CN114245332A - DTLS connection establishment method and system of Internet of things equipment - Google Patents

DTLS connection establishment method and system of Internet of things equipment

Info

Publication number
CN114245332A
Authority
CN
China
Prior art keywords
dtls
server
internet
connection
information
Prior art date
Legal status
Pending
Application number
CN202111599392.4A
Other languages
Chinese (zh)
Inventor
***
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202111599392.4A
Publication of CN114245332A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/30 Services specially adapted for particular environments, situations or purposes
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 30/00 IoT infrastructure
    • G16Y 30/10 Security thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/10 Integrity
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application provides a DTLS connection establishing method and system for equipment of the Internet of things, and relates to the technical field of network communication. The DTLS connection establishment method of the Internet of things equipment comprises the following steps: configuring trust information between the limited Internet of things equipment and a secure connection server; establishing DTLS initial connection between the secure connection server and a server to generate DTLS initial connection information; sending DTLS initial connection information to the limited Internet of things equipment through the secure connection server and the trust information; disconnecting the DTLS initial connection established between the secure connection server and the server; and establishing DTLS data connection between the limited Internet of things equipment and the server according to the DTLS initial connection information. The DTLS connection establishment method of the Internet of things equipment can achieve the technical effects of reducing processing and transmission expenses of limited Internet of things equipment and reducing power consumption.

Description

DTLS connection establishment method and system of Internet of things equipment
Technical Field
The application relates to the technical field of network communication, in particular to a DTLS connection establishing method and system of Internet of things equipment.
Background
At present, the development of 5G networks, low-power local-area/wide-area wireless network technology and adaptive Internet Protocol (IP) technology is rapidly driving the emergence of a new application network, the Internet of Things. In the Internet of Things, a new type of networked device with highly limited computing capacity, memory resources and power supply capacity, namely the limited Internet of Things device, has appeared; such devices can connect autonomously to the Internet of Things (IoT) over the IP protocol.
In the prior art, the limited Internet of Things devices in a resource-limited Internet of Things have the following characteristics: they have low computing and storage resources, are battery powered, connect over low-power short-range wireless networks, use IP network technology, and are deployed in open environments without physical protection; a group of Internet of Things devices deployed in the same region and carrying out a specific task forms an Internet of Things local area network; an Internet of Things gateway interconnects different or heterogeneous networks and connects the Internet of Things local area network to an enterprise local area network or to a server on the Internet; and the server and the enterprise local area network sit in a physically protected environment. The use of IP technology enables a constrained device to communicate end to end with other constrained devices or with services located in a remote network domain. For example, an IP-enabled sensor device built into the body can transparently send the patient's medical data it collects to an electronic health server without any application-level interaction at the Internet of Things gateway. In this case, however, the transmitted information may be routed through an untrusted network infrastructure (e.g., the Internet) or a wireless local area network (e.g., a Bluetooth network). Therefore, in the resource-constrained Internet of Things, peer authentication and end-to-end data protection are key requirements for preventing eavesdropping on sensitive information or the malicious triggering of harmful tasks.
To provide end-to-end secure connectivity in the Internet of Things, variants of conventional end-to-end IP security protocols, such as DTLS (Datagram Transport Layer Security) and minimal IKEv2, have been proposed for the constrained Internet of Things. All of these protocol variants rely on public key cryptography in their design, and public key cryptography in the limited Internet of Things environment has the following disadvantages: it generates a large amount of processing and transmission overhead, its implementation occupies large amounts of RAM and ROM, and its energy consumption is high.
Disclosure of Invention
An object of the embodiments of the present application is to provide a DTLS connection establishment method and system for an internet of things device, an electronic device, and a computer-readable storage medium, which can achieve the technical effects of reducing processing and transmission overhead of a limited internet of things device and reducing power consumption.
In a first aspect, an embodiment of the present application provides a DTLS connection establishment method for an internet of things device, including:
configuring trust information between the limited Internet of things equipment and a secure connection server;
establishing DTLS initial connection between the secure connection server and a server to generate DTLS initial connection information;
sending DTLS initial connection information to the limited Internet of things equipment through the secure connection server and the trust information;
disconnecting the DTLS initial connection established between the secure connection server and the server;
and establishing DTLS data connection between the limited Internet of things equipment and the server according to the DTLS initial connection information.
In this implementation, the DTLS connection establishment method for Internet of Things devices introduces a new communication entity, the secure connection server, into the limited Internet of Things. First, a DTLS initial connection is established between the secure connection server and the server; then, based on the trust information between the limited Internet of Things device and the secure connection server, a DTLS data connection is established between the limited Internet of Things device and the server. The secure connection server thus separates the initial DTLS connection establishment from the protection of application data in the secure communication between a limited Internet of Things device in one administrative domain and a server in another administrative domain, so that the process of establishing the DTLS connection between the limited Internet of Things device and the server is divided into two parts, and a limited Internet of Things device that only has symmetric encryption capability can establish a secure DTLS connection with a server that uses certificate-based DTLS. The method therefore reduces the processing and transmission overhead of the limited Internet of Things device and reduces its power consumption.
Further, before the step of configuring the trust information between the limited internet of things device and the secure connection server, the method further includes:
configuring a master symmetric key to the restricted internet of things device;
and storing the equipment information of the limited Internet of things equipment into an Internet of things equipment database of the secure connection server, wherein the equipment information comprises ID information, symmetric encryption algorithm information and the master symmetric key.
Further, the Internet of Things device database is a DeviceTable, and each DeviceTable entry contains the IP information of the limited Internet of Things device, its ID information, the shared key, and the CryptoSuite of symmetric encryption protocols it supports.
Further, a communication protocol between the secure connection server and the limited internet of things device is a TCP transmission protocol.
Further, after the step of storing the device information of the limited internet of things device in the internet of things device database of the secure connection server, the method further includes:
sending a command request message to the limited Internet of Things device through the secure connection server; after receiving the command request message, the limited Internet of Things device decrypts it with the master symmetric key, performs an information check, and generates a command response message;
and sending the command response message to the secure connection server through the limited Internet of Things device; after receiving the command response message, the secure connection server decrypts it with the shared secret key, checks the information, and confirms that the limited Internet of Things device has received and executed the command request message.
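The DeviceTable and the command request/response exchange above, as an added Python example that is not code from the patent or its assignee: the secure connection server looks up the device's entry, seals a command under the shared master key, the device decrypts it, performs the information check and answers, and the secure connection server confirms execution from the response. The cryptographic suite is an assumption: an encrypt-then-MAC construction from HMAC-SHA256 alone, so that it runs on the standard library, standing in for the AEAD a real CryptoSuite entry would name. The per-direction sequence numbers, the REQ:/RSP: prefixes, and all device identities and keys are constructed for the example and are not specified by the patent.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Toy CryptoSuite: encrypt-then-MAC from HMAC-SHA256 only (Python stdlib). It stands in
# for the AEAD a real DeviceTable entry would name (e.g. AES-GCM); the name is assumed.
SUITE = "HMAC-SHA256-CTR-ETM"
HDR, TAG = 16, 32  # header = seq(4) || nonce(12); tag = HMAC-SHA256 output


def _derive(master, label):
    # Separate encryption and MAC sub-keys from the device's master symmetric key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(k_enc, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(master, seq, plaintext):
    """Encrypt then MAC: seq(4) || nonce(12) || ciphertext || tag(32)."""
    k_enc, k_mac = _derive(master, b"enc"), _derive(master, b"mac")
    header = seq.to_bytes(4, "big") + secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, header[4:], len(plaintext))))
    return header + ct + hmac.new(k_mac, header + ct, hashlib.sha256).digest()


def open_(master, msg, last_seq):
    """Information check: verify the tag, reject replays, and only then decrypt."""
    k_enc, k_mac = _derive(master, b"enc"), _derive(master, b"mac")
    header, ct, tag = msg[:HDR], msg[HDR:-TAG], msg[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, header + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    seq = int.from_bytes(header[:4], "big")
    if seq <= last_seq:
        raise ValueError("replay")
    return seq, bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, header[4:], len(ct))))


@dataclass
class DeviceEntry:
    # DeviceTable entry: IP, ID, shared key, CryptoSuite; the counters are an addition.
    ip: str
    dev_id: str
    shared_key: bytes
    crypto_suite: str
    tx_seq: int = 0  # last sequence number sent to the device
    rx_seq: int = 0  # last sequence number accepted from the device


class SecureConnectionServer:
    def __init__(self):
        self.device_table = {}  # dev_id -> DeviceEntry (the patent's DeviceTable)

    def register(self, entry):
        self.device_table[entry.dev_id] = entry

    def command_request(self, dev_id, command):
        e = self.device_table[dev_id]
        e.tx_seq += 1
        return seal(e.shared_key, e.tx_seq, b"REQ:" + command)  # prefix binds direction

    def command_response(self, dev_id, msg):
        e = self.device_table[dev_id]
        seq, pt = open_(e.shared_key, msg, e.rx_seq)
        e.rx_seq = seq
        if not pt.startswith(b"RSP:"):
            raise ValueError("not a response")
        return pt[4:]  # device confirmed it received and executed the command


class LimitedDevice:
    def __init__(self, dev_id, master_key):
        self.dev_id, self.master_key = dev_id, master_key
        self.rx_seq = self.tx_seq = 0
        self.executed = []

    def handle(self, msg):
        seq, pt = open_(self.master_key, msg, self.rx_seq)
        self.rx_seq = seq
        if not pt.startswith(b"REQ:"):
            raise ValueError("not a request")
        self.executed.append(pt[4:])
        self.tx_seq += 1
        return seal(self.master_key, self.tx_seq, b"RSP:OK " + pt[4:])


def run_demo():
    master = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed test key
    scs = SecureConnectionServer()
    scs.register(DeviceEntry("10.0.0.7", "sensor-42", master, SUITE))  # constructed entry
    dev = LimitedDevice("sensor-42", master)
    req = scs.command_request("sensor-42", b"SET_REPORT_INTERVAL 60")
    out = {"confirmed": scs.command_response("sensor-42", dev.handle(req)),
           "executed": list(dev.executed)}
    for label, msg in (("replay", req),  # same request delivered twice
                       ("tamper", req[:HDR] + bytes([req[HDR] ^ 1]) + req[HDR + 1:])):
        try:
            dev.handle(msg)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    return out
```

Checking the tag before the sequence number and before decrypting means a corrupted or forged message is rejected without touching the plaintext path, and the counters make a re-delivered command fail the information check even though its tag is valid; both directions share one master key, so the REQ:/RSP: prefixes keep a response from being accepted as a request.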
Further, before the step of establishing the DTLS data connection between the limited internet of things device and the server according to the DTLS initial connection information, the method further includes:
and sending the IP information of the server to the limited Internet of things equipment.
Further, after the step of establishing the DTLS data connection between the limited internet of things device and the server according to the DTLS initial connection information, the method further includes:
and after the data transmission between the limited Internet of things equipment and the server is finished, disconnecting the DTLS data connection between the limited Internet of things equipment and the server.
In a second aspect, an embodiment of the present application provides a DTLS connection establishment system for an internet of things device, where the DTLS connection establishment system for the internet of things device includes:
the trust establishing module is used for configuring trust information between the limited Internet of things equipment and the secure connection server;
the initial connection establishing module is used for establishing DTLS initial connection between the secure connection server and the server and generating DTLS initial connection information;
the sending module is used for sending DTLS initial connection information to the limited Internet of things equipment through the secure connection server and the trust information;
the disconnection module is used for disconnecting the DTLS initial connection established between the secure connection server and the server;
and the DTLS data connection module is used for establishing DTLS data connection between the limited Internet of things equipment and the server according to the DTLS initial connection information.
Further, the DTLS connection establishment system of the internet of things device further includes:
configuring a master symmetric key to the restricted internet of things device;
and storing the equipment information of the limited Internet of things equipment into an Internet of things equipment database of the secure connection server, wherein the equipment information comprises ID information, symmetric encryption algorithm information and the master symmetric key.
Further, the DTLS connection establishment system of the internet of things device further includes:
the command request module is used for sending a command request message to the limited Internet of things equipment through the secure connection server, and the limited Internet of things equipment decrypts the command request message through the master symmetric key after receiving the command request message and carries out information check to generate a command response message;
and the command response module is used for sending the command response message to the secure connection server through the limited internet of things equipment, and the secure connection server decrypts the command response message through the shared secret key after receiving the command response message, checks information and confirms that the limited internet of things equipment receives and executes the command request message.
Further, the sending module is further configured to send the IP information of the server to the limited internet of things device.
Further, the disconnection module is further configured to disconnect the DTLS data connection between the limited internet of things device and the server after the data transmission between the limited internet of things device and the server is completed.
In a third aspect, an electronic device provided in an embodiment of the present application includes: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium having instructions stored thereon, which, when executed on a computer, cause the computer to perform the method according to any one of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer, causes the computer to perform the method according to any one of the first aspect.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the above-described techniques.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic diagram of a limited internet of things application system provided in an embodiment of the present application;
fig. 2 is a schematic diagram of another limited internet of things application system provided in an embodiment of the present application;
fig. 3 is a schematic flowchart of a DTLS connection establishment method for an internet of things device according to an embodiment of the present application;
fig. 4 is a schematic flowchart of another DTLS connection establishment method for internet of things devices according to an embodiment of the present application;
fig. 5 is a block diagram of a DTLS connection establishment system of an internet of things device according to an embodiment of the present disclosure;
fig. 6 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
The embodiment of the application provides a DTLS connection establishment method and system for Internet of Things devices, an electronic device and a computer-readable storage medium, which can be applied to the communication connections of limited Internet of Things devices that use symmetric cryptography. The DTLS connection establishment method introduces a new communication entity, the secure connection server, into the limited Internet of Things: first, a DTLS initial connection is established between the secure connection server and the server; then, based on the trust information between the limited Internet of Things device and the secure connection server, a DTLS data connection is established between the limited Internet of Things device and the server. The secure connection server thus separates the initial DTLS connection establishment from the protection of application data in the secure communication between a limited Internet of Things device in one administrative domain and a server in another administrative domain, so that the process of establishing the DTLS connection between the limited Internet of Things device and the server is divided into two parts, and a limited Internet of Things device that only has symmetric encryption capability can establish a secure DTLS connection with a server that uses certificate-based DTLS. The method therefore reduces the processing and transmission overhead of the limited Internet of Things device and reduces its power consumption.
Referring to fig. 1 and fig. 2: fig. 1 is a schematic diagram of an Internet of Things application system provided in an embodiment of the present application, and fig. 2 is a schematic diagram of another such system; fig. 1 describes the current state of an Internet of Things application system, and fig. 2 summarizes the present application, that is, fig. 1 with a secure connection server added.
For example, as shown in fig. 1, a limited Internet of Things application system of a conventional scheme consists of limited Internet of Things devices (one limited Internet of Things may contain several such devices), a server (IoT server) on a local area network or on the Internet, and a gateway (GW) interconnecting different network domains and communication endpoints. Limited Internet of Things devices communicate over constrained link-layer technologies such as 6LoWPAN (or IEEE 802.15.4, Bluetooth, lown, etc.), and transmissions within the constrained network domain traverse lossy wireless links with significant packet size constraints. The limited Internet of Things device supports the IP protocol; the gateway acts merely as an IP packet forwarder and connects the network domain of the limited Internet of Things to the local IP network infrastructure (i.e., the local area network) or to the Internet via a conventional wired or wireless connection.
The DTLS connection establishment method for Internet of Things devices solves the following problem: how a server located in one administrative domain and supporting certificate-based DTLS can establish a DTLS secure connection, using the certificate-based DTLS handshake, for DTLS end-to-end secure communication with a resource-limited Internet of Things device located in another administrative domain that only supports symmetric encryption. The certificate-based DTLS protocol is referred to as the PKC-DTLS protocol.
For example, as shown in fig. 2, for a limited internet of things application system provided by the present application, an embodiment of the present application solves the above-mentioned problem by introducing a new communication entity, namely a secure connection server, into the limited internet of things application system.
Illustratively, the limited Internet of Things device has a trust relationship with the secure connection server; therefore, the process of establishing the DTLS connection between the limited Internet of Things device and the server can be divided into two stages: (1) the limited Internet of Things device delegates the certificate-based DTLS handshake to the secure connection server, the secure connection server establishes a DTLS initial connection with the server using the certificate-based DTLS handshake, and the context information of the DTLS initial connection is stored on the server; (2) the limited Internet of Things device initiates a procedure for resuming the DTLS initial connection towards the server, obtains the context information of the DTLS initial connection stored on the server, and the limited Internet of Things device and the server establish a DTLS data connection based on that context information.
Illustratively, the secure connection server and the limited Internet of Things devices it manages are in the same administrative domain. The secure connection server is a resource-rich device with strong computing, storage and transmission capabilities; it may be a server, a dedicated device, or a module embedded in another network device such as a gateway. Optionally, the secure connection server is deployed in a physically protected environment, such as an enterprise office building.
Illustratively, the secure connection server has a trust relationship with the limited Internet of Things device and a trust relationship with the server; the secure connection server is connected to the server over the IP protocol; the limited Internet of Things device is connected to the server over the IP protocol; and the Internet of Things gateway performs IP routing and forwarding.
Referring to fig. 3, fig. 3 is a schematic flow chart of a DTLS connection establishment method for an internet of things device according to an embodiment of the present application, where the DTLS connection establishment method for the internet of things device includes the following steps:
S100: configuring trust information between the limited Internet of Things device and the secure connection server.
Illustratively, the master symmetric key is securely configured and stored on the limited Internet of Things device, the secure connection server is initialized, and the device information of the limited Internet of Things device to be deployed is stored in the Internet of Things device database of the secure connection server. This completes the configuration of the trust information and thereby establishes the trust relationship between the limited Internet of Things device and the secure connection server.
S200: establishing a DTLS initial connection between the secure connection server and the server to generate DTLS initial connection information.
Illustratively, in S200 the secure connection server acts as a DTLS client and initiates a DTLS handshake with the server. During connection establishment, the secure connection server and the server authenticate each other: the secure connection server verifies the identity of the server through its certificate during the DTLS handshake, and the server verifies the secure connection server using its certificate. During the DTLS handshake, the secure connection server and the server use the DTLS session resumption mechanism provided in the present application to store the security context information of the DTLS initial connection (i.e., the DTLS initial connection information) on the server, and the device information of the limited Internet of Things device (including its IP address) is transmitted to the server.
S300: sending the DTLS initial connection information to the limited Internet of Things device through the secure connection server and the trust information.
S400: disconnecting the DTLS initial connection established between the secure connection server and the server.
S500: establishing a DTLS data connection between the limited Internet of Things device and the server according to the DTLS initial connection information.
Illustratively, the restricted internet of things device initiates a DTLS connection procedure to the server using a DTLS session recovery handshake protocol. During the DTLS session recovery handshake, the server transmits the session ticket of the DTLS initial connection information in S200 to the restricted internet of things device. The limited internet of things device verifies and reestablishes the DTLS initial connection established between the secure connection server and the server in S200 using the DTLS initial connection information, thereby establishing a DTLS data connection between the limited internet of things device and the server.
Referring to fig. 4, fig. 4 is a schematic flowchart of another DTLS connection establishment method for internet of things equipment according to an embodiment of the present application.
Exemplarily, before S100 (configuring the trust information between the limited Internet of things device and the secure connection server), the method further includes the following steps:
S101: configuring a master symmetric key on the limited Internet of things device;
S102: storing the device information of the limited Internet of things device in the Internet of things device database of the secure connection server, where the device information includes ID information, symmetric encryption algorithm information and the master symmetric key.
Illustratively, the master symmetric key is securely configured and stored on the limited Internet of things device before the device is deployed. S101 may use any common secure provisioning method, for example: the customer independently and securely generates the key and has the device manufacturer burn it into the limited Internet of things device using the customer's security device; or the manufacturer securely generates the master symmetric key, burns it into the limited Internet of things device, and informs the customer of the key through a secure channel such as encrypted mail.
Illustratively, the secure connection server is initialized, and the device information of the limited Internet of things device to be deployed is stored in the Internet of things device database of the secure connection server, where the device information includes the ID information, the master symmetric key and the symmetric encryption algorithm of the limited Internet of things device, and the like. In S102 the certificate of the secure connection server may also be deployed, and the list of servers the secure connection server may access may be configured, in the usual way.
Illustratively, the Internet of things device database is a DeviceTable, and each DeviceTable entry includes the IP information, ID information, shared key and supported symmetric encryption protocol suite (CryptoSuite) of a limited Internet of things device.
Illustratively, an entry of the limited Internet of things device database (DeviceTable) on the secure connection server may include: the IP information (DevIP), ID information (DevID), shared key (DevKey) and supported symmetric encryption protocol suite (CryptoSuite) of the limited Internet of things device. DevKey is the key shared between the limited Internet of things device and the secure connection server: information that the secure connection server encrypts with DevKey can be decrypted by the limited Internet of things device with its master symmetric key. CryptoSuite represents the symmetric encryption algorithms the limited Internet of things device can support; when the DTLS initial connection is established with the server on the device's behalf, it is used to negotiate a CipherSuite for both communicating sides that the limited Internet of things device can support.
Illustratively, the communication protocol between the secure connection server and the restricted internet of things device is a TCP transport protocol.
Exemplarily, after S102 (storing the device information of the limited Internet of things device in the Internet of things device database of the secure connection server), the method further includes the following steps:
S103: sending a command request message to the limited Internet of things device through the secure connection server; after receiving the command request message, the limited Internet of things device decrypts it with the master symmetric key and performs an information check, and then generates a command response message;
S104: sending the command response message to the secure connection server through the limited Internet of things device; after receiving the command response message, the secure connection server decrypts it with the shared key and performs an information check, and so confirms that the limited Internet of things device has received and executed the command request message.
In some implementation scenarios, the specific processes of S103 and S104 are as follows:
(1) The secure connection server sends a command request message to the limited Internet of things device, where the command request message is {Command Req, Ek(Command, Command parameter, DevID, ServerID, nonce)};
Specifically, the command that the limited Internet of things device is requested to execute is sent encrypted, and Ek denotes encryption with the DevKey of the limited Internet of things device. DevID denotes the device that executes the command, ServerID denotes the issuer of the command, Command and Command parameter denote the command to be executed and its parameters, and Command Req marks the data as a command request message.
(2) After receiving the command request message, the limited Internet of things device decrypts it with the master symmetric key and performs an information check. Specifically, it checks whether the DevID in the command request message equals its own ID information and whether the ServerID in the command request message equals the ServerID configured on the device.
(3) The limited Internet of things device sends a command response message to the secure connection server, where the command response message is {CommandAck, Ek(Command, Command parameter, DevID, ServerID, nonce)}, and executes the instruction carried in the command request message. CommandAck marks the data as a command response message.
(4) After receiving the command response message, the secure connection server decrypts it with DevKey and performs an information check, and so confirms that the limited Internet of things device has received and executed the command request message it sent. Specifically, it checks whether the DevID in the command response message equals the DevID of the limited Internet of things device in the DeviceTable, whether the ServerID in the command response message equals the ID information of the secure connection server itself, and whether the nonce in the command response message equals the nonce in the command request message.
In this exchange, the key shared between the limited Internet of things device and the secure connection server provides mutual identity authentication.
In some embodiments, the secure connection server uses the above procedure to send the following commands, which update the DTLS connection table of the limited Internet of things device:
EnableLink (IP address, port number, sessionID): the limited Internet of things device may perform DTLS communication with the server identified by (IP address, port number, sessionID);
DisableLink (IP address, port number, sessionID): the limited Internet of things device is prohibited from DTLS communication with the server identified by (IP address, port number, sessionID).
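The command request and response exchange of (1) to (4) above, carrying an EnableLink command, in Go as an added example (not code from the application). It assumes AES-GCM for Ek, JSON for the encrypted fields, a 16-byte nonce, and the string form "ip:port:sessionID" for the command parameter; all IDs and keys are constructed.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Plaintext inside Ek(...): (Command, Command parameter, DevID, ServerID, nonce). For
// EnableLink/DisableLink the parameter is the (IP, port, sessionID) triple as one "ip:port:sessionID" string.
type commandBody struct {
	Command  string
	Param    string
	DevID    string
	ServerID string
	Nonce    []byte
}

// gcmFor builds the AEAD behind Ek. The description only says "encrypted with DevKey";
// AES-GCM is this example's choice, so a forged or altered message fails to open.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys are 16 bytes throughout this example
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// ek = Ek(body): fresh 12-byte IV || ciphertext || tag, with the clear-text type tag as AAD.
func ek(key []byte, tag string, body commandBody) []byte {
	pt, _ := json.Marshal(body) // a plain struct always marshals
	iv := make([]byte, 12)
	rand.Read(iv)
	return gcmFor(key).Seal(iv, iv, pt, []byte(tag))
}

// dk reverses ek; a wrong key, an altered byte or a swapped type tag all fail here.
func dk(key []byte, tag string, blob []byte) (body commandBody, err error) {
	if len(blob) < 12 {
		return body, errors.New("message too short")
	}
	pt, err := gcmFor(key).Open(nil, blob[:12], blob[12:], []byte(tag))
	if err == nil {
		err = json.Unmarshal(pt, &body)
	}
	return body, err
}

// Secure connection server: its ID and the DeviceTable reduced to DevID -> DevKey.
type secureServer struct {
	ServerID    string
	DeviceTable map[string][]byte
}

// Limited IoT device: master key (the server's DevKey for it), configured ServerID, DTLS connection table.
type iotDevice struct {
	DevID, ServerID string
	MasterKey       []byte
	Links           map[string]bool // enabled "ip:port:sessionID" links
}

// (1) The server builds {Command Req, Ek(...)} and keeps the nonce it expects echoed back.
func (s *secureServer) buildRequest(devID, cmd, param string) (req, nonce []byte, err error) {
	devKey, ok := s.DeviceTable[devID]
	if !ok {
		return nil, nil, errors.New("unknown DevID")
	}
	nonce = make([]byte, 16)
	rand.Read(nonce)
	return ek(devKey, "Command Req", commandBody{cmd, param, devID, s.ServerID, nonce}), nonce, nil
}

// (2)+(3) The device decrypts with its master key, checks DevID and ServerID, applies the command, acks.
func (d *iotDevice) handleRequest(req []byte) ([]byte, error) {
	body, err := dk(d.MasterKey, "Command Req", req)
	if err != nil || body.DevID != d.DevID || body.ServerID != d.ServerID {
		return nil, errors.New("request rejected: bad key/tag, DevID or ServerID")
	}
	switch body.Command {
	case "EnableLink":
		d.Links[body.Param] = true
	case "DisableLink":
		delete(d.Links, body.Param)
	default:
		return nil, errors.New("unknown command")
	}
	return ek(d.MasterKey, "CommandAck", body), nil
}

// (4) The server checks DevID, ServerID and nonce, so a replayed or forged ack is not taken as confirmation.
func (s *secureServer) checkResponse(devID string, nonce, ack []byte) error {
	body, err := dk(s.DeviceTable[devID], "CommandAck", ack) // devID is one buildRequest accepted
	if err != nil || body.DevID != devID || body.ServerID != s.ServerID || !bytes.Equal(body.Nonce, nonce) {
		return errors.New("ack rejected: bad key/tag, DevID, ServerID or nonce")
	}
	return nil
}
```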
Exemplarily, before S500 (establishing the DTLS data connection between the limited Internet of things device and the server according to the DTLS initial connection information), the method further includes:
S501: sending the IP information of the server to the limited Internet of things device.
Illustratively, this allows the limited Internet of things device to locate, by the IP information (IP address) of the server, the DTLS initial connection that the secure connection server established on its behalf, and to direct its DTLS connection request to that server.
In some implementation scenarios, a client_ipaddress field is added to NewSessionTicket, so that the server can find the DTLS initial connection that the secure connection server established on the device's behalf according to the IP address of the Internet of things device initiating the DTLS connection request; illustratively, the code may take the following form:
(code listing provided as an image in the original; not reproduced here)
Exemplarily, the embodiment of the present application specifically defines how the field values of the ticket in the DTLS protocol are calculated:
The ticket in the DTLS protocol has the following structure:
(ticket structure provided as an image in the original; not reproduced here)
The secure connection server and the limited Internet of things device generate each field value of the ticket as follows:
for key_name, key_name = SHA-256(Ki; IDi + sessionID), where the algorithm is SHA-256 and the key Ki used is the master symmetric key of the limited Internet of things device;
the master symmetric key of the limited Internet of things device is used as the key for AES-CCM encryption and integrity protection, producing encrypted_state and ccm_auth_tag in the ticket; key_name and iv receive integrity protection only (they are not encrypted).
In some implementation scenarios, an embodiment of the present application further provides a method by which the limited Internet of things device verifies the ticket, including the following steps:
(1) Ticket integrity check.
Specifically, using the master symmetric key of the limited Internet of things device as the key, MAC1 is calculated with AES-CCM; MAC1 must equal the ccm_auth_tag in the ticket.
(2) Correctness check of key_name.
Specifically, using the same master symmetric key as in (1), the device computes SHA-256(Ki; IDi + sessionID) from the information it holds (taken from the DTLS connection table it maintains) and compares the result with the key_name in the ticket to confirm that the key_name in the ticket is correct.
(3) Obtaining the context information of the previous DTLS connection.
Specifically, using its master symmetric key as the key, the device decrypts the encrypted_state in the ticket with AES-CCM and obtains the context information of the previous DTLS connection, including the Master Key used by that connection.
Exemplarily, after S500 (establishing the DTLS data connection between the limited Internet of things device and the server according to the DTLS initial connection information), the method further includes:
S600: after the data transmission between the limited Internet of things device and the server is completed, disconnecting the DTLS data connection between the limited Internet of things device and the server.
For example, the limited Internet of things device may periodically repeat S500 and S600 according to the needs of the upper-layer application.
In some implementation scenarios, the DTLS implementation on the limited Internet of things device and the DTLS implementation on the server need only small modifications, and the method of the present application is implemented on the secure connection server; the whole process of establishing a DTLS data connection between the Internet of things device and the server based on the present application is as follows:
Specifically, the whole process is divided into three parts:
(1) The secure connection server establishes the DTLS initial connection with the server on behalf of the limited Internet of things device (the secure connection server and the server perform bidirectional authentication with certificates);
(1.1) the secure connection server looks up its DeviceTable to obtain the DevIP, DevKey and CryptoSuite of the limited Internet of things device, and uses the CryptoSuite of the limited Internet of things device as the CipherSuite supported by its own DTLS client;
(1.2) secure connection server -> server:
ClientHello(ResumptionType extension=1)(empty SessionTicket extension);
here, ResumptionType extension=1 indicates that the DTLS client uses the method of storing the SessionTicket on the server side.
(1.3) server -> secure connection server:
HelloVerifyRequest;
(1.4) secure connection server -> server:
ClientHello(ResumptionType extension=1)(empty SessionTicket extension);
(1.5) server -> secure connection server:
ServerHello(ResumptionType extension=1)(empty SessionTicket extension);
ServerCertificate;
ServerKeyExchange;
CertificateRequest;
ServerHelloDone;
here, ServerHello(ResumptionType extension=1)(empty SessionTicket extension) indicates that the server supports the method of storing the SessionTicket on the server side.
(1.6) secure connection server -> server:
ClientCertificate;
ClientKeyExchange;
CertificateVerify;
the secure connection server calculates the PreMasterKey, MasterKey and SessionKey of the DTLS initial connection based on the public key algorithm;
the server calculates the PreMasterKey, MasterKey and SessionKey of the DTLS initial connection based on the public key algorithm.
(1.6.1) the secure connection server constructs a SessionTicket according to the ticket structure and field-generation method of the present application:
NewSessionTicket (the secure connection server sends the security context of the DTLS initial connection to the server);
ChangeCipherSpec;
Finished;
(1.6.2) the server stores the received SessionTicket and the server-side DTLS initial connection context information in its DTLS session table.
(1.7) server -> secure connection server:
ChangeCipherSpec;
Finished;
(1.8) the secure connection server disconnects the established DTLS initial connection.
(2) The secure connection server sends the DTLS connection information of step (1) to the limited Internet of things device with an EnableLink command, using the method of the present application; the limited Internet of things device stores the received information in the DTLS connection information table in the device.
(3) The limited Internet of things device establishes the DTLS data connection with the server as follows:
(3.1) the limited Internet of things device looks up its DTLS connection table to obtain the IP address, port number and sessionID of the server;
(3.2) limited Internet of things device -> server:
ClientHello(ResumptionType extension=1)(empty SessionTicket extension);
here, ResumptionType extension=1 indicates that the DTLS client uses the method of storing the SessionTicket on the server side.
(3.3) server -> limited Internet of things device:
the server queries its DTLS session table to obtain the SessionTicket and the server-side DTLS security connection context it maintains, and calculates a new Master Key and Session Key;
ServerHello(ResumptionType extension=1)(SessionTicket extension) (the SessionTicket is sent to the limited Internet of things device);
ChangeCipherSpec;
Finished;
(3.4) processing the SessionTicket:
the limited Internet of things device checks the SessionTicket using the method above, obtains the Master Key, and generates a new Master Key and Session Key.
(3.5) limited Internet of things device -> server:
the limited Internet of things device constructs a new SessionTicket using the method of the present application;
NewSessionTicket (the new SessionTicket is sent to the server for storage);
ChangeCipherSpec;
Finished;
(3.6) the server stores the received SessionTicket and the server-side DTLS connection security context in its DTLS session table.
(3.7) application data is transmitted encrypted over the established DTLS data connection.
After the limited Internet of things device completes the application data exchange, the DTLS data connection may be disconnected. The next time the limited Internet of things device and the server need to exchange application data, only the process of part (3) is executed.
Referring to fig. 5, fig. 5 is a block diagram of a DTLS connection establishment system of an internet of things device according to an embodiment of the present application, where the DTLS connection establishment system of the internet of things device includes:
a trust establishing module 100, configured to configure trust information between the limited internet of things device and the secure connection server;
an initial connection establishing module 200, configured to establish a DTLS initial connection between the secure connection server and the server, and generate DTLS initial connection information;
a sending module 300, configured to send DTLS initial connection information to the limited internet of things device through the secure connection server and the trust information;
a disconnection module 400, configured to disconnect a DTLS initial connection established between the secure connection server and the server;
the DTLS data connection module 500 is configured to establish a DTLS data connection between the limited internet of things device and the server according to the DTLS initial connection information.
Exemplarily, the DTLS connection establishing system of the internet of things device further includes:
configuring a master symmetric key to the limited internet of things device;
and storing the equipment information of the limited Internet of things equipment into an Internet of things equipment database of the secure connection server, wherein the equipment information comprises ID information, symmetric encryption algorithm information and a master symmetric key.
Exemplarily, the DTLS connection establishing system of the internet of things device further includes:
the command request module is used for sending a command request message to the limited Internet of things equipment through the secure connection server, and the limited Internet of things equipment decrypts the command request message through the master symmetric key after receiving the command request message and carries out information check to generate a command response message;
and the command response module is used for sending a command response message to the secure connection server through the limited Internet of things equipment, decrypting the command response message through the shared key after the secure connection server receives the command response message, checking information, and confirming that the limited Internet of things equipment receives and executes the command request message.
Illustratively, the sending module 300 is further configured to send the IP information of the server to the limited internet of things device.
Illustratively, the disconnection module 400 is further configured to disconnect the DTLS data connection between the limited internet of things device and the server after the data transmission between the limited internet of things device and the server is completed.
It should be understood that the DTLS connection establishment system of the internet of things device shown in fig. 5 corresponds to the method embodiments shown in fig. 1 to fig. 4, and details are not described here again to avoid repetition.
Fig. 6 is a block diagram of an electronic device according to an embodiment of the present disclosure. The electronic device may include a processor 510, a communication interface 520, a memory 530 and at least one communication bus 540, where the communication bus 540 is used to realize direct connection communication among these components. In this embodiment, the communication interface 520 of the electronic device is used for signaling or data communication with other node devices. The processor 510 may be an integrated circuit chip with signal processing capability.
The Processor 510 may be a general-purpose Processor including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor 510 may be any conventional processor or the like.
The Memory 530 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Read Only Memory (EPROM), an electrically Erasable Read Only Memory (EEPROM), and the like. The memory 530 stores computer readable instructions, which when executed by the processor 510, enable the electronic device to perform the steps involved in the method embodiments of fig. 1-4.
Optionally, the electronic device may further include a memory controller, an input output unit.
The memory 530, the memory controller, the processor 510, the peripheral interface, and the input/output unit are electrically connected to each other directly or indirectly, so as to implement data transmission or interaction. For example, these elements may be electrically coupled to each other via one or more communication buses 540. The processor 510 is used to execute executable modules stored in the memory 530, such as software functional modules or computer programs included in the electronic device.
The input/output unit is used to let a user create a task and start it within an optional time period or at a preset execution time, so as to realize interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 6 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 6 or have a different configuration than shown in fig. 6. The components shown in fig. 6 may be implemented in hardware, software, or a combination thereof.
The embodiment of the present application further provides a storage medium storing instructions; when the instructions are run on a computer, that is, when the stored computer program is executed by a processor, the method of the method embodiments is implemented, and details are not repeated here to avoid repetition.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A DTLS connection establishment method of Internet of things equipment is characterized by comprising the following steps:
configuring trust information between the limited Internet of things equipment and a secure connection server;
establishing DTLS initial connection between the secure connection server and a server to generate DTLS initial connection information;
sending DTLS initial connection information to the limited Internet of things equipment through the secure connection server and the trust information;
disconnecting the DTLS initial connection established between the secure connection server and the server;
and establishing DTLS data connection between the limited Internet of things equipment and the server according to the DTLS initial connection information.
2. The DTLS connection establishment method for the internet of things device of claim 1, wherein before the step of configuring the trust information between the restricted internet of things device and the secure connection server, the DTLS connection establishment method further comprises:
configuring a master symmetric key to the restricted internet of things device;
and storing the equipment information of the limited Internet of things equipment into an Internet of things equipment database of the secure connection server, wherein the equipment information comprises ID information, symmetric encryption algorithm information and the master symmetric key.
3. The DTLS connection establishment method for the IOT device as claimed in claim 2, wherein the IOT device database is a DeviceTable, and the entry content of the DeviceTable includes IP information of the restricted IOT device, the ID information, a shared key and a supported Cryptosuite of symmetric encryption protocols.
4. The DTLS connection establishment method for the IOT device of claim 1 or claim 2, wherein a communication protocol between the secure connection server and the restricted IOT device is a TCP transport protocol.
5. The DTLS connection establishment method of the IOT device of claim 4, wherein after the step of storing the device information of the limited IOT device in the IOT device database of the secure connection server, further comprising:
sending a command request message to the limited Internet of things equipment through the secure connection server, decrypting the command request message and carrying out information check through the master symmetric key after the limited Internet of things equipment receives the command request message, and generating a command response message;
and sending the command response message to the secure connection server through the limited internet of things equipment, decrypting the command response message through the shared secret key after the secure connection server receives the command response message, checking information, and confirming that the limited internet of things equipment receives and executes the command request message.
6. The DTLS connection establishment method for the internet of things device of claim 1, wherein before the step of establishing the DTLS data connection between the limited internet of things device and the server according to the DTLS initial connection information, the method further comprises:
and sending the IP information of the server to the limited Internet of things equipment.
7. The DTLS connection establishment method for the internet of things device of claim 6, wherein after the step of establishing the DTLS data connection between the limited internet of things device and the server according to the DTLS initial connection information, the method further comprises:
and after the data transmission between the limited Internet of things equipment and the server is finished, disconnecting the DTLS data connection between the limited Internet of things equipment and the server.
8. A DTLS connection establishment system for an Internet of Things device, comprising:
a trust establishing module, configured to configure trust information between the limited Internet of Things device and the secure connection server;
an initial connection establishing module, configured to establish a DTLS initial connection between the secure connection server and the server and to generate DTLS initial connection information;
a sending module, configured to send the DTLS initial connection information to the limited Internet of Things device through the secure connection server using the trust information;
a disconnection module, configured to disconnect the DTLS initial connection established between the secure connection server and the server; and
a DTLS data connection module, configured to establish a DTLS data connection between the limited Internet of Things device and the server according to the DTLS initial connection information.
9. An electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the DTLS connection establishment method for an Internet of Things device as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon instructions which, when run on a computer, cause the computer to perform the DTLS connection establishment method for an internet of things device as claimed in any one of claims 1 to 7.
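The command request/response exchange of claim 5 (the secure connection server encrypts a command, the device decrypts it with its key and checks it before acting, then answers with an encrypted response the server checks to confirm execution) can be modelled in a few dozen lines. The Go program below is an added example written for this page; it is not code from the patent or from Topsec. The claim specifies no wire format, cipher or check, so everything concrete here is assumed: AES-256-GCM with the message type bound as associated data, a monotonically increasing sequence number as the replay check on the device side, a response that echoes the sequence number plus a status byte, and a single provisioned key standing in for both the device's "master symmetric key" and the server's "shared secret key". The demo key in `main` is constructed on the spot.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed wire layout (claim 5 defines none): type || nonce || AES-GCM ciphertext+tag.
const typeCommandRequest, typeCommandResponse byte = 1, 2

// link holds the AEAD built from the symmetric key; assumption: device master key and server shared key are the same AES-256 key.
type link struct{ aead cipher.AEAD }

func newLink(key []byte) (*link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &link{aead: aead}, err
}

// seal authenticates the type byte as associated data, so a captured response cannot be replayed as a request.
func (l *link) seal(msgType byte, pt []byte) []byte {
	nonce := make([]byte, l.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // an unusable OS CSPRNG is not recoverable here
	}
	return l.aead.Seal(append([]byte{msgType}, nonce...), nonce, pt, []byte{msgType})
}

// open is the decrypt-and-check step of claim 5: a wrong type byte or a bad tag is rejected.
func (l *link) open(want byte, msg []byte) ([]byte, error) {
	n := l.aead.NonceSize()
	if len(msg) < 1+n || msg[0] != want {
		return nil, errors.New("malformed message or unexpected type")
	}
	return l.aead.Open(nil, msg[1:1+n], msg[1+n:], []byte{want})
}

// Device models the limited IoT device.
type Device struct {
	*link
	lastSeq  uint64   // highest sequence number accepted (replay check)
	Executed [][]byte // commands acted on
}

// HandleCommand decrypts a request (seq || cmd), rejects a stale sequence number, records the command and returns the response (seq || status 0).
func (d *Device) HandleCommand(req []byte) ([]byte, error) {
	pt, err := d.open(typeCommandRequest, req)
	if err != nil {
		return nil, err
	}
	if len(pt) < 8 || binary.BigEndian.Uint64(pt[:8]) <= d.lastSeq {
		return nil, errors.New("short request or replayed/stale sequence number")
	}
	d.lastSeq = binary.BigEndian.Uint64(pt[:8])
	d.Executed = append(d.Executed, append([]byte(nil), pt[8:]...))
	return d.seal(typeCommandResponse, append(append([]byte(nil), pt[:8]...), 0)), nil
}

// SecureServer models the secure connection server.
type SecureServer struct {
	*link
	nextSeq uint64
}

// BuildCommand returns the encrypted request and the sequence number it carries.
func (s *SecureServer) BuildCommand(cmd []byte) ([]byte, uint64) {
	s.nextSeq++
	pt := make([]byte, 8, 8+len(cmd))
	binary.BigEndian.PutUint64(pt, s.nextSeq)
	return s.seal(typeCommandRequest, append(pt, cmd...)), s.nextSeq
}

// ConfirmResponse accepts only a response echoing seq with status 0; that is how the server confirms receipt and execution.
func (s *SecureServer) ConfirmResponse(seq uint64, resp []byte) error {
	pt, err := s.open(typeCommandResponse, resp)
	if err != nil {
		return err
	}
	if len(pt) != 9 || binary.BigEndian.Uint64(pt[:8]) != seq || pt[8] != 0 {
		return errors.New("response does not acknowledge the outstanding request")
	}
	return nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from provisioning
	rand.Read(key)
	l, _ := newLink(key)
	srv, dev := &SecureServer{link: l}, &Device{link: l}
	req, seq := srv.BuildCommand([]byte("set-report-interval=60"))
	resp, err := dev.HandleCommand(req)
	fmt.Println("first delivery:", err, srv.ConfirmResponse(seq, resp))
	_, err = dev.HandleCommand(req) // same ciphertext again: rejected by the sequence check
	fmt.Println("replay:", err)
}
```

Two design points matter beyond the claim text. The sequence number is inside the authenticated plaintext, so an attacker who captures a request cannot bump it, and the device's `lastSeq` turns the "information check" into replay protection; a device that only verified the tag would re-execute any captured command. Binding the message type as associated data means the two message directions cannot be confused even though both sides use one key, which is the weak point of such a single-key design and the reason separate per-direction keys would be preferable in a deployment.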
CN202111599392.4A 2021-12-24 2021-12-24 DTLS connection establishment method and system of Internet of things equipment Pending CN114245332A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111599392.4A CN114245332A (en) 2021-12-24 2021-12-24 DTLS connection establishment method and system of Internet of things equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111599392.4A CN114245332A (en) 2021-12-24 2021-12-24 DTLS connection establishment method and system of Internet of things equipment

Publications (1)

Publication Number Publication Date
CN114245332A true CN114245332A (en) 2022-03-25

Family

ID=80762614

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111599392.4A Pending CN114245332A (en) 2021-12-24 2021-12-24 DTLS connection establishment method and system of Internet of things equipment

Country Status (1)

Country Link
CN (1) CN114245332A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116781421A (en) * 2023-08-18 2023-09-19 广东广宇科技发展有限公司 Network authentication method based on DTLS
CN116781421B (en) * 2023-08-18 2023-12-01 广东广宇科技发展有限公司 Network authentication method based on DTLS

Similar Documents

Publication Publication Date Title
Breiling et al. Secure communication for the robot operating system
Bonetto et al. Secure communication for smart IoT objects: Protocol stacks, use cases and practical examples
Heer et al. Security Challenges in the IP-based Internet of Things
CN103155512B (en) System and method for providing secure access to service
US8639936B2 (en) Methods and entities using IPSec ESP to support security functionality for UDP-based traffic
Hameed et al. A scalable key and trust management solution for IoT sensors using SDN and blockchain technology
US9490980B2 (en) Authentication and secured information exchange system, and method therefor
CN110046507B (en) Method and device for forming trusted computing cluster
TWI479872B (en) Method for distributed identification, a station in a network
WO2018177905A1 (en) Hybrid key exchange
KR101688118B1 (en) Security communication apparatus of internet of things environment and method thereof
JP2009239919A (en) Dynamic connection to a plurality of origin servers by transcoding proxy
JP2008504782A (en) Efficient authentication system and method for medical wireless ad hoc network nodes
CN101110672A (en) Method and system for establishing ESP security alliance in communication system
Hou et al. Design and prototype implementation of a blockchain-enabled LoRa system with edge computing
CN113411187B (en) Identity authentication method and system, storage medium and processor
Srikanth et al. An efficient Key Agreement and Authentication Scheme (KAAS) with enhanced security control for IIoT systems
EP3624394B1 (en) Establishing a protected communication channel through a ttp
CN114245332A (en) DTLS connection establishment method and system of Internet of things equipment
KR101572598B1 (en) Secure User Authentication Scheme against Credential Replay Attack
JP5614465B2 (en) Encryption communication device, proxy server, encryption communication device program, and proxy server program
CN112751664B (en) Internet of things networking method, internet of things networking device and computer readable storage medium
CN116848822A (en) Method and apparatus for providing a security level for communications
Gupta et al. Security mechanisms of Internet of things (IoT) for reliable communication: a comparative review
Patel Secure Lightweight Authentication for Multi User IoT Environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination