CN109150914A - Internet of Things security architecture and its gateway redirection method and packet handshake method


Info

Publication number: CN109150914A
Authority: CN (China)
Prior art keywords: gateway, resource, edge computing, equipment, constrained devices
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN201811236518.XA
Other languages: Chinese (zh)
Inventors: 石保亚, 蒋秋明
Current assignee: Shanghai Siic-Longchuang Smarter Energy Technology Co Ltd
Original assignee: Shanghai Siic-Longchuang Smarter Energy Technology Co Ltd
Application filed by: Shanghai Siic-Longchuang Smarter Energy Technology Co Ltd
Priority date: 2018-10-23
Filing date: 2018-10-23
Publication date: 2019-01-04

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to an Internet of Things security architecture comprising an internal network and an external network. The internal network comprises resource-constrained devices, edge computing devices and a gateway; the internal network is connected to the external network through the gateway, the resource-constrained devices are connected to the gateway, and the edge computing devices are connected to the resource-constrained devices and to the gateway respectively. The external network comprises multiple remote devices, including cloud servers, vendor servers and user terminals. Compared with the prior art, in the present invention the edge computing device completes the handshake with the remote device to establish secure communication and then passes the security parameters to the proxied resource-constrained device under a key negotiated in advance with that device, so that the security parameters are transferred safely, the confidentiality, integrity and availability of the data are protected, and common attacks such as replay attacks and DoS attacks are resisted.

Description

Internet of Things security architecture and its gateway redirection method and packet handshake method
Technical field
The present invention relates to the field of Internet of Things security technology, and more particularly to an Internet of Things security architecture and its gateway redirection method and packet handshake method.
Background technique
In traditional network security technology, ensuring end-to-end communication security is an important and fundamental part: only when end-to-end communication is secured can the data transmitted between devices and users avoid being illegally obtained by third parties, so that the privacy and security of the data are protected as far as possible. The Internet today has numerous mechanisms and protocols that secure end-to-end communication, such as IPsec, PGP and SSL/TLS, but these mechanisms only guarantee the security of the Internet and cannot be used directly in the Internet of Things.
Current Internet of Things security architectures are mainly of two kinds, cloud-based and gateway-based, but neither meets the security requirements of the Internet of Things well. A cloud-based security architecture secures the data transmission of resource-constrained devices, but it restricts communication between resource-constrained devices and remote devices; this does not fit the openness, scalability and scale of the Internet of Things and does not satisfy its development trend. A gateway-based security architecture delegates most of the computation to the gateway, so as the network grows the gateway becomes the bottleneck of the system; in addition, a gateway-based scheme makes the gateway a high-value attack target, and an attack on the gateway may paralyse the whole network.
Therefore, a more complete security architecture is still needed for the security problems of the Internet of Things.
Summary of the invention
The object of the present invention is to overcome the above drawbacks of the prior art and provide an Internet of Things security architecture and its gateway redirection method and packet handshake method.
The object of the present invention can be achieved through the following technical solutions:
An Internet of Things security architecture comprising an internal network and an external network. The internal network comprises resource-constrained devices, edge computing devices and a gateway; the internal network is connected to the external network through the gateway, the resource-constrained devices are connected to the gateway, and the edge computing devices are connected to the resource-constrained devices and to the gateway respectively. The external network comprises multiple remote devices, the remote devices including cloud servers, vendor servers and user terminals.
Preferably, there are multiple resource-constrained devices and multiple edge computing devices, the number of edge computing devices being smaller than the number of resource-constrained devices, and each edge computing device is responsible for a subset of the resource-constrained devices.
Preferably, the resource-constrained devices are addressed using IPv6; the transport layer protocol of the internal network is UDP and the application layer protocol is CoAP.
Preferably, the gateway is equipped with a firewall.
A gateway redirection method for the above Internet of Things security architecture comprises the following steps:
S1, the resource-constrained device sends a proxy request to the edge computing device and sends its own cipher suite and key data to the edge computing device;
S2, after receiving the proxy request of the resource-constrained device, the edge computing device sends the proxy relationship to the gateway;
S3, the gateway maintains a mapping table of resource-constrained devices and edge computing devices, recording the proxy relationship between the edge computing device and the resource-constrained device;
S4, after the gateway receives a packet from the external network, it judges whether the packet is application data; if so, step S5 is executed, otherwise step S6 is executed;
S5, the gateway forwards the packet directly to the resource-constrained device, and the process ends;
S6, the gateway redirects the packet to the edge computing device corresponding to the packet's content, and the process ends.
Preferably, the process of judging in step S4 whether the packet is application data is as follows: the gateway reads the CONTENT_FIELD value in the DTLS record-layer header and judges from the CONTENT_FIELD value whether the packet is application data.
A packet handshake method for the above Internet of Things security architecture comprises the following steps:
A1, a remote device in the external network initiates communication with a resource-constrained device by sending a client hello message;
A2, after receiving the client hello message, the gateway performs redirection, redirecting the client hello message and all related subsequent handshake messages to the edge computing device responsible for that resource-constrained device, and at the same time attaches the true destination address of the message to the message;
A3, the edge computing device replies to the remote device with a verify request message containing a cookie generated by the edge computing device;
A4, after the gateway receives the client hello message sent in reply by the remote device, it judges whether that message contains a cookie identical to the one generated by the edge computing device; if so, step A6 is executed, otherwise step A5 is executed;
A5, verification fails, the handshake procedure is terminated, and the process ends;
A6, verification succeeds; the edge computing device sends a message to the resource-constrained device containing the client random number used to compute the communication key between the remote device and the resource-constrained device;
A7, the resource-constrained device replies with a server hello message to the edge computing device containing a session ID and the server random number; the edge computing device sends a message containing the certificate and the server random number to the remote device;
A8, after the remote device verifies the authenticity of the certificate sent by the edge computing device, it replies with a message containing its own certificate to prove its identity; the session between the two sides is then established on the key computed from the client random number and the server random number, and the process ends.
Compared with the prior art, the invention has the following advantages:
1. In terms of security, the edge computing device completes the handshake with the remote device to establish secure communication and then passes the security parameters to the proxied device under the key negotiated in advance with the proxied resource-constrained device, so that the security parameters are transferred safely, the confidentiality, integrity and availability of the data are protected, and common attacks such as replay attacks and DoS attacks are resisted.
2. This architecture uses the edge computing device to perform the handshake, which prevents the gateway from becoming a network bottleneck as the network grows and reduces the resource consumption of the handshake phase and of public-key computation; this makes it possible to use the DTLS protocol with public keys and certificates for authentication in this architecture. Furthermore, multiple edge computing devices can be deployed in one internal network, so even if one edge computing device is attacked, only part of the network nodes are affected and the whole network is not paralysed.
3. This architecture fully supports standard protocols and is completely compatible with existing Internet mechanisms, which favours its adoption and promotes interconnection and data fusion between the devices of different vendors.
Detailed description of the invention
Fig. 1 is a schematic diagram of the structure of the security architecture of the present invention;
Fig. 2 is the flow chart of the gateway redirection of the present invention;
Fig. 3 is the handshake procedure diagram of the datagram transport layer of the present invention.
Specific embodiment
The present invention is described in detail below with reference to the accompanying drawings and a specific embodiment. The embodiment is implemented on the premise of the technical solution of the present invention and gives a detailed implementation method and specific operating process, but the scope of protection of the present invention is not limited to the following embodiment.
Embodiment
As shown in Figure 1, the present application proposes an Internet of Things security architecture comprising an internal network and an external network. The internal network comprises resource-constrained devices, edge computing devices, a gateway and general network devices, and is connected to the external network through the gateway.
The resource-constrained devices are connected to the gateway. Resource-constrained devices are Internet of Things terminal devices with no, or only weak, storage and processing capability. The resource-constrained devices in the network monitor information through sensing technology and supply it to the users who need it; at the same time a device may itself be a user, obtaining data from other devices or from the cloud. The resource-constrained devices and the gateway are connected by wired or wireless communication protocols. The resource-constrained devices are addressed using IPv6; the transport layer protocol of the internal network is UDP and the application layer protocol is CoAP.
The edge computing device is inside the network and is connected respectively to the resource-constrained devices and to the gateway; at the edge of the Internet it provides services such as computation, storage, edge intelligence and data collaboration. Edge computing devices can be provisioned flexibly according to the scale of the network: if there are many devices in the resource-constrained network, a powerful edge computing device is provisioned, or multiple edge computing devices are provisioned with each responsible for a part of the resource-constrained devices; if there are few resource-constrained devices in the network, the gateway itself serves as the edge computing device.
The gateway is the bridge between the local network and the Internet and supports a variety of different communication protocols. Although some resource-constrained devices use the TCP/IP protocol stack and do not need the gateway's assistance when sending data to the Internet, in special cases, such as data sent from the cloud to a resource-constrained device, the gateway may need to assist with 6LoWPAN fragmentation; this operation takes place between the link layer and the network layer and does not affect the security of the communication. To protect the local network, security measures such as a firewall are deployed on the gateway and illegal communication is filtered. The gateway maintains a mapping table between resource-constrained devices and edge computing devices, recording the proxy relationship between edge computing devices and resource-constrained nodes, and performs the redirection operation on packets.
The external network includes cloud servers, vendor servers, general user terminals, networked devices and so on. Although edge computing devices have considerable storage and computing capability, over time the internal network generates and accumulates large amounts of data, and these data are better sent to a cloud service centre for storage and deep mining.
A gateway redirection method for the above Internet of Things security architecture, as shown in Figure 2, comprises the following steps:
S1, the resource-constrained device sends a proxy request to the edge computing device and sends data such as its own cipher suite and key to the edge computing device;
S2, after receiving the proxy request of the resource-constrained device, the edge computing device sends the proxy relationship to the gateway;
S3, the gateway maintains a mapping table of resource-constrained devices and edge computing devices, recording the proxy relationship between the edge computing device and the resource-constrained device;
S4, after the gateway receives a packet from the external network, it reads the CONTENT_FIELD value in the DTLS record-layer header and judges from the CONTENT_FIELD value whether the packet is application data; if so, step S5 is executed, otherwise step S6 is executed. In this embodiment, CONTENT_FIELD=32 indicates that the packet is application data;
S5, the gateway forwards the packet directly to the resource-constrained device, and the process ends;
S6, the gateway redirects the packet to the edge computing device corresponding to the packet's content, and the process ends.
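The gateway side of steps S1 to S6, as an added example that is not code from the patent: it keeps the mapping table from step S3, parses the DTLS record-layer header of an incoming packet, forwards application data straight to the constrained device (S5) and redirects everything else to the responsible edge computing device with the true destination attached (S6, and step A2 of the handshake method). One caveat: the embodiment text says CONTENT_FIELD=32 marks application data, whereas RFC 6347 section 4.1 defines the application_data content type as 23, and the model below checks the RFC value. The IPv6 addresses, record bodies and the decision tuple are assumptions of this example; the record-header check (unknown type, wrong version, length mismatch) is the minimum a gateway should do before routing on a header field.

```python
"""Gateway side of the redirection method (steps S1 to S6) as a small model.

Added example, not code from the patent. The mapping table is a dict keyed
by the constrained device's IPv6 address, and a redirect hands the edge
device the packet together with its true destination (step A2 of the
handshake method). Addresses and record bodies below are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

# DTLS record-layer content types (RFC 6347 section 4.1). The patent's
# embodiment says CONTENT_FIELD=32 marks application data; the value the
# RFC defines is 23, which is what this model checks.
CT_CHANGE_CIPHER_SPEC = 20
CT_ALERT = 21
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
KNOWN_CONTENT_TYPES = {CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA}

# DTLS 1.2 record header: type(1) version(2) epoch(2) sequence(6) length(2)
RECORD_HDR = struct.Struct("!BHH6sH")
DTLS_1_2 = 0xFEFD


def make_record(ctype: int, body: bytes, epoch: int = 0, seq: int = 0) -> bytes:
    """Build one DTLS record (constructed test input, plaintext body)."""
    return RECORD_HDR.pack(ctype, DTLS_1_2, epoch, seq.to_bytes(6, "big"), len(body)) + body


@dataclass
class Packet:
    dst: str        # destination IPv6 address of a constrained device (assumption)
    payload: bytes  # one DTLS record


@dataclass
class Gateway:
    # S3: mapping table, constrained device address -> edge device address
    mapping: dict = field(default_factory=dict)

    def register_proxy(self, edge_addr: str, constrained_addr: str) -> None:
        """S2/S3: the edge device reports a proxy relation; the gateway records it."""
        self.mapping[constrained_addr] = edge_addr

    def dispatch(self, pkt: Packet) -> Tuple[str, str, Optional[str]]:
        """S4 to S6: returns (action, next_hop, true_dst).

        action is "forward" (application data straight to the device),
        "redirect" (handshake, alert or CCS records to the edge proxy with the
        true destination attached) or "drop" (malformed record, or no proxy
        registered for a device that is still in its handshake).
        """
        if len(pkt.payload) < RECORD_HDR.size:
            return ("drop", "", None)
        ctype, version, _epoch, _seq, length = RECORD_HDR.unpack_from(pkt.payload)
        # Reject anything that is not a well-formed DTLS record before routing on it.
        if ctype not in KNOWN_CONTENT_TYPES or version != DTLS_1_2:
            return ("drop", "", None)
        if length != len(pkt.payload) - RECORD_HDR.size:
            return ("drop", "", None)
        if ctype == CT_APPLICATION_DATA:
            return ("forward", pkt.dst, None)            # S5
        edge_addr = self.mapping.get(pkt.dst)
        if edge_addr is None:
            return ("drop", "", None)                    # firewall: no proxy known
        return ("redirect", edge_addr, pkt.dst)          # S6


def demo() -> dict:
    """Run the S1 to S6 flow on constructed traffic and return the decisions."""
    gw = Gateway()
    # S1/S2: device fd00::10 asked edge fd00::e1 to proxy it; the edge told the gateway.
    gw.register_proxy("fd00::e1", "fd00::10")
    client_hello = make_record(CT_HANDSHAKE, b"\x01" + b"\x00" * 40)   # handshake type 1
    app_data = make_record(CT_APPLICATION_DATA, b"\x17ciphertext", epoch=1, seq=7)
    truncated = app_data[:5]
    return {
        "handshake": gw.dispatch(Packet("fd00::10", client_hello)),
        "app_data": gw.dispatch(Packet("fd00::10", app_data)),
        "unknown_device": gw.dispatch(Packet("fd00::99", client_hello)),
        "truncated": gw.dispatch(Packet("fd00::10", truncated)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15} -> {decision}")
```

The decision is keyed on the content type only, as the page describes, so a handshake record addressed to a device with no registered proxy is dropped rather than forwarded to a device that cannot afford the public-key work; application data to any destination is forwarded as in S5.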
A packet handshake method for the above Internet of Things security architecture, as shown in Figure 3, comprises the following steps:
A1, a remote device in the external network initiates communication with a resource-constrained device by sending a client hello (ClientHello) message;
A2, after receiving the client hello message, the gateway performs redirection, redirecting the client hello message and all related subsequent handshake messages to the edge computing device responsible for that resource-constrained device, and at the same time attaches the true destination address of the message to the message;
A3, the edge computing device replies to the remote device with a verify request (VerifyRequest) message containing a cookie generated by the edge computing device;
A4, after the gateway receives the client hello message sent in reply by the remote device, it judges whether that message contains a cookie identical to the one generated by the edge computing device; if so, step A6 is executed, otherwise step A5 is executed;
A5, verification fails, the handshake procedure is terminated, and the process ends;
A6, verification succeeds; the edge computing device sends a message to the resource-constrained device containing the client random number used to compute the communication key between the remote device and the resource-constrained device;
A7, the resource-constrained device replies with a server hello (ServerHello) message to the edge computing device containing a session ID and the server random number; the edge computing device sends a message containing the certificate and the server random number to the remote device;
A8, after the remote device verifies the authenticity of the certificate sent by the edge computing device, it replies with a message containing its own certificate to prove its identity; the session between the two sides is then established on the key computed from the client random number and the server random number, and the process ends.
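Steps A1 to A8 simulated with all three parties in one process, as an added example that is not the patent's code. The verify request of step A3 is modelled on the DTLS HelloVerifyRequest: the cookie is an HMAC over the remote address and the ClientHello random (the construction RFC 6347 section 4.2.1 recommends), so the edge computing device stores nothing for a half-open session until a cookie bound to that source comes back, which is where the DoS resistance the page claims comes from. The cookie check in A4 is a constant-time comparison, and the two failure cases a defender wants to see rejected (a cookie that was not issued by the edge, and a valid cookie arriving from a different source address) both end in A5. The key derivation (HMAC-SHA256 over both randoms), the certificate placeholders, the fixed label and the addresses are assumptions of this example; a real DTLS key schedule also mixes in the pre-master secret from the certificate exchange.

```python
"""Handshake steps A1 to A8 as a small simulation of all three parties.

Added example, not the patent's code. The cookie is an HMAC over the remote
address and the ClientHello random (RFC 6347 section 4.2.1), the session key
is HMAC-SHA256 over both randoms under a fixed label (an assumption; real
DTLS also mixes in the pre-master secret), and certificates are placeholders.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def derive_key(client_random: bytes, server_random: bytes) -> bytes:
    """Page: the session key is computed from the client and server randoms."""
    return hmac.new(b"iot-session-key", client_random + server_random,
                    hashlib.sha256).digest()


class ConstrainedDevice:
    """A7: picks the session ID and server random and derives the key locally."""
    def __init__(self) -> None:
        self.session_key = b""

    def server_hello(self, client_random: bytes) -> Tuple[bytes, bytes]:
        session_id, server_random = os.urandom(8), os.urandom(32)
        self.session_key = derive_key(client_random, server_random)
        return session_id, server_random


class EdgeDevice:
    """A3, A6, A7: answers the ClientHello on behalf of the devices it proxies."""
    def __init__(self, proxied: Dict[str, ConstrainedDevice]) -> None:
        self.proxied = proxied
        self._cookie_secret = os.urandom(32)     # rotated periodically in practice

    def make_cookie(self, remote_addr: str, client_random: bytes) -> bytes:
        # Stateless: a flood of spoofed ClientHellos costs one HMAC each and
        # allocates nothing until a cookie bound to that source comes back.
        msg = remote_addr.encode() + client_random
        return hmac.new(self._cookie_secret, msg, hashlib.sha256).digest()[:16]

    def verify_cookie(self, remote_addr: str, client_random: bytes, cookie: bytes) -> bool:
        expected = self.make_cookie(remote_addr, client_random)
        return hmac.compare_digest(expected, cookie)   # constant-time compare

    def continue_handshake(self, true_dst: str, client_random: bytes) -> Tuple[bytes, bytes, bytes]:
        device = self.proxied[true_dst]
        session_id, server_random = device.server_hello(client_random)   # A6, A7
        return session_id, server_random, b"EDGE-CERT-PLACEHOLDER"


class Gateway:
    """A2, A4: redirects handshake traffic to the edge and gates on the cookie."""
    def __init__(self, mapping: Dict[str, EdgeDevice]) -> None:
        self.mapping = mapping   # true destination -> responsible edge device

    def client_hello(self, remote_addr: str, true_dst: str,
                     client_random: bytes, cookie: bytes = b""):
        edge = self.mapping.get(true_dst)
        if edge is None:
            return ("abort", None)
        if not cookie:                                   # A1 -> A2 -> A3
            return ("hello_verify_request", edge.make_cookie(remote_addr, client_random))
        if not edge.verify_cookie(remote_addr, client_random, cookie):
            return ("abort", None)                       # A5
        return ("server_hello", edge.continue_handshake(true_dst, client_random))


def run_handshake(tamper: str = "") -> dict:
    """Drive one remote device through A1 to A8; `tamper` selects a failure case."""
    device = ConstrainedDevice()
    edge = EdgeDevice({"fd00::10": device})
    gw = Gateway({"fd00::10": edge})
    remote_addr, client_random = "2001:db8::100", os.urandom(32)

    kind, cookie = gw.client_hello(remote_addr, "fd00::10", client_random)   # A1 to A3
    if tamper == "forged_cookie":
        cookie = os.urandom(16)                # a cookie the edge never issued
    elif tamper == "other_source":
        remote_addr = "2001:db8::200"          # valid cookie, different source address

    kind, payload = gw.client_hello(remote_addr, "fd00::10", client_random, cookie)  # A4
    if kind == "abort":
        return {"ok": False, "reason": "cookie verification failed (A5)"}
    session_id, server_random, edge_cert = payload
    # A8: the remote checks the edge certificate (placeholder here), sends its
    # own certificate, and both ends derive the same key from the two randoms.
    remote_key = derive_key(client_random, server_random)
    return {"ok": True, "session_id": session_id,
            "keys_match": hmac.compare_digest(remote_key, device.session_key)}


if __name__ == "__main__":
    print(run_handshake())
    print(run_handshake("forged_cookie"))
    print(run_handshake("other_source"))
```

Because the constrained device derives the key itself from the client random it receives in A6 and the server random it generates in A7, no key ever has to travel from the edge to the constrained device in this flow; the edge only relays the randoms and presents the certificate.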

Claims (7)

1. An Internet of Things security architecture comprising an internal network and an external network, characterized in that the internal network comprises resource-constrained devices, edge computing devices and a gateway; the internal network is connected to the external network through the gateway; the resource-constrained devices are connected to the gateway, and the edge computing devices are connected to the resource-constrained devices and to the gateway respectively; the external network comprises multiple remote devices, the remote devices including cloud servers, vendor servers and user terminals.
2. The Internet of Things security architecture according to claim 1, characterized in that there are multiple resource-constrained devices and multiple edge computing devices, the number of edge computing devices being smaller than the number of resource-constrained devices, and each edge computing device is responsible for a subset of the resource-constrained devices.
3. The Internet of Things security architecture according to claim 1, characterized in that the resource-constrained devices are addressed using IPv6; the transport layer protocol of the internal network is UDP and the application layer protocol is CoAP.
4. The Internet of Things security architecture according to claim 1, characterized in that the gateway is equipped with a firewall.
5. A gateway redirection method for the Internet of Things security architecture of any one of claims 1 to 4, characterized in that it comprises the following steps:
S1, the resource-constrained device sends a proxy request to the edge computing device and sends its own cipher suite and key data to the edge computing device;
S2, after receiving the proxy request of the resource-constrained device, the edge computing device sends the proxy relationship to the gateway;
S3, the gateway maintains a mapping table of resource-constrained devices and edge computing devices, recording the proxy relationship between the edge computing device and the resource-constrained device;
S4, after the gateway receives a packet from the external network, it judges whether the packet is application data; if so, step S5 is executed, otherwise step S6 is executed;
S5, the gateway forwards the packet directly to the resource-constrained device, and the process ends;
S6, the gateway redirects the packet to the edge computing device corresponding to the packet's content, and the process ends.
6. The gateway redirection method for the Internet of Things security architecture according to claim 5, characterized in that the process in step S4 of judging whether the packet is application data is as follows: the gateway reads the CONTENT_FIELD value in the DTLS record-layer header and judges from the CONTENT_FIELD value whether the packet is application data.
7. A packet handshake method for the Internet of Things security architecture of any one of claims 1 to 4, characterized in that it comprises the following steps:
A1, a remote device in the external network initiates communication with a resource-constrained device by sending a client hello message;
A2, after receiving the client hello message, the gateway performs redirection, redirecting the client hello message and all related subsequent handshake messages to the edge computing device responsible for that resource-constrained device, and at the same time attaches the true destination address of the message to the message;
A3, the edge computing device replies to the remote device with a verify request message containing a cookie generated by the edge computing device;
A4, after the gateway receives the client hello message sent in reply by the remote device, it judges whether that message contains a cookie identical to the one generated by the edge computing device; if so, step A6 is executed, otherwise step A5 is executed;
A5, verification fails, the handshake procedure is terminated, and the process ends;
A6, verification succeeds; the edge computing device sends a message to the resource-constrained device containing the client random number used to compute the communication key between the remote device and the resource-constrained device;
A7, the resource-constrained device replies with a server hello message to the edge computing device containing a session ID and the server random number; the edge computing device sends a message containing the certificate and the server random number to the remote device;
A8, after the remote device verifies the authenticity of the certificate sent by the edge computing device, it replies with a message containing its own certificate to prove its identity; the session between the two sides is then established on the key computed from the client random number and the server random number, and the process ends.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811236518.XA CN109150914A (en) 2018-10-23 2018-10-23 Internet of Things security architecture and its gateway redirection method and packet handshake method

Publications (1)

Publication Number Publication Date
CN109150914A true CN109150914A (en) 2019-01-04

Family

ID=64809038

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811236518.XA Pending CN109150914A (en) 2018-10-23 2018-10-23 Internet of Things security architecture and its gateway redirection method and packet handshake method

Country Status (1)

Country Link
CN (1) CN109150914A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160261563A1 (en) * 2013-01-30 2016-09-08 Palo Alto Networks, Inc. Credentials management in large scale virtual private network deployment
CN106688218A (en) * 2014-04-15 2017-05-17 飞利浦灯具控股公司 Method and apparatus for controlling handshake in a packet transmission network
CN106790121A (en) * 2016-12-27 2017-05-31 逯帅 Power system service network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
马国峻等: "一种物联网端到端安全方案", 《技术研究》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020143013A1 (en) * 2019-01-11 2020-07-16 Oppo广东移动通信有限公司 Method and apparatus for processing query request, computer device and storage medium
CN112637114A (en) * 2019-09-24 2021-04-09 西门子股份公司 Method and device for monitoring data exchange of industrial edge equipment
CN112637114B (en) * 2019-09-24 2023-04-11 西门子股份公司 Method and device for monitoring data exchange of industrial edge equipment
US11652796B2 (en) 2019-09-24 2023-05-16 Siemens Aktiengesellschaft Method and arrangement for control data exchange of an industrial edge device
CN110719292A (en) * 2019-10-17 2020-01-21 中国联合网络通信集团有限公司 Connection authentication method and system for edge computing equipment and central cloud platform
CN110719292B (en) * 2019-10-17 2021-11-19 中国联合网络通信集团有限公司 Connection authentication method and system for edge computing equipment and central cloud platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190104