CN109150914A - Internet of Things security architecture and its gateway reorientation method, data packet handshake method - Google Patents
- Publication number: CN109150914A (application CN201811236518.XA)
- Authority: CN (China)
- Prior art keywords: gateway, resource, edge computing, equipment, constrained devices
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
Landscapes
- Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Theoretical Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to an Internet of Things security architecture comprising an internal network and an external network. The internal network comprises resource-constrained devices, edge computing devices and a gateway; the internal network is connected to the external network through the gateway; the resource-constrained devices are connected to the gateway; and the edge computing devices are connected to the resource-constrained devices and to the gateway respectively. The external network comprises a plurality of remote devices, the remote devices including cloud servers, vendor servers and user terminals. Compared with the prior art, in the present invention the edge computing device completes the handshake with the remote device and establishes the secure communication, then passes the security parameters to the proxied device under the key it negotiated in advance with the proxied resource-constrained device. The security parameters are thus transferred securely, the confidentiality, integrity and availability of the data are protected, and common attack means such as replay attacks and DoS attacks are resisted.
Description
Technical field
The present invention relates to the field of Internet of Things security technology, and more particularly to an Internet of Things security architecture and its gateway redirection method and data packet handshake method.
Background technique
In traditional network security technology, ensuring end-to-end communication security is an important and basic part: only when end-to-end communication is secure can the data transmitted between devices and users avoid being illegally obtained by a third party, so that the privacy and security of the data are ensured as far as possible. The Internet currently has many mechanisms and protocols that secure end-to-end communication, such as IPsec, PGP and SSL/TLS, but these security mechanisms only guarantee the security of the Internet and cannot be used directly in the Internet of Things.
Current Internet of Things security architectures are mainly of two kinds, cloud-based and gateway-based, but neither framework meets the security requirements of the Internet of Things well. A cloud-based security architecture ensures the transmission security of the resource-constrained devices' data, but it restricts the communication between resource-constrained devices and remote devices, which does not match the openness, scalability and scale of the Internet of Things and does not fit its development trend. A gateway-based security architecture delegates most of the computation to the gateway; as the network grows, the gateway becomes the bottleneck of the system, and in addition the gateway-based security scheme makes the gateway a high-value attack target, so that an attack on the gateway may paralyse the whole network.
Therefore, a more complete security architecture is still needed for the security problems of the Internet of Things.
Summary of the invention
It is an object of the present invention to overcome the above-mentioned drawbacks of the prior art and to provide an Internet of Things security architecture and its gateway redirection method and data packet handshake method.
The object of the present invention can be achieved through the following technical solutions:
An Internet of Things security architecture comprising an internal network and an external network. The internal network comprises resource-constrained devices, edge computing devices and a gateway; the internal network is connected to the external network through the gateway; the resource-constrained devices are connected to the gateway; and the edge computing devices are connected to the resource-constrained devices and to the gateway respectively. The external network comprises a plurality of remote devices, the remote devices including cloud servers, vendor servers and user terminals.
Preferably, there are a plurality of resource-constrained devices, and a plurality of edge computing devices whose number is smaller than the number of resource-constrained devices, each edge computing device being responsible for a portion of the resource-constrained devices.
Preferably, the addressing of the resource-constrained devices uses IPv6; the transport-layer protocol of the internal network is UDP, and the application-layer protocol is CoAP.
Preferably, the gateway is equipped with a firewall.
A gateway redirection method of the above Internet of Things security architecture comprises the following steps:
S1: a resource-constrained device sends a proxy request to an edge computing device, and sends its own cipher suite and key data to the edge computing device;
S2: after receiving the proxy request of the resource-constrained device, the edge computing device sends the proxy relationship to the gateway;
S3: the gateway maintains a mapping table between resource-constrained devices and edge computing devices, recording the proxy relationship between each edge computing device and its resource-constrained devices;
S4: after the gateway receives a data packet from the external network, it judges whether the data packet is application data; if so, step S5 is executed, otherwise step S6 is executed;
S5: the gateway forwards the data packet directly to the resource-constrained device, and the process ends;
S6: the gateway redirects the data packet to the edge computing device corresponding to the packet content, and the process ends.
Preferably, the judgement in step S4 of whether the data packet is application data is made as follows: the gateway reads the CONTENT_FIELD value in the DTLS record-layer header and decides from that value whether the packet is application data.
A data packet handshake method of the above Internet of Things security architecture comprises the following steps:
A1: a remote device in the external network initiates communication with a resource-constrained device by sending a client hello message;
A2: after receiving the client hello message, the gateway performs redirection: the client hello message and all related subsequent handshake messages are redirected to the edge computing device responsible for that resource-constrained device, and the true destination address of the message is attached to the message;
A3: the edge computing device replies to the remote device with a verify request message containing a cookie generated by the edge computing device;
A4: after the gateway receives the client hello message sent back by the remote device, it judges whether the message contains a cookie identical to the one generated by the edge computing device; if so, step A6 is executed, otherwise step A5 is executed;
A5: verification fails, the handshake procedure is terminated, and the process ends;
A6: verification succeeds, and the edge computing device sends a message to the resource-constrained device containing the client random number used to compute the communication key between the remote device and the resource-constrained device;
A7: the resource-constrained device replies to the edge computing device with a server hello message containing a session ID and a server random number, and the edge computing device sends a message containing its certificate and the server random number to the remote device;
A8: after verifying the authenticity of the certificate sent by the edge computing device, the remote device replies with a message containing its own certificate to prove its identity; the session between the two parties is then established on the basis of the key computed from the client random number and the server random number, and the process ends.
Compared with the prior art, the invention has the following advantages:
1. For security, the edge computing device completes the handshake with the remote device and establishes the secure communication, and then passes the security parameters to the proxied device under the key it negotiated in advance with the proxied resource-constrained device; the security parameters can thus be transferred securely, the confidentiality, integrity and availability of the data are protected, and common attack means such as replay attacks and DoS attacks are resisted.
2. This architecture uses the edge computing devices to perform the handshake, which prevents the gateway from becoming the network bottleneck when the network scale grows and reduces the resource consumption of the handshake phase and of the public-key computation; this makes it possible to use the public-key and certificate-based DTLS protocol for authentication in this architecture. Furthermore, several edge computing devices can be deployed in one internal network, so that even if one edge computing device is attacked only part of the network nodes are affected and the whole network is not paralysed.
3. This architecture fully supports standard protocols and is fully compatible with existing Internet mechanisms, which favours its adoption and promotes interconnection and data fusion between devices of different vendors.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of the security architecture of the present invention;
Fig. 2 is the flow chart of the gateway redirection of the present invention;
Fig. 3 is the diagram of the datagram transport layer handshake procedure of the present invention.
Specific embodiment
The present invention is described in detail below with a specific embodiment and with reference to the accompanying drawings. The present embodiment is implemented on the premise of the technical solution of the present invention, and a detailed implementation method and specific operating process are given, but the scope of protection of the present invention is not limited to the following embodiment.
Embodiment
As shown in Fig. 1, the application proposes an Internet of Things security architecture comprising an internal network and an external network. The internal network comprises resource-constrained devices, edge computing devices, a gateway and generic network devices, and is connected to the external network through the gateway.
The resource-constrained devices are connected to the gateway. Resource-constrained devices are Internet of Things terminal devices that have no, or only weak, storage and processing capability. They monitor information in the network through sensing technology and supply it to the users who need it, while the device itself may also be a user that obtains data from other devices or from the cloud. Resource-constrained devices and the gateway device are connected by a wired or wireless communication protocol. The addressing of the resource-constrained devices uses IPv6. The transport-layer protocol of the internal network is UDP, and the application-layer protocol is CoAP.
The edge computing devices sit inside the network and are connected to the resource-constrained devices and to the gateway respectively; at the edge of the Internet they provide services such as computing, storage, edge intelligence and data collaboration. Edge computing devices can be provisioned flexibly according to the scale of the network: if there are many devices in the resource-constrained network, a powerful edge computing device is deployed, or several edge computing devices are deployed with each responsible for a portion of the resource-constrained devices; if there are few resource-constrained devices in the network, the gateway itself serves as the edge computing device.
The gateway is the bridge between the local network and the Internet, and it supports a variety of communication protocols. Although some resource-constrained devices use the TCP/IP protocol stack and need no assistance from the gateway when sending data to the Internet, in special cases, for example data sent from the cloud to a resource-constrained device, the gateway may need to assist with 6LoWPAN fragmentation; this operation takes place between the link layer and the network layer and does not affect the security of the communication. To protect the local network, security measures such as a firewall are deployed on the gateway to filter illegal communication. The gateway maintains a mapping table between resource-constrained devices and edge computing devices, records the proxy relationship between edge computing devices and resource-constrained nodes, and performs the redirection operation on data packets.
The external network includes cloud servers, vendor servers, general user terminals, networked devices and so on. Although the edge computing devices have stronger storage and computing capability, over time the internal network generates and accumulates a large amount of data, and such data is better sent to a cloud service centre for storage and deep mining.
A gateway redirection method of the above Internet of Things security architecture, as shown in Fig. 2, comprises the following steps:
S1: a resource-constrained device sends a proxy request to an edge computing device, and sends data such as its own cipher suite and keys to the edge computing device;
S2: after receiving the proxy request of the resource-constrained device, the edge computing device sends the proxy relationship to the gateway;
S3: the gateway maintains a mapping table between resource-constrained devices and edge computing devices, recording the proxy relationship between each edge computing device and its resource-constrained devices;
S4: after the gateway receives a data packet from the external network, it reads the CONTENT_FIELD value in the DTLS record-layer header and judges from that value whether the packet is application data; if so, step S5 is executed, otherwise step S6 is executed. In the present embodiment, CONTENT_FIELD=32 indicates that the data packet is application data;
S5: the gateway forwards the data packet directly to the resource-constrained device, and the process ends;
S6: the gateway redirects the data packet to the edge computing device corresponding to the packet content, and the process ends.
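Steps S3 to S6 above (and the same steps in the summary of the invention), as an added example that is not part of the patent: a minimal gateway that parses the 13-byte DTLS record header, looks up the edge device proxying the destination, and either forwards application data or redirects every other record with the true destination address prefixed (step A2). The mapping table keyed by IPv6 address, the 16-byte address envelope, the drop cases and the constants are assumptions; RFC 6347 defines the application_data content type as 23 while this embodiment writes 32, so the value is a constructor parameter.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# DTLS record header (RFC 6347 section 4.1): type(1) version(2) epoch(2) seq(6) length(2)
RECORD_HDR = struct.Struct("!BHH6sH")  # 13 bytes
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23   # RFC value; the patent embodiment writes CONTENT_FIELD=32
DTLS12 = 0xFEFD


@dataclass(frozen=True)
class DtlsRecord:
    content_type: int
    version: int
    epoch: int
    sequence: int
    body: bytes


def parse_dtls_record(datagram: bytes) -> DtlsRecord:
    """Parse the first DTLS record of a datagram, rejecting truncated input."""
    if len(datagram) < RECORD_HDR.size:
        raise ValueError("datagram shorter than a DTLS record header")
    ctype, version, epoch, seq6, length = RECORD_HDR.unpack_from(datagram)
    body = datagram[RECORD_HDR.size:RECORD_HDR.size + length]
    if len(body) != length:
        raise ValueError("record length field exceeds the datagram")
    return DtlsRecord(ctype, version, epoch, int.from_bytes(seq6, "big"), body)


def build_record(content_type: int, body: bytes, epoch: int = 0, seq: int = 0) -> bytes:
    """Constructed sample input: one DTLS 1.2 record wrapping `body`."""
    return RECORD_HDR.pack(content_type, DTLS12, epoch, seq.to_bytes(6, "big"), len(body)) + body


def unwrap_redirect(payload: bytes) -> Tuple[str, bytes]:
    """Edge-device side of S6/A2: strip the 16-byte true-destination prefix (assumed envelope)."""
    if len(payload) < 16:
        raise ValueError("redirect payload too short")
    return socket.inet_ntop(socket.AF_INET6, payload[:16]), payload[16:]


class Gateway:
    """Holds the S3 mapping table and takes the S4 to S6 decision per datagram."""

    def __init__(self, app_data_type: int = CT_APPLICATION_DATA) -> None:
        self.app_data_type = app_data_type
        self.proxy_table: Dict[str, str] = {}   # constrained IPv6 -> edge IPv6

    def register_proxy(self, constrained: str, edge: str) -> None:
        """S2/S3: an edge device reports that it proxies `constrained`."""
        self.proxy_table[constrained] = edge

    def route(self, dst: str, datagram: bytes) -> Tuple[str, Optional[str], bytes]:
        """Return (action, next_hop, payload) for one inbound datagram.

        action is 'forward' (S5), 'redirect' (S6) or 'drop' for the failure
        cases the patent steps leave implicit: an unknown destination or a
        malformed record, which the firewall on the gateway should discard.
        """
        try:
            rec = parse_dtls_record(datagram)
        except ValueError:
            return ("drop", None, b"")
        edge = self.proxy_table.get(dst)
        if edge is None:
            return ("drop", None, b"")
        if rec.content_type == self.app_data_type:
            # S5: application data is already protected by the session keys the
            # edge device handed to the constrained device; pass it straight through.
            return ("forward", dst, datagram)
        # S6 / A2: handshake, alert and change_cipher_spec records go to the
        # responsible edge device, prefixed with the true destination address.
        prefix = socket.inet_pton(socket.AF_INET6, dst)
        return ("redirect", edge, prefix + datagram)
```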
A data packet handshake method of the above Internet of Things security architecture, as shown in Fig. 3, comprises the following steps:
A1: a remote device in the external network initiates communication with a resource-constrained device by sending a client hello (ClientHello) message;
A2: after receiving the client hello message, the gateway performs redirection: the client hello message and all related subsequent handshake messages are redirected to the edge computing device responsible for that resource-constrained device, and the true destination address of the message is attached to the message;
A3: the edge computing device replies to the remote device with a verify request (VerifyRequest) message containing a cookie generated by the edge computing device;
A4: after the gateway receives the client hello message sent back by the remote device, it judges whether the message contains a cookie identical to the one generated by the edge computing device; if so, step A6 is executed, otherwise step A5 is executed;
A5: verification fails, the handshake procedure is terminated, and the process ends;
A6: verification succeeds, and the edge computing device sends a message to the resource-constrained device containing the client random number used to compute the communication key between the remote device and the resource-constrained device;
A7: the resource-constrained device replies to the edge computing device with a server hello (ServerHello) message containing a session ID and a server random number, and the edge computing device sends a message containing its certificate and the server random number to the remote device;
A8: after verifying the authenticity of the certificate sent by the edge computing device, the remote device replies with a message containing its own certificate to prove its identity; the session between the two parties is then established on the basis of the key computed from the client random number and the server random number, and the process ends.
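Steps A3 to A5 above (and the same steps in the summary of the invention), as an added example that is not part of the patent: a stateless verify-request cookie computed as an HMAC over the remote device's address and its ClientHello random, plus a minimal DTLS ClientHello parser used to check the cookie the remote device sends back, so that a spoofed-source or replayed hello is rejected before any public-key work is done. The HMAC construction, the secret shared between the edge device and the gateway, the message-building helper and all sample values are assumptions; the patent only states that the cookie is generated by the edge device and compared by the gateway.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# DTLS handshake header (RFC 6347 section 4.2.2): msg_type(1) length(3)
# message_seq(2) fragment_offset(3) fragment_length(3)
HS_HDR = struct.Struct("!B3sH3s3s")  # 12 bytes
HS_CLIENT_HELLO = 1
DTLS12 = b"\xfe\xfd"


def make_cookie(secret: bytes, client_addr: str, client_random: bytes) -> bytes:
    """A3: stateless cookie bound to the peer address and its hello random (assumed construction)."""
    mac = hmac.new(secret, client_addr.encode("ascii") + client_random, hashlib.sha256)
    return mac.digest()


def _vec(body: bytes, off: int, nlen: int) -> Tuple[bytes, int]:
    """Read a length-prefixed vector with bounds checks; return (value, new offset)."""
    if off + nlen > len(body):
        raise ValueError("truncated vector length")
    n = int.from_bytes(body[off:off + nlen], "big")
    off += nlen
    if off + n > len(body):
        raise ValueError("truncated vector")
    return body[off:off + n], off + n


def parse_client_hello(msg: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (client_random, session_id, cookie) from an unfragmented DTLS ClientHello."""
    if len(msg) < HS_HDR.size:
        raise ValueError("truncated handshake header")
    msg_type, length3, _seq, frag_off3, frag_len3 = HS_HDR.unpack_from(msg)
    if msg_type != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    if frag_off3 != b"\x00\x00\x00" or frag_len3 != length3:
        raise ValueError("fragmented ClientHello not supported here")
    length = int.from_bytes(length3, "big")
    body = msg[HS_HDR.size:HS_HDR.size + length]
    if len(body) != length or length < 34:
        raise ValueError("truncated ClientHello body")
    client_random = body[2:34]              # skip client_version(2)
    session_id, off = _vec(body, 34, 1)
    cookie, _ = _vec(body, off, 1)
    return client_random, session_id, cookie


def build_client_hello(client_random: bytes, cookie: bytes = b"",
                       session_id: bytes = b"", message_seq: int = 0) -> bytes:
    """Constructed sample input: a DTLS 1.2 ClientHello offering one cipher suite."""
    body = (DTLS12 + client_random
            + bytes([len(session_id)]) + session_id
            + bytes([len(cookie)]) + cookie
            + b"\x00\x02\xc0\x2b"     # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00")            # compression_methods: null
    n3 = len(body).to_bytes(3, "big")
    return HS_HDR.pack(HS_CLIENT_HELLO, n3, message_seq, b"\x00\x00\x00", n3) + body


def handle_client_hello(secret: bytes, client_addr: str,
                        msg: bytes) -> Tuple[str, Optional[bytes]]:
    """A3 to A5 on one inbound ClientHello.

    ('verify_request', cookie): no cookie yet, answer with the verify request
    and keep no state (A3); ('proceed', None): cookie matches, go on to A6;
    ('reject', None): malformed, wrong-address or tampered hello (A5).
    """
    try:
        client_random, _sid, cookie = parse_client_hello(msg)
    except ValueError:
        return ("reject", None)
    expected = make_cookie(secret, client_addr, client_random)
    if not cookie:
        return ("verify_request", expected)
    if hmac.compare_digest(cookie, expected):   # constant-time comparison
        return ("proceed", None)
    return ("reject", None)
```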
Claims (7)
1. An Internet of Things security architecture comprising an internal network and an external network, characterized in that the internal network comprises resource-constrained devices, edge computing devices and a gateway; the internal network is connected to the external network through the gateway; the resource-constrained devices are connected to the gateway; the edge computing devices are connected to the resource-constrained devices and to the gateway respectively; and the external network comprises a plurality of remote devices, the remote devices including cloud servers, vendor servers and user terminals.
2. The Internet of Things security architecture according to claim 1, characterized in that there are a plurality of resource-constrained devices and a plurality of edge computing devices whose number is smaller than the number of resource-constrained devices, each edge computing device being responsible for a portion of the resource-constrained devices.
3. The Internet of Things security architecture according to claim 1, characterized in that the addressing of the resource-constrained devices uses IPv6; the transport-layer protocol of the internal network is UDP, and the application-layer protocol is CoAP.
4. The Internet of Things security architecture according to claim 1, characterized in that the gateway is equipped with a firewall.
5. A gateway redirection method of the Internet of Things security architecture according to any one of claims 1 to 4, characterized in that it comprises the following steps:
S1: a resource-constrained device sends a proxy request to an edge computing device, and sends its own cipher suite and key data to the edge computing device;
S2: after receiving the proxy request of the resource-constrained device, the edge computing device sends the proxy relationship to the gateway;
S3: the gateway maintains a mapping table between resource-constrained devices and edge computing devices, recording the proxy relationship between each edge computing device and its resource-constrained devices;
S4: after the gateway receives a data packet from the external network, it judges whether the data packet is application data; if so, step S5 is executed, otherwise step S6 is executed;
S5: the gateway forwards the data packet directly to the resource-constrained device, and the process ends;
S6: the gateway redirects the data packet to the edge computing device corresponding to the packet content, and the process ends.
6. The gateway redirection method of the Internet of Things security architecture according to claim 5, characterized in that the judgement in step S4 of whether the data packet is application data is made as follows: the gateway reads the CONTENT_FIELD value in the DTLS record-layer header and decides from that value whether the packet is application data.
7. A data packet handshake method of the Internet of Things security architecture according to any one of claims 1 to 4, characterized in that it comprises the following steps:
A1: a remote device in the external network initiates communication with a resource-constrained device by sending a client hello message;
A2: after receiving the client hello message, the gateway performs redirection: the client hello message and all related subsequent handshake messages are redirected to the edge computing device responsible for that resource-constrained device, and the true destination address of the message is attached to the message;
A3: the edge computing device replies to the remote device with a verify request message containing a cookie generated by the edge computing device;
A4: after the gateway receives the client hello message sent back by the remote device, it judges whether the message contains a cookie identical to the one generated by the edge computing device; if so, step A6 is executed, otherwise step A5 is executed;
A5: verification fails, the handshake procedure is terminated, and the process ends;
A6: verification succeeds, and the edge computing device sends a message to the resource-constrained device containing the client random number used to compute the communication key between the remote device and the resource-constrained device;
A7: the resource-constrained device replies to the edge computing device with a server hello message containing a session ID and a server random number, and the edge computing device sends a message containing its certificate and the server random number to the remote device;
A8: after verifying the authenticity of the certificate sent by the edge computing device, the remote device replies with a message containing its own certificate to prove its identity; the session between the two parties is then established on the basis of the key computed from the client random number and the server random number, and the process ends.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811236518.XA CN109150914A (en) | 2018-10-23 | 2018-10-23 | Internet of Things security architecture and its gateway reorientation method, data packet handshake method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109150914A true CN109150914A (en) | 2019-01-04 |
Family
ID=64809038
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811236518.XA Pending CN109150914A (en) | 2018-10-23 | 2018-10-23 | Internet of Things security architecture and its gateway reorientation method, data packet handshake method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109150914A (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160261563A1 (en) * | 2013-01-30 | 2016-09-08 | Palo Alto Networks, Inc. | Credentials management in large scale virtual private network deployment |
CN106688218A (en) * | 2014-04-15 | 2017-05-17 | 飞利浦灯具控股公司 | Method and apparatus for controlling handshake in a packet transmission network |
CN106790121A (en) * | 2016-12-27 | 2017-05-31 | 逯帅 | Power system service network |
Non-Patent Citations (1)
Title |
---|
Ma Guojun et al.: "An End-to-End Security Scheme for the Internet of Things" (一种物联网端到端安全方案), Technology Research (技术研究) * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020143013A1 (en) * | 2019-01-11 | 2020-07-16 | Oppo广东移动通信有限公司 | Method and apparatus for processing query request, computer device and storage medium |
CN112637114A (en) * | 2019-09-24 | 2021-04-09 | 西门子股份公司 | Method and device for monitoring data exchange of industrial edge equipment |
CN112637114B (en) * | 2019-09-24 | 2023-04-11 | 西门子股份公司 | Method and device for monitoring data exchange of industrial edge equipment |
US11652796B2 (en) | 2019-09-24 | 2023-05-16 | Siemens Aktiengesellschaft | Method and arrangement for control data exchange of an industrial edge device |
CN110719292A (en) * | 2019-10-17 | 2020-01-21 | 中国联合网络通信集团有限公司 | Connection authentication method and system for edge computing equipment and central cloud platform |
CN110719292B (en) * | 2019-10-17 | 2021-11-19 | 中国联合网络通信集团有限公司 | Connection authentication method and system for edge computing equipment and central cloud platform |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20190104