WO2018076798A1 - 一种传输数据的方法和装置 - Google Patents

一种传输数据的方法和装置 Download PDF

Info

Publication number
WO2018076798A1
WO2018076798A1 PCT/CN2017/092883 CN2017092883W WO2018076798A1 WO 2018076798 A1 WO2018076798 A1 WO 2018076798A1 CN 2017092883 W CN2017092883 W CN 2017092883W WO 2018076798 A1 WO2018076798 A1 WO 2018076798A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
puzzle
base station
message
iot device
Prior art date
Application number
PCT/CN2017/092883
Other languages
English (en)
French (fr)
Inventor
康鑫
王海光
雷中定
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2018076798A1 publication Critical patent/WO2018076798A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service

Definitions

  • the present application relates to the field of communications, and in particular, to a method and apparatus for transmitting data.
  • the Internet of Things (IoT) is an important application scenario for the 5th-generation (5G) mobile communication system.
  • the number of IoT devices varies from one form to another, and the data transmission mode is different from that of traditional mobile devices such as mobile phones.
  • the data of the mobile phone user is mainly sent in the form of a stream, and multiple data packets are sent for a period of time.
  • a large number of IoT devices (such as smart meters) sleep most of the time, and may only send one small packet for a while.
  • Sending data in the traditional mode that is, sending data by establishing a connection and re-establishing a security context, will result in high cost of data transmission, which is not conducive to operators expanding their business scope and expanding their business to low-cost IoT services.
  • the 5G network introduces a new architecture and transmission mode for the small data mode of IoT.
  • the network does not need to establish a security context through additional signaling for data authentication, allowing the IoT device to not authenticate, Establish a connection and send small packets directly to the cellular network.
  • this mechanism is abused, the attacker can use a large number of controlled IoT devices to send small packets to the cellular network in a way that does not require authentication and does not require a security context to be established, which is highly prone to distributed denial of service ( Distributed denial of service (DDoS) attacks, causing network congestion and even paralyzing the network.
  • DDoS Distributed denial of service
  • a method for sending a puzzle to a IoT device by a base station reduces the impact of a DDoS attack on a network device, that is, the base station sends a problem through a broadcast message, and the IoT device that receives the broadcast message needs a calculation problem, and then answers and waits
  • the transmitted data is sent to the base station together, and the calculation problem can prolong the period in which the IoT device sends data, thereby reducing the impact of the DDoS attack on the network device.
  • the current base station only sends one problem at a time. If the difficulty of the problem is small, the IoT device can calculate the answer in a small amount of time, and cannot effectively reduce the impact of the DDoS attack on the network device. Large, IoT devices take a lot of time to send a small packet, which greatly affects the work of normal IoT devices.
  • the present application provides a method and an apparatus for transmitting data.
  • the IoT device After receiving a plurality of different difficulty challenges sent by a base station, the IoT device selects a problem that matches the size of the data to be sent from among multiple puzzles. Therefore, the impact of DDoS attacks on network devices can be effectively reduced, and the impact of the problem on normal IoT devices can be reduced.
  • a method for transmitting data comprising: a base station transmitting a broadcast message including a plurality of puzzles, wherein the plurality of puzzles are different in difficulty; the base station receives first data from an IoT device, first An indication of the puzzle and an answer to the first puzzle, wherein the first difficulty is that the IoT device is determined from the plurality of puzzles according to a size of the first data; The difficulty of a puzzle matches the size of the first data, and when the answer to the first puzzle is correct, the first data or the data decrypted by the first data is sent to the core network device; or The base station prohibits sending the first data or the data after decrypting the first data to the core network device when the difficulty of the first puzzle does not match the size of the first data; or the base station is in the When the answer to the first puzzle is incorrect, the first data or the data decrypted by the first data is prohibited from being sent to the core network device.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent, thereby improving The efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of the DDoS attack on the core network.
  • the method further includes: the base station transmitting the broadcast message including signature information, where the signature information is used by the IoT device to verify the integrity of the broadcast message and whether the sender of the broadcast message is The base station. This prevents the IoT device from being spoofed by illegal messages.
  • the method further includes: when the difference between the first time and the second time is less than a preset time threshold, the base station processes the first data, the indication information of the first puzzle, and the An answer to a puzzle, wherein the first moment is a moment when the base station sends the broadcast message, and the second moment is an indication that the base station receives the first data and the first puzzle And the moment of the message of the answer to the first puzzle.
  • the base station can prevent the base station from being subjected to the replay attack of the hijacked IoT device by verifying whether the difference between the first time and the second time is less than a preset time threshold.
  • the method further includes: the base station receiving integrity verification information from the IoT device, where the integrity verification information is used to verify integrity of the first message and whether the sender of the first message is In the IoT device, the first message is a message that carries the first data, the indication information of the first puzzle, and the answer of the first puzzle; the base station passes the integrity verification of the first message.
  • the core determines that the sending end of the first message is the IoT device, and the difficulty of the first puzzle matches the size of the first data, and when the answer of the first puzzle is correct, the core is The network device sends the first data or the data after decrypting the first data; or the difficulty of the base station in the first puzzle matches the size of the first data, and the answer of the first puzzle When correct, the integrity verification message is sent to the core network device. Thereby, the base station or the core network device can be prevented from being spoofed by illegal messages.
  • the method further includes: the base station sending the broadcast message including the first indication information, where the first indication information is used to indicate that the IoT device that receives the broadcast message is determined from the multiple puzzles
  • the base station sending the broadcast message including the first indication information, where the first indication information is used to indicate that the IoT device that receives the broadcast message is determined from the multiple puzzles
  • the difficulty of matching the size of the data to be sent Therefore, the correspondence between the size of the data to be transmitted and the difficulty of the puzzle can be flexibly determined.
  • the method further includes: the base station sending the broadcast message that includes the second indication information, where the second indication information is used to indicate that the IoT device that receives the broadcast message simultaneously sends the The answer to one of the multiple puzzles. Therefore, the base station can flexibly determine whether the IoT device needs a calculation problem according to actual conditions.
  • a method for transmitting data comprising: an IoT device receiving a broadcast message including a plurality of puzzles from a base station; the IoT device determining a first one of the plurality of puzzles according to a size of the first data Solving and calculating an answer to the first puzzle, the difficulty of the first puzzle is matched with the size of the first data; the IoT device transmitting the first data, the first puzzle to the base station The indication information and the answer to the first puzzle.
  • the IoT device determines a difficulty corresponding to the difficulty from the plurality of puzzles according to the size of the data to be sent, and calculates an answer to the puzzle. The answer is then sent to the base station along with the data to be sent, thereby extending the period of data transmission, and further The impact of the computational problem on the transmission data is reduced, and the impact of the DDoS attack initiated by the IoT device on the base station and the core network device is reduced.
  • the method further includes: the IoT device receiving, by the base station, the broadcast message including signature information, where the signature information is used to verify integrity of the broadcast message and whether a sender of the broadcast message is Determining, by the IoT device, when the integrity verification of the broadcast message passes, and determining that the sending end of the broadcast message is the base station, determining, according to the size of the first data, from the plurality of puzzles The first problem is described. This prevents the IoT device from being spoofed by illegal messages.
  • the method further includes: the IoT device sending integrity verification information to the base station, where the integrity verification information is used to verify integrity of the first message and whether the sending end of the first message is In the IoT device, the first message is a message that carries the first data, the indication information of the first puzzle, and the answer of the first puzzle.
  • the base station or the core network device can be prevented from being spoofed by illegal messages.
  • the method further includes: receiving, by the IoT device, the broadcast message that includes the first indication information from the base station; and determining, by the IoT device, the difficulty and the plurality of puzzles according to the first indication information The problem of matching the size of the first data. Therefore, the correspondence between the size of the data to be transmitted and the difficulty of the puzzle can be flexibly determined.
  • the method further includes: the IoT device receiving, by the base station, the broadcast message that includes the second indication information; the IoT device determining, according to the second indication information, that the multiple is sent when sending data The answer to a puzzle in a puzzle. Therefore, the base station can flexibly determine whether the IoT device needs a calculation problem according to actual conditions.
  • the present application provides an apparatus for transmitting data, and the apparatus may implement the functions performed by a base station in the method related to the foregoing aspect, and the functions may be implemented by using hardware or by executing corresponding software by hardware.
  • the hardware or software includes one or more corresponding units or modules of the above functions.
  • the apparatus includes a processor and a transceiver configured to support the apparatus to perform the corresponding functions of the above methods.
  • the transceiver is used to support communication between the device and other devices.
  • the apparatus can also include a memory for coupling with the processor that retains the program instructions and data necessary for the apparatus.
  • the application provides a device for transmitting data, which can implement the functions performed by the IoT device in the method related to the above aspect, and the function can be implemented by hardware or by executing corresponding software through hardware.
  • the hardware or software includes one or more corresponding units or modules of the above functions.
  • the apparatus includes a processor and a transceiver configured to support the apparatus to perform the corresponding functions of the above methods.
  • the transceiver is used to support communication between the device and other devices.
  • the apparatus can also include a memory for coupling with the processor that retains the program instructions and data necessary for the apparatus.
  • the present application provides a computer storage medium for storing computer software instructions for use in the base station described above, including a program designed to perform the above aspects.
  • the present application provides a computer storage medium for storing computer software instructions for use in the above IoT device, including a program designed to perform the above aspects.
  • the present application provides a communication chip in which instructions are stored that, when run on a base station, cause the communication chip to perform the methods of the various aspects described above.
  • the present application provides a communication chip in which instructions are stored that, when run on an IoT device, cause the communication chip to perform the methods of the various aspects described above.
  • the base station transmits multiple difficulty levels.
  • the broadcast message of the puzzle the IoT device receiving the broadcast message needs to determine a difficulty that matches the size of the data to be sent, thereby improving the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of the DDoS attack on the core network.
  • FIG. 1 is a schematic diagram of one possible network architecture to which the present application is applied;
  • FIG. 2 is a schematic diagram of a digital signature and verification process
  • 3 is a schematic diagram of an identity-based cryptosystem
  • FIG. 5 is a schematic flowchart of another method for transmitting data provided by the present application.
  • FIG. 6 is a schematic flowchart of still another method for transmitting data provided by the present application.
  • FIG. 7 is a schematic flowchart of still another method for transmitting data provided by the present application.
  • FIG. 8 is a schematic flowchart of still another method for transmitting data provided by the present application.
  • FIG. 9 is a schematic flowchart of still another method for transmitting data provided by the present application.
  • FIG. 10 is a schematic flowchart of still another method for transmitting data provided by the present application.
  • FIG. 11 is a schematic flowchart of still another method for transmitting data provided by the present application.
  • FIG. 13 is a schematic flowchart of still another method for transmitting data provided by the present application.
  • FIG. 14 is a schematic flowchart of still another method for transmitting data provided by the present application.
  • 15 is a schematic structural diagram of a possible base station provided by the present application.
  • 16 is a schematic structural diagram of another possible base station provided by the present application.
  • FIG. 17 is a schematic structural diagram of a possible IoT device provided by the present application.
  • FIG. 18 is a schematic structural diagram of another possible IoT device provided by the present application.
  • Figure 1 applies to a schematic diagram of one possible network architecture of the present application.
  • the network architecture may include a base station 10, an IoT device 20, an IoT device 30, and a core network device 40.
  • the arrows shown in Figure 1 indicate that communication is possible between the device and the device.
  • the IoT device 20 can be, for example, a sensor.
  • the IoT device 30 can be, for example, a smart meter.
  • the base station 10 can be a base station in a 2G communication system, a base station in a 3G or 4G communication system, or a base station in a future 5G communication system. .
  • the network architecture shown in FIG. 1 is only intended to help those skilled in the art to better understand the present application and not to limit the scope of the application.
  • IoT devices are described in FIG. 1, a larger number of IoT devices or a smaller number of IoT device devices may be included in the present application, and the type of the IoT device is not limited in this application.
  • the information transmitted between the IoT device and the base station may be plain text or cipher text.
  • the IoT device and the base station need to send the message before sending the message.
  • the message is signed for processing.
  • the encryption and decryption method and the signature method involved in the present application are briefly described below with reference to FIGS. 2 to 3.
  • Asymmetric encryption is a type of cryptographic algorithm in which a pair of keys is required, one for the private key and the other for the public key. These two keys are mathematically related.
  • the information obtained by encrypting with a user key can only be decrypted by using the decryption key of the user. If you know one of them, you can't figure out another one. Therefore, if one of a pair of keys is disclosed, it does not endanger the secret nature of the other.
  • the private key is held by the key pair owner and cannot be advertised.
  • the public key is the key pair issued to the holder by the holder, so the public key is called the public key; the undisclosed key is the private key.
  • the encryption key is public, this is used by the client to upload the encrypted data to the private key owner.
  • This is called public key encryption.
  • the data encrypted with the public key can only be decrypted using the private key.
  • the private key is used to decrypt the public.
  • Key encrypted data Common public key encryption algorithms are: RSA (an acronym by the inventors Rivest, Shmir, and Adleman) algorithm, ElGamal, backpack algorithm, Rabin (special case of RSA), elliptic curve cryptography (ECC) .
  • RSA an acronym by the inventors Rivest, Shmir, and Adleman
  • ElGamal backpack algorithm
  • Rabin special case of RSA
  • ECC elliptic curve cryptography
  • the most widely used is the RSA algorithm, which is a well-known public key encryption algorithm.
  • the decryption key is public
  • the information encrypted with the private key can be decrypted with the public key, and the client can verify that the data or file published by the party holding the private key is complete and accurate, and the recipient can know the information. It does come from someone who owns a private key.
  • This is called a digital signature.
  • the public key is in the form of a digital certificate.
  • an installer downloaded from the Internet generally has a digital signature of the program creator, which can prove that the program was indeed published by the author (company) and not forged by a third party and has not been tampered with (identification/verification). .
  • FIG. 2 is a schematic diagram of digital signature and verification.
  • the sender encrypts the digest that needs to transmit text by using the private key, and the obtained ciphertext is called a digital signature (referred to as “signature”) of the transmission process, wherein the abstract of the transmitted text is Obtained after hashing (HASH) calculations (such as SHA1 and SHA2) for the text to be transferred.
  • signature digital signature
  • HASH hashing
  • the receiving party that is, the party receiving the data, after obtaining the transmitted text, needs to confirm whether the text is the content sent by the sender, and has been tampered with in the middle. Therefore, the receiver can decrypt the signature with the public key it holds (the data encrypted by one key in the key pair must be decrypted using another key), and the summary of the transmitted text is obtained, and then used and sent.
  • the same HASH algorithm calculates the digest value and compares it with the decrypted digest. If the two are found to be identical, the transmitted text has not been tampered with.
  • a public certificate of all senders can be managed by a unified certificate authority, and these public keys are authenticated and encrypted.
  • This institution is also known as the certificate agency (CA).
  • the encrypted public key is the certificate, also known as the CA certificate.
  • the certificate contains a lot of information, the most important is the applicant's public key.
  • the certificate needs to be decrypted to obtain the certificate.
  • Public key decryption needs to use the public key in the CA's "unified key pair". This public key is also the CA root certificate we often say. Usually we need to go to the certificate authority to download and install the corresponding data. The client, such as the browser above. This public key only needs to be installed once. With this public key, you can decrypt the certificate, get the sender's public key, then decrypt the signature sent by the sender, get the digest, recalculate the digest, and compare to verify the integrity of the data content.
  • Identity-based cryptography includes identity based signature (IBS) and identity based encryption (IBE).
  • Each user has its own public-private key pair, where the public key is a meaningful string (identity), such as an email address, phone number, etc.; the user's private key is a private key generator (PKG) According to the user identity (ID) and PKG's primary private key generation, PKG participation is not required in the signature process.
  • Signature verification only requires signature, message, identity and master public key.
  • the traditional public key infrastructure (PKI) mechanism differs from the IBC in that a user in a PKI has a pair of different public and private keys.
  • the public key is a random string.
  • the certificate center needs to sign the public key to confirm a public key. It belongs to a user, and the certificate needs to be verified during the signing or encryption process.
  • users Alice and Bob each have their own public-private key pair, and PKG generates Alice's private key based on Alice's ID Alice and PKG's global secret key (GSK).
  • GSK Alice Alice uses his private key to sign the message that needs to be transmitted.
  • No PKG participation is required in the signature process.
  • Bob only needs signature, message, ID Alice and public public key (GPK) to verify the signature sent by Alice . ).
  • FIG. 4 is a schematic flowchart of a method for transmitting data provided by the present application. As shown in FIG. 4, the method 100 includes:
  • the base station sends a broadcast message that includes multiple puzzles, where the multiple challenges are different in difficulty.
  • the method for generating a puzzle can refer to the method for generating a puzzle in the prior art, and details are not described herein again.
  • the base station can set the correspondence between the difficulty of the puzzle and the size of the data to be uploaded according to the actual situation. For example, for a fixed-size data, when the base station determines that the threat of the DDoS attack is large, the data can be set to a difficult problem. Therefore, the transmission period of the IoT device can be prolonged; when the base station determines that the current threat of the DDoS attack is small, the data can be set to correspond to a low difficulty problem, thereby shortening the transmission period of the IoT device.
  • the base station may send the broadcast message every t seconds, or may send the broadcast message according to actual needs (for example, the current base station is subjected to a DDoS attack).
  • the broadcast message sent by the base station further includes signature information (Sig_BS), where the signature information is used by the IoT device to verify the integrity of the broadcast message and whether the sending end of the broadcast message is the base station. This prevents the IoT device from being spoofed by illegal messages.
  • Sig_BS signature information
  • the broadcast message sent by the base station further includes timestamp information (TS), where the timestamp information is used to record the sending time of the broadcast message, and the message sent by the IoT device to the base station also carries the timestamp information, and the base station receives the After the message sent by the IoT device, determining whether the message is a replay attack message according to the time when the message of the IoT device is received (ie, the second time) and the time indicated by the timestamp information (ie, the first time), When the difference between the first time and the second time is less than or equal to the preset time threshold, the base station may determine that the message is a normal message, and when the difference between the first time and the second time is greater than a preset time threshold, the base station The message can be determined to be a replay attack message, thereby preventing the base station from being subjected to a replay attack by the hijacked IoT device.
  • TS timestamp information
  • the broadcast message sent by the base station further includes first indication information, where the first indication information is used to indicate that the IoT device that receives the broadcast message determines the difficulty from the plurality of puzzles to match the size of the data to be sent.
  • the puzzle ie, the first indication information indicates the correspondence between the difficulty of the puzzle and the size of the data to be transmitted). Therefore, the correspondence between the size of the data to be transmitted and the difficulty of the puzzle can be flexibly determined.
  • the broadcast message sent by the base station further includes second indication information (P_Ind), where the second indication information is used to indicate whether the IoT device that receives the broadcast message needs to calculate a puzzle.
  • P_Ind may be set to 1 to indicate that the IoT device receiving the broadcast message needs to calculate a puzzle and send the answer together with the data to be sent;
  • Setting P_Ind to 0 is used to indicate that the IoT device that receives the broadcast message can send data to the base station without calculating a problem, so that it is possible to flexibly determine whether the IoT device needs a computational problem.
  • the IoT device determines a first puzzle from the plurality of puzzles according to a size of the first data, and calculates an answer of the first puzzle, where a difficulty of the first puzzle matches a size of the first data.
  • the IoT device After receiving the broadcast message, the IoT device determines a first problem from a plurality of puzzles carried by the broadcast message according to the size of the first data (ie, the current data to be sent), and the difficulty of the first puzzle matches the size of the first data.
  • the IoT device may determine the first problem according to a preset correspondence in the IoT device, that is, the correspondence between the difficulty of the puzzle and the size of the data to be uploaded, or may be based on the indication information indicating the correspondence carried in the broadcast message. Determine the first problem.
  • the size of the first data may be the size of the data before encryption or the size of the encrypted data.
  • the first data is the size of the encrypted data, so that the base station does not need to decrypt the received data to determine whether the size of the received data matches the difficulty of the IoT device selection challenge, and improves the base station anti-DDoS. The ability to attack.
  • the IoT device sends the first data, the indication information of the first puzzle, and the answer of the first puzzle to the base station.
  • the IoT device further sends integrity verification information to the base station, where the integrity verification information is used to verify the integrity of the first message and whether the sender of the first message is the IoT device, where the first
  • the message is a message carrying the first data, the indication information of the first puzzle, and the answer of the first puzzle.
  • the integrity verification information may be, for example, a message authentication code (MAC), or a certificate (Device_Certi) and a signature (Sig) of the IoT device.
  • the base station determines that the difficulty of the first problem matches the size of the first data, and after the answer to the first puzzle is correct, the base station may send the first message to the core network after successfully verifying the integrity of the first message according to the integrity verification message.
  • the base station may also send the integrity verification message to the core network device, so that the core network device can verify the integrity of the first message, thereby preventing the base station or the core network device from being spoofed by illegal messages.
  • the base station verifies whether the difficulty of the first puzzle matches the size of the first data, and whether the answer to the first puzzle is correct.
  • the first data or the data decrypted from the first data is prohibited from being transmitted to the core network device.
  • the base station After receiving the message carrying the first data, the indication information of the first puzzle, and the answer of the first puzzle, the base station determines the difficulty of the IoT device selection according to the indication information of the first puzzle, and verifies the first problem. Difficulty and Whether the size of the first data matches, and whether the answer to the first puzzle is correct. Only when the difficulty of the first puzzle matches the size of the first data, and the answer to the first puzzle is correct, the base station sends the first data to the core network device, and if the first data is encrypted data, the base station may also After the first data is decrypted, the decrypted data is sent to the core network device.
  • the base station sends a broadcast message including a plurality of difficult puzzles, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of the DDoS attack on the core network.
  • FIG. 5 is a schematic flowchart of another method for transmitting data according to the present application. As shown in FIG. 5, the method 200 includes:
  • the base station periodically sends a broadcast message, where the broadcast message carries the identity information (BS_ID), the timestamp (TS), the second indication information (P_Ind) of the base station, multiple puzzles with different difficulties (Puzzles), and the signature of the base station (Sig_BS). ).
  • BS_ID identity information
  • TS timestamp
  • P_Ind second indication information
  • Sig_BS signature of the base station
  • Puzzle 2 (Rand2',k2,H(TS,Rand2,..)), where TS is the timestamp information, RAND1 is the random number 1, RAND1' is processed after RAND1, and the processing method is to set the k1 bit in RAND1 Covering can be achieved by setting it to 0 or 1.
  • H() is a hash function.
  • Puzzle 2 is the same.
  • the difficulty of different Puzzles is different.
  • the Puzzle of different difficulty corresponds to the size of different data allowed to be uploaded.
  • the foregoing embodiment is only an example, and multiple difficulty modes are also generated by other methods in the prior art, and details are not described herein again.
  • the base station can send the above broadcast message every t seconds, wherein P_Ind is used to indicate that a calculation difficulty is not required. For example, if the base station suffers from a DoS attack, P_Ind can be set to 1, indicating that a computational difficulty is required; if the base station is not subject to a DoS attack, P_Ind can be set to 0, indicating that no computational difficulty is required.
  • Sig_BS is the signature of the base station for the message.
  • the IoT device After receiving the broadcast message sent by the base station, if the IoT device has data to be uploaded, the IoT device first verifies the Sig_BS by using the BS_ID to determine the integrity of the broadcast message and determine whether the broadcast message is sent by the base station. . If the verification passes, then determine if you need to calculate the puzzle based on P_Ind. If the problem needs to be calculated, the difficulty of the difficulty can be determined from a plurality of difficult puzzles according to the preset correspondence and the size of the data to be sent. For example, the IoT device determines that the Puzzle 1 needs to be calculated.
  • the IoT device sends a first message to the base station, where the first message includes identifier information (Device_ID) of the IoT device, a timestamp (TS), indication information of the puzzle selected by the IoT device (PZ#), and an IoT device selected.
  • the carried TS, SDS-PDU represents unencrypted data.
  • the base station After receiving the first message, the base station first verifies whether the difference between the time when the first message is received (ie, the second time) and the time indicated by the TS (ie, the first time) is less than or equal to a preset. a time threshold, if the difference between the second time and the first time is less than or equal to the time threshold, determining that the first message is a legal message, and performing subsequent processing on the first message; if the second time is the first time If the difference is greater than the time threshold, the first message is determined to be an illegal message, and the data carried by the first message may be deleted, so that the base station may be prevented from being replayed by the hijacked IoT device.
  • the base station After the base station successfully verifies the TS (ie, determines that the first message is a legitimate message), it further verifies whether the PS is correct and whether the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, K). If the PS is incorrect, If the IoT device may be hijacked, the data carried by the first message is deleted; if the difficulty of the problem indicated by PZ# does not match the size of the En (SDS-PDU, K), the IoT device may be hijacked, and then deleted.
  • the generated K is then used to verify the MAC, and the authentication is followed by K decryption En (SDS-PDU, K).
  • the base station can verify the PS and then verify the PZ#, or verify the PZ# and then verify the PS.
  • the base station sends a small data processing function (SDS-PDU) to a serving small data handling function (Serving SDHF).
  • SDS-PDU small data processing function
  • Server SDHF serving small data handling function
  • Serving SDHF belongs to the core network equipment.
  • Serving SDHF forwards the small data message (SDS-PDU) to the gateway small data handling function (Gateway SDHF).
  • Gateway SDHF belongs to the core network equipment.
  • the Gateway SDHF forwards the small data message (SDS-PDU) to an application server (AS) or a service capability server (SCS).
  • AS application server
  • SCS service capability server
  • the SCS/AS After receiving the small data message (SDS-PDU), the SCS/AS sends an acknowledgement message (Ack) to the Gateway SDHF.
  • Ack acknowledgement message
  • the Gateway SDH After receiving the confirmation message sent by the SCS/AS, the Gateway SDH forwards the message to the Serving SDHF.
  • the Serving SDHF After receiving the acknowledgement message sent by the Gateway SDH, the Serving SDHF forwards the acknowledgement message to the base station.
  • the base station After receiving the acknowledgement message sent by the Serving SDHF, the base station forwards the acknowledgement message to the IoT device.
  • S208, S209, S210, and S211 are optional steps.
  • the foregoing method for generating and using the symmetric key K is merely an example, and other methods for generating a symmetric key by using the characteristics of the IBS (ie, the two-party ID) are It can be applied to this application.
  • the base station and the IoT device both preset an public and private key based on the IBS.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of DDoS attacks or other attacks on the core network.
  • FIG. 6 is a schematic flowchart of another method for transmitting data according to the present application. As shown in FIG. 6, the method 300 includes:
  • the base station periodically sends a broadcast message, where the broadcast message carries the identity information (BS_ID) of the base station, the certificate (BS_Certi) of the base station, the time stamp (TS), the second indication information (P_Ind), and multiple puzzles with different difficulty levels (Puzzles). And the signature of the base station (Sig_BS).
  • BS_ID identity information
  • BS_Certi certificate
  • TS time stamp
  • P_Ind second indication information
  • Sig_BS signature of the base station
  • Puzzle 2 (Rand2',k2,H(TS, Rand2,..)), where TS is the timestamp information, RAND1 is the random number 1, RAND1' is processed after RAND1, and the processing method is to cover the k1 bit in RAND1, specifically by setting 0 or 1.
  • . H() is a hash function.
  • Puzzle 2 is the same.
  • the difficulty of different Puzzles is different.
  • the Puzzle of different difficulty corresponds to the size of different data allowed to be uploaded.
  • the foregoing embodiment is only an example, and multiple difficulty modes are also generated by other methods in the prior art, and details are not described herein again.
  • the base station can send the above broadcast message every t seconds, wherein P_Ind is used to indicate that a calculation difficulty is not required. For example, if the base station suffers from a DoS attack, P_Ind can be set to 1, indicating that a computational difficulty is required; if the base station is not subject to a DoS attack, P_Ind can be set to 0, indicating that no computational difficulty is required.
  • Sig_BS is the signature of the base station for the message.
  • the IoT device After receiving the broadcast message sent by the base station, if the IoT device has data to be uploaded, the IoT device first verifies the Sig_BS by using a public key of the base station (BS's Public Key) to determine the integrity of the broadcast message and determine the Whether the broadcast message is sent by the base station. If the verification passes, then determine if you need to calculate the puzzle based on P_Ind. If the problem needs to be calculated, the difficulty of the difficulty can be determined from a plurality of difficult puzzles according to the preset correspondence and the size of the data to be sent. For example, the IoT device determines that the Puzzle 1 needs to be calculated.
  • BS's Public Key a public key of the base station
  • the IoT device sends a first message to the base station, where the first message includes the identifier information (Device_ID) of the IoT device, the time stamp (TS), the certificate of the IoT device (Device_Certi), and the indication information of the puzzle selected by the IoT device (PZ). #), the answer to the puzzle selected by the IoT device (PS), the small data En (SDS-PDU, BS's Public Key) based on the public key encryption of the base station, and the signature (Sig) of the IoT device, where the first message
  • the TS is the TS carried in the broadcast message received by the IoT device, and the SDS-PDU indicates unencrypted data.
  • the base station After receiving the first message, the base station first verifies whether the difference between the time when the first message is received (ie, the second time) and the time indicated by the TS (ie, the first time) is less than or equal to a preset. a time threshold, if the difference between the second time and the first time is less than or equal to the time threshold, determining that the first message is a legal message, and performing subsequent processing on the first message; if the second time is the first time If the difference is greater than the time threshold, the first message is determined to be an illegal message, and the data carried by the first message may be deleted, so that the base station may be prevented from being replayed by the hijacked IoT device.
  • the base station After the base station successfully verifies the TS (ie, determines that the first message is a legitimate message), it further verifies whether the PS is correct and whether the difficulty of the challenge indicated by PZ# matches the size of the En (SDS-PDU, BS's Public Key), if the PS does not If the IoT device is hijacked, the data carried by the first message is deleted; if the difficulty of the problem indicated by PZ# does not match the size of the En (SDS-PDU, BS's Public Key), the IoT device may be If the PS is correct, the data of the first message is deleted; if the PS is correct, and the difficulty of the challenge indicated by PZ# matches the size of the En (SDS-PDU, BS's Public Key), the Sig is verified, and the private key is used after the verification is passed. Decrypt small packet SDS-PDU. The base station can verify the PS and then verify the PZ#, or verify the PZ# and then verify the PS.
  • the base station sends the decrypted small data (SDS-PDU) to the Serving SDHF.
  • SDS-PDU decrypted small data
  • Serving SDHF forwards the SDS-PDU to the Gateway SDHF.
  • Gateway SDHF forwards the SDS-PDU to the SCS/AS.
  • the SCS/AS After receiving the SDS-PDU, the SCS/AS sends an acknowledgement message (Ack) to the Gateway SDHF.
  • Ack acknowledgement message
  • the Gateway SDH After receiving the Ack sent by the SCS/AS, the Gateway SDH forwards the signal to the Serving SDHF.
  • the Serving SDHF After receiving the Ack sent by the Gateway SDH, the Serving SDHF forwards the Ack to the base station.
  • S308, S309, S310, and S311 are optional steps.
  • the base station and the IoT device are preset with a certificate-based public and private key.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of DDoS attacks or other attacks on the core network.
  • FIG. 7 is a schematic flowchart of another method for transmitting data according to the present application. As shown in FIG. 7, the method 400 includes:
  • the base station periodically sends a broadcast message, where the broadcast message carries the identity information (BS_ID), the timestamp (TS), the second indication information (P_Ind) of the base station, multiple puzzles with different difficulties (Puzzles), and the signature of the base station (Sig_BS). ).
  • BS_ID identity information
  • TS timestamp
  • P_Ind second indication information
  • Sig_BS signature of the base station
  • Puzzle 2 (Rand2',k2,H(TS,Rand2,..)), where TS is the timestamp, RAND1 is the random number 1, RAND1' is processed after RAND1, and the processing method is to cover the k1 bit in RAND1. Live can be achieved by setting it to 0 or 1.
  • H() is a hash function.
  • Puzzle 2 is the same.
  • the difficulty of different Puzzles is different.
  • the Puzzle of different difficulty corresponds to the size of different data allowed to be uploaded.
  • the foregoing embodiment is only an example, and multiple difficulty modes are also generated by other methods in the prior art, and details are not described herein again.
  • the base station can send the above broadcast message every t seconds, wherein P_Ind is used to indicate that a calculation difficulty is not required. For example, if the base station suffers from a DoS attack, P_Ind can be set to 1, indicating that a computational difficulty is required; if the base station is not subject to a DoS attack, P_Ind can be set to 0, indicating that no computational difficulty is required.
  • Sig_BS is the signature of the base station for the message.
  • the IoT device After receiving the broadcast message sent by the base station, if the IoT device has data to be uploaded, the IoT device first verifies the Sig_BS by using the BS_ID to determine the integrity of the broadcast message and determine whether the broadcast message is sent by the base station. . If the verification passes, then determine if you need to calculate the puzzle based on P_Ind. If the problem needs to be calculated, the difficulty of the difficulty can be determined from a plurality of difficult puzzles according to the preset correspondence and the size of the data to be sent. For example, the IoT device determines that the Puzzle 1 needs to be calculated.
  • the IoT device sends a first message to the base station, where the first message includes identifier information (Device_ID) of the IoT device, a time stamp (TS), indication information of the puzzle selected by the IoT device (PZ#), and an IoT device selected.
  • the TS in the TS is the TS carried in the broadcast message received by the IoT device, and the SDS-PDU indicates unencrypted data.
  • the base station After receiving the first message, the base station first verifies whether the difference between the time when the first message is received (ie, the second time) and the time indicated by the TS (ie, the first time) is less than or equal to a preset. a time threshold, if the difference between the second time and the first time is less than or equal to the time threshold, determining that the first message is a legal message, and The first message is subjected to subsequent processing; if the difference between the second time and the first time is greater than the time threshold, determining that the first message is an illegal message, the data carried by the first message may be deleted, thereby preventing the base station from being hijacked Replay attack on IoT devices.
  • a time threshold if the difference between the second time and the first time is less than or equal to the time threshold, determining that the first message is a legal message, and The first message is subjected to subsequent processing; if the difference between the second time and the first time is greater than the time threshold, determining that the first message is an
  • the base station After the base station successfully verifies the TS (ie, determines that the first message is a legitimate message), it further verifies whether the PS is correct and whether the difficulty of the challenge indicated by PZ# matches the size of the En (SDS-PDU, S-SDHF-ID), if If the PS is incorrect, the IoT device may be hijacked, and the data carried by the first message is deleted; if the difficulty indicated by the PZ# does not match the size of the En (SDS-PDU, S-SDHF-ID), If the IoT device may be hijacked, the data carried by the first message is deleted; if the PS is correct, and the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, S-SDHF-ID), it is forwarded to Serving SDHF. Encrypted data En (SDS-PDU, S-SDHF-ID). The base station can verify the PS and then verify the PZ#, or verify the PZ# and then verify the PS.
  • the base station sends the encrypted small data En (SDS-PDU, S-SDHF-ID), the identifier of the IoT device (Device_ID), and the signature of the IoT device (Sig) to the Serving SDHF.
  • SDS-PDU the encrypted small data En
  • S-SDHF-ID the identifier of the IoT device
  • Sig the signature of the IoT device
  • the Serving SDHF After receiving the above information, the Serving SDHF first verifies the Sig by Device_ID, and after verifying, the En (SDS-PDU, S-SDHF-ID) is decrypted by using the private key of the Serving SDHF.
  • S407 Serving SDHF forwards the small data (SDS-PDU) to the Gateway SDHF.
  • SDS-PDU small data
  • the Gateway SDHF forwards the SDS-PDU to the SCS/AS.
  • the SCS/AS After receiving the SDS-PDU, the SCS/AS sends an acknowledgement message (Ack) to the Gateway SDHF.
  • Ack acknowledgement message
  • the Gateway SDH After receiving the Ack sent by the SCS/AS, the Gateway SDH forwards the signal to the Serving SDHF.
  • the Serving SDHF After receiving the Ack sent by the Gateway SDH, the Serving SDHF forwards the Ack to the base station.
  • the base station After receiving the Ack sent by the Serving SDHF, the base station forwards the Ack to the IoT device.
  • S409, S410, S411, and S412 are optional steps.
  • the base station and the IoT device both preset the public and private keys based on the IBS.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of the DDoS attack on the core network.
  • FIG. 8 is a schematic flowchart of another method for transmitting data according to the present application. As shown in FIG. 8, the method 500 includes:
  • the base station periodically sends a broadcast message, where the broadcast message carries the identity information (BS_ID) of the base station, the certificate (BS_Certi) of the base station, the time stamp (TS), the second indication information (P_Ind), and multiple puzzles with different difficulty levels (Puzzles). And the signature of the base station (Sig_BS).
  • BS_ID identity information
  • BS_Certi certificate
  • TS time stamp
  • P_Ind second indication information
  • Sig_BS signature of the base station
  • Puzzle 2 (Rand2',k2,H(TS,Rand2,..)), where TS is the timestamp information, RAND1 is the random number 1, RAND1' is processed after RAND1, and the processing method is to set the k1 bit in RAND1 Covering can be achieved by setting it to 0 or 1.
  • H() is a hash function.
  • Puzzle 2 is the same.
  • the difficulty of different Puzzles is different.
  • the Puzzle of different difficulty corresponds to the size of different data allowed to be uploaded.
  • the foregoing embodiment is only an example, and multiple difficulty modes are also generated by other methods in the prior art, and details are not described herein again.
  • the base station can send the above broadcast message every t seconds, wherein P_Ind is used to indicate that a calculation difficulty is not required. For example, if the base station suffers from a DoS attack, P_Ind can be set to 1, indicating that a computational difficulty is required; if the base station is not subject to a DoS attack, P_Ind can be set to 0, indicating that no computational difficulty is required.
  • Sig_BS is the signature of the base station for the message.
  • the IoT device sends a first message to the base station, where the first message includes the identifier information (Device_ID) of the IoT device, the time stamp (TS), the certificate of the IoT device (Device_Certi), and the indication information of the puzzle selected by the IoT device (PZ). #), the answer to the puzzle selected by the IoT device (PS), the small data En (SDS-PDU, S-SDHF's Public Key) based on the Serving SDHF, and the signature of the IoT device (Sig), where the first The TS in the message is the TS carried in the broadcast message received by the IoT device, and the SDS-PDU indicates unencrypted data.
  • the identifier information (Device_ID) of the IoT device
  • TS time stamp
  • Device_Certi the certificate of the IoT device
  • PZ indication information of the puzzle selected by the IoT device
  • # the answer to the puzzle selected by the IoT
  • the base station After receiving the first message, the base station first verifies whether the difference between the time when the first message is received (ie, the second time) and the time indicated by the TS (ie, the first time) is less than or equal to a preset. a time threshold, if the difference between the second time and the first time is less than or equal to the time threshold, determining that the first message is a legal message, and performing subsequent processing on the first message; if the second time is the first time If the difference is greater than the time threshold, the first message is determined to be an illegal message, and the data carried by the first message may be deleted, so that the base station may be prevented from being replayed by the hijacked IoT device.
  • the base station After the base station successfully verifies the TS (ie, determines that the first message is a legitimate message), it further verifies whether the PS is correct and whether the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, S-SDHF's Public Key), if If the PS is incorrect, it indicates that the IoT device may be hijacked, and the data carried by the first message is deleted; if the difficulty indicated by the PZ# does not match the size of the En (SDS-PDU, S-SDHF's Public Key), If the IoT device may be hijacked, the data carried by the first message is deleted; if the PS is correct, and the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, S-SDHF's Public Key), it is forwarded to Serving SDHF. Encrypted data En (SDS-PDU, S-SDHF's Public Key). The base station can verify the PS and then verify the PZ#, or verify the PZ# and then verify
  • the base station sends a small data message (Device_ID, Device_Certi, En (SDS-PDU, S-SDHF's Public Key), Sig) to the Serving SDHF.
  • a small data message (Device_ID, Device_Certi, En (SDS-PDU, S-SDHF's Public Key), Sig) to the Serving SDHF.
  • the Serving SDHF After receiving the above message, the Serving SDHF first verifies the Sig by Device_ID, and after verifying, the En (SDS-PDU, S-SDHF's Public Key) is decrypted by using the private key of the Serving SDHF.
  • S507 Serving SDHF forwards small data (SDS-PDUs) to Gateway SDHF.
  • SDS-PDUs small data
  • Gateway SDHF forwards the SDS-PDU to the SCS/AS.
  • the SCS/AS After receiving the SDS-PDU, the SCS/AS sends an acknowledgement message (Ack) to the Gateway SDHF.
  • Ack acknowledgement message
  • the Gateway SDH After receiving the Ack sent by the SCS/AS, the Gateway SDH forwards the signal to the Serving SDHF.
  • the Serving SDHF After receiving the Ack sent by the Gateway SDH, the Serving SDHF forwards the Ack to the base station.
  • S509, S510, S511, and S512 are optional steps.
  • the base station and the IoT device both preset a certificate-based public and private key.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of DDoS attacks or other attacks on the core network.
  • FIG. 9 is a schematic flowchart of still another method for transmitting data according to the present application. As shown in FIG. 9, the method 600 includes:
  • the base station periodically sends a broadcast message, where the broadcast message carries the identity information (BS_ID), the timestamp (TS), the second indication information (P_Ind) of the base station, multiple puzzles with different difficulties (Puzzles), and the signature of the base station (Sig_BS). ).
  • BS_ID identity information
  • TS timestamp
  • P_Ind second indication information
  • Sig_BS signature of the base station
  • Puzzle 2 (Rand2',k2,H(TS,Rand2,..)), where TS is the timestamp, RAND1 is the random number 1, RAND1' is processed after RAND1, and the processing method is to cover the k1 bit in RAND1. Live can be achieved by setting it to 0 or 1.
  • H() is a hash function.
  • Puzzle 2 is the same.
  • the difficulty of different Puzzles is different.
  • the Puzzle of different difficulty corresponds to the size of different data allowed to be uploaded.
  • the foregoing embodiment is only an example, and multiple difficulty modes are also generated by other methods in the prior art, and details are not described herein again.
  • the base station can send the above broadcast message every t seconds, wherein P_Ind is used to indicate that a calculation difficulty is not required. For example, if the base station suffers from a DoS attack, P_Ind can be set to 1, indicating that a computational difficulty is required; if the base station is not subject to a DoS attack, P_Ind can be set to 0, indicating that no computational difficulty is required.
  • Sig_BS is the signature of the base station for the message.
  • the IoT device After receiving the broadcast message sent by the base station, if the IoT device has data to be uploaded, the IoT device first verifies the Sig_BS by using the BS_ID to determine the integrity of the broadcast message and determine whether the broadcast message is sent by the base station. . If the verification passes, then determine if you need to calculate the puzzle based on P_Ind. If the problem needs to be calculated, the difficulty of the difficulty can be determined from a plurality of difficult puzzles according to the preset correspondence and the size of the data to be sent. For example, the IoT device determines that the Puzzle 1 needs to be calculated.
  • the IoT device sends a first message to the base station, where the first message includes identifier information (Device_ID) of the IoT device, a time stamp (TS), indication information of the puzzle selected by the IoT device (PZ#), and the selected by the IoT device.
  • the TS, SDS-PDU carried in the above broadcast message received by the device indicates unencrypted data.
  • the base station After receiving the first message, the base station first verifies whether the difference between the time when the first message is received (ie, the second time) and the time indicated by the TS (ie, the first time) is less than or equal to a preset. a time threshold, if the difference between the second time and the first time is less than or equal to the time threshold, determining that the first message is a legal message, and The first message is subjected to subsequent processing; if the difference between the second time and the first time is greater than the time threshold, determining that the first message is an illegal message, the data carried by the first message may be deleted, thereby preventing the base station from being hijacked Replay attack on IoT devices.
  • the base station After the base station successfully verifies the TS (ie, determines that the first message is a legitimate message), it further verifies whether the PS is correct and whether the difficulty of the challenge indicated by PZ# matches the size of the En (SDS-PDU, AS-ID), if the PS does not Correct, indicating that the IoT device may be hijacked, delete the data carried by the first message; if the difficulty indicated by the PZ# does not match the size of the En (SDS-PDU, AS-ID), the IoT device may be If the PS is correct, the data of the first message is deleted; if the PS is correct, and the difficulty of the challenge indicated by PZ# matches the size of the En (SDS-PDU, AS-ID), the symmetric key K is calculated by using the characteristics of the IBS.
  • K e (xH (BS_ID), H (Device_ID)).
  • the generated MAC is then used to verify the MAC and verify that the encrypted data En (SDS-PDU, AS-ID) is forwarded to the Serving SDHF.
  • the base station can verify the PS and then verify the PZ#, or verify the PZ# and then verify the PS.
  • the base station sends the encrypted small data En (SDS-PDU, AS-ID) to the Serving SDHF.
  • S606 Serving SDHF forwards En (SDS-PDU, AS-ID) to Gateway SDHF.
  • the Gateway SDHF forwards the En (SDS-PDU, AS-ID) to the SCS/AS.
  • the SCS/AS After receiving the En (SDS-PDU, AS-ID), the SCS/AS decrypts the En (SDS-PDU, AS-ID) by using the private key of the SCS or the AS.
  • the SCS/AS sends an acknowledgement message (Ack) to the Gateway SDHF.
  • Ack acknowledgement message
  • the Gateway SDH After receiving the Ack sent by the SCS/AS, the Gateway SDH forwards the packet to the Serving SDHF.
  • the Serving SDHF After receiving the Ack sent by the Gateway SDH, the Serving SDHF forwards the Ack to the base station.
  • the base station After receiving the Ack sent by the Serving SDHF, the base station forwards the Ack to the IoT device.
  • S609, S610, S611, and S612 are optional steps.
  • the base station and the IoT device both preset the public and private keys based on the IBS.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of DDoS attacks or other attacks on the core network.
  • FIG. 10 is a schematic flowchart of still another method for transmitting data according to the present application. As shown in FIG. 10, the method 700 includes:
  • the base station periodically sends a broadcast message, where the broadcast message carries the identity information (BS_ID) of the base station, the certificate of the base station (BS_Certi), the time stamp (TS), the second indication information (P_Ind), and multiple puzzles with different difficulty levels (Puzzles). And the signature of the base station (Sig_BS).
  • BS_ID identity information
  • BS_Certi certificate of the base station
  • TS time stamp
  • P_Ind second indication information
  • Sig_BS signature of the base station
  • Puzzle 2 (Rand2',k2,H(TS,Rand2,..)), where TS is the timestamp, RAND1 is the random number 1, RAND1' is processed after RAND1, and the processing method is to cover the k1 bit in RAND1. Live can be achieved by setting it to 0 or 1.
  • H() is a hash function.
  • Puzzle 2 is the same.
  • the difficulty of different Puzzles is different.
  • the Puzzle of different difficulty corresponds to the size of different data allowed to be uploaded.
  • the foregoing embodiment is only an example, and multiple difficulty modes are also generated by other methods in the prior art, and details are not described herein again.
  • the base station can send the above broadcast message every t seconds, wherein P_Ind is used to indicate that a calculation difficulty is not required. For example, if the base station suffers from a DoS attack, P_Ind can be set to 1, indicating that a computational difficulty is required; if the base station is not subject to a DoS attack, P_Ind can be set to 0, indicating that no computational difficulty is required.
  • Sig_BS is the signature of the base station for the message.
  • the IoT device After receiving the broadcast message sent by the base station, if the IoT device has data to be uploaded, the IoT device first verifies the Sig_BS by using a public key of the base station (BS's Public Key) to determine the integrity of the broadcast message and determine the Whether the broadcast message is sent by the base station. If the verification passes, then determine if you need to calculate the puzzle based on P_Ind. If the problem needs to be calculated, the difficulty of the difficulty can be determined from a plurality of difficult puzzles according to the preset correspondence and the size of the data to be sent. For example, the IoT device determines that the Puzzle 1 needs to be calculated.
  • BS's Public Key a public key of the base station
  • the IoT device sends a first message to the base station, where the first message includes the identifier information (Device_ID) of the IoT device, the time stamp (TS), the certificate of the IoT device (Device_Certi), and the indication information of the puzzle selected by the IoT device (PZ).
  • the first message includes the identifier information (Device_ID) of the IoT device, the time stamp (TS), the certificate of the IoT device (Device_Certi), and the indication information of the puzzle selected by the IoT device (PZ).
  • the TS in the first message is the TS carried in the broadcast message received by the IoT device, and the SDS-PDU indicates unencrypted data.
  • the base station After receiving the first message, the base station first verifies whether the difference between the time when the first message is received (ie, the second time) and the time indicated by the TS (ie, the first time) is less than or equal to a preset. a time threshold, if the difference between the second time and the first time is less than or equal to the time threshold, determining that the first message is a legal message, and performing subsequent processing on the first message; if the second time is the first time If the difference is greater than the time threshold, the first message is determined to be an illegal message, and the data carried by the first message may be deleted, so that the base station may be prevented from being replayed by the hijacked IoT device.
  • the base station After the base station successfully verifies the TS (ie, determines that the first message is a legitimate message), it further verifies whether the PS is correct and whether the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, SCS/AS's Public Key), if If the PS is incorrect, it indicates that the IoT device may be hijacked, and the data carried by the first message is deleted; if the difficulty indicated by the PZ# does not match the size of the En (SDS-PDU, SCS/AS's Public Key), If the IoT device may be hijacked, the data carried by the first message is deleted; if the PS is correct, and the difficulty of the challenge indicated by PZ# matches the size of the En (SDS-PDU, SCS/AS's Public Key), the IoT device is utilized.
  • the public key verifies the Sig, and the verification forwards the encrypted data En (SDS-PDU, SCS/AS's Public Key) to the Serving SDHF.
  • the base station can verify the PS and then verify the PZ#, or verify the PZ# and then verify the PS.
  • the base station sends the encrypted small data En (SDS-PDU, SCS/AS's Public Key) to the Serving SDHF.
  • S706 Serving SDHF forwards En (SDS-PDU, SCS/AS's Public Key to Gateway SDHF.
  • the Gateway SDHF forwards the En (SDS-PDU, SCS/AS's Public Key) to the SCS/AS.
  • the SCS/AS After receiving the En (SDS-PDU, SCS/AS's Public Key), the SCS/AS decrypts the En (SDS-PDU, SCS/AS's Public Key) using the private key of the SCS or the AS.
  • the SCS/AS sends an acknowledgement message (Ack) to the Gateway SDHF.
  • Ack acknowledgement message
  • the Gateway SDH After receiving the Ack sent by the SCS/AS, the Gateway SDH forwards the Ack to the Serving SDHF.
  • the Serving SDHF After receiving the Ack sent by the Gateway SDH, the Serving SDHF forwards the Ack to the base station.
  • S709, S710, S711, and S712 are optional steps.
  • the base station and the IoT device both preset a certificate-based public and private key.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of DDoS attacks or other attacks on the core network.
  • FIG. 11 is a schematic flowchart of still another method for transmitting data according to the present application. As shown in FIG. 11, the method 800 includes:
  • the base station periodically sends a broadcast message, where the broadcast message carries the identity information (BS_ID), the timestamp (TS), the second indication information (P_Ind) of the base station, multiple puzzles with different difficulties (Puzzles), and the signature of the base station (Sig_BS). ).
  • BS_ID identity information
  • TS timestamp
  • P_Ind second indication information
  • Sig_BS signature of the base station
  • Puzzle 2 (Rand2',k2,H(TS,Rand2,..)), where TS is the timestamp, RAND1 is the random number 1, RAND1' is processed after RAND1, and the processing method is to cover the k1 bit in RAND1. Live can be achieved by setting it to 0 or 1.
  • H() is a hash function.
  • Puzzle 2 is the same.
  • the difficulty of different Puzzles is different.
  • the Puzzle of different difficulty corresponds to the size of different data allowed to be uploaded.
  • the foregoing embodiment is only an example, and multiple difficulty modes are also generated by other methods in the prior art, and details are not described herein again.
  • the base station can send the above broadcast message every t seconds, wherein P_Ind is used to indicate that a calculation difficulty is not required. For example, if the base station suffers from a DoS attack, P_Ind can be set to 1, indicating that a computational difficulty is required; if the base station is not subject to a DoS attack, P_Ind can be set to 0, indicating that no computational difficulty is required.
  • Sig_BS is the signature of the base station for the message.
  • the IoT device After receiving the broadcast message sent by the base station, if the IoT device has data to be uploaded, the IoT device first verifies the Sig_BS by using the BS_ID to determine the integrity of the broadcast message and determine whether the broadcast message is sent by the base station. . If the verification passes, then determine if you need to calculate the puzzle based on P_Ind. If the problem needs to be calculated, the difficulty of the difficulty can be determined from a plurality of difficult puzzles according to the preset correspondence and the size of the data to be sent. For example, the IoT device determines that the Puzzle 1 needs to be calculated.
  • the IoT device sends a first message to the base station, where the first message includes identifier information (Device_ID) of the IoT device, a time stamp (TS), indication information of the puzzle selected by the IoT device (PZ#), and the selected by the IoT device.
  • the TS is the TS carried in the broadcast message received by the IoT device, and the SDS-PDU indicates unencrypted data.
  • the small data SDS-PDU may also be encrypted using the public key of the SCS (ie, the ID of the SCS).
  • the base station After receiving the first message, the base station first verifies whether the difference between the time when the first message is received (ie, the second time) and the time indicated by the TS (ie, the first time) is less than or equal to a preset. Time threshold if second If the difference between the time and the first time is less than or equal to the time threshold, determine that the first message is a legal message, and perform subsequent processing on the first message; if the difference between the second time and the first time is greater than the time threshold The first message is determined to be an illegal message, and the data carried by the first message may be deleted, so that the base station may be protected from the replay attack of the hijacked IoT device.
  • the base station After the base station successfully verifies the TS (ie, determines that the first message is a legitimate message), it further verifies whether the PS is correct and whether the difficulty of the challenge indicated by PZ# matches the size of the En (SDS-PDU, AS-ID), if the PS does not Correct, indicating that the IoT device may be hijacked, delete the data carried by the first message; if the difficulty indicated by the PZ# does not match the size of the En (SDS-PDU, AS-ID), the IoT device may be If the PS is correct, the data carried by the first message is deleted; if the PS is correct and the difficulty of the challenge indicated by PZ# matches the size of the En (SDS-PDU, AS-ID), the encrypted data is forwarded to the Serving SDHF.
  • the base station can verify the PS and then verify the PZ#, or verify the PZ# and then verify the PS.
  • the base station sends the encrypted small data En (SDS-PDU, AS-ID), Device_ID, and Sig to the Serving SDHF.
  • the Serving SDHF forwards the En (SDS-PDU, AS-ID) to the Gateway SDHF.
  • Gateway SDHF forwards the En (SDS-PDU, AS-ID) to the SCS/AS.
  • the SCS/AS After receiving the En (SDS-PDU, AS-ID), the SCS/AS decrypts the En (SDS-PDU, AS-ID) by using the private key of the AS.
  • the SCS/AS sends an acknowledgement message (Ack) to the Gateway SDHF.
  • Ack acknowledgement message
  • the Gateway SDH receives the Ack sent by the SCS/AS and forwards it to the Serving SDHF.
  • the Serving SDHF After receiving the Ack sent by the Gateway SDH, the Serving SDHF forwards the Ack to the base station.
  • S810, S811, S812, and S813 are optional steps.
  • the base station and the IoT device both preset the public and private keys based on the IBS.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of DDoS attacks or other attacks on the core network.
  • FIG. 12 is a schematic flowchart of still another method for transmitting data according to the present application. As shown in FIG. 12, the method 900 includes:
  • the base station periodically sends a broadcast message, where the broadcast message carries the identity information (BS_ID), the timestamp (TS), the second indication information (P_Ind) of the base station, multiple puzzles with different difficulties (Puzzles), and the signature of the base station (Sig_BS). ).
  • BS_ID identity information
  • TS timestamp
  • P_Ind second indication information
  • Sig_BS signature of the base station
  • Puzzle 2 (Rand2',k2,H(TS,Rand2,..)), where TS is the timestamp, RAND1 is the random number 1, RAND1' is processed after RAND1, and the processing method is to cover the k1 bit in RAND1. Live can be achieved by setting it to 0 or 1.
  • H() is a hash function.
  • Puzzle 2 is the same.
  • the difficulty of different Puzzles is different.
  • the Puzzles of different difficulty correspond to different numbers allowed to be uploaded. According to the size.
  • the foregoing embodiment is only an example, and multiple difficulty modes are also generated by other methods in the prior art, and details are not described herein again.
  • the base station can send the above broadcast message every t seconds, wherein P_Ind is used to indicate that a calculation difficulty is not required. For example, if the base station suffers from a DoS attack, P_Ind can be set to 1, indicating that a computational difficulty is required; if the base station is not subject to a DoS attack, P_Ind can be set to 0, indicating that no computational difficulty is required.
  • Sig_BS is the signature of the base station for the message.
  • the IoT device After receiving the broadcast message sent by the base station, if the IoT device has data to be uploaded, the IoT device first verifies the Sig_BS by using the BS_ID to determine the integrity of the broadcast message and determine whether the broadcast message is sent by the base station. . If the verification passes, then determine if you need to calculate the puzzle based on P_Ind. If the problem needs to be calculated, the difficulty of the difficulty can be determined from a plurality of difficult puzzles according to the preset correspondence and the size of the data to be sent. For example, the IoT device determines that the Puzzle 1 needs to be calculated.
  • the IoT device sends a first message to the base station, where the first message includes the identifier information (Device_ID) of the IoT device, the time stamp (TS), the certificate of the IoT device (Device_Certi), and the indication information of the puzzle selected by the IoT device (PZ).
  • the first message includes the identifier information (Device_ID) of the IoT device, the time stamp (TS), the certificate of the IoT device (Device_Certi), and the indication information of the puzzle selected by the IoT device (PZ).
  • the TS in the first message is the TS carried in the broadcast message received by the IoT device, and the SDS-PDU indicates unencrypted data.
  • the base station After receiving the first message, the base station first verifies whether the difference between the time when the first message is received (ie, the second time) and the time indicated by the TS (ie, the first time) is less than or equal to a preset. a time threshold, if the difference between the second time and the first time is less than or equal to the time threshold, determining that the first message is a legal message, and performing subsequent processing on the first message; if the second time is the first time If the difference is greater than the time threshold, the first message is determined to be an illegal message, and the data carried by the first message may be deleted, so that the base station may be prevented from being replayed by the hijacked IoT device.
  • the base station After the base station successfully verifies the TS (ie, determines that the first message is a legitimate message), it further verifies whether the PS is correct and whether the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, SCS/AS's Public Key), if If the PS is incorrect, it indicates that the IoT device may be hijacked, and the data carried by the first message is deleted; if the difficulty indicated by the PZ# does not match the size of the En (SDS-PDU, SCS/AS's Public Key), If the IoT device may be hijacked, the data carried by the first message is deleted; if the PS is correct, and the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, SCS/AS's Public Key), it is forwarded to Serving SDHF. Encrypted data.
  • the base station can verify the PS and then verify the PZ#, or verify the PZ# and then verify the PS.
  • the base station sends En (SDS-PDU, SCS/AS's Public Key), Device_Certi, and Sig to Serving SDHF.
  • the Serving SDHF forwards the En (SDS-PDU, SCS/AS's Public Key) to the Gateway SDHF.
  • Gateway SDHF forwards En (SDS-PDU, SCS/AS's Public Key) to SCS/AS.
  • the SCS/AS After receiving the En (SDS-PDU, SCS/AS's Public Key), the SCS/AS decrypts En (SDS-PDU, SCS/AS's Public Key) using the private key of the SCS/AS.
  • the SCS/AS sends an acknowledgement message (Ack) to the Gateway SDHF.
  • Ack acknowledgement message
  • the Gateway SDH receives the Ack sent by the SCS/AS and forwards it to the Serving SDHF.
  • the Serving SDHF After receiving the Ack sent by the Gateway SDH, the Serving SDHF forwards the Ack to the base station.
  • S910, S911, S912, and S913 are optional steps.
  • the base station and the IoT device are preset with a certificate-based public and private key.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device receiving the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of DDoS attacks or other attacks on the core network.
  • FIG. 13 is a schematic flowchart of another method for transmitting data according to the present application. As shown in FIG. 13, the method 1000 includes:
  • the base station periodically sends a broadcast message, where the broadcast message carries the identity information (BS_ID), the timestamp (TS), the second indication information (P_Ind) of the base station, multiple puzzles with different difficulties (Puzzles), and the signature of the base station (Sig_BS). ).
  • BS_ID identity information
  • TS timestamp
  • P_Ind second indication information
  • Sig_BS signature of the base station
  • Puzzle 2 (Rand2',k2,H(TS,Rand2,..)), where TS is the timestamp information, RAND1 is the random number 1, RAND1' is processed after RAND1, and the processing method is to set the k1 bit in RAND1 Covering can be achieved by setting it to 0 or 1.
  • H() is a hash function.
  • Puzzle 2 is the same.
  • the difficulty of different Puzzles is different.
  • the Puzzle of different difficulty corresponds to the size of different data allowed to be uploaded.
  • the foregoing embodiment is only an example, and multiple difficulty modes are also generated by other methods in the prior art, and details are not described herein again.
  • the base station can send the above broadcast message every t seconds, wherein P_Ind is used to indicate that a calculation difficulty is not required. For example, if the base station suffers from a DoS attack, P_Ind can be set to 1, indicating that a computational difficulty is required; if the base station is not subject to a DoS attack, P_Ind can be set to 0, indicating that no computational difficulty is required.
  • Sig_BS is the signature of the base station for the message.
  • the IoT device After receiving the broadcast message sent by the base station, if the IoT device has data to be uploaded, the IoT device first verifies the Sig_BS by using the BS_ID to determine the integrity of the broadcast message and determine whether the broadcast message is sent by the base station. . If the verification passes, then determine if you need to calculate the puzzle based on P_Ind. If the problem needs to be calculated, the difficulty of the difficulty can be determined from a plurality of difficult puzzles according to the preset correspondence and the size of the data to be sent. For example, the IoT device determines that the Puzzle 1 needs to be calculated.
  • the IoT device sends a first message to the base station, where the first message includes the identifier information (Device_ID) of the IoT device, the time stamp (TS), the indication information of the puzzle selected by the IoT device (PZ#), and the selected by the IoT device.
  • the TS, SDS-PDU carried in the broadcast message represents unencrypted data.
  • the base station After receiving the first message, the base station first verifies whether the difference between the time when the first message is received (ie, the second time) and the time indicated by the TS (ie, the first time) is less than or equal to a preset. a time threshold, if the difference between the second time and the first time is less than or equal to the time threshold, determining that the first message is a legal message, and performing subsequent processing on the first message; if the second time is the first time If the difference is greater than the time threshold, the first message is determined to be an illegal message, and the data carried by the first message may be deleted, so that the base station may be prevented from being replayed by the hijacked IoT device.
  • the base station After the base station successfully verifies the TS (ie, determines that the first message is a legitimate message), it further verifies whether the PS is correct and whether the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, K). If the PS is incorrect, If the IoT device may be hijacked, the data carried by the first message is deleted; if the difficulty of the problem indicated by PZ# does not match the size of the En (SDS-PDU, K), the IoT device may be hijacked, and then deleted. The data carried by the first message; if the PS is correct, and the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, K), small data is sent to Serving SDHF. The base station can verify the PS and then verify the PZ#, or verify the PZ# and then verify the PS.
  • the base station sends a small data message (Device_ID, En (SDS-PDU, K), MAC) to the Serving SDHF.
  • a small data message (Device_ID, En (SDS-PDU, K), MAC)
  • the Serving SDHF After receiving the small data message, the Serving SDHF obtains credentials from the Credential Repository according to the Device_ID, and the credential is the symmetric key K.
  • Gateway SDHF forwards the SDS-PDU to the SCS/AS.
  • the SCS/AS After receiving the SDS-PDU, the SCS/AS sends an Ack to the Gateway SDHF.
  • the Gateway SDH After receiving the Ack sent by the SCS/AS, the Gateway SDH forwards it to the Serving SDHF.
  • the Serving SDHF After receiving the Ack sent by the Gateway SDH, the Serving SDHF forwards the Ack to the base station.
  • the base station presets an IBS-based public-private key
  • the IoT device and the credential memory preset a symmetric key.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of DDoS attacks or other attacks on the core network.
  • FIG. 14 is a schematic flowchart of another method for transmitting data according to the present application. As shown in FIG. 14, the method 1100 includes:
  • the base station periodically sends a broadcast message, where the broadcast message carries the identity information (BS_ID) of the base station, the certificate (BS_Certi) of the base station, the time stamp (TS), the second indication information (P_Ind), and multiple puzzles with different difficulty levels (Puzzles). And the signature of the base station (Sig_BS).
  • BS_ID identity information
  • BS_Certi certificate
  • TS time stamp
  • P_Ind second indication information
  • Sig_BS signature of the base station
  • Puzzle 2 (Rand2',k2,H(TS, Rand2,..)), where TS is the timestamp information, RAND1 is the random number 1, RAND1' is processed after RAND1, and the processing method is to cover the k1 bit in RAND1, specifically by setting 0 or 1.
  • . H() is a hash function.
  • Puzzle 2 is the same.
  • the difficulty of different Puzzles is different.
  • the Puzzle of different difficulty corresponds to the size of different data allowed to be uploaded.
  • the foregoing embodiment is only an example, and multiple difficulty modes are also generated by other methods in the prior art, and details are not described herein again.
  • the base station can send the above broadcast message every t seconds, wherein P_Ind is used to indicate that a calculation difficulty is not required. For example, if the base station suffers from a DoS attack, P_Ind can be set to 1, indicating that a computational difficulty is required; if the base station is not subject to a DoS attack, P_Ind can be set to 0, indicating that no computational difficulty is required.
  • Sig_BS is the signature of the base station for the message.
  • the IoT device After receiving the broadcast message sent by the base station, if the IoT device has data to be uploaded, the IoT device first verifies the Sig_BS by using the BS's Public Key to determine the integrity of the broadcast message and determine whether the broadcast message is the base station. dispatched. If the verification passes, then determine if you need to calculate the puzzle based on P_Ind. If the problem needs to be calculated, the difficulty of the difficulty can be determined from a plurality of difficult puzzles according to the preset correspondence and the size of the data to be sent. For example, the IoT device determines that the Puzzle 1 needs to be calculated.
  • the IoT device sends a first message to the base station, where the first message includes identifier information (Device_ID) of the IoT device, a timestamp (TS), indication information of the puzzle selected by the IoT device (PZ#), and an identifier selected by the IoT device.
  • the TS, SDS-PDU carried in the broadcast message represents unencrypted data.
  • the base station After receiving the first message, the base station first verifies whether the difference between the time when the first message is received (ie, the second time) and the time indicated by the TS (ie, the first time) is less than or equal to a preset. a time threshold, if the difference between the second time and the first time is less than or equal to the time threshold, determining that the first message is a legal message, and performing subsequent processing on the first message; if the second time is the first time If the difference is greater than the time threshold, the first message is determined to be an illegal message, and the data carried by the first message may be deleted, so that the base station may be prevented from being replayed by the hijacked IoT device.
  • the base station After the base station successfully verifies the TS (ie, determines that the first message is a legitimate message), it further verifies whether the PS is correct and whether the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, K). If the PS is incorrect, If the IoT device may be hijacked, the data carried by the first message is deleted; if the difficulty of the problem indicated by PZ# does not match the size of the En (SDS-PDU, K), the IoT device may be hijacked, and then deleted. The data carried by the first message; if the PS is correct, and the difficulty of the challenge indicated by PZ# matches the size of En (SDS-PDU, K), small data is sent to Serving SDHF. The base station can verify the PS and then verify the PZ#, or verify the PZ# and then verify the PS.
  • S1105 The base station sends a small data message (Device_ID, En (SDS-PDU, K), MAC) to the Serving SDHF.
  • Device_ID En (SDS-PDU, K), MAC
  • the Serving SDHF After receiving the small data message, the Serving SDHF obtains credentials from the Credential Repository according to the Device_ID, and the credential is the symmetric key K.
  • Gateway SDHF forwards the SDS-PDU to the SCS/AS.
  • the SCS/AS After receiving the SDS-PDU, the SCS/AS sends an Ack to the Gateway SDHF.
  • the Gateway SDH After receiving the Ack sent by the SCS/AS, the Gateway SDH forwards it to the Serving SDHF.
  • the Serving SDHF After receiving the Ack sent by the Gateway SDH, the Serving SDHF forwards the Ack to the base station.
  • S1010, S1011, S1012, and S1013 are optional steps.
  • the base station presets a certificate-based public and private key
  • the IoT device and the credential memory preset a symmetric key.
  • the base station sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent. Can improve the efficiency of data transmission.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of DDoS attacks or other attacks on the core network.
  • each device such as a base station and an IoT device, includes hardware structures and/or software modules for performing respective functions in order to implement the above functions.
  • each device such as a base station and an IoT device
  • the present application can be implemented in a combination of hardware or hardware and computer software in combination with the elements and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or computer software to drive hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods to implement the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present application.
  • the present application may divide a functional unit into a base station, an IoT device, or the like according to the above method example.
  • each functional unit may be divided according to each function, or two or more functions may be integrated into one processing unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of the unit in the present application is schematic, and is only a logical function division, and the actual implementation may have another division manner.
  • FIG. 15 shows a possible structural diagram of the base station involved in the above embodiment.
  • the base station 1000 includes a processing unit 1002 and a communication unit 1003.
  • the processing unit 1002 is configured to control and control the action of the base station 1000.
  • the processing unit 1002 is configured to support the base station 1000 to perform S140 of FIG. 4, and the processing unit 1002 is further configured to support the base station 1000 to perform S204 of FIG. 5, and/or Other processes of the techniques described herein.
  • Communication unit 1003 is used to support communication between base station 1000 and other network entities, such as with the IoT device shown in FIG.
  • the base station 1000 may further include a storage unit 1001 for storing program codes and data of the base station 1000.
  • the processing unit 1002 may be a processor or a controller, for example, may be a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), and an application-specific integrated circuit (application-specific). Integrated circuit (ASIC), field programmable gate array (FPGA) or other programmable logic device, transistor logic device, hardware component, or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 1003 may be a transceiver, a transceiver circuit, or the like.
  • the base station involved in the present application may be the base station shown in FIG. 16.
  • the base station 1010 includes a processor 1012, a transceiver 1013, and a memory 1011.
  • the base station 1010 may further include a bus 1014.
  • the transceiver 1013, the processor 1012, and the memory 1011 may be connected to each other through a bus 1014;
  • the bus 1014 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA). Bus, etc.
  • the bus 1014 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 16, but it does not mean that there is only one bus or one type of bus.
  • the base station provided by the present application sends a broadcast message including multiple puzzles with different difficulties, and the IoT device that receives the broadcast message needs to determine a difficulty that matches the size of the data to be sent, thereby improving data transmission. effectiveness.
  • the base station After receiving the data sent by the IoT device, the indication information of the puzzle, and the answer to the puzzle, if the difficulty of the puzzle matches the size of the data and the answer is correct, the base station sends the data to the core network; if the difficulty of the puzzle is related to the data If the size does not match or the answer is incorrect, the data is not sent to the core network, thus avoiding the impact of the DDoS attack on the core network.
  • FIG. 17 shows a possible structural diagram of the IoT device involved in the above embodiment.
  • the IoT device 1100 includes a processing unit 1102 and a communication unit 1103.
  • the processing unit 1102 is configured to perform control management on the action of the IoT device 1100.
  • the processing unit 1102 is configured to support the IoT device 1100 to perform S120 of FIG. 4, and the processing unit 1102 is further configured to support the IoT device 1100 to perform S202 of FIG. 5, and / or other processes for the techniques described herein.
  • the communication unit 1103 is for supporting communication between the IoT device 1100 and other network entities, such as communication with the base station shown in FIG.
  • the IoT device 1100 may further include a storage unit 1101 for storing program codes and data of the IoT device 1100.
  • the processing unit 1102 can be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 1103 can be a transceiver, a transceiver circuit, or the like.
  • the IoT device involved in the present application may be the IoT device shown in FIG. 18.
  • the IoT device 1110 includes a processor 1112, a transceiver 1113, and a memory 1111.
  • the IoT device 1110 may also include a bus 1114.
  • the transceiver 1113, the processor 1112, and the memory 1111 may be connected to each other through a bus 1114; the bus 1114 may be a PCI bus or an EISA bus or the like.
  • the bus 1114 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 18, but it does not mean that there is only one bus or one type of bus.
  • the IoT device After receiving the broadcast message including multiple puzzles sent by the base station, the IoT device provided by the present application determines a difficulty corresponding to the difficulty from the plurality of puzzles according to the size of the data to be sent, and calculates an answer to the puzzle. The answer is sent to the base station along with the data to be sent, thereby extending the period of data transmission, thereby reducing the difficulty of calculation. The impact on the transmission of data, while reducing the impact of the DDoS attack on the base station and the core network equipment caused by the hijacking of the IoT device to the base station.
  • transceivers may include a transmitter and a receiver.
  • the transceiver may further include an antenna, and the number of antennas may be one or more.
  • the memory can be a separate device or integrated into the processor.
  • the above various devices or parts of the device can be integrated into the chip for implementation, such as integration into a baseband chip.
  • the network device or the terminal device in the device and the method embodiment are completely corresponding, and the corresponding steps are performed by the corresponding module, for example, the sending module method or the step sent by the transmitter performing the method embodiment, and the receiving module or the receiver performing the method embodiment
  • the steps of receiving, except for transmitting and receiving, may be performed by a processing module or processor.
  • a processing module or processor For the function of the specific module, reference may be made to the corresponding method embodiment, which is not described in detail.
  • the present application also provides a communication chip in which instructions are stored, which when executed on the base station 1500 or the base station 1600, cause the communication chip to perform the method corresponding to the base station in the various implementations described above.
  • the present application also provides a communication chip in which instructions are stored, which when executed on the IoT device 1700 or the IoT device 1800, cause the communication chip to perform the method corresponding to the IoT device in the various implementations described above.
  • the size of the sequence number of each process does not mean the order of execution sequence, and the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the present application.
  • the steps of a method or algorithm described in connection with the present disclosure may be implemented in a hardware or may be implemented by a processor executing software instructions.
  • the software instructions may be composed of corresponding software modules, which may be stored in a random access memory (RAM), a flash memory, a read only memory (ROM), an erasable programmable read only memory ( Erasable programmable ROM (EPROM), electrically erasable programmable read only memory (EEPROM), registers, hard disk, removable hard disk, compact disk read only (CD-ROM) or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor to enable the processor to read information from, and write information to, the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and the storage medium can be located in a base station. Additionally, the ASIC can be located in an IoT device. Of course, the processor and the storage medium can also exist as discrete components in the base station and IoT device.
  • the computer program product includes one or more computer instructions.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • the computer instructions can be stored in or transmitted by a computer readable storage medium.
  • the computer instructions may be from a website site, computer, server or data center via a wired (eg, coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (eg, infrared, wireless, microwave, etc.) Another website site, computer, server, or data center for transmission.
  • the computer readable storage medium can be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that includes one or more available media.
  • the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a digital versatile disc (DVD), or a semiconductor medium (eg, a solid state disk, SSD)) and so on.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本申请公开了一种传输数据的方法和装置,该方法包括:基站发送包括多个难题puzzle的广播消息,其中,所述多个难题的难度不同;所述基站从物联网IoT设备接收第一数据、第一难题的指示信息和所述第一难题的答案,其中,所述第一难题是所述IoT设备根据所述第一数据的大小从所述多个难题中确定的;所述基站在所述第一难题的难度与所述第一数据的大小匹配,且所述第一难题的答案正确时,向核心网设备发送所述第一数据或者对所述第一数据解密后的数据。本申请提供的传输数据的方法和装置,IoT设备从多个难度不同的难题中确定第一难题,可以在减小DDOS攻击对核心网设备的影响的同时减少难题对正常IoT设备的影响。

Description

一种传输数据的方法和装置 技术领域
本申请涉及通信领域,尤其涉及一种传输数据的方法和装置。
背景技术
物联网(internet of things,IoT)是第五代(5th-generation,5G)移动通信系统的一大重要应用场景。IoT设备数量众多,形态各异,数据发送模式也不同于传统的移动设备如手机。手机用户的数据主要以流的形式发送,一段时间内会发送多个数据包。而数量众多的IoT设备(例如智能电表)大多数时间处于睡眠状态,一段时间可能只发送一个小数据包。采用传统的模式发送数据,即通过建立连接并重建安全上下文的方式发送数据,将会造成数据发送的成本高,不利于运营商扩大营业范围,将业务拓展至低成本的IoT服务。因此,5G网络引入了针对IoT这种小数据模式的新的架构和传输方式,在新的传输方式下,网络对数据认证不需要通过额外的信令建立安全上下文,允许IoT设备不认证,不建立连接,直接向蜂窝网络发送小数据包。但是如果这种机制被滥用,攻击者利用大量被控制的IoT设备,在这种不需要认证和不需要建立安全上下文的方式下,向蜂窝网络发送小数据包,极易产生分布式拒绝服务(distributed denial of service,DDoS)攻击,使网络拥塞,甚至使网络瘫痪。
现有技术通过基站向IoT设备发送难题(puzzle)的方法降低DDoS攻击对网络设备的影响,即,基站通过广播消息发送难题,接收到该广播消息的IoT设备需要计算难题之后,将答案与待发送的数据一起发送给基站,计算难题可以延长IoT设备发送数据的周期,从而降低了DDoS攻击对网络设备的影响。
然而,当前基站每次仅发送一种难题,如果该难题的难度较小,IoT设备花费很少的时间即可计算出答案,无法有效降低DDoS攻击对网络设备的影响,如果该难题的难度较大,IoT设备需要花费大量的时间才能发送一个小数据包,这大大影响了正常IoT设备的工作。
发明内容
有鉴于此,本申请提供了一种传输数据的方法和装置,IoT设备接收到基站发送的多个不同难度的难题后,从多个难题中选择与待发送的数据的大小相匹配的难题,从而可以有效降低DDoS攻击对网络设备的影响,同时减小难题对正常IoT设备的影响。
一方面,提供了一种传输数据的方法,该方法包括:基站发送包括多个难题的广播消息,其中,所述多个难题的难度不同;所述基站从IoT设备接收第一数据、第一难题的指示信息和所述第一难题的答案,其中,所述第一难题是所述IoT设备根据所述第一数据的大小从所述多个难题中确定的;所述基站在所述第一难题的难度与所述第一数据的大小匹配,且所述第一难题的答案正确时,向核心网设备发送所述第一数据或者对所述第一数据解密后的数据;或者所述基站在所述第一难题的难度与所述第一数据的大小不匹配时,禁止向核心网设备发送所述第一数据或者对所述第一数据解密后的数据;或者所述基站在所述第一难题的答案不正确时,禁止向核心网设备发送所述第一数据或者对所述第一数据解密后的数据。
根据本申请提供的传输数据的方法,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击对核心网的影响。
可选地,该方法还包括:所述基站发送包括签名信息的所述广播消息,所述签名信息用于所述IoT设备验证所述广播消息的完整性以及所述广播消息的发送端是否为所述基站。从而可以防止IoT设备被非法消息欺骗。
可选地,该方法还包括:所述基站在第一时刻与第二时刻的差值小于预设的时间阈值时,处理所述第一数据、所述第一难题的指示信息和所述第一难题的答案,其中,所述第一时刻是所述基站发送所述广播消息的时刻,所述第二时刻是所述基站接收到承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息的时刻。
本申请提供的传输数据的方法,基站通过验证第一时刻与第二时刻的差值是否小于预设的时间阈值,可以防止基站受到被劫持的IoT设备的重放攻击。
可选地,该方法还包括:所述基站从所述IoT设备接收完整性验证信息,所述完整性验证信息用于验证第一消息的完整性以及所述第一消息的发送端是否为所述IoT设备,所述第一消息为承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息;所述基站在所述第一消息的完整性验证通过,且确定所述第一消息的发送端是所述IoT设备,且所述第一难题的难度与所述第一数据的大小匹配,且所述第一难题的答案正确时,向所述核心网设备发送所述第一数据或者对所述第一数据解密后的数据;或者所述基站在所述第一难题的难度与所述第一数据的大小匹配,且所述第一难题的答案正确时,向所述核心网设备发送所述完整性验证消息。从而可以防止基站或核心网设备被非法消息欺骗。
可选地,该方法还包括:所述基站发送包括第一指示信息的所述广播消息,所述第一指示信息用于指示接收到所述广播消息的IoT设备从所述多个难题中确定难度与待发送的数据的大小匹配的难题。从而可以灵活确定待发送的数据的大小与难题的难度的对应关系。
可选地,该方法还包括:所述基站发送包括第二指示信息的所述广播消息,所述第二指示信息用于指示接收到所述广播消息的IoT设备在发送数据时同时发送所述多个难题中的一个难题的答案。从而基站可以根据实际情况灵活确定IoT设备是否需要计算难题。
另一方面,提供了一种传输数据的方法,该方法包括:IoT设备从基站接收包括多个难题的广播消息;所述IoT设备根据第一数据的大小从所述多个难题中确定第一难题并计算出所述第一难题的答案,所述第一难题的难度与所述第一数据的大小匹配;所述IoT设备向所述基站发送所述第一数据、所述第一难题的指示信息和所述第一难题的答案。
根据本申请提供的传输数据的方法,IoT设备接收到基站发送的包括多个难题的广播消息后,根据待发送数据的大小从该多个难题中确定对应难度的难题,计算出该难题的答案后将该答案与待发送的数据一起发送给基站,从而延长了数据发送的周期,进而 减小了计算难题对传输数据造成的影响,同时减小了因IoT设备被劫持向基站发起DDoS攻击对基站和核心网设备的影响。
可选地,该方法还包括:所述IoT设备从基站接收包括签名信息的所述广播消息,所述签名信息用于验证所述广播消息的完整性以及所述广播消息的发送端是否为所述基站;所述IoT设备在所述广播消息的完整性验证通过,且确定所述广播消息的发送端是所述基站时,根据所述第一数据的大小从所述多个难题中确定所述第一难题。从而可以防止IoT设备被非法消息欺骗。
可选地,该方法还包括:所述IoT设备向所述基站发送完整性验证信息,所述完整性验证信息用于验证第一消息的完整性以及所述第一消息的发送端是否为所述IoT设备,所述第一消息是承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息。从而可以防止基站或核心网设备被非法消息欺骗。
可选地,该方法还包括:所述IoT设备从所述基站接收包括第一指示信息的所述广播消息;所述IoT设备根据所述第一指示信息从所述多个难题中确定难度与所述第一数据的大小匹配的难题。从而可以灵活确定待发送的数据的大小与难题的难度的对应关系。
可选地,该方法还包括:所述IoT设备从所述基站接收包括第二指示信息的所述广播消息;所述IoT设备根据所述第二指示信息确定在发送数据时同时发送所述多个难题中的一个难题的答案。从而基站可以根据实际情况灵活确定IoT设备是否需要计算难题。
再一方面,本申请提供了一种传输数据的装置,该装置可以实现上述方面所涉及的方法中基站所执行的功能,所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个上述功能相应的单元或模块。
在一种可能的设计中,该装置的结构中包括处理器和收发器,该处理器被配置为支持该装置执行上述方法中相应的功能。该收发器用于支持该装置与其它装置之间的通信。该装置还可以包括存储器,该存储器用于与处理器耦合,其保存该装置必要的程序指令和数据。
再一方面,本申请提供了一种传输数据的装置,该装置可以实现上述方面所涉及的方法中IoT设备所执行的功能,所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个上述功能相应的单元或模块。
在一种可能的设计中,该装置的结构中包括处理器和收发器,该处理器被配置为支持该装置执行上述方法中相应的功能。该收发器用于支持该装置与其它装置之间的通信。该装置还可以包括存储器,该存储器用于与处理器耦合,其保存该装置必要的程序指令和数据。
再一方面,本申请提供了一种计算机存储介质,用于储存为上述基站所用的计算机软件指令,其包含用于执行上述方面所设计的程序。
再一方面,本申请提供了一种计算机存储介质,用于储存为上述IoT设备所用的计算机软件指令,其包含用于执行上述方面所设计的程序。
再一方面,本申请提供了一种通信芯片,其中存储有指令,当其在基站上运行时,使得所述通信芯片执行上述各个方面的方法。
再一方面,本申请提供了一种通信芯片,其中存储有指令,当其在IoT设备上运行时,使得所述通信芯片执行上述各个方面的方法。
相比于现有技术,根据本申请提供的传输数据的方法,基站发送包括多个难度不同 的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击对核心网的影响。
附图说明
图1是适用本申请的一种可能的网络架构的示意图;
图2是是数字签名和验证过程的示意图;
图3是基于身份的密码机制的示意图;
图4是本申请提供的一种传输数据的方法的示意性流程图;
图5是本申请提供的另一种传输数据的方法的示意性流程图;
图6是本申请提供的再一种传输数据的方法的示意性流程图;
图7是本申请提供的再一种传输数据的方法的示意性流程图;
图8是本申请提供的再一种传输数据的方法的示意性流程图;
图9是本申请提供的再一种传输数据的方法的示意性流程图;
图10是本申请提供的再一种传输数据的方法的示意性流程图;
图11是本申请提供的再一种传输数据的方法的示意性流程图;
图12是本申请提供的再一种传输数据的方法的示意性流程图;
图13是本申请提供的再一种传输数据的方法的示意性流程图;
图14是本申请提供的再一种传输数据的方法的示意性流程图;
图15是本申请提供的一种可能的基站的结构示意图;
图16是本申请提供的另一种可能的基站的结构示意图;
图17是本申请提供的一种可能的IoT设备的结构示意图;
图18是本申请提供的另一种可能的IoT设备的结构示意图。
具体实施方式
下面将结合附图,对本申请中的技术方案进行描述。
图1适用本申请的一种可能的网络架构的示意图。如图1所示,该网络架构可以包括基站10、IoT设备20、IoT设备30和核心网设备40。图1中所示出的箭头表示设备与设备之间可以进行通信。IoT设备20例如可以是传感器,IoT设备30例如可以是智能电表,基站10可以是2G通信系统中的基站,也可以是3G或4G通信系统中的基站,还可以是未来5G通信系统中的基站。
图1所示的网络架构只是为了帮助本领域技术人员更好地理解本申请,而非限制本申请的范围。例如,图1中虽然只描述了两个IoT设备,但本申请中还可以包括更多数量的IoT设备或者更少数量的IoT设备设备,本申请对于IoT设备的类型也不作限定。
本申请中,IoT设备与基站之间传输的信息可以是明文,也可以是密文,为了保证IoT设备和基站能够识别被篡改的消息或者非法消息,IoT设备与基站在发送消息前需要对待发送的消息进行签名处理。为方便理解,下面结合图2至图3对本申请中涉及的加解密方法和签名方法进行简要描述。
1、非对称加密(asymmetric cryptography)
非对称加密是一种密码学算法类型,在这种密码学方法中,需要一对密钥,一个是私人密钥,另一个则是公开密钥。这两个密钥是数学相关,用某用户密钥加密后所得的信息,只能用该用户的解密密钥才能解密。如果知道了其中一个,并不能计算出另外一个。因此如果公开了一对密钥中的一个,并不会危害到另外一个的秘密性质。私钥是密钥对所有者持有,不可公布,公钥是密钥对持有者公布给他人的,因此称公开的密钥为公钥;不公开的密钥为私钥。
如果加密密钥是公开的,这用于客户给私钥所有者上传加密的数据,这被称作为公开密钥加密,用公钥加密的数据只能使用私钥解密,私钥用来解密公钥加密的数据。常见的公钥加密算法有:RSA(由发明者Rivest、Shmir和Adleman姓氏首字母缩写而来)算法、ElGamal、背包算法、Rabin(RSA的特例)、椭圆曲线加密算法(elliptic curve cryptography,ECC)。使用最广泛的是RSA算法,是著名的公开金钥加密算法。
如果解密密钥是公开的,用私钥加密的信息,可以用公钥对其解密,用于客户验证持有私钥一方发布的数据或文件是完整准确的,接收者由此可知这条信息确实来自于拥有私钥的某人,这被称作数字签名,公钥的形式就是数字证书。例如,从网上下载的安装程序,一般都带有程序制作者的数字签名,可以证明该程序的确是该作者(公司)发布的而不是第三方伪造的且未被篡改过(身份认证/验证)。
2、数字签名及其验证
图2是数字签名和验证的示意图。如图2所示,发送方使用私钥对需要传输文本的摘要进行加密,得到的密文即被称为该次传输过程的数字签名(简称为“签名”),其中,传输文本的摘要是对需要传输的文本做哈希(HASH)计算(例如SHA1和SHA2)后得到的。
接收方,即收到数据的一方拿到该传输文本后,需要确认该文本是否就是发送方所发出的内容,中途是否曾经被篡改。因此接收方可以拿自己持有的公钥对签名进行解密(密钥对中的一种密钥加密的数据必定能使用另一种密钥解密),得到了传输文本的摘要,然后使用与发送方同样的HASH算法计算摘要值,再与解密得到的摘要做对比,如果发现二者完全一致,则说明传输文本没有被篡改过。
在签名的过程中,接收方需要自己保管好公钥,但是每一个发送方都有一个公钥,那么接收方需要保存非常多的公钥,这根本就管理不过来。并且本地保存的公钥有可能被篡改替换,无从发现。那么为了解决这个问题,可以由一个统一的证书管理机构来管理所有发送方的公钥,并对这些公钥进行认证和加密。这个机构也就是我们常说的证书代理机构(certificate agency,CA)。认证加密后的公钥,即是证书,又称为CA证书,证书中包含了很多信息,最重要的是申请者的公钥。CA机构在给公钥加密时,用的是一个统一的密钥对,在加密公钥时,用的是其中的私钥。这样,申请者拿到证书后,在发送数据时,用自己的私钥生成签名,将签名、证书和发送内容一起发给对方,对方拿到了证书后,需要对证书解密以获取到证书中的公钥,解密需要用到CA机构的“统一密钥对”中的公钥,这个公钥也就是我们常说的CA根证书,通常需要我们到证书颁发机构去下载并安装到相应的收取数据的客户端,如浏览器上面。这个公钥只需要安装一次。有了这个公钥之后,就可以解密证书,拿到发送方的公钥,然后解密发送方发过来的签名,获取摘要,重新计算摘要,作对比,以验证数据内容的完整性。
3、基于身份的密码机制
基于身份的密码机制(identity-based cryptography,IBC)包括基于身份的签名技术(identity based signature,IBS)和基于身份的加密技术(identity based encryption,IBE)。每个用户拥有自己的公私钥对,其中公钥为有意义的字符串(身份),例如邮箱(email)地址、电话号码等;用户的私钥由私钥生成中心(private key generator,PKG)根据用户身份(ID)和PKG的主私钥生成,签名过程中无需PKG参与,签名验证只需要签名、消息、身份和主公钥。传统公钥基础设施(public key infrastructure,PKI)机制与IBC的不同在于,PKI中用户拥有一对不同的公私钥,公钥为随机字符串,需要证书中心对公钥签名来确认某个公钥是属于某个用户的,签名或加密过程中需要验证证书。
如图3所示的基于身份的密码机制的示意图,用户Alice和Bob分别拥有自己的公私钥对,PKG根据Alice的IDAlice和PKG的主私钥(global secret key,GSK)生成Alice的私钥SKAlice,Alice使用其私钥对需要传输的消息进行签名,签名过程中无需PKG参与,Bob对Alice发送的签名进行验证时只需要签名、消息、IDAlice和主公钥(global public key,GPK)。
上文举例介绍了可以应用于本申请的加解密方法和签名方法,应理解,本申请还可以应用其它的加解密方法和签名方法。下面,将结合图4详细介绍根据本申请的传输数据的方法。
图4是本申请提供的传输数据的方法的示意性流程图。如图4所示,该方法100包括:
S110,基站发送包括多个难题的广播消息,其中,所述多个难题的难度不同。
基站发送广播消息前事先生成多个难度不同的难题,不同难度的难题对应不同的允许上传数据的大小。生成难题的方法可以参照现有技术中的难题生成方法,在此不再赘述。
基站可以根据实际情况设置难题的难度与允许上传数据的大小的对应关系,例如,对于一个大小固定的数据,当基站判断当前受到DDoS攻击的威胁较大时,可以设置该数据对应高难度的难题,从而可以延长IoT设备的发送周期;当基站判断当前受到DDoS攻击的威胁较小时,可以设置该数据对应低难度的难题,从而可以缩短IoT设备的发送周期。
基站可以每隔t秒发送该广播消息,也可以根据实际需要(例如当前基站遭受DDoS攻击)发送该广播消息。
可选地,基站发送的广播消息还包括签名信息(Sig_BS),该签名信息用于IoT设备验证所述广播消息的完整性以及所述广播消息的发送端是否为所述基站。从而可以防止IoT设备被非法消息欺骗。
可选地,基站发送的广播消息还包括时间戳信息(TS),该时间戳信息用于记录该广播消息的发送时间,IoT设备向基站发送的消息也携带该时间戳信息,基站接收到该IoT设备发送的消息后,根据接收到该IoT设备的消息的时刻(即,第二时刻)以及该时间戳信息所指示的时刻(即,第一时刻)确定该消息是否为重放攻击消息,当第一时刻与第二时刻的差值小于或等于预设的时间阈值时,基站可以确定该消息为正常消息,当第一时刻与第二时刻的差值大于预设的时间阈值时,基站可以确定该消息为重放攻击消息,从而可以防止基站受到被劫持的IoT设备的重放攻击。
可选地,基站发送的广播消息还包括第一指示信息,该第一指示信息用于指示接收到所述广播消息的IoT设备从所述多个难题中确定难度与待发送的数据的大小匹配的难题(即,该第一指示信息指示难题的难度与待发送的数据的大小的对应关系)。从而可以灵活确定待发送的数据的大小与难题的难度的对应关系。
可选地,基站发送的广播消息还包括第二指示信息(P_Ind),该第二指示信息用于指示接收到该广播消息的IoT设备是否需要计算难题。例如,当基站受到DDoS攻击时,可以将P_Ind设置为1,用于指示接收到该广播消息的IoT设备需要计算难题并将答案与待发送的数据一起发送;当基站没有受到DDoS攻击时,可以将P_Ind设置为0,用于指示接收到该广播消息的IoT设备无需计算难题即可向基站发送数据,从而可以灵活确定IoT设备是否需要计算难题。
S120,IoT设备根据第一数据的大小从所述多个难题中确定第一难题并计算出所述第一难题的答案,所述第一难题的难度与所述第一数据的大小匹配。
IoT设备接收到该广播消息后根据第一数据(即,当前的待发送数据)的大小从广播消息携带的多个难题中确定第一难题,第一难题的难度与第一数据的大小匹配。IoT设备可以根据预设在该IoT设备内的对应关系(即,难题的难度与允许上传数据的大小的对应关系)确定第一难题,也可以根据广播消息中携带的指示该对应关系的指示信息确定第一难题。
本申请中,第一数据的大小可以是加密前的数据的大小,也可以是加密后的数据的大小。优选地,该第一数据为加密后的数据的大小,从而基站无需对接收到的数据进行解密即可判断接收到的数据的大小与IoT设备选择的难题的难度是否匹配,提高了基站抗DDoS攻击的能力。
S130,IoT设备向所述基站发送所述第一数据、所述第一难题的指示信息和所述第一难题的答案。
可选地,IoT设备还向基站发送完整性验证信息,该完整性验证信息用于验证第一消息的完整性以及该第一消息的发送端是否为所述IoT设备,其中,所述第一消息是承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息。该完整性验证信息例如可以是消息认证码(message authentication code,MAC),也可以是所述IoT设备的证书(Device_Certi)和签名(Sig)。基站确定第一难题的难度与第一数据的大小匹配,且第一难题的答案正确之后,基站可以根据该完整性验证消息成功验证第一消息的完整性后将第一消息发送给核心网,基站也可以将该完整性验证消息发送给核心网设备,以便于核心网设备验证第一消息的完整性,从而可以防止基站或核心网设备被非法消息欺骗。
S140,基站验证第一难题的难度与第一数据的大小是否匹配,以及第一难题的答案是否正确,
当第一难题的难度与第一数据的大小不匹配时,禁止向核心网设备发送该第一数据或者对该第一数据解密后的数据;或者
当第一难题的答案不正确时,禁止向核心网设备发送该第一数据或者对该第一数据解密后的数据。
基站接收到承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息后,根据第一难题的指示信息确定IoT设备选择的难题,并验证第一难题的难度与 第一数据的大小是否匹配,以及第一难题的答案是否正确。只有当第一难题的难度与第一数据的大小匹配,且第一难题的答案正确时,基站才向核心网设备发送该第一数据,如果该第一数据是加密的数据,基站还可以将该第一数据解密后向核心网设备发送解密后的数据。
因此,根据本申请提供的传输数据的方法,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击对核心网的影响。
上文结合图1至图4详细介绍了根据本申请的传输数据的方法,但本申请不限于此,下面,将基于上面所述的本申请涉及的共性方面,对本申请进一步详细说明。
图5为本申请提供的另一种传输数据的方法的示意性流程图,如图5所示,该方法200包括:
S201,基站周期性发送广播消息,该广播消息携带基站的标识信息(BS_ID)、时间戳(TS)、第二指示信息(P_Ind)、多个难度不同的难题(Puzzles)以及基站的签名(Sig_BS)。
基站在发送广播消息前生成多个难度不同的难题,如Puzzle 1,Puzzle 2,…,Puzzle N,其生成方式为Puzzle 1=(Rand1’,k1,H(TS,Rand1,..)),Puzzle 2=(Rand2’,k2,H(TS,Rand2,..)),其中TS为时间戳信息,RAND1为随机数1,RAND1’处理过后的RAND1,其处理方式为把RAND1中的k1位盖住,具体可通过设为0或者1来实现。H()为哈希函数。Puzzle 2同理。不同的Puzzle的难度不同,不同难度的Puzzle对应不同的允许上传的数据的大小。上述实施例仅是举例说明,还可以通过现有技术的其它方法生成多个难度不同的难题,在此不再赘述。
基站可以每隔t秒发送上述广播消息,其中,P_Ind用于指示需不需要计算难题。例如,如果基站遭受DoS攻击,可将P_Ind设为1,表示需要计算难题;如果基站未遭受DoS攻击,可将P_Ind设为0,表示不需要计算难题。Sig_BS为基站对该消息的签名。
S202,IoT设备接收到基站发送的上述广播消息后,如果该IoT设备有需要上传的数据,则首先通过BS_ID验证Sig_BS,以确定该广播消息的完整性以及确定该广播消息是否为该基站发出的。如果验证通过,然后根据P_Ind确定是否需要计算难题。如果需要计算难题,则可以根据预设的对应关系以及待发送的数据的大小从多个难度不同的难题中确定难度合适的难题。例如,IoT设备确定需要计算Puzzle 1,计算方式可以是基于接收到的Rand1’尝试被盖住k1位的数字,每次尝试需要计算一次H(TS,RAND’,..),直到找到H(TS,RAND’,..)=H(TS,RAND1,..),然后将找到的这个随机数作为答案(puzzle solution,PS)。同时利用IBS的特点计算对称密钥K,即K=e(xH(Device_ID),H(BS_ID))。
S203,IoT设备向基站发送第一消息,该第一消息包括IoT设备的标识信息(Device_ID)、时间戳(TS)、IoT设备所选择的难题的指示信息(PZ#)、IoT设备所选择的难题的答案(PS)、基于对称密钥K加密的小数据En(SDS-PDU,K)以及基于K生成的MAC,其中,第一消息中的TS为该IoT设备接收到的上述广播消息中携带的TS,SDS-PDU表示未加密的数据。
S204,基站接收到第一消息后,首先验证接收到该第一消息的时刻(即,第二时刻)与TS所指示的时刻(即,第一时刻)的差值是否小于或等于预设的时间阈值,如果第二时刻与第一时刻的差值小于或等于该时间阈值,则确定该第一消息为合法消息,并对该第一消息进行后续处理;如果第二时刻与第一时刻的差值大于该时间阈值,则确定该第一消息为非法消息,可以删除该第一消息承载的数据,从而可以避免基站受到被劫持的IoT设备的重放攻击。
基站成功验证TS(即,确定该第一消息为合法消息)之后,进一步验证PS是否正确以及PZ#指示的难题的难度与En(SDS-PDU,K)的大小是否匹配,如果PS不正确,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PZ#指示的难题的难度与En(SDS-PDU,K)的大小不匹配,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PS正确,且PZ#指示的难题的难度与En(SDS-PDU,K)的大小匹配,则利用IBS的特点计算对称密钥K,即K=e(xH(BS_ID),H(Device_ID))。然后利用生成的K验证MAC,验证通过后利用K解密En(SDS-PDU,K)。基站可以先验证PS再验证PZ#,也可以先验证PZ#再验证PS。
S205,基站将小数据消息(SDS-PDU)发送给服务小数据处理功能(serving small data handling function,Serving SDHF)。Serving SDHF属于核心网设备。
S206,Serving SDHF将小数据消息(SDS-PDU)转发给网关小数据处理功能(gateway small data handling function,Gateway SDHF)。Gateway SDHF属于核心网设备。
S207,Gateway SDHF将小数据消息(SDS-PDU)转发给应用服务器(application server,AS)或者服务提供服务器(service capability server,SCS)。
S208,SCS/AS收到小数据消息(SDS-PDU)后发送确认消息(Ack)给Gateway SDHF。
S209,Gateway SDH收到SCS/AS发送的确认消息后,转发给Serving SDHF。
S210,Serving SDHF收到Gateway SDH发送的确认消息后,转发给基站。
S211,基站收到Serving SDHF发送的确认消息后,转发给IoT设备。
上述步骤中,S208、S209、S210和S211为可选步骤,此外,上述生成和使用对称密钥K的方法仅是举例说明,其它利用IBS的特点(即双方ID)生成对称密钥的方法都可以应用于本申请。方法200中,基站和IoT设备均预置了基于IBS的公私钥。
因此,根据本申请的传输数据的方法200,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击或者其它攻击对核心网的影响。
图6为本申请提供的再一种传输数据的方法的示意性流程图,如图6所示,该方法300包括:
S301,基站周期性发送广播消息,该广播消息携带基站的标识信息(BS_ID)、基站的证书(BS_Certi)、时间戳(TS)、第二指示信息(P_Ind)、多个难度不同的难题(Puzzles)以及基站的签名(Sig_BS)。
基站在发送广播消息前生成多个难度不同的难题,如Puzzle 1,Puzzle 2,…,Puzzle N,其生成方式为Puzzle 1=(Rand1’,k1,H(TS,Rand1,..)),Puzzle 2=(Rand2’,k2,H(TS, Rand2,..)),其中TS为时间戳信息,RAND1为随机数1,RAND1’处理过后的RAND1,其处理方式为把RAND1中的k1位盖住,具体可通过设为0或者1来实现。H()为哈希函数。Puzzle 2同理。不同的Puzzle的难度不同,不同难度的Puzzle对应不同的允许上传的数据的大小。上述实施例仅是举例说明,还可以通过现有技术的其它方法生成多个难度不同的难题,在此不再赘述。
基站可以每隔t秒发送上述广播消息,其中,P_Ind用于指示需不需要计算难题。例如,如果基站遭受DoS攻击,可将P_Ind设为1,表示需要计算难题;如果基站未遭受DoS攻击,可将P_Ind设为0,表示不需要计算难题。Sig_BS为基站对该消息的签名。
S302,IoT设备接收到基站发送的上述广播消息后,如果该IoT设备有需要上传的数据,则首先通过基站的公钥(BS’s Public Key)验证Sig_BS,以确定该广播消息的完整性以及确定该广播消息是否为该基站发出的。如果验证通过,然后根据P_Ind确定是否需要计算难题。如果需要计算难题,则可以根据预设的对应关系以及待发送的数据的大小从多个难度不同的难题中确定难度合适的难题。例如,IoT设备确定需要计算Puzzle 1,计算方式可以是基于接收到的Rand1’尝试被盖住k1位的数字,每次尝试需要计算一次H(TS,RAND’,..),直到找到H(TS,RAND’,..)=H(TS,RAND1,..),然后将找到的这个随机数作为答案(Puzzle Solution,PS)。
S303,IoT设备向基站发送第一消息,该第一消息包括IoT设备的标识信息(Device_ID)、时间戳(TS)、IoT设备的证书(Device_Certi)、IoT设备所选择的难题的指示信息(PZ#)、IoT设备所选择的难题的答案(PS)、基于基站的公钥加密的小数据En(SDS-PDU,BS’s Public Key)以及IoT设备的签名(Sig),其中,第一消息中的TS为该IoT设备接收到的上述广播消息中携带的TS,SDS-PDU表示未加密的数据。
S304,基站接收到第一消息后,首先验证接收到该第一消息的时刻(即,第二时刻)与TS所指示的时刻(即,第一时刻)的差值是否小于或等于预设的时间阈值,如果第二时刻与第一时刻的差值小于或等于该时间阈值,则确定该第一消息为合法消息,并对该第一消息进行后续处理;如果第二时刻与第一时刻的差值大于该时间阈值,则确定该第一消息为非法消息,可以删除该第一消息承载的数据,从而可以避免基站受到被劫持的IoT设备的重放攻击。
基站成功验证TS(即,确定该第一消息为合法消息)之后,进一步验证PS是否正确以及PZ#指示的难题的难度与En(SDS-PDU,BS’s Public Key)的大小是否匹配,如果PS不正确,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PZ#指示的难题的难度与En(SDS-PDU,BS’s Public Key)的大小不匹配,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PS正确,且PZ#指示的难题的难度与En(SDS-PDU,BS’s Public Key)的大小匹配,则验证Sig,验证通过后利用其私钥解密小数据包SDS-PDU。基站可以先验证PS再验证PZ#,也可以先验证PZ#再验证PS。
S305,基站将解密后的小数据(SDS-PDU)发送给Serving SDHF。
S306,Serving SDHF将SDS-PDU转发给Gateway SDHF。
S307,Gateway SDHF将SDS-PDU转发给SCS/AS。
S308,SCS/AS收到SDS-PDU后发送确认消息(Ack)给Gateway SDHF。
S309,Gateway SDH收到SCS/AS发送的Ack后,转发给Serving SDHF。
S310,Serving SDHF收到Gateway SDH发送的Ack后,转发给基站。
S311,基站收到Serving SDHF发送的Ack后,转发给IoT设备。
上述步骤中,S308、S309、S310和S311为可选步骤,此外,方法300中,基站和IoT设备均预置了基于证书的公私钥。
因此,根据本申请的传输数据的方法300,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击或其它攻击对核心网的影响。
图7为本申请提供的再一种传输数据的方法的示意性流程图,如图7所示,该方法400包括:
S401,基站周期性发送广播消息,该广播消息携带基站的标识信息(BS_ID)、时间戳(TS)、第二指示信息(P_Ind)、多个难度不同的难题(Puzzles)以及基站的签名(Sig_BS)。
基站在发送广播消息前生成多个难度不同的难题,如Puzzle 1,Puzzle 2,…,Puzzle N,其生成方式为Puzzle 1=(Rand1’,k1,H(TS,Rand1,..)),Puzzle 2=(Rand2’,k2,H(TS,Rand2,..)),其中TS为时间戳,RAND1为随机数1,RAND1’处理过后的RAND1,其处理方式为把RAND1中的k1位盖住,具体可通过设为0或者1来实现。H()为哈希函数。Puzzle 2同理。不同的Puzzle的难度不同,不同难度的Puzzle对应不同的允许上传的数据的大小。上述实施例仅是举例说明,还可以通过现有技术的其它方法生成多个难度不同的难题,在此不再赘述。
基站可以每隔t秒发送上述广播消息,其中,P_Ind用于指示需不需要计算难题。例如,如果基站遭受DoS攻击,可将P_Ind设为1,表示需要计算难题;如果基站未遭受DoS攻击,可将P_Ind设为0,表示不需要计算难题。Sig_BS为基站对该消息的签名。
S402,IoT设备接收到基站发送的上述广播消息后,如果该IoT设备有需要上传的数据,则首先通过BS_ID验证Sig_BS,以确定该广播消息的完整性以及确定该广播消息是否为该基站发出的。如果验证通过,然后根据P_Ind确定是否需要计算难题。如果需要计算难题,则可以根据预设的对应关系以及待发送的数据的大小从多个难度不同的难题中确定难度合适的难题。例如,IoT设备确定需要计算Puzzle 1,计算方式可以是基于接收到的Rand1’尝试被盖住k1位的数字,每次尝试需要计算一次H(TS,RAND’,..),直到找到H(TS,RAND’,..)=H(TS,RAND1,..),然后将找到的这个随机数作为答案(Puzzle Solution,PS)。
S403,IoT设备向基站发送第一消息,该第一消息包括IoT设备的标识信息(Device_ID)、时间戳(TS)、IoT设备所选择的难题的指示信息(PZ#)、IoT设备所选择的难题的答案(PS)、基于Serving SDHF的公钥(即Serving SDHF的ID)加密的小数据En(SDS-PDU,S-SDHF-ID)以及IoT设备的签名(Sig),其中,第一消息中的TS为该IoT设备接收到的上述广播消息中携带的TS,SDS-PDU表示未加密的数据。
S404,基站接收到第一消息后,首先验证接收到该第一消息的时刻(即,第二时刻)与TS所指示的时刻(即,第一时刻)的差值是否小于或等于预设的时间阈值,如果第二时刻与第一时刻的差值小于或等于该时间阈值,则确定该第一消息为合法消息,并对该 第一消息进行后续处理;如果第二时刻与第一时刻的差值大于该时间阈值,则确定该第一消息为非法消息,可以删除该第一消息承载的数据,从而可以避免基站受到被劫持的IoT设备的重放攻击。
基站成功验证TS(即,确定该第一消息为合法消息)之后,进一步验证PS是否正确以及PZ#指示的难题的难度与En(SDS-PDU,S-SDHF-ID)的大小是否匹配,如果PS不正确,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PZ#指示的难题的难度与En(SDS-PDU,S-SDHF-ID)的大小不匹配,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PS正确,且PZ#指示的难题的难度与En(SDS-PDU,S-SDHF-ID)的大小匹配,则向Serving SDHF转发加密的数据En(SDS-PDU,S-SDHF-ID)。基站可以先验证PS再验证PZ#,也可以先验证PZ#再验证PS。
S405,基站将加密的小数据En(SDS-PDU,S-SDHF-ID)、IoT设备的标识(Device_ID)和IoT设备的签名(Sig)发送给Serving SDHF。
S406,Serving SDHF接收到上述信息后,首先通过Device_ID验证Sig,验证通过后利用Serving SDHF的私钥解密En(SDS-PDU,S-SDHF-ID)。
S407,Serving SDHF将小数据(SDS-PDU)转发给Gateway SDHF。
S408,Gateway SDHF将SDS-PDU转发给SCS/AS。
S409,SCS/AS收到SDS-PDU后发送确认消息(Ack)给Gateway SDHF。
S410,Gateway SDH收到SCS/AS发送的Ack后,转发给Serving SDHF。
S411,Serving SDHF收到Gateway SDH发送的Ack后,转发给基站。
S412,基站收到Serving SDHF发送的Ack后,转发给IoT设备。
上述步骤中,S409、S410、S411和S412为可选步骤,此外,方法400中,基站和IoT设备均预置了基于IBS的公私钥。
因此,根据本申请的传输数据的方法400,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击对核心网的影响。
图8为本申请提供的再一种传输数据的方法的示意性流程图,如图8所示,该方法500包括:
S501,基站周期性发送广播消息,该广播消息携带基站的标识信息(BS_ID)、基站的证书(BS_Certi)、时间戳(TS)、第二指示信息(P_Ind)、多个难度不同的难题(Puzzles)以及基站的签名(Sig_BS)。
基站在发送广播消息前生成多个难度不同的难题,如Puzzle 1,Puzzle 2,…,Puzzle N,其生成方式为Puzzle 1=(Rand1’,k1,H(TS,Rand1,..)),Puzzle 2=(Rand2’,k2,H(TS,Rand2,..)),其中TS为时间戳信息,RAND1为随机数1,RAND1’处理过后的RAND1,其处理方式为把RAND1中的k1位盖住,具体可通过设为0或者1来实现。H()为哈希函数。Puzzle 2同理。不同的Puzzle的难度不同,不同难度的Puzzle对应不同的允许上传的数据的大小。上述实施例仅是举例说明,还可以通过现有技术的其它方法生成多个难度不同的难题,在此不再赘述。
基站可以每隔t秒发送上述广播消息,其中,P_Ind用于指示需不需要计算难题。例如,如果基站遭受DoS攻击,可将P_Ind设为1,表示需要计算难题;如果基站未遭受DoS攻击,可将P_Ind设为0,表示不需要计算难题。Sig_BS为基站对该消息的签名。
S502,IoT设备接收到基站发送的上述广播消息后,如果该IoT设备有需要上传的数据,则首先通过基站的公钥(BS’s Public Key)验证Sig_BS,以确定该广播消息的完整性以及确定该广播消息是否为该基站发出的。如果验证通过,然后根据P_Ind确定是否需要计算难题。如果需要计算难题,则可以根据预设的对应关系以及待发送的数据的大小从多个难度不同的难题中确定难度合适的难题。例如,IoT设备确定需要计算Puzzle1,计算方式可以是基于接收到的Rand1’尝试被盖住k1位的数字,每次尝试需要计算一次H(TS,RAND’,..),直到找到H(TS,RAND’,..)=H(TS,RAND1,..),然后将找到的这个随机数作为答案(Puzzle Solution,PS)。
S503,IoT设备向基站发送第一消息,该第一消息包括IoT设备的标识信息(Device_ID)、时间戳(TS)、IoT设备的证书(Device_Certi)、IoT设备所选择的难题的指示信息(PZ#)、IoT设备所选择的难题的答案(PS)、基于Serving SDHF的公钥加密的小数据En(SDS-PDU,S-SDHF’s Public Key)以及IoT设备的签名(Sig),其中,第一消息中的TS为该IoT设备接收到的上述广播消息中携带的TS,SDS-PDU表示未加密的数据。
S504,基站接收到第一消息后,首先验证接收到该第一消息的时刻(即,第二时刻)与TS所指示的时刻(即,第一时刻)的差值是否小于或等于预设的时间阈值,如果第二时刻与第一时刻的差值小于或等于该时间阈值,则确定该第一消息为合法消息,并对该第一消息进行后续处理;如果第二时刻与第一时刻的差值大于该时间阈值,则确定该第一消息为非法消息,可以删除该第一消息承载的数据,从而可以避免基站受到被劫持的IoT设备的重放攻击。
基站成功验证TS(即,确定该第一消息为合法消息)之后,进一步验证PS是否正确以及PZ#指示的难题的难度与En(SDS-PDU,S-SDHF’s Public Key)的大小是否匹配,如果PS不正确,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PZ#指示的难题的难度与En(SDS-PDU,S-SDHF’s Public Key)的大小不匹配,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PS正确,且PZ#指示的难题的难度与En(SDS-PDU,S-SDHF’s Public Key)的大小匹配,则向Serving SDHF转发加密的数据En(SDS-PDU,S-SDHF’s Public Key)。基站可以先验证PS再验证PZ#,也可以先验证PZ#再验证PS。
S505,基站将小数据消息(Device_ID,Device_Certi,En(SDS-PDU,S-SDHF’s Public Key),Sig)发送给Serving SDHF。
S506,Serving SDHF接收到上述消息后,首先通过Device_ID验证Sig,验证通过后利用Serving SDHF的私钥解密En(SDS-PDU,S-SDHF’s Public Key)。
S507,Serving SDHF将小数据(SDS-PDU)转发给Gateway SDHF。
S508,Gateway SDHF将SDS-PDU转发给SCS/AS。
S509,SCS/AS收到SDS-PDU后发送确认消息(Ack)给Gateway SDHF。
S510,Gateway SDH收到SCS/AS发送的Ack后,转发给Serving SDHF。
S511,Serving SDHF收到Gateway SDH发送的Ack后,转发给基站。
S512,基站收到Serving SDHF发送的Ack后,转发给IoT设备。
上述步骤中,S509、S510、S511和S512为可选步骤,此外,方法500中,基站和IoT设备均预置了基于证书的公私钥。
因此,根据本申请的传输数据的方法500,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击或其它攻击对核心网的影响。
图9为本申请提供的再一种传输数据的方法的示意性流程图,如图9所示,该方法600包括:
S601,基站周期性发送广播消息,该广播消息携带基站的标识信息(BS_ID)、时间戳(TS)、第二指示信息(P_Ind)、多个难度不同的难题(Puzzles)以及基站的签名(Sig_BS)。
基站在发送广播消息前生成多个难度不同的难题,如Puzzle 1,Puzzle 2,…,Puzzle N,其生成方式为Puzzle 1=(Rand1’,k1,H(TS,Rand1,..)),Puzzle 2=(Rand2’,k2,H(TS,Rand2,..)),其中TS为时间戳,RAND1为随机数1,RAND1’处理过后的RAND1,其处理方式为把RAND1中的k1位盖住,具体可通过设为0或者1来实现。H()为哈希函数。Puzzle 2同理。不同的Puzzle的难度不同,不同难度的Puzzle对应不同的允许上传的数据的大小。上述实施例仅是举例说明,还可以通过现有技术的其它方法生成多个难度不同的难题,在此不再赘述。
基站可以每隔t秒发送上述广播消息,其中,P_Ind用于指示需不需要计算难题。例如,如果基站遭受DoS攻击,可将P_Ind设为1,表示需要计算难题;如果基站未遭受DoS攻击,可将P_Ind设为0,表示不需要计算难题。Sig_BS为基站对该消息的签名。
S602,IoT设备接收到基站发送的上述广播消息后,如果该IoT设备有需要上传的数据,则首先通过BS_ID验证Sig_BS,以确定该广播消息的完整性以及确定该广播消息是否为该基站发出的。如果验证通过,然后根据P_Ind确定是否需要计算难题。如果需要计算难题,则可以根据预设的对应关系以及待发送的数据的大小从多个难度不同的难题中确定难度合适的难题。例如,IoT设备确定需要计算Puzzle 1,计算方式可以是基于接收到的Rand1’尝试被盖住k1位的数字,每次尝试需要计算一次H(TS,RAND’,..),直到找到H(TS,RAND’,..)=H(TS,RAND1,..),然后将找到的这个随机数作为答案(Puzzle Solution,PS)。同时利用IBS的特点计算对称钥K,即K=e(xH(Device_ID),H(BS_ID))。
S603,IoT设备向基站发送第一消息,该第一消息包括IoT设备的标识信息(Device_ID)、时间戳(TS)、IoT设备所选择的难题的指示信息(PZ#)、IoT设备所选择的难题的答案(PS)、基于AS的公钥(即AS的ID)加密的小数据En(SDS-PDU,AS-ID)以及基于K生成的MAC,其中,第一消息中的TS为该IoT设备接收到的上述广播消息中携带的TS,SDS-PDU表示未加密的数据。
S604,基站接收到第一消息后,首先验证接收到该第一消息的时刻(即,第二时刻)与TS所指示的时刻(即,第一时刻)的差值是否小于或等于预设的时间阈值,如果第二时刻与第一时刻的差值小于或等于该时间阈值,则确定该第一消息为合法消息,并对该 第一消息进行后续处理;如果第二时刻与第一时刻的差值大于该时间阈值,则确定该第一消息为非法消息,可以删除该第一消息承载的数据,从而可以避免基站受到被劫持的IoT设备的重放攻击。
基站成功验证TS(即,确定该第一消息为合法消息)之后,进一步验证PS是否正确以及PZ#指示的难题的难度与En(SDS-PDU,AS-ID)的大小是否匹配,如果PS不正确,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PZ#指示的难题的难度与En(SDS-PDU,AS-ID)的大小不匹配,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PS正确,且PZ#指示的难题的难度与En(SDS-PDU,AS-ID)的大小匹配,则利用IBS的特点计算对称密钥K,即K=e(xH(BS_ID),H(Device_ID))。然后利用生成的K,验证MAC,验证通过后向Serving SDHF转发加密的数据En(SDS-PDU,AS-ID)。基站可以先验证PS再验证PZ#,也可以先验证PZ#再验证PS。
S605,基站将加密的小数据En(SDS-PDU,AS-ID)发送给Serving SDHF。
S606,Serving SDHF将En(SDS-PDU,AS-ID)转发给Gateway SDHF。
S607,Gateway SDHF将En(SDS-PDU,AS-ID)转发给SCS/AS。
S608,SCS/AS接收到En(SDS-PDU,AS-ID)后,使用SCS或AS的私钥解密En(SDS-PDU,AS-ID)。
S609,SCS/AS发送确认消息(Ack)给Gateway SDHF。
S610,Gateway SDH收到SCS/AS发送的Ack后,转发给Serving SDHF。
S611,Serving SDHF收到Gateway SDH发送的Ack后,转发给基站。
S612,基站收到Serving SDHF发送的Ack后,转发给IoT设备。
上述步骤中,S609、S610、S611和S612为可选步骤,此外,方法600中,基站和IoT设备均预置了基于IBS的公私钥。
因此,根据本申请的传输数据的方法600,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击或其它攻击对核心网的影响。
图10为本申请提供的再一种传输数据的方法的示意性流程图,如图10所示,该方法700包括:
S701,基站周期性发送广播消息,该广播消息携带基站的标识信息(BS_ID)、基站的证书(BS_Certi)、时间戳(TS)、第二指示信息(P_Ind)、多个难度不同的难题(Puzzles)以及基站的签名(Sig_BS)。
基站在发送广播消息前生成多个难度不同的难题,如Puzzle 1,Puzzle 2,…,Puzzle N,其生成方式为Puzzle 1=(Rand1’,k1,H(TS,Rand1,..)),Puzzle 2=(Rand2’,k2,H(TS,Rand2,..)),其中TS为时间戳,RAND1为随机数1,RAND1’处理过后的RAND1,其处理方式为把RAND1中的k1位盖住,具体可通过设为0或者1来实现。H()为哈希函数。Puzzle 2同理。不同的Puzzle的难度不同,不同难度的Puzzle对应不同的允许上传的数据的大小。上述实施例仅是举例说明,还可以通过现有技术的其它方法生成多个难度不同的难题,在此不再赘述。
基站可以每隔t秒发送上述广播消息,其中,P_Ind用于指示需不需要计算难题。例如,如果基站遭受DoS攻击,可将P_Ind设为1,表示需要计算难题;如果基站未遭受DoS攻击,可将P_Ind设为0,表示不需要计算难题。Sig_BS为基站对该消息的签名。
S702,IoT设备接收到基站发送的上述广播消息后,如果该IoT设备有需要上传的数据,则首先通过基站的公钥(BS’s Public Key)验证Sig_BS,以确定该广播消息的完整性以及确定该广播消息是否为该基站发出的。如果验证通过,然后根据P_Ind确定是否需要计算难题。如果需要计算难题,则可以根据预设的对应关系以及待发送的数据的大小从多个难度不同的难题中确定难度合适的难题。例如,IoT设备确定需要计算Puzzle 1,计算方式可以是基于接收到的Rand1’尝试被盖住k1位的数字,每次尝试需要计算一次H(TS,RAND’,..),直到找到H(TS,RAND’,..)=H(TS,RAND1,..),然后将找到的这个随机数作为答案(Puzzle Solution,PS)。
S703,IoT设备向基站发送第一消息,该第一消息包括IoT设备的标识信息(Device_ID)、时间戳(TS)、IoT设备的证书(Device_Certi)、IoT设备所选择的难题的指示信息(PZ#)、IoT设备所选择的难题的答案(PS)、基于AS或SCS的公钥加密的小数据En(SDS-PDU,SCS/AS’s Public Key)以及基于IoT设备的私钥生成的Sig,其中,第一消息中的TS为该IoT设备接收到的上述广播消息中携带的TS,SDS-PDU表示未加密的数据。
S704,基站接收到第一消息后,首先验证接收到该第一消息的时刻(即,第二时刻)与TS所指示的时刻(即,第一时刻)的差值是否小于或等于预设的时间阈值,如果第二时刻与第一时刻的差值小于或等于该时间阈值,则确定该第一消息为合法消息,并对该第一消息进行后续处理;如果第二时刻与第一时刻的差值大于该时间阈值,则确定该第一消息为非法消息,可以删除该第一消息承载的数据,从而可以避免基站受到被劫持的IoT设备的重放攻击。
基站成功验证TS(即,确定该第一消息为合法消息)之后,进一步验证PS是否正确以及PZ#指示的难题的难度与En(SDS-PDU,SCS/AS’s Public Key)的大小是否匹配,如果PS不正确,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PZ#指示的难题的难度与En(SDS-PDU,SCS/AS’s Public Key)的大小不匹配,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PS正确,且PZ#指示的难题的难度与En(SDS-PDU,SCS/AS’s Public Key)的大小匹配,则利用IoT设备的公钥验证Sig,验证通过后向Serving SDHF转发加密的数据En(SDS-PDU,SCS/AS’s Public Key)。基站可以先验证PS再验证PZ#,也可以先验证PZ#再验证PS。
S705,基站将加密的小数据En(SDS-PDU,SCS/AS’s Public Key)发送给Serving SDHF。
S706,Serving SDHF将En(SDS-PDU,SCS/AS’s Public Key转发给Gateway SDHF。
S707,Gateway SDHF将En(SDS-PDU,SCS/AS’s Public Key)转发给SCS/AS。
S708,SCS/AS接收到En(SDS-PDU,SCS/AS’s Public Key)后,使用SCS或AS的私钥解密En(SDS-PDU,SCS/AS’s Public Key)。
S709,SCS/AS发送确认消息(Ack)给Gateway SDHF。
S710,Gateway SDH收到SCS/AS发送的Ack后,转发给Serving SDHF。
S711,Serving SDHF收到Gateway SDH发送的Ack后,转发给基站。
S712,基站收到Serving SDHF发送的Ack后,转发给IoT设备。
上述步骤中,S709、S710、S711和S712为可选步骤,此外,方法700中,基站和IoT设备均预置了基于证书的公私钥。
因此,根据本申请的传输数据的方法700,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击或其它攻击对核心网的影响。
图11为本申请提供的再一种传输数据的方法的示意性流程图,如图11所示,该方法800包括:
S801,基站周期性发送广播消息,该广播消息携带基站的标识信息(BS_ID)、时间戳(TS)、第二指示信息(P_Ind)、多个难度不同的难题(Puzzles)以及基站的签名(Sig_BS)。
基站在发送广播消息前生成多个难度不同的难题,如Puzzle 1,Puzzle 2,…,Puzzle N,其生成方式为Puzzle 1=(Rand1’,k1,H(TS,Rand1,..)),Puzzle 2=(Rand2’,k2,H(TS,Rand2,..)),其中TS为时间戳,RAND1为随机数1,RAND1’处理过后的RAND1,其处理方式为把RAND1中的k1位盖住,具体可通过设为0或者1来实现。H()为哈希函数。Puzzle 2同理。不同的Puzzle的难度不同,不同难度的Puzzle对应不同的允许上传的数据的大小。上述实施例仅是举例说明,还可以通过现有技术的其它方法生成多个难度不同的难题,在此不再赘述。
基站可以每隔t秒发送上述广播消息,其中,P_Ind用于指示需不需要计算难题。例如,如果基站遭受DoS攻击,可将P_Ind设为1,表示需要计算难题;如果基站未遭受DoS攻击,可将P_Ind设为0,表示不需要计算难题。Sig_BS为基站对该消息的签名。
S802,IoT设备接收到基站发送的上述广播消息后,如果该IoT设备有需要上传的数据,则首先通过BS_ID验证Sig_BS,以确定该广播消息的完整性以及确定该广播消息是否为该基站发出的。如果验证通过,然后根据P_Ind确定是否需要计算难题。如果需要计算难题,则可以根据预设的对应关系以及待发送的数据的大小从多个难度不同的难题中确定难度合适的难题。例如,IoT设备确定需要计算Puzzle 1,计算方式可以是基于接收到的Rand1’尝试被盖住k1位的数字,每次尝试需要计算一次H(TS,RAND’,..),直到找到H(TS,RAND’,..)=H(TS,RAND1,..),然后将找到的这个随机数作为答案(Puzzle Solution,PS)。
S803,IoT设备向基站发送第一消息,该第一消息包括IoT设备的标识信息(Device_ID)、时间戳(TS)、IoT设备所选择的难题的指示信息(PZ#)、IoT设备所选择的难题的答案(PS)、基于AS的公钥(即AS的ID)加密的小数据En(SDS-PDU,AS-ID)以及基于IoT设备的私钥生成的Sig,其中,第一消息中的TS为该IoT设备接收到的上述广播消息中携带的TS,SDS-PDU表示未加密的数据。上述实施例仅是举例说明,也可使用SCS的公钥(即SCS的ID)对小数据SDS-PDU进行加密。
S804,基站接收到第一消息后,首先验证接收到该第一消息的时刻(即,第二时刻)与TS所指示的时刻(即,第一时刻)的差值是否小于或等于预设的时间阈值,如果第二 时刻与第一时刻的差值小于或等于该时间阈值,则确定该第一消息为合法消息,并对该第一消息进行后续处理;如果第二时刻与第一时刻的差值大于该时间阈值,则确定该第一消息为非法消息,可以删除该第一消息承载的数据,从而可以避免基站受到被劫持的IoT设备的重放攻击。
基站成功验证TS(即,确定该第一消息为合法消息)之后,进一步验证PS是否正确以及PZ#指示的难题的难度与En(SDS-PDU,AS-ID)的大小是否匹配,如果PS不正确,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PZ#指示的难题的难度与En(SDS-PDU,AS-ID)的大小不匹配,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PS正确,且PZ#指示的难题的难度与En(SDS-PDU,AS-ID)的大小匹配,则向Serving SDHF转发加密的数据。基站可以先验证PS再验证PZ#,也可以先验证PZ#再验证PS。
S805,基站将加密的小数据En(SDS-PDU,AS-ID)、Device_ID以及Sig发送给Serving SDHF。
S806,Serving SDHF利用Device_ID验证Sig。
S807,验证通过后,Serving SDHF将En(SDS-PDU,AS-ID)转发给Gateway SDHF。
S808,Gateway SDHF将En(SDS-PDU,AS-ID)转发给SCS/AS。
S809,SCS/AS接收到En(SDS-PDU,AS-ID)后,使用AS的私钥解密En(SDS-PDU,AS-ID)。
S810,SCS/AS发送确认消息(Ack)给Gateway SDHF。
S811,Gateway SDH收到SCS/AS发送的Ack后,转发给Serving SDHF。
S812,Serving SDHF收到Gateway SDH发送的Ack后,转发给基站。
S813,基站收到Serving SDHF发送的Ack后,转发给IoT设备。
上述步骤中,S810、S811、S812和S813为可选步骤,此外,方法800中,基站和IoT设备均预置了基于IBS的公私钥。
因此,根据本申请的传输数据的方法800,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击或其它攻击对核心网的影响。
图12为本申请提供的再一种传输数据的方法的示意性流程图,如图12所示,该方法900包括:
S901,基站周期性发送广播消息,该广播消息携带基站的标识信息(BS_ID)、时间戳(TS)、第二指示信息(P_Ind)、多个难度不同的难题(Puzzles)以及基站的签名(Sig_BS)。
基站在发送广播消息前生成多个难度不同的难题,如Puzzle 1,Puzzle 2,…,Puzzle N,其生成方式为Puzzle 1=(Rand1’,k1,H(TS,Rand1,..)),Puzzle 2=(Rand2’,k2,H(TS,Rand2,..)),其中TS为时间戳,RAND1为随机数1,RAND1’处理过后的RAND1,其处理方式为把RAND1中的k1位盖住,具体可通过设为0或者1来实现。H()为哈希函数。Puzzle 2同理。不同的Puzzle的难度不同,不同难度的Puzzle对应不同的允许上传的数 据的大小。上述实施例仅是举例说明,还可以通过现有技术的其它方法生成多个难度不同的难题,在此不再赘述。
基站可以每隔t秒发送上述广播消息,其中,P_Ind用于指示需不需要计算难题。例如,如果基站遭受DoS攻击,可将P_Ind设为1,表示需要计算难题;如果基站未遭受DoS攻击,可将P_Ind设为0,表示不需要计算难题。Sig_BS为基站对该消息的签名。
S902,IoT设备接收到基站发送的上述广播消息后,如果该IoT设备有需要上传的数据,则首先通过BS_ID验证Sig_BS,以确定该广播消息的完整性以及确定该广播消息是否为该基站发出的。如果验证通过,然后根据P_Ind确定是否需要计算难题。如果需要计算难题,则可以根据预设的对应关系以及待发送的数据的大小从多个难度不同的难题中确定难度合适的难题。例如,IoT设备确定需要计算Puzzle 1,计算方式可以是基于接收到的Rand1’尝试被盖住k1位的数字,每次尝试需要计算一次H(TS,RAND’,..),直到找到H(TS,RAND’,..)=H(TS,RAND1,..),然后将找到的这个随机数作为答案(Puzzle Solution,PS)。
S903,IoT设备向基站发送第一消息,该第一消息包括IoT设备的标识信息(Device_ID)、时间戳(TS)、IoT设备的证书(Device_Certi)、IoT设备所选择的难题的指示信息(PZ#)、IoT设备所选择的难题的答案(PS)、基于AS或SCS的公钥加密的小数据En(SDS-PDU,SCS/AS’s Public Key)以及基于IoT设备的私钥生成的Sig,其中,第一消息中的TS为该IoT设备接收到的上述广播消息中携带的TS,SDS-PDU表示未加密的数据。
S904,基站接收到第一消息后,首先验证接收到该第一消息的时刻(即,第二时刻)与TS所指示的时刻(即,第一时刻)的差值是否小于或等于预设的时间阈值,如果第二时刻与第一时刻的差值小于或等于该时间阈值,则确定该第一消息为合法消息,并对该第一消息进行后续处理;如果第二时刻与第一时刻的差值大于该时间阈值,则确定该第一消息为非法消息,可以删除该第一消息承载的数据,从而可以避免基站受到被劫持的IoT设备的重放攻击。
基站成功验证TS(即,确定该第一消息为合法消息)之后,进一步验证PS是否正确以及PZ#指示的难题的难度与En(SDS-PDU,SCS/AS’s Public Key)的大小是否匹配,如果PS不正确,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PZ#指示的难题的难度与En(SDS-PDU,SCS/AS’s Public Key)的大小不匹配,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PS正确,且PZ#指示的难题的难度与En(SDS-PDU,SCS/AS’s Public Key)的大小匹配,则向Serving SDHF转发加密的数据。基站可以先验证PS再验证PZ#,也可以先验证PZ#再验证PS。
S905,基站将En(SDS-PDU,SCS/AS’s Public Key)、Device_Certi以及Sig发送给Serving SDHF。
S906,Serving SDHF利用IoT设备的公钥验证Sig。
S907,验证通过后,Serving SDHF将En(SDS-PDU,SCS/AS’s Public Key)转发给Gateway SDHF。
S908,Gateway SDHF将En(SDS-PDU,SCS/AS’s Public Key)转发给SCS/AS。
S909,SCS/AS接收到En(SDS-PDU,SCS/AS’s Public Key)后,使用SCS/AS的私钥解密En(SDS-PDU,SCS/AS’s Public Key)。
S910,SCS/AS发送确认消息(Ack)给Gateway SDHF。
S911,Gateway SDH收到SCS/AS发送的Ack后,转发给Serving SDHF。
S912,Serving SDHF收到Gateway SDH发送的Ack后,转发给基站。
S913,基站收到Serving SDHF发送的Ack后,转发给IoT设备。
上述步骤中,S910、S911、S912和S913为可选步骤,此外,方法900中,基站和IoT设备均预置了基于证书的公私钥。
因此,根据本申请的传输数据的方法900,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击或其它攻击对核心网的影响。
图13为本申请提供的另一种传输数据的方法的示意性流程图,如图13所示,该方法1000包括:
S1001,基站周期性发送广播消息,该广播消息携带基站的标识信息(BS_ID)、时间戳(TS)、第二指示信息(P_Ind)、多个难度不同的难题(Puzzles)以及基站的签名(Sig_BS)。
基站在发送广播消息前生成多个难度不同的难题,如Puzzle 1,Puzzle 2,…,Puzzle N,其生成方式为Puzzle 1=(Rand1’,k1,H(TS,Rand1,..)),Puzzle 2=(Rand2’,k2,H(TS,Rand2,..)),其中TS为时间戳信息,RAND1为随机数1,RAND1’处理过后的RAND1,其处理方式为把RAND1中的k1位盖住,具体可通过设为0或者1来实现。H()为哈希函数。Puzzle 2同理。不同的Puzzle的难度不同,不同难度的Puzzle对应不同的允许上传的数据的大小。上述实施例仅是举例说明,还可以通过现有技术的其它方法生成多个难度不同的难题,在此不再赘述。
基站可以每隔t秒发送上述广播消息,其中,P_Ind用于指示需不需要计算难题。例如,如果基站遭受DoS攻击,可将P_Ind设为1,表示需要计算难题;如果基站未遭受DoS攻击,可将P_Ind设为0,表示不需要计算难题。Sig_BS为基站对该消息的签名。
S1002,IoT设备接收到基站发送的上述广播消息后,如果该IoT设备有需要上传的数据,则首先通过BS_ID验证Sig_BS,以确定该广播消息的完整性以及确定该广播消息是否为该基站发出的。如果验证通过,然后根据P_Ind确定是否需要计算难题。如果需要计算难题,则可以根据预设的对应关系以及待发送的数据的大小从多个难度不同的难题中确定难度合适的难题。例如,IoT设备确定需要计算Puzzle 1,计算方式可以是基于接收到的Rand1’尝试被盖住k1位的数字,每次尝试需要计算一次H(TS,RAND’,..),直到找到H(TS,RAND’,..)=H(TS,RAND1,..),然后将找到的这个随机数作为答案(Puzzle Solution,PS)。
S1003,IoT设备向基站发送第一消息,该第一消息包括IoT设备的标识信息(Device_ID)、时间戳(TS)、IoT设备所选择的难题的指示信息(PZ#)、IoT设备所选择的难题的答案(PS)、基于预置的对称密钥K加密的小数据En(SDS-PDU,K)以及基于K生成的MAC,其中,第一消息中的TS为该IoT设备接收到的上述广播消息中携带的TS,SDS-PDU表示未加密的数据。
S1004,基站接收到第一消息后,首先验证接收到该第一消息的时刻(即,第二时刻)与TS所指示的时刻(即,第一时刻)的差值是否小于或等于预设的时间阈值,如果第二时刻与第一时刻的差值小于或等于该时间阈值,则确定该第一消息为合法消息,并对该第一消息进行后续处理;如果第二时刻与第一时刻的差值大于该时间阈值,则确定该第一消息为非法消息,可以删除该第一消息承载的数据,从而可以避免基站受到被劫持的IoT设备的重放攻击。
基站成功验证TS(即,确定该第一消息为合法消息)之后,进一步验证PS是否正确以及PZ#指示的难题的难度与En(SDS-PDU,K)的大小是否匹配,如果PS不正确,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PZ#指示的难题的难度与En(SDS-PDU,K)的大小不匹配,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PS正确,且PZ#指示的难题的难度与En(SDS-PDU,K)的大小匹配,则向Serving SDHF发送小数据。基站可以先验证PS再验证PZ#,也可以先验证PZ#再验证PS。
S1005,基站将小数据消息(Device_ID,En(SDS-PDU,K),MAC)发送给Serving SDHF。
S1006,Serving SDHF接收到小数据消息后,根据Device_ID从信任状存储器(Credential Repository)获取信任状(credentials),该信任状即对称密钥K。
S1007,Serving SDHF获取K后,利用K验证MAC,验证通过后使用K解密En(SDS-PDU,K)。
S1008,Serving SDHF将SDS-PDU转发给Gateway SDHF。
S1009,Gateway SDHF将SDS-PDU转发给SCS/AS。
S1010,SCS/AS收到SDS-PDU后发送Ack给Gateway SDHF。
S1011,Gateway SDH收到SCS/AS发送的Ack后,转发给Serving SDHF。
S1012,Serving SDHF收到Gateway SDH发送的Ack后,转发给基站。
S1013,基站收到Serving SDHF发送的Ack后,转发给IoT设备。
上述步骤中,S1010、S1011、S1012和S1013为可选步骤。方法1000中,基站预置了基于IBS的公私钥,IoT设备和信任状存储器预置了对称密钥。
因此,根据本申请的传输数据的方法1000,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击或其它攻击对核心网的影响。
图14为本申请提供的另一种传输数据的方法的示意性流程图,如图14所示,该方法1100包括:
S1101,基站周期性发送广播消息,该广播消息携带基站的标识信息(BS_ID)、基站的证书(BS_Certi)、时间戳(TS)、第二指示信息(P_Ind)、多个难度不同的难题(Puzzles)以及基站的签名(Sig_BS)。
基站在发送广播消息前生成多个难度不同的难题,如Puzzle 1,Puzzle 2,…,Puzzle N,其生成方式为Puzzle 1=(Rand1’,k1,H(TS,Rand1,..)),Puzzle 2=(Rand2’,k2,H(TS, Rand2,..)),其中TS为时间戳信息,RAND1为随机数1,RAND1’处理过后的RAND1,其处理方式为把RAND1中的k1位盖住,具体可通过设为0或者1来实现。H()为哈希函数。Puzzle 2同理。不同的Puzzle的难度不同,不同难度的Puzzle对应不同的允许上传的数据的大小。上述实施例仅是举例说明,还可以通过现有技术的其它方法生成多个难度不同的难题,在此不再赘述。
基站可以每隔t秒发送上述广播消息,其中,P_Ind用于指示需不需要计算难题。例如,如果基站遭受DoS攻击,可将P_Ind设为1,表示需要计算难题;如果基站未遭受DoS攻击,可将P_Ind设为0,表示不需要计算难题。Sig_BS为基站对该消息的签名。
S1102,IoT设备接收到基站发送的上述广播消息后,如果该IoT设备有需要上传的数据,则首先通过BS’s Public Key验证Sig_BS,以确定该广播消息的完整性以及确定该广播消息是否为该基站发出的。如果验证通过,然后根据P_Ind确定是否需要计算难题。如果需要计算难题,则可以根据预设的对应关系以及待发送的数据的大小从多个难度不同的难题中确定难度合适的难题。例如,IoT设备确定需要计算Puzzle 1,计算方式可以是基于接收到的Rand1’尝试被盖住k1位的数字,每次尝试需要计算一次H(TS,RAND’,..),直到找到H(TS,RAND’,..)=H(TS,RAND1,..),然后将找到的这个随机数作为答案(Puzzle Solution,PS)。
S1103,IoT设备向基站发送第一消息,该第一消息包括IoT设备的标识信息(Device_ID)、时间戳(TS)、IoT设备所选择的难题的指示信息(PZ#)、IoT设备所选择的难题的答案(PS)、基于预置的对称密钥K加密的小数据En(SDS-PDU,K)以及基于K生成的MAC,其中,第一消息中的TS为该IoT设备接收到的上述广播消息中携带的TS,SDS-PDU表示未加密的数据。
S1104,基站接收到第一消息后,首先验证接收到该第一消息的时刻(即,第二时刻)与TS所指示的时刻(即,第一时刻)的差值是否小于或等于预设的时间阈值,如果第二时刻与第一时刻的差值小于或等于该时间阈值,则确定该第一消息为合法消息,并对该第一消息进行后续处理;如果第二时刻与第一时刻的差值大于该时间阈值,则确定该第一消息为非法消息,可以删除该第一消息承载的数据,从而可以避免基站受到被劫持的IoT设备的重放攻击。
基站成功验证TS(即,确定该第一消息为合法消息)之后,进一步验证PS是否正确以及PZ#指示的难题的难度与En(SDS-PDU,K)的大小是否匹配,如果PS不正确,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PZ#指示的难题的难度与En(SDS-PDU,K)的大小不匹配,说明该IoT设备可能被劫持,则删除该第一消息承载的数据;如果PS正确,且PZ#指示的难题的难度与En(SDS-PDU,K)的大小匹配,则向Serving SDHF发送小数据。基站可以先验证PS再验证PZ#,也可以先验证PZ#再验证PS。
S1105,基站将小数据消息(Device_ID,En(SDS-PDU,K),MAC)发送给Serving SDHF。
S1106,Serving SDHF接收到小数据消息后,根据Device_ID从信任状存储器(Credential Repository)获取信任状(credentials),该信任状即对称密钥K。
S1107,Serving SDHF获取K后,利用K验证MAC,验证通过后使用K解密En(SDS-PDU,K)。
S1108,Serving SDHF将SDS-PDU转发给Gateway SDHF。
S1109,Gateway SDHF将SDS-PDU转发给SCS/AS。
S1110,SCS/AS收到SDS-PDU后发送Ack给Gateway SDHF。
S1111,Gateway SDH收到SCS/AS发送的Ack后,转发给Serving SDHF。
S1112,Serving SDHF收到Gateway SDH发送的Ack后,转发给基站。
S1113,基站收到Serving SDHF发送的Ack后,转发给IoT设备。
上述步骤中,S1010、S1011、S1012和S1013为可选步骤。方法1100中,基站预置了基于证书的公私钥,IoT设备和信任状存储器预置了对称密钥。
因此,根据本申请的传输数据的方法1000,基站发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击或其它攻击对核心网的影响。
上述实施例主要从各个设备之间交互的角度对本申请的方案进行了介绍。可以理解的是,各个设备,例如基站、IoT设备为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,本申请能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。
本申请可以根据上述方法示例对基站、IoT设备等进行功能单元的划分,例如,可以对应各个功能划分各个功能单元,也可以将两个或两个以上的功能集成在一个处理单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。需要说明的是,本申请中对单元的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。
在采用集成的单元的情况下,图15示出了上述实施例中所涉及的基站的一种可能的结构示意图。基站1000包括:处理单元1002和通信单元1003。处理单元1002用于对基站1000的动作进行控制管理,例如,处理单元1002用于支持基站1000执行图4的S140,处理单元1002还可以用于支持基站1000执行图5的S204,和/或用于本文所描述的技术的其它过程。通信单元1003用于支持基站1000与其它网络实体的通信,例如与图4中示出的IoT设备之间的通信。基站1000还可以包括存储单元1001,用于存储基站1000的程序代码和数据。
其中,处理单元1002可以是处理器或控制器,例如可以是中央处理器(central processing unit,CPU),通用处理器,数字信号处理器(digital signal processor,DSP),专用集成电路(application-specific integrated circuit,ASIC),现场可编程门阵列(fieldprogrammable gate array,FPGA)或者其他可编程逻辑器件、晶体管逻辑器件、硬件部件或者其任意组合。其可以实现或执行结合本申请公开内容所描述的各种示例性的逻辑方框,模块和电路。所述处理器也可以是实现计算功能的组合,例如包含一个或多个微处理器组合,DSP和微处理器的组合等等。通信单元1003可以是收发器、收发电路等。
当处理单元1002为处理器,通信单元1003为收发器,存储单元1001为存储器时,本申请所涉及的基站可以为图16所示的基站。
参阅图16所示,该基站1010包括:处理器1012、收发器1013、存储器1011。可选的,基站1010还可以包括总线1014。其中,收发器1013、处理器1012以及存储器1011可以通过总线1014相互连接;总线1014可以是外设部件互连标准(peripheral component interconnect,PCI)总线或扩展工业标准结构(extended industry standard architecture,EISA)总线等。所述总线1014可以分为地址总线、数据总线、控制总线等。为便于表示,图16中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。
所属领域的技术人员可以清楚地了解到,为了描述的方便和简洁,上述描述的装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
因此,本申请提供的基站,发送包括多个难度不同的难题的广播消息,接收到该广播消息的IoT设备需要从中确定一个难度与待发送的数据的大小匹配的难题,从而可以提高数据传输的效率。基站接收到IoT设备发送的数据、难题的指示信息和难题的答案后,如果难题的难度与该数据的大小匹配,并且该答案正确,则向核心网发送该数据;如果难题的难度与该数据的大小不匹配或者该答案不正确,则禁止向核心网发送该数据,从而避免了DDoS攻击对核心网的影响。
在采用集成的单元的情况下,图17示出了上述实施例中所涉及的IoT设备的一种可能的结构示意图。IoT设备1100包括:处理单元1102和通信单元1103。处理单元1102用于对IoT设备1100的动作进行控制管理,例如,处理单元1102用于支持IoT设备1100执行图4的S120,处理单元1102还可以用于支持IoT设备1100执行图5的S202,和/或用于本文所描述的技术的其它过程。通信单元1103用于支持IoT设备1100与其它网络实体的通信,例如与图4中示出的基站之间的通信。IoT设备1100还可以包括存储单元1101,用于存储IoT设备1100的程序代码和数据。
其中,处理单元1102可以是处理器或控制器,例如可以是CPU,通用处理器,DSP,ASIC,FPGA或者其他可编程逻辑器件、晶体管逻辑器件、硬件部件或者其任意组合。其可以实现或执行结合本申请公开内容所描述的各种示例性的逻辑方框,模块和电路。所述处理器也可以是实现计算功能的组合,例如包含一个或多个微处理器组合,DSP和微处理器的组合等等。通信单元1103可以是收发器、收发电路等。
当处理单元1102为处理器,通信单元1103为收发器,存储单元1101为存储器时,本申请所涉及的IoT设备可以为图18所示的IoT设备。
参阅图18所示,该IoT设备1110包括:处理器1112、收发器1113、存储器1111。可选的,IoT设备1110还可以包括总线1114。其中,收发器1113、处理器1112以及存储器1111可以通过总线1114相互连接;总线1114可以是PCI总线或EISA总线等。所述总线1114可以分为地址总线、数据总线、控制总线等。为便于表示,图18中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。
所属领域的技术人员可以清楚地了解到,为了描述的方便和简洁,上述描述的装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
因此,本申请提供的IoT设备,接收到基站发送的包括多个难题的广播消息后,根据待发送数据的大小从该多个难题中确定对应难度的难题,计算出该难题的答案后将该答案与待发送的数据一起发送给基站,从而延长了数据发送的周期,进而减小了计算难 题对传输数据造成的影响,同时减小了因IoT设备被劫持向基站发起DDoS攻击对基站和核心网设备的影响。
应理解,上述收发器可以包括发射机和接收机。收发器还可以进一步包括天线,天线的数量可以为一个或多个。存储器可以是一个单独的器件,也可以集成在处理器中。上述的各个器件或部分器件可以集成到芯片中实现,如集成到基带芯片中实现。
装置和方法实施例中的网络设备或终端设备完全对应,由相应的模块执行相应的步骤,例如发送模块方法或发射器执行方法实施例中发送的步骤,接收模块或接收器执行方法实施例中接收的步骤,除发送接收外的其它步骤可以由处理模块或处理器执行。具体模块的功能可以参考相应的方法实施例,不再详述。
本申请还提供了一种通信芯片,其中存储有指令,当其在基站1500或基站1600上运行时,使得所述通信芯片执行上述各种实现方式中基站对应的方法。
本申请还提供了一种通信芯片,其中存储有指令,当其在IoT设备1700或IoT设备1800上运行时,使得所述通信芯片执行上述各种实现方式中IoT设备对应的方法。
在本申请各个实施例中,各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本申请的实施过程构成任何限定。
另外,本文中术语“和/或”,仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,本文中字符“/”,一般表示前后关联对象是一种“或”的关系。
结合本申请公开内容所描述的方法或者算法的步骤可以硬件的方式来实现,也可以是由处理器执行软件指令的方式来实现。软件指令可以由相应的软件模块组成,软件模块可以被存放于随机存取存储器(random access memory,RAM)、闪存、只读存储器(read only memory,ROM)、可擦除可编程只读存储器(erasable programmable ROM,EPROM)、电可擦可编程只读存储器(electrically EPROM,EEPROM)、寄存器、硬盘、移动硬盘、只读光盘(CD-ROM)或者本领域熟知的任何其它形式的存储介质中。一种示例性的存储介质耦合至处理器,从而使处理器能够从该存储介质读取信息,且可向该存储介质写入信息。当然,存储介质也可以是处理器的组成部分。处理器和存储介质可以位于基站中。另外,该ASIC可以位于IoT设备中。当然,处理器和存储介质也可以作为分立组件存在于基站和IoT设备中。
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部分地产生按照本申请所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者通过所述计算机可读存储介质进行传输。所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(digital subscriber line,DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,数字通用光盘(digital versatile disc,DVD)、或者半导体介质(例如固态硬盘(solid state disk, SSD))等。
以上所述的具体实施方式,对本申请的目的、技术方案和有益效果进行了进一步详细说明,所应理解的是,以上所述仅为本申请的具体实施方式而已,并不用于限定本申请的保护范围,凡在本申请的技术方案的基础之上,所做的任何修改、等同替换、改进等,均应包括在本申请的保护范围之内。

Claims (22)

  1. 一种传输数据的方法,其特征在于,包括:
    基站发送包括多个难题puzzle的广播消息,其中,所述多个难题的难度不同;
    所述基站从物联网IoT设备接收第一数据、第一难题的指示信息和所述第一难题的答案,其中,所述第一难题是所述IoT设备根据所述第一数据的大小从所述多个难题中确定的;
    所述基站在所述第一难题的难度与所述第一数据的大小匹配,且所述第一难题的答案正确时,向核心网设备发送所述第一数据或者对所述第一数据解密后的数据;或者
    所述基站在所述第一难题的难度与所述第一数据的大小不匹配时,禁止向核心网设备发送所述第一数据或者对所述第一数据解密后的数据;或者
    所述基站在所述第一难题的答案不正确时,禁止向核心网设备发送所述第一数据或者对所述第一数据解密后的数据。
  2. 根据权利要求1所述的方法,其特征在于,所述方法还包括:
    所述基站发送包括签名信息的所述广播消息,所述签名信息用于所述IoT设备验证所述广播消息的完整性以及所述广播消息的发送端是否为所述基站。
  3. 根据权利要求1或2所述的方法,其特征在于,所述方法还包括:
    所述基站在第一时刻与第二时刻的差值小于预设的时间阈值时,处理所述第一数据、所述第一难题的指示信息和所述第一难题的答案,其中,所述第一时刻是所述基站发送所述广播消息的时刻,所述第二时刻是所述基站接收到承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息的时刻。
  4. 根据权利要求1至3中任一项所述的方法,其特征在于,所述方法还包括:
    所述基站从所述IoT设备接收完整性验证信息,所述完整性验证信息用于验证第一消息的完整性以及所述第一消息的发送端是否为所述IoT设备,所述第一消息为承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息;
    所述基站在所述第一消息的完整性验证通过,且确定所述第一消息的发送端是所述IoT设备,且所述第一难题的难度与所述第一数据的大小匹配,且所述第一难题的答案正确时,向所述核心网设备发送所述第一数据或者对所述第一数据解密后的数据;或者
    所述基站在所述第一难题的难度与所述第一数据的大小匹配,且所述第一难题的答案正确时,向所述核心网设备发送所述完整性验证消息。
  5. 根据权利要求1至4中任一项所述的方法,其特征在于,所述方法还包括:
    所述基站发送包括第一指示信息的所述广播消息,所述第一指示信息用于指示接收到所述广播消息的IoT设备从所述多个难题中确定难度与待发送的数据的大小匹配的难题。
  6. 根据权利要求1至5中任一项所述的方法,其特征在于,所述方法还包括:
    所述基站发送包括第二指示信息的所述广播消息,所述第二指示信息用于指示接收到所述广播消息的IoT设备在发送数据时同时发送所述多个难题中的一个难题的答案。
  7. 一种传输数据的方法,其特征在于,包括:
    物联网IoT设备从基站接收包括多个难题puzzle的广播消息;
    所述IoT设备根据第一数据的大小从所述多个难题中确定第一难题并计算出所述第一难题的答案,所述第一难题的难度与所述第一数据的大小匹配;
    所述IoT设备向所述基站发送所述第一数据、所述第一难题的指示信息和所述第一难题的答案。
  8. 根据权利要求7所述的方法,其特征在于,所述方法还包括:
    所述IoT设备从基站接收包括签名信息的所述广播消息,所述签名信息用于验证所述广播消息的完整性以及所述广播消息的发送端是否为所述基站;
    所述IoT设备在所述广播消息的完整性验证通过,且确定所述广播消息的发送端是所述基站时,根据所述第一数据的大小从所述多个难题中确定所述第一难题。
  9. 根据权利要求7或8所述的方法,其特征在于,所述方法还包括:
    所述IoT设备向所述基站发送完整性验证信息,所述完整性验证信息用于验证第一消息的完整性以及所述第一消息的发送端是否为所述IoT设备,所述第一消息是承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息。
  10. 根据权利要求7至9中任一项所述的方法,其特征在于,所述方法还包括:
    所述IoT设备从所述基站接收包括第一指示信息的所述广播消息;
    所述IoT设备根据所述第一指示信息从所述多个难题中确定难度与所述第一数据的大小匹配的难题。
  11. 根据权利要求7至10中任一项所述的方法,其特征在于,所述方法还包括:
    所述IoT设备从所述基站接收包括第二指示信息的所述广播消息;
    所述IoT设备根据所述第二指示信息确定在发送数据时同时发送所述多个难题中的一个难题的答案。
  12. 一种传输数据的装置,其特征在于,所述装置包括处理单元和通信单元,
    所述处理单元用于通过所述通信单元发送包括多个难题puzzle的广播消息,其中,所述多个难题的难度不同;以及用于通过所述通信单元从物联网IoT设备接收第一数据、第一难题的指示信息和所述第一难题的答案,其中,所述第一难题是所述IoT设备根据所述第一数据的大小从所述多个难题中确定的;以及用于在所述第一难题的难度与所述第一数据的大小匹配,且所述第一难题的答案正确时,向核心网设备发送所述第一数据或者对所述第一数据解密后的数据;或者在所述第一难题的难度与所述第一数据的大小不匹配时,禁止向核心网设备发送所述第一数据或者对所述第一数据解密后的数据;或者在所述第一难题的答案不正确时,禁止向核心网设备所述第一数据或者对所述第一数据解密后的数据。
  13. 根据权利要求12所述的装置,其特征在于,所述处理单元还用于:
    通过所述通信单元发送包括签名信息的所述广播消息,所述签名信息用于所述IoT设备验证所述广播消息的完整性以及所述广播消息的发送端是否为所述基站。
  14. 根据权利要求12或13所述的装置,其特征在于,所述处理单元还用于:
    在第一时刻与第二时刻的差值小于预设的时间阈值时,处理所述第一数据、所述第一难题的指示信息和所述第一难题的答案,其中,所述第一时刻是所述基站发送所述广播消息的时刻,所述第二时刻是所述基站接收到承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息的时刻。
  15. 根据权利要求12至14中任一项所述的装置,其特征在于,所述处理单元还用于:
    通过所述通信单元从所述IoT设备接收完整性验证信息,所述完整性验证信息用于 验证第一消息的完整性以及所述第一消息的发送端是否为所述IoT设备,所述第一消息为承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息;以及用于在所述第一消息的完整性验证通过,且确定所述第一消息的发送端是所述IoT设备,且所述第一难题的难度与所述第一数据的大小匹配,且所述第一难题的答案正确时,向所述核心网设备发送所述第一数据或者对所述第一数据解密后的数据;或者在所述第一难题的难度与所述第一数据的大小匹配,且所述第一难题的答案正确时,向所述核心网设备发送所述完整性验证消息。
  16. 根据权利要求12至15中任一项所述的装置,其特征在于,所述处理单元还用于:
    通过所述通信单元发送包括第一指示信息的所述广播消息,所述第一指示信息用于指示接收到所述广播消息的IoT设备从所述多个难题中确定难度与待发送的数据的大小匹配的难题。
  17. 根据权利要求12至16中任一项所述的装置,其特征在于,所述处理单元还用于:
    通过所述通信单元发送包括第二指示信息的所述广播消息,所述第二指示信息用于指示接收到所述广播消息的IoT设备在发送数据时同时发送所述多个难题中的一个难题的答案。
  18. 一种传输数据的装置,其特征在于,所述装置包括处理单元和通信单元,
    所述处理单元用于通过所述通信单元从基站接收包括多个难题puzzle的广播消息;以及用于根据第一数据的大小从所述多个难题中确定第一难题并计算出所述第一难题的答案,所述第一难题的难度与所述第一数据的大小匹配;以及用于通过所述通信单元向所述基站发送所述第一数据、所述第一难题的指示信息和所述第一难题的答案。
  19. 根据权利要求18所述的装置,其特征在于,所述处理单元还用于:
    通过所述通信单元从基站接收包括签名信息的所述广播消息,所述签名信息用于验证所述广播消息的完整性以及所述广播消息的发送端是否为所述基站;以及用于在所述广播消息的完整性验证通过,且确定所述广播消息的发送端是所述基站时,根据所述第一数据的大小从所述多个难题中确定所述第一难题。
  20. 根据权利要求18或19所述的装置,其特征在于,所述处理单元还用于:
    通过所述通信单元向所述基站发送完整性验证信息,所述完整性验证信息用于验证第一消息的完整性以及所述第一消息的发送端是否为所述IoT设备,所述第一消息是承载所述第一数据、所述第一难题的指示信息和所述第一难题的答案的消息。
  21. 根据权利要求18至20中任一项所述的装置,其特征在于,所述处理单元还用于:
    通过所述通信单元从所述基站接收包括第一指示信息的所述广播消息;
    以及用于根据所述第一指示信息从所述多个难题中确定难度与所述第一数据的大小匹配的难题。
  22. 根据权利要求18至21中任一项所述的装置,其特征在于,所述处理单元还用于:
    通过所述通信单元从所述基站接收包括第二指示信息的所述广播消息;
    以及用于根据所述第二指示信息确定在发送数据时同时发送所述多个难题中的一 个难题的答案。
PCT/CN2017/092883 2016-10-31 2017-07-14 一种传输数据的方法和装置 WO2018076798A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610933023.7 2016-10-31
CN201610933023.7A CN108011856B (zh) 2016-10-31 2016-10-31 一种传输数据的方法和装置

Publications (1)

Publication Number Publication Date
WO2018076798A1 true WO2018076798A1 (zh) 2018-05-03

Family

ID=62023178

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/092883 WO2018076798A1 (zh) 2016-10-31 2017-07-14 一种传输数据的方法和装置

Country Status (2)

Country Link
CN (1) CN108011856B (zh)
WO (1) WO2018076798A1 (zh)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112887971A (zh) * 2019-11-30 2021-06-01 华为技术有限公司 数据传输方法和装置
US11882449B1 (en) 2019-11-21 2024-01-23 Cable Television Laboratories, Inc. Systems and methods for protecting cellular network messages

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109003083A (zh) * 2018-07-27 2018-12-14 山东渔翁信息技术股份有限公司 一种基于区块链的ca认证方法、装置及电子设备
CN111552270B (zh) * 2020-04-29 2021-07-16 北京汽车股份有限公司 用于车载诊断的安全认证和数据传输方法及装置

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143494A (zh) * 2011-03-25 2011-08-03 华为终端有限公司 数据上报方法、数据上报装置和m2m设备
CN103297961A (zh) * 2012-03-05 2013-09-11 上海贝尔股份有限公司 一种用于设备间安全通信的设备与系统
WO2016155112A1 (zh) * 2015-04-03 2016-10-06 宇龙计算机通信科技(深圳)有限公司 一种物联网设备的认证方法及终端

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8321955B2 (en) * 2003-08-26 2012-11-27 Wu-Chang Feng Systems and methods for protecting against denial of service attacks
CN1985460B (zh) * 2004-01-09 2012-12-12 科尔街有限公司 用于ocsp和分布式ocsp的通信有效实时凭证
KR100828372B1 (ko) * 2005-12-29 2008-05-08 삼성전자주식회사 서비스 거부 공격으로부터 서버를 보호하는 방법 및 장치
CN101778387B (zh) * 2010-01-08 2012-06-27 西安电子科技大学 抵抗无线局域网接入认证拒绝服务攻击的方法

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143494A (zh) * 2011-03-25 2011-08-03 华为终端有限公司 数据上报方法、数据上报装置和m2m设备
CN103297961A (zh) * 2012-03-05 2013-09-11 上海贝尔股份有限公司 一种用于设备间安全通信的设备与系统
WO2016155112A1 (zh) * 2015-04-03 2016-10-06 宇龙计算机通信科技(深圳)有限公司 一种物联网设备的认证方法及终端

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11882449B1 (en) 2019-11-21 2024-01-23 Cable Television Laboratories, Inc. Systems and methods for protecting cellular network messages
CN112887971A (zh) * 2019-11-30 2021-06-01 华为技术有限公司 数据传输方法和装置
CN112887971B (zh) * 2019-11-30 2023-03-21 华为技术有限公司 数据传输方法和装置

Also Published As

Publication number Publication date
CN108011856B (zh) 2020-05-08
CN108011856A (zh) 2018-05-08

Similar Documents

Publication Publication Date Title
WO2018045817A1 (zh) 移动网络的认证方法、终端设备、服务器和网络认证实体
JP5307191B2 (ja) 無線通信機器とサーバとの間でのデータの安全なトランザクションのためのシステムおよび方法
CN109559122A (zh) 区块链数据传输方法及区块链数据传输系统
US11044084B2 (en) Method for unified network and service authentication based on ID-based cryptography
CN102355663B (zh) 基于分离机制网络的可信域间快速认证方法
KR20170035665A (ko) 키 교환 장치 및 방법
CN109309566B (zh) 一种认证方法、装置、系统、设备及存储介质
WO2018076798A1 (zh) 一种传输数据的方法和装置
CN110753321A (zh) 一种车载tbox与云服务器的安全通信方法
CN112291179B (zh) 一种实现设备认证的方法、系统及装置
Liu et al. LVAP: Lightweight V2I authentication protocol using group communication in VANET s
Noh et al. Secure authentication and four-way handshake scheme for protected individual communication in public wi-fi networks
CN112602290A (zh) 一种身份验证方法及装置
WO2022135392A1 (zh) 身份鉴别方法、装置、设备、芯片、存储介质及程序
CN104243452A (zh) 一种云计算访问控制方法及系统
WO2022135391A1 (zh) 身份鉴别方法、装置、存储介质、程序、及程序产品
CN115022850A (zh) 一种d2d通信的认证方法、装置、系统、电子设备及介质
WO2022135394A1 (zh) 身份鉴别方法、装置、存储介质、程序、及程序产品
WO2022135379A1 (zh) 一种身份鉴别方法和装置
EP4270866A1 (en) Identity authentication method and apparatus, device, chip, storage medium, and program
TWI761243B (zh) 群組即時通訊的加密系統和加密方法
WO2022135377A1 (zh) 身份鉴别方法、装置、设备、芯片、存储介质及程序
WO2022135385A1 (zh) 一种身份鉴别方法和装置
WO2022135418A1 (zh) 一种身份鉴别方法和装置
WO2022135386A1 (zh) 一种身份鉴别方法和装置

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17864393

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17864393

Country of ref document: EP

Kind code of ref document: A1