CN106549924B - A kind of communication security protection methods, devices and systems - Google Patents
A kind of communication security protection methods, devices and systems Download PDFInfo
- Publication number
- CN106549924B CN106549924B CN201510609796.5A CN201510609796A CN106549924B CN 106549924 B CN106549924 B CN 106549924B CN 201510609796 A CN201510609796 A CN 201510609796A CN 106549924 B CN106549924 B CN 106549924B
- Authority
- CN
- China
- Prior art keywords
- information
- para
- payload
- terminal
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
技术领域technical field
本发明涉及计算机技术,尤其涉及一种通信安全防护方法、装置和系统。The present invention relates to computer technology, and in particular, to a communication security protection method, device and system.
背景技术Background technique
通常,物联网公司开发开放云平台,参见图1所示,第三方应用通过http client操作开放云平台提供的资源;设备实现OneNet提供的RestFUL接口,将业务数据封装成开放平台要求的格式传输到OneNet进行存储。第三方应用需要业务数据时,通过RestFUL接口获取。Usually, IoT companies develop open cloud platforms, as shown in Figure 1, third-party applications operate the resources provided by the open cloud platform through http clients; the device implements the RestFUL interface provided by OneNet, and encapsulates business data into the format required by the open platform and transmits it to OneNet for storage. When third-party applications need business data, they can be obtained through the RestFUL interface.
参见图2所示,平台提供设备(device)、数据流(datastream)、数据点(datapoint)、触发器(trigger)、API key等资源,通过REST API可以对平台进行增删查改操作。Referring to Figure 2, the platform provides resources such as devices, data streams, data points, triggers, and API keys. The platform can be added, deleted, checked, and modified through the REST API.
每个平台用户,可以创建自己的设备列表,设定设备相关属性;每个设备下,可以创建多个数据流;数据流是某一类按时间顺序存储的数据点;数据点则是以时间戳为key,任意json数据类型为value的key-value对;针对每个数据流,可设定对数据点进行监控的触发器;Key是用来规定用户是否具有操作相关资源的权限,细化到数据流级别;使用标准HTTP方法实现资源操作。Each platform user can create its own device list and set device-related properties; under each device, multiple data streams can be created; a data stream is a certain type of data points stored in chronological order; data points are based on time The stamp is the key, and any json data type is a key-value pair of value; for each data stream, triggers for monitoring data points can be set; the key is used to specify whether the user has the authority to operate related resources, refinement to the data stream level; resource operations are implemented using standard HTTP methods.
现有技术中根据规范说明,参见图3所示,API key以“api-key:xxxx-ffff-zzzzz”的格式放在HTTP头部信息中,以明文方式发送。根据设计原理,API key是用于物联网OneNet云平台鉴别物联网终端设备身份的密钥。但该密钥通过明文方式发送,在攻击者截获相关消息时,可直接解析获得API key,进而攻击者可以使用同样的API key冒充物联网终端发送虚假消息,从而使得物联网OneNet云平台收到错误的反馈信息或者请求。According to the specification in the prior art, as shown in FIG. 3 , the API key is placed in the HTTP header information in the format of "api-key:xxxx-ffff-zzzzz" and sent in plain text. According to the design principle, the API key is the key used to identify the identity of the IoT terminal device on the IoT OneNet cloud platform. However, the key is sent in plain text. When the attacker intercepts the relevant message, he can directly parse and obtain the API key, and then the attacker can use the same API key to pretend to be an IoT terminal to send false messages, so that the IoT OneNet cloud platform receives Incorrect feedback or requests.
传统的解决方案是对API key进行加密,但是加密之后将无法解决设备识别的问题,并且会面临消息被截获后被重放的问题。The traditional solution is to encrypt the API key, but after encryption, it will not solve the problem of device identification, and will face the problem of the message being replayed after being intercepted.
或者传统的解决方案是通过挑战/响应类流程完成对用户身份的验证之后,再通过同时产生的会话密钥对后续消息进行保护。但是,这种方法将带来额外的流程与密钥的计算,将会导致设备额外的开销,对于物联网的终端这种资源受限的设备代价巨大。Or the traditional solution is to use the challenge/response process to complete the authentication of the user's identity, and then use the session key generated at the same time to protect the subsequent messages. However, this method will bring extra process and key calculation, which will lead to extra overhead of the device, which is very expensive for the resource-constrained device such as the terminal of the Internet of Things.
发明内容SUMMARY OF THE INVENTION
为解决现有存在的技术问题,本发明实施例提供一种通信安全防护方法、装置和系统。In order to solve the existing technical problems, the embodiments of the present invention provide a communication security protection method, device and system.
本发明实施例提供一种通信安全防护方法,应用于物联网,所述方法包括:An embodiment of the present invention provides a communication security protection method, which is applied to the Internet of Things, and the method includes:
终端根据预设的第一规则生成特定的参数Para;The terminal generates a specific parameter Para according to the preset first rule;
根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;Generate a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para;
根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息并发送给服务器;According to the identification Device ID of the terminal, the Payload, the Para and the digest message, generate first information and send it to the server;
所述服务器根据所述第一信息中的所述Device ID获取预存的API Key;The server obtains a pre-stored API Key according to the Device ID in the first information;
根据所述预存的API Key、所述第一信息中的所述Payload和所述Para,计算得到验证值;Calculate the verification value according to the pre-stored API Key, the Payload and the Para in the first information;
将所述验证值与所述第一信息中的所述摘要消息进行对比;comparing the verification value with the digest message in the first information;
当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过。When the verification value matches the digest message, it is determined that the authentication of the first information is passed.
其中,所述方法还包括:Wherein, the method also includes:
所述服务器判断所述第一信息中的所述Para是否满足预设的条件;The server determines whether the Para in the first information satisfies a preset condition;
当所述Para不满足预设的条件时,确定所述第一信息为重放的信息;When the Para does not meet the preset condition, determine that the first information is replayed information;
当所述Para满足预设的条件时,进行根据所述第一信息中的所述Device ID获取预存的API Key的步骤。When the Para meets the preset condition, the step of acquiring the pre-stored API Key according to the Device ID in the first information is performed.
其中,所述方法还包括:Wherein, the method also includes:
所述终端根据预设的第二规则生成第一随机数RAND;generating, by the terminal, a first random number RAND according to a preset second rule;
相应的,所述生成摘要消息包括:Correspondingly, the generating a summary message includes:
根据API Key、所要传递的消息Payload、所述Para以及所述RAND,生成摘要消息;Generate a digest message according to the API Key, the message Payload to be delivered, the Para and the RAND;
所述生成第一信息包括:The generating the first information includes:
根据所述终端的标识Device ID、所述Payload、所述Para、所述RAND以及所述摘要消息,生成第一信息;generating first information according to the identification Device ID of the terminal, the Payload, the Para, the RAND and the digest message;
所述计算得到验证值包括:The verification value obtained by the calculation includes:
根据所述预存的API Key、所述第一信息中的所述Payload、所述Para和所述RAND,计算得到验证值。The verification value is calculated and obtained according to the pre-stored API Key, the Payload, the Para and the RAND in the first information.
其中,所述方法还包括:Wherein, the method also includes:
检测所述终端的状态;detecting the state of the terminal;
当所述终端处于第一状态时,根据预设的第三规则生成第二随机参数KDF_p;When the terminal is in the first state, generate a second random parameter KDF_p according to a preset third rule;
根据API Key和所述KDF_p,生成密钥;Generate a key according to the API Key and the KDF_p;
相应的,所述生成摘要消息包括:Correspondingly, the generating a summary message includes:
根据所述密钥、所要传递的消息Payload、所述Para以及所述KDF_p,生成摘要消息;Generate a digest message according to the key, the message Payload to be delivered, the Para and the KDF_p;
所述生成第一信息包括:The generating the first information includes:
根据所述终端的标识Device ID、所述Payload、所述Para、所述KDF_p以及所述摘要消息,生成第一信息;generating first information according to the identification Device ID of the terminal, the Payload, the Para, the KDF_p and the digest message;
所述计算得到验证值包括:The verification value obtained by the calculation includes:
根据所述预存的API Key和所述KDF_p,生成验证密钥;Generate a verification key according to the pre-stored API Key and the KDF_p;
根据所述验证密钥、所述第一信息中的所述Payload、所述Para和所述KDF_p,计算得到验证值。According to the verification key, the Payload, the Para and the KDF_p in the first information, the verification value is obtained by calculation.
其中,所述生成摘要消息包括:Wherein, the generating a summary message includes:
通过HMAC函数生成摘要消息。Digest messages are generated by the HMAC function.
本发明实施例提供一种通信安全防护方法,应用于物联网,所述方法包括:An embodiment of the present invention provides a communication security protection method, which is applied to the Internet of Things, and the method includes:
终端根据预设的第一规则生成特定的参数Para;The terminal generates a specific parameter Para according to the preset first rule;
根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;Generate a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para;
根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息并发送给服务器;以使所述服务器根据所述第一信息中的信息对所述第一信息进行鉴权。According to the identification Device ID of the terminal, the Payload, the Para and the digest message, first information is generated and sent to the server; information is authenticated.
其中,所述方法还包括:Wherein, the method also includes:
所述终端根据预设的第二规则生成第一随机数RAND;generating, by the terminal, a first random number RAND according to a preset second rule;
相应的,所述生成摘要消息包括:Correspondingly, the generating a summary message includes:
根据API Key、所要传递的消息Payload、所述Para以及所述RAND,生成摘要消息;Generate a digest message according to the API Key, the message Payload to be delivered, the Para and the RAND;
所述生成第一信息包括:The generating the first information includes:
根据所述终端的标识Device ID、所述Payload、所述Para、所述RAND以及所述摘要消息,生成第一信息;以使所述服务器能够根据所述预存的API Key、所述第一信息中的所述Payload、所述Para和所述RAND,计算得到验证值,以对所述第一信息进行鉴权。Generate first information according to the identification Device ID of the terminal, the Payload, the Para, the RAND and the digest message; so that the server can use the pre-stored API Key, the first information The Payload, the Para and the RAND in , are calculated to obtain a verification value to authenticate the first information.
其中,所述方法还包括:Wherein, the method also includes:
检测所述终端的状态;detecting the state of the terminal;
当所述终端处于第一状态时,根据预设的第三规则生成第二随机参数KDF_p;When the terminal is in the first state, generate a second random parameter KDF_p according to a preset third rule;
根据API Key和所述KDF_p,生成密钥;Generate a key according to the API Key and the KDF_p;
相应的,所述生成摘要消息包括:Correspondingly, the generating a summary message includes:
根据所述密钥、所要传递的消息Payload、所述Para以及所述KDF_p,生成摘要消息;Generate a digest message according to the key, the message Payload to be delivered, the Para and the KDF_p;
所述生成第一信息包括:The generating the first information includes:
根据所述终端的标识Device ID、所述Payload、所述Para、所述KDF_p以及所述摘要消息,生成第一信息;以使所述服务器能够根据所述预存的API Key和所述KDF_p,生成验证密钥;并根据所述验证密钥、所述第一信息中的所述Payload、所述Para和所述KDF_p,计算得到验证值,以对所述第一信息进行鉴权。Generate the first information according to the identification Device ID of the terminal, the Payload, the Para, the KDF_p and the digest message; so that the server can generate the first information according to the pre-stored API Key and the KDF_p A verification key; and a verification value is calculated according to the verification key, the Payload, the Para and the KDF_p in the first information to authenticate the first information.
本发明实施例另一种通信安全防护方法,应用于物联网,所述方法包括:Another communication security protection method according to an embodiment of the present invention is applied to the Internet of Things, and the method includes:
服务器接收终端发来的第一信息;所述第一信息包括:API Key、特定的参数Para、所要传递的消息Payload和摘要消息;所述参数Para是所述终端根据预设的第一规则生成的,所述摘要消息是根据所述API Key、所述Payload以及所述Para生成的;The server receives the first information sent by the terminal; the first information includes: API Key, a specific parameter Para, the message Payload to be delivered, and a digest message; the parameter Para is generated by the terminal according to a preset first rule , the digest message is generated according to the API Key, the Payload and the Para;
根据所述第一信息中的Device ID获取预存的API Key;Acquire a pre-stored API Key according to the Device ID in the first information;
根据所述预存的API Key、所述第一信息中的Payload和Para,计算得到验证值;Calculate the verification value according to the pre-stored API Key, Payload and Para in the first information;
将所述验证值与所述第一信息中的摘要消息进行对比;comparing the verification value with the digest message in the first information;
当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过。When the verification value matches the digest message, it is determined that the authentication of the first information is passed.
其中,所述方法还包括:Wherein, the method also includes:
所述服务器判断所述第一信息中的所述Para是否满足预设的条件;The server determines whether the Para in the first information satisfies a preset condition;
当所述Para不满足预设的条件时,确定所述第一信息为重放的信息;When the Para does not meet the preset condition, determine that the first information is replayed information;
当所述Para满足预设的条件时,进行根据所述第一信息中的所述Device ID获取预存的API Key的步骤。When the Para meets the preset condition, the step of acquiring the pre-stored API Key according to the Device ID in the first information is performed.
本发明实施例再一种通信安全防护系统,应用于物联网,所述系统包括终端和服务器:Another communication security protection system according to the embodiment of the present invention is applied to the Internet of Things, and the system includes a terminal and a server:
所述终端,用于根据预设的第一规则生成特定的参数Para;根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息并发送给所述服务器;The terminal is used to generate a specific parameter Para according to the preset first rule; according to the application programming interface key API Key, the message Payload to be delivered and the Para, generate a summary message; according to the identification Device of the terminal ID, the Payload, the Para and the digest message, generate first information and send it to the server;
所述服务器,用于根据所述第一信息中的所述Device ID获取预存的API Key;根据所述预存的API Key、所述第一信息中的所述Payload和所述Para,计算得到验证值;将所述验证值与所述第一信息中的所述摘要消息进行对比;当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过。The server is configured to obtain a pre-stored API Key according to the Device ID in the first information; according to the pre-stored API Key, the Payload and the Para in the first information, the calculation is verified value; compare the verification value with the digest message in the first information; when the verification value matches the digest message, it is determined that the authentication of the first information is passed.
本发明实施例提供一种终端,应用于物联网,所述终端包括:An embodiment of the present invention provides a terminal, which is applied to the Internet of Things, and the terminal includes:
第一生成单元,用于根据预设的第一规则生成特定的参数Para;a first generating unit, configured to generate a specific parameter Para according to a preset first rule;
第二生成单元,用于根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;A second generating unit, configured to generate a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para;
第三生成单元,用于根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息A third generating unit, configured to generate the first information according to the identification Device ID of the terminal, the Payload, the Para and the digest message
发送单元,用于将所述第一信息发送给服务器;以使所述服务器根据所述第一信息中的信息对所述第一信息进行鉴权。A sending unit, configured to send the first information to a server; so that the server authenticates the first information according to the information in the first information.
其中,所述终端还包括:Wherein, the terminal also includes:
第四生成单元,用于根据预设的第二规则生成第一随机数RAND;a fourth generating unit, configured to generate a first random number RAND according to a preset second rule;
相应的,所述第二生成单元:用于根据API Key、所要传递的消息Payload、所述Para以及所述RAND,生成摘要消息;Correspondingly, the second generating unit is configured to generate a digest message according to the API Key, the message Payload to be delivered, the Para and the RAND;
所述第三生成单元:用于根据所述终端的标识Device ID、所述Payload、所述Para、所述RAND以及所述摘要消息,生成第一信息;以使所述服务器能够根据所述预存的API Key、所述第一信息中的所述Payload、所述Para和所述RAND,计算得到验证值,以对所述第一信息进行鉴权。The third generating unit: configured to generate the first information according to the identification Device ID of the terminal, the Payload, the Para, the RAND and the digest message; so that the server can The API Key, the Payload, the Para and the RAND in the first information are calculated to obtain a verification value to authenticate the first information.
其中,所述终端还包括:Wherein, the terminal also includes:
检测单元,用于检测所述终端的状态;a detection unit, configured to detect the state of the terminal;
第五生成单元,用于当所述终端处于第一状态时,根据预设的第三规则生成第二随机参数KDF_p;根据API Key和所述KDF_p,生成密钥;a fifth generating unit, configured to generate a second random parameter KDF_p according to a preset third rule when the terminal is in the first state; generate a key according to the API Key and the KDF_p;
相应的,所述第二生成单元:用于根据所述密钥、所要传递的消息Payload、所述Para以及所述KDF_p,生成摘要消息;Correspondingly, the second generating unit is configured to generate a digest message according to the key, the message Payload to be delivered, the Para and the KDF_p;
所述第三生成单元:用于根据所述终端的标识Device ID、所述Payload、所述Para、所述KDF_p以及所述摘要消息,生成第一信息;以使所述服务器能够根据所述预存的API Key和所述KDF_p,生成验证密钥;并根据所述验证密钥、所述第一信息中的所述Payload、所述Para和所述KDF_p,计算得到验证值,以对所述第一信息进行鉴权。The third generating unit: configured to generate the first information according to the identification Device ID of the terminal, the Payload, the Para, the KDF_p and the digest message; so that the server can The API Key and the KDF_p are generated, and the verification key is generated; and the verification value is calculated according to the verification key, the Payload in the first information, the Para and the KDF_p to obtain the verification value for the first information. A message is authenticated.
本发明实施例提供一种服务器,应用于物联网,所述服务器包括:An embodiment of the present invention provides a server, which is applied to the Internet of Things, and the server includes:
接收单元,用于接收终端发来的第一信息;所述第一信息包括:API Key、特定的参数Para、所要传递的消息Payload和摘要消息;所述参数Para是所述终端根据预设的第一规则生成的,所述摘要消息是根据所述API Key、所述Payload以及所述Para生成的;a receiving unit, configured to receive the first information sent by the terminal; the first information includes: API Key, a specific parameter Para, the message Payload to be delivered, and a digest message; the parameter Para is preset by the terminal according to the Generated by the first rule, and the digest message is generated according to the API Key, the Payload, and the Para;
获取单元,用于根据所述第一信息中的Device ID获取预存的API Key;an obtaining unit, configured to obtain a pre-stored API Key according to the Device ID in the first information;
计算单元,用于根据所述预存的API Key、所述第一信息中的Payload和Para,计算得到验证值;a computing unit, configured to calculate and obtain a verification value according to the pre-stored API Key, Payload and Para in the first information;
对比单元,将所述验证值与所述第一信息中的摘要消息进行对比;a comparison unit, which compares the verification value with the digest message in the first information;
确定单元,用于当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过。A determining unit, configured to determine that the authentication of the first information is passed when the verification value matches the digest message.
其中,所述服务器还包括:Wherein, the server also includes:
判断单元,用于判断所述第一信息中的所述Para是否满足预设的条件;a judging unit for judging whether the Para in the first information satisfies a preset condition;
所述确定单元,还用于当所述Para不满足预设的条件时,确定所述第一信息为重放的信息;当所述Para满足预设的条件时,控制获取单元执行根据所述第一信息中的所述Device ID获取预存的API Key的操作。The determining unit is further configured to determine that the first information is replayed information when the Para does not meet the preset condition; when the Para meets the preset condition, control the acquisition unit to execute the information according to the The operation of acquiring the pre-stored API Key by the Device ID in the first information.
由上可知,本发明实施例的技术方案包括:终端根据预设的第一规则生成特定的参数Para;根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息并发送给服务器;所述服务器根据所述第一信息中的所述Device ID获取预存的API Key;根据所述预存的API Key、所述第一信息中的所述Payload和所述Para,计算得到验证值;将所述验证值与所述第一信息中的所述摘要消息进行对比;当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过。由此,本发明实施例能够有效解决APIkey被泄露的问题,保证通信安全。As can be seen from the above, the technical solutions of the embodiments of the present invention include: the terminal generates a specific parameter Para according to a preset first rule; generates a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para ; According to the identification Device ID of the terminal, the Payload, the Para and the summary message, generate the first information and send it to the server; The server obtains the pre-stored data according to the Device ID in the first information API Key; calculate a verification value according to the pre-stored API Key, the Payload and the Para in the first information; compare the verification value with the digest message in the first information ; When the verification value matches the digest message, it is determined that the authentication of the first information is passed. Therefore, the embodiments of the present invention can effectively solve the problem of API key being leaked, and ensure communication security.
附图说明Description of drawings
图1为云平台与第三方应用交互的工作原理示意图;Figure 1 is a schematic diagram of the working principle of the interaction between the cloud platform and third-party applications;
图2为云平台的工作原理示意图;Figure 2 is a schematic diagram of the working principle of the cloud platform;
图3为现有技术中API key的发送示意图;Fig. 3 is the sending schematic diagram of API key in the prior art;
图4为本发明提供的一种通信安全防护方法的第一实施例的实现流程图;Fig. 4 is the realization flow chart of the first embodiment of a communication security protection method provided by the present invention;
图5为本发明提供的一种通信安全防护方法的第二实施例的实现流程图;Fig. 5 is the realization flow chart of the second embodiment of a communication security protection method provided by the present invention;
图6为本发明提供的一种通信安全防护方法的第三实施例的实现流程图;Fig. 6 is the realization flow chart of the third embodiment of a communication security protection method provided by the present invention;
图7为本发明提供的一种通信安全防护方法的第四实施例的实现流程图;Fig. 7 is the realization flow chart of the fourth embodiment of a communication security protection method provided by the present invention;
图8为本发明提供的另一种通信安全防护方法的实施例的实现流程图;FIG. 8 is an implementation flowchart of an embodiment of another communication security protection method provided by the present invention;
图9为本发明提供的再一种通信安全防护方法的实施例的实现流程图;Fig. 9 is the realization flow chart of the embodiment of still another communication security protection method provided by the present invention;
图10为本发明提供的一种通信安全防护系统的实施例的结构示意图;10 is a schematic structural diagram of an embodiment of a communication security protection system provided by the present invention;
图11为本发明提供的一种终端的实施例的结构示意图;FIG. 11 is a schematic structural diagram of an embodiment of a terminal provided by the present invention;
图12为本发明提供的一种服务器的实施例的结构示意图;12 is a schematic structural diagram of an embodiment of a server provided by the present invention;
图13为本发明实施例提供的信息发送示意图。FIG. 13 is a schematic diagram of information sending provided by an embodiment of the present invention.
具体实施方式Detailed ways
本发明提供的一种通信安全防护方法的第一实施例,如图4所示,应用于物联网,所述方法包括:The first embodiment of a communication security protection method provided by the present invention, as shown in FIG. 4 , is applied to the Internet of Things, and the method includes:
步骤401、终端根据预设的第一规则生成特定的参数Para;Step 401, the terminal generates a specific parameter Para according to a preset first rule;
这里,本文中所述终端可以是物联网终端。Here, the terminal described herein may be an IoT terminal.
步骤402、根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;Step 402, generate a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para;
具体的,可以根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,通过HMAC函数生成摘要消息。如,HMAC(Payload,API Key,Para)。Specifically, the digest message can be generated through the HMAC function according to the application programming interface key API Key, the message Payload to be delivered, and the Para. For example, HMAC (Payload, API Key, Para).
步骤403、根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息并发送给服务器;Step 403, according to the identification Device ID of the terminal, the Payload, the Para and the digest message, generate first information and send it to the server;
具体的,所述第一信息可以表示为Message(Device ID,Payload,Para,HMAC(Payload,API Key,Para))。Specifically, the first information may be represented as Message (Device ID, Payload, Para, HMAC (Payload, API Key, Para)).
这里,本文中所述服务器可以是物联网OneNet平台。Here, the server described in this article may be an IoT OneNet platform.
步骤404、所述服务器根据所述第一信息中的所述Device ID获取预存的API Key;Step 404, the server obtains a pre-stored API Key according to the Device ID in the first information;
这里,所述Device ID可以和所述API Key对应设置。Here, the Device ID may be set corresponding to the API Key.
步骤405、根据所述预存的API Key、所述第一信息中的所述Payload和所述Para,计算得到验证值;Step 405: Calculate the verification value according to the pre-stored API Key, the Payload and the Para in the first information;
步骤406、将所述验证值与所述第一信息中的所述摘要消息进行对比;Step 406, comparing the verification value with the digest message in the first information;
步骤407、当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过。Step 407: When the verification value matches the digest message, it is determined that the authentication of the first information is passed.
由此,本发明实施例提供的技术方案能够有效解决API key被泄露的问题,保证通信安全。Therefore, the technical solutions provided by the embodiments of the present invention can effectively solve the problem of API key leakage and ensure communication security.
本发明提供的一种通信安全防护方法的第二实施例,如图5所示,应用于物联网,所述方法包括:A second embodiment of a communication security protection method provided by the present invention, as shown in FIG. 5 , is applied to the Internet of Things, and the method includes:
步骤501、终端根据预设的第一规则生成特定的参数Para;Step 501, the terminal generates a specific parameter Para according to a preset first rule;
步骤502、根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;Step 502, generate a digest message according to the application programming interface key API Key, the message Payload to be delivered and the Para;
具体的,可以根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,通过HMAC函数生成摘要消息。Specifically, the digest message can be generated through the HMAC function according to the application programming interface key API Key, the message Payload to be delivered, and the Para.
步骤503、根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息并发送给服务器;Step 503, according to the identification Device ID of the terminal, the Payload, the Para and the digest message, generate first information and send it to the server;
步骤504、所述服务器判断所述第一信息中的所述Para是否满足预设的条件;当所述Para满足预设的条件时,进入步骤505;当所述Para不满足预设的条件时,进入步骤509;Step 504, the server judges whether the Para in the first information satisfies the preset condition; when the Para meets the preset condition, go to step 505; when the Para does not meet the preset condition , enter step 509;
在实际应用中,终端与服务器各自设置一个列表,终端的列表存储不同的Para,服务器的列表用于存储终端发来的通过鉴权的第一信息中的Para,服务器的列表初始为空。In practical applications, the terminal and the server each set a list, the list of the terminal stores different Para, the list of the server is used to store the Para in the first authentication information sent by the terminal, and the list of the server is initially empty.
终端依次从其列表中选取Para。当确定所述第一信息通过验证时,所述服务器按照预设的第二规则记录所述Para;The terminal in turn picks Para from its list. When it is determined that the first information passes the verification, the server records the Para according to a preset second rule;
具体的,所述判断所述第一信息中的所述Para是否满足预设的条件可以包括:Specifically, the judging whether the Para in the first information satisfies a preset condition may include:
判断所述第一信息中的所述Para与所述服务器记录的Para是否相同,当相同时,则确定是重放攻击。It is judged whether the Para in the first information is the same as the Para recorded by the server, and if they are the same, it is determined that it is a replay attack.
或者,在实际应用中,终端与服务器各自设置一个列表,终端的列表存储不同的Para,Para按照时间或者次数同步增长;服务器的列表(初始为空)用于存储终端发来的通过鉴权的第一信息中的Para。Or, in practical applications, the terminal and the server each set up a list, the list of the terminal stores different Para, and the Para grows synchronously according to time or times; Para in the first message.
终端依次从其列表中选取Para。当确定所述第一信息通过验证时,所述服务器按照预设的第二规则记录所述Para;The terminal in turn picks Para from its list. When it is determined that the first information passes the verification, the server records the Para according to a preset second rule;
具体的,所述判断所述第一信息中的所述Para是否满足预设的条件可以包括:Specifically, the judging whether the Para in the first information satisfies a preset condition may include:
判断所述第一信息中的所述Para与所述服务器记录的Para是否相同或者更小,当相同或更小时,则确定是重放攻击。It is judged whether the Para in the first information is the same as or smaller than the Para recorded by the server, and if it is the same or smaller, it is determined to be a replay attack.
步骤505、所述服务器根据所述第一信息中的所述Device ID获取预存的API Key;Step 505, the server obtains a pre-stored API Key according to the Device ID in the first information;
步骤506、根据所述预存的API Key、所述第一信息中的所述Payload和所述Para,计算得到验证值;Step 506: Calculate the verification value according to the pre-stored API Key, the Payload and the Para in the first information;
步骤507、将所述验证值与所述第一信息中的所述摘要消息进行对比;Step 507, comparing the verification value with the digest message in the first information;
步骤508、当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过,结束本次流程。Step 508: When the verification value matches the digest message, it is determined that the authentication of the first information is passed, and this process ends.
步骤509、确定所述第一信息为重放的信息,结束本次流程。Step 509: Determine that the first information is replayed information, and end this process.
由此,本发明实施例提供的技术方案能够根据Para快速判断所述第一信息是否是重放攻击,有效保证通信安全。Therefore, the technical solutions provided by the embodiments of the present invention can quickly determine whether the first information is a replay attack according to Para, thereby effectively ensuring communication security.
本发明提供的一种通信安全防护方法的第三实施例,应用于物联网,如图6所示,所述方法包括:A third embodiment of a communication security protection method provided by the present invention is applied to the Internet of Things. As shown in FIG. 6 , the method includes:
步骤601、终端根据预设的第一规则生成特定的参数Para;Step 601, the terminal generates a specific parameter Para according to a preset first rule;
步骤602、所述终端根据预设的第二规则生成第一随机数RAND;Step 602, the terminal generates a first random number RAND according to a preset second rule;
步骤603、根据API Key、所要传递的消息Payload、所述Para以及所述RAND,生成摘要消息;Step 603, generate a digest message according to the API Key, the message Payload to be delivered, the Para and the RAND;
具体的,可以根据API Key、所要传递的消息Payload、所述Para以及所述RAND,通过HMAC函数生成摘要消息。如,HMAC(Payload,API key,Para||RAND)。Specifically, the digest message can be generated by the HMAC function according to the API Key, the payload of the message to be delivered, the Para and the RAND. For example, HMAC(Payload, API key, Para||RAND).
步骤604、根据所述终端的标识Device ID、所述Payload、所述Para、所述RAND以及所述摘要消息,生成第一信息并发送给服务器;Step 604, according to the identification Device ID of the terminal, the Payload, the Para, the RAND and the digest message, generate first information and send it to the server;
具体的,所述第一信息可以表示为Message(Device ID,Payload,Para||RAND,HMAC(Payload,API key,Para||RAND))。Specifically, the first information may be represented as Message(Device ID, Payload, Para||RAND, HMAC(Payload, API key, Para||RAND)).
步骤605、所述服务器根据所述第一信息中的所述Device ID获取预存的API Key;Step 605, the server obtains a pre-stored API Key according to the Device ID in the first information;
步骤606、根据所述预存的API Key、所述第一信息中的所述Payload、所述Para和所述RAND,计算得到验证值。Step 606: Calculate the verification value according to the pre-stored API Key, the Payload, the Para, and the RAND in the first information.
步骤607、将所述验证值与所述第一信息中的所述摘要消息进行对比;Step 607, comparing the verification value with the digest message in the first information;
步骤608、当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过。Step 608: When the verification value matches the digest message, it is determined that the authentication of the first information is passed.
由此,本发明实施例提供的技术方案还能够使用随机数RAND避免API key泄露,进一步保证通信安全。Therefore, the technical solutions provided by the embodiments of the present invention can also use the random number RAND to avoid API key leakage, and further ensure communication security.
本发明提供的一种通信安全防护方法的第四实施例,应用于物联网,如图7所示,所述方法包括:The fourth embodiment of a communication security protection method provided by the present invention is applied to the Internet of Things. As shown in FIG. 7 , the method includes:
步骤701、终端根据预设的第一规则生成特定的参数Para;Step 701, the terminal generates a specific parameter Para according to a preset first rule;
步骤702、检测所述终端的状态;Step 702, detecting the state of the terminal;
步骤703、当所述终端处于第一状态时,根据预设的第三规则生成第二随机参数KDF_p;Step 703: When the terminal is in the first state, generate a second random parameter KDF_p according to a preset third rule;
这里,所述第一状态是指第一次发送KDF_p,即物联网终端产生第一条消息时。可以理解的是,非第一次发送KDF_p可以是第二状态,即物联网终端产生第一条之后的消息时。Here, the first state refers to sending KDF_p for the first time, that is, when the IoT terminal generates the first message. It can be understood that the KDF_p that is not sent for the first time may be in the second state, that is, when the IoT terminal generates the first and subsequent messages.
当网络侧收到第一条消息后,取出KDF_p并保存,随后,当物联网终端发送其他消息时,则利用已经保存的KDF_p进行计算。When the network side receives the first message, it takes out KDF_p and saves it. Then, when the IoT terminal sends other messages, it uses the saved KDF_p for calculation.
当网络侧收到消息后,根据消息是否保存有KDF_p判断是否为第一条消息,若无则直接取出保存的对应终端的KDF_p进行计算。When the network side receives the message, it judges whether it is the first message according to whether the message has KDF_p stored, and if not, directly fetches the stored KDF_p of the corresponding terminal for calculation.
步骤704、根据API Key和所述KDF_p,生成密钥;Step 704, generate a key according to the API Key and the KDF_p;
步骤705、根据所述密钥、所要传递的消息Payload、所述Para以及所述KDF_p,生成摘要消息;Step 705, generate a digest message according to the key, the message Payload to be delivered, the Para and the KDF_p;
具体的,根据所述密钥、所要传递的消息Payload、所述Para以及所述KDF_p,通过HMAC函数生成摘要消息,如,HMAC(Payload,f(API key,KDF_p),Para||KDF_p)。Specifically, according to the key, the message Payload to be delivered, the Para and the KDF_p, a digest message is generated through the HMAC function, for example, HMAC(Payload, f(API key, KDF_p), Para||KDF_p).
步骤706、根据所述终端的标识Device ID、所述Payload、所述Para、所述KDF_p以及所述摘要消息,生成第一信息并发送给服务器;Step 706, according to the identification Device ID of the terminal, the Payload, the Para, the KDF_p and the digest message, generate first information and send it to the server;
这里,所述第一信息可以表示为Message(Device ID,Payload,Para||KDF_p,HMAC(Payload,f(API key,KDF_p),Para||KDF_p))。Here, the first information may be represented as Message(Device ID, Payload, Para||KDF_p, HMAC(Payload, f(API key, KDF_p), Para||KDF_p)).
步骤707、所述服务器判断所述第一信息中的所述Para是否满足预设的条件;当所述Para满足预设的条件时,进入步骤708;当所述Para不满足预设的条件时,进入步骤713;Step 707, the server judges whether the Para in the first information satisfies the preset condition; when the Para meets the preset condition, go to step 708; when the Para does not meet the preset condition , enter step 713;
步骤708、所述服务器根据所述第一信息中的所述Device ID获取预存的API Key;Step 708, the server obtains a pre-stored API Key according to the Device ID in the first information;
步骤709、根据所述预存的API Key和所述KDF_p,生成验证密钥;Step 709, generate a verification key according to the pre-stored API Key and the KDF_p;
步骤710、根据所述验证密钥、所述第一信息中的所述Payload、所述Para和所述KDF_p,计算得到验证值。Step 710: Calculate and obtain a verification value according to the verification key, the Payload, the Para, and the KDF_p in the first information.
步骤711、将所述验证值与所述第一信息中的所述摘要消息进行对比;Step 711: Compare the verification value with the digest message in the first information;
步骤712、当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过,结束本次流程。Step 712: When the verification value matches the digest message, it is determined that the authentication of the first information is passed, and this process ends.
步骤713、确定所述第一信息为重放的信息,结束本次流程。Step 713: Determine that the first information is replayed information, and end this process.
这里,需要说明的是,当服务器收到第一条第一信息并鉴权通过后,保存其中的KDF_p,当收到所述终端随后发送的其他消息时,则利用已经保存的KDF_p计算验证密钥并计算验证值。Here, it should be noted that when the server receives the first piece of first information and passes the authentication, it saves the KDF_p in it, and when it receives other messages subsequently sent by the terminal, it uses the saved KDF_p to calculate the verification password. key and calculate the verification value.
不难理解,非第一次的第一信息为:Message(Device ID,Payload,Para,HMAC(Payload,f(API key,KDF_p),Para))It is not difficult to understand that the first information that is not the first time is: Message(Device ID, Payload, Para, HMAC(Payload, f(API key, KDF_p), Para))
由此,本发明实施例提供的技术方案还能够使用随机参数KDF_p避免API key泄露,进一步保证通信安全。Therefore, the technical solutions provided by the embodiments of the present invention can also use the random parameter KDF_p to avoid API key leakage, and further ensure communication security.
本发明提供的另一种通信安全防护方法的实施例,应用于物联网,参见图8所示,所述方法包括:Another embodiment of the communication security protection method provided by the present invention is applied to the Internet of Things, as shown in FIG. 8 , the method includes:
步骤801、终端根据预设的第一规则生成特定的参数Para;Step 801, the terminal generates a specific parameter Para according to a preset first rule;
步骤802、根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;Step 802, generate a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para;
步骤803、根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息并发送给服务器;以使所述服务器根据所述第一信息中的信息对所述第一信息进行鉴权。Step 803: According to the identification Device ID of the terminal, the Payload, the Para and the summary message, generate first information and send it to the server; The first information is authenticated.
在一实施例中,所述方法包括:In one embodiment, the method includes:
步骤801、终端根据预设的第一规则生成特定的参数Para;Step 801, the terminal generates a specific parameter Para according to a preset first rule;
步骤802、根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;Step 802, generate a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para;
步骤803、根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息并发送给服务器;以使所述服务器根据所述第一信息中的信息对所述第一信息进行鉴权。此外,所述方法还包括:Step 803: According to the identification Device ID of the terminal, the Payload, the Para and the summary message, generate first information and send it to the server; The first information is authenticated. In addition, the method also includes:
所述终端根据预设的第二规则生成第一随机数RAND;generating, by the terminal, a first random number RAND according to a preset second rule;
相应的,所述生成摘要消息包括:Correspondingly, the generating a summary message includes:
根据API Key、所要传递的消息Payload、所述Para以及所述RAND,生成摘要消息;Generate a digest message according to the API Key, the message Payload to be delivered, the Para and the RAND;
所述生成第一信息包括:The generating the first information includes:
根据所述终端的标识Device ID、所述Payload、所述Para、所述RAND以及所述摘要消息,生成第一信息;以使所述服务器能够根据所述预存的API Key、所述第一信息中的所述Payload、所述Para和所述RAND,计算得到验证值,以对所述第一信息进行鉴权。Generate first information according to the identification Device ID of the terminal, the Payload, the Para, the RAND and the digest message; so that the server can use the pre-stored API Key, the first information The Payload, the Para and the RAND in , are calculated to obtain a verification value to authenticate the first information.
在一实施例中,所述方法包括:In one embodiment, the method includes:
步骤801、终端根据预设的第一规则生成特定的参数Para;Step 801, the terminal generates a specific parameter Para according to a preset first rule;
步骤802、根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;Step 802, generate a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para;
步骤803、根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息并发送给服务器;以使所述服务器根据所述第一信息中的信息对所述第一信息进行鉴权。此外,所述方法还包括:Step 803: According to the identification Device ID of the terminal, the Payload, the Para and the summary message, generate first information and send it to the server; The first information is authenticated. In addition, the method also includes:
检测所述终端的状态;detecting the state of the terminal;
当所述终端处于第一状态时,根据预设的第三规则生成第二随机参数KDF_p;When the terminal is in the first state, generate a second random parameter KDF_p according to a preset third rule;
根据API Key和所述KDF_p,生成密钥;Generate a key according to the API Key and the KDF_p;
相应的,所述生成摘要消息包括:Correspondingly, the generating a summary message includes:
根据所述密钥、所要传递的消息Payload、所述Para以及所述KDF_p,生成摘要消息;Generate a digest message according to the key, the message Payload to be delivered, the Para and the KDF_p;
所述生成第一信息包括:The generating the first information includes:
根据所述终端的标识Device ID、所述Payload、所述Para、所述KDF_p以及所述摘要消息,生成第一信息;以使所述服务器能够根据所述预存的API Key和所述KDF_p,生成验证密钥;并根据所述验证密钥、所述第一信息中的所述Payload、所述Para和所述KDF_p,计算得到验证值,以对所述第一信息进行鉴权。Generate the first information according to the identification Device ID of the terminal, the Payload, the Para, the KDF_p and the digest message; so that the server can generate the first information according to the pre-stored API Key and the KDF_p A verification key; and a verification value is calculated according to the verification key, the Payload, the Para and the KDF_p in the first information to authenticate the first information.
本发明提供的再一种通信安全防护方法的实施例,应用于物联网,参见图9所示,所述方法包括:Another embodiment of a communication security protection method provided by the present invention is applied to the Internet of Things, as shown in FIG. 9 , the method includes:
步骤901、服务器接收终端发来的第一信息;所述第一信息包括:API Key、特定的参数Para、所要传递的消息Payload和摘要消息;所述参数Para是所述终端根据预设的第一规则生成的,所述摘要消息是根据所述API Key、所述Payload以及所述Para生成的;Step 901, the server receives the first information sent by the terminal; the first information includes: API Key, a specific parameter Para, the message Payload to be delivered, and a digest message; the parameter Para is the terminal according to the preset No. Generated by a rule, the digest message is generated according to the API Key, the Payload and the Para;
步骤902、根据所述第一信息中的Device ID获取预存的API Key;Step 902, obtaining a pre-stored API Key according to the Device ID in the first information;
步骤903、根据所述预存的API Key、所述第一信息中的Payload和Para,计算得到验证值;Step 903: Calculate the verification value according to the pre-stored API Key, Payload and Para in the first information;
步骤904、将所述验证值与所述第一信息中的摘要消息进行对比;Step 904, comparing the verification value with the digest message in the first information;
步骤905、当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过。Step 905: When the verification value matches the digest message, it is determined that the authentication of the first information is passed.
在一实施例中,所述方法还包括:In one embodiment, the method further includes:
所述服务器判断所述第一信息中的所述Para是否满足预设的条件;The server determines whether the Para in the first information satisfies a preset condition;
当所述Para不满足预设的条件时,确定所述第一信息为重放的信息;When the Para does not meet the preset condition, determine that the first information is replayed information;
当所述Para满足预设的条件时,进行根据所述第一信息中的所述Device ID获取预存的API Key的步骤。When the Para meets the preset condition, the step of acquiring the pre-stored API Key according to the Device ID in the first information is performed.
本发明提供的一种通信安全防护系统的实施例,应用于物联网,参见图10所示,所述系统包括终端和服务器:An embodiment of a communication security protection system provided by the present invention is applied to the Internet of Things, as shown in FIG. 10 , the system includes a terminal and a server:
所述终端1001,用于根据预设的第一规则生成特定的参数Para;根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息并发送给所述服务器;The terminal 1001 is configured to generate a specific parameter Para according to a preset first rule; generate a summary message according to the application programming interface key API Key, the message Payload to be delivered, and the Para; according to the identification of the terminal The Device ID, the Payload, the Para, and the digest message generate first information and send it to the server;
所述服务器1002,用于根据所述第一信息中的所述Device ID获取预存的APIKey;根据所述预存的API Key、所述第一信息中的所述Payload和所述Para,计算得到验证值;将所述验证值与所述第一信息中的所述摘要消息进行对比;当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过。The server 1002 is configured to obtain a pre-stored APIKey according to the Device ID in the first information; according to the pre-stored API Key, the Payload and the Para in the first information, the calculation is verified value; compare the verification value with the digest message in the first information; when the verification value matches the digest message, it is determined that the authentication of the first information is passed.
本发明提供的一种终端的实施例,应用于物联网,参见图11所示,所述终端包括:An embodiment of a terminal provided by the present invention is applied to the Internet of Things, as shown in FIG. 11 , the terminal includes:
第一生成单元1101,用于根据预设的第一规则生成特定的参数Para;a first generating unit 1101, configured to generate a specific parameter Para according to a preset first rule;
第二生成单元1102,用于根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;The second generating unit 1102 is configured to generate a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para;
第三生成单元1103,用于根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息The third generating unit 1103 is configured to generate the first information according to the identification Device ID of the terminal, the Payload, the Para and the digest message
发送单元1104,用于将所述第一信息发送给服务器;以使所述服务器根据所述第一信息中的信息对所述第一信息进行鉴权。The sending unit 1104 is configured to send the first information to a server, so that the server authenticates the first information according to the information in the first information.
在一实施例中,所述终端包括:In one embodiment, the terminal includes:
第一生成单元1101,用于根据预设的第一规则生成特定的参数Para;a first generating unit 1101, configured to generate a specific parameter Para according to a preset first rule;
第二生成单元1102,用于根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;The second generating unit 1102 is configured to generate a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para;
第三生成单元1103,用于根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息The third generating unit 1103 is configured to generate the first information according to the identification Device ID of the terminal, the Payload, the Para and the digest message
发送单元1104,用于将所述第一信息发送给服务器;以使所述服务器根据所述第一信息中的信息对所述第一信息进行鉴权。此外,所述终端还包括:The sending unit 1104 is configured to send the first information to a server, so that the server authenticates the first information according to the information in the first information. In addition, the terminal also includes:
第四生成单元1105,用于根据预设的第二规则生成第一随机数RAND;a fourth generating unit 1105, configured to generate a first random number RAND according to a preset second rule;
相应的,所述第二生成单元:用于根据API Key、所要传递的消息Payload、所述Para以及所述RAND,生成摘要消息;Correspondingly, the second generating unit is configured to generate a digest message according to the API Key, the message Payload to be delivered, the Para and the RAND;
所述第三生成单元1103:用于根据所述终端的标识Device ID、所述Payload、所述Para、所述RAND以及所述摘要消息,生成第一信息;以使所述服务器能够根据所述预存的API Key、所述第一信息中的所述Payload、所述Para和所述RAND,计算得到验证值,以对所述第一信息进行鉴权。The third generating unit 1103 is configured to generate the first information according to the identification Device ID of the terminal, the Payload, the Para, the RAND and the digest message; so that the server can The pre-stored API Key, the Payload, the Para and the RAND in the first information are calculated to obtain a verification value to authenticate the first information.
在一实施例中,所述终端包括:In one embodiment, the terminal includes:
第一生成单元1101,用于根据预设的第一规则生成特定的参数Para;a first generating unit 1101, configured to generate a specific parameter Para according to a preset first rule;
第二生成单元1102,用于根据应用程序编程接口密钥API Key、所要传递的消息Payload以及所述Para,生成摘要消息;The second generating unit 1102 is configured to generate a digest message according to the application programming interface key API Key, the message Payload to be delivered, and the Para;
第三生成单元1103,用于根据所述终端的标识Device ID、所述Payload、所述Para以及所述摘要消息,生成第一信息The third generating unit 1103 is configured to generate the first information according to the identification Device ID of the terminal, the Payload, the Para and the digest message
发送单元1104,用于将所述第一信息发送给服务器;以使所述服务器根据所述第一信息中的信息对所述第一信息进行鉴权。此外,所述终端还包括:The sending unit 1104 is configured to send the first information to a server, so that the server authenticates the first information according to the information in the first information. In addition, the terminal also includes:
检测单元1106,用于检测所述终端的状态;a detection unit 1106, configured to detect the state of the terminal;
第五生成单元1107,用于当所述终端处于第一状态时,根据预设的第三规则生成第二随机参数KDF_p;根据API Key和所述KDF_p,生成密钥;The fifth generating unit 1107 is configured to generate a second random parameter KDF_p according to a preset third rule when the terminal is in the first state; generate a key according to the API Key and the KDF_p;
相应的,所述第二生成单元1102:用于根据所述密钥、所要传递的消息Payload、所述Para以及所述KDF_p,生成摘要消息;Correspondingly, the second generating unit 1102 is configured to generate a digest message according to the key, the message Payload to be delivered, the Para and the KDF_p;
所述第三生成单元1103:用于根据所述终端的标识Device ID、所述Payload、所述Para、所述KDF_p以及所述摘要消息,生成第一信息;以使所述服务器能够根据所述预存的API Key和所述KDF_p,生成验证密钥;并根据所述验证密钥、所述第一信息中的所述Payload、所述Para和所述KDF_p,计算得到验证值,以对所述第一信息进行鉴权。The third generating unit 1103 is configured to generate the first information according to the identification Device ID of the terminal, the Payload, the Para, the KDF_p and the digest message; so that the server can The pre-stored API Key and the KDF_p generate a verification key; and according to the verification key, the Payload in the first information, the Para and the KDF_p, the verification value is calculated to obtain the verification value for the The first information is authenticated.
实际应用中,上述各单元可由终端中的中央处理器(CPU,Central ProcessingUnit)、数字信号处理器(DSP,Digital Signal Processor)、或现场可编程门阵列(FPGA,Field-Programmable Gate Array)实现。In practical applications, the above units may be implemented by a central processing unit (CPU, Central Processing Unit), a digital signal processor (DSP, Digital Signal Processor), or a field-programmable gate array (FPGA, Field-Programmable Gate Array) in the terminal.
本发明提供的一种服务器的实施例,应用于物联网,参见图12所示,所述服务器包括:An embodiment of a server provided by the present invention is applied to the Internet of Things, as shown in FIG. 12 , the server includes:
接收单元1201,用于接收终端发来的第一信息;所述第一信息包括:API Key、特定的参数Para、所要传递的消息Payload和摘要消息;所述参数Para是所述终端根据预设的第一规则生成的,所述摘要消息是根据所述API Key、所述Payload以及所述Para生成的;The receiving unit 1201 is configured to receive the first information sent by the terminal; the first information includes: API Key, a specific parameter Para, the message Payload to be delivered, and a digest message; the parameter Para is the terminal according to the preset The first rule is generated, and the digest message is generated according to the API Key, the Payload and the Para;
获取单元1202,用于根据所述第一信息中的Device ID获取预存的API Key;an obtaining unit 1202, configured to obtain a pre-stored API Key according to the Device ID in the first information;
计算单元1203,用于根据所述预存的API Key、所述第一信息中的Payload和Para,计算得到验证值;The calculation unit 1203 is used to calculate and obtain the verification value according to the pre-stored API Key, Payload and Para in the first information;
对比单元1204,将所述验证值与所述第一信息中的摘要消息进行对比;The comparison unit 1204 compares the verification value with the digest message in the first information;
确定单元1205,用于当所述验证值与所述摘要消息匹配时,确定所述第一信息鉴权通过。The determining unit 1205 is configured to determine that the authentication of the first information is passed when the verification value matches the digest message.
在一实施例中,所述服务器还包括:In one embodiment, the server further includes:
判断单元1206,用于判断所述第一信息中的所述Para是否满足预设的条件;Judging unit 1206, for judging whether the Para in the first information satisfies a preset condition;
所述确定单元1205,还用于当所述Para不满足预设的条件时,确定所述第一信息为重放的信息;当所述Para满足预设的条件时,控制获取单元执行根据所述第一信息中的所述Device ID获取预存的API Key的操作。The determining unit 1205 is further configured to determine that the first information is the replayed information when the Para does not meet the preset condition; when the Para meets the preset condition, control the obtaining unit to execute according to the preset condition. The operation of obtaining the pre-stored API Key from the Device ID in the first information.
实际应用中,上述各单元可由服务器中的中央处理器(CPU,Central ProcessingUnit)、数字信号处理器(DSP,Digital Signal Processor)、或现场可编程门阵列(FPGA,Field-Programmable Gate Array)实现。In practical applications, the above units can be implemented by a central processing unit (CPU, Central Processing Unit), a digital signal processor (DSP, Digital Signal Processor), or a field-programmable gate array (FPGA, Field-Programmable Gate Array) in the server.
下面结合具体实施例、应用场景和附图对本发明实施例进行进一步介绍。The embodiments of the present invention will be further introduced below with reference to specific embodiments, application scenarios and accompanying drawings.
本发明实施例涉及物联网终端,物联网OneNet平台以及相关设备。The embodiments of the present invention relate to an Internet of Things terminal, an Internet of Things OneNet platform and related equipment.
本发明实施例的主要技术方案在于改变API Key明文传递的方法,使得攻击者无法获得API key。与此同时,还能够保证OneNet平台可以有效鉴别物联网终端设备的身份。所以,在本发明实施例中在物联网终端与OneNet平台通信的时候,物联网终端通过消息中的Device ID标识终端,待发送的消息,以及利用API key直接或者间接对消息的处理摘要一并发送给网络侧。网络侧再利用同样的API key对摘要进行验证。并在随后的过程中按照同样的格式发送消息。The main technical solution of the embodiment of the present invention is to change the method for transmitting the API Key in plain text, so that the attacker cannot obtain the API key. At the same time, it can also ensure that the OneNet platform can effectively identify the identity of IoT terminal devices. Therefore, in the embodiment of the present invention, when the IoT terminal communicates with the OneNet platform, the IoT terminal identifies the terminal through the Device ID in the message, the message to be sent, and the processing summary of the message directly or indirectly by using the API key together. sent to the network side. The network side uses the same API key to verify the digest. And send messages in the same format in subsequent processes.
为此,在物联网终端设备与OneNet平台之间的消息传输方式变为:To this end, the message transmission method between the IoT terminal device and the OneNet platform becomes:
1、设定设备ID(Device ID),用Device ID标识物联网终端,同时将Device ID与终端API key绑定。1. Set the Device ID, use the Device ID to identify the IoT terminal, and bind the Device ID to the terminal API key.
2、在物联网终端与OneNet平台通信的时候,物联网终端在产生消息时,不再直接写入API key,而是:2. When the IoT terminal communicates with the OneNet platform, when the IoT terminal generates a message, it no longer directly writes the API key, but:
A、在消息中增加Device ID,A. Add Device ID to the message,
B、产生特定的参数ParaB. Generate a specific parameter Para
C、根据API key,Para,以及所要传递的消息Payload产生摘要信息C. Generate summary information according to the API key, Para, and the payload of the message to be delivered
然后终端将上述信息连同Payload一起组合成新的消息Then the terminal combines the above information together with the payload into a new message
3、终端将该消息发送至网络侧,此时,用来标记消息发送者的API key变为了Device ID。3. The terminal sends the message to the network side. At this time, the API key used to mark the sender of the message becomes the Device ID.
4、网络侧在收到消息后,需要根据取代API key标识消息来源的Device ID确定发送者,然后从本地获得对应的API key,再根据相应的规则判断消息中所携带的Para是否可以接受。如果不可以接受,即认为消息为重放的消息,中止处理过程。如果可以接受,再利用消息中的Payload和Para计算验证值,最终与消息中携带的摘要信息进行对比,相同则通过验证。并按照相应的规则记录Para。4. After receiving the message, the network side needs to determine the sender according to the Device ID that replaces the API key to identify the source of the message, and then obtains the corresponding API key locally, and then judges whether the Para carried in the message is acceptable according to the corresponding rules. If it is not acceptable, the message is considered to be a replayed message and the processing is terminated. If it is acceptable, then use the Payload and Para in the message to calculate the verification value, and finally compare it with the digest information carried in the message, if it is the same, it will pass the verification. And record Para according to the corresponding rules.
Para参数是为了保证消息不被第三方截获后重放,因此需要在摘要中附加相关的参数以避免重放攻击。The Para parameter is to ensure that the message is not replayed after being intercepted by a third party, so it is necessary to add relevant parameters to the digest to avoid replay attacks.
在消息产生过程中,API key的处理可以具有以下不同的实施例:In the message generation process, the processing of API keys can have the following different embodiments:
实施例1:利用API key直接对消息进行处理,因此消息体具体为:Example 1: The API key is used to directly process the message, so the message body is specifically:
Message(Device ID,Payload,Para,HMAC(Payload,API Key,Para))Message(Device ID, Payload, Para, HMAC(Payload, API Key, Para))
即物联网终端在产生消息时,参见图13所示,在消息中写入Device ID,产生特定的参数Para,根据API key,Para,以及所要传递的消息Payload通过HMAC函数产生摘要信息H(即H=HMAC(Payload,API Key,Para))。然后终端将上述信息连同Payload一起组合成新的消息That is, when the IoT terminal generates a message, as shown in Figure 13, the Device ID is written in the message to generate a specific parameter Para, and the summary information H is generated according to the API key, Para, and the message Payload to be transmitted through the HMAC function (ie H=HMAC(Payload, API Key, Para)). Then the terminal combines the above information together with the payload into a new message
当网络侧收到消息后,根据同样的算法计算出H’=HMAC(Payload,API Key,Para),对比H与H’,如果一致则认为消息正确,否则直接丢弃该消息When the network side receives the message, it calculates H'=HMAC(Payload, API Key, Para) according to the same algorithm, compares H and H', if they are consistent, the message is considered correct, otherwise the message is directly discarded
实施例2:为了避免API key的大量重复使用导致API key被破解,可以采用额外增加随机数的方式避免API key被泄露,因此消息体具体为:Example 2: In order to prevent the API key from being cracked due to a large number of repeated use of the API key, an additional random number can be used to prevent the API key from being leaked. Therefore, the message body is as follows:
Message(Device ID,Payload,Para||RAND,HMAC(Payload,API key,Para||RAND))Message(Device ID, Payload, Para||RAND, HMAC(Payload, API key, Para||RAND))
即物联网终端在产生消息时,在消息中写入Device ID,产生特定的参数Para,以及随机产生的随机数RAND。终端根据API key,Para,RAND以及所要传递的消息Payload通过HMAC函数产生摘要信息H。然后终端将上述信息连同Payload一起组合成新的消息。That is, when the IoT terminal generates a message, it writes the Device ID in the message, generates a specific parameter Para, and a randomly generated random number RAND. The terminal generates the summary information H through the HMAC function according to the API key, Para, RAND and the message Payload to be transmitted. The terminal then combines the above information together with the payload into a new message.
当网络侧收到消息后,根据同样的算法计算出H,对比H与H’,如果一致则认为消息正确,否则直接丢弃该消息When the network side receives the message, it calculates H according to the same algorithm, compares H and H', if they are consistent, the message is considered correct, otherwise the message is directly discarded
实施例3:为了避免API key的大量重复使用导致API key被破解,可以采用利用API key产生会话密钥并在第一次将密钥产生参数发送过去的方式避免API key被泄露,因此消息体具体为:Example 3: In order to avoid the API key being cracked due to a large number of repeated use of the API key, the session key can be generated by using the API key and the key generation parameters are sent for the first time to avoid the API key being leaked. Therefore, the message body Specifically:
第一次:Message(Device ID,Payload,Para||KDF_p,HMAC(Payload,f(API key,KDF_p),Para||KDF_p))The first time: Message(Device ID, Payload, Para||KDF_p, HMAC(Payload, f(API key, KDF_p), Para||KDF_p))
非第一次:Message(Device ID,Payload,Para,HMAC(Payload,f(API key,KDF_p),Para))Not the first time: Message(Device ID, Payload, Para, HMAC(Payload, f(API key, KDF_p), Para))
即物联网终端在产生第一条消息时,首先产生随机参数KDF_p并保存,然后利用API key和KDF_p,计算产生新的密钥f(API key,KDF_p),在消息中写入Device ID,产生特定的参数Para,以及随机产生的随机参数KDF_p。终端根据API key,Para,KDF_p,以及所要传递的消息Payload通过HMAC函数产生摘要信息H。然后终端将上述信息连同Payload一起组合成新的消息。That is, when the IoT terminal generates the first message, it first generates a random parameter KDF_p and saves it, and then uses the API key and KDF_p to calculate and generate a new key f (API key, KDF_p), and writes the Device ID in the message to generate The specific parameter Para, and the randomly generated random parameter KDF_p. The terminal generates summary information H through the HMAC function according to the API key, Para, KDF_p, and the message Payload to be transmitted. The terminal then combines the above information together with the payload into a new message.
当网络侧收到第一条消息后,取出KDF_p并保存,然后同样计算f(API key,KDF_p)根据同样的算法计算出H,对比H与H’,如果一致则认为消息正确,否则直接丢弃该消息。When the network side receives the first message, it takes out KDF_p and saves it, and then calculates f(API key, KDF_p) to calculate H according to the same algorithm, and compares H and H'. If they are consistent, the message is considered correct, otherwise it is discarded directly. the message.
随后,当物联网终端发送其他消息时,则利用已经保存的KDF_p计算产生密钥f(API key,KDF_p)并计算H。Subsequently, when the IoT terminal sends other messages, it uses the saved KDF_p to calculate and generate the key f (API key, KDF_p) and calculate H.
当网络侧收到消息后,根据消息是否保存有KDF_p判断是否为第一条消息,若无则直接取出保存的对应终端的KDF_p计算H’,对比H与H’,如果一致则认为消息正确,否则直接丢弃该消息。When the network side receives the message, it determines whether it is the first message according to whether the message has KDF_p. If not, it directly takes out the stored KDF_p of the corresponding terminal to calculate H', and compares H and H'. If they are consistent, the message is considered correct. Otherwise, the message is directly discarded.
针对抗重放攻击的参数设计,可以具有不同的实施例:The parameter design for anti-replay attack can have different embodiments:
实施例1:M2M终端与OneNet云平台各自保留一个固定长度的列表,用于存储发送过来的参数Para,并在收到新的Para与保留的参数进行对比,如果相同,则认为是重放攻击。当列表保留Para已满之后,则新接收到的不同的Para覆盖列表中最早接收到的Para,如下所示:Example 1: The M2M terminal and the OneNet cloud platform each keep a fixed-length list for storing the sent parameters Para, and compare the new Para with the reserved parameters when they are received. If they are the same, it is considered a replay attack . When the reserved Para of the list is full, the newly received Para will cover the earliest received Para in the list, as shown below:
OneNet平台(假设列表长度为5):OneNet platform (assuming a list length of 5):
接收到消息前:list(NULL,NULL,NULL,NULL,NULL)Before receiving the message: list(NULL,NULL,NULL,NULL,NULL)
接收到第一条消息:list(Para1,NULL,NULL,NULL,NULL)Received the first message: list(Para1,NULL,NULL,NULL,NULL)
接收到第二条消息:首先判断Para2<>Para1,否则判断重放,拒绝消息。然后list变为(Para1,Para2,NULL,NULL,NULL)Received the second message: first judge Para2<>Para1, otherwise judge playback and reject the message. Then list becomes (Para1,Para2,NULL,NULL,NULL)
接收到第三条消息:list(Para1,Para2,Para3,NULL,NULL)Received the third message: list(Para1,Para2,Para3,NULL,NULL)
以此类推and so on
接收到第五条消息:list(Para1,Para2,Para3,Para4,Para5)The fifth message received: list(Para1,Para2,Para3,Para4,Para5)
接收到第六条消息:list(Para6,Para2,Para3,Para4,Para5)Received the sixth message: list(Para6,Para2,Para3,Para4,Para5)
接收到第七条消息:list(Para6,Para7,Para3,Para4,Para5)Received the seventh message: list(Para6,Para7,Para3,Para4,Para5)
以此类推,此处不再赘述。And so on, and will not be repeated here.
实施例2:M2M终端与OneNet云平台各自保留一个列表,用于存储发送过来的参数Para并保留一定的时间,并在收到新的Para与保留的参数进行对比,如果相同,则认为是重放攻击。当列表保留Para时间到期,则从列表中移除。如下所示:Example 2: The M2M terminal and the OneNet cloud platform each keep a list for storing the sent parameter Para and keep it for a certain period of time, and compare the new Para and the reserved parameters when they are received. Let go of the attack. When the list retention Para time expires, it is removed from the list. As follows:
OneNet平台(假设列表设定时间为60秒):OneNet platform (assuming a list setting time of 60 seconds):
接收到消息前:list()Before receiving a message: list()
接收到第一条消息:list(Para1:60)Received the first message: list(Para1:60)
2秒后接收到第二条消息:首先判断Para2<>Para1,否则判断重放,拒绝消息。然后list变为(Para1:58,Para2:60,)The second message is received after 2 seconds: First judge Para2<>Para1, otherwise judge playback and reject the message. Then the list becomes (Para1:58,Para2:60,)
以此类推and so on
第59秒接收到第n条消息:list(Para1:1,Para2:3,…,Para_n:60)Received the nth message in the 59th second: list(Para1:1,Para2:3,…,Para_n:60)
第60秒后删除到期的参数:list(Para2:2,…,Para_n:59)Delete expired parameters after 60 seconds: list(Para2:2,...,Para_n:59)
第62秒后删除到期的参数:list(Para3:x,…,Para_n:57)Delete expired parameters after 62 seconds: list(Para3:x,…,Para_n:57)
以此类推,此处不再赘述。And so on, and will not be repeated here.
实施例3:参数Para按照时间或者次数同步增长,保留参数并用于比较,并在收到新的Para与保留的参数进行对比,如果接收到的Para比保存的相同或者更小,则认为是重放攻击。如下所示:Example 3: The parameter Para increases synchronously according to the time or the number of times, and the parameter is reserved and used for comparison, and when the new Para is received, it is compared with the reserved parameter. Let go of the attack. As follows:
OneNet平台(假设列表设定时间为60秒):OneNet platform (assuming a list setting time of 60 seconds):
接收到消息前:list()Before receiving a message: list()
接收到第一条消息:list(1)First message received: list(1)
接收到第二条消息时,首先判断Para是否大于1,如果否,则重放攻击。如果是,则list(2)When receiving the second message, first determine whether Para is greater than 1, and if not, replay the attack. If yes, list(2)
以此类推,此处不再赘述。And so on, and will not be repeated here.
本发明实施例提供的技术方案可实现通信过程中利用API key提供消息安全性,且能够保障API key不会被泄露。The technical solutions provided by the embodiments of the present invention can implement the use of the API key to provide message security in the communication process, and can ensure that the API key will not be leaked.
综上所示,本发明实施例提供的技术方案能够防止恶意攻击者非法获取到APIkey,同时能够标识对应的设备,还能够防止重放攻击。To sum up, the technical solutions provided by the embodiments of the present invention can prevent malicious attackers from illegally obtaining the API key, at the same time, can identify the corresponding device, and can also prevent replay attacks.
本领域内的技术人员应明白,本发明的实施例可提供为方法、系统、或计算机程序产品。因此,本发明可采用硬件实施例、软件实施例、或结合软件和硬件方面的实施例的形式。而且,本发明可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器和光学存储器等)上实施的计算机程序产品的形式。As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied therein, including but not limited to disk storage, optical storage, and the like.
本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block in the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing device to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing device produce Means for implementing the functions specified in a flow or flow of a flowchart and/or a block or blocks of a block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, the instructions The apparatus implements the functions specified in the flow or flow of the flowcharts and/or the block or blocks of the block diagrams.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process such that The instructions provide steps for implementing the functions specified in the flow or blocks of the flowcharts and/or the block or blocks of the block diagrams.
以上所述,仅为本发明的较佳实施例而已,并非用于限定本发明的保护范围。The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the protection scope of the present invention.
Claims (16)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510609796.5A CN106549924B (en) | 2015-09-22 | 2015-09-22 | A kind of communication security protection methods, devices and systems |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510609796.5A CN106549924B (en) | 2015-09-22 | 2015-09-22 | A kind of communication security protection methods, devices and systems |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106549924A CN106549924A (en) | 2017-03-29 |
| CN106549924B true CN106549924B (en) | 2019-06-28 |
Family
ID=58364444
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510609796.5A Active CN106549924B (en) | 2015-09-22 | 2015-09-22 | A kind of communication security protection methods, devices and systems |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106549924B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108737485B (en) * | 2017-04-25 | 2021-05-11 | 中移物联网有限公司 | Method and system for operation of Internet of Things resources |
| CN110730063B (en) * | 2018-07-16 | 2022-11-11 | 中国电信股份有限公司 | Security verification method and system, internet of things platform, terminal and readable storage medium |
| CN109639672A (en) * | 2018-12-11 | 2019-04-16 | 北京首汽智行科技有限公司 | The method and system for preventing Replay Attack based on JWT data |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1980121A (en) * | 2005-11-29 | 2007-06-13 | 北京书生国际信息技术有限公司 | Electronic signing mobile terminal, system and method |
| CN101854377A (en) * | 2010-01-25 | 2010-10-06 | 杭州东信北邮信息技术有限公司 | Information platform system supporting wireless terminal and implementation method thereof |
| CN103166931A (en) * | 2011-12-15 | 2013-06-19 | 华为技术有限公司 | Method, device and system of transmitting data safely |
| CN103441989A (en) * | 2013-08-05 | 2013-12-11 | 大唐移动通信设备有限公司 | Authentication and information processing method and device |
| CN103532963A (en) * | 2013-10-22 | 2014-01-22 | 中国联合网络通信集团有限公司 | IOT (Internet of Things) based equipment authentication method, device and system |
-
2015
- 2015-09-22 CN CN201510609796.5A patent/CN106549924B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1980121A (en) * | 2005-11-29 | 2007-06-13 | 北京书生国际信息技术有限公司 | Electronic signing mobile terminal, system and method |
| CN101854377A (en) * | 2010-01-25 | 2010-10-06 | 杭州东信北邮信息技术有限公司 | Information platform system supporting wireless terminal and implementation method thereof |
| CN103166931A (en) * | 2011-12-15 | 2013-06-19 | 华为技术有限公司 | Method, device and system of transmitting data safely |
| CN103441989A (en) * | 2013-08-05 | 2013-12-11 | 大唐移动通信设备有限公司 | Authentication and information processing method and device |
| CN103532963A (en) * | 2013-10-22 | 2014-01-22 | 中国联合网络通信集团有限公司 | IOT (Internet of Things) based equipment authentication method, device and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106549924A (en) | 2017-03-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107749848B (en) | Internet of things data processing method and device and Internet of things system | |
| CN102647461B (en) | Communication means based on HTTP, server, terminal | |
| EP3324572B1 (en) | Information transmission method and mobile device | |
| CN109309685B (en) | Information transmission method and device | |
| CN108111497B (en) | Mutual authentication method and device for camera and server | |
| US20190081795A1 (en) | Increased communication security | |
| CN107579991B (en) | Method for performing cloud protection authentication on client, server and client | |
| CN110401615B (en) | Identity authentication method, device, equipment, system and readable storage medium | |
| CN112989426B (en) | Authorization authentication method and device, and resource access token acquisition method | |
| CN104753674B (en) | A kind of verification method and equipment of application identity | |
| US9602486B2 (en) | Increased communication security | |
| CN107612889B (en) | Method for preventing user information leakage | |
| CN108173662A (en) | A device authentication method and device | |
| CN104836784B (en) | A kind of information processing method, client and server | |
| CN113395406B (en) | An encryption authentication method and system based on power equipment fingerprints | |
| RU2530691C1 (en) | Method for protected remote access to information resources | |
| CN105610848A (en) | Centralized data preservation method and system with source data security guaranty mechanism | |
| US9419979B2 (en) | Increased communication security | |
| US9426148B2 (en) | Increased communication security | |
| CN104243419A (en) | Data processing method, device and system based on secure shell protocol | |
| CN104038490B (en) | A kind of communication security method of calibration and its device | |
| US20240039899A1 (en) | System and method for web-browser based end-to-end encrypted messaging and for securely implementing cryptography using client-side scripting in a web browser | |
| CN105743854A (en) | Security authentication system and method | |
| CN111740995A (en) | Authorization authentication method and related device | |
| CN106549924B (en) | A kind of communication security protection methods, devices and systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |