WO2020244295A1 - Distributed ledger technology-based sensor network security management method and security system - Google Patents


Publication number
WO2020244295A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
sink node
node
sensor
identity
Application number
PCT/CN2020/082417
Inventor
沈国锋
周明拓
Original Assignee
中国科学院上海微系统与信息技术研究所
Application filed by 中国科学院上海微系统与信息技术研究所

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

A distributed ledger technology-based sensor network security management method and security system. The method comprises: selecting a top layer server and a regional server as alliance chain nodes to build an alliance chain and store a distributed ledger; generating an asymmetric key pair for each sensor node and sink node in the lower layer of the regional server, fixing the private key in the node's memory, and writing the public key into the alliance chain; uploading data collected by the sensor node to the regional server by way of the sink node and, after verification passes, storing the data set in an off-chain database of the regional server, encrypting it, calculating a hash value of the data set and writing it into the alliance chain as a storage certificate; and decrypting the data set and calculating its hash value, then comparing it with the storage certificate to verify its correctness, and returning a uniform resource locator. The security management method provides a centralized and effective device management mechanism and data security verification for large-scale sensor networks, and solves the problem of data sharing access control.

Description

Security management method and security system of sensor network based on distributed ledger technology
Technical field
The invention belongs to the technical field of the Internet of Things, and specifically relates to a security management method and a security system for a sensor network based on distributed ledger technology.
Background
Wireless sensor network technology plays an important role in environmental monitoring and governance. A wireless sensor network (WSN) uses a group of widely distributed dedicated sensors to monitor and record physical information about the environment, and processes the collected data at a central location [Sun Hanlin, Zhang Peng, Yan Zheng, et al. A wireless sensor network architecture based on cloud computing [J]. Computer Application Research, 2013, 30(12): 3720-3723]. A wireless sensor network is built from nodes as its basic unit, divided into sensor nodes and sink nodes. A sensor node carries one or more sensors, contains a radio transceiver and a microcontroller, and is powered by a battery or an integrated energy harvester (such as a photovoltaic panel). A sink node collects data from the sensor nodes in its area and sends it to a back-end server over a wide area network.
Large-scale sensor network deployments face device management and data security problems. The network first needs to verify legitimate data input devices and resist malicious devices. During data collection, transmission and storage, the conflict of interest between the supervising and supervised parties in an environmental monitoring network may lead to sensing equipment being damaged and data being tampered with, so a data security mechanism is needed to keep the data trustworthy. Privacy protection for monitoring data is also a challenge. In addition, the wide distribution of the sensor network increases the difficulty of management and maintenance to some extent. For example, the patent document with application number CN201710265307.8 discloses an alliance chain permission control method based on digital certificates and a CA certification system. Taking water environment monitoring as an example, most local water quality monitoring sites are planned and designed by commissioned third-party companies and lack a unified standard; in particular, monitoring points at enterprise sewage outlets are installed by the enterprises themselves and then accepted by government departments. In terms of system structure, the collected monitoring data is uploaded over the public network to the machine room of the Water Affairs Bureau; data is isolated between regions and between superior and subordinate levels, and the raw data falls short in sharing and auditing. At the same time, locally built water monitoring systems carry a potential risk of data tampering and falsification, which greatly reduces the credibility of the data and makes it hard for the automatic monitoring network to play its full supervisory and governance role.
Nodes in a wireless sensor network (such as an environmental monitoring sensor network) are widely distributed geographically, and a large-scale monitoring network often involves multiple layers of supervisory relationships. The main difficulties are therefore how to manage devices at scale, how to keep data secure during collection, transmission and storage, and how to protect data privacy while supporting data sharing.
One existing approach uses a traditional centralized CA mechanism and cloud storage. For example, the patent document with application number CN201710132078.2 discloses a distributed storage system and method for massive heterogeneous sensor data in the Internet of Things, and the patent document with application number CN201810138502.9 discloses a mountain torrent disaster monitoring system based on cloud computing and wireless sensor networks. An environmental monitoring sensor network deployed on private cloud technology gives managers centralized control, but falls short on performance and cost. In this model, sensor data is encrypted after collection and transmitted directly to the cloud computing machine room for processing and storage, which effectively prevents data tampering and forgery. However, transmitting geographically dispersed data to the cloud computing center requires a reliable network connection, and cloud servers that support access by large numbers of sensor nodes require a large investment, so in existing large-scale environmental sensor networks the cloud computing model struggles to balance data security against efficiency and cost. In addition, implementing security mechanisms such as node authentication, node management and access control on a centralized server carries a single-point-of-failure risk, and the cloud server may also become an obvious attack target.
Another existing approach is a sensor network managed by region. For example, the patent document with application number CN201210569403.9 discloses a distributed wireless sensor network. Setting up distributed servers in each locality and deploying with regional autonomy balances network traffic, reduces construction costs and eliminates the single-point-of-failure risk, but management authority is delegated as a result, which introduces a risk of data tampering. This approach therefore also falls short in global control, data sharing and data reliability, so dense monitoring data cannot deliver its full benefit [Zhao Kuo, Xing Yongheng, "Summary of Internet of Things Security Research Driven by Blockchain Technology", Information Network Security, 2017(5): 1-6; and Wang Chuanzheng, "Research on Wireless Sensor Network Data Storage and Access Technology", Nanjing University of Posts and Telecommunications, 2012].
In summary, deploying a sensor network in the cloud computing model has cost drawbacks and a single-point-of-failure risk, while a regionally autonomous sensor network suffers from insufficient data security and manageability.
Distributed ledger technology is a way of recording data that does not need to be stored or confirmed by any centralized entity. The alliance chain (consortium blockchain) in distributed ledger technology is decentralized and autonomous, and its information cannot be tampered with. From the perspective of a single node, data is encrypted with an asymmetric key and stored in the alliance chain, with records linked end to end as a hash chain, so historical data is stored encrypted and cannot be tampered with. From the perspective of the whole, the alliance chain is a private network: each node takes part in recording data only after being permitted, and a consensus mechanism builds a consistent, trustworthy data record without requiring trust between nodes. Introducing distributed ledger technology into wireless sensor networks as a supporting technology, compared with schemes that use a traditional database and a certificate authority (CA), can effectively reduce the risk of data tampering, address data privacy and ensure data security, while the smart contracts in the alliance chain provide a flexible and effective means of data sharing and auditing. However, in practical use there is as yet no blockchain network deployment or smart contract (chaincode) custom-designed to achieve security enhancement. Existing sensor networks that use alliance chain technology therefore cannot achieve security enhancement or provide controllable data sharing.
Summary of the invention
The invention aims to provide a security management method and security system for a sensor network based on distributed ledger technology, so as to give large-scale sensor networks a centralized and effective device management mechanism, provide data security verification, and solve the problem of data sharing access control.
To achieve the above objective, the invention provides a security management method for a sensor network based on distributed ledger technology, including:
S1: Select one top-level server and multiple regional servers as alliance chain nodes to build an alliance chain, and store a distributed ledger on it;
S2: Generate a pair of asymmetric keys for each sensor node and each sink node below the regional servers, fix the private key in the memory of the sink node or sensor node, and write the public key and its address into the alliance chain;
S3: Sensor nodes collect data; the data collected by a sensor node is uploaded to the sink node and verified by it, yielding the sink node's data set, which is then uploaded to the regional server and verified by it; after verification passes, the sink node's data set is stored in an off-chain database of the regional server and encrypted, and the hash value of the sink node's data set is calculated and written into the alliance chain as a storage certificate;
S4: Decrypt a shared data set in the off-chain database and calculate its hash value, then compare this hash value with the storage certificate from step S3 to verify the correctness of the shared data set, and return the uniform resource locator of the shared data set to achieve data sharing.
Preferably, the security management method further includes step S31: during the data verification in step S3, if an anomaly is found, the anomaly information is written into the alliance chain.
In step S1, the alliance chain is divided into multiple independent side chains with different parameters according to the security services running on the alliance chain.
In step S1, the top-level server and the regional servers are selected as alliance chain nodes by being authorized, and the alliance chain nodes use a consensus algorithm to reach consensus on the distributed ledger.
The consensus algorithm is a lightweight algorithm.
In step S2, writing the public key and its address into the alliance chain includes:
S21: The user uses the identity management smart contract to enter into the sensor network the public key and address of each sink node permitted to join; the sink node comes online and registers its identity with the regional server;
S22: Each sink node reads the sensor nodes around it; the sensor nodes wake up and connect to the sink node.
In step S21, registering the identity includes: the sink node first sends an encrypted registration request to the regional server; the request is encrypted with the sink node's private key to form the message payload, the hash value of the payload is signed, and the sender's identity is verified; the regional server then verifies the authenticity of the registration request against the entered public key of the sink node, and completes the identity registration when verification passes;
In step S22, connecting to the sink node includes: the sensor node sends an encrypted identity verification request to the sink node, encrypted in the same way as the registration request; the sink node verifies the authenticity of the identity verification request, and lets the sensor node connect when verification passes.
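The registration check in step S21, which step S22 reuses between sensor node and sink node, can be written out in Go as follows. This is an added example, not code from the patent: it reads "encrypted with the private key" as a digital signature over the payload hash, and Ed25519, the truncated SHA-256 address, the type and function names and the sample keys are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrNotPermitted = errors.New("address was not entered on the alliance chain")
var ErrBadSignature = errors.New("signature does not verify under the on-chain public key")

// Address derives a node's identifier from its public key. The patent only
// says the address is computed from the public key; the truncated SHA-256
// used here is an assumption of this example.
func Address(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:20])
}

// IdentityContract stands in for the identity management smart contract.
type IdentityContract struct {
	Permitted  map[string]ed25519.PublicKey // address -> key entered by the regional manager
	Registered map[string]bool              // addresses that completed registration
}

// Permit is the manager's half of S21: enter a sink node's public key and address.
func (c *IdentityContract) Permit(pub ed25519.PublicKey) {
	c.Permitted[Address(pub)] = pub
}

// Request is the message a node sends when it comes online.
type Request struct {
	Address   string
	Payload   []byte // registration message
	Signature []byte // signature over SHA-256(Payload) with the node's fixed private key
}

// NewRequest is the node's half of S21: hash the payload and sign the hash.
func NewRequest(priv ed25519.PrivateKey, claimedAddr string, payload []byte) Request {
	digest := sha256.Sum256(payload)
	return Request{Address: claimedAddr, Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// Register is the regional server's half of S21: look up the public key that
// was entered for the claimed address and verify the signature against it.
func (c *IdentityContract) Register(r Request) error {
	pub, ok := c.Permitted[r.Address]
	if !ok {
		return ErrNotPermitted
	}
	digest := sha256.Sum256(r.Payload)
	if !ed25519.Verify(pub, digest[:], r.Signature) {
		return ErrBadSignature
	}
	c.Registered[r.Address] = true
	return nil
}

// keyFromLabel builds a deterministic key pair for the demo (constructed
// seeds; a real node's key would be generated once and fixed in its memory).
func keyFromLabel(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// DemoRegistration runs three constructed cases: a permitted sink node, an
// unknown device, and a device claiming the sink node's address.
func DemoRegistration() (sink, unknown, spoof error, registered bool) {
	c := &IdentityContract{Permitted: map[string]ed25519.PublicKey{}, Registered: map[string]bool{}}
	sinkKey, rogueKey := keyFromLabel("Sink_1"), keyFromLabel("rogue")
	sinkAddr := Address(sinkKey.Public().(ed25519.PublicKey))
	rogueAddr := Address(rogueKey.Public().(ed25519.PublicKey))
	c.Permit(sinkKey.Public().(ed25519.PublicKey))

	msg := []byte("register Sink_1 with Org_1")
	unknown = c.Register(NewRequest(rogueKey, rogueAddr, msg))
	spoof = c.Register(NewRequest(rogueKey, sinkAddr, msg))
	before := c.Registered[sinkAddr] // must still be false after the spoof attempt
	sink = c.Register(NewRequest(sinkKey, sinkAddr, msg))
	return sink, unknown, spoof, c.Registered[sinkAddr] && !before
}

func main() {
	fmt.Println(DemoRegistration())
}
```

Because the server trusts only the public key already entered on chain for the claimed address, a device that merely knows a valid address gains nothing without the matching private key.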
In step S3, the sink node's data verification checks the source and integrity of the data collected by the sensor nodes; once the check passes, the sink node signs the digest of the data payload with its own private key to produce the sink node's data set.
In step S3, data verification, hash calculation and writing to the blockchain all run in a trusted execution environment on the regional server.
Step S4 is implemented by a data sharing smart contract, through which the scope, time limit and visitor identity of the data sharing can be preset.
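Steps S3 and S4, together with the sharing rules of the data sharing smart contract, look like this in Go. The code is an added example rather than the patent's implementation: AES-256-GCM, SHA-256, the `Node` type, the `org1.example` URL and the sample readings are assumptions, and plain maps stand in for the alliance chain and the off-chain database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

var ErrDenied = errors.New("no valid sharing grant for this visitor")
var ErrTampered = errors.New("data set does not match its storage certificate")

// Grant is one sharing rule preset by the data owner (visitor and time limit).
type Grant struct {
	Visitor string
	Expires time.Time
}

// Node models one regional server: encrypted off-chain rows plus chain state.
type Node struct {
	AEAD   cipher.AEAD         // AES-256-GCM under the server's storage key
	Rows   map[string][]byte   // off chain: data set ID -> nonce || ciphertext
	Certs  map[string][32]byte // on chain: data set ID -> SHA-256 certificate
	Grants map[string][]Grant  // on chain: data set ID -> sharing rules
}

func NewNode(key []byte) (*Node, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Node{AEAD: gcm, Rows: map[string][]byte{}, Certs: map[string][32]byte{}, Grants: map[string][]Grant{}}, nil
}

// put encrypts a data set into the off-chain database only.
func (n *Node) put(id string, data []byte) error {
	nonce := make([]byte, n.AEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	n.Rows[id] = n.AEAD.Seal(nonce, nonce, data, nil)
	return nil
}

// Store is step S3 after verification: ciphertext off chain, hash on chain.
func (n *Node) Store(id string, data []byte) error {
	n.Certs[id] = sha256.Sum256(data)
	return n.put(id, data)
}

// Share is step S4: check the grant, decrypt, re-hash, compare, return the URL.
func (n *Node) Share(id, visitor string, now time.Time) (string, error) {
	allowed := false
	for _, g := range n.Grants[id] {
		allowed = allowed || (g.Visitor == visitor && now.Before(g.Expires))
	}
	if !allowed {
		return "", ErrDenied
	}
	row, size := n.Rows[id], n.AEAD.NonceSize()
	if len(row) < size {
		return "", errors.New("data set not found")
	}
	data, err := n.AEAD.Open(nil, row[:size], row[size:], nil)
	if err != nil {
		return "", err
	}
	if cert, ok := n.Certs[id]; !ok || sha256.Sum256(data) != cert {
		return "", ErrTampered
	}
	return "https://org1.example/datasets/" + id, nil
}

// DemoSharing runs constructed cases: valid grant, expired grant, insider rewrite.
func DemoSharing() (url string, expired, tampered error) {
	t0 := time.Date(2020, 3, 31, 12, 0, 0, 0, time.UTC)
	key := sha256.Sum256([]byte("constructed storage key")) // demo key only
	n, _ := NewNode(key[:])
	id := "sink07-20200331"
	n.Store(id, []byte(`{"sensor":"Sen_3","ph":7.2}`))
	n.Grants[id] = []Grant{{Visitor: "Org_2", Expires: t0.Add(time.Hour)}}
	url, _ = n.Share(id, "Org_2", t0)
	_, expired = n.Share(id, "Org_2", t0.Add(2*time.Hour))
	n.put(id, []byte(`{"sensor":"Sen_3","ph":6.9}`)) // insider edit, re-encrypted
	_, tampered = n.Share(id, "Org_2", t0)
	return url, expired, tampered
}

func main() {
	fmt.Println(DemoSharing())
}
```

The third case is the one encryption alone does not catch: whoever holds the storage key can rewrite a data set so that it still decrypts cleanly, and only the hash comparison against the on-chain certificate exposes the change.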
In another aspect, the invention also provides a security system for a sensor network based on distributed ledger technology. The sensor network comprises sensor nodes, sink nodes, regional servers and a top-level server in a bottom-up layered architecture, and the security system comprises an alliance chain and, deployed on that alliance chain, a device trust transfer function module, a secure storage function module and a data access control function module;
The alliance chain comprises alliance chain nodes and a blockchain network established between them, the alliance chain nodes being the selected top-level server and regional servers;
The device trust transfer function module comprises an asymmetric key generator and an identity management smart contract. The asymmetric key generator is configured to generate a unique pair of asymmetric keys for each sensor node and each sink node below the regional servers, and the identity management smart contract is configured to write the public keys and addresses of the sink nodes and sensor nodes into the alliance chain;
The secure storage function module comprises a data upload module configured to upload the data collected by a sensor node to the sink node, where it is verified to yield the sink node's data set, and then to upload that data set to the regional server, where it is verified again; after verification passes, the sink node's data set is stored in an off-chain database of the regional server and encrypted, and the hash value of the sink node's data set is calculated and written into the alliance chain as a storage certificate;
The data access control function module is configured to decrypt a shared data set in the off-chain database and calculate its hash value, then compare this hash value with the storage certificate from step S3 to verify the correctness of the shared data set, and return the uniform resource locator of the shared data set to achieve data sharing.
The secure storage function module further comprises an anomaly reporting module configured to write the information into the alliance chain if an anomaly is found while the data upload module is verifying data.
The alliance chain is divided into multiple independent side chains with different parameters.
The identity management smart contract comprises a sink node identity registration module and a sensor node identity verification module. The sink node identity registration module is configured to enter into the sensor network the public key and address of each sink node permitted to join, and to have the sink node register its identity with the regional server when it comes online; the sensor node identity verification module is configured to have each sink node read the sensor nodes around it, and to have each sensor node connect to the sink node when it wakes up.
The sink node identity registration module is further configured so that the sink node first sends an encrypted registration request to the regional server; the request is encrypted with the sink node's private key to form the message payload, the hash value of the payload is signed, and the sender's identity is verified; the regional server verifies the authenticity of the registration request against the entered public key of the sink node, and completes the identity registration when verification passes;
The sink node identity registration module is further configured so that the sensor node sends an encrypted identity verification request to the sink node, encrypted in the same way as the registration request; the sink node verifies the authenticity of the identity verification request, and lets the sensor node connect when verification passes.
The invention introduces distributed ledger technology on top of a sensor network deployed with regional autonomy. It generates asymmetric keys for the sink nodes and sensor nodes, fixes each private key in the node's memory, writes the public keys into the blockchain, and uses an identity management smart contract to build a chain of trust from the regional manager to the sink node and on to the sensor node. This passes trusted identity down the hierarchy, solves the centralized management problem in a distributed Internet of Things organization, and secures data transmission. Data is signed and encrypted before being stored on the regional server, and the data digest is written into the alliance chain as a storage certificate, which provides data security verification. Distributed ledger technology removes the barriers to data sharing between regions: a data sharing smart contract lets data owners flexibly set data access permissions, sharing scope and time limit, which solves data sharing access control, and the storage certificate is used to check shared data so that it can be trusted. During data upload, the key operations on the regional server run in a trusted execution environment to ensure that code and data are not tampered with.
Description of the drawings
Figure 1 is a schematic structural diagram of a typical sensor network.
Figure 2 is a flowchart of the security management method for a sensor network based on distributed ledger technology according to an embodiment of the invention.
Figure 3 is a schematic structural diagram of the security system for a sensor network based on distributed ledger technology according to an embodiment of the invention.
Detailed description
Preferred embodiments of the invention are given below with reference to the drawings and described in detail, so that the functions and features of the invention can be better understood.
Before describing the invention itself, the composition of the sensor network system is explained. A large-scale sensor network includes, but is not limited to, the following elements: sensor nodes, sink nodes, regional servers and regional managers, a top-level server and a global manager, and an alliance chain.
Figure 1 shows a typical sensor network, with its network topology and components. It is essentially the same as existing layered sensor networks and comprises, in a bottom-up layered architecture, multiple sensor nodes Sen_i, multiple sink nodes Sink_j, multiple regional servers Org_k and one top-level server Adm. The sensor node Sen_i is the data producer: it senses physical-world variables directly through its sensors and is generally designed for low power consumption and low cost. The sink node collects data from the sensor nodes and forwards it to the back-end processing center, and has more energy and computing power than a sensor node. The regional server receives and processes the sensor data for part of the large-scale sensor network, and the regional manager of that server (the actual managing organization or personnel) uses it to maintain and manage the sensor network facilities in the region. The top-level server is set up by the superior organization; it does not take part in processing or storing sensor data but runs the related supervisory services, and the global manager uses the top-level server it owns to supervise and review the complete sensor network and to lead and govern the regional managers. In addition, an alliance chain Chain can be set up between the multiple regional servers Org_k and the top-level server Adm, with properties such as decentralization and information that cannot be tampered with.
The invention proposes a security management method for a sensor network based on distributed ledger technology, used to implement device management and data access control for the sensor network. The method is shown in Figure 2 and includes the following steps:
Step S1: Alliance chain deployment. Select one top-level server and multiple regional servers as alliance chain nodes to build an alliance chain, and store a distributed ledger on it.
The alliance chain comprises the alliance chain nodes and a blockchain network established between them (a dedicated high-speed network, generally high-speed Ethernet or a cellular network). According to the security services running on it, the alliance chain is divided into multiple independent side chains (channels) with different parameters to suit each service: for example, a device management chain to implement the device management mechanism, a data storage chain to hold the storage certificates of sensor data digests, and a data sharing chain to implement data access control. The alliance chain uses an admission permission mechanism, so the top-level server and the regional servers are selected as alliance chain nodes by being authorized. Each alliance chain node takes part in building the distributed ledger and uses a consensus algorithm to reach consensus on it, meaning that the ledger data is agreed across multiple nodes and stored on each node as identical copies of the ledger. Because the admission permission mechanism makes the alliance chain nodes relatively trustworthy, the consensus algorithm does not need to be a proof of work (PoW) mechanism and can instead be a lightweight algorithm such as Byzantine fault tolerance (PBFT), which lowers the hardware requirements of the system.
此外,所述步骤S1还包括:在所述联盟链上部署智能合约,用于操作区块链上的分布式账本的数据,该智能合约包括身份管理智能合约和数据共享智能合约,分别用于下文的传感网的初始化和身份验证以及数据共享。In addition, the step S1 also includes: deploying a smart contract on the consortium chain for operating the data of the distributed ledger on the blockchain. The smart contract includes an identity management smart contract and a data sharing smart contract, which are respectively used for The initialization and identity verification and data sharing of the sensor network below.
Step S2: Identity identification, sensor network initialization, and identity verification.
A pair of asymmetric keys is generated for each sensor node and each sink node below the selected regional servers, to serve as the identity of these nodes on the consortium chain. The private key is fixed in the memory of the sink node or sensor node; it is secret, unique and unchangeable identity verification information that proves the holder's identity, and only the node's own program can read it. The public key and its address are written to the consortium chain, where the address is a unique identification code computed from the public key; the public key and its address are published as the identity of the sink node or sensor node and are used to manage these nodes. After a newly deployed sensor network node wakes up, it requests identity verification, is verified level by level by comparison with the node information on the consortium chain, and is registered as a legitimate node, which completes the initialization of the sensor network.
Writing the public key and its address to the consortium chain is implemented by an identity management smart contract, and a cryptographic identity verification method is used to pass trust from the user to the sink node to the sensor node. Specifically, this includes:
Step S21: A user (that is, a regional administrator) uses the identity management smart contract to enter into the sensor network the public keys and addresses of the sink nodes permitted to join; each sink node then comes online and registers its identity with the regional server. This realizes the interaction between the user, the sink nodes and the identity management smart contract.
In step S21, the sensor network is generally designed as a constrained, low-rate, multi-hop wireless network. Each user uses the identity management smart contract with the service permissions that correspond to that user's key; the service permissions are preset by the global server.
Registering the identity includes the following. The sink node first sends an encrypted registration request to the regional server. The request is encrypted with the sink node's private key and serves as the message payload, and the hash of the message payload is signed; this signature over the payload hash is used to verify the integrity of the message and the identity of the sender. The message payload also contains a timestamp, which is used to prevent replay attacks. The regional server then verifies the authenticity of the registration request against the public key that was entered for the sink node, and completes the registration when verification passes.
Step S22: Each sink node reads the sensor nodes around it, and the sensor nodes wake up and connect to the sink node.
In step S22, each sink node reads the sensor nodes around it by interacting with the smart contract and querying the data on the consortium chain.
Connecting to the sink node includes the following. The sensor node sends an encrypted identity verification request to the sink node, encrypted in the same way as the registration request that the sink node sends to the regional server, described above. The sink node verifies the authenticity of the identity verification request and, when verification passes, lets the sensor node connect, so that it can carry out data forwarding for the sensor node. If verification fails, the address of the sensor node is blacklisted after several failed attempts and further connections are refused. This completes the identity verification of the sensor nodes, which protects against malicious nodes joining.
In this embodiment, the encrypted registration request is:

$$\mathrm{Sign}_{\mathrm{Sink\_j}}(\mathrm{Hash}(\mathrm{data})) \mid E_{\mathrm{pri\_Sink\_j}}(\mathrm{data}) \mid \mathrm{Add}_{\mathrm{Sink\_j}}, \qquad \mathrm{data} = \mathrm{Add}_{\mathrm{Sink\_j}} \mid \mathrm{registerRequest} \mid \mathrm{TimeStamp}$$

where $\mathrm{Sign}_{\mathrm{Sink\_j}}(\cdot)$ is the signature operation of sink node Sink_j; $\mathrm{Hash}(\cdot)$ is the hash operation; data is the message payload; $E_{\mathrm{pri\_Sink\_j}}(\cdot)$ is encryption with the private key of sink node Sink_j; $\mathrm{Add}_{\mathrm{Sink\_j}}$ is the address identifier of sink node Sink_j; registerRequest is the registration request information; and TimeStamp is the timestamp.
The encrypted identity verification request is:

$$\mathrm{Sign}_{\mathrm{Sen\_i}}(\mathrm{Hash}(\mathrm{data})) \mid E_{\mathrm{pri\_Sen\_i}}(\mathrm{data}) \mid \mathrm{Add}_{\mathrm{Sen\_i}}, \qquad \mathrm{data} = \mathrm{Add}_{\mathrm{Sen\_i}} \mid \mathrm{AuthenticationRequest} \mid \mathrm{TimeStamp}$$

where $\mathrm{Sign}_{\mathrm{Sen\_i}}(\cdot)$ is the signature operation of sensor node Sen_i; $\mathrm{Hash}(\cdot)$ is the hash operation; data is the message payload; $E_{\mathrm{pri\_Sen\_i}}(\cdot)$ is encryption with the private key of sensor node Sen_i; $\mathrm{Add}_{\mathrm{Sen\_i}}$ is the address identifier of sensor node Sen_i; AuthenticationRequest is the identity verification request; and TimeStamp is the timestamp. The table below lists the symbols used in this embodiment and their meanings.
Table 1. Symbols used in the embodiment and their meanings
Figure PCTCN2020082417-appb-000001
Figure PCTCN2020082417-appb-000002
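The registration and identity verification checks of steps S21 and S22, as an added example that is not code from the patent: a verifier looks up the enrolled public key by address, checks the signature over the payload hash, rejects stale or replayed timestamps, and blacklists an address after repeated failures. Ed25519 and SHA-256, the address derivation, the 30-second window, the three-failure threshold and the rule that a timestamp must be newer than the last accepted one are all assumptions, and the payload is carried in the clear rather than encrypted with the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed policy: seconds of accepted clock skew, failures before blacklisting.
const maxSkew, maxFailures = 30, 3

var (
	ErrBlacklisted = errors.New("address blacklisted")
	ErrUnknown     = errors.New("address not enrolled on chain")
	ErrSignature   = errors.New("signature does not match payload")
	ErrPayload     = errors.New("malformed payload or timestamp outside window")
	ErrReplay      = errors.New("timestamp not newer than last accepted")
)

// Message is Sign(Hash(data)) | data | Add, with data = Add | request | TimeStamp.
type Message struct {
	Sig        []byte
	Data, Addr string
}

// Verifier is the regional server (for sink nodes) or a sink node (for sensor nodes).
type Verifier struct {
	ledger   map[string]ed25519.PublicKey // address -> key; stands in for the chain query
	failures map[string]int
	lastTS   map[string]int64
}

func NewVerifier() *Verifier {
	return &Verifier{ledger: map[string]ed25519.PublicKey{}, failures: map[string]int{}, lastTS: map[string]int64{}}
}

// DemoKey derives a fixed key pair from a label so the example is reproducible.
func DemoKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// AddressOf computes the address from the public key (assumed: truncated SHA-256, hex).
func AddressOf(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return fmt.Sprintf("%x", sum[:10])
}

// Enroll is step S21: the administrator records a permitted node's key and address.
func (v *Verifier) Enroll(pub ed25519.PublicKey) { v.ledger[AddressOf(pub)] = pub }

// BuildRequest is the node side: sign the hash of Add | request | TimeStamp.
func BuildRequest(priv ed25519.PrivateKey, request string, ts int64) Message {
	addr := AddressOf(priv.Public().(ed25519.PublicKey))
	data := addr + "|" + request + "|" + strconv.FormatInt(ts, 10)
	digest := sha256.Sum256([]byte(data))
	return Message{Sig: ed25519.Sign(priv, digest[:]), Data: data, Addr: addr}
}

// Verify applies the blacklist first; every failed check counts against the address.
func (v *Verifier) Verify(m Message, now int64) (err error) {
	if v.failures[m.Addr] >= maxFailures {
		return ErrBlacklisted
	}
	if err = v.check(m, now); err != nil {
		v.failures[m.Addr]++
	}
	return err
}

func (v *Verifier) check(m Message, now int64) error {
	pub, ok := v.ledger[m.Addr]
	if !ok {
		return ErrUnknown
	}
	digest := sha256.Sum256([]byte(m.Data))
	if !ed25519.Verify(pub, digest[:], m.Sig) {
		return ErrSignature
	}
	f := strings.Split(m.Data, "|")
	ts, err := strconv.ParseInt(f[len(f)-1], 10, 64)
	if err != nil || len(f) != 3 || f[0] != m.Addr || ts < now-maxSkew || ts > now+maxSkew {
		return ErrPayload
	}
	if ts <= v.lastTS[m.Addr] { // same or older TimeStamp: a replayed message
		return ErrReplay
	}
	v.lastTS[m.Addr] = ts
	return nil
}

func main() {
	v := NewVerifier()
	pub, sink := DemoKey("sink_j")
	v.Enroll(pub)
	fmt.Println(v.Verify(BuildRequest(sink, "registerRequest", 1700000000), 1700000001))
}
```

Because the failure counter is keyed on the claimed address, a deployment should also rate-limit by link-layer source so that bad requests cannot lock out a registered node.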
Step S3: Data upload. The sensor nodes collect data. The data collected by a sensor node is uploaded to the sink node and verified there, giving the sink node's data set, which is then uploaded to the regional server and verified there. After verification passes, the sink node's data set is stored, encrypted, in an off-chain database on the regional server, and at the same time the hash of the sink node's data set is computed and written to the consortium chain as evidence.
Here, the sink node's data verification checks the source and integrity of the data collected by the sensor nodes; after the check passes, the sink node obtains its data set by signing the digest of the data payload with its own private key. The regional server's data verification checks the legitimacy of the sink node's data set. The off-chain database is encrypted with a database password.
The main communication messages and operations above are therefore expressed as follows.
The sensor node data set passed to the sink node is:

$$\mathrm{Sen\_i} \rightarrow \mathrm{Sink\_j}:\ \mathrm{Sign}_{\mathrm{Sen\_i}}(\mathrm{Hash}(\mathrm{data\_sen\_i} \mid \mathrm{TimeStamp})) \mid \mathrm{data\_sen\_i} \mid \mathrm{TimeStamp}$$

The sink node data set routed to the regional server is:

$$\mathrm{Sink\_j} \rightarrow \mathrm{Org\_k}:\ \mathrm{Sign}_{\mathrm{Sink\_j}}(\mathrm{Hash}(\mathrm{data\_sink\_j} \mid \mathrm{TimeStamp})) \mid \mathrm{data\_sink\_j} \mid \mathrm{TimeStamp}$$

The hash value that the regional server sends to the consortium chain is:

$$\mathrm{Org\_k} \rightarrow \mathrm{Chain}:\ \mathrm{Sign}_{\mathrm{Org\_k}}(\mathrm{Hash}([\mathrm{Sign}_{\mathrm{Sink\_j}}(\mathrm{Hash}(\mathrm{data\_sink\_j} \mid \mathrm{TimeStamp}))]))$$

The sink node data set stored in the off-chain database of the regional server is:

$$\mathrm{Org\_k} \rightarrow \mathrm{Database}:\ E_{\mathrm{symKey}}([\mathrm{Hash}(\mathrm{data\_sink\_j} \mid \mathrm{TimeStamp}) \mid \mathrm{data\_sink\_j} \mid \mathrm{TimeStamp}])$$

The meaning of each symbol is given in Table 1.
In step S3, the confidentiality and integrity of data in transit are guaranteed by the encryption of an external transport protocol (such as HTTPS or MQTT) and need no additional consideration in the security mechanism of the present invention.
In this embodiment, the granularity of the evidence records can be set according to the actual situation, either by time interval or by data size. To make the results produced by the regional server trustworthy, the data verification, hash computation and blockchain write operations all run in a trusted execution environment on the regional server, so that the hardware ensures that code and data have not been tampered with. A trusted execution environment is a hardware-level security technology provided by the regional server's processor that gives programs and data an isolated execution space and ensures that execution results can be trusted. Intel SGX, for example, is one available trusted execution environment technology, which protects code and data at the hardware level.
In addition, step S3 further includes step S31: anomaly reporting. If an anomaly is found during the data verification in step S3, for example data has been tampered with or a node has gone offline, the anomaly information is written to the consortium chain and thereby propagated to the whole network, to be handled by the fault handling service.
Thus, when an anomaly occurs, such as data being tampered with or a node going offline, the regional server can promptly write it to the consortium chain and propagate it across the whole chain, so that the sensor network operations and maintenance department can inspect and repair promptly after receiving the message.
Step S4: Data access control. A shared data set in the off-chain database is decrypted and its hash is computed; the hash is then compared with the evidence from step S3 to verify that the shared data set is correct, and the uniform resource locator of the shared data set is returned, which realizes data sharing.
Specifically, the shared data set is [data_sink_j|TimeStamp], and the decryption is performed by the operation $D_{\mathrm{symKey}}([\mathrm{Hash}(\mathrm{data\_sink\_j} \mid \mathrm{TimeStamp}) \mid \mathrm{data\_sink\_j} \mid \mathrm{TimeStamp}])$, where $D_{\mathrm{symKey}}(\cdot)$ is decryption with a symmetric key symKey, $\mathrm{Hash}(\cdot)$ is the hash operation, data_sink_j is the data set of sink node j, and TimeStamp is the timestamp.
Further, step S4 is implemented by a data sharing smart contract, and the scope, time limit and visitor identity of the data sharing can be preset through this contract in order to preserve data ownership. The operation of obtaining a shared data set itself also leaves a record on the blockchain, which gives data sharing security and traceability.
In practice, a shared data set may be disclosed proactively by the data owner, or a user (that is, the global administrator or another regional administrator) may initiate an access request. Whatever the motivation, the data owner can specify the scope, time limit and visitor identity of the sharing through the data sharing smart contract described above. A user with access permission uses the data sharing smart contract to trigger the data reading program on the corresponding regional server. Because the off-chain database on the regional server is encrypted with a password, the data reading program obtains that password from the regional management server when it starts normally, and thereby gains read access to the off-chain database of step S4. It then obtains the shared data set, verifies its integrity and trustworthiness against the data digest stored on the chain, and returns the uniform resource locator of the shared data set to the data requester.
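The server side of steps S3 and S4, as an added example that is not code from the patent: the regional server stores the record encrypted off-chain, anchors its hash, and on a sharing request checks the grant, decrypts, recomputes the hash and compares it with the anchored value, logging an anomaly on mismatch. AES-256-GCM, the in-memory maps standing in for chain state, the grant key format, the password-derived key and the example URL are assumptions, and the anchored evidence is taken to be Hash(data_sink_j|TimeStamp) as in the prose of steps S3 and S4.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
)

var ErrDenied = errors.New("no valid sharing grant")
var ErrTampered = errors.New("data set does not match on-chain evidence")

// Server is a regional server Org_k. DB is its encrypted off-chain database; the
// other fields stand in for consortium-chain state (constructed, in-memory).
type Server struct {
	symKey    []byte
	DB        map[string][]byte   // id -> E_symKey(record)
	Evidence  map[string][32]byte // on chain: id -> Hash(data_sink_j|TimeStamp)
	Grants    map[string]int64    // on chain: "visitor/id" -> expiry set by the data owner
	Anomalies []string            // on chain: step S31 reports
}

func NewServer() *Server {
	k := sha256.Sum256([]byte("constructed-db-password")) // use a real KDF in practice
	return &Server{symKey: k[:], DB: map[string][]byte{}, Evidence: map[string][32]byte{}, Grants: map[string]int64{}}
}

// Record builds Hash(data|TimeStamp) | data | TimeStamp, the plaintext kept off-chain.
func Record(data string, ts int64) []byte {
	body := []byte(data + "|" + strconv.FormatInt(ts, 10))
	d := sha256.Sum256(body)
	return append(d[:], body...)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is E_symKey: AES-256-GCM with a random nonce prepended to the ciphertext.
func Seal(key, plain []byte) ([]byte, error) {
	a, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plain, nil), nil
}

// Open is D_symKey.
func Open(key, blob []byte) ([]byte, error) {
	a, err := gcm(key)
	if err != nil || len(blob) < a.NonceSize() {
		return nil, errors.New("cannot decrypt")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], nil)
}

// Store is the server side of step S3: encrypt off-chain, anchor the hash on chain.
func (s *Server) Store(id, data string, ts int64) error {
	rec := Record(data, ts)
	blob, err := Seal(s.symKey, rec)
	if err != nil {
		return err
	}
	s.DB[id] = blob
	s.Evidence[id] = sha256.Sum256(rec[32:])
	return nil
}

// Share is step S4: check the grant, decrypt, recompute the hash, compare with the chain.
func (s *Server) Share(visitor, id string, now int64) (string, error) {
	if exp, ok := s.Grants[visitor+"/"+id]; !ok || now > exp {
		return "", ErrDenied
	}
	rec, err := Open(s.symKey, s.DB[id])
	if err != nil || len(rec) < 32 || sha256.Sum256(rec[32:]) != s.Evidence[id] {
		s.Anomalies = append(s.Anomalies, "evidence mismatch for "+id)
		return "", ErrTampered
	}
	return "https://org-k.example/datasets/" + id, nil
}

func main() {
	s := NewServer()
	_ = s.Store("set-1", "temp=21.5", 1700000000)
	s.Grants["org_m/set-1"] = 1700003600
	fmt.Println(s.Share("org_m", "set-1", 1700000010))
}
```

The on-chain comparison is what catches a record rewritten by someone who holds the database password: such a record still decrypts cleanly, so the AEAD tag alone would not flag it.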
The present invention also provides a sensor network security system for implementing the above security management method, comprising a consortium chain and, deployed on the consortium chain, a device trust transfer function module 2, a secure storage function module 3 and a data access control function module 4, as shown in Figure 3.
The consortium chain 1 comprises consortium chain nodes and a blockchain network with a permissioned admission mechanism established between them; the consortium chain nodes are the selected regional servers and top-level server. The consortium chain 1 is divided into several channels according to the security services. It uses distributed ledger technology to store the distributed ledger. In addition, the consortium chain uses a lightweight data consensus algorithm to reduce the consumption of hardware resources. With its decentralization and the immutability of its records, the consortium chain thus serves as the trusted foundation of the sensor network security system of the present invention and supports the other modules of the system, providing them with functions such as evidence recording and information sharing.
The device trust transfer module 2 comprises an asymmetric key generator and an identity management smart contract, and is used to manage the sensor nodes and sink nodes.
The asymmetric key generator is configured to generate a unique pair of asymmetric keys for each sensor node and each sink node below the regional servers. The private key is fixed in memory, and the public key and its address are published as the identity of the sensor node or sink node, where the address is a unique identification code computed from the public key.
The identity management smart contract is configured to write the public keys and addresses of the sink nodes and sensor nodes to the consortium chain. It comprises a sink node identity registration module and a sensor node identity verification module.
The sink node identity registration module is configured to enter into the sensor network the public keys and addresses of the sink nodes permitted to join, and to have each sink node register its identity with the regional server when it comes online. The sensor network is generally designed as a constrained, low-rate, multi-hop wireless network. The identity management smart contract holds user keys corresponding to its various service permissions; the service permissions are preset by the global server.
The sink node identity registration module is further configured as follows. The sink node first sends an encrypted registration request to the regional server. The request is encrypted with the sink node's private key and serves as the message payload, and the hash of the payload is signed; this signature over the payload hash is used to verify the integrity of the message and the identity of the sender. The message payload also contains a timestamp, which is used to prevent replay attacks. The regional server then verifies the authenticity of the registration request against the public key that was entered for the sink node, and completes the registration when verification passes.
The sensor node identity verification module is configured to have each sink node read the sensor nodes around it and to have the sensor nodes connect to the sink node when they wake up. The sink node identity registration module is further configured as follows. The sensor node sends an encrypted identity verification request to the sink node, encrypted in a way similar to the registration request that the sink node sends to the regional server, described above; the sink node verifies the authenticity of the identity verification request. If verification passes, the sink node carries out data forwarding for the sensor node; if the sensor node's address is not in the sink node's list, the sensor node's network address is blacklisted after several failed attempts and further connections are refused.
Thus, through the device trust transfer function module, a sink node first registers its identity with the regional server after coming online, and then accepts connections from sensor nodes and verifies their identity. Through this module, device trust is passed from the regional server to the sink node and then to the sensor node.
The secure storage function module 3 comprises a data upload module and an anomaly reporting module.
The data upload module corresponds to step S3 above. It is configured to upload the data collected by a sensor node to the sink node, where it is verified to give the sink node's data set, and then to upload that data set to the regional server, where it is verified again. After verification passes, the sink node's data set is stored, encrypted, in an off-chain database on the regional server, and at the same time the hash of the sink node's data set is computed and written to the consortium chain as evidence. The data verification, hash computation and blockchain write operations all run in a trusted execution environment on the regional server, so that the hardware ensures that code and data have not been tampered with. A trusted execution environment is a hardware-level security technology provided by the regional server's processor that gives programs and data an isolated execution space and ensures that execution results can be trusted.
The anomaly reporting module is connected to the data upload module and corresponds to step S31 above. It is configured so that, if an anomaly is found while the data upload module is verifying data, the information is written to the consortium chain and propagated to the whole network, to be handled by the fault handling service.
Thus, the data of the wireless sensor network is stored encrypted on the regional servers, and digests of the data are written to the consortium chain to maintain the security and trustworthiness of the distributed data storage. If an anomaly is found while the sink node and the regional server are verifying data, the secure storage function module writes the anomaly information to the blockchain network and propagates it to the whole network, so that the maintenance department can carry out on-site repair and inspection.
The data access control function module 4 corresponds to step S4 above. It is configured to decrypt a shared data set in the off-chain database and compute its hash, then compare the hash with the evidence from step S3 to verify that the shared data set is correct, and return the uniform resource locator of the shared data set, which realizes data sharing. Preferably, the data access control function module is a data sharing smart contract, through which the scope, time limit and visitor identity of the data sharing can be preset in order to preserve data ownership. This makes it possible to share data with other consortium chain nodes that hold a legitimate identity within the consortium chain.
The above are only preferred embodiments of the present invention and are not intended to limit its scope; various changes can be made to the above embodiments. That is, all simple, equivalent changes and modifications made in accordance with the claims and the description of the present application fall within the scope of protection of the claims of the present patent. Matters not described in detail in the present invention are conventional technical content.

Claims (15)

  1. A security management method for a sensor network based on distributed ledger technology, characterized in that it comprises:
    Step S1: selecting a top-level server and a plurality of regional servers as consortium chain nodes to build a consortium chain, and storing a distributed ledger on it;
    Step S2: generating a pair of asymmetric keys for each sensor node and each sink node below the regional servers, fixing the private key in the memory of the sink node or sensor node, and writing the public key and its address to the consortium chain;
    Step S3: the sensor nodes collecting data, the data collected by a sensor node being uploaded to the sink node and verified there to give the sink node's data set, which is then uploaded to the regional server and verified there; after verification passes, storing the sink node's data set, encrypted, in an off-chain database on the regional server, and at the same time computing the hash of the sink node's data set and writing it to the consortium chain as evidence;
    Step S4: decrypting a shared data set in the off-chain database and computing its hash, then comparing the hash with the evidence from step S3 to verify that the shared data set is correct, and returning the uniform resource locator of the shared data set, to realize data sharing.
  2. The security management method for a sensor network based on distributed ledger technology according to claim 1, characterized in that it further comprises step S31: if an anomaly is found during the data verification in step S3, writing the anomaly information to the consortium chain.
  3. The security management method for a sensor network based on distributed ledger technology according to claim 1, characterized in that, in step S1, the consortium chain is divided into a plurality of independent side chains with different parameters according to the security services running on the consortium chain.
  4. The security management method for a sensor network based on distributed ledger technology according to claim 1, characterized in that, in step S1, the top-level server and the regional servers are selected as consortium chain nodes by being authorized, and the consortium chain nodes use a consensus algorithm to reach consensus on the distributed ledger.
  5. The security management method for a sensor network based on distributed ledger technology according to claim 4, characterized in that the consensus algorithm is a lightweight algorithm.
  6. The security management method for a sensor network based on distributed ledger technology according to claim 1, characterized in that, in step S2, writing the public key and its address to the consortium chain comprises:
    Step S21: a user using an identity management smart contract to enter into the sensor network the public keys and addresses of the sink nodes permitted to join, and each sink node coming online and registering its identity with the regional server;
    Step S22: each sink node reading the sensor nodes around it, and the sensor nodes waking up and connecting to the sink node.
  7. The security management method for a sensor network based on distributed ledger technology according to claim 6, characterized in that, in step S21, registering the identity comprises: the sink node first sending an encrypted registration request to the regional server, the request being encrypted with the sink node's private key and serving as the message payload, the hash of the payload being signed, and the identity of the sender being verified; the regional server then verifying the authenticity of the registration request against the public key that was entered for the sink node, and completing the registration when verification passes;
    in step S22, connecting to the sink node comprises: the sensor node sending an encrypted identity verification request to the sink node, encrypted in the same way as the registration request; and the sink node verifying the authenticity of the identity verification request and letting the sensor node connect to the sink node when verification passes.
  8. The security management method for a sensor network based on distributed ledger technology according to claim 1, characterized in that, in step S3, the sink node's data verification checks the source and integrity of the data collected by the sensor nodes, and after the check passes, the sink node's data set is obtained by signing the digest of the data payload with the sink node's own private key.
  9. The security management method for a sensor network based on distributed ledger technology according to claim 1, characterized in that, in step S3, the data verification, hash computation and blockchain write operations all run in a trusted execution environment on the regional server.
  10. The security management method for a sensor network based on distributed ledger technology according to claim 1, characterized in that step S4 is implemented by a data sharing smart contract, and the scope, time limit and visitor identity of the data sharing can be preset through the data sharing smart contract.
  11. A security system for a sensor network based on distributed ledger technology, the sensor network comprising sensor nodes, sink nodes, regional servers and top-level servers in a bottom-up layered architecture, characterized in that the system comprises a consortium chain (1) and, deployed on the consortium chain (1), a device trust transfer function module (2), a secure storage function module (3) and a data access control function module (4);
    the consortium chain comprises consortium chain nodes and a blockchain network established between the consortium chain nodes, the consortium chain nodes being selected top-level servers and regional servers;
    the device trust transfer function module (2) comprises an asymmetric key generator and an identity management smart contract, the asymmetric key generator being configured to generate a unique asymmetric key pair for each sensor node and each sink node below the regional server, and the identity management smart contract being configured to write the public keys and addresses of the sink nodes and sensor nodes into the consortium chain;
    the secure storage function module (3) comprises a data upload module configured to upload the data collected by the sensor node to the sink node, where it undergoes the sink node's data verification to yield the data set of the sink node, and then to upload that data set to the regional server for the regional server's data verification; after the verification passes, the data set of the sink node is stored in an off-chain database of the regional server and encrypted, and at the same time the hash value of the data set of the sink node is calculated and written into the consortium chain as proof;
    the data access control function module (4) is configured to decrypt a shared data set in the off-chain database and calculate the hash value of the shared data set, then compare that hash value with the proof of step S3 to verify the correctness of the shared data set, and return the uniform resource locator of the shared data set, so as to realize data sharing.
  12. The security system for a sensor network based on distributed ledger technology according to claim 11, characterized in that the secure storage function module (3) further comprises an abnormality reporting module configured to write the information into the consortium chain if an abnormality is found while the data upload module performs data verification.
  13. The security system for a sensor network based on distributed ledger technology according to claim 11, characterized in that the consortium chain (1) is divided into a plurality of independent side chains with different parameters.
  14. The security system for a sensor network based on distributed ledger technology according to claim 11, characterized in that the identity management smart contract comprises a sink node identity registration module and a sensor node identity verification module; the sink node identity registration module is configured to enter into the sensor network the public keys and addresses of the sink nodes permitted to join, and to have a sink node register its identity with the regional server when it comes online; the sensor node identity verification module is configured to have each sink node read its surrounding sensor nodes, and to have a sensor node access the sink node when it wakes up.
  15. The security system for a sensor network based on distributed ledger technology according to claim 14, characterized in that the sink node identity registration module is further configured to: have the sink node first send an encrypted registration request to the regional server, the encrypted registration request being encrypted with the sink node's private key to serve as the message payload, with the hash value of the payload signed and the sender's identity verified; the regional server verifies the authenticity of the registration request according to the entered public key of the sink node, and completes the identity registration when the verification passes;
    the sink node identity registration module is further configured to: have the sensor node send an encrypted identity verification request to the sink node, the identity verification request being encrypted in the same way as the registration request; the sink node verifies the authenticity of the identity verification request and, when the verification passes, connects the sensor node to the sink node.
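
The registration check of claims 14 and 15 (a payload whose hash is signed with the sink node's private key and verified against the public key entered in advance) can be sketched as follows. This is an added example, not code from the patent: the claims name no algorithm, so Ed25519, SHA-256, the `Request` layout, the `Enrolled` map standing in for the on-chain identity records, and the address `sink-01` are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Request is an assumed wire format: the payload plus a signature over SHA-256(payload).
type Request struct {
	Addr         string
	Payload, Sig []byte
}

// Enrolled maps a sink node address to the public key entered for it in advance (assumed stand-in for the chain).
type Enrolled map[string]ed25519.PublicKey

var ErrNotEnrolled = errors.New("address has no enrolled public key")
var ErrBadSig = errors.New("signature does not verify under the enrolled key")

// DemoKey derives a key pair from a constructed seed; for this demo only.
func DemoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign is the sink node side: hash the payload, then sign the digest.
func Sign(addr string, priv ed25519.PrivateKey, payload []byte) Request {
	d := sha256.Sum256(payload)
	return Request{Addr: addr, Payload: payload, Sig: ed25519.Sign(priv, d[:])}
}

// Verify is the regional server side: find the enrolled key, recompute the digest, check the signature.
func (e Enrolled) Verify(r Request) error {
	pub, ok := e[r.Addr]
	if !ok {
		return ErrNotEnrolled
	}
	d := sha256.Sum256(r.Payload)
	if !ed25519.Verify(pub, d[:], r.Sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	pub, priv := DemoKey(1)
	e := Enrolled{"sink-01": pub}
	req := Sign("sink-01", priv, []byte("register sink-01")) // constructed payload
	fmt.Println("genuine:", e.Verify(req))
	req.Payload[0] ^= 1 // payload altered after signing
	fmt.Println("altered:", e.Verify(req))
}
```

Claim 15 as worded does not bind the request to a time or nonce, so in a deployment the signed payload would need to carry one for a recorded request not to verify again later.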
PCT/CN2020/082417 2019-06-06 2020-03-31 Distributed ledger technology-based sensor network security management method and security system WO2020244295A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910492237.9 2019-06-06
CN201910492237.9A CN110445827B (en) 2019-06-06 2019-06-06 Security management method and security system of sensor network based on distributed account book technology

Publications (1)

Publication Number Publication Date
WO2020244295A1 true WO2020244295A1 (en) 2020-12-10

Family

ID=68428779

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/082417 WO2020244295A1 (en) 2019-06-06 2020-03-31 Distributed ledger technology-based sensor network security management method and security system

Country Status (2)

Country Link
CN (1) CN110445827B (en)
WO (1) WO2020244295A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115550002A (en) * 2022-09-20 2022-12-30 贵州电网有限责任公司 TEE-based intelligent home remote control method and related device

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110445827B (en) * 2019-06-06 2021-05-18 中国科学院上海微系统与信息技术研究所 Security management method and security system of sensor network based on distributed account book technology
CN111092882B (en) * 2019-12-12 2021-12-07 中国船舶工业系统工程研究院 Cross-domain multi-party information secure sharing method based on block chain and IPFS (Internet protocol File System)
CN111131211A (en) * 2019-12-17 2020-05-08 杭州甘道智能科技有限公司 Anti-tampering method for sharing washing machine safety
CN111162910A (en) * 2019-12-20 2020-05-15 杭州能信科技有限公司 Multi-language encryption transmission scheme for high-concurrency new energy power generation data
CN110851851B (en) * 2020-01-15 2020-11-06 蚂蚁区块链科技(上海)有限公司 Authority management method, device and equipment in block chain type account book
CN111262936A (en) * 2020-01-16 2020-06-09 天津大学 Block chain-based ocean big data sharing method
CN111404994A (en) * 2020-02-26 2020-07-10 北斗(天津)科学技术应用研究院(有限合伙) Intelligent industrial decentralized information storage node communication network system and method
CN111352968B (en) * 2020-02-28 2023-09-29 杭州云象网络技术有限公司 Intelligent manufacturing element identification method based on blockchain network
CN111327623A (en) * 2020-02-28 2020-06-23 上海哈世科技有限公司 Alliance link information transmission method, device, equipment and storage medium
CN111461710B (en) * 2020-03-06 2023-06-23 重庆邮电大学 Distributed account book access control method based on alliance chain
CN113536388B (en) * 2020-04-16 2023-02-28 中移物联网有限公司 Data sharing method and system based on block chain
CN111769952B (en) * 2020-06-29 2024-04-02 福建福链科技有限公司 Data processing system of block chain sensor
CN111836258B (en) * 2020-07-10 2024-04-23 国网冀北电力有限公司电力科学研究院 Method and device for safely accessing nodes of power distribution Internet of things
CN112016119B (en) * 2020-08-10 2022-02-15 四川九洲电器集团有限责任公司 Autonomous identity management method based on block chain
CN112199051B (en) * 2020-11-03 2022-03-04 国网山东省电力公司电力科学研究院 Power distribution main equipment distributed sensing device applying lightweight alliance chain technology
CN114065283A (en) * 2020-11-20 2022-02-18 北京邮电大学 Lightweight block chain storage method and device capable of cyclic regeneration
CN112487459B (en) * 2020-12-10 2023-08-04 浙江大学德清先进技术与产业研究院 Remote sensing metadata uplink method based on alliance chain
CN112637330B (en) * 2020-12-22 2022-05-10 山东大学 Block chain large file copy address selection method, system, equipment and storage medium
CN113032814B (en) * 2021-04-28 2022-06-24 华南理工大学 Internet of things data management method and system
CN113703373B (en) * 2021-09-06 2022-10-14 杭州瀚陆信息技术有限公司 Data storage and reading method for networking of deep sea intelligent lander
CN114501440B (en) * 2022-01-04 2024-02-09 中国人民武装警察部队工程大学 Authentication key protocol for block chain application at edge of wireless sensor network

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015079620A1 (en) * 2013-11-28 2015-06-04 Toyota Jidosha Kabushiki Kaisha Communication method for data sharing system, data sharing system, and communication node
CN107249009A (en) * 2017-08-02 2017-10-13 广东工业大学 A kind of data verification method and system based on block chain
CN109034833A (en) * 2018-06-16 2018-12-18 复旦大学 A kind of product back-tracing information management system and method based on block chain
CN109510876A (en) * 2018-12-20 2019-03-22 弗洛格(武汉)信息科技有限公司 A kind of alliance's chain sharding method and corresponding alliance's chain based on PBFT
US10243748B1 (en) * 2018-06-28 2019-03-26 Jonathan Sean Callan Blockchain based digital certificate provisioning of internet of things devices
CN109688199A (en) * 2018-11-28 2019-04-26 西安电子科技大学 A kind of multiple domain layering Internet of Things alliance platform chain and its sharding method, computer
CN110445827A (en) * 2019-06-06 2019-11-12 中国科学院上海微系统与信息技术研究所 The method for managing security and security system of Sensor Network based on distributed account book technology

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018183768A1 (en) * 2017-03-29 2018-10-04 Innit International S.C.A. Trusted food traceability system and method and sensor network
CN108053239B (en) * 2017-12-11 2021-01-19 中山大学 Sensor network sharing method based on block chain
CN108684018A (en) * 2018-05-08 2018-10-19 南京邮电大学 5G mMTC aggregation node module construction methods based on block chain
CN108632381B (en) * 2018-05-14 2020-09-29 浪潮集团有限公司 Block chain-based environment supervision method and system

Also Published As

Publication number Publication date
CN110445827A (en) 2019-11-12
CN110445827B (en) 2021-05-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20818929

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20818929

Country of ref document: EP

Kind code of ref document: A1