CN202103686U - Public key infrastructure (PKI) technology-based internet-of-things authentication system - Google Patents

Public key infrastructure (PKI) technology-based internet-of-things authentication system

Info

Publication number: CN202103686U
Authority: CN (China)
Prior art keywords: node, authentication, host computer, certificate, sensor node
Legal status: Expired - Lifetime (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2010206780930U
Other languages: Chinese (zh)
Inventors: 黄孝斌, 魏剑平, 樊勇, 朱学锋
Current assignee: Beijing times Polytron Technologies Inc (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: BEIJING LOIT TECHNOLOGY Co Ltd
Priority date: 2010-12-23 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2010-12-23
Publication date: 2012-01-04
Application filed by BEIJING LOIT TECHNOLOGY Co Ltd; priority to CN2010206780930U; application granted; publication of CN202103686U; anticipated expiration; current legal status: Expired - Lifetime.

Abstract

The utility model provides a public key infrastructure (PKI) based Internet of Things authentication system comprising sensor nodes, a host computer and a certification authority (CA). Each sensor node sends, at a preset report period, heartbeat data encrypted with the host computer public key; the heartbeat data contains the node public key and the node certificate encrypted with the node private key. The host computer receives the heartbeat data and decrypts it with the host computer private key, obtaining the node public key and the node certificate encrypted with the node private key; it then decrypts that certificate with the node public key to recover the node certificate, generates a random number for this authentication round, and sends the random number together with the node certificate to the CA. The CA receives the node certificate and the random number, authenticates the node certificate, and returns the authentication result together with the random number. From the returned result and random number the host computer learns the authentication result of the sensor node that initiated authentication, and it accepts reported data only from sensor nodes that passed authentication.

Description

Internet of Things authentication system based on PKI technology
Technical field
The utility model relates to the Internet of Things, and in particular to an Internet of Things authentication system.
Background technology
Public key infrastructure (PKI) refers to a general-purpose security infrastructure that implements and provides security services using public-key concepts and techniques.
A complete PKI system must have a certification authority (CA), a digital certificate repository, a key backup and recovery system, a certificate revocation system and an application programming interface (API) as its basic components; building a PKI means building these five subsystems.
PKI technology is the core of information security technology and the key enabling technology of e-commerce. Its basic techniques include encryption, digital signatures, data integrity mechanisms, digital envelopes and dual digital signatures. A typical, complete and effective PKI application system should provide at least: public key certificate management, blacklist (revocation list) issuance and management, key backup and recovery, automatic key update, automatic management of historical keys, and support for cross-certification.
Certification authority (CA): the body that accepts applications for and issues digital certificates; a CA must be authoritative.
Digital certificate repository: stores the issued digital certificates and public keys, from which users obtain the certificates and public keys of other users they need.
Key backup and recovery system: if a user loses the key used to decrypt data, that data can no longer be decrypted and legitimate data is lost. To avoid this, PKI provides a mechanism for backing up and recovering keys. Note that key backup and recovery must be performed by a trusted body, and only decryption keys may be backed up and recovered; signing private keys must never be backed up, so that their uniqueness is preserved.
Certificate revocation system: a certificate revocation system is an indispensable component of PKI. Like identity documents in daily life, a certificate may need to be revoked during its validity period, for example because the key medium is lost or the user's identity changes. PKI must therefore provide mechanisms for revoking certificates.
Application interface (API): the value of PKI lies in letting users easily use security services such as encryption and digital signatures, so a complete PKI must provide a good application interface, enabling applications to interact with the PKI in a secure, consistent and trustworthy way and guaranteeing the integrity and usability of the secure network environment.
In general, the CA is the body that issues certificates and is the core of PKI. As is well known, the core problem in building a cryptographic service system is key management. A public-key system involves a key pair (a private key and a public key): the private key is held only by its owner and never transmitted over the network, whereas the public key is public and must be transmitted over the network. Key management in a public-key system is therefore mainly the management of public keys, for which the digital certificate mechanism is currently the best solution.
Certificate: the certificate is the most important and most basic data element of PKI. All services that PKI provides (confidentiality, integrity, non-repudiation and so on) are realised through certificates.
A digital certificate generally contains: version; serial number; issuer; subject (the certificate holder); validity period; subject public key; public key algorithm identifier and key; the issuer's (CA's) signature; signature algorithm identifier; signature value; and so on. See the X.509 certificate format for details.
In a narrow sense, the Internet of Things (IoT) is a sensing network: various sensors connected to form a network. Low-level sensing falls into four types: identity sensing, state sensing, image sensing and location sensing. Wireless sensor networks are self-organising and well suited to collecting low-level sensing data.
The Internet of Things is essentially the Internet extended downward to the physical layer. It is organised in several layers: the bottom layer is the data collection (sensing) layer with the four kinds of sensing above; above it is the transport layer, which carries the sensed data over wired or wireless links; the third layer computes on and mines the transmitted data, where cloud computing can be used; finally the resulting data supports applications such as municipal management, security management and control, and emergency response.
To avoid duplicated investment, government departments are considering building the Internet of Things in a unified way. How to use existing resources to achieve unified security authentication of Internet of Things nodes, providing a convenient, fast, high-performance and efficient authentication method, is a difficult problem these departments currently face.
Summary of the utility model
The technical problem the utility model solves is to provide a PKI-based Internet of Things authentication system that authenticates Internet of Things nodes in a unified, convenient and efficient way.
To solve this problem, the utility model proposes a PKI-based Internet of Things authentication system comprising:
a sensor node, which sends heartbeat data encrypted with the host computer public key at a preset report period; the heartbeat data contains the node public key and the node certificate encrypted with the node private key;
a host computer, which receives the heartbeat data and decrypts it with the host computer private key to obtain the node public key and the node certificate encrypted with the node private key; decrypts that node certificate with the node public key to recover the node certificate; generates the random number of this authentication round and sends it together with the node certificate; and receives the authentication result and the random number, learns from them the authentication result of the sensor node that initiated authentication, and receives the data reported by sensor nodes that passed authentication;
a certification authority (CA), which receives the node certificate and the random number, authenticates the node certificate, and sends the authentication result together with the random number.
Further, the system may also have the following feature:
the heartbeat data also contains a heartbeat validity time;
after decrypting the heartbeat data, the host computer first checks whether the heartbeat validity time it obtained is still valid, and only then decrypts the node certificate encrypted with the node private key.
Further, the system may also have the following feature:
after learning that the sensor node that initiated authentication has passed, the host computer starts a timer whose duration is a preset temporary validity period; until the timer expires it does not process further heartbeat data from that authenticated sensor node, and once the timer expires it resumes processing that node's heartbeat data;
the preset temporary validity period is longer than the preset report period.
Further, the system may also have the following feature:
the host computer performs alarm processing if decryption with the host computer private key fails, and/or performs alarm processing when the authentication result learned for the sensor node that initiated authentication is a failure.
Further, the system may also have the following feature:
the node certificate contains a version number, serial number, signature, issuer, validity period, subject and subject public key information.
Further, the system may also have the following feature:
after learning that the sensor node has passed authentication, the host computer generates information prompting the user to update the sensor node's certificate.
The PKI-based Internet of Things authentication system provided by the utility model authenticates Internet of Things nodes in a unified, convenient and efficient way.
Brief description of the drawings
Fig. 1 is a block diagram of a PKI-based Internet of Things authentication system according to an embodiment of the utility model;
Fig. 2 is a flow chart of a PKI-based Internet of Things authentication method according to an embodiment of the utility model.
Detailed description
Embodiments of the utility model are described below with reference to the accompanying drawings.
Fig. 1 shows a PKI-based Internet of Things authentication system according to an embodiment of the utility model. It comprises one or more sensor nodes, a host computer and a certification authority (CA), where:
the sensor node sends heartbeat data encrypted with the host computer public key at a preset report period; the heartbeat data contains the node public key and the node certificate encrypted with the node private key;
the host computer receives the heartbeat data, decrypts it with the host computer private key, and obtains the node public key and the node certificate encrypted with the node private key; decrypts that node certificate with the node public key to recover the node certificate; generates the random number of this authentication round and sends it to the CA together with the node certificate; and receives the authentication result and random number returned by the CA, learns from them the authentication result of the sensor node that initiated authentication, and receives the data reported by sensor nodes that passed authentication;
the CA receives the node certificate and random number sent by the host computer, authenticates the node certificate, and sends the authentication result together with the random number back to the host computer.
Each sensor node has its own certificate, which may be issued by the CA, for example per region type or per industry type; the utility model does not restrict this.
In this embodiment the sensor node sends its authentication request to the host computer in the form of heartbeat data, and a key-protection mechanism is added between the host computer and the sensor node: the host computer first confirms the correctness of the heartbeat data and only then passes the certificate to the CA for authentication, and the CA returns the result to the host computer. Using PKI technology, an Internet of Things authentication architecture suited to the characteristics of the Internet of Things is thereby established, which authenticates sensor nodes effectively and guarantees the reliability of Internet of Things data. (In standard PKI terms, "encrypting the certificate with the node private key" so that it can be "decrypted with the node public key" is a digital signature: it lets the host computer check that the sender holds the private key matching the node public key, but it does not hide the certificate. Confidentiality of the heartbeat comes only from its encryption under the host computer public key.)
Preferably, to save host computer resources, the heartbeat data may also contain a heartbeat validity time. After decrypting the heartbeat data, the host computer obtains this validity time and, before decrypting the node certificate encrypted with the node private key, first checks whether it is still valid; only if it is does it decrypt the node certificate. If it is not, the host computer treats the heartbeat data as expired and no longer accurate, and may discard it without performing the certificate decryption step.
Preferably, also to save host computer resources, after learning that the sensor node that initiated authentication has passed, the host computer starts a timer whose duration is a preset temporary validity period. Until the timer expires it does not process further heartbeat data from that sensor node; once the timer expires it resumes processing that node's heartbeat data. The preset temporary validity period is longer than the preset report period.
Preferably, the PKI-based Internet of Things authentication system of the utility model may also include an alarm mechanism. Specifically, the host computer may perform alarm processing if decryption with the host computer private key fails, and/or may perform alarm processing when the authentication result learned for the sensor node that initiated authentication is a failure.
Because sensor nodes have limited transmission capacity and low transmission speed, this embodiment preferably trims the information in the X.509 certificate, keeping only the key fields, so as to reduce the amount of data transmitted and better suit the characteristics of the Internet of Things. The embodiment provides a node certificate that may contain a version number, serial number, signature, issuer, validity period, subject and subject public key information, where:
the version number identifies the certificate version (version 1, version 2 or version 3);
the serial number is the unique identifier assigned to this certificate by the certificate issuer;
the signature field is the signature algorithm identifier, made up of an object identifier plus its parameters, and states the digital signature algorithm used for this certificate; for example, the object identifier for SHA-1 with RSA states that the signature is the SHA-1 hash encrypted with RSA (SHA-1 is no longer considered collision-resistant, so a current deployment would use SHA-256 with RSA or ECDSA instead);
the issuer is the distinguished name (DN) of the certificate issuer;
the validity period is the time interval during which the certificate is valid; its field consists of the two values "notBefore" and "notAfter", each expressed as a UTCTime or a GeneralizedTime (the detailed rules are in RFC 2459);
the subject is the distinguished name of the certificate owner; this field must be non-empty unless an alternative name is given in a certificate extension;
the subject public key information is the subject's public key together with its algorithm identifier.
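The trimmed node certificate above, as an added example that is not part of the patent or of the applicant's implementation: a small Python encoder/decoder for the seven retained fields, with the validity period written and read according to the RFC 2459 rules the text refers to (UTCTime with a two-digit year through 2049, GeneralizedTime from 2050 on), and a check of whether a certificate is valid at a given time. The compact JSON wire form, the field names and the sample certificate are assumptions; the patent fixes no encoding.

```python
# Added example, not code from the patent: encode/decode the trimmed node certificate
# (version, serial number, signature algorithm, issuer, validity, subject, subject public
# key info) and check its validity period.  Compact JSON wire form is an assumption.
# Times follow RFC 2459 section 4.1.2.5: UTCTime "YYMMDDHHMMSSZ" (50-99 = 1950-1999,
# 00-49 = 2000-2049) through 2049, GeneralizedTime "YYYYMMDDHHMMSSZ" from 2050 on.
import json
from datetime import datetime, timezone

FIELDS = ("version", "serialNumber", "signature", "issuer", "validity", "subject", "subjectPublicKeyInfo")

def encode_time(dt: datetime) -> str:
    """Encode an aware datetime as X.509 UTCTime or GeneralizedTime per RFC 2459."""
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:
        return dt.strftime("%y%m%d%H%M%SZ")
    return dt.strftime("%Y%m%d%H%M%SZ")

def decode_time(text: str) -> datetime:
    """Decode either time form; only the Zulu (UTC) forms RFC 2459 requires are accepted."""
    if not text.endswith("Z") or len(text) not in (13, 15):
        raise ValueError(f"malformed time: {text!r}")
    body = text[:-1]
    if len(body) == 12:                       # UTCTime: two-digit year with the 50/49 pivot
        yy = int(body[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), body[2:]
    else:                                     # GeneralizedTime: four-digit year
        year, rest = int(body[:4]), body[4:]
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)

def encode_cert(cert: dict) -> bytes:
    missing = [f for f in FIELDS if f not in cert]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if not cert["subject"]:                   # the trimmed form carries no extensions, so no subjectAltName fallback
        raise ValueError("subject must be non-empty")
    wire = {f: cert[f] for f in FIELDS}
    wire["validity"] = {k: encode_time(v) for k, v in cert["validity"].items()}
    return json.dumps(wire, sort_keys=True, separators=(",", ":")).encode()

def decode_cert(data: bytes) -> dict:
    wire = json.loads(data)
    if set(wire) != set(FIELDS):
        raise ValueError("unexpected field set")
    wire["validity"] = {k: decode_time(wire["validity"][k]) for k in ("notBefore", "notAfter")}
    return wire

def validity_status(cert: dict, now: datetime) -> str:
    """'valid', 'not-yet-valid' or 'expired' at time `now`."""
    not_before, not_after = cert["validity"]["notBefore"], cert["validity"]["notAfter"]
    if now < not_before:
        return "not-yet-valid"
    return "expired" if now > not_after else "valid"

# Constructed sample certificate (not from the patent); both validity ends fall before 2050,
# so both are written as UTCTime.
SAMPLE_CERT = {
    "version": 3,
    "serialNumber": 1001,
    "signature": {"algorithm": "sha256WithRSAEncryption"},
    "issuer": "C=CN,O=IoT CA",
    "validity": {"notBefore": datetime(2011, 1, 1, tzinfo=timezone.utc),
                 "notAfter": datetime(2012, 12, 31, 23, 59, 59, tzinfo=timezone.utc)},
    "subject": "C=CN,O=IoT,CN=sensor-0001",
    "subjectPublicKeyInfo": {"algorithm": "rsaEncryption", "publicKey": "<base64 key bytes>"},
}
```

The host computer's "heartbeat validity time" check and the certificate's own validity period are different things: the first is a freshness window on the message, the second is a property of the certificate that the CA (or the host computer) checks with `validity_status`.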
Preferably, the PKI-based Internet of Things authentication system of the embodiment manages certificates flexibly to further secure authentication. For example, a certificate update function can be provided: in a concrete implementation the host computer, after each authentication round, i.e. after receiving the authentication result, prompts the user to update the certificate in time. Certificates can also be revoked according to different requirements, and revocation status can be published, for example by OCSP online query, and so on.
An embodiment of the utility model also provides a method of Internet of Things authentication using the above system, shown in Fig. 2, comprising the steps:
Step S201: the sensor node sends heartbeat data encrypted with the host computer public key to the host computer at a preset report period; the heartbeat data contains the node public key and the node certificate encrypted with the node private key;
Step S202: after receiving the heartbeat data, the host computer decrypts it with the host computer private key to obtain the node public key and the node certificate encrypted with the node private key; decrypts that node certificate with the node public key to recover the node certificate; generates the random number of this authentication round and sends it to the certification authority (CA) together with the node certificate;
Step S203: after receiving the node certificate and the random number, the CA authenticates the node certificate and sends the authentication result together with the random number to the host computer;
Step S204: the host computer learns the authentication result of the sensor node that initiated authentication from the authentication result and random number it receives.
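The four steps above, as an added example that is not code from the patent or its applicant: a single-process Python simulation of the sensor node, the host computer and the CA. The patent does not say which algorithms are used, so textbook RSA over a SHA-256 digest stands in for "encrypt with the node private key / decrypt with the node public key" (in standard terms, a signature and its verification), an RSA-KEM with a SHA-256 keystream and HMAC tag stands in for "encrypt with the host computer public key", messages are canonical JSON, and the CA "authenticates" a certificate by checking its own signature over it and a revocation set. All of that, and the host computer's check that the node public key in the heartbeat equals the key inside the certificate, are assumptions added here; the cryptography is illustrative only, not for production.

```python
# Added example, not code from the patent or its applicant; see the lead-in for the
# assumptions (textbook RSA for sign/verify, RSA-KEM for the host-key encryption, JSON
# messages, CA checks its own signature plus a revocation set).  Toy cryptography only.
import hashlib, hmac, json, secrets

E, _rng = 65537, secrets.SystemRandom()

def _probable_prime(n, rounds=20):                        # Miller-Rabin
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):                                 # returns ((n, e), (n, d))
    def prime():
        while True:
            c = _rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:
            return (p * q, E), (p * q, pow(E, -1, phi))

def canonical(obj): return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
def _digest(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data): return pow(_digest(data), priv[1], priv[0])            # "encrypt with the private key"
def verify(pub, data, sig): return pow(sig, pub[1], pub[0]) == _digest(data)  # "decrypt with the public key"

def _stream(key, data):                                   # SHA-256 in counter mode, toy stream cipher
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def pk_encrypt(pub, plaintext):
    n, e = pub
    x = _rng.randrange(2, n - 1)                           # KEM: both session keys derive from x
    xb = x.to_bytes((n.bit_length() + 7) // 8, "big")
    ct = _stream(hashlib.sha256(b"enc" + xb).digest(), plaintext)
    tag = hmac.new(hashlib.sha256(b"mac" + xb).digest(), ct, "sha256").hexdigest()
    return {"kem": pow(x, e, n), "ct": ct.hex(), "tag": tag}

def pk_decrypt(priv, packet):
    n, d = priv
    xb = pow(packet["kem"], d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    ct = bytes.fromhex(packet["ct"])
    tag = hmac.new(hashlib.sha256(b"mac" + xb).digest(), ct, "sha256").hexdigest()
    if not hmac.compare_digest(tag, packet["tag"]):
        raise ValueError("decryption failed")             # wrong key or tampered packet
    return _stream(hashlib.sha256(b"enc" + xb).digest(), ct)

class CA:                                                 # step S203
    def __init__(self):
        self.pub, self.priv = rsa_keygen()
        self.revoked = set()
    def issue(self, serial, subject, node_pub, not_after):
        body = {"version": 3, "serial": serial, "issuer": "CN=IoT CA", "subject": subject,
                "notAfter": not_after, "spki": list(node_pub)}
        return {**body, "caSig": sign(self.priv, canonical(body))}
    def authenticate(self, cert, nonce):
        body = {k: v for k, v in cert.items() if k != "caSig"}
        ok = verify(self.pub, canonical(body), cert["caSig"]) and cert["serial"] not in self.revoked
        return {"ok": ok, "nonce": nonce}                  # the random number travels back with the result

def node_heartbeat(node_pub, node_priv, cert, host_pub):  # step S201
    signed = {"cert": cert, "nodeSig": sign(node_priv, canonical(cert))}
    return pk_encrypt(host_pub, canonical({"nodePub": list(node_pub), "signedCert": signed}))

class Host:                                               # steps S202 and S204
    def __init__(self, ca):
        self.pub, self.priv = rsa_keygen()
        self.ca, self.alarms, self.pending = ca, [], {}
    def _alarm(self, reason):                             # the patent's alarm processing
        self.alarms.append(reason)
    def handle_heartbeat(self, packet):
        try:
            hb = json.loads(pk_decrypt(self.priv, packet))
        except ValueError:
            return self._alarm("decrypt-failed")
        cert, sig = hb["signedCert"]["cert"], hb["signedCert"]["nodeSig"]
        # The key that "decrypts" the certificate must be the key the certificate certifies
        # (a check the patent does not spell out), and the node signature must verify.
        if hb["nodePub"] != cert["spki"] or not verify(tuple(cert["spki"]), canonical(cert), sig):
            return self._alarm("bad-node-signature")
        nonce = secrets.token_hex(16)                      # fresh random number for this round
        self.pending[nonce] = cert["subject"]
        return self.handle_ca_result(self.ca.authenticate(cert, nonce))
    def handle_ca_result(self, result):
        subject = self.pending.pop(result["nonce"], None)
        if subject is None:                                # reply not tied to a live round
            return self._alarm("unknown-nonce")
        if not result["ok"]:
            self._alarm("auth-failed:" + subject)
        return subject, result["ok"]

def run_exchange():
    """Constructed scenario: a valid node, the same certificate after revocation, then a
    copied certificate re-signed by a different key pair."""
    ca = CA()
    host = Host(ca)
    node_pub, node_priv = rsa_keygen()
    cert = ca.issue(1, "CN=sensor-0001", node_pub, "121231235959Z")
    good = host.handle_heartbeat(node_heartbeat(node_pub, node_priv, cert, host.pub))
    ca.revoked.add(1)
    revoked = host.handle_heartbeat(node_heartbeat(node_pub, node_priv, cert, host.pub))
    forged = host.handle_heartbeat(node_heartbeat(*rsa_keygen(), cert, host.pub))
    return good, revoked, forged, host.alarms
```

The random number is created by the host computer for each round and is what lets it match a CA reply to the heartbeat that caused it; a reply carrying a random number the host computer does not have outstanding is alarmed and dropped. Revocation is the case where the CA's answer changes for an otherwise well-formed heartbeat, and the copied-certificate case is why the host computer compares the node public key in the heartbeat with the key inside the certificate before trusting the "decryption with the node public key".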
Each sensor node has its own certificate, which may be issued by the CA, for example per region type or per industry type; the utility model does not restrict this.
After learning a sensor node's authentication result, the host computer can process data according to that result, for example by accepting only the data of sensor nodes that passed authentication, which guarantees the reliability of the data. In this embodiment the sensor node sends its authentication request to the host computer in the form of heartbeat data, and a key-protection mechanism is added between the host computer and the sensor node: the host computer first confirms the correctness of the heartbeat data and only then passes the certificate to the CA for authentication, and the CA returns the result to the host computer. Using PKI technology, an Internet of Things authentication architecture suited to the characteristics of the Internet of Things is thereby established, guaranteeing the reliability of Internet of Things data.
When step S201 is executed, the heartbeat data reported by the sensor node may also contain a heartbeat validity time. Correspondingly, when step S202 is executed, the host computer obtains the heartbeat validity time after decrypting the heartbeat data and, before decrypting the node certificate encrypted with the node private key, first checks whether that validity time is still valid; only if it is does it decrypt the node certificate. If it is not, the heartbeat data is considered expired and no longer accurate and may be discarded without performing the certificate decryption step, which saves host computer resources.
When step S204 is executed, after learning that the sensor node that initiated authentication has passed, the host computer may also start a timer whose duration is a preset temporary validity period. Until the timer expires it does not process further heartbeat data from that sensor node; once the timer expires it resumes processing that node's heartbeat data, which saves host computer resources. The preset temporary validity period is longer than the preset report period.
Preferably, an alarm mechanism can also be added. For example, when step S202 is executed and decryption with the host computer private key fails, the host computer can perform alarm processing. Likewise, when step S204 is executed and the authentication result learned for the sensor node that initiated authentication is a failure, the host computer can perform alarm processing.
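The host-side handling in the three paragraphs above (heartbeat validity time, the temporary validity period started after a pass, and alarm processing), as an added example that is not the patent's own code: a Python policy object driven by a constructed heartbeat schedule. The CA round trip is injected as a callable so that the timing logic can be exercised on its own; integer seconds for all times and the names used here are assumptions.

```python
# Added example, not code from the patent: the host computer's handling of the heartbeat
# validity time, the temporary validity period after a pass, and alarm processing.
# Assumptions: times are integer seconds and the CA round trip is an injected callable.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class HeartbeatPolicy:
    report_period: int                        # preset report period of the sensor nodes
    temp_validity: int                        # preset temporary validity period (timer length)
    authenticate: Callable[[str], bool]       # steps S202-S204 collapsed: node id -> passed?
    valid_until: dict = field(default_factory=dict)   # node id -> time its timer expires
    alarms: list = field(default_factory=list)
    ca_calls: int = 0

    def __post_init__(self):
        if self.temp_validity <= self.report_period:  # otherwise the timer never spans a report
            raise ValueError("temporary validity period must exceed the report period")

    def on_heartbeat(self, node_id: str, heartbeat_valid_until: int, now: int) -> str:
        """Return what the host computer did with one decrypted heartbeat."""
        if heartbeat_valid_until < now:       # stale: drop before the costly certificate step
            return "discarded-stale"
        if now < self.valid_until.get(node_id, 0):
            return "accepted-within-validity"  # timer running: take the data, skip re-authentication
        self.ca_calls += 1
        if self.authenticate(node_id):
            self.valid_until[node_id] = now + self.temp_validity   # start the timer
            return "accepted-authenticated"
        self.valid_until.pop(node_id, None)
        self.alarms.append((now, node_id))   # alarm processing on authentication failure
        return "rejected"

def run_schedule():
    """Constructed schedule: node A reports every 10 s with a 5 s heartbeat validity time,
    one of its heartbeats is delayed past that time, and node B is unknown to the CA."""
    policy = HeartbeatPolicy(report_period=10, temp_validity=25, authenticate=lambda nid: nid == "A")
    log = [policy.on_heartbeat("A", t + 5, t) for t in (0, 10, 20, 30, 40)]
    log.append(policy.on_heartbeat("A", 55, 56))          # sent at 50, delivered at 56
    log.append(policy.on_heartbeat("B", 65, 60))
    return log, policy.ca_calls, policy.alarms
```

With a 10 s report period and a 25 s temporary validity period, node A costs one CA round trip per three heartbeats rather than one per heartbeat; the stale heartbeat is dropped before any certificate work, and the unknown node produces an alarm.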
Of course, the utility model may have many other embodiments; without departing from the spirit and essence of the utility model, those skilled in the art can make various corresponding changes and variations to it, and all such changes and variations fall within the scope of protection of the appended claims of the utility model.

Claims (5)

a host computer for decrypting the heartbeat data of the sensor node with the host computer private key to obtain the node public key and the node certificate encrypted with the node private key; decrypting that node certificate with the node public key to obtain the node certificate; and generating the random number of this authentication round; the host computer being connected to the certification authority, sending the random number together with the node certificate to the certification authority and receiving the authentication result and random number from the certification authority, learning therefrom the authentication result of the sensor node that initiated authentication; and being connected to the sensor node and receiving from it the data reported by sensor nodes that passed authentication;
Priority application: CN2010206780930U, priority date 2010-12-23, filing date 2010-12-23, Public key infrastructure (PKI) technology-based internet-of-things authentication system (Expired - Lifetime).
Publication: CN202103686U, published 2012-01-04.
Family ID: 45389683; one family application (CN2010206780930U, CN only).

Cited By (2)

* Cited by examiner, † Cited by third party
CN102571338A (*), priority 2010-12-23, published 2012-07-11, 北京时代凌宇科技有限公司: PKI (Public Key Infrastructure)-based method and system for certifying internet of things
CN102571338B (*), priority 2010-12-23, published 2015-09-23, 北京时代凌宇科技有限公司: A kind of Internet of Things authentication method based on PKI technology and system


Legal Events

C14 / GR01: Grant of patent or utility model (granted publication date 2012-01-04)
C56: Change in the name or address of the patentee. Owner name: BEIJING TIMELOIT TECHNOLOGY CO., LTD.; former name: BEIJING LOIT TECHNOLOGY CO., LTD.
CP01: Change in the name or title of a patent holder. Patentee before: Beijing LOIT Technology Co., Ltd.; patentee after: Beijing times Polytron Technologies Inc. Address before and after: 100096 Beijing City, Haidian District Xisanqi building materials City Road No. 18 building 4 layer Bestpower
CX01: Expiry of patent term

