TWI747659B - IoT system and privacy authorization method - Google Patents

Publication number: TWI747659B
Application number: TW109143839A
Authority: TW (Taiwan)
Other languages: Chinese (zh)
Other versions: TW202224378A (en)
Inventors: 賴昌祈, 張明信, 黃筱珊
Original Assignee: 中華電信股份有限公司
Application filed by 中華電信股份有限公司; priority to TW109143839A
Prior art keywords: node, server, public key, certificate, private

Abstract

An IoT system and a privacy authorization method are provided. In the method, multiple private key values are generated based on elliptic-curve cryptography (ECC). ECC includes the ECQV algorithm. A server public key of the server is generated based on ECC through the private key value of the server. The node public key is generated based on ECC through the server public key and the private key value of the node. The server and the node belong to the IoT of a blockchain. The identification code of the server is encoded through the node public key to generate the node certificate. The node certificate is published on the IoT of the blockchain. Accordingly, secure privacy authorization can be implemented in an open, non-trust-based IoT environment.

Description

Internet of Things system and privacy authorization method

The present invention relates to a data authorization mechanism, and in particular to an Internet of Things system and a privacy authorization method for use with a blockchain.

According to forecasts by an international research and advisory firm, the number of endpoints in the global enterprise Internet of Things (IoT) market will grow to 5.8 billion in 2020, an increase of 21% over 2019. How to strengthen the storage and secure exchange of the large volume of sensitive and confidential data among IoT devices, how to reduce the risk of IoT data being stolen, and how to build, on a zero-trust network, a system for secure IoT privacy authorization and correct blockchain data verification are among the urgent current goals of practitioners and researchers in the field.

In view of this, the present invention provides an Internet of Things system and a privacy authorization method that combine cryptography and blockchain to strengthen data authentication and authorization.

The privacy authorization method of an embodiment of the present invention is applicable to an Internet of Things of a blockchain, and includes (but is not limited to) the following steps. Multiple private key values are randomly generated based on elliptic-curve cryptography (ECC). The elliptic-curve cryptography includes the ECQV (Elliptic Curve Qu-Vanstone) algorithm. A server public key of a server is generated based on the elliptic-curve cryptography through the private key value of the server. A node public key of a node is generated based on the elliptic-curve cryptography through the server public key and the private key value of the node. The server and the node belong to the Internet of Things of the blockchain. The identification code of the server is encoded through the node public key to generate a node certificate of the node. The node certificate is published in the Internet of Things of the blockchain.

The Internet of Things system of an embodiment of the present invention is applicable to an Internet of Things of a blockchain, and includes (but is not limited to) a node, a certificate management center, and a server. The node collects sensing data. The certificate management center issues an original certificate. The server randomly generates multiple private key values based on elliptic-curve cryptography, generates the server public key of the server based on the elliptic-curve cryptography through the private key value of the server, generates the node public key of the node based on the elliptic-curve cryptography through the server public key and the private key value of the node, encodes the identification code of the server through the node public key to generate the node certificate of the node, and publishes the node certificate in the Internet of Things of the blockchain. The elliptic-curve cryptography includes the ECQV algorithm.

Based on the above, the IoT system and privacy authorization method according to embodiments of the present invention use elliptic-curve cryptography to generate the server public key and the node public key respectively, use the node public key together with the original certificate to further generate the node certificate of the corresponding node, and publish the node certificate in the blockchain for identity confirmation. This avoids using a session key as the encryption negotiation key, and thus avoids the frequent key exchanges that increase the chance of data being cracked, which in turn prevents private data from being stolen and ensures the security of node-to-node data transfer.

To make the above features and advantages of the present invention easier to understand, embodiments are described in detail below with reference to the accompanying drawings.

1: system

10: Internet of Things

20, 30: group proxy server

25, 35: group privacy database

40A1~40An, 40B1~40Bm: node

41: sensor

60: certificate management center

70: blockchain

S101~S105, S200~S208, S301~S311: steps

FIG. 1 is a system architecture diagram of the Internet of Things according to an embodiment of the present invention.

FIG. 2 is a flowchart of the identity authentication phase according to an embodiment of the present invention.

FIG. 3 is a flowchart of the key generation phase according to an embodiment of the present invention.

FIG. 4 is a flowchart of the data authorization phase according to an embodiment of the present invention.

FIG. 1 is a system architecture diagram of the Internet of Things according to an embodiment of the present invention. Referring to FIG. 1, the system 1 includes (but is not limited to) group proxy servers 20, 30, group privacy databases 25, 35, nodes 40A1~40An, 40B1~40Bm (m and n are positive integers), sensors 41, and a certificate management center 60.

The group proxy servers 20, 30 may be various types of computer systems (for example, desktop or notebook computers, servers, smartphones or tablet computers). The IoT group proxy servers 20, 30 can connect to the Internet of Things 10. In one embodiment, the IoT group proxy servers 20, 30 belong to two groups. For example, the IoT group proxy server 20 belongs to group A, and the IoT group proxy server 30 belongs to group B.

The group privacy databases 25, 35 are connected to the IoT group proxy servers 20, 30 respectively. The group privacy databases 25, 35 may be storage servers or various types of storage (for example, a solid-state drive (SSD), a conventional hard disk drive (HDD), or cache memory).

The nodes 40A1~40An, 40B1~40Bm may be routers, relay stations or switches. The nodes 40A1~40An, 40B1~40Bm can connect to the Internet of Things 10. In one embodiment, each of the nodes 40A1~40An, 40B1~40Bm collects the sensing data of its corresponding sensor 41 (for example, data related to weather, force, electrical properties, sound, or other physical, mechanical or software states). In some embodiments, the nodes 40A1~40An belong to group A, and the nodes 40B1~40Bm belong to group B.

The certificate management center (Certificate Authority, CA) 60 manages, authenticates and issues certificates, and its operation can be implemented by a computer system. The purpose of a digital certificate is to prove that the user listed in the certificate legitimately owns the public key listed in the certificate.

Hereinafter, the method of the embodiments of the present invention is described with reference to the devices in the system 1. Each flow of the method may be adjusted according to the implementation, and is not limited to what is described here.

FIG. 2 is a flowchart of the identity authentication phase according to an embodiment of the present invention. Referring to FIG. 2, the identity authentication phase of the nodes 40A1~40An, 40B1~40Bm in the Internet of Things 10 is the phase in which the nodes 40A1~40An, 40B1~40Bm establish an identity registration mechanism with a trusted certificate system and identity certificates are generated. After obtaining a certificate from the certificate management center, the group proxy servers 20, 30 use ECQV (Elliptic Curve Qu-Vanstone) or another elliptic-curve cryptography (ECC) related algorithm in a proxy certificate mechanism that generates multiple public/private key pairs on its own and redistributes them to the nodes 40A1~40An, 40B1~40Bm in the Internet of Things 10 for use.

Specifically, the group proxy servers 20, 30 each submit an original certificate request to the certificate management center 60 (step S101). The certificate management center 60 may issue an original certificate to the corresponding group proxy server 20, 30 (step S102). The nodes 40A1~40An, 40B1~40Bm may submit a registration application to the group proxy servers 20, 30 to request to join a group (step S103). According to the registration application, the group proxy servers 20, 30 may issue to the nodes 40A1~40An, 40B1~40Bm a registration serial number and an access password for reading the privacy databases 25, 35 (step S104).

Next, the group proxy servers 20, 30 may each take the original certificate issued by the certificate management center 60 and use ECQV or another ECC-related algorithm to generate, on their own, multiple sets of node certificates for the nodes 40A1~40An, 40B1~40Bm (step S105). Specifically, FIG. 3 is a flowchart of the key generation phase according to an embodiment of the present invention. Referring to FIG. 3, the group proxy server 20 is taken as an example below, but the group proxy server 30 can implement the same or a similar procedure. For a certificate application (step S200), the group proxy server 20 randomly generates multiple private key values based on ECC (step S201). ECC is an algorithm for establishing public-key encryption, that is, asymmetric encryption. Public-key encryption is the foundation of modern network security and of the chain of trust. A major feature of public-key encryption is that each of the two communicating parties has its own public/private key pair, and the two keys of a pair have a specific mathematical relationship. In addition, each communicating party stores its own private key and discloses its own public key. Even if a third party maliciously obtains either party's public key, it cannot decrypt successfully. ECC introduces the discrete logarithm problem on an elliptic curve into that specific mathematical relationship between the public and private keys. Besides ECQV, algorithms such as ECDH (Elliptic Curve Diffie-Hellman) and EdDSA (Edwards-curve Digital Signature Algorithm) also belong to ECC.

The group proxy server 20 may generate its server public key based on ECC through its own private key value (step S202). For example, the group proxy server 20 performs a point multiplication of its own private key value and one of multiple parameter base points on the elliptic curve to generate the server public key belonging to the server. The group proxy server 20 may send the server public key and its own identification code (for example, name, organization, country, purpose, validity period, etc.) to the certificate management center 60 (step S203).

The certificate management center 60 may verify the server public key generated by the group proxy server 20 according to ECC (step S204), and issue the original certificate to the group proxy server 20 according to the verification result (step S205). The group proxy server 20 may select the private key value of one of the nodes 40A1, 40A2, ... or 40An in group A (step S206), and generate the node public key of the selected node (node 40A1 is taken as an example, without limitation) based on ECC through the server public key and the private key value of that node (step S207). For example, the group proxy server 20 performs a point multiplication of the private key value of the node 40A1 and one of multiple parameter base points on the elliptic curve to generate the node public key belonging to the node 40A1.

The group proxy server 20 may use this node public key to encode the identification code belonging to the server and the other data required for the certificate, to generate the node certificate of the node 40A1 (for example, the certificate value produced by the encoding) (step S208). That is, a digital signature is applied to the node public key with the private key value to generate the node certificate. The node certificates of all groups and all nodes 40A1~40An in the Internet of Things 10 are published in the Internet of Things 10 of the blockchain, so that all nodes 40A1~40An, 40B1~40Bm can query them to confirm identities.
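Steps S201 to S208 name ECQV without spelling out the exchange, so the following added example (not code from the patent or its applicant) walks through standard ECQV implicit-certificate issuance as specified in SEC 4, with the group proxy server as issuer and a node as requester. In standard ECQV the node contributes its own secret k_U, so the issuer never learns the node's final private key. The curve (secp256k1), the SHA-256 hash, the certificate byte layout and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# secp256k1 domain parameters. Assumption: the patent names no curve.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """True for the point at infinity (None) or a point on y^2 = x^3 + 7."""
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def encode_cert(p_u, identity):
    """Constructed minimal certificate: compressed P_U followed by identity bytes."""
    return bytes([2 + (p_u[1] & 1)]) + p_u[0].to_bytes(32, "big") + identity

def decode_cert(cert):
    """Recover P_U and the identity; rejects x values that are not on the curve."""
    if len(cert) < 33 or cert[0] not in (2, 3):
        raise ValueError("malformed certificate")
    x = int.from_bytes(cert[1:33], "big")
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
    if x >= P or y * y % P != rhs:
        raise ValueError("certificate point is not on the curve")
    return (x, y if (y & 1) == (cert[0] & 1) else P - y), cert[33:]

def cert_hash(cert):
    """e = SHA-256(cert) reduced mod n."""
    return int.from_bytes(hashlib.sha256(cert).digest(), "big") % N

def node_request():
    """Node: ephemeral secret k_U and the request point R_U = k_U * G."""
    k_u = 1 + secrets.randbelow(N - 1)
    return k_u, mul(k_u, G)

def reconstruct_public(cert, q_srv):
    """Any peer: Q_U = e * P_U + Q_srv, from the published certificate alone."""
    p_u, _ = decode_cert(cert)
    q_u = add(mul(cert_hash(cert), p_u), q_srv)
    if q_u is None:
        raise ValueError("degenerate public key")
    return q_u

def server_issue(d_srv, r_u, identity):
    """Issuer: P_U = R_U + k * G, cert = Encode(P_U, id), r = e * k + d_srv mod n."""
    if r_u is None or not on_curve(r_u):
        raise ValueError("invalid request point")
    while True:
        k = 1 + secrets.randbelow(N - 1)
        p_u = add(r_u, mul(k, G))
        if p_u is None:
            continue
        cert = encode_cert(p_u, identity)
        e = cert_hash(cert)
        if e and add(mul(e, p_u), mul(d_srv, G)) is not None:
            return cert, (e * k + d_srv) % N

def node_finish(k_u, cert, r, q_srv):
    """Node: d_U = e * k_U + r mod n, accepted only if d_U * G == Q_U."""
    d_u = (cert_hash(cert) * k_u + r) % N
    q_u = reconstruct_public(cert, q_srv)
    if mul(d_u, G) != q_u:
        raise ValueError("issuer response does not match the certificate")
    return d_u, q_u
```

An altered certificate still reconstructs to some curve point, so a peer reading it from the ledger learns nothing about authenticity until the node proves possession of d_U, for example with a signature that verifies under Q_U.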

FIG. 4 is a flowchart of the data authorization phase according to an embodiment of the present invention. Referring to FIG. 4, the sensing data that the nodes 40A1~40An, 40B1~40Bm collect from their sensors 41 can be made into a privacy authorization form. The privacy authorization form contains the authorized items, the data content of the authorized items, the sensing time of the authorized data, the permissions of the authorized items, and so on. The group proxy servers 20, 30 encrypt the authorized privacy form data with the asymmetric public key of the group proxy server 20, 30 to which the node 40A1~40An, 40B1~40Bm applying for authorization belongs, and write the privacy authorization form into the privacy database 25, 35 of the group proxy server 20, 30 of the node applying for authorization. The node 40A1~40An, 40B1~40Bm applying for authorization can decrypt it with its own registration serial number and access password, so that authorized private data is obtained efficiently within a short time.

For example, the sensor 41 of the node 40A1 of group A performs detection to obtain sensing data. The node 40A1 encrypts the sensing data using a signature made with its own node certificate and the access password obtained at registration, and then sends it to the privacy database 25 of group A for centralized storage (step S301).

Assume that the node 40B1 of group B applies to group A for authorization of the sensor data of the node 40A1 (that is, issues an access request) (step S302). The group proxy server 20 of group A may read the sensing data of the sensor 41 of the node 40A1 from the privacy database 25 of group A, and decrypt the encrypted sensing data with the access password obtained at registration by the node 40A1 (step S303). The group proxy server 20 of group A uses the group certificate corresponding to group A (for example, the original certificate) and the node certificate of the node 40A1 to make a signature of a public-key cryptographic algorithm (for example, the Elliptic Curve Digital Signature Algorithm (ECDSA), the RSA encryption algorithm, or the Digital Signature Algorithm (DSA)) over the sensing data obtained by the sensor 41 of the node 40A1, encrypts the signature and the sensing data of the sensor 41 of the node 40A1 with the asymmetric encryption (for example, RSA, ElGamal, or Rabin) public key of the group proxy server 30 of group B, and sends the privacy authorization data produced by the encryption to group B (step S304).

The group proxy server 30 of group B decrypts the privacy authorization data of the node 40A1 of group A with the asymmetric encryption private key (for example, an RSA private key, corresponding to the RSA used in step S304), and reads the group certificate of group A and the node certificate of the node 40A1 from the privacy blockchain 70 to verify the signatures of group A and the node 40A1, thereby confirming their identity and the privacy authorization data (step S305).

Finally, the group proxy server 30 of group B may encrypt the privacy authorization data of the node 40A1 of group A with the access password registered by the node 40B1 and send it to the node 40B1 (step S306).

For one-to-many authorization, assume that the node 40B1 of group B applies to group A for authorization of a package of the sensing data of all sensors 41 of the node 40A1, the node 40A2 and the node 40A3 (step S307).

The group proxy server 20 of group A reads the sensing data of all sensors 41 of the node 40A1, the node 40A2 and the node 40A3 from the privacy database 25 of group A, and decrypts the encrypted sensing data with the access passwords obtained at registration by the node 40A1, the node 40A2 and the node 40A3 (step S308). The group proxy server 20 of group A uses the group certificate corresponding to group A and the respective node certificates of the node 40A1, the node 40A2 and the node 40A3 to make signatures of a public-key cryptographic algorithm over the sensing data of the sensors 41 of the node 40A1, the node 40A2 and the node 40A3 respectively, encrypts each signature together with the sensing data of the sensors 41 of the node 40A1, the node 40A2 and the node 40A3 with the asymmetric encryption public key (for example, an RSA public key) of the group proxy server 30 of group B, and sends the privacy authorization data produced by the encryption to group B (step S309).

The group proxy server 30 of group B decrypts the privacy authorization data of the node 40A1, the node 40A2 and the node 40A3 of group A with the asymmetric encryption private key of group B (for example, an RSA private key), and reads the group certificate of group A and the respective node certificates of the node 40A1, the node 40A2 and the node 40A3 from the privacy blockchain 70 to verify the signatures of group A and of the node 40A1, the node 40A2 and the node 40A3, thereby confirming the identities and the privacy authorization data (step S310).

Finally, the group proxy server 30 of group B may encrypt the privacy authorization data of the node 40A1, the node 40A2 and the node 40A3 of group A with the access password registered by the node 40B1 and send it to the node 40B1 (step S311).

In summary, in the IoT system and privacy authorization method of the embodiments of the present invention, a proxy server manages a group of IoT nodes, and an identity verification mechanism based on implicit-certificate ECC-related algorithms is established in the blockchain system of the Internet of Things. The authorization method for IoT nodes is a multiple identity confirmation using certificates of ECC-related algorithms, linked to an anchored blockchain system, so that nodes do not need to keep generating session keys to exchange private data, thereby achieving fast mutual access authorization and verification of private data.

The embodiments of the present invention further include the following features and effects:

In the embodiments of the present invention, the group proxy server applies to the certificate management center for issuance of an original certificate, and then, in a proxy certificate mechanism, generates on its own multiple sets of node certificates of ECC-related algorithms and distributes them to the nodes for use. In addition, the node certificates of all nodes are published in the blockchain system of the Internet of Things. Performing multiple identity verification with the multiple sets of node certificates generated by the ECC-related algorithms and the original certificate confirms the security of the original node's authorization, and has the advantage of fast authorization of private data.

The group proxy server of the embodiments of the present invention uses the certificate issued by the certificate management center to perform package authorization on the privacy authorization data generated by the nodes. The nodes perform multiple identity confirmation through the corresponding node certificate and the original certificate. The embodiments of the present invention provide a package structure for multi-node authorized private data, performing identity confirmation between nodes and collective authorization of private data, so as to achieve direct multi-node to multi-node authorization of private data.

The embodiments of the present invention use the security properties of an asymmetric cryptosystem: once both nodes have established identity verification, the asymmetric encryption public key of the group proxy server can be used for multiple transmissions of privacy authorization data. This reduces the usual use of session keys to authorize data, and avoids the frequent key exchanges that increase the chance of data being cracked. Private data is thereby protected from theft, and the security of authorized node-to-node data transmission is ensured.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Anyone with ordinary knowledge in the technical field may make minor changes and refinements without departing from the spirit and scope of the present invention, so the scope of protection of the present invention shall be as defined by the appended claims.

20: group proxy server

S200~S208: steps

Claims (8)

1. A privacy authorization method, applicable to an Internet of Things (IoT) of a blockchain, comprising:
randomly generating a plurality of private key values based on elliptic-curve cryptography (ECC), wherein the elliptic-curve cryptography includes the ECQV (Elliptic Curve Qu-Vanstone) algorithm;
generating, based on the elliptic-curve cryptography, a server public key of a server from one of the private key values of the server;
generating, based on the elliptic-curve cryptography, a node public key of a node from the server public key and one of the private key values of the node, wherein the server and the node belong to the IoT of the blockchain;
encoding an identification code of the server with the node public key to generate a node certificate of the node;
publishing the node certificate in the IoT of the blockchain;
encrypting, by the node, the collected sensing data with the corresponding node certificate and the access password, and storing it in the privacy database, wherein the sensing data is obtained by a sensor;
in response to an access request, creating a signature of a public-key encryption algorithm for the sensing data with the corresponding node certificate and a group certificate;
encrypting the signature and the sensing data with an asymmetric encryption public key to generate privacy authorization data;
decrypting the privacy authorization data with an asymmetric encryption private key corresponding to the asymmetric encryption public key, and verifying the signature with the group certificate and the node certificate; and
encrypting, according to the verification result, the privacy authorization data with the access password of another node that issued the access request.

2. The privacy authorization method according to claim 1, wherein the step of generating the server public key of the server comprises: performing a point multiplication on the private key value of the server and one of a plurality of parameter base points on an elliptic curve to generate the server public key of the server.

3. The privacy authorization method according to claim 1, further comprising, after the step of generating the server public key of the server:
transmitting the server public key and the identification code to a certificate management center;
verifying, by the certificate management center, the server public key according to the elliptic-curve cryptography; and
issuing an original certificate to the server according to the verification result.

4. The privacy authorization method according to claim 1, further comprising, before the step of generating the server public key of the server:
receiving, by the server, a registration application from the node; and
issuing to the node, according to the registration application, a registration serial number and an access password for reading a privacy database.

5. An Internet of Things system, applicable to an Internet of Things of a blockchain, comprising:
a node, configured to collect sensing data;
a certificate management center, configured to issue an original certificate;
a server, configured to randomly generate a plurality of private key values based on elliptic-curve cryptography, generate a server public key of the server from one of the private key values of the server based on the elliptic-curve cryptography, generate a node public key of the node from the server public key and one of the private key values of the node based on the elliptic-curve cryptography, encode an identification code of the server with the node public key to generate a node certificate of the node, and publish the node certificate in the IoT of the blockchain, wherein the elliptic-curve cryptography includes the ECQV algorithm;
a second node; and
a second server,
wherein the node encrypts the collected sensing data with the corresponding node certificate and the access password and stores it in the privacy database, the sensing data being obtained by a sensor; in response to an access request from the second node, the server creates a signature of a public-key encryption algorithm for the sensing data with the corresponding node certificate and a group certificate; the server encrypts the signature and the sensing data with an asymmetric encryption public key to generate privacy authorization data; the second server decrypts the privacy authorization data with an asymmetric encryption private key corresponding to the asymmetric encryption public key and verifies the signature with the group certificate and the node certificate; and the second server, according to the verification result, encrypts the privacy authorization data with the access password of the second node that issued the access request and transmits it to the second node.

6. The Internet of Things system according to claim 5, wherein the server performs a point multiplication on the private key value of the server and one of a plurality of parameter base points on an elliptic curve to generate the server public key.

7. The Internet of Things system according to claim 5, wherein the server transmits the server public key and the identification code to the certificate management center, the certificate management center verifies the server public key according to the elliptic-curve cryptography, and the certificate management center issues an original certificate to the server according to the verification result.

8. The Internet of Things system according to claim 5, wherein the server receives a registration application from the node, and the server issues to the node, according to the registration application, a registration serial number and an access password for reading a privacy database.
TW109143839A 2020-12-11 2020-12-11 Iot system and privacy authorization method TWI747659B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109143839A TWI747659B (en) 2020-12-11 2020-12-11 Iot system and privacy authorization method

Publications (2)

Publication Number Publication Date
TWI747659B true TWI747659B (en) 2021-11-21
TW202224378A TW202224378A (en) 2022-06-16

Family

ID=79907751

Family Applications (1)

Application Number Title Priority Date Filing Date
TW109143839A TWI747659B (en) 2020-12-11 2020-12-11 Iot system and privacy authorization method

Country Status (1)

Country Link
TW (1) TWI747659B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013053058A1 (en) * 2011-10-10 2013-04-18 Certicom Corp. Generating implicit certificates
US20170250822A1 (en) * 2016-02-25 2017-08-31 Commissariat A L'energie Atomique Et Aux Energies Alternatives Method of managing implicit certificates using a distributed public keys infrastructure
CN108390851A (en) * 2018-01-05 2018-08-10 郑州信大捷安信息技术股份有限公司 A kind of secure remote control system and method for industrial equipment
US20190036906A1 (en) * 2017-07-28 2019-01-31 SmartAxiom, Inc. System and method for iot security
US10380362B2 (en) * 2015-05-22 2019-08-13 Iot And M2M Technologies, Llc Cryptographic unit for public key infrastructure (PKI) operations
TWI732247B (en) * 2019-07-16 2021-07-01 中華電信股份有限公司 Method to display the validation of certificate at signing time
