WO2023249320A1 - Method, device and system for DDS communication - Google Patents

Method, device and system for DDS communication

Info

Publication number: WO2023249320A1
Authority: WO (WIPO (PCT))
Application number: PCT/KR2023/008241
Prior art keywords: node, domain, nodes, authentication, information
Other languages: English (en), Korean (ko)
Inventors: 김동호, 이동훈, 허태성
Original assignee: 주식회사 케이티
Application filed by: 주식회사 케이티

Classifications (all under H04L, Transmission of digital information, e.g. telegraphic communication)

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Supporting key management in a packet data network
    • H04L63/065 Supporting key management in a packet data network for group communications
    • H04L63/02 Separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/04 Providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/06 Encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/32 Means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Involving a third party or a trusted authority
    • H04L9/3213 Using tickets or tokens, e.g. Kerberos
    • H04L9/40 Network security protocols
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/121 Timestamp

Definitions

  • the present invention relates to a DDS communication method, device, and system for providing DDS communication in a large-scale network environment such as 5G and LTE.
  • DDS: Data Distribution Service
  • ROS2, which is widely used as an operating system for robots, uses DDS as its basic communication middleware.
  • an auto-discovery function is used to automatically find the participants to which data is distributed in real time in a distributed environment.
  • the Auto-Discovery function is a function in which participants find the other participants to distribute data to by periodically transmitting a PDP (Participant Discovery Protocol) message through multicast.
  • the Auto-Discovery function provides the advantage of automatically finding and connecting to other participants through multicast. However, as more participants are added the number of packets increases significantly, so it is difficult to scale efficiently (that is, there is an availability problem), and it also cannot be used in an environment where multicast is not supported.
  • the Auto-Discovery function, which allows participants to automatically join data distribution, has the problem that DDoS attacks such as network flooding attacks and network reflection attacks using manipulated discovery packets are possible.
  • current DDS communication is used only in limited and closed systems such as defense, transportation, medicine, and robotics, and it is difficult to apply in open, large-scale network environments such as 5G and LTE.
  • the present invention is intended to solve the above-mentioned problems, and the purpose of the present invention is to provide a DDS communication method, device, and system for providing DDS communication in a large-scale network environment such as 5G and LTE.
  • the DDS communication method includes: receiving node information, including identification information and a domain ID, from a plurality of nodes that want to connect to a gateway and participate in DDS communication; transmitting, to the nodes having the same domain ID among the plurality of nodes, the node information of the nodes having that domain ID and a group key corresponding to the domain ID; configuring, by the gateway, a network through which the nodes having the domain ID exchange packets; and the gateway receiving, from a specific node having the domain ID, authentication information generated using the group key, performing authentication using the authentication information, and, if the authentication succeeds, transmitting the packet received from the specific node to another node having the domain ID.
  • the identification information includes identification information of the participant terminal, and the identification information of the participant terminal may be a terminal unique identification number (IMEI).
  • the step of receiving node information including the identification information and domain ID may include authenticating the node that transmitted the node information using the identification information and the instance IDs sequentially assigned to the nodes created in the participant terminal.
  • the step of transmitting the node information of nodes having the domain ID and the group key corresponding to the domain ID may include updating the group key when a new node participates in the domain corresponding to the domain ID, and transmitting the updated group key to the nodes having the domain ID. It may further include transmitting the node information of the new node to those nodes.
  • the step of configuring a network for nodes having the same domain ID to exchange packets may include configuring the network so that only nodes having the same domain ID exchange packets and packet exchange with nodes having different domain IDs is blocked.
  • the step of transmitting the node information of nodes having the domain ID and the group key corresponding to the domain ID may include transmitting, to a node that has successfully authenticated, the interface information with which that node connects to the gateway, and transmitting the node information of the nodes having the same domain ID to that node.
  • the step of configuring the network so that only nodes with the same domain ID exchange packets and packet exchange with nodes with different domain IDs is blocked may include creating a tunnel that virtually connects the interfaces to which the nodes having the same domain ID connect.
  • the authentication information may include an authentication code received from the specific node when the specific node connects to the gateway.
  • the authentication code is generated using the node information of the specific node and the group key held by the specific node.
  • the step of performing the authentication may include verifying the authentication code received from the specific node using the group key corresponding to the domain ID held by the gateway and the node information of the specific node.
  • the authentication information may include an authentication token received from the specific node along with the packet when the specific node transmits a packet to the nodes having the domain ID.
  • the authentication token is generated using the node information of the specific node and the group key held by the specific node.
  • the step of performing the authentication may include verifying the authentication token received from the specific node using the group key corresponding to the domain ID held by the gateway and the node information of the specific node.
  • the authentication token may further include at least one of a time stamp and a sequence number.
  • the step of transmitting the packet received from the specific node to another node having the domain ID may include transmitting the public key of the gateway to the nodes having the domain ID and, if authentication of the authentication token succeeds, generating a double encryption token by encrypting the authentication token with the private key of the gateway.
  • the step of transmitting the packet received from the specific node to another node having the domain ID may include inserting the double encryption token into the packet received with the authentication token and transmitting that packet to another node having the domain ID.
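The gateway-side secondary authentication and same-domain forwarding described in the token-related items above, as an added example (not the patent's or KT's code). A node sends each packet with a token consisting of a sequence number, a time stamp and an HMAC over its node information keyed with the domain's group key; the gateway recomputes the HMAC from the node information and group key it received from the control server, rejects stale and replayed tokens, and forwards only to nodes of the same domain. The token layout, the 30 s freshness window, the in-memory delivery list and all identifiers are assumptions; the gateway's private-key signature of the verified token (the double encryption token) is not shown.

```python
"""Gateway: verify a node's authentication token (S240) and forward only within the domain.
Added example, not the patent's code; token layout and constants are assumptions."""
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 30  # assumed freshness window for the token time stamp


def make_token(group_key, node_info, seq, ts):
    """Node side: authentication token = (seq, ts, HMAC-SHA256 over node info, seq and ts)."""
    msg = json.dumps({"node": node_info, "seq": seq, "ts": ts}, sort_keys=True).encode()
    return {"seq": seq, "ts": ts, "mac": hmac.new(group_key, msg, hashlib.sha256).hexdigest()}


class Gateway:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so the example is deterministic
        self.group_keys = {}  # domain_id -> group key (from the control server's policy)
        self.nodes = {}       # (terminal_id, app_id) -> node info dict including domain_id
        self.last_seq = {}    # node id -> highest accepted sequence number
        self.delivered = []   # (destination node id, payload); stands in for the tunnel

    def apply_policy(self, node_info, group_key):
        """Store what the control server sent: an authenticated node and its domain's key."""
        node_id = (node_info["terminal_id"], node_info["app_id"])
        self.nodes[node_id] = node_info
        self.group_keys[node_info["domain_id"]] = group_key

    def verify_token(self, node_id, token):
        info = self.nodes.get(node_id)
        if info is None:
            return False  # unknown node: never authenticated by the control server
        key = self.group_keys.get(info["domain_id"])
        if key is None:
            return False
        if abs(self.now() - token["ts"]) > MAX_SKEW_SECONDS:
            return False  # stale time stamp
        if token["seq"] <= self.last_seq.get(node_id, 0):
            return False  # replayed or out-of-order sequence number
        # Recompute with the gateway's own copy of the node info and group key.
        expected = make_token(key, info, token["seq"], token["ts"])["mac"]
        if not hmac.compare_digest(expected, token["mac"]):
            return False  # wrong (e.g. outdated) group key or tampered node info
        self.last_seq[node_id] = token["seq"]
        return True

    def forward(self, node_id, token, payload):
        """Deliver payload to every other node of the sender's domain; returns the recipients."""
        if not self.verify_token(node_id, token):
            return []
        domain = self.nodes[node_id]["domain_id"]
        recipients = [nid for nid, i in self.nodes.items()
                      if i["domain_id"] == domain and nid != node_id]
        for nid in recipients:
            self.delivered.append((nid, payload))
        return recipients
```

Because the gateway recomputes the MAC from the node information the control server gave it, a sender cannot claim a different terminal, app or domain than the one it registered with, and a token made with a superseded group key fails as soon as the key has been rotated.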
  • the DDS communication system includes a control server that receives node information, including identification information and a domain ID, from a plurality of nodes that want to connect to the gateway and participate in DDS communication, and transmits, to the nodes having the same domain ID among the plurality of nodes, the node information of the nodes having that domain ID and a group key corresponding to the domain ID; and a gateway that configures a network through which the nodes having the domain ID exchange packets, receives from a specific node having the domain ID authentication information generated using the group key, performs authentication using the authentication information, and, when the authentication succeeds, transmits a packet received from the specific node to another node having the domain ID.
  • the control server can authenticate the node that transmitted the node information using the identification information and the instance ID sequentially assigned to the nodes created in the participant terminal.
  • when a new node participates in the domain, the control server may update the group key and transmit the updated group key to the nodes having the domain ID.
  • the control server may transmit the node information of the new node to the nodes having the domain ID.
  • the DDS communication device includes: a gateway that provides a plurality of interfaces to which a plurality of nodes can connect; a communication unit that receives node information, including identification information and a domain ID, from a plurality of nodes that want to connect to the gateway and participate in DDS communication; and a control unit that transmits, through the communication unit, the node information of the nodes having the domain ID and a group key corresponding to the domain ID to the nodes having the same domain ID among the plurality of nodes. The gateway configures a network through which the nodes having the domain ID exchange packets, receives from a specific node having the domain ID authentication information generated using the group key, performs authentication using the authentication information, and, if the authentication succeeds, can transmit the packet received from the specific node to another node having the domain ID.
  • by supporting data exchange between nodes participating in the same domain based on the policy created in the DDS communication system, DDS communication can be implemented without the Auto-Discovery function, even in an environment where multicast is not supported, and the number of packets can be prevented from increasing exponentially as the number of participant terminals or nodes grows. Accordingly, the system has clear advantages in availability and scalability over conventional DDS communication methods, and can enable DDS communication even in open, large-scale network environments such as 5G and LTE.
  • Figure 1 is a block diagram for explaining a DDS communication system according to the present invention.
  • Figure 2 is a flowchart for explaining the DDS communication method of the DDS communication system according to the present invention.
  • FIG. 3 is a flowchart for explaining the overall operation of the DDS communication system and nodes. The description will be made with reference to FIGS. 2 and 3 together.
  • Figure 4 is a diagram for explaining a method for authenticating a node according to the present invention.
  • Figure 5 is a diagram to explain how a gateway configures a network.
  • Figure 6 is a diagram illustrating the primary authentication process performed when a node first connects to a gateway according to the present invention.
  • Figure 7 is a diagram illustrating a secondary authentication process performed when a node transmits a packet to another node according to the present invention.
  • Figure 8 is a diagram for explaining a DDS communication device according to another embodiment of the present invention.
  • the components may be subdivided for convenience of explanation, but these components may be implemented in one device or module, or one component may be divided and implemented across multiple devices or modules.
  • DDS communication is network middleware that simplifies complex networks and is designed to handle responses between participants.
  • the present invention provides a DDS communication system that supports DDS communication in a large-scale network environment including 5G or LTE by extending the simplified DDS middleware design on the basis of a software-defined perimeter.
  • Figure 1 is a block diagram for explaining a DDS communication system according to the present invention.
  • the DDS communication system includes a gateway 100 and a control server 200 and can support communication between multiple nodes.
  • the gateway 100 is connected to a plurality of participant terminals 1110, 1120, and 1130 and can transmit/receive data to and from the participant terminals.
  • the participant terminal may be a terminal (or server) subscribed to a communication service (mobile communication service such as 5G or LTE, Internet service, etc.) provided by a communication service provider.
  • Nodes may be driven in a plurality of participant terminals 1110, 1120, and 1130, and one or more nodes may be driven in one participant terminal.
  • a participant terminal refers to a device (hardware) such as a smartphone or PC
  • a node may refer to an operating system, application, process, program, etc. that runs on the device (hardware).
  • the entity that transmits and receives data is the node, and the gateway 100 can transmit/receive data with the node running on the participant terminal.
  • the control server 200 may communicate with the gateway 100 and with a plurality of nodes connected to the gateway 100. Additionally, the control server 200 can support communication between nodes participating in the same domain and create policies that improve security even without auto-discovery. These policies are distributed to the plurality of nodes and the gateway 100 connected to the DDS communication system, and each of the plurality of nodes can transmit and receive data to and from other nodes participating in the same domain based on the policy generated by the control server 200.
  • the control server 200 may include a communication unit for communicating with external devices, a control unit for controlling the overall operation of the control server, and a memory for storing the programs or commands that operate the control server.
  • the control unit may be referred to as a controller and may be composed of one or more processors (or microcontrollers, or microprocessors). Additionally, the one or more processors (or microcontrollers, or microprocessors) may be coupled with other components of the control server 200.
  • the communication unit may be called a communicator or a communication interface, and may include one or more communication modules (or communication circuits) to transmit or receive data with devices other than the control server 200.
  • the gateway 100 can set communication paths for multiple nodes connected to the gateway 100. Specifically, the gateway 100 may configure a network for nodes belonging to the same domain to exchange packets, based on the policy created by the control server 200. That is, the gateway 100 can create a tunnel through which packets can be exchanged between nodes belonging to the same domain among a plurality of nodes connected to the gateway 100. And this tunnel is logically created by the gateway 100 based on a policy created in the control server 200 rather than by a physical connection between ports, and may be called a virtual tunnel.
  • Figure 2 is a flowchart for explaining the DDS communication method of the DDS communication system according to the present invention.
  • the DDS communication method of the DDS communication system includes: receiving node information, including identification information and a domain ID of the node, from a plurality of nodes that want to connect to the gateway and participate in DDS communication (S210); transmitting, to the nodes having the same domain ID among the plurality of nodes, the node information of the nodes having that domain ID and a group key corresponding to the domain ID (S220); the gateway configuring a network through which the nodes having the domain ID exchange packets (S230); and the gateway receiving, from a specific node having the domain ID, authentication information generated using the group key, performing authentication using the authentication information, and, when the authentication succeeds, transmitting the packet received from the specific node to another node having the domain ID (S240).
  • FIG. 3 is a flowchart for explaining the overall operation of the DDS communication system and nodes. The description will be made with reference to FIGS. 2 and 3 together.
  • node 1210 may transmit node information to the control server 200 (S305).
  • the node information may include identification information including identification information of the participant terminal and identification information of the node running on the participant terminal.
  • the identification information of the participant terminal is uniquely assigned to the participant terminal using the communication service.
  • the identification information of the participant terminal may be a universally unique identifier (UUID) of the participant terminal.
  • the DDS communication system can support DDS communication in a large-scale network environment including 5G or LTE.
  • as the universally unique identifier (UUID) of the participant terminal, the terminal unique identification number (International Mobile Equipment Identity, IMEI) may be used.
  • the identification information of the node may include at least one of a host ID and an app ID.
  • the host ID is uniquely assigned to the participant terminal on which the node is running, and may include, for example, a MAC address, IPv4 address, universally unique identifier (UUID), etc.
  • the app ID is used to identify a node running on a participant terminal, and may be, for example, a process ID managed by the operating system (Linux, Unix, Windows, etc.).
  • node information may further include a domain ID.
  • the domain ID is identification information of the domain in which the node will participate, and the control server 200 supports communication between nodes based on the domain ID.
  • node information may further include an instance ID.
  • the instance ID is sequentially assigned to nodes that are created (starting operation) in the participant terminal. For example, when a participant terminal creates a node for the first time, it may give that node an instance ID of 0x01, and when it creates a second node, it may grant an instance ID of 0x02 to that node.
  • control server 200 may connect to the gateway 100 and receive node information including identification information and domain ID from a plurality of nodes that want to participate in DDS communication (S210).
  • control server 200 performs strict authentication because it does not trust the nodes and participant terminals. Therefore, the control server 200 can perform authentication using identification information instead of using IP or port.
  • control unit 120 can authenticate the node that transmitted the node information using the identification information of the participant terminal and the identification information of the node (S310). This will be explained with reference to Figure 4.
  • Figure 4 is a diagram for explaining a method for authenticating a node according to the present invention.
  • the control server 200 may compare the identification information of the participant terminal with the identification information of the participant terminals pre-registered in the control server 200, and if they match, determine that the identification information of the participant terminal is authenticated (S410). Additionally, the control server 200 may compare the received identification information of the node with the identification information of the plurality of nodes pre-registered in the control server 200, and if they match, determine that the identification information of the node is authenticated (S420). When both the identification information of the node and the identification information of the participant terminal are authenticated, the control server 200 may determine that authentication of the node that transmitted the corresponding node information succeeded.
  • the control server 200 can also authenticate the node that transmitted the node information using the identification information of the participant terminal, the identification information of the node, and the instance ID sequentially assigned to the nodes created in the participant terminal (S430).
  • the control server 200 can authenticate the node by checking the increase or decrease of the instance ID. More specifically, the control server 200 stores in memory the node information (app ID and instance ID) of the nodes received from one participant terminal, and authenticates a node by comparing the instance ID in the previously received node information with the instance ID in the currently received node information.
  • for example, the control server 200 receives first node information including an instance ID of 1 from the node (node #1) first run in a specific participant terminal (participant terminal #1), and stores the received first node information in memory. Next, the control server 200 may receive second node information including an instance ID of 2 from a newly run node (node #2) in the same participant terminal (participant terminal #1). The instance ID is preset to increase by 1, and the control server 200 knows the preset increase/decrease amount (an increase of 1).
  • the control server 200 uses the facts that the first node information includes an instance ID of 1, that the second node information includes an instance ID of 2, and that the instance ID increases by 1 to determine that authentication of the newly run node (node #2) succeeded.
  • if the received instance ID does not follow the preset increase/decrease, the control server 200 may determine that authentication for the corresponding node has failed.
  • for example, suppose a hacker (hacker #1) who has stolen the identification information or host ID of a specific participant terminal (participant terminal #1) transmits third node information including the stolen information to the control server 200. Because the hacker (hacker #1) cannot know the instance ID of that participant terminal (participant terminal #1), the correct instance ID cannot be included in the node information, and the control server 200 can use the third node information to determine that authentication for the hacker has failed. The control server 200 can also store the third node information in memory as a blacklist.
  • the control server 200 may update the group key of the domain in which the node participates (S310). Specifically, if the node information transmitted by the node 1210 includes a specific domain ID, the control server 200 determines that the new node 1210 has joined the domain corresponding to that domain ID and can update the group key. In other words, the group key used in the domain can be updated whenever a new node joins the domain.
  • the group key corresponding to the domain ID may be implemented in such a way that it is periodically updated. Additionally, when the node 1210 participates in a specific domain for the first time, the control server 200 may generate a new group key corresponding to the domain ID.
  • the control server 200 may transmit first policy information to the node 1210 that succeeded in authentication (S315).
  • the first policy information may include gateway interface information that the corresponding node can access. Additionally, the interface information may include the IP and port of the gateway.
  • the control server 200 may transmit second policy information to the gateway 100 (S320).
  • the second policy information may include an updated (or newly created) group key and node information of the node 1210 that successfully authenticated.
  • the node information that the control server 200 transmits to the gateway 100 may include identification information of the participant terminal of the node that successfully authenticated, identification information of the node, and domain ID, and may additionally include the IP of the node that successfully authenticated. It can be included.
  • the control server 200 may transmit third policy information to the node 1210 that has successfully authenticated. Specifically, the control server 200 provides node information of the nodes with the same domain ID and a group key corresponding to the same domain ID to nodes with the same domain ID among a plurality of nodes that want to connect to the gateway and participate in DDS communication. Can be transmitted (S220, S325, S330). For example, if there are 1st to 100th nodes, and the 1st to 30th nodes try to join the first domain with the first domain ID, the control server 200 connects the 2nd to 30th nodes to the first node. The node information of the 29th node and the group key corresponding to the first domain may be transmitted, and the node information of the 1st to 29th nodes and the group key corresponding to the first domain may be transmitted to the 30th node.
  • the node information of other nodes transmitted by the control server 200 may include identification information of the participant terminal of the node that successfully authenticated, node identification information, and the domain ID, and may additionally include the IP of the node that successfully authenticated.
  • the control server 200 may transmit only newly updated information to the gateway 100 or the node. For example, when a new node participates in a specific domain, the control server 200 may transmit the node information of the new node to the nodes having the same domain ID as the new node. Also, as described above, the group key can be updated when a new node joins the domain, and the control server 200 can transmit the updated group key to the nodes with the corresponding domain ID when a new node joins the domain.
  • for example, when the 30th node newly joins the first domain, the control server 200 updates the group key of the first domain, and the node information of the 30th node and the updated group key can be transmitted to the gateway 100 and to the 1st to 29th nodes.
  • the node information of the 1st to 29th nodes and the updated group key must be transmitted to the newly joined 30th node.
  • the plurality of nodes connected to the gateway 100 and participating in communication, and the control server 200, can perform the operations described above.
  • the control server 200 receives node information from a plurality of nodes, performs authentication for each node, transmits information on the interface to which the node can access and a generated (updated) group key to the node that has successfully authenticated, and transmits the node information of the node that successfully authenticated and the generated (updated) group key to the gateway 100.
  • the gateway 100 can store node information and group keys for each domain of a plurality of nodes connected to the gateway 100 and participating in communication, and the stored information can be updated each time a new node participates.
  • node information of other nodes having the same domain ID and group key corresponding to the domain ID may be stored in nodes that have successfully authenticated, and the stored information may be updated whenever a new node participates.
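The join-time distribution described above (first, second and third policy information, with the group key rotated on each new participant and only the delta sent to the gateway and the existing members), as an added Go example that is not part of the patent; the field names, the `ControlServer` type and the gateway interface values are assumed.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// NodeInfo is what a node sends the control server when it joins (field names assumed):
// participant terminal ID, node ID, domain ID and, optionally, its IP.
type NodeInfo struct {
	TerminalID, NodeID string
	DomainID           int
	IP                 string
}

// Policy is one message the control server sends after a successful authentication.
type Policy struct {
	To          string     // "gateway" or the NodeID of the receiving node
	GroupKey    []byte     // group key of the domain after this join
	Nodes       []NodeInfo // node information carried by the message
	GatewayIP   string     // gateway interface information, only sent to the joining node
	GatewayPort int
}

type domainState struct {
	key   []byte
	nodes []NodeInfo
}

// ControlServer keeps the current group key and member list of every domain.
type ControlServer struct {
	gwIP    string
	gwPort  int
	domains map[int]*domainState
}

func NewControlServer(gwIP string, gwPort int) *ControlServer {
	return &ControlServer{gwIP: gwIP, gwPort: gwPort, domains: map[int]*domainState{}}
}

// newGroupKey draws a fresh 256-bit group key; the old key is never re-sent.
func newGroupKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// GroupKey returns the current key of a domain (nil if the domain has no members yet).
func (cs *ControlServer) GroupKey(domainID int) []byte {
	if d := cs.domains[domainID]; d != nil {
		return d.key
	}
	return nil
}

// Join handles a node that passed authentication (S315-S330): the domain key is rotated, the
// joiner gets the interface information, its peers and the new key, and the gateway and every
// existing peer get only the delta, i.e. the joiner's node information and the new key.
func (cs *ControlServer) Join(n NodeInfo) []Policy {
	d := cs.domains[n.DomainID]
	if d == nil {
		d = &domainState{}
		cs.domains[n.DomainID] = d
	}
	d.key = newGroupKey()
	peers := append([]NodeInfo(nil), d.nodes...) // members before this join
	d.nodes = append(d.nodes, n)
	out := []Policy{
		{To: n.NodeID, GroupKey: d.key, Nodes: peers, GatewayIP: cs.gwIP, GatewayPort: cs.gwPort},
		{To: "gateway", GroupKey: d.key, Nodes: []NodeInfo{n}},
	}
	for _, p := range peers {
		out = append(out, Policy{To: p.NodeID, GroupKey: d.key, Nodes: []NodeInfo{n}})
	}
	return out
}

func main() {
	cs := NewControlServer("10.0.0.1", 7400) // constructed gateway interface (IP, port)
	for i := 1; i <= 30; i++ {
		out := cs.Join(NodeInfo{TerminalID: fmt.Sprintf("t%d", i), NodeID: fmt.Sprintf("n%d", i), DomainID: 1})
		if i == 30 {
			fmt.Printf("30th join: %d messages; node n30 receives %d peers\n", len(out), len(out[0].Nodes))
		}
	}
}
```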
  • the gateway 100 can configure a network for nodes having the same domain ID to exchange packets (S230). This will be explained with reference to FIG. 5.
  • Figure 5 is a diagram to explain how a gateway configures a network.
  • the gateway 100 may update the network policy based on the domain ID.
  • the network packet policy may include a policy for at least one of routing and switching and a firewall policy.
  • updating the network policy means configuring the network, based on the node information of the newly joined node, so that only nodes with the same domain ID exchange packets and packet exchange with nodes having different domain IDs is blocked.
  • the gateway 100 can set a network policy using 5 tuples (source IP, source port, destination IP, destination port, protocol) and domain ID.
  • Figure 5a shows the physical configuration of the gateway 100: the gateway 100 may include a plurality of interfaces (111, 112, 113, 114) that can be accessed by a plurality of nodes 510, 520, 530, and 540 that want to participate in DDS communication by connecting to the gateway.
  • the gateway 100 can configure a network for the nodes 510, 520, and 540 participating in the same domain 560 (i.e., nodes with the same domain ID) to exchange packets, as shown in FIG. 5B.
  • the network constructed here is a virtual network, and standard technologies that can create virtual networks such as IPSec VPN, SSL VPN, and Open vSwitch can be used.
  • the gateway 100 can create a tunnel that virtually connects the interfaces (111, 112, and 114) to which the nodes 510, 520, and 540 with the same domain ID connect, based on the interface information transmitted to those nodes.
  • this tunnel supports communication between the interfaces 111, 112, and 114 to which the nodes 510, 520, and 540 with the same domain ID are connected, and blocks communication with the interface 113 to which a node with a different domain ID is connected. That is, since nodes with the same domain ID are connected through virtual tunneling based on the domain ID, efficient DDS communication is possible by placing nodes with the same domain ID on the same network.
  • the gateway 100 receives authentication information generated using a group key from a specific node having the same domain ID, performs authentication using the authentication information, and, if authentication is successful, can transmit a packet received from the specific node to another node with the same domain ID (S240).
  • Authentication performed in S240 may include primary authentication performed when the node first connects to the gateway and secondary authentication performed when the node transmits a packet to another node through the gateway.
  • Figure 6 is a diagram illustrating the primary authentication process performed when a node first connects to a gateway according to the present invention.
  • the node information of the first node 510 and the group key of the domain to which the first node belongs are transmitted to the gateway 100 (S610). Additionally, node information on nodes participating in the same domain as the first node is transmitted to the gateway 100.
  • the first node 510 holds interface information of a gateway to which the first node 510 can connect, node information of other nodes having the same domain ID as the first node 510, and a group key corresponding to that domain ID (S620).
  • the first node 510 may transmit an authentication code to the gateway 100 (S335, S630). Specifically, the first node 510 may generate an authentication code using node information of the first node and a group key (group key of the domain to which the first node belongs) held by the first node. For example, an authentication code can be generated using a host ID, app ID, domain ID, and group key. In this case, the first node 510 can connect to the corresponding interface using the interface information (IP and port) received from the control server 200 and transmit an authentication code to the gateway through the connected interface.
  • the authentication code is a message authentication code (MAC) generated by combining node information of the first node 510 and a group key held by the first node, and may be, for example, HMAC (Hashed MAC).
  • the first node 510 may generate an authentication code by encrypting the node information of the first node 510 with a group key held by the first node.
  • the first node 510 may generate an authentication code by additionally using a time stamp indicating the current time along with node information and group key. Timestamps can be used to prevent replay attacks.
  • the gateway 100 may receive an authentication code from the first node 510.
  • the gateway 100 may receive an authentication code from the first node 510 when the first node 510 connects to the gateway 100.
  • the gateway 100 may perform authentication on the first node 510 using the authentication information (authentication code) received from the first node 510 (S340, S640). Specifically, the gateway 100 can authenticate the authentication code received from the first node 510 using the node information of the first node and the group key corresponding to the domain ID (the domain ID of the domain to which the first node belongs) held by the gateway.
  • the gateway 100 may store node information of nodes having a specific domain ID (the domain ID of the domain to which the first node belongs). The gateway 100 can extract the node information of the first node 510 by decrypting the authentication code received from the first node 510 using the group key (the group key of the domain to which the first node belongs) held by the gateway. Additionally, the gateway 100 may compare the extracted node information with the node information of the first node held by the gateway, and if they match, determine that authentication for the first node 510 was successful.
  • otherwise, the gateway may determine that authentication for the first node 510 failed. If authentication fails, the first node 510 cannot participate in DDS communication.
  • the gateway 100 may transmit the gateway's public key to the first node 510 (S345, S650).
  • the gateway 100 may transmit the public key of the gateway not only to the first node 510 but also to other nodes that succeed in authentication.
  • Figure 7 is a diagram illustrating a secondary authentication process performed when a node transmits a packet to another node according to the present invention.
  • the first node 510 may generate an authentication token using node information of the first node and a group key (group key of the domain to which the first node belongs) held by the first node.
  • an authentication token can be generated using a host ID, app ID, domain ID, and group key.
  • the authentication token is a message authentication code (MAC) generated by combining node information of the first node 510 and a group key held by the first node, and may be, for example, HMAC (Hashed MAC).
  • the first node 510 may generate an authentication token by encrypting the node information of the first node 510 with a group key held by the first node.
  • the first node 510 may generate an authentication token by additionally using a sequence number along with node information and group key. Sequence numbers can be used to prevent replay attacks. However, it is not limited to this, and the authentication token may include at least one of a time stamp and a sequence number.
  • the first node 510 may generate a packet containing data to be transmitted to nodes having the same domain ID. Additionally, the first node 510 may insert the generated authentication token into a packet containing data and transmit it to the gateway 100. That is, the first node 510 may transmit an authentication token along with a packet for DDS communication (S350, S710), and in this case, the authentication token may be inserted into the packet.
  • the gateway 100 may receive an authentication token from the first node 510. Specifically, when the first node 510 transmits a packet to nodes having the same domain ID, the gateway 100 may receive an authentication token along with the packet from the first node.
  • the gateway 100 may perform authentication for the first node 510 using the authentication information (authentication token) received from the first node 510. Specifically, the gateway 100 can authenticate the authentication token received from the first node 510 using the node information of the first node and the group key corresponding to the domain ID (the domain ID of the domain to which the first node belongs) held by the gateway.
  • the gateway 100 can extract the node information of the first node 510 by decrypting the authentication token received from the first node 510 with the group key (the group key of the domain to which the first node belongs) held by the gateway. Additionally, the gateway 100 may compare the extracted node information with the node information of the first node held by the gateway, and if they match, determine that authentication for the first node 510 was successful.
  • otherwise, the gateway 100 may determine that authentication for the packet received with the authentication token has failed. If authentication fails, the gateway 100 may not transmit the packet and may request the control server 200 to update the group key of the domain in which the first node 510 participates.
  • the gateway 100 may generate a double encryption token by encrypting the authentication token with the gateway's private key (S355, S720). Additionally, the gateway 100 may transmit the double encryption token along with the packet transmitted by the first node 510 to other nodes having the same domain ID as the first node 510 (S360, S730). In this case, the gateway 100 may insert a double encryption token into the packet received along with the authentication token and transmit it to another node having the same domain ID as the first node 510.
  • the gateway's public key is distributed to nodes that have successfully authenticated, and accordingly, the gateway's public key is also transmitted to other nodes (1220, 520) that have the domain ID of the domain in which the first node participated.
  • nodes 1220 and 520 may receive packets and double encryption tokens from the gateway 100. Additionally, other nodes 1220 and 520 can authenticate the double encryption token using the public key of the gateway, the group key of the domain to which it belongs, and the node information of the node having the same domain ID as the node (S365, S740).
  • other nodes 1220 and 520 can authenticate the dual encryption token and extract the authentication token by decrypting the dual encryption token using the gateway's public key.
  • the other nodes 1220 and 520 may authenticate the authentication token using the group key corresponding to the domain ID and the node information of the first node. Additionally, if the node information of the first node in the authentication token matches the node information of the first node held by the other nodes (1220, 520), the other nodes (1220, 520) may read or store the data received along with the double encryption token.
  • if decryption using the public key of the gateway held by the other nodes (1220, 520) is impossible, decryption using the group key held by the other nodes (1220, 520) is impossible, the node information transmitted by the first node 510 does not match the node information held by the other nodes (1220, 520), more than a preset time has elapsed from the time stamp included in the authentication token, or an error occurs in the sequence number included in the authentication token, the other nodes 1220 and 520 may determine that authentication for the double encryption token has failed. If authentication fails, the data received with the double encryption token cannot be read or stored, and the other nodes 1220 and 520 may request the control server 200 to update the group key of the domain in which they participate.
  • another node 1220 may also transmit a packet to the first node 1210. That is, the other node 1220 can generate an authentication token using the node information of the other node 1220 and the group key held by the other node 1220, and transmit the authentication token along with a packet for DDS communication (S370).
  • the gateway 100 may receive the authentication token from the other node 1220, authenticate the authentication token, and then generate a double encryption token using its private key (S375). Additionally, the gateway 100 may transmit the generated double encryption token to the first node 1210 having the same domain ID as the other node 1220 (S380). The first node 1210 may receive the packet and the double encryption token from the gateway 100. Also, the first node 1210 can authenticate the double encryption token using the public key of the gateway held by the first node 1210, the group key of the domain to which the first node 1210 belongs, and the node information of the other node 1220 (S385).
  • the gateway 100 generates a double encryption token using its own private key, and the node decrypts the double encryption token using the public key received from the gateway 100, but it is not limited to this.
  • the node may decrypt the double encryption token using the shared key received from the gateway 100.
  • the gateway 100 may distribute the shared key encrypted with its own private key to the nodes while distributing the public key of the gateway 100 to the nodes in advance.
  • nodes can obtain the shared key by decrypting the encrypted shared key using a pre-distributed public key.
  • nodes can decrypt the double-encrypted token using the shared key.
  • Figure 8 is a diagram for explaining a DDS communication device according to another embodiment of the present invention.
  • FIG. 1 to 7 illustrate a DDS communication system including a control server 200 and a gateway 100.
  • the DDS communication system can be implemented as a single device. Therefore, the DDS communication device 800 can perform the operations of the DDS communication system described above.
  • the DDS communication device 800 may include a communication unit 810, a control unit 820, a memory 830, and a gateway 840.
  • the communication unit 810 includes a communication circuit for communicating with an external device, and can connect to the gateway 840 to transmit/receive data with a plurality of nodes that want to participate in DDS communication.
  • the communication unit 810 may receive node information including identification information and a domain ID from a plurality of nodes that want to connect to the gateway and participate in DDS communication. Additionally, the communication unit 810, under the control of the control unit 820, may transmit the node information of the nodes having the same domain ID and the group key corresponding to that domain ID to the nodes having the same domain ID among the plurality of nodes.
  • the communication unit 810 may be called a communicator or a communication interface, and may include one or more communication modules (or communication circuits) to transmit or receive data with devices other than the DDS communication device 800.
  • the control unit 820 can control the overall operation of the DDS communication device 800. Additionally, the control unit 820 creates a policy and distributes it to a plurality of nodes, authenticates the authentication information (authentication code, authentication token) received from the nodes, generates a double encryption token by encrypting the authentication token with the private key of the DDS communication device 800, and sends the generated double encryption token to the node along with the packet.
  • the control unit 820 may be expressed as a controller and may be composed of one or more processors (or microcontrollers, or microprocessors). Additionally, one or more processors (or microcontrollers, or microprocessors) may be coupled with other components of the DDS communication device 800.
  • the memory 830 may store programs or commands for operating the DDS communication device 800. Additionally, the memory 830 may store node information of a plurality of nodes, group keys for each domain, node information for each domain, private key of the gateway 840, etc.
  • the gateway 840 may include a gateway control unit that controls the operation of the gateway 840 and a gateway memory that stores programs or commands for the operation of the gateway 840.
  • the gateway control unit and gateway memory may not be provided separately, in which case the control unit 820 and memory 830 described above may be used as the gateway control unit and gateway memory, respectively.
  • the gateway 840 may further include a plurality of interfaces to which a plurality of nodes can connect. Additionally, the gateway 840 can configure a network for nodes with the same domain ID to exchange packets by creating a tunnel that virtually connects the interfaces to which nodes with the same domain ID are connected. In addition, the gateway 840 receives authentication information generated using a group key from a specific node having the same domain ID, performs authentication using the authentication information, and, if authentication is successful, can transmit the packet received from the specific node to another node with the same domain ID.
  • according to the present invention, DDS communication can be enabled even in an environment in which multicast is not supported and without using the auto-discovery function, and the number of packets can be prevented from increasing exponentially even if the number of participant terminals or nodes increases. Accordingly, it has clear advantages in availability and scalability compared to conventional DDS communication methods, and has the advantage of enabling DDS communication even in open and large-scale network environments such as 5G and LTE.
  • by extending the DDS standard, which causes problems when applied to large-scale communication networks, on the basis of software-defined boundaries, it is possible to provide a terminal-centered open network communication system using DDS communication in large-scale wireless network environments such as 5G and LTE.
  • since the operation of the control server and gateway replaces the existing auto-discovery function, it has the advantage that it is impossible to transmit a manipulated discovery packet, and since there is no act of searching for a participant, it has the advantage of preventing network flooding attacks.
  • a gateway that supports data exchange between nodes with the same domain ID authenticates the authentication information received from the node, thereby verifying whether the node has been hacked, whether packets are being transmitted/received within the same domain ID, and whether a replay attack is taking place, and so has the advantage of supporting DDS communication with integrity.
  • by going through a double encryption process of encrypting the authentication token with the gateway's private key, it is possible to authenticate that the packet has passed through the gateway and that its integrity has been verified by the gateway. Since the double encryption token can simultaneously verify the identity of the packet sender (node) and the packet forwarder (gateway), it has the advantage of effectively preventing attacks by hackers or other intruders.
  • Computer-readable media include all types of recording devices that store data that can be read by a computer system. Examples of computer-readable media include HDD (Hard Disk Drive), SSD (Solid State Disk), SDD (Silicon Disk Drive), ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage devices, etc. Additionally, the computer may include a control unit. Accordingly, the above detailed description should not be construed as restrictive in all respects and should be considered illustrative. The scope of the present invention should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of the present invention are included in the scope of the present invention.


Abstract

A DDS communication method is disclosed. According to the present invention, the DDS communication method comprises the steps in which: node information containing identification information and a domain ID is received from a plurality of nodes intending to participate in DDS communication by accessing a gateway; node information of the nodes having the same domain ID and a group key corresponding to the domain ID are transmitted to the nodes having that domain ID among the plurality of nodes; the gateway configures a network to allow the nodes having the domain ID to exchange packets; and the gateway receives, from a specific node having the domain ID, authentication information generated using the group key, performs authentication using the authentication information and, if the authentication succeeds, transmits a packet received from the specific node to another node having the domain ID.
PCT/KR2023/008241 2022-06-23 2023-06-15 DDS communication method, device and system WO2023249320A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2022-0076755 2022-06-23
KR1020220076755A KR20240000161A (ko) 2022-06-23 2022-06-23 DDS communication method, device and system

Publications (1)

Publication Number Publication Date
WO2023249320A1 true WO2023249320A1 (fr) 2023-12-28

Family

ID=89380187

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2023/008241 WO2023249320A1 (fr) 2022-06-23 2023-06-15 DDS communication method, device and system

Country Status (2)

Country Link
KR (1) KR20240000161A (fr)
WO (1) WO2023249320A1 (fr)

Also Published As

Publication number Publication date
KR20240000161A (ko) 2024-01-02
