Internet of Things security authentication method, system and terminal based on national cryptographic algorithm

Document No.: 1712301 Publication date: 2019-12-13

Reading note: This technology, "Internet of Things security authentication method, system and terminal based on national cryptographic algorithm", was designed by Fu Yong (付勇), Yang Meihong (杨美红), Wang Meiqin (王美琴), Guo Shanqing (郭山清), Wang Jizhi (王继志), Chen Lijuan (陈丽娟), Yang Ming (杨明), Yang Ying (杨英), Chen Zhenya (陈振娅), Mu Chao (穆超) and Li Guanlin (李冠霖) on 2019-10-24. Main content: The present disclosure discloses an Internet of Things security authentication method, system and terminal based on a national cryptographic algorithm. Basic information of the Internet of Things terminal is collected; the collected basic information is encrypted to obtain terminal identification information; the terminal identification information and a session key request are sent to a server, the terminal identification information being used by the server to verify the validity of the Internet of Things terminal. Timeout judging step: judge whether a set time period has been exceeded; if it has, return to the terminal identification information preparation step; if it has not, go on to judge whether a session key response message fed back by the server has been received. If the session key response message has been received, decrypt it, recover the session key and proceed to the next step; if it has not been received, return to the timeout judging step. The data to be transmitted by the Internet of Things terminal is encrypted with the session key, and the encrypted data is transmitted to the server.

1. An Internet of Things security authentication method based on a national cryptographic algorithm, applied to an Internet of Things terminal, characterized by comprising the following steps:

acquiring basic information of the Internet of Things terminal;

a terminal identification information preparation step: encrypting the acquired basic information of the Internet of Things terminal to obtain terminal identification information;

sending the terminal identification information and a session key request to a server, the terminal identification information being used by the server to verify the validity of the Internet of Things terminal;

a timeout judging step: judging whether a set time period has been exceeded; if it has, returning to the terminal identification information preparation step; if it has not, going on to judge whether a session key response message fed back by the server has been received;

if the session key response message fed back by the server has been received, decrypting the session key response message, recovering the session key, and proceeding to the next step; if it has not been received, returning to the timeout judging step;

encrypting the data to be transmitted by the Internet of Things terminal with the session key, and transmitting the encrypted data to the server.

2. The method according to claim 1, wherein the acquired data to be encrypted is encrypted to obtain the terminal identification information by the following specific steps:

the random number Nounce, the unique identifier of the MCU, the IMEI serial number of the NBIOT module and the root key are operated on and encrypted to obtain the unique terminal identification information MSG.

3. The method according to claim 1, wherein the acquired data to be encrypted is encrypted to obtain the terminal identification information by the following specific steps:

taking 1 byte of the random number Nounce as x, the high 4 bits being denoted xh and the low 4 bits being denoted xl;

taking 16 bytes of the unique identifier of the MCU as Muid;

denoting the 16-byte root key in the main control unit (MCU) as rootkey;

XORing Muid with rootkey byte by byte, then cyclically shifting the result left by xh bytes to obtain the 16-byte session key KEY;

generating a 16-byte all-zero string, denoted PL, and filling PL with the IMEI serial number starting from the low byte;

filling x into the last byte of PL, then cyclically shifting PL left by xl bytes;

encrypting PL with SM4 using KEY as the key, in electronic codebook (ECB) mode, to obtain the terminal identification information MSG.

4. The method according to claim 1, wherein the terminal identification information is used by the server to verify the validity of the Internet of Things terminal by the following specific steps:

after receiving a data packet sent by a terminal, the server first checks the data;

if the check result is inconsistent with the checksum in the data packet, the data packet is judged to be abnormal and is discarded;

otherwise, the first byte of the data packet is taken out;

if the first byte of the data packet is 0x60, the data packet is a communication request data packet and validity verification is carried out on it; the 2nd byte is the data length, fixed at 0x14; the 3rd to 5th bytes are the terminal number; the 6th byte is the verification method X; the 7th to 22nd bytes are the terminal identification information MSG;

the server takes out of the database the encrypted terminal MCU identifier CMuid and the encrypted NBIOT module identifier CIMEI corresponding to the terminal number;

CMuid is decrypted with the storage key to obtain Muid', and CIMEI is decrypted to obtain IMEI'; terminal identification information MSG1 is then calculated in the same manner as in the terminal identification information preparation step:

the high 4 bits of X are taken as Xh and the low 4 bits as Xl;

the 16-byte root key built into the server is denoted rootkey1;

Muid' is XORed with the root key rootkey1 byte by byte, and the result is cyclically shifted left by Xh bytes to obtain the 16-byte session key KEY1;

a 16-byte all-zero string, denoted PL1, is generated, and PL1 is filled with IMEI' starting from the low byte;

X is filled into the last byte of PL1, and PL1 is then cyclically shifted left by Xl bytes;

PL1 is encrypted with SM4 using KEY1 as the key, in electronic codebook (ECB) mode, to obtain the terminal identification information MSG1;

if MSG1 is consistent with MSG, the verification passes; otherwise the verification fails.
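The MSG preparation of claim 3 and the server-side recomputation of claim 4, as an added Python example (not code from the patent). Assumptions: the IMEI is 15 ASCII digits filling PL bytes 0 to 14 with "low byte" meaning index 0, all function names and sample values are constructed, SM4 is implemented inline per GM/T 0002-2012, and the constant-time comparison is an added hardening choice.

```python
import hmac

# SM4 S-box, system parameters FK and round constants CK (GM/T 0002-2012).
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948"
)
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = [int.from_bytes(bytes((4 * i + j) * 7 % 256 for j in range(4)), "big")
      for i in range(32)]

def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def _tau(v):
    # Byte-wise S-box substitution on a 32-bit word.
    return int.from_bytes(bytes(SBOX[b] for b in v.to_bytes(4, "big")), "big")

def sm4_encrypt_block(key, block):
    """Encrypt one 16-byte block with SM4 (ECB mode applied to a single block)."""
    k = [int.from_bytes(key[i:i + 4], "big") ^ FK[i // 4] for i in range(0, 16, 4)]
    x = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 16, 4)]
    round_keys = []
    for i in range(32):  # key schedule
        b = _tau(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i])
        k.append(k[i] ^ b ^ _rotl32(b, 13) ^ _rotl32(b, 23))
        round_keys.append(k[-1])
    for rk in round_keys:  # 32 encryption rounds
        b = _tau(x[-3] ^ x[-2] ^ x[-1] ^ rk)
        x.append(x[-4] ^ b ^ _rotl32(b, 2) ^ _rotl32(b, 10) ^ _rotl32(b, 18) ^ _rotl32(b, 24))
    return b"".join(v.to_bytes(4, "big") for v in reversed(x[-4:]))

def rotl_bytes(data, n):
    """Cyclic left shift by whole bytes, as the claims describe."""
    n %= len(data)
    return data[n:] + data[:n]

def terminal_msg(x, muid, imei, rootkey):
    """Claim 3: KEY = rotl(Muid XOR rootkey, xh); PL = rotl(IMEI || x, xl); MSG = SM4(KEY, PL)."""
    if len(muid) != 16 or len(rootkey) != 16 or len(imei) != 15 or not 0 <= x <= 0xFF:
        raise ValueError("expected 16-byte Muid/rootkey, 15-byte IMEI, 1-byte x")
    xh, xl = x >> 4, x & 0x0F
    key = rotl_bytes(bytes(a ^ b for a, b in zip(muid, rootkey)), xh)
    pl = rotl_bytes(imei + bytes([x]), xl)  # ASSUMPTION: IMEI as 15 ASCII digits
    return sm4_encrypt_block(key, pl)

def server_verify(x, msg, muid_db, imei_db, rootkey1):
    """Claim 4: recompute MSG1 from the stored identifiers and compare it with MSG."""
    # Constant-time comparison is an added hardening choice, not stated on the page.
    return hmac.compare_digest(terminal_msg(x, muid_db, imei_db, rootkey1), msg)

# Constructed sample values (not from the patent).
MUID = bytes(range(0x10, 0x20))
ROOTKEY = bytes.fromhex("00112233445566778899aabbccddeeff")
IMEI = b"123456789012345"
X = 0x3A
MSG = terminal_msg(X, MUID, IMEI, ROOTKEY)
```

The server recomputes everything from the transmitted X and its stored copies of Muid and IMEI, so both sides must agree on rootkey and on the IMEI encoding assumed here.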

5. The method according to claim 1, wherein the session key response message is generated by the following steps:

the server generates a 128-bit random number as the session key TKEY using a true random number generator; TKEY is encrypted with the storage key and then stored in the database;

the server generates a 32-bit random number as the session ID using a true random number generator and stores the session ID in the database;

the server generates an 8-bit random number using a true random number generator as the verification method T, and takes the high 4 bits as Th and the low 4 bits as Tl;

meanwhile, the 128-bit Nounce value required for CTR encryption and decryption is obtained: the (Tl + i)-th bytes of MSG are filled into Nounce, i ∈ [0, 1, 2, …, 13]; the remaining bits of Nounce are filled with 0 up to 128 bits; Nounce is encrypted with the storage key and stored in the database;

a 128-bit all-zero string INFO is generated; the 3-byte terminal number, the 4-byte session ID and the 1-byte verification method T are filled in, in that order, twice; INFO is XORed with MSG byte by byte and cyclically shifted left by Th bytes to obtain the encryption key INFO';

TKEY is XORed with rootkey byte by byte, the result is encrypted using INFO' as the key and cyclically shifted left by Tl bytes to obtain the session key TKEY1; a data packet is filled in according to the session key response message format and sent to the terminal.

6. The method according to claim 1, wherein, when the session key response message fed back by the server is received, the session key response message is decrypted and the session key is recovered by the following specific steps:

after receiving a data packet sent by the server, the terminal first checks the data; if the check result is inconsistent with the checksum in the data packet, the data packet is judged to be abnormal and is discarded;

otherwise, the first byte of the data packet is taken out; if the byte is 0x61, the message is a session key response message, which needs to be decrypted to recover the session key;

the 2nd byte is the data length, fixed at 0x18, and the terminal exits if the data length is not 0x18; bytes 3 to 5 are the terminal number, and the terminal exits if it is not consistent with this terminal's number; bytes 6 to 9 are the session ID; byte 10 is the verification method T1; bytes 11 to 26 are the session key TKEY1';

the high 4 bits of T1 are taken as Th' and the low 4 bits as Tl';

TKEY1' is cyclically shifted right by Tl' bytes to obtain the 128-bit temporary variable TKEY0';

a 128-bit all-zero string INFO1 is generated; the 3-byte terminal number, the 4-byte session ID and the 1-byte verification method T1 are filled in, in that order, twice; INFO1 is XORed with MSG byte by byte and cyclically shifted left by Th' bytes to obtain the encryption key INFO1';

TKEY0' is decrypted using INFO1' as the key, and the result is XORed with rootkey byte by byte to obtain the session key TKEY;

at the same time, the Nounce value required for CTR encryption and decryption is obtained:

the (T1 % 16 + i)-th bytes of MSG are filled into Nounce, i ∈ [0, 1, 2, …, 13].
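The 0x60 request and 0x61 response layouts from claims 4 and 6, with the INFO1' and Nounce derivations of claim 6, as an added Python example (not code from the patent). Assumptions: the checksum is a 2-byte CRC-16/CCITT-FALSE tail over all preceding bytes, Nounce byte indices past 15 wrap modulo 16 (the page specifies neither), and all names and sample values are constructed.

```python
import binascii
import hmac

REQ, RESP = 0x60, 0x61
FIXED_LEN = {REQ: 0x14, RESP: 0x18}  # length byte per frame type (claims 4 and 6)

class FrameError(ValueError):
    """Raised for any frame the receiver must discard."""

def crc_tail(body):
    # ASSUMPTION: CRC-16/CCITT-FALSE, big-endian; the page only mentions CRC bytes at the frame tail.
    return binascii.crc_hqx(body, 0xFFFF).to_bytes(2, "big")

def build_frame(ftype, payload):
    body = bytes([ftype, len(payload)]) + payload
    return body + crc_tail(body)

def parse_frame(frame, own_terminal_no=None):
    """Validate in the order the claims give: checksum, type byte, fixed length, terminal number."""
    if len(frame) < 4:
        raise FrameError("truncated frame")
    body, tail = frame[:-2], frame[-2:]
    if not hmac.compare_digest(crc_tail(body), tail):
        raise FrameError("checksum mismatch")
    ftype, length = body[0], body[1]
    if FIXED_LEN.get(ftype) != length or len(body) != 2 + length:
        raise FrameError("unexpected type or length")
    fields = {"type": ftype, "terminal_no": body[2:5]}
    if ftype == REQ:   # byte 6 = X, bytes 7-22 = MSG
        fields.update(x=body[5], msg=body[6:22])
    else:              # bytes 6-9 = session ID, byte 10 = T1, bytes 11-26 = TKEY1'
        if own_terminal_no is not None and fields["terminal_no"] != own_terminal_no:
            raise FrameError("terminal number mismatch")
        fields.update(session_id=body[5:9], t1=body[9], tkey1=body[10:26])
    return fields

def rotl_bytes(data, n):
    n %= len(data)
    return data[n:] + data[:n]

def info_key(terminal_no, session_id, t1, msg):
    """INFO1' = rotl((terminal no || session ID || T1) * 2 XOR MSG, Th')."""
    info = (terminal_no + session_id + bytes([t1])) * 2
    return rotl_bytes(bytes(a ^ b for a, b in zip(info, msg)), t1 >> 4)

def ctr_nounce(t1, msg):
    """Bytes (T1 % 16 + i) of MSG for i = 0..13, zero-padded to 128 bits."""
    start = t1 % 16
    # ASSUMPTION: the index wraps modulo 16 when it runs past the last byte of MSG.
    return bytes(msg[(start + i) % 16] for i in range(14)) + b"\x00\x00"

# Constructed sample values (not from the patent).
TERMINAL_NO = b"\x00\x00\x01"
SESSION_ID = b"\x11\x22\x33\x44"
SAMPLE_MSG = bytes(range(16))
REQUEST = build_frame(REQ, TERMINAL_NO + b"\x3a" + SAMPLE_MSG)
RESPONSE = build_frame(RESP, TERMINAL_NO + SESSION_ID + b"\x2e" + bytes(16))
```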

7. An Internet of Things security authentication method based on a national cryptographic algorithm, applied to a server, characterized by comprising the following steps:

acquiring terminal identification information and a session key request sent by a terminal;

verifying the validity of the terminal according to the terminal identification information sent by the terminal;

encrypting the session key request of a terminal that has passed the validity verification to obtain a session key response message;

feeding the session key response message back to the terminal.

8. An Internet of Things security authentication terminal based on a national cryptographic algorithm, characterized by comprising:

an acquisition module configured to: acquire basic information of the Internet of Things terminal;

a terminal identification information preparation module configured to: encrypt the acquired basic information of the Internet of Things terminal to obtain terminal identification information;

a validity verification module configured to: send the terminal identification information and a session key request to a server, the terminal identification information being used by the server to verify the validity of the Internet of Things terminal;

a timeout determination module configured to: judge whether a set time period has been exceeded; if it has, return to the terminal identification information preparation step; if it has not, go on to judge whether a session key response message fed back by the server has been received;

if the session key response message fed back by the server has been received, decrypt the session key response message, recover the session key, and enter the encryption module; if it has not been received, return to the timeout determination module;

an encryption module configured to: encrypt the data to be transmitted by the Internet of Things terminal with the session key, and transmit the encrypted data to the server.

9. An Internet of Things security authentication server based on a national cryptographic algorithm, characterized by comprising:

an acquisition module configured to: acquire terminal identification information and a session key request sent by a terminal;

a terminal validity verification module configured to: verify the validity of the terminal according to the terminal identification information sent by the terminal;

a session key response message generation module configured to: encrypt the session key request of a terminal that has passed the validity verification to obtain a session key response message;

a feedback module configured to: feed the session key response message back to the terminal.

10. An Internet of Things security authentication system based on a national cryptographic algorithm, characterized by comprising: the Internet of Things security authentication terminal based on a national cryptographic algorithm of claim 8 and the Internet of Things security authentication server based on a national cryptographic algorithm of claim 9.

Technical Field

The disclosure relates to the technical field of encryption and decryption of Internet of Things terminal data, and in particular to an Internet of Things security authentication method, system and terminal based on a national cryptographic algorithm.

Background

The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.

At present, terminal data in China's Internet of Things industry is unprotected or only weakly protected; data uploaded to servers by Internet of Things terminals lacks an effective means of encryption and has low security.

In the course of implementing the present disclosure, the inventors found that the following technical problems exist in the prior art:

In many cases, an Internet of Things terminal has only tens of kilobytes, or even just a few kilobytes, of ROM, and only hundreds of bytes to a few kilobytes of RAM. The terminal's processor is also weak and has a low clock frequency, and a considerable share of terminals are 8-bit and 16-bit microcontrollers that cannot run a complex public-key cryptographic algorithm (such as SM2) for key and session management. Even a lower-complexity symmetric cipher suffers from poor implementation efficiency and long encryption and decryption times on an Internet of Things terminal.

In many Internet of Things systems, keys are generally fixed inside the microprocessor in order to reduce system complexity; this approach is clearly not secure.

Disclosure of Invention

In order to overcome the defects of the prior art, the present disclosure provides an Internet of Things security authentication method, system and terminal based on a national cryptographic algorithm.

In a first aspect, the present disclosure provides an Internet of Things security authentication method based on a national cryptographic algorithm.

The Internet of Things security authentication method based on a national cryptographic algorithm is applied to an Internet of Things terminal and comprises the following steps:

acquiring basic information of the Internet of Things terminal;

a terminal identification information preparation step: encrypting the acquired basic information of the Internet of Things terminal to obtain terminal identification information;

sending the terminal identification information and a session key request to a server, the terminal identification information being used by the server to verify the validity of the Internet of Things terminal;

a timeout judging step: judging whether a set time period has been exceeded; if it has, returning to the terminal identification information preparation step; if it has not, going on to judge whether a session key response message fed back by the server has been received;

if the session key response message fed back by the server has been received, decrypting the session key response message, recovering the session key, and proceeding to the next step; if it has not been received, returning to the timeout judging step;

encrypting the data to be transmitted by the Internet of Things terminal with the session key, and transmitting the encrypted data to the server.

In a second aspect, the present disclosure also provides an Internet of Things security authentication method based on a national cryptographic algorithm.

The Internet of Things security authentication method based on a national cryptographic algorithm is applied to a server and comprises the following steps:

acquiring terminal identification information and a session key request sent by a terminal;

verifying the validity of the terminal according to the terminal identification information sent by the terminal;

encrypting the session key request of a terminal that has passed the validity verification to obtain a session key response message;

feeding the session key response message back to the terminal.

In a third aspect, the present disclosure further provides an Internet of Things security authentication terminal based on a national cryptographic algorithm.

The Internet of Things security authentication terminal based on a national cryptographic algorithm comprises:

an acquisition module configured to: acquire basic information of the Internet of Things terminal;

a terminal identification information preparation module configured to: encrypt the acquired basic information of the Internet of Things terminal to obtain terminal identification information;

a validity verification module configured to: send the terminal identification information and a session key request to a server, the terminal identification information being used by the server to verify the validity of the Internet of Things terminal;

a timeout determination module configured to: judge whether a set time period has been exceeded; if it has, return to the terminal identification information preparation step; if it has not, go on to judge whether a session key response message fed back by the server has been received;

if the session key response message fed back by the server has been received, decrypt the session key response message, recover the session key, and enter the encryption module; if it has not been received, return to the timeout determination module;

an encryption module configured to: encrypt the data to be transmitted by the Internet of Things terminal with the session key, and transmit the encrypted data to the server.

In a fourth aspect, the present disclosure also provides an Internet of Things security authentication server based on a national cryptographic algorithm.

The Internet of Things security authentication server based on a national cryptographic algorithm comprises:

an acquisition module configured to: acquire terminal identification information and a session key request sent by a terminal;

a terminal validity verification module configured to: verify the validity of the terminal according to the terminal identification information sent by the terminal;

a session key response message generation module configured to: encrypt the session key request of a terminal that has passed the validity verification to obtain a session key response message;

a feedback module configured to: feed the session key response message back to the terminal.

In a fifth aspect, the present disclosure further provides an Internet of Things security authentication system based on a national cryptographic algorithm.

The Internet of Things security authentication system based on a national cryptographic algorithm comprises: the Internet of Things security authentication terminal based on a national cryptographic algorithm of the third aspect and the Internet of Things security authentication server based on a national cryptographic algorithm of the fourth aspect.

Compared with the prior art, the beneficial effects of this disclosure are:

The scheme mainly comprises a high-performance national cryptographic library, key and session management, and communication data frame design.

1. High-performance national cryptographic library: the SM4 algorithm is optimized and implemented for a 16-bit microcontroller (such as the MSP430FR5739), which removes the key performance bottleneck of slow data encryption and decryption. An advanced CTR mode is also adopted, which avoids the data padding required by modes such as ECB and CBC and so improves the performance of the algorithm, while still effectively ensuring data security: the same data from the same terminal yields different ciphertext each time it is encrypted.

2. Key and session management: key security is the foundation of data security. True random numbers are generated from the noise and random data of the terminal, and the random numbers are ingeniously used for key generation to ensure the reliability of the system. A strategy of one key per terminal with periodic key updates is also designed, which further improves the security of the system. Encryption over the full data link ensures that no plaintext is transmitted on the communication link, so data is not leaked even if the communication link is intercepted.

3. Concise and reliable data frame design: a simplified data frame format and data specification are designed for the characteristics of Internet of Things terminal data, and the transmitted data is given a basic check through CRC (cyclic redundancy check) bytes at the end of the frame.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application.

FIG. 1 is a flow chart of the method of the first embodiment.

Detailed Description

It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.

It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the example embodiments according to the present application. As used herein, unless the context clearly indicates otherwise, the singular forms "a", "an" and "the" are intended to include the plural forms as well; it should further be understood that the terms "comprises" and/or "comprising", when used in this specification, specify the presence of the stated features, steps, operations, devices, components, and/or combinations thereof.

Interpretation of terms:

GNSS: global navigation satellite system; supports China's BeiDou satellite navigation system and the U.S. Global Positioning System (GPS);

NBIOT: narrowband Internet of Things;

IMEI: international mobile equipment identity;

MSG: terminal identification information;
