WO2024007122A1 - Point-to-point secure communication method for internet of things - Google Patents


Info

Publication number: WO2024007122A1
Authority: WO, WIPO (PCT)
Prior art keywords: point, handshake, receiving terminal, key, identification code
Application number: PCT/CN2022/103689
Other languages: French (fr), Chinese (zh)
Inventor: 嵇旭辉
Original Assignee: 嘉兴倍创网络科技有限公司
Application filed by 嘉兴倍创网络科技有限公司
Priority to PCT/CN2022/103689 (WO2024007122A1)
Priority to CN202280019393.3A (CN116982288A)
Publication of WO2024007122A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials


Abstract

The present invention relates to a point-to-point secure communication method for the Internet of Things. The method is used for communication between a sending terminal and a receiving terminal in an Internet of Things system, and comprises the following steps: S1: encrypting data information to be sent, and generating an encryption key and a key exchange protocol; S2: generating a random key, and encrypting the encryption key and the key exchange protocol by using the random key; S3: signing the unencrypted encryption key by means of a signature private key of a sending terminal to obtain signature data; S4: sending a communication request to a receiving terminal, and establishing a secure information channel by means of a three-way handshake with the receiving terminal; S5: sending the encrypted data information and encryption key as well as the random key and the signature data to the receiving terminal by means of the secure information channel; and S6: the receiving terminal determining the integrity of the received data, and decrypting the data information. Compared with the prior art, the present invention has the advantages of improving information security and the like.

Description

A point-to-point secure communication method for the Internet of Things

Technical field
The invention relates to the field of the Internet of Things and information communication security, and in particular to a point-to-point secure communication method for the Internet of Things.
Background
With the vigorous development of IoT technology, IoT terminals have entered every industry and countless households, and their number has grown exponentially. At the same time, with the rapid development of edge computing, IoT terminal devices have acquired varying degrees of intelligence, and their storage capacity keeps growing. Data security and communication security on IoT terminals have therefore attracted much attention. At present the common wireless communication methods between IoT terminals are Bluetooth, NFC and Wi-Fi. These wireless technologies bring great convenience to daily life, but how to protect the data held by IoT terminal devices and the data exchanged between them has become a major problem. The current approach relies mainly on installing various anti-virus software on the terminal to protect the data stored on it, but this only guarantees that the IoT terminal device is secure within a certain scope. How the data stored on an IoT terminal can be read securely and quickly, or how the terminal can be controlled locally so as to achieve fast local data analysis, local monitoring and debugging, especially in environments with narrow wireless bandwidth, makes point-to-point secure data transmission very important.
Summary of the invention
The purpose of the present invention is to provide a point-to-point secure communication method for the Internet of Things that overcomes the shortcomings of the prior art described above.
The object of the present invention can be achieved through the following technical solution:
A point-to-point secure communication method for the Internet of Things, used for communication between a sending terminal and a receiving terminal in an IoT system, comprising the following steps:
S1: The sending terminal encrypts the data information to be sent and generates an encryption key and a key exchange protocol;
S2: A random key is generated, and the encryption key and the key exchange protocol are encrypted with the random key;
S3: The sending terminal signs the unencrypted encryption key with its own signing private key to obtain signature data;
S4: The sending terminal sends a communication request to the receiving terminal and establishes a secure information channel through a three-way handshake with the receiving terminal;
S5: The sending terminal sends the encrypted data information, the encrypted encryption key, the random key and the signature data to the receiving terminal through the secure information channel;
S6: The receiving terminal confirms the integrity of the received data; if the check passes, it decrypts the data information to obtain the unencrypted data information.
Further, the encryption process specifically includes: obtaining the data content, security level and storage location of the data information to be sent within the sending terminal, packaging them into an initial data value, and encrypting the initial data value with the encryption key.
Further, the three-way handshake specifically includes:
The first handshake includes the following steps: first, the sending terminal sends a communication request carrying its own unique device identification code, which starts the first handshake; then, on receiving the request, the receiving terminal returns its own unique device identification code; when the sending terminal receives the receiving terminal's unique device identification code, the first handshake is complete;
The second handshake includes the following steps: first, the sending terminal and the receiving terminal each obtain the other party's identity authentication information based on the other party's unique device identification code that they received; then they send each other the identity authentication information they obtained and parse the identity authentication information they receive, completing the second handshake;
The third handshake includes the following steps: the sending terminal and the receiving terminal each verify the identity authentication information sent by the other party; if the verification does not match, the information transmission is terminated; if it matches, the third handshake is complete and the secure information channel is established.
Furthermore, in the second handshake, obtaining the other party's identity authentication information based on the received unique device identification code specifically includes:
First, the sending terminal and the receiving terminal each send the other party's unique device identification code that they received to the cloud authentication center; the cloud authentication center then performs legality authentication on the received unique device identification code; if the legality authentication passes, the cloud authentication center returns the identity authentication information corresponding to that unique device identification code, otherwise the authentication is terminated.
Furthermore, in the third handshake, the identity authentication information is verified as follows: first, the terminal parses the identity authentication information about itself that the other party sent; then it obtains its own identity authentication information through the cloud authentication center and parses it; finally, it matches the identity authentication information about itself sent by the other party against the content of its own identity authentication information obtained through the cloud authentication center.
Further, the identity authentication information includes a communication level and a secure transmission key, and the matching verification is a verification of the communication level and the secure transmission key.
Furthermore, in the first handshake, when the receiving terminal receives the request, it first verifies that the received unique device identification code is not the same as its own unique device identification code, and only then returns its own unique device identification code.
Furthermore, in the third handshake, when the verification matches, the sending terminal and the receiving terminal once more send each other the communication level and secure transmission key they obtained, finally completing the third handshake and establishing the secure information channel.
Compared with the prior art, the present invention has the following advantages:
1) The present invention solves the problem that secure transmission, analysis and terminal control of real-time data cannot be achieved when the communication rate of IoT terminals is low and their computing power is weak. It realizes point-to-point secure communication between IoT terminals and can be widely applied in all kinds of IoT systems; its application prospects are extremely broad and significant;
2) The present invention uses the generated random key to encrypt the encryption key and the key exchange protocol, signs the unencrypted encryption key with the sending terminal's signing private key, and sends the encrypted data information, the encrypted encryption key, the random key and the signature data to the receiving terminal. This improves the security of the information data, suits both long-distance and short-distance transmission, and gives secure communication of data information the advantages of wide applicability, strong autonomy and easy management;
3) The present invention establishes a secure information channel through a three-way handshake between the sending terminal and the receiving terminal, realizes matching and security authentication for point-to-point communication between them, solves the problem that current point-to-point communication lacks a link verification check on the uniqueness of the requesting party and of the responding terminal, and overcomes the risk that responses to unknown servers in point-to-point communication are stolen.
Description of the drawings
Figure 1 is a schematic flow diagram of the present invention;
Figure 2 is a schematic flow diagram of the three-way handshake between the sending terminal and the receiving terminal.
Detailed description of the embodiments
The present invention is described in detail below with reference to the accompanying drawings and specific embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Figures 1 and 2, the present invention provides a point-to-point secure communication method for the Internet of Things. The method is used for communication between a sending terminal and a receiving terminal in an IoT system and includes the following steps:
S1: The sending terminal encrypts the data information to be sent and generates an encryption key and a key exchange protocol;
S2: A random key is generated, and the encryption key and the key exchange protocol are encrypted with the random key;
S3: The sending terminal signs the unencrypted encryption key with its own signing private key to obtain signature data;
S4: The sending terminal sends a communication request to the receiving terminal and establishes a secure information channel through a three-way handshake with the receiving terminal;
S5: The sending terminal sends the encrypted data information, the encrypted encryption key, the random key and the signature data to the receiving terminal through the secure information channel;
S6: The receiving terminal confirms the integrity of the received data; if the check passes, it decrypts the data information to obtain the unencrypted data information.
Here the encryption process specifically includes: obtaining the data content, security level and storage location of the data information to be sent within the sending terminal, packaging them into an initial data value, and encrypting the initial data value with the encryption key.
The encryption key and key exchange protocol are encrypted with the generated random key, the unencrypted encryption key is signed with the sending terminal's signing private key, and the encrypted data information, the encrypted encryption key, the random key and the signature data are sent to the receiving terminal. This improves the security of the information data, suits both long-distance and short-distance transmission, and gives secure communication of data information the advantages of wide applicability, strong autonomy and easy management. It solves the problem that fast transmission, analysis and terminal control of real-time data cannot be achieved when the communication rate of IoT terminals is low and their computing power is weak, and realizes point-to-point secure communication between IoT terminals.
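As an added illustration of steps S1 to S6 (both the summary above and this embodiment), the following Go program is not the patent's own code. The page names no concrete primitives, so the example assumes AES-256-GCM for encrypting the initial data value and for wrapping the key, Ed25519 for the sending terminal's signing key, and JSON for packaging the initial data value; the "key exchange protocol" generated in S1 is not modelled. The secure information channel of S4 is assumed to already exist, the receiving terminal is assumed to hold the sender's verification key out of band, and the field values in the test are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// InitialData is the S1 "initial data value": content, security level and
// storage location packaged together before encryption.
type InitialData struct {
	Content         []byte
	SecurityLevel   int
	StorageLocation string
}

// Envelope is everything S5 sends over the secure information channel.
type Envelope struct {
	Ciphertext []byte // initial data value encrypted under the data key (S1)
	WrappedKey []byte // data key encrypted under the random key (S2)
	RandomKey  []byte // the random key itself, sent along as in S5
	Signature  []byte // Ed25519 signature over the plaintext data key (S3)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal is AES-256-GCM with a fresh nonce prepended; its tag is what the
// S6 integrity check relies on in this example.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal and fails on any change to nonce, ciphertext or tag.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Send performs S1-S3 on the sending terminal and assembles the S5 envelope.
func Send(signPriv ed25519.PrivateKey, d InitialData) (*Envelope, error) {
	packed, _ := json.Marshal(d) // S1: package into the initial data value (cannot fail for this struct)
	keys := make([]byte, 64)    // S1 encryption key followed by the S2 random key
	if _, err := rand.Read(keys); err != nil {
		return nil, err
	}
	dataKey, randomKey := keys[:32], keys[32:]
	ct, err := gcmSeal(dataKey, packed) // S1: encrypt the initial data value
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(randomKey, dataKey) // S2: wrap the key under the random key
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(signPriv, dataKey) // S3: signature over the *unencrypted* key
	return &Envelope{Ciphertext: ct, WrappedKey: wrapped, RandomKey: randomKey, Signature: sig}, nil
}

// Receive performs S6: unwrap the key, check the signature and both GCM tags, then decrypt.
func Receive(senderPub ed25519.PublicKey, env *Envelope) (*InitialData, error) {
	dataKey, err := gcmOpen(env.RandomKey, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	if !ed25519.Verify(senderPub, dataKey, env.Signature) {
		return nil, fmt.Errorf("signature over the encryption key does not verify")
	}
	packed, err := gcmOpen(dataKey, env.Ciphertext)
	if err != nil {
		return nil, fmt.Errorf("data integrity check failed: %w", err)
	}
	var d InitialData
	err = json.Unmarshal(packed, &d)
	return &d, err
}
```

A round trip is `env, _ := Send(priv, data)` on the sending terminal followed by `Receive(pub, env)` on the receiving terminal. Two properties of the page's design show up directly in the code: the signature covers only the unencrypted key, so the ciphertext is protected by the AEAD tag under that key rather than by the signature; and because the random key travels in the same envelope as the wrapped key, the wrap adds no confidentiality beyond what the S4 channel provides, so the handshake that establishes that channel is what the scheme's confidentiality ultimately rests on.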
As shown in Figure 2, the three-way handshake specifically includes:
The first handshake includes the following steps: first, the sending terminal sends a communication request carrying its own unique device identification code, which starts the first handshake; then the receiving terminal, on receiving the request, returns its own unique device identification code; when the sending terminal receives the receiving terminal's unique device identification code, the first handshake is complete;
The second handshake includes the following steps: first, the sending terminal and the receiving terminal each obtain the other party's identity authentication information on the basis of the other party's unique device identification code they received; then they send each other the identity authentication information they obtained and parse the identity authentication information they received, completing the second handshake;
The third handshake includes the following steps: the sending terminal and the receiving terminal each verify the identity authentication information sent by the other party; if the verification does not match, information transmission is terminated; if it matches, the third handshake is complete and the secure information channel is established. The identity authentication information includes a communication level and a secure transmission key, and the matching verification is a verification of the communication level and the secure transmission key.
In the first handshake, when the receiving terminal receives the request, it first verifies that the received unique device identification code is not the same as its own unique device identification code, and only then returns its own unique device identification code.
In the second handshake, the sending terminal and the receiving terminal obtaining the other party's identity authentication information on the basis of the received unique device identification code specifically includes:
First, the sending terminal and the receiving terminal each send the other party's unique device identification code they received to the cloud authentication center; then the cloud authentication center performs a legality authentication on the received unique device identification code; if the legality authentication passes, the cloud authentication center returns the identity authentication information corresponding to that unique device identification code, otherwise the authentication is terminated.
In the third handshake, verifying the identity authentication information specifically consists of: first parsing the terminal's own identity authentication information as sent by the other party; then obtaining the terminal's own identity authentication information from the cloud authentication center and parsing it; finally, matching the own identity authentication information sent by the other party against the own identity authentication information obtained from the cloud authentication center. When the verification matches, the sending terminal and the receiving terminal again send each other the communication level and secure transmission key they obtained, which finally completes the third handshake and establishes the secure information channel.
The secure information channel established through the three-way handshake between the sending terminal and the receiving terminal realizes matching and security authentication for their point-to-point communication. It addresses the lack, in current point-to-point communication, of a uniqueness link-verification check for both the party that initiates a request and the terminal that answers it, and overcomes the risk of theft that exists when point-to-point communication answers an unfamiliar server.
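The three-way handshake described above, modelled as an added Go example that is not the patent's own code: the cloud authentication center is a constructed in-memory registry, the identity authentication information is reduced to a communication level and a sample secure transmission key string, and the Identity, CloudCenter, ThirdHandshake and Run names are assumptions of this example.

```go
package main

import "errors"

// Identity is the "identity authentication information" held per device:
// communication level and secure transmission key (sample values only).
type Identity struct {
	Level int
	Key   string
}

// CloudCenter is a constructed stand-in for the cloud authentication
// center: legitimate device identification codes and their identity info.
type CloudCenter map[string]Identity

// Certify is the legality check of handshake two; an unregistered code
// terminates the authentication.
func (c CloudCenter) Certify(deviceID string) (Identity, error) {
	id, ok := c[deviceID]
	if !ok {
		return Identity{}, errors.New("cloud: device identification code not legitimate")
	}
	return id, nil
}

// ThirdHandshake compares what the peer claims about this terminal with
// what the cloud center says about it; any difference aborts the channel.
func ThirdHandshake(cloud CloudCenter, ownID string, claimed Identity) error {
	if own, err := cloud.Certify(ownID); err != nil || claimed != own {
		return errors.New("handshake 3: identity information mismatch")
	}
	return nil
}

// Run drives the exchange between an honest sender and receiver that trust
// the same cloud center, returning the level and key each side re-sends to
// the other once verification matched, or the error that terminated it.
func Run(cloud CloudCenter, senderID, receiverID string) (sndInfo, rcvInfo Identity, err error) {
	// Handshake 1: the request carries the sender's code; the receiver
	// returns its own code only after checking the two are not the same.
	if senderID == receiverID {
		return Identity{}, Identity{}, errors.New("handshake 1: duplicate device identification code")
	}
	// Handshake 2: each side asks the cloud about the code it received and
	// sends the answer to the peer as the peer's identity information.
	if rcvInfo, err = cloud.Certify(receiverID); err == nil { // sender -> receiver
		sndInfo, err = cloud.Certify(senderID) // receiver -> sender
	}
	// Handshake 3: each side verifies the peer's claim about itself.
	if err == nil {
		err = ThirdHandshake(cloud, receiverID, rcvInfo)
	}
	if err == nil {
		err = ThirdHandshake(cloud, senderID, sndInfo)
	}
	if err != nil {
		return Identity{}, Identity{}, err
	}
	return sndInfo, rcvInfo, nil
}
```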
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can easily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and all such modifications or substitutions shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (8)

  1. A point-to-point secure communication method for the Internet of Things, characterized in that the method is used for communication between a sending terminal and a receiving terminal in an Internet of Things system and includes the following steps:
    S1: the sending terminal encrypts the data information to be sent and generates an encryption key and a key exchange protocol;
    S2: a random key is generated, and the encryption key and the key exchange protocol are encrypted with the random key;
    S3: the sending terminal signs the unencrypted encryption key with the sending terminal's signing private key to obtain signature data;
    S4: the sending terminal sends a communication request to the receiving terminal and establishes a secure information channel through a three-way handshake with the receiving terminal;
    S5: the sending terminal sends the encrypted data information and encryption key, together with the random key and the signature data, to the receiving terminal through the secure information channel;
    S6: the receiving terminal confirms the integrity of the received data; if the confirmation succeeds, it decrypts the data information to obtain the unencrypted data information.
  2. The point-to-point secure communication method for the Internet of Things according to claim 1, characterized in that the encryption process specifically includes: obtaining the data content, security level and storage location of the data information to be sent within the sending terminal, packaging them into an initial data value, and encrypting the initial data value with the encryption key.
  3. The point-to-point secure communication method for the Internet of Things according to claim 1, characterized in that the three-way handshake specifically includes:
    the first handshake, which includes the following steps: first, the sending terminal sends a communication request carrying its own unique device identification code, which starts the first handshake; then the receiving terminal, on receiving the request, returns its own unique device identification code; when the sending terminal receives the receiving terminal's unique device identification code, the first handshake is complete;
    the second handshake, which includes the following steps: first, the sending terminal and the receiving terminal each obtain the other party's identity authentication information on the basis of the other party's unique device identification code they received; then they send each other the identity authentication information they obtained and parse the identity authentication information they received, completing the second handshake;
    the third handshake, which includes the following steps: the sending terminal and the receiving terminal each verify the identity authentication information sent by the other party; if the verification does not match, information transmission is terminated; if it matches, the third handshake is complete and the secure information channel is established.
  4. The point-to-point secure communication method for the Internet of Things according to claim 3, characterized in that, in the second handshake, the sending terminal and the receiving terminal obtaining the other party's identity authentication information on the basis of the received unique device identification code specifically includes:
    first, the sending terminal and the receiving terminal each send the other party's unique device identification code they received to a cloud authentication center; then the cloud authentication center performs a legality authentication on the received unique device identification code; if the legality authentication passes, the cloud authentication center returns the identity authentication information corresponding to that unique device identification code, otherwise the authentication is terminated.
  5. The point-to-point secure communication method for the Internet of Things according to claim 4, characterized in that, in the third handshake, verifying the identity authentication information specifically consists of: first parsing the terminal's own identity authentication information as sent by the other party; then obtaining the terminal's own identity authentication information from the cloud authentication center and parsing it; finally, matching the own identity authentication information sent by the other party against the own identity authentication information obtained from the cloud authentication center.
  6. The point-to-point secure communication method for the Internet of Things according to claim 5, characterized in that the identity authentication information includes a communication level and a secure transmission key, and the matching verification is a verification of the communication level and the secure transmission key.
  7. The point-to-point secure communication method for the Internet of Things according to claim 3, characterized in that, in the first handshake, when the receiving terminal receives the request, it first verifies that the received unique device identification code is not the same as its own unique device identification code, and only then returns its own unique device identification code.
  8. The point-to-point secure communication method for the Internet of Things according to claim 6, characterized in that, in the third handshake, when the verification matches, the sending terminal and the receiving terminal again send each other the communication level and secure transmission key they obtained, which finally completes the third handshake and establishes the secure information channel.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2022/103689 WO2024007122A1 (en) 2022-07-04 2022-07-04 Point-to-point secure communication method for internet of things
CN202280019393.3A CN116982288A (en) 2022-07-04 2022-07-04 Point-to-point secure communication method for Internet of things


Publications (1)

Publication Number Publication Date
WO2024007122A1 true WO2024007122A1 (en) 2024-01-11

Family

ID=88473533

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/103689 WO2024007122A1 (en) 2022-07-04 2022-07-04 Point-to-point secure communication method for internet of things

Country Status (2)

Country Link
CN (1) CN116982288A (en)
WO (1) WO2024007122A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013062911A1 (en) * 2011-10-27 2013-05-02 Alcatel Lucent Network-assisted peer-to-peer secure communication establishment
CN103401678A (en) * 2013-07-30 2013-11-20 成都卫士通信息产业股份有限公司 Method for ensuring data transmission safety of Internet of things
CN110046906A (en) * 2019-04-18 2019-07-23 郑建建 A kind of the two-way authentication method of commerce and system of MPOS machine and server
CN111669407A (en) * 2020-06-30 2020-09-15 日照职业技术学院 Method for realizing point-to-point secure communication of Internet of things based on cloud security authentication
CN114398602A (en) * 2022-01-11 2022-04-26 国家计算机网络与信息安全管理中心 Internet of things terminal identity authentication method based on edge calculation

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110784491B (en) * 2019-11-13 2022-08-16 深圳前海智安信息科技有限公司 Internet of things safety management system
CN111817846A (en) * 2020-06-17 2020-10-23 浙江睿朗信息科技有限公司 Lightweight key negotiation communication protocol
CN112713995A (en) * 2021-02-08 2021-04-27 成都杰微科技有限公司 Dynamic communication key distribution method and device for terminal of Internet of things


Also Published As

Publication number Publication date
CN116982288A (en) 2023-10-31


Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 202280019393.3

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22949713

Country of ref document: EP

Kind code of ref document: A1