
CN110602112A - MQTT (multiple quantum dots technique) secure data transmission method - Google Patents


Info

Publication number
CN110602112A
Authority
CN
China
Prior art keywords
mqtt
sdp
host
data
connection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910885870.4A
Other languages
Chinese (zh)
Inventor
李世绍
袁中庆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Changhong Electric Co Ltd
Priority to CN201910885870.4A
Publication of CN110602112A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for secure MQTT data transmission. An SDP gateway verifies, through identification information, whether the data published by an MQTT publishing device is safe, so the data can be transmitted effectively and securely; the SDP controller and the SDP host that can accept connections (AH) reject invalid data packets, the MQTT subscribing devices are protected from attack, and DDoS attacks can be reduced. The invention improves the security and stability of data transmission without requiring any change to the MQTT subscribing devices, and is therefore highly practical.

Description

MQTT (multiple quantum dots technique) secure data transmission method
Technical Field
The invention relates to the technical field of Internet of things, in particular to a method for MQTT safe data transmission.
Background
MQTT is a proxy-based message transfer protocol. In MQTT, messages are transmitted in a subscription/publication manner, one message publisher sends data to be published to an agent, and at least one message subscriber acquires data from the agent. The MQTT protocol is widely applied to the internet of things.
In the past, the MQTT protocol was generally applied to backend networks with security guarantees. At present, taking an industrial system as an example, key devices such as a Programmable Logic Controller (PLC), a monitoring and data acquisition (SCADA), and the like are all accessed to an industrial internet. In addition, the industrial internet may be further connected to a user's mobile terminal to enable transactions to be completed over the industrial internet, all of which changes require more and more sensitive data to be transmitted over the internet.
Therefore, the development of the Internet of Things places ever higher requirements on the privacy and security of data transmission, and security functions need to be added to device-to-device (D2D) or machine-to-machine (M2M) communication. The MQTT protocol as used in the past cannot meet the requirements of current Internet of Things communication. Among the known solutions, one encapsulates a protocol stack on top of the original protocol with identity authentication and communication encryption: the client and the server perform four rounds of data exchange, derive the same session key from the exchanged data and an algorithm, confirm each other's identity, and complete the communication handshake; after the handshake succeeds, whether the client is a legitimate device is judged through an encrypted digital certificate and a corresponding certificate verification process. This scheme requires modification of the original protocol, multiple data exchanges, and installation of certificates.
In another known solution, a method for implementing bidirectional CA security authorization using MQTT and SSL includes the following steps. Authorization push flow: the server divides user authorizations into different types and designs a topic for each type of authorization. Link security authentication flow: a standard SSL mutual authentication process is adopted; the terminal verifies the validity of the server using a public key certificate, and the server verifies the validity of the client using the public key certificate corresponding to the terminal. Data security protection: a different key is derived for each device from the device ID and the operator information, the key is written into the device when it leaves the factory, and data communicated between the server and the device is encrypted and signed with this key. This implementation is also relatively complex: it requires the manufacturer to derive and provision the key at the factory, which is not very feasible. Moreover, the above solutions are complex to implement.
Disclosure of Invention
The SDP gateway obtains identification information from the MQTT publishing device over a connection established with that device, and uses this identification information to verify whether the data published by the MQTT publishing device is safe, so the data can be transmitted effectively and securely; the SDP controller and the SDP host that can accept connections (AH) reject invalid data packets, which protects the MQTT subscribing devices from attack and reduces DDoS attacks. The invention improves the security and stability of data transmission without requiring any change to the MQTT subscribing devices, and is therefore highly practical.
The invention realizes the purpose through the following technical scheme:
the method relates to an MQTT publishing device, an MQTT agent, an SDP gateway and at least one MQTT subscribing device, wherein the SDP gateway is connected with at least one MQTT subscribing device. The SDP gateway includes: an SDP host and an SDP controller. The SDP host may create a connection or accept a connection. The SDP Controller (Controller) mainly performs host authentication and policy issuing. The SDP host and the SDP controller interact with each other via a secure control channel. SDP hosts are in turn classified as either hosts that can create connections (IH) or hosts that can accept connections (AH).
The method is used for safely publishing the MQTT data to the MQTT subscribing device.
In the method, an MQTT publishing device firstly sends an SDP connection request to an MQTT proxy, wherein the SDP connection request is used for requesting to establish connection to an SDP gateway.
After receiving the SDP connection request from the MQTT publishing device, the MQTT proxy decides whether to allow it. If the request is allowed, the MQTT proxy instructs the SDP host that can create connections (IH) of the gateway to establish a connection with the MQTT publishing device, and returns the address information of that host (IH) to the MQTT publishing device.
After receiving the address information of the SDP host that can create connections (IH), the MQTT publishing device establishes a connection to that host according to the received address information. Optionally the connection is a secure connection, such as a VPN connection.
Over the connection established with the SDP host that can create connections (IH), the MQTT publishing device sends its identification information to that host, and the SDP can forward this identification information to the SDP controller. The MQTT publishing device then sends the published data to the MQTT agent, with the payload of the published data containing the identification information of the MQTT publishing device. The MQTT agent forwards the received data to the SDP host that can create connections (IH).
The SDP host that can create connections (IH) sends the data to the SDP controller, and the SDP controller searches the payload of the received data published by the MQTT publishing device for the identification information of the MQTT publishing device;
if the SDP controller finds the identification information of the MQTT publishing device, the data is treated as safe data: the received data published by the MQTT publishing device is sent to the SDP host that can accept connections (AH), and that host (AH) sends the data to at least one MQTT subscribing device connected to it.
Compared with the prior art, the invention has the following advantages and beneficial effects:
with the method for secure MQTT data transmission, the SDP gateway verifies through the identification information whether the data published by the MQTT publishing device is safe, so the data can be transmitted effectively and securely; the SDP controller and the SDP host that can accept connections (AH) reject invalid data packets, the MQTT subscribing devices are protected from attack, and DDoS attacks can be reduced. The invention improves the security and stability of data transmission without requiring any change to the MQTT subscribing devices, and is therefore highly practical.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of publishing MQTT data to MQTT subscribing devices according to the invention.
Fig. 2 is a diagram of the SDP gateway architecture of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be described in detail below. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without any inventive step, are within the scope of the present invention.
In a specific embodiment, as shown in fig. 1-2, a method for secure MQTT data transmission according to the present invention requires at least one MQTT publishing device, one MQTT broker, one SDP gateway, and one MQTT subscribing device, where the SDP gateway is connected to at least one MQTT subscribing device. In this embodiment the intelligent connector is the MQTT publishing device, the server is the MQTT broker, and the mobile phone APP terminal is the MQTT subscribing device.
After the intelligent connector is powered on and is on line, an MQTT connection is established by using a token, a user name and a server, and then an SDP connection request is sent to the server, wherein the SDP connection request is used for requesting to establish connection to an SDP gateway;
after the server receives the SDP connection request sent by the intelligent connector and agrees with the SDP connection request, the server returns the SDP gateway address information to the intelligent connector;
after receiving the SDP address information, the intelligent connector establishes connection with an SDP gateway according to the address information; the intelligent connector sends the identification information to the SDP gateway through the connection;
the intelligent connector sends the issued data to the server, the issued data information contains identification information, and the server forwards the data to the SDP gateway after receiving the data;
and after receiving the data, the SDP gateway parses it and searches for the identification information of the intelligent connector; if it is present, the data is treated as safe data and the SDP gateway publishes it to the mobile phone APP terminal. This completes the secure data transmission from the intelligent connector to the mobile phone APP terminal.
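The publication path described in the general description above and in this embodiment (SDP connection request answered by the broker, identification sent over the connection to the gateway, identification searched for in the published payload, forwarding or rejection) is simulated below in Python. This is an added example written for this page, not code from the patent or from the assignee. The class and function names, the device identifier, the token, the gateway address and the JSON payload layout with a `device_id` field are all constructed assumptions; the patent specifies neither a payload format nor how the broker decides to allow the request.

```python
"""Simulation of the SDP-gated MQTT publication path described on this page.

Roles (names are this example's, not the patent's):
  connector -> MQTTBroker -> SDPGateway (IH -> SDPController -> AH) -> subscriber
"""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample credentials and gateway address; the patent gives none.
SDP_GATEWAY_ADDRESS = "sdp-gateway.example.invalid:8883"
KNOWN_PUBLISHERS: Dict[str, str] = {"connector-001": "token-abc"}


@dataclass
class SDPController:
    """Holds identification information registered over the control channel
    and checks published payloads against it."""
    registered_ids: Set[str] = field(default_factory=set)

    def register(self, device_id: str) -> None:
        self.registered_ids.add(device_id)

    def is_safe(self, payload: bytes) -> bool:
        """Search the published payload for registered identification info.
        Assumes a JSON object with a 'device_id' field (constructed format)."""
        try:
            message = json.loads(payload.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return False  # unparsable data is never treated as safe
        if not isinstance(message, dict):
            return False
        device_id = message.get("device_id")
        return isinstance(device_id, str) and device_id in self.registered_ids


class SDPGateway:
    """SDP host (IH side faces the publisher, AH side faces the subscribers)
    plus the SDP controller both sides consult."""

    def __init__(self) -> None:
        self.controller = SDPController()
        self.subscribers: List[Callable[[str, bytes], None]] = []
        self.rejected: List[bytes] = []

    def ih_receive_identification(self, device_id: str) -> None:
        # Identification arrives over the publisher's connection to the IH
        # and is handed to the controller over the secure control channel.
        self.controller.register(device_id)

    def ih_receive_from_broker(self, topic: str, payload: bytes) -> bool:
        # The IH passes the data to the controller; only payloads carrying a
        # registered identification reach the AH, everything else is dropped.
        if self.controller.is_safe(payload):
            self.ah_deliver(topic, payload)
            return True
        self.rejected.append(payload)
        return False

    def ah_deliver(self, topic: str, payload: bytes) -> None:
        for subscriber in self.subscribers:
            subscriber(topic, payload)


class MQTTBroker:
    """Broker that answers the SDP connection request and forwards published
    data to the gateway's IH."""

    def __init__(self, gateway: SDPGateway) -> None:
        self.gateway = gateway

    def handle_sdp_connect(self, device_id: str, token: str) -> Optional[str]:
        # Allow the request only when the MQTT credentials match (assumed
        # policy); on success return the gateway address, otherwise None.
        if KNOWN_PUBLISHERS.get(device_id) == token:
            return SDP_GATEWAY_ADDRESS
        return None

    def publish(self, topic: str, payload: bytes) -> bool:
        return self.gateway.ih_receive_from_broker(topic, payload)


def run_scenario() -> Tuple[List[Tuple[str, bytes]], int, Optional[str], Optional[str]]:
    """Walk the embodiment's steps with one legitimate connector, one payload
    lacking a registered identification, and one malformed payload."""
    gateway = SDPGateway()
    delivered: List[Tuple[str, bytes]] = []
    gateway.subscribers.append(lambda t, p: delivered.append((t, p)))  # phone APP
    broker = MQTTBroker(gateway)
    # Steps 1-2: connector requests an SDP connection; broker returns the address.
    address = broker.handle_sdp_connect("connector-001", "token-abc")
    refused = broker.handle_sdp_connect("connector-001", "wrong-token")
    # Step 3: connector connects to the gateway and sends its identification.
    if address is not None:
        gateway.ih_receive_identification("connector-001")
    # Steps 4-5: published data is forwarded by the broker and checked by the gateway.
    legit = json.dumps({"device_id": "connector-001", "temp_c": 21.5}).encode()
    unknown = json.dumps({"device_id": "rogue-999", "temp_c": 99.0}).encode()
    broker.publish("home/sensor", legit)
    broker.publish("home/sensor", unknown)
    broker.publish("home/sensor", b"\xff\xfe not json")
    return delivered, len(gateway.rejected), address, refused


if __name__ == "__main__":
    out, dropped, addr, denied = run_scenario()
    print(f"delivered={len(out)} rejected={dropped} address={addr} refused={denied}")
```

Running the module delivers one message to the subscriber and drops two: the payload naming an identifier that was never registered over the IH connection, and the payload that cannot be parsed at all. The controller never raises on bad input, so a malformed publication costs the subscriber nothing, which is the DDoS-reduction point the description makes.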
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims. It should be noted that the various technical features described in the above embodiments can be combined in any suitable manner without contradiction, and the invention is not described in any way for the possible combinations in order to avoid unnecessary repetition. In addition, any combination of the various embodiments of the present invention is also possible, and the same should be considered as the disclosure of the present invention as long as it does not depart from the spirit of the present invention.

Claims (5)

1. A method for secure MQTT data transmission, characterized in that the method is used for securely publishing MQTT data to an MQTT subscribing device;
an MQTT publishing device first sends an SDP connection request to an MQTT proxy, the SDP connection request being used to request establishment of a connection to an SDP gateway;
after the MQTT agent receives the SDP connection request from the MQTT publishing device, the MQTT agent determines whether to allow the SDP connection request; if the SDP connection request is allowed, the MQTT agent instructs the SDP host that can create connections of the gateway to establish a connection with the MQTT publishing device, and address information of the SDP host that can create connections is returned to the MQTT publishing device.
2. The method of claim 1, wherein the MQTT publishing device sends identification information of the MQTT publishing device to the SDP host that can create connections, using the connection established with that host, and that host sends this identification information to the SDP controller; the MQTT publishing device then sends the published data to the MQTT agent, the payload of the published data containing the identification information of the MQTT publishing device; and the MQTT agent sends the received data to the SDP host that can create connections.
3. The method of claim 1, wherein, if the SDP controller finds the identification information of the MQTT publishing device and the data is therefore safe data, the received data published by the MQTT publishing device is sent to the SDP host that can accept connections, which sends the data to at least one MQTT subscribing device connected to that host.
4. The method of claim 1, wherein, after receiving the address information of the SDP host that can create connections, the MQTT publishing device establishes a connection to that host according to the received address information.
5. The method of claim 1, wherein the SDP host that can create connections sends the data to an SDP controller, and the SDP controller searches the payload of the received data published by the MQTT publishing device for the identification information of the MQTT publishing device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910885870.4A CN110602112A (en) 2019-09-19 2019-09-19 MQTT (multiple quantum dots technique) secure data transmission method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910885870.4A CN110602112A (en) 2019-09-19 2019-09-19 MQTT (multiple quantum dots technique) secure data transmission method

Publications (1)

Publication Number Publication Date
CN110602112A true CN110602112A (en) 2019-12-20

Family

ID=68860965

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910885870.4A Pending CN110602112A (en) 2019-09-19 2019-09-19 MQTT (multiple quantum dots technique) secure data transmission method

Country Status (1)

Country Link
CN (1) CN110602112A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107852405A (en) * 2015-07-02 2018-03-27 康维达无线有限责任公司 Content security of the service layer
CN106817341A (en) * 2015-11-27 2017-06-09 中国科学院沈阳计算技术研究所有限公司 A SIP protocol throttling transmission system and method for the mobile Internet
WO2019127241A1 (en) * 2017-12-28 2019-07-04 Siemens Aktiengesellschaft Message queuing telemetry transport (MQTT) data transmission method, apparatus, and system
CN109088723A (en) * 2018-10-26 2018-12-25 四川长虹电器股份有限公司 A remote control method based on the MQTT protocol

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111182537A (en) * 2019-12-31 2020-05-19 北京指掌易科技有限公司 Network access method, device and system for mobile application
CN114531486A (en) * 2020-10-30 2022-05-24 中移物联网有限公司 Industrial internet data processing method, device, equipment and storage medium
CN114531486B (en) * 2020-10-30 2023-08-15 中移物联网有限公司 A method, device, equipment, and storage medium for industrial Internet data processing
CN114710544A (en) * 2022-03-23 2022-07-05 新华三信息安全技术有限公司 Channel establishing method and device
CN114710544B (en) * 2022-03-23 2023-11-03 新华三信息安全技术有限公司 Channel establishment method and device

Similar Documents

Publication Publication Date Title
CN108650227B (en) Handshaking method and system based on datagram secure transmission protocol
JP3497088B2 (en) Communication system and communication method
RU2554532C2 (en) Method and device for secure data transmission
CN111183619B (en) Data transmission, device connection method, apparatus and system
CN101496387A (en) System and method for access authentication in a mobile wireless network
EP1374533B1 (en) Facilitating legal interception of ip connections
CN106941491B (en) Safety application data link layer device and communication method of electricity information collection system
CN110602112A (en) MQTT (multiple quantum dots technique) secure data transmission method
CN110741660B (en) Data transmission between a terminal and an associated server
WO2017012142A1 (en) Dual-connection security communication method and apparatus
CN112565302A (en) Communication method, system and equipment based on security gateway
JP2001292174A (en) Method and communication device for constituting secured e-mail communication between mail domain of internet
CN113746861A (en) Data transmission encryption and decryption method and encryption and decryption system based on state encryption technology
CN111357305B (en) Communication method, device, system and storage medium of mobile platform
CN110474922B (en) Communication method, PC system and access control router
CN114697954A (en) Method and system for realizing remote card writing by using equipment long connection
CN108259176B (en) Digital signature method, system and terminal based on mobile phone card
CN108900584B (en) Data transmission method and system for content distribution network
CN109997342B (en) Method for providing service in network device, corresponding device and storage medium
JP4619059B2 (en) Terminal device, firewall device, method for firewall device control, and program
CN119678425A (en) Improved security establishment method and system
JP2004524601A (en) System based on data network
CN110351308B (en) Virtual private network communication method and virtual private network device
JPH1132088A (en) Network system
CN115801388B (en) Message transmission method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191220