CN115834211B - CoAP network security access method based on software defined boundary - Google Patents

CoAP network security access method based on software defined boundary

Info

Publication number
CN115834211B
CN115834211B (application CN202211484839.8A)
Authority
CN
China
Prior art keywords
client
sdp
coap
gateway
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211484839.8A
Other languages
Chinese (zh)
Other versions
CN115834211A (en)
Inventor
张伟
李子轩
陈云芳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing University of Posts and Telecommunications
Filing date
Publication date
Application filed by Nanjing University of Posts and Telecommunications
Priority to CN202211484839.8A
Publication of CN115834211A
Application granted
Publication of CN115834211B
Legal status: Active
Anticipated expiration

Abstract

The embodiment of the invention belongs to the technical field of information security and relates to a CoAP network security access method based on a software defined boundary. In order to alleviate the security problem of the resource-limited CoAP server, software defined boundary technology is combined with the CoAP network. The method comprises the following steps: introducing an SDP controller and an SDP gateway into the CoAP communication system; the client registering with the SDP controller when it comes online; the client sending an SPA data packet containing its own identity information and CoAP request context information to the SDP controller; the SDP controller carrying out multi-factor identity authentication and multi-dimensional trust evaluation on the request; and, only for a trusted request, the SDP controller instructing the SDP gateway to forward the client's data to the CoAP server. The communication security of the CoAP server is thereby improved without occupying the resources of the CoAP server.

Description

CoAP network security access method based on software defined boundary
Technical Field
The invention belongs to the technical field of CoAP network security access, and particularly relates to a CoAP network security access method based on a software defined boundary.
Background
With the wide application of the internet of things, the number of internet of things devices presents a rapid growth trend. The number of internet of things (Internet of Things, IoT) devices worldwide is expected to increase from 87.4 billion in 2020 to over 254 billion in 2030. A significant portion of these devices are small, resource-limited devices, and many of them are battery powered, so their lifetime can only be extended by conserving energy consumption as much as possible.
In view of the resource limitations and heterogeneity of internet of things devices, researchers have developed various lightweight communication protocols for the internet of things, the most common being the message queue telemetry transport protocol (Message Queuing Telemetry Transport, MQTT) and the constrained application protocol (Constrained Application Protocol, CoAP). The CoAP protocol is an HTTP-like request/response protocol designed specifically for small internet of things devices; its transport layer uses UDP, and it is mostly used for web-like communication in constrained environments such as wireless sensor networks. CoAP is REST-based: as on the internet, the resource address of the server has a URI-like format, and CoAP provides resource-oriented interaction in the client-server architecture using GET, POST, PUT and DELETE commands similar to those of HTTP. Compared with the TCP-based MQTT protocol, the UDP-based CoAP protocol reduces computational overhead, lowers bandwidth requirements and consumes fewer resources. Once internet of things devices and protocols have been made lightweight, one major problem still has to be considered, namely privacy and security. CoAP is an emerging internet of things protocol and faces many security threats such as resolution attacks, amplification attacks, man-in-the-middle attacks and denial of service attacks; in addition, CoAP server resources are quite limited, so it is difficult to solve these security problems by adopting complex security functions.
To solve the security problem of CoAP networks, it is necessary to design a security framework based on software defined boundaries. The framework realizes safety protection by means of the SDP controller and the SDP gateway of the third party, and does not occupy the resources of the server. The SDP gateway is deployed in front of the CoAP server to hide server resources externally. The SDP controller performs identity authentication and trust evaluation on the access request. Only if the confidence level is greater than the trust threshold will the SDP controller instruct the SDP gateway to forward the communication data between the client and the server.
Disclosure of Invention
In order to alleviate the security problem of the CoAP server with limited resources, the invention combines the software definition boundary technology with the CoAP network, utilizes the SDP gateway to hide CoAP service, and utilizes the SDP controller to carry out multi-factor identity authentication and multi-dimensional trust evaluation on the client. Therefore, the communication safety of the CoAP client and the CoAP server is ensured under the condition that the resources of the CoAP server are not occupied.
In order to achieve the above purpose, the invention provides a CoAP network security access method based on a software defined boundary, which comprises the following steps:
S1, adding an SDP gateway and an SDP controller before a CoAP server;
S2, the client registers on the SDP controller;
S3, the client sends an SPA data packet to the SDP controller;
S4, the SDP controller carries out identity authentication on the client according to the information in the SPA packet, and if the identity authentication passes, the step S5 is skipped;
S5, the SDP controller performs trust calculation on the request, and if the trust value is greater than a threshold value, the step S6 is skipped;
S6, the SDP controller sends the information of the client to an SDP gateway;
S7, the client sends an SPA data packet to the SDP gateway, the SDP gateway carries out cross verification on the information in the SPA packet and the information received from the SDP controller, and if the verification is passed, the SDP gateway updates its firewall rules and opens a designated service port for the client for a preset time;
and S8, the user establishes a DTLS connection with the CoAP server through the gateway to communicate.
Further, the step S1 includes that the server numbers each service or resource (this number is called the sdpid) and provides the resource information to the SDP controller and the SDP gateway, and the SDP controller and the SDP gateway store the mapping between sdpid and server.
Further, the step S2 comprises the client registering its own user name and password with the SDP controller; the SDP controller generates for the client a symmetric encryption key for encrypting the SPA data packet and an HMAC key for generating the digest, and provides the client with the address of the SDP gateway, the sdpid of all services and the port numbers to which they are mapped on the SDP gateway.
Further, the step S3 includes that the SPA data packet sent by the client contains the IP, user name and password of the client, the context of the CoAP request and the HMAC digest, and that the SPA packet is encrypted.
Further, S4 includes the SDP controller decrypting the SPA packet using the symmetric key and verifying whether the IP, user name, password hash and HMAC contained in the SPA are correct.
Further, S5 comprises the SDP controller calculating the comprehensive trust value and the trust threshold value based on multidimensional attributes; if the comprehensive trust value is larger than the trust threshold required by the resource, the client is trusted, otherwise the client is not trusted.
Further, the calculation method of the trust value and the trust threshold is as follows:
the calculation of the trust value consists of two parts, namely a direct trust value DT and a comprehensive trust value CT;
the direct trust value consists of four parts, namely the initial trust degree Ti of the client, the security trust degree Tdtls of the DTLS, the environment trust value Te and the abnormal behavior trust evaluation value Tb;
Ti is the initial trust score obtained after the client has passed identity verification and is set to 100;
Tdtls depends on the encryption mode of the DTLS tunnel; different encryption modes correspond to different security levels sl, where sl takes an integer value in [0,3]: sl is 0 if the DTLS mode is NoSec, 1 if it is PresharedKey, 2 if it is RawPublicKey, and 3 if it is Certificates;
the calculation formula of Tdtls is as follows:
Te is the proportion of trusted requests received by the SDP controller over the last 1 minute; assuming that the number of trusted requests is Nt and the number of untrusted requests is Nut, Te is calculated as follows:
Tb is the proportion of abnormal behavior of the client; assuming that the number of normal request behaviors of the client evaluated by the system is Nn and the number of abnormal request behaviors is Nan, Tb is calculated as follows:
the formula for calculating the direct trust value DT is as follows, w being the weighting coefficient of each trusted source:
DT=Ti+w1*Tdtls+w2*Te+w3*Tb
The comprehensive trust value is obtained by weighting the direct trust value and the comprehensive trust value of the last access. The SDP controller records the comprehensive trust value of the client and the time at which it was generated. Let ti be the time of the current request, tj the time of the last request, DTi the direct trust value evaluated by the SDP controller for the current request, and CTj the comprehensive trust value calculated at the last request tj; the comprehensive trust value CTi of the current request is calculated as follows:
the calculation formula of the trust threshold Tth is as follows:
Tth=MAX(Opcon*Obcon,Opint*Obint)
Obcon refers to the confidentiality of the target accessed by the client, and Obint refers to the integrity of that target. Different targets have different confidentiality and integrity requirements: for targets such as temperature values the confidentiality is set to 0 but the integrity requirement is high and is set to 100, whereas targets related to personal privacy have extremely high confidentiality but low integrity requirements.
Op is the influence factor that each of the four request modes (create, delete, modify, read) has on the confidentiality and integrity of the target data: if the client request mode is GET, the confidentiality influence factor Opcon is 1 and the integrity influence factor Opint is 0; if the request mode is POST or PUT, Opcon is 0.5 and Opint is 0.5; and if the request mode is DELETE, Opcon is 0 and Opint is 1.
Further, S7 comprises the SDP controller sending the SPA (including the HMAC key and the symmetric encryption key) to the SDP gateway; the gateway decrypts the SPA data packet using the symmetric encryption key, verifies the HMAC digest and compares whether the information in the two SPA packets is the same; if it is, this proves that it is the same client.
Further, the step S7 comprises the SDP gateway discarding all received non-SPA data packets by default; when the SDP gateway has verified the client, the gateway adds a firewall rule that forwards the non-SPA data packets of that client to the corresponding server, and the rule is valid for a preset time.
Compared with the prior art, the technical scheme of the invention has the following beneficial technical effects:
CoAP is an emerging internet of things protocol that faces various network security problems, and because of its lightweight character the traditional complex security functions cannot be implemented on it. SDP technology and CoAP are combined, a new security framework SDP-CoAP is designed to alleviate the advanced security threats faced by traditional CoAP, and the implementation of the SDP-CoAP architecture is described in detail. Although the SDP authentication process adds delay to the communication between devices, the SDP-CoAP authentication process occurs only once before a connection is established, and running the SDP component does not introduce significant computational overhead on the resource-constrained CoAP client. The method provides a reference scheme for improving the security capability of lightweight internet of things protocols such as CoAP by introducing a zero trust mechanism.
Drawings
Fig. 1 is a CoAP network structure based on SDP provided in an embodiment of the present invention;
fig. 2 is a structure of an SPA packet according to an embodiment of the present invention;
Fig. 3 is a communication process of a CoAP network based on SDP according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms "comprises" and "comprising" and any variations thereof, in the description and claims, are intended to cover a non-exclusive inclusion, such that a device that comprises a sequence of steps or structures is not necessarily limited to those structures or steps that are expressly listed or inherent to such process or device but may include other steps or structures not expressly listed or inherent to such process or device.
Referring to fig. 1-3, an embodiment of the present invention proposes a CoAP network security access method based on a software defined boundary, the method comprising the steps of:
1, adding an SDP gateway and an SDP controller before a CoAP server;
2, the client registers on the SDP controller;
3, the client sends SPA data packets to the SDP controller;
4, the SDP controller performs identity authentication according to the information in the SPA packet, and if the identity authentication passes, the SDP controller jumps to 5;
5, the SDP controller carries out trust evaluation on the request, and if the trust value is greater than a threshold value, the process jumps to 6;
6, the SDP controller sends the information of the client to the gateway;
7, the client sends an SPA data packet to the SDP gateway, the SDP gateway carries out cross verification on the information in the SPA packet and the information received from the SDP controller, and after verification is passed, the SDP gateway updates its firewall rules and opens a designated service port for the client for a preset time;
and 8, establishing DTLS connection between the user and the CoAP server through the gateway.
Further, in step 1, an SDP controller and an SDP gateway are deployed in the CoAP network, as shown in fig. 1. The server numbers each service or resource (the number is called the sdpid) and provides the resource information to the SDP controller and the SDP gateway. With the SDP gateway deployed in front of the CoAP server, the URI of the server is hidden behind the gateway and is not exposed externally; only the SDP gateway knows the server URI corresponding to each sdpid.
Further, in step 2, the client registers its IP address, user name and password with the SDP controller, and to prevent leakage the SDP controller stores a hash of the password in its database rather than the password itself. The controller provides the client with a symmetric encryption key for encrypting SPA packets and an HMAC key for generating message authentication codes, together with the address of the SDP gateway and the sdpid of all services.
Further, in step 3, the packet structure of the SPA is shown in fig. 2. The SPA contains three parts. The first part is the UDP header containing the IP information of the visitor. The second part is the basic message part, which contains a time stamp and a 32-bit random number to prevent replay attacks, a user name and a password for identity authentication (the password is carried as a hash value to prevent leakage in transit), and the CoAP request context information, consisting of the access mode, the sdpid of the resource to be accessed and the DTLS tunnel encryption mode. The access mode is one of GET (read), PUT (create), POST (modify) and DELETE (delete). The DTLS encryption modes NoSec, PresharedKey, RawPublicKey and Certificates respectively mean that no DTLS connection is established, that the DTLS connection is established with a pre-shared symmetric key, that the device is forced to establish the DTLS connection using a preset key list, and that the DTLS connection is established using an asymmetric key and an X.509 certificate; their security ranges from low to high in that order. The third part is the HMAC digest, generated to verify the identity of the device. Finally, the whole SPA packet is encrypted, using the Rijndael algorithm.
Further, in step 4, the SDP controller decrypts the SPA packet using the symmetric key and first performs identity authentication by comparing the IP, user name and password hash included in the SPA against its database. Device authentication is then performed by verifying the digest with the HMAC key; if the digest verifies, the client device is registered. In addition, the controller records the last valid authorized SPA packet it received, so that an attacker cannot replay old packets. If identity authentication and device authentication both pass and the SPA packet is not a repeat, the process jumps to step 5; otherwise nothing is done.
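The following is an added example, not code from the patent, of the client-side SPA construction (step 3) and the controller-side checks of step 4: identity check against the registration record, device check by verifying the HMAC digest, and rejection of stale or repeated packets. Everything beyond the description is an assumption: fields are JSON-encoded, the nonce is 4 random bytes, passwords are stored as salted PBKDF2 hashes, the replay window is 60 s, and the Rijndael/AES layer that encrypts the whole SPA is omitted (the standard library has no AES), so the packet is shown in its pre-encryption form.

```python
"""SPA packet construction and controller-side verification (steps 3 and 4).

Added example, not the patent's code. Assumed details: JSON field encoding,
4-byte nonce, salted PBKDF2 password hashes, a 60 s replay window, and no
outer Rijndael/AES encryption of the packet (omitted here).
"""
import hashlib
import hmac
import json
import os
import time

DTLS_MODES = ("NoSec", "PresharedKey", "RawPublicKey", "Certificates")
METHODS = ("GET", "POST", "PUT", "DELETE")


def password_hash(password: str, salt: bytes) -> str:
    """Salted PBKDF2 hash; the client sends this form and the controller stores it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def canonical(body: dict) -> bytes:
    """Deterministic encoding so client and controller HMAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_spa(username, password, salt, hmac_key, method, sdpid, dtls_mode, now=None):
    """Client side: basic message part (fig. 2, part 2) plus the HMAC digest (part 3)."""
    body = {
        "timestamp": int(time.time() if now is None else now),
        "nonce": os.urandom(4).hex(),          # 32-bit random number against replay
        "username": username,
        "password_hash": password_hash(password, salt),
        "method": method,                      # CoAP request context follows
        "sdpid": sdpid,
        "dtls_mode": dtls_mode,
    }
    digest = hmac.new(hmac_key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac": digest}


class Controller:
    """SDP controller: registration database plus SPA verification."""

    def __init__(self, replay_window=60):
        self.clients = {}          # username -> registered record
        self.seen = set()          # (username, timestamp, nonce) of accepted SPAs
        self.replay_window = replay_window

    def register(self, username, password, ip):
        """Step 2: store IP, user name and password hash; issue the per-client HMAC key."""
        salt = os.urandom(16)
        self.clients[username] = {
            "ip": ip,
            "password_hash": password_hash(password, salt),
            "hmac_key": os.urandom(32),
        }
        return salt, self.clients[username]["hmac_key"]

    def verify_spa(self, src_ip, spa, now=None):
        """Step 4: identity check, device check (HMAC) and replay check.

        Returns (accepted, reason); a rejected packet is simply dropped."""
        now = time.time() if now is None else now
        body = spa.get("body", {})
        rec = self.clients.get(body.get("username"))
        if rec is None or rec["ip"] != src_ip:
            return False, "unknown user or ip mismatch"
        if not hmac.compare_digest(rec["password_hash"], body.get("password_hash", "")):
            return False, "password hash mismatch"
        expected = hmac.new(rec["hmac_key"], canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, spa.get("hmac", "")):
            return False, "hmac mismatch"          # unregistered device or altered packet
        if body.get("method") not in METHODS or body.get("dtls_mode") not in DTLS_MODES:
            return False, "bad request context"
        if abs(now - body.get("timestamp", 0)) > self.replay_window:
            return False, "timestamp outside window"
        key = (body["username"], body["timestamp"], body["nonce"])
        if key in self.seen:
            return False, "replayed packet"
        self.seen.add(key)
        return True, "ok"
```

Both digests are compared with `hmac.compare_digest` so that the controller does not leak, through timing, how many bytes of a forged digest were correct; the replay set is keyed on (user, timestamp, nonce), so a packet captured on the wire is useless once the legitimate copy has been accepted or the 60 s window has passed.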
Further, in step 5, the SDP controller calculates a comprehensive trust value and a trust threshold based on multidimensional attributes; if the comprehensive trust value is greater than the trust threshold required by the resource, the client is trusted, otherwise it is not. The calculation of the trust value consists of two parts, namely a direct trust value DT and a comprehensive trust value CT.
The direct trust value consists of four parts, namely the initial trust degree Ti of the client, the security trust degree Tdtls of the DTLS, the environment trust value Te and the abnormal behavior trust evaluation value Tb;
Ti is the initial trust score obtained after the subject has passed identity verification and is set to 100;
Tdtls depends on the encryption mode of the DTLS tunnel; different encryption modes correspond to different security levels sl, where sl takes an integer value in [0,3] as shown in the table.
The calculation formula of Tdtls is as follows:
Te is determined by the current network environment and is the proportion of trusted requests received by the SDP controller. Assuming that, among all requests received within the last 1 minute, the number of trusted requests is Nt and the number of untrusted requests is Nut, Te is calculated as follows:
Tb is the proportion of abnormal behavior of the client. Assuming that the number of normal request behaviors of the client evaluated by the system is Nn and the number of abnormal request behaviors is Nan, Tb is calculated as follows.
The formula for calculating the direct trust value DT is as follows, w being the weighting coefficient of each trusted source:
DT=Ti+w1*Tdtls+w2*Te+w3*Tb
In order to take historical factors into account, comprehensive trust is further introduced: the comprehensive trust value is a weighted combination of the direct trust value and the comprehensive trust value at the last access. The SDP controller records the comprehensive trust value of the client and the time at which it was generated. Let ti be the time of the current request, tj the time of the last request, DTi the direct trust value evaluated by the SDP controller for the current request, and CTj the comprehensive trust value calculated at the last request tj; the comprehensive trust value CTi of the current request is calculated as follows:
θ is a Gaussian decay function: the closer the last request is to the current one, the greater its reference value, and the effect of the last visit diminishes as time passes. In addition, to prevent an attacker from accumulating trust through several normal accesses before carrying out an attack, the historical factor is taken into account only when the last comprehensive trust value is smaller than the current trust value;
the calculation formula of the trust threshold Tth is as follows:
Tth=MAX(Opcon*Obcon,Opint*Obint)
Obcon refers to the confidentiality of the target accessed by the client, and Obint refers to the integrity of that target. Different targets have different confidentiality and integrity requirements: for targets such as temperature values the confidentiality is set to 0 but the integrity requirement is high and is set to 100, whereas targets related to personal privacy have extremely high confidentiality but low integrity requirements.
Op is the influence factor that each of the four request modes (create, delete, modify, read) has on the confidentiality and integrity of the target data: if the client request mode is GET, the confidentiality influence factor Opcon is 1 and the integrity influence factor Opint is 0; if the request mode is POST or PUT, Opcon is 0.5 and Opint is 0.5; and if the request mode is DELETE, Opcon is 0 and Opint is 1.
When the comprehensive trust value is greater than the trust threshold, the process jumps to step 6.
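The trust evaluation of step 5, carried through as an added example (not the patent's own code). The DT and Tth formulas, Ti = 100, the sl levels and the Op factors are taken from the description above. The page does not state the formulas for Tdtls, Te, Tb, θ or CTi, so the forms used here are assumptions: Tdtls = 100·sl/3, Te = 100·Nt/(Nt+Nut), Tb = 100·Nan/(Nn+Nan) with a negative w3 so that anomalies lower DT, θ = exp(−(ti−tj)²/(2σ²)) with σ = 300 s, and CTi = θ·CTj + (1−θ)·DTi when CTj < DTi, otherwise CTi = DTi. The weights w1..w3 are also assumed.

```python
"""Trust evaluation on the SDP controller (step 5).

Added example, not the patent's code. DT, Tth, Ti = 100, the sl levels and
the Op factors follow the description; Tdtls, Te, Tb, theta, CTi and the
weights are assumptions because the page gives no formulas for them.
"""
import math

SECURITY_LEVEL = {"NoSec": 0, "PresharedKey": 1, "RawPublicKey": 2, "Certificates": 3}
# (Opcon, Opint) per request method, as stated in the description
OP_FACTORS = {"GET": (1.0, 0.0), "POST": (0.5, 0.5), "PUT": (0.5, 0.5), "DELETE": (0.0, 1.0)}
T_INITIAL = 100.0            # Ti after successful identity verification
WEIGHTS = (0.3, 0.3, -0.5)   # assumed w1, w2, w3 (w3 < 0: anomalies reduce trust)
SIGMA = 300.0                # assumed width of the Gaussian decay, in seconds


def t_dtls(mode):
    """Assumed: scale the security level sl in [0,3] onto [0,100]."""
    return 100.0 * SECURITY_LEVEL[mode] / 3.0


def t_env(n_trusted, n_untrusted):
    """Assumed: percentage of trusted requests in the last minute."""
    total = n_trusted + n_untrusted
    return 100.0 * n_trusted / total if total else 0.0


def t_behaviour(n_normal, n_abnormal):
    """Assumed: percentage of this client's requests judged abnormal."""
    total = n_normal + n_abnormal
    return 100.0 * n_abnormal / total if total else 0.0


def direct_trust(mode, n_trusted, n_untrusted, n_normal, n_abnormal, w=WEIGHTS):
    """DT = Ti + w1*Tdtls + w2*Te + w3*Tb (formula from the description)."""
    return (T_INITIAL + w[0] * t_dtls(mode) + w[1] * t_env(n_trusted, n_untrusted)
            + w[2] * t_behaviour(n_normal, n_abnormal))


def theta(t_i, t_j, sigma=SIGMA):
    """Assumed Gaussian decay: 1 for back-to-back requests, falling towards 0."""
    return math.exp(-((t_i - t_j) ** 2) / (2.0 * sigma ** 2))


def comprehensive_trust(dt_i, ct_j, t_i, t_j):
    """History counts only when the last CT is below the current DT, so a run of
    benign accesses cannot bank trust for a later abusive request."""
    if ct_j is None or ct_j >= dt_i:
        return dt_i
    th = theta(t_i, t_j)
    return th * ct_j + (1.0 - th) * dt_i


def trust_threshold(method, ob_con, ob_int):
    """Tth = MAX(Opcon*Obcon, Opint*Obint) (formula from the description)."""
    op_con, op_int = OP_FACTORS[method]
    return max(op_con * ob_con, op_int * ob_int)


def evaluate(method, mode, ob_con, ob_int, n_trusted, n_untrusted,
             n_normal, n_abnormal, t_i, last=None):
    """Returns (CTi, Tth, trusted). `last` is the controller's stored (CTj, tj)."""
    dt_i = direct_trust(mode, n_trusted, n_untrusted, n_normal, n_abnormal)
    ct_j, t_j = last if last is not None else (None, None)
    ct_i = comprehensive_trust(dt_i, ct_j, t_i, t_j)
    tth = trust_threshold(method, ob_con, ob_int)
    return ct_i, tth, ct_i > tth
```

With the temperature example from the description (Obcon = 0, Obint = 100), a GET has a threshold of 0 and is always admitted, while a DELETE must clear 100: a client on a NoSec tunnel with half of its recent behaviour flagged as abnormal falls short of that, whereas a Certificates-mode client with a clean history clears it comfortably.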
Further, in step 6, the SDP controller sends the client terminal information to the SDP gateway, including the IP information of the visitor, the user name and password, the HMAC key, the Rijndael encryption key, the access mode, the resource sdpid to be accessed, and the DTLS tunnel encryption mode.
Further, in step 7, the client generates an SPA packet again and this time sends it to the SDP gateway. The SDP gateway decrypts the SPA packet using the Rijndael key received in step 6, verifies the digest with the HMAC key, and compares the IP, user name, password and CoAP request context information contained in the SPA with those received in step 6; if they match, the SDP gateway adds an iptables rule forwarding packets from the client to the CoAP server. This rule is deleted after 20 s.
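An added example (not the patent's code) of the gateway side of steps 6 and 7: the controller's announcement is held until the client's own SPA arrives, the two are cross-verified field by field, and only then is a forwarding rule installed that lapses after the 20 s stated above, while everything else stays on the default-drop path. It assumes the gateway has already decrypted the client's SPA and checked its HMAC with the keys from step 6, that the controller's message is represented as a dict with the same field names, and that the iptables command is only rendered as text, never executed.

```python
"""SDP gateway: cross-verification, default drop and a 20 s forwarding rule.

Added example, not the patent's code. Assumes the SPA body has already been
decrypted and HMAC-verified, that the controller's step-6 message is a dict
with the same field names, and that iptables commands are only rendered.
"""
import time

RULE_TTL = 20  # seconds, from the description above
CONTEXT_FIELDS = ("username", "password_hash", "method", "sdpid", "dtls_mode")


class Gateway:
    def __init__(self, service_ports):
        self.service_ports = service_ports   # sdpid -> UDP port mapped on the gateway
        self.pending = {}                    # client IP -> fields received from the controller
        self.rules = {}                      # (client IP, port) -> expiry time

    def receive_from_controller(self, info):
        """Step 6: the controller announces an authenticated, trusted client."""
        self.pending[info["ip"]] = info

    def cross_verify(self, src_ip, spa_body):
        """Step 7: the client's SPA must match what the controller said, field by field."""
        ref = self.pending.get(src_ip)
        return ref is not None and all(ref.get(k) == spa_body.get(k) for k in CONTEXT_FIELDS)

    def handle_spa(self, src_ip, spa_body, now=None):
        """On a match, open the service port for RULE_TTL seconds and return the rule text."""
        now = time.time() if now is None else now
        if not self.cross_verify(src_ip, spa_body):
            return None                          # silently dropped, like any non-SPA packet
        port = self.service_ports[spa_body["sdpid"]]
        self.rules[(src_ip, port)] = now + RULE_TTL
        self.pending.pop(src_ip)                 # the controller's announcement is single-use
        return f"iptables -I FORWARD -p udp -s {src_ip} --dport {port} -j ACCEPT"

    def should_forward(self, src_ip, dport, now=None):
        """Default policy is drop; only an unexpired rule lets a non-SPA packet through."""
        now = time.time() if now is None else now
        expiry = self.rules.get((src_ip, dport))
        if expiry is None:
            return False
        if now >= expiry:
            del self.rules[(src_ip, dport)]      # the 20 s window has lapsed
            return False
        return True
```

The announcement is consumed on first use and the rule is keyed on source IP and destination port, so a second SPA for the same client, or traffic to a port other than the one mapped for the requested sdpid, is dropped until the controller has authorised it afresh.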
Further, in step 8, the client sends a CoAP request to the server or establishes a DTLS connection, so that secure communication can be achieved.
While the invention has been described above by way of example, it will be apparent that the invention is not limited to the above embodiments, but is intended to cover various insubstantial modifications of the method concepts and technical solutions of the invention, or applications of the inventive concepts and technical solutions without modifications, as are within the scope of the invention. The protection scope of the present invention shall be subject to the protection scope defined by the claims.

Claims (8)

1.一种基于软件定义边界的CoAP网络安全访问方法,其特征在于,该方法包括以下步骤:1. A CoAP network security access method based on software-defined boundaries, characterized in that the method comprises the following steps: S1:CoAP服务器添加SDP网关和SDP控制器;S1: CoAP server adds SDP gateway and SDP controller; S2:客户端在SDP控制器上注册;S2: The client registers on the SDP controller; S3:客户端向SDP控制器发送SPA数据包;S3: The client sends a SPA packet to the SDP controller; S4:SDP控制器根据SPA数据包中的信息对客户端进行身份认证,如果身份认证通过,则跳转到S5;S4: The SDP controller authenticates the client based on the information in the SPA data packet. If the authentication succeeds, the process jumps to S5. S5:SDP控制器对本次请求进行信任计算,如果信任值大于阈值,则跳转到S6;S5: The SDP controller performs a trust calculation on this request. If the trust value is greater than the threshold, it jumps to S6. S6:SDP控制器将客户端的信息发送到SDP网关;S6: The SDP controller sends the client information to the SDP gateway; S7:客户端向SDP网关发送SPA数据包;SDP网关将SPA数据包中的信息与从SDP控制器接收到信息进行交叉验证,若验证通过,SDP网关更新其防火墙规则,在预设时间内对该客户端开启指定的服务端口;若验证失败,则通信失败;S7: The client sends an SPA packet to the SDP gateway. The SDP gateway cross-validates the information in the SPA packet with the information received from the SDP controller. If the validation succeeds, the SDP gateway updates its firewall rules and opens the specified service port to the client within a preset time. If the validation fails, the communication fails. 
S8:用户通过网关与CoAP服务器建立DTLS连接进行通信;S8: The user establishes a DTLS connection with the CoAP server through the gateway for communication; 所述信任值和信任阈值的计算方法如下:The calculation method of the trust value and trust threshold is as follows: 信任值的计算由两个部分构成,分别是直接信任值DT和综合信任值CT;The calculation of trust value consists of two parts: direct trust value DT and comprehensive trust value CT; 直接信任值由四部分组成:客户端的初始可信度Ti,DTLS安全性可信度Tdtls,环境信任值Te,异常行为信任评估值TbThe direct trust value consists of four parts: the client's initial trustworthiness Ti , the DTLS security trustworthiness Tdtls , the environmental trust value Te , and the abnormal behavior trust evaluation value Tb ; Ti是根据客户端经过了身份验证后得到的初始信任分数,设置为100; Ti is the initial trust score obtained after the client has been authenticated and is set to 100; Tdtls取决于DTLS隧道的加密方式,不同的加密方式对应不同的安全级别sl,sl取[0,3]之间的正整数,如果DTLS是NoSec模式,sl取值为0;如果DTLS是PresharedKey模式,sl取值为1;如果DTLS是RawPublicKey模式,sl取值为2;如果DTLS是Certificates模式,sl取值为3;T dtls depends on the encryption method of the DTLS tunnel. Different encryption methods correspond to different security levels sl. sl is a positive integer between [0, 3]. If DTLS is in NoSec mode, sl is 0; if DTLS is in PresharedKey mode, sl is 1; if DTLS is in RawPublicKey mode, sl is 2; if DTLS is in Certificates mode, sl is 3. Tdtls的计算公式如下:The calculation formula for T dtls is as follows: Te是SDP控制器接收到的受信任的请求的数量占比,假设最近1分钟内收到的所有请求中,受信任请求数量为Nt,不可信请求的数量为Nut,Te的计算公式如下: Te is the ratio of trusted requests received by the SDP controller. Assuming that among all requests received in the last minute, the number of trusted requests is Nt and the number of untrusted requests is Nut , Te is calculated as follows: Tb是该客户端的异常行为占比,假设系统评估的该客户端正常请求行为次数为Nn次,异常请求行为次数为Nan,Tb的计算公式如下: Tb is the proportion of abnormal behaviors of the client. 
Assuming that the number of normal request behaviors of the client evaluated by the system is Nn and the number of abnormal request behaviors is Nan , the calculation formula of Tb is as follows: 直接信任值DT的计算公式如下,w是各信任来源的加权系数:The calculation formula of direct trust value DT is as follows, where w is the weighted coefficient of each trust source: DT=Ti+w1*Tdtls+w2*Te+w3*Tb DT=T i +w 1 *T dtls +w 2 *T e +w 3 *T b 综合信任值由直接信任值和上一次访问时的综合信任值加权得到,SDP控制器记录客户端的综合信任值及其生成时间,假设ti为本次请求的时间,tj为上一次请求的时间,DTi为SDP控制器对本次请求评估的直接信任值,CTj为上一次请求tj时计算的综合信任值,本次请求的综合信任值计算公式CTi如下:The comprehensive trust value is obtained by weighting the direct trust value and the comprehensive trust value of the last access. The SDP controller records the client's comprehensive trust value and its generation time. Assume that ti is the time of this request, tj is the time of the last request, DTi is the direct trust value evaluated by the SDP controller for this request, and CTj is the comprehensive trust value calculated at the last request tj. The formula for calculating the comprehensive trust value of this request CTi is as follows: 信任阈值Tth的计算公式如下所示:The calculation formula of the trust threshold Tth is as follows: Tth=MAX(Opcon*Obcon,Opint*Obint)T th =MAX(Op con *Ob con ,Op int *Ob int ) Obcon指客户访问目标的机密程度,Obint指客户访问目标的完整程度;Ob con refers to the confidentiality of the client's access to the target, and Ob int refers to the completeness of the client's access to the target; 如果客户请求方式是GET,那么机密度影响因子Opcon为1,完整度影响因子Opint为0;如果客户请求方式是POST和PUT,那么机密度影响因子Opcon为0.5,完整度影响因子Opint为0.5;如果客户请求方式是DELETE,那么机密度影响因子Opcon为0,完整度影响因子Opint为1。If the client request method is GET, the confidentiality impact factor Op con is 1 and the integrity impact factor Op int is 0; if the client request method is POST or PUT, the confidentiality impact factor Op con is 0.5 and the integrity impact factor Op int is 0.5; if the client request method is DELETE, the confidentiality impact factor Op con is 0 and the integrity impact factor Op int is 1. 
2. The CoAP network security access method based on software-defined boundaries according to claim 1, characterized in that S1 includes: the server numbers each service or resource (the number is called the sdpid) and provides the resource information to the SDP controller and the SDP gateway; the SDP controller and the SDP gateway store the mapping between each sdpid and the server.

3. The CoAP network security access method based on software-defined boundaries according to claim 1, characterized in that S2 includes: the client registers its username and password with the SDP controller; the SDP controller generates for the client a symmetric encryption key for encrypting SPA data packets and an HMAC key for generating digests, and provides the client with the address of the SDP gateway, the sdpids of all services and the port numbers they are mapped to on the SDP gateway.

4. The CoAP network security access method based on software-defined boundaries according to claim 1, characterized in that S3 includes: the SPA data packet sent by the client contains the client's own IP, username and password, the context of the CoAP request and an HMAC digest, and the SPA data packet is encrypted.

5. The CoAP network security access method based on software-defined boundaries according to claim 1, characterized in that S4 includes: the SDP controller decrypts the SPA data packet with the symmetric key and verifies whether the IP, username, password hash and HMAC contained in the SPA data packet are correct.

6. The CoAP network security access method based on software-defined boundaries according to claim 1, characterized in that S5 includes: the SDP controller computes a comprehensive trust value and a trust threshold based on multi-dimensional attributes; if the comprehensive trust value is greater than the trust threshold required by the resource, the client is trusted, otherwise it is untrusted.

7. The CoAP network security access method based on software-defined boundaries according to claim 1, characterized in that S7 includes: the SDP controller sends the HMAC key and the symmetric encryption key for the SPA data packet to the SDP gateway; the gateway decrypts the SPA data packet with the symmetric encryption key, verifies the HMAC digest and compares whether the information in the two SPA data packets is identical; if the information is identical, this proves that they come from the same client.

8. The CoAP network security access method based on software-defined boundaries according to claim 1, characterized in that S7 includes: by default the SDP gateway discards all non-SPA data packets it receives; once the SDP gateway has verified the client, the gateway adds a firewall rule that forwards that client's non-SPA data packets to the corresponding server, and the rule remains valid for a preset time.
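As an added illustration (not the patent's own code), the following Python models two parts of the claims together: the controller-side trust decision of claims 1 and 6 (the method-dependent trust threshold, the direct-trust weighting and the CT > Tth comparison) and the gateway-side behaviour of claims 7 and 8 (HMAC check of the SPA packet against the controller's copy, then a default-deny forwarding rule that expires after a preset time). Everything concrete is constructed for the example: the SPA field names, the HMAC key, the trust-source values and weights, the Ob levels and the rule TTL. The symmetric encryption of the SPA packet is not shown, so the gateway is assumed to have already decrypted it, and because the page does not reproduce the T_b and CTi formulas, the comprehensive trust value is passed in as a given number rather than derived.

```python
"""Added example, not the patent's code: controller trust decision
(claims 1, 6) and gateway SPA check + expiring rule (claims 7, 8)."""
import hashlib
import hmac
import json
import time

# Confidentiality / integrity impact factors per CoAP method (claim 1).
OP_FACTORS = {"GET": (1.0, 0.0), "POST": (0.5, 0.5),
              "PUT": (0.5, 0.5), "DELETE": (0.0, 1.0)}


def trust_threshold(method, ob_con, ob_int):
    """Tth = MAX(Op_con*Ob_con, Op_int*Ob_int) for the requested method."""
    if method.upper() not in OP_FACTORS:
        raise ValueError(f"unsupported CoAP method: {method!r}")
    op_con, op_int = OP_FACTORS[method.upper()]
    return max(op_con * ob_con, op_int * ob_int)


def direct_trust(t_i, t_dtls, t_e, t_b, w):
    """DT = T_i + w1*T_dtls + w2*T_e + w3*T_b with w = (w1, w2, w3)."""
    w1, w2, w3 = w
    return t_i + w1 * t_dtls + w2 * t_e + w3 * t_b


def is_trusted(ct, method, ob_con, ob_int):
    """Claim 6: trusted only if the comprehensive trust value exceeds Tth."""
    return ct > trust_threshold(method, ob_con, ob_int)


def spa_digest(fields, hmac_key):
    """HMAC-SHA256 over the canonical JSON of all SPA fields except the digest."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(hmac_key, body, hashlib.sha256).hexdigest()


def verify_spa(packet, hmac_key, controller_copy):
    """Gateway check of claim 7: digest valid and fields equal to the copy
    the controller forwarded.  Assumes the packet is already decrypted."""
    fields = {k: v for k, v in packet.items() if k != "hmac"}
    if not hmac.compare_digest(spa_digest(fields, hmac_key), packet.get("hmac", "")):
        return False
    return fields == controller_copy


class SdpGateway:
    """Default-deny gateway of claim 8: non-SPA traffic is dropped unless a
    live rule for (client_ip, sdpid) exists; rules expire after rule_ttl."""

    def __init__(self, sdpid_to_server, rule_ttl=60.0):
        self.sdpid_to_server = sdpid_to_server   # sdpid -> (host, port)
        self.rule_ttl = rule_ttl
        self.rules = {}                          # (client_ip, sdpid) -> expiry

    def admit(self, packet, hmac_key, controller_copy, now=None):
        """Install a forwarding rule if the SPA packet checks out."""
        now = time.time() if now is None else now
        if not verify_spa(packet, hmac_key, controller_copy):
            return False
        self.rules[(packet["ip"], packet["sdpid"])] = now + self.rule_ttl
        return True

    def forward_target(self, client_ip, sdpid, now=None):
        """Server to forward a non-SPA packet to, or None to drop it."""
        now = time.time() if now is None else now
        expiry = self.rules.get((client_ip, sdpid))
        if expiry is None or now >= expiry:
            self.rules.pop((client_ip, sdpid), None)   # purge stale rule
            return None
        return self.sdpid_to_server.get(sdpid)


def run_scenario():
    """Constructed end-to-end walk-through; returns the intermediate results."""
    hmac_key = b"constructed-hmac-key"               # constructed sample key
    fields = {"ip": "10.0.0.5", "username": "alice",
              "password_hash": "PLACEHOLDER_HASH", "sdpid": 7,
              "method": "GET", "uri": "/sensors/temp"}
    packet = dict(fields, hmac=spa_digest(fields, hmac_key))
    # Controller side: sample trust-source values and weights (constructed);
    # the page does not reproduce the CT formula, so CT is taken as given.
    dt = direct_trust(0.2, 0.5, 0.6, 0.9, (0.3, 0.2, 0.4))
    ct = 0.83
    trusted = is_trusted(ct, fields["method"], ob_con=0.8, ob_int=0.3)
    # Gateway side: controller forwards hmac_key and its copy of the fields.
    gw = SdpGateway({7: ("192.0.2.10", 5683)}, rule_ttl=30)
    admitted = trusted and gw.admit(packet, hmac_key, fields, now=1000)
    return {
        "dt": dt, "trusted": trusted, "admitted": admitted,
        "live": gw.forward_target("10.0.0.5", 7, now=1010),
        "expired": gw.forward_target("10.0.0.5", 7, now=1031),
        "unknown_client": gw.forward_target("10.0.0.6", 7, now=1010),
        "tampered": verify_spa(dict(packet, uri="/admin"), hmac_key, fields),
    }
```

In the walk-through the GET against a resource with Ob_con = 0.8 yields Tth = 0.8, so a comprehensive trust value of 0.83 passes; the gateway then forwards the client's traffic for 30 seconds, drops it once the rule has expired, drops traffic from an address without a rule, and rejects an SPA packet whose request context was altered after the digest was computed.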
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211484839.8A CN115834211B (en) 2022-11-24 CoAP network security access method based on software defined boundary

Publications (2)

Publication Number Publication Date
CN115834211A CN115834211A (en) 2023-03-21
CN115834211B true CN115834211B (en) 2025-09-16

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SDP-CoAP: Design of a security-enhanced CoAP communication framework based on software-defined perimeter; Zhang Wei et al.; 信息网络安全 (Netinfo Security); 2023-08-10 (No. 8); pp. 17-31 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant