key hash value, obtained by the terminal device 11 hashing its device key using the check code.

Table 1 (figure not reproduced): authentication message fields: header; check code (e.g. A2B3C4D7E5F9); device code (e.g. 0136); device key hash value (e.g. 47EE78547A522319).

In one embodiment, the authentication unit 122 further receives the authentication message sent by the terminal device 11, looks up the corresponding device key in the key store 121 according to the device code in the authentication message, hashes the device key it finds to obtain the first hash value, compares the first hash value with the device key hash value in the authentication message, and sends a reply message to the terminal device 11 according to the comparison result. If the two values match, the terminal device 11 has passed authentication and the authentication unit 122 sends a reply message containing the session key. If they differ, the terminal device 11 has failed authentication and the authentication unit 122 sends a reply message that either omits the session key or contains a recognizable error value.

In one embodiment, if the comparison result is a match, the authentication unit 122 further hashes the check code it generated to obtain a session key and attaches the session key to the reply message sent to the terminal device 11. For example, when the check code is A2 B3 C4 D7 E5 F9, the session key obtained after hashing is D13F0BDA22B82908, and the reply message may be D13F0BDA22B82908 (shown without the header). Table 2 below illustrates the reply message in one embodiment. The reply message has two fields: the first field is the header, used to identify the connection URL; the second field is the session key, obtained by the authentication unit hashing the check code. If the terminal device 11 fails authentication by the authentication unit 122, the second field is empty or holds another recognizable error value.

Table 2 (figure not reproduced): reply message fields: header; session key (e.g. D13F0BDA22B82908, or empty / a recognizable error value when authentication fails).

In one embodiment, the terminal device 11 hashes the check code it received earlier to obtain a second hash value and compares it with the session key in the reply message. If they match, the reply message is an authenticated reply from the genuine IoT platform 12, and mutual authentication is complete.

In one embodiment, the IoT platform 12 further comprises a data storage unit 123 for receiving data messages sent by the terminal device 11, the data messages being encrypted with the session key. Once mutual authentication succeeds, the terminal device 11 can transmit encrypted data to the IoT platform 12 for storage in the data storage unit 123. The transmitted data may be, for example, PM2.5 readings from an air quality sensor or blood pressure records from a person's physiological sensor. The data storage unit 123 is a NoSQL store, so the stored data format follows the data actually transmitted, and the stored data can be used by other IoT application services: for example, an air quality monitoring service can access the PM2.5 data and a health care service can access the blood pressure records. In one embodiment, the data encryption technology may be AES, but is not limited thereto.

In one embodiment, the IoT platform 12 further comprises a control unit 124 for sending command messages to control the terminal device 11, the command messages being encrypted with the session key. Once mutual authentication succeeds, the IoT platform 12 can also issue commands to the terminal device 11: the control unit 124 encrypts the command and transmits it to the terminal device 11, for example over a RESTful or MQTT protocol, to instruct it to turn on an air purifier.

In one embodiment, both data messages and command messages can be encrypted with the session key; for example, a session key such as D13F0BDA22B82908 is used for AES-128 encryption.

In one embodiment, if the device key hash value in the authentication message received by the authentication unit 122 differs from the first hash value obtained by hashing the corresponding device key that the authentication unit 122 retrieved from the key store 121, the terminal device 11 has failed authentication, and the reply message sent by the authentication unit 122 contains a recognizable error value, for example 0000000000000000 (shown without the header).

In one embodiment, the terminal device 11 may register with the IoT platform 12 in advance to obtain its device code and device key. In another embodiment, the device code and/or the device key may be stored in a chip inside the terminal device 11.

Referring to FIG. 3, a flowchart of the secure connection method according to an embodiment of the present invention, the secure connection method of the present invention comprises the following steps:

S1. The terminal device sends an authentication request message.

S2. The authentication unit of the IoT platform receives the authentication request message and sends a check code.

S3. The terminal device receives the check code and sends an authentication message comprising the check code, the device code and the device key hash value.

S4. The authentication unit receives the authentication message, looks up in a key store the device key corresponding to the device code in the authentication message, and hashes that device key to obtain a first hash value.

S5. The authentication unit compares the device key hash value in the authentication message with the first hash value and sends a reply message to the terminal device according to the comparison result.

Steps S1 to S5 complete the authentication of the terminal device. Since the secure connection method of the present invention is applied in the secure connection system described above, refer to the foregoing description for the specific implementation; it is not repeated here.

Referring to FIG. 4, a flowchart of the reply message in the secure connection method according to an embodiment of the present invention: in S51, it is determined whether the comparison result of S5 is a match; if so, proceed to S52, otherwise proceed to S53.

S53. The reply message sent by the authentication unit has only a header or contains a recognizable error value.

S52. The authentication unit hashes the check code to obtain a session key and attaches the session key to the reply message.

S6. The terminal device receives the reply message carrying the session key, hashes the check code to obtain a second hash value, and compares the second hash value with the session key in the reply message.

Steps S5 to S6 complete the authentication of the IoT platform. In other words, steps S1 to S6 achieve mutual authentication: a secure connection can be established between the terminal device and the IoT platform, and device data or other interactive commands can subsequently be transmitted in encrypted form.
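The exchange of steps S1 to S6, using the message layout of Tables 1 and 2, as an added worked example in Python; it is not the patent's code. The page does not specify the hash functions, the header values or the message framing, so the block assumes HMAC-SHA256 and SHA-256 truncated to 16 hex characters, fixed 4-character header tags AUTH and RPLY, a 12-hex-character check code and a single-use check code on the platform side; the device code 0136 and device key BFGW6YS8 are the page's example values, but the hash values computed here differ from the page's samples 47EE78547A522319 and D13F0BDA22B82908.

```python
"""Challenge-response exchange of the secure connection system (steps S1-S6).

Added worked example, not the patent's own code. The page does not specify the
hash functions or the message framing; the choices below are assumptions and are
marked as such. Device code 0136 and device key BFGW6YS8 are the page's examples.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

AUTH_HEADER = "AUTH"    # assumed 4-character header tag of the authentication message
REPLY_HEADER = "RPLY"   # assumed 4-character header tag of the reply message
ERROR_VALUE = "0" * 16  # recognizable error value given on the page


def keyed_hash(device_key: str, check_code: str) -> str:
    """Device key hash value: HMAC-SHA256 keyed with the device key over the check
    code, truncated to 16 hex characters (assumption; page values will not match)."""
    mac = hmac.new(device_key.encode(), check_code.encode(), hashlib.sha256)
    return mac.hexdigest()[:16].upper()


def plain_hash(check_code: str) -> str:
    """Session key and second hash value: SHA-256 of the check code, 16 hex chars (assumption)."""
    return hashlib.sha256(check_code.encode()).hexdigest()[:16].upper()


class IoTPlatform:
    """Key store (121) and authentication unit (122) of the IoT platform (12)."""

    def __init__(self, key_store: Dict[str, str]) -> None:
        self.key_store = dict(key_store)  # device code -> device key
        self.issued_check_codes = set()   # assumption: a check code is single-use

    def handle_auth_request(self) -> str:
        """S2: generate a random check code (12 hex chars, like A2B3C4D7E5F9) and send it."""
        check_code = secrets.token_hex(6).upper()
        self.issued_check_codes.add(check_code)
        return check_code

    def handle_auth_message(self, message: str) -> str:
        """S4/S5: verify the authentication message and build the reply message.

        Fixed-width fields (assumption): header(4) | check code(12) | device code(4) | hash(16).
        Every failure path returns the header plus the recognizable error value (S53).
        """
        error_reply = REPLY_HEADER + ERROR_VALUE
        if len(message) != 36 or message[:4] != AUTH_HEADER:
            return error_reply
        check_code, device_code, received_hash = message[4:16], message[16:20], message[20:36]
        if check_code not in self.issued_check_codes:  # not issued by us, or already consumed
            return error_reply
        self.issued_check_codes.discard(check_code)
        device_key = self.key_store.get(device_code)  # look up the key for this device code
        if device_key is None:
            return error_reply
        first_hash = keyed_hash(device_key, check_code)
        if not hmac.compare_digest(first_hash, received_hash):  # constant-time comparison
            return error_reply
        # S52: on a match the session key is the hash of the check code. As on the page,
        # it depends only on the check code, which crossed the network in the clear in S2/S3.
        return REPLY_HEADER + plain_hash(check_code)


class TerminalDevice:
    """Terminal device (11) holding its device code and device key."""

    def __init__(self, device_code: str, device_key: str) -> None:
        self.device_code = device_code
        self.device_key = device_key
        self.check_code: Optional[str] = None

    def build_auth_message(self, check_code: str) -> str:
        """S3: keep the check code for S6 and send header | check code | device code | hash."""
        self.check_code = check_code
        return AUTH_HEADER + check_code + self.device_code + keyed_hash(self.device_key, check_code)

    def verify_reply(self, reply: str) -> Optional[str]:
        """S6: compare the second hash value with the received session key.
        Returns the session key, or None if the reply is an error or does not match."""
        if self.check_code is None or len(reply) != 20 or reply[:4] != REPLY_HEADER:
            return None
        session_key = reply[4:]
        if session_key == ERROR_VALUE:
            return None
        second_hash = plain_hash(self.check_code)
        return session_key if hmac.compare_digest(second_hash, session_key) else None


def run_handshake(device: TerminalDevice, platform: IoTPlatform) -> Optional[str]:
    """Run S1-S6 end to end; returns the agreed session key, or None on failure."""
    check_code = platform.handle_auth_request()           # S1 request, S2 check code
    auth_message = device.build_auth_message(check_code)  # S3
    reply = platform.handle_auth_message(auth_message)    # S4, S5, S51-S53
    return device.verify_reply(reply)                     # S6
```

`run_handshake(TerminalDevice("0136", "BFGW6YS8"), IoTPlatform({"0136": "BFGW6YS8"}))` returns the 16-hex-character session key, while a wrong device key, an unknown device code, a malformed message or a reused check code all produce the error reply and `None` on the device side.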

In summary, in the secure connection system and method of the present invention the terminal device sends an authentication request message, the authentication unit of the IoT platform sends a check code, the terminal device sends an authentication message comprising the check code, the device code and the device key hash value, and the authentication unit looks up in the IoT platform's key store the device key corresponding to the device code in the authentication message, hashes it, and compares the result with the device key hash value in the authentication message. In this way the identity of the terminal device is confirmed and a secure connection between the IoT platform and the terminal device can be established. In addition, the authentication unit can hash the check code to obtain a session key and send a reply message containing it; on receipt, the terminal device hashes the check code it received earlier and compares the result with the session key in the reply message, thereby confirming the identity of the IoT platform. Mutual authentication is thus achieved, which fully solves the problems of the prior art. Furthermore, the invention is also applicable in environments where the terminal transmits little data and has limited hardware capability.

The above embodiments merely illustrate the principles and effects of the present invention and are not intended to limit it. Anyone skilled in the art may modify and vary the above embodiments without departing from the spirit and scope of the present invention. The scope of protection of the present invention should therefore be as set out in the claims below.


Claims (12)

一種安全連線系統,包括:終端設備,具有設備代碼及設備金鑰,並用以發送一要求認證訊息及接收一檢查碼以發送一認證訊息,其中,該認證訊息包括該檢查碼、該設備代碼以及一設備金鑰雜湊值;以及物聯網平台,包括:金鑰庫,儲存該設備代碼及該設備金鑰;以及認證單元,用以接收該終端設備所發送之該要求認證訊息以發送該檢查碼至該終端設備,並用以接收該終端設備所發送之該認證訊息以發送一回覆訊息至該終端設備,其中,該認證單元還用以自該金鑰庫中尋找與該認證訊息中該設備代碼對應的設備金鑰,以對該對應的設備金鑰進行雜湊運算以獲得第一雜湊值,進而將該認證訊息中該設備金鑰雜湊值與該第一雜湊值進行比對,以依據比對結果發送該回覆訊息至該終端設備。 A secure connection system includes: a terminal device, which has a device code and a device key, and is used to send an authentication request message and receive a check code to send an authentication message, wherein the authentication message includes the check code and the device code And a device key hash value; and the Internet of Things platform, including: a key store that stores the device code and the device key; and an authentication unit for receiving the authentication request message sent by the terminal device to send the check Code to the terminal device, and used to receive the authentication message sent by the terminal device to send a reply message to the terminal device, wherein the authentication unit is also used to search for the device in the authentication message from the key bank The device key corresponding to the code is used to perform a hash operation on the corresponding device key to obtain the first hash value, and then the device key hash value in the authentication message is compared with the first hash value to compare Send the reply message to the terminal device for the result. 如申請專利範圍第1項所述的安全連線系統,其中,若該比對結果為相同,則該認證單元還用以將該檢查碼進行雜湊運算以取得一對話金鑰,並將該對話金鑰附於該回覆訊息中。 For example, the secure connection system described in item 1 of the scope of patent application, wherein, if the comparison result is the same, the authentication unit is also used to hash the check code to obtain a conversation key, and to transfer the conversation The key is attached to the reply message. 
3. The secure connection system of claim 2, wherein the terminal device is further configured to perform a hash operation on the check code to obtain a second hash value, and to compare the second hash value with the session key in the reply message.

4. The secure connection system of claim 2, wherein the IoT platform further includes a data storage unit configured to receive a data message sent by the terminal device, the data message being encrypted with the session key.

5. The secure connection system of claim 2, wherein the IoT platform further includes a control unit configured to send a command message to control the terminal device, the command message being encrypted with the session key.

6. The secure connection system of claim 2, wherein, if the comparison result is not identical, the reply message has only a header or includes a value identifying the error.

7. The secure connection system of claim 1, wherein the terminal device registers with the IoT platform in advance to obtain the device code and the device key.

8. A secure connection method, comprising: sending an authentication request message via a terminal device; receiving the authentication request message via an authentication unit of an IoT platform to send a check code; receiving the check code via the terminal device to send an authentication message, wherein the authentication message includes the check code, a device code and a device key hash value; receiving the authentication message via the authentication unit to look up, in a key store of the IoT platform, the device key corresponding to the device code in the authentication message, and performing a hash operation on the corresponding device key to obtain a first hash value; and comparing, via the authentication unit, the device key hash value in the authentication message with the first hash value, so as to send a reply message to the terminal device according to the comparison result.

9. The secure connection method of claim 8, wherein the terminal device registers with the IoT platform in advance to obtain the device code and the device key.

10. The secure connection method of claim 8, wherein, if the comparison result is identical, the authentication unit performs a hash operation on the check code to obtain a session key and attaches the session key to the reply message.

11. The secure connection method of claim 10, further comprising: receiving the reply message via the terminal device, performing a hash operation on the check code to obtain a second hash value, and comparing the second hash value with the session key in the reply message.

12. The secure connection method of claim 8, wherein, if the comparison result is not identical, the reply message has only a header or includes a value identifying the error.
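A runnable sketch of the exchange in claims 8 to 12 (with the terminal-side check of claim 3 and the failure reply of claim 6), added here as an example and not code from the patent: SHA-256 stands in for the unspecified hash operation, the class names, message field names and the single-use check-code set are assumptions, and the key store is a constructed in-memory dictionary.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

def h(data: bytes) -> bytes:
    """The 'hash operation' of the claims; SHA-256 is assumed (the claims name no algorithm)."""
    return hashlib.sha256(data).digest()

class AuthenticationUnit:
    """IoT-platform authentication unit with its key store (claims 8, 10 and 12)."""
    def __init__(self, key_store: Dict[bytes, bytes]):
        self.key_store = key_store        # device code -> device key, filled at registration (claim 9)
        self.pending: Set[bytes] = set()  # assumption beyond the claims: each check code is used once

    def handle_request(self) -> bytes:
        # Answer an authentication request message with a fresh random check code.
        check_code = secrets.token_bytes(16)
        self.pending.add(check_code)
        return check_code

    def handle_authentication(self, msg: dict) -> dict:
        """Look up the device key, hash it, compare with the received hash and build the reply."""
        check_code = msg["check_code"]
        if check_code not in self.pending:
            return {"header": "auth", "error": "unknown or reused check code"}
        self.pending.discard(check_code)
        device_key = self.key_store.get(msg["device_code"])
        if device_key is None:
            return {"header": "auth", "error": "unknown device code"}
        first_hash = h(device_key)
        if not hmac.compare_digest(first_hash, msg["device_key_hash"]):
            return {"header": "auth", "error": "device key mismatch"}  # claim 12: header plus error value
        return {"header": "auth", "session_key": h(check_code)}        # claim 10: session key = H(check code)

class TerminalDevice:
    """Terminal device holding the device code and device key obtained at registration."""
    def __init__(self, device_code: bytes, device_key: bytes):
        self.device_code, self.device_key = device_code, device_key

    def connect(self, unit: AuthenticationUnit) -> Optional[bytes]:
        """Run the exchange of claim 8 and the check of claim 11; return the session key or None."""
        check_code = unit.handle_request()
        auth_msg = {"check_code": check_code, "device_code": self.device_code,
                    "device_key_hash": h(self.device_key)}
        reply = unit.handle_authentication(auth_msg)
        if "session_key" not in reply:
            return None
        second_hash = h(check_code)  # claim 11: recompute the hash of the check code and compare
        return reply["session_key"] if hmac.compare_digest(second_hash, reply["session_key"]) else None
```

Because the device key hash in the authentication message does not depend on the check code, the comparison of claim 8 on its own does not tie an authentication message to the check code just issued; the single-use check-code set added here is one way the unit can enforce that binding.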
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108144312A TWI733265B (en) 2019-12-04 2019-12-04 Secure connection system and method of the same

Publications (2)

Publication Number Publication Date
TW202123726A (en) 2021-06-16
TWI733265B (en) 2021-07-11

Family

ID=77516981

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3937526A1 (en) * 2020-07-07 2022-01-12 Grundfos Holding A/S Enrolment procedure for a device to a cloud storage

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWM583966U (en) * 2019-05-03 2019-09-21 健行學校財團法人健行科技大學 Internet-of-Things encryption device
TW201944756A (en) * 2018-04-17 2019-11-16 香港商阿里巴巴集團服務有限公司 Method and apparatus for communication between internet of things devices
