
CN119249401A - Internet of Things data processing method and system based on blockchain - Google Patents


Publication number
CN119249401A
Authority
CN
China
Prior art keywords
authentication
iot device
smart contract
internet
request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202411446757.3A
Other languages
Chinese (zh)
Other versions
CN119249401B (en)
Inventor
张利国
苏意刚
张岭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Gelingwei Network Technology Co ltd
Original Assignee
Jiangsu Gelingwei Network Technology Co ltd
Application filed by Jiangsu Gelingwei Network Technology Co ltd
Priority to CN202411446757.3A
Publication of CN119249401A
Application granted
Publication of CN119249401B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00 IoT infrastructure
    • G16Y30/10 Security thereof
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00 IoT characterised by the purpose of the information processing
    • G16Y40/10 Detection; Monitoring
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The present invention provides a blockchain-based Internet of Things data processing method and system, relating to the field of blockchain technology. The method includes: an Internet of Things device digitally signs the authentication request using a pre-stored private key to generate a signed authentication request; a smart contract in a blockchain network receives the signed authentication request and, based on the historical authentication record, reputation score, current timestamp and challenge value, generates an authentication token containing an authentication result, a validity period and an authorization level; the Internet of Things device receives the encrypted authentication token and the smart contract address; the Internet of Things device configures its own access rights and function restrictions according to the authentication result, validity period and authorization level; and, during the validity period, the Internet of Things device uses the smart contract address as an identity credential for subsequent secure communication and data exchange with other Internet of Things devices or applications.

Description

Blockchain-based Internet of Things data processing method and system
Technical Field
The invention relates to blockchain technology, and in particular to a blockchain-based Internet of Things data processing method and system.
Background
With the rapid development of the Internet of Things (IoT), the number of smart devices connected to networks is growing exponentially. These devices are widely used in smart homes, industrial control, healthcare, smart cities and other fields, and bring great convenience to people's life and work. However, the security problems of IoT devices are increasingly prominent and have become an important factor restricting the further development of the IoT.
Traditional IoT device security authentication relies mainly on a centralized authentication server. This approach has the following problems:
Single point of failure: once the centralized authentication server is attacked or fails, the security of the whole IoT system is seriously threatened.
Poor scalability: as the number of IoT devices surges, the processing capacity of the centralized authentication server may not meet large-scale authentication demand.
Insufficient privacy protection: the centralized authentication server stores a large amount of sensitive information in one place, which makes it an easy target for attackers; once that information leaks, a serious privacy breach results.
Device identity is hard to confirm: in a complex IoT environment it is difficult to guarantee the true identity of each device, so there is a risk of device counterfeiting and identity theft.
The authentication process lacks transparency: the traditional authentication process is opaque to users and difficult to trace and audit, which hinders the establishment of a trust mechanism.
To solve these problems, researchers have begun to explore applying blockchain technology to IoT device security authentication. Blockchain technology is decentralized, tamper-resistant and traceable, and offers a new approach to the security authentication of IoT devices. However, applying blockchain technology to IoT device security authentication still faces the following challenges:
Performance bottleneck: the transaction processing capacity of a blockchain system is limited, which makes it difficult to meet the real-time authentication needs of large numbers of IoT devices.
Limited resources: most IoT devices have limited computing power and storage space, so it is difficult for them to take part directly in complex blockchain operations.
Privacy protection: although blockchains offer anonymity, the public nature of transaction information may allow device usage patterns to be analyzed, revealing user privacy.
Key management: key management for IoT devices is complex, and how to store and update keys securely is a challenge.
Therefore, a new blockchain-based method for securely authenticating IoT devices is needed, one that makes full use of the advantages of blockchain technology while addressing the challenges above, and that provides an efficient, secure and scalable authentication mechanism for IoT devices.
Disclosure of Invention
Embodiments of the invention provide a blockchain-based Internet of Things data processing method and system that can solve the problems in the prior art.
In a first aspect of an embodiment of the present invention,
there is provided a blockchain-based Internet of Things data processing method, comprising:
The IoT device generates an authentication request that includes the unique identifier of the IoT device, a current timestamp and a randomly generated challenge value; the IoT device digitally signs the authentication request using a pre-stored private key to generate a signed authentication request; and the IoT device sends the signed authentication request to a smart contract in a blockchain network;
The smart contract in the blockchain network receives the signed authentication request and verifies its validity using a pre-stored public key of the IoT device; according to the unique identifier of the IoT device, the smart contract queries the historical authentication record and reputation score of the IoT device in the blockchain; based on the historical authentication record, the reputation score, the current timestamp and the challenge value, the smart contract generates an authentication token containing an authentication result, a validity period and an authorization level; the smart contract encrypts the authentication token using a predefined encryption algorithm to generate an encrypted authentication token; and the smart contract packages the encrypted authentication token, together with a smart contract address dynamically generated based on the authentication result, into an encrypted data packet and returns it to the IoT device;
The IoT device receives the encrypted authentication token and the smart contract address; the IoT device decrypts the encrypted authentication token using a pre-agreed decryption algorithm to obtain the authentication result, the validity period and the authorization level; the IoT device configures its own access rights and function restrictions according to the authentication result, the validity period and the authorization level; during the validity period, the IoT device uses the smart contract address as an identity credential for subsequent secure communication and data exchange with other IoT devices or applications; before each data exchange, the IoT device sends a verification request to the smart contract address, the smart contract verifies the current state and permissions of the IoT device and returns a verification result, and the IoT device decides whether to continue the data exchange according to the verification result.
In an alternative embodiment of the present invention,
the IoT device digitally signing the authentication request using the pre-stored private key to generate the signed authentication request includes:
the IoT device generates an authentication request comprising the device unique identifier, the current timestamp and a randomly generated challenge value, and hashes the authentication request with a cryptographic hash function to generate a fixed-length hash value;
the IoT device encrypts the hash value using an asymmetric encryption algorithm to generate a digital signature;
the IoT device combines the authentication request and the digital signature to form the signed authentication request, wherein the signed authentication request comprises an authentication request field and a signature field, the authentication request field contains the device unique identifier, the current timestamp and the randomly generated challenge value, and the signature field contains the digital signature generated with the private key.
In an alternative embodiment of the present invention,
the smart contract generating an authentication token containing an authentication result, a validity period and an authorization level based on the historical authentication record, the reputation score, the current timestamp and the challenge value includes:
The smart contract receives and verifies the signed authentication request sent by the IoT device, retrieves the historical authentication record of the IoT device from the blockchain according to the device unique identifier in the signed authentication request, analyzes the historical authentication record with a time-series analysis algorithm, and evaluates the authentication pattern of the IoT device;
The smart contract calculates the reputation score of the IoT device based on the historical authentication record, wherein the calculation takes into account the ratio of successful authentications to total authentications, the time weight of the most recent authentication behavior, and the activity level and contribution of the IoT device in the network;
The smart contract verifies whether the timestamp in the signed authentication request falls within a preset time window and checks the uniqueness of the challenge value in the authentication request; it then generates an authentication token based on the authentication pattern, the reputation score, the timestamp and the challenge value, wherein the authentication token contains the authentication result, the validity period, the authorization level, the device unique identifier, the token generation time and a randomly generated token ID; the validity period is set dynamically according to the reputation score, and the authorization level is determined according to the reputation score and the authentication pattern; the authentication token is constructed in JSON Web Token format.
In an alternative embodiment of the present invention,
the smart contract encrypting the authentication token using a predefined encryption algorithm to generate the encrypted authentication token includes:
The smart contract generates a 256-bit Advanced Encryption Standard (AES) key using a cryptographically secure random number generator and generates a 96-bit random initialization vector; it encrypts the authentication token with the AES key and the random initialization vector in AES Galois/Counter Mode (GCM), producing a ciphertext and an authentication tag;
The smart contract combines the ciphertext, the random initialization vector and the authentication tag into an encrypted token structure, and asymmetrically encrypts the AES key using the pre-stored public key of the IoT device to generate an encrypted AES key;
The encrypted token structure and the encrypted AES key are combined into the final encrypted data packet, which serves as the encrypted authentication token.
In an alternative embodiment of the present invention,
the IoT device decrypting the encrypted authentication token using a pre-agreed decryption algorithm to obtain the authentication result, the expiration time and the authorization level, and configuring its own access rights and function restrictions according to the authentication result, the expiration time and the authorization level, includes:
The IoT device receives the encrypted data packet, wherein the encrypted data packet comprises an encrypted authentication token structure and an encrypted AES key; the IoT device extracts the encrypted AES key from the encrypted data packet and decrypts it using a pre-stored asymmetric-encryption private key to obtain the decrypted AES key;
The IoT device extracts the initialization vector, the ciphertext and the authentication tag from the encrypted authentication token structure, creates an AES Galois/Counter Mode decryptor, decrypts the ciphertext using the decrypted AES key and the initialization vector, and verifies the integrity of the decryption result using the authentication tag to obtain the decrypted authentication token;
The IoT device verifies the digital signature of the decrypted authentication token to ensure its authenticity, parses the decrypted authentication token, and extracts the authentication result, the expiration time and the authorization level; it compares the current time with the expiration time to determine whether the decrypted authentication token is valid and, when it is valid, configures its own access rights and function restrictions according to the authentication result and the authorization level;
The IoT device starts a periodic checking thread that compares the current time with the expiration time at a preset interval; when the current time approaches the expiration time, the thread triggers the IoT device to request a new authentication token; the IoT device receives the new encrypted data packet returned in response to that request and updates its access rights and function restrictions using the information in the new encrypted data packet.
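The encrypt-and-unwrap procedure of the two embodiments above, as an added Go example that is not code from the patent or its applicant: a fresh AES-256 key and 96-bit IV seal the token with GCM, the key is wrapped to the device's public key, and the device-side `Open` rejects altered or malformed packets. RSA-OAEP for the key wrap (the patent says only "asymmetric encryption"), the `Envelope` field names and the sample token are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SampleToken is a constructed stand-in for the token claims, not a real token.
const SampleToken = `{"sub":"IoT-Device-001","result":"pass","level":2,"exp":1623457389}`

// Envelope mirrors the encrypted data packet: token structure plus wrapped key.
type Envelope struct {
	IV, Ciphertext, Tag, WrappedKey []byte
}

var ErrMalformed = errors.New("malformed envelope")

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the token under a fresh AES-256 key and 96-bit IV, then wraps
// the AES key to the device public key (RSA-OAEP is an assumption).
func Seal(devicePub *rsa.PublicKey, token []byte) (*Envelope, error) {
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, iv, token, nil) // ciphertext followed by 16-byte tag
	n := len(sealed) - gcm.Overhead()
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{IV: iv, Ciphertext: sealed[:n], Tag: sealed[n:], WrappedKey: wrapped}, nil
}

// Open is the device side: unwrap the AES key, check field lengths (GCM panics
// on a wrong-size IV), then decrypt; GCM fails if any byte was altered.
func Open(devicePriv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(e.IV) != gcm.NonceSize() || len(e.Tag) != gcm.Overhead() {
		return nil, ErrMalformed
	}
	sealed := append(append([]byte{}, e.Ciphertext...), e.Tag...)
	return gcm.Open(nil, e.IV, sealed, nil)
}

// DemoEnvelope round-trips the sample token, then flips one ciphertext bit,
// then truncates the IV, returning the result of each attempt.
func DemoEnvelope() (plain string, tamperErr, shortIVErr error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := Seal(&priv.PublicKey, []byte(SampleToken))
	if err != nil {
		panic(err)
	}
	out, err := Open(priv, env)
	if err != nil {
		panic(err)
	}
	env.Ciphertext[0] ^= 0x01 // single-bit change in transit
	_, tamperErr = Open(priv, env)
	env.IV = env.IV[:8] // rejected by the length check before decryption
	_, shortIVErr = Open(priv, env)
	return string(out), tamperErr, shortIVErr
}

func main() { fmt.Println(DemoEnvelope()) }
```

Generating the key and IV per token, as the description specifies, is what keeps GCM safe here: an IV must never repeat under the same key.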
In an alternative embodiment of the present invention,
the IoT device sending a verification request to the smart contract address before each data exchange, the smart contract verifying the current state and permissions of the IoT device and returning a verification result, and the IoT device deciding whether to continue the data exchange according to the verification result, includes:
The IoT device generates a verification request comprising a device identifier, a current timestamp, the requested operation type, a random number and a device signature, wherein the device signature is produced by hashing the combination of the device identifier, the current timestamp, the requested operation type and the random number and signing the resulting hash value with the private key of the IoT device;
the IoT device sends the verification request to the smart contract address;
the smart contract receives the verification request, verifies the validity of the device signature using the public key of the IoT device, checks whether the current timestamp is within the valid time range, verifies that the random number has not been used before, obtains the current state information of the IoT device from the blockchain, and judges from the current state information and the requested operation type whether the IoT device is permitted to perform the requested operation type;
the smart contract generates a verification response comprising a verification result, a smart contract processing timestamp, an operation permission and a smart contract signature, wherein the smart contract signature is obtained by the smart contract signing the combination of the verification result, the smart contract processing timestamp and the operation permission;
The IoT device receives the verification response, verifies the validity of the smart contract signature, checks whether the smart contract processing timestamp is within the valid time range, and parses the verification result and the operation permission;
The IoT device decides whether to continue the data exchange according to the verification result: when the verification result is a pass and the operation permission includes the required permission, the IoT device performs the data exchange operation; when the verification result is a fail or the operation permission does not include the required permission, the IoT device terminates the data exchange operation and writes a log entry;
The IoT device starts a continuous monitoring thread that repeats the monitoring at a preset interval; when the number of consecutive verification failures reaches a preset threshold, the IoT device enters a restricted mode and triggers a re-authentication flow.
In a second aspect of an embodiment of the present invention,
there is provided a blockchain-based Internet of Things data processing system, comprising:
A first unit, configured for the IoT device to generate an authentication request, wherein the authentication request includes the unique identifier of the IoT device, a current timestamp and a randomly generated challenge value; the IoT device digitally signs the authentication request using a pre-stored private key to generate a signed authentication request, and the IoT device sends the signed authentication request to the smart contract in a blockchain network;
A second unit, configured for the smart contract in the blockchain network to receive the signed authentication request, wherein the smart contract verifies the validity of the signed authentication request using a pre-stored public key of the IoT device; the smart contract queries the historical authentication record and reputation score of the IoT device in the blockchain according to the unique identifier of the IoT device, generates an authentication token containing an authentication result, a validity period and an authorization level based on the historical authentication record, the reputation score, the current timestamp and the challenge value, encrypts the authentication token using a predefined encryption algorithm to generate an encrypted authentication token, and packages the encrypted authentication token, together with a smart contract address dynamically generated based on the authentication result, into an encrypted data packet that is returned to the IoT device;
The IoT device receives the encrypted authentication token and the smart contract address, decrypts the encrypted authentication token using a pre-agreed decryption algorithm to obtain the authentication result, the validity period and the authorization level, and configures its own access rights and function restrictions according to the authentication result, the validity period and the authorization level; during the validity period it uses the smart contract address as an identity credential for subsequent secure communication and data exchange with other IoT devices or applications; before each data exchange it sends a verification request to the smart contract address, the smart contract verifies the current state and permissions of the IoT device and returns a verification result, and the IoT device decides whether to continue the data exchange according to the verification result.
In a third aspect of an embodiment of the present invention,
There is provided an electronic device including:
A processor;
A memory for storing processor-executable instructions;
wherein the processor is configured to invoke the instructions stored in the memory to perform the method described previously.
In a fourth aspect of an embodiment of the present invention,
There is provided a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method as described above.
The invention builds a multi-level security authentication mechanism by combining the unique identifier of the IoT device, private-key signatures, smart contract verification and dynamically generated authentication tokens. The tamper-resistant nature of the blockchain ensures the reliability of authentication records, and the dynamic authorization mechanism based on the historical authentication record and reputation score can effectively prevent device identity forgery and unauthorized access. In addition, the real-time verification performed before each data exchange further strengthens the security of the system and reduces potential security risks.
The invention uses smart contracts for authentication management and achieves flexible permission control and identity management through dynamically generated authentication tokens and smart contract addresses. The validity period and authorization level carried in the authentication token allow the system to adjust a device's permissions dynamically according to its real-time state and reputation, which improves the adaptability of the system. Furthermore, the blockchain-based distributed architecture and the programmability of smart contracts give the authentication method good scalability, so it adapts easily to the ever-growing number of IoT devices.
By using a pre-stored key, a lightweight encryption algorithm and the smart contract address as the identity credential, the invention reduces the computational burden of the authentication process and suits resource-constrained IoT devices. The use of authentication tokens reduces the need for frequent authentication, while the real-time verification mechanism preserves security, striking a good balance between security and efficiency. The whole authentication process is transparent to the user and requires no manual intervention, which greatly improves the user experience. Finally, the distributed nature of the blockchain improves the availability and reliability of the system and reduces the single-point-of-failure risk of a centralized authentication system.
Drawings
FIG. 1 is a flow chart of a blockchain-based Internet of Things data processing method according to an embodiment of the invention;
FIG. 2 shows a blockchain-based Internet of Things data processing system according to an embodiment of the invention.
Detailed Description
The technical scheme of the invention is described in detail below by specific examples. The following embodiments may be combined with each other, and some embodiments may not be repeated for the same or similar concepts or processes.
Fig. 1 is a flow chart of a blockchain-based Internet of Things data processing method according to an embodiment of the invention. As shown in Fig. 1, the method includes:
S101, the IoT device generates an authentication request that includes the unique identifier of the IoT device, a current timestamp and a randomly generated challenge value; the IoT device digitally signs the authentication request using a pre-stored private key to generate a signed authentication request; and the IoT device sends the signed authentication request to a smart contract in a blockchain network;
S102, the smart contract in the blockchain network receives the signed authentication request and verifies its validity using a pre-stored public key of the IoT device; the smart contract queries the historical authentication record and reputation score of the IoT device in the blockchain according to the unique identifier of the IoT device, generates an authentication token containing an authentication result, a validity period and an authorization level based on the historical authentication record, the reputation score, the current timestamp and the challenge value, encrypts the authentication token using a predefined encryption algorithm to generate an encrypted authentication token, and packages the encrypted authentication token, together with a smart contract address dynamically generated based on the authentication result, into an encrypted data packet that is returned to the IoT device;
S103, the IoT device receives the encrypted authentication token and the smart contract address, decrypts the encrypted authentication token using a pre-agreed decryption algorithm to obtain the authentication result, the validity period and the authorization level, and configures its own access rights and function restrictions according to the authentication result, the validity period and the authorization level; during the validity period it uses the smart contract address as an identity credential for subsequent secure communication and data exchange with other IoT devices or applications; before each data exchange it sends a verification request to the smart contract address, the smart contract verifies the current state and permissions of the IoT device and returns a verification result, and the IoT device decides whether to continue the data exchange according to the verification result.
By way of example only, and in an illustrative,
The internet of things device first generates an authentication request. The authentication request includes three key pieces of information: a unique identifier of the internet of things device, a current timestamp, and a randomly generated challenge value. The unique identifier may be a string that uniquely identifies the device, such as a MAC address or serial number, for example "IoT-Device-001". The current timestamp is in Unix timestamp format, accurate to milliseconds, such as "1623456789000". The randomly generated challenge value is a 32-byte random string used to prevent replay attacks, e.g. "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6".
Next, the internet of things device digitally signs the authentication request using a private key pre-stored in its secure storage area. The digital signature uses the ECDSA algorithm with a 256-bit private key. The signing process generates a 64-byte signature value, which is appended to the original authentication request to form the signed authentication request.
The internet of things device then sends the signed authentication request over HTTPS to a predefined smart contract address in the blockchain network. The smart contract address is a contract address on the Ethereum network, such as "0x1234567890123456789012345678901234567890".
After receiving the signed authentication request, the smart contract in the blockchain network first verifies the digital signature using the pre-stored public key of the internet of things device. After verification passes, the smart contract parses the unique identifier in the authentication request and queries the historical authentication record and reputation score of the internet of things device in the blockchain. The historical authentication record contains the time, result and other information of the device's past authentications; the reputation score is an integer from 0 to 100 that reflects the credibility of the device.
The smart contract then generates an authentication token based on the queried historical authentication record and reputation score, combined with the current timestamp and challenge value. The token contains the authentication result (success/failure), the validity period (e.g. 24 hours) and the authorization level (e.g. an integer from 1 to 5, with 5 representing the highest authority). The authentication token is in JSON format, e.g., {"result": "success", "expiry": 1623543189000, "level": 3}.
The smart contract then encrypts the authentication token using a predefined AES-256 encryption algorithm, generating an encrypted authentication token. The encryption key is agreed in advance between the smart contract and the internet of things device. Meanwhile, the smart contract dynamically generates a new smart contract address for subsequent interaction according to the authentication result.
The smart contract packages the encrypted authentication token and the newly generated smart contract address into an encrypted data packet and returns it through the blockchain network to the internet of things device that initiated the authentication request. The data packet is Base64-encoded to ensure integrity during transmission.
After receiving the encrypted data packet, the internet of things device Base64-decodes it to restore the original data. It then decrypts the authentication token using the pre-agreed AES-256 decryption algorithm and key to obtain the authentication result, validity period and authorization level.
The internet of things device configures its own access rights and function limits according to the decrypted authentication result, validity period and authorization level. For example, authorization level 3 may allow a device to access certain sensitive data, but not modify the system configuration.
Within the validity period of the authentication token, the internet of things device uses the new contract address returned by the smart contract as an identity credential for subsequent secure communication and data exchange with other internet of things devices or application programs. Before each data exchange, the internet of things device sends a verification request, containing its unique identifier and the current timestamp, to the smart contract address.
After receiving the verification request, the smart contract checks whether the requesting device is within the validity period and verifies whether its current state and authority meet the requirements of the data exchange. After the verification passes, the smart contract returns a Boolean value representing the verification result.
The internet of things device decides whether to continue the data exchange according to the verification result returned by the smart contract. If the verification result is true, the subsequent data exchange proceeds; if it is false, the operation is terminated and the re-authentication flow may be triggered.
Through the above steps, the blockchain-based internet of things data processing method achieves security authentication, dynamic authorization and continuous verification of internet of things devices, effectively improving the security and credibility of the internet of things system.
In an alternative embodiment, the internet of things device digitally signing the authentication request using a pre-stored private key to generate the signed authentication request includes:
The internet of things device generates an authentication request comprising a device unique identifier, a current timestamp and a randomly generated challenge value, and hashes the authentication request using a cryptographic hash function to generate a fixed-length hash value;
The internet of things device encrypts the hash value using an asymmetric encryption algorithm to generate a digital signature;
The internet of things device combines the authentication request and the digital signature to form a signed authentication request, wherein the signed authentication request comprises an authentication request field and a signature field, the authentication request field comprises a device unique identifier, a current timestamp and a randomly generated challenge value, and the signature field comprises a digital signature generated by using a private key.
When the internet of things device performs security authentication, it first needs to generate a signed authentication request. The specific implementation process is as follows:
The internet of things device first generates an authentication request comprising a device unique identifier, a current timestamp, and a randomly generated challenge value. The device unique identifier may be a MAC address or serial number of the device, or another value that uniquely identifies the device. The current timestamp is the exact time at which the device generates the authentication request, which may be accurate to the millisecond. The randomly generated challenge value is a random number used to prevent replay attacks.
For example, the device may generate the following authentication request:
Device unique identifier: 00:11:22:33:44:55; current timestamp: 1621234567890; random challenge value: 9876543210.
Next, the internet of things device hashes the authentication request using a cryptographic hash function, generating a hash value of a fixed length. Common hash algorithms include SHA-256, SHA-3, and the like.
Then, the internet of things device securely invokes the pre-stored private key from the hardware security module. The hardware security module may be a dedicated security chip or a trusted execution environment that securely stores private keys and performs cryptographic operations.
The internet of things device encrypts the previously generated hash value using an asymmetric encryption algorithm (such as RSA or ECDSA) to generate a digital signature. Taking the RSA algorithm as an example, the hash value is encrypted using the private key.
Finally, the internet of things device combines the authentication request and the digital signature to form the signed authentication request. The signed authentication request includes two parts, an authentication request field and a signature field. The authentication request field contains the device unique identifier, the current timestamp and the randomly generated challenge value, and the signature field contains the digital signature generated using the private key.
The combined signed authentication request is as follows:
{
  "authRequest": {
    "deviceId": "00:11:22:33:44:55",
    "timestamp": 1621234567890,
    "challenge": 9876543210
  },
  "signature": "a1b2c3d4e5f6g7h8i9j0..."
}
Through the above steps, the internet of things device completes the generation of the signed authentication request. This process ensures the authenticity and integrity of the authentication request while preventing replay attacks. After receiving the request, the authentication server may verify the signature using the public key of the device, thereby confirming that the request is indeed from a legitimate internet of things device.
In an alternative embodiment, the smart contract generating an authentication token including an authentication result, a validity period and an authorization level based on the historical authentication record, the reputation score, the current timestamp and the challenge value includes:
The smart contract receives and verifies the signed authentication request sent by the internet of things device, retrieves the historical authentication record of the internet of things device in the blockchain according to the device unique identifier in the signed authentication request, analyzes the historical authentication record using a time series analysis algorithm, and evaluates the authentication pattern of the internet of things device;
The smart contract calculates the reputation score of the internet of things device based on the historical authentication record, wherein the calculation takes into account the ratio of successful authentications to total authentications, the time weight of recent authentication activity, and the activity level and contribution of the internet of things device in the network;
The smart contract verifies whether the timestamp in the signed authentication request is within a preset time window, checks the uniqueness of the challenge value in the authentication request, and generates an authentication token based on the authentication pattern, the reputation score, the timestamp and the challenge value, wherein the authentication token comprises an authentication result, a validity period, an authorization level, a device unique identifier, a token generation time and a randomly generated token ID; the validity period is set dynamically according to the reputation score, the authorization level is determined according to the reputation score and the authentication pattern, and the authentication token is constructed in JSON Web Token format.
First, the smart contract receives a signed authentication request sent by the internet of things device. The request contains information such as a device unique identifier, a time stamp, and a challenge value. The smart contract verifies the validity of the signature using the public key of the device, ensuring that the request has not been tampered with and is from a legitimate device.
After the verification passes, the smart contract retrieves the historical authentication record of the internet of things device in the blockchain according to the device unique identifier. These records contain information such as the time, outcome and authorization level of each past authentication. The smart contract uses a time series analysis algorithm, such as the autoregressive integrated moving average (ARIMA) model, to analyze the historical authentication data and identify the authentication patterns and trends of the device. For example, the analysis may find that the device typically authenticates between 9 am and 5 pm on weekdays, with little authentication activity on weekends.
Next, the smart contract calculates a reputation score for the device based on the historical authentication record. The calculation takes into account (1) the ratio of successful authentications to total authentications, e.g., 90 successes in the past 100 authentications gives a ratio of 0.9; (2) the time weight of recent authentication activity, giving higher weight to authentications in the last 30 days; (3) the activity level of the device in the network, e.g., the number of times per day the device interacted with other devices over the past 7 days; and (4) the contribution of the device to the network, e.g., participating in consensus or providing data. The smart contract considers these factors together, calculates a raw score between 0 and 100, and then maps it into the standard range of 0 to 100 using min-max normalization.
The smart contract then verifies whether the timestamp in the authentication request is within a preset time window, e.g., within 5 minutes before or after the current time. It also checks whether the challenge value is unique, to prevent replay attacks. After verification passes, the smart contract generates an authentication token based on the analysis results.
The token contains the following fields: authentication result (success/failure), validity period, authorization level, device unique identifier, token generation time and a randomly generated token ID. The validity period is set dynamically according to the reputation score, e.g., reputation scores of 90-100 correspond to a 24-hour validity period, 80-89 to 12 hours, and so on. The authorization level is likewise determined by the reputation score and the authentication pattern, e.g., a device with a reputation score above 95 that conforms to the normal authentication pattern can obtain the highest authorization level.
Finally, the smart contract constructs the authentication token in JSON Web Token (JWT) format. A JWT consists of three parts: header, payload and signature. The header states the token type and the encryption algorithm used, the payload contains the authentication information described above, and the signature encrypts the header and the payload using the private key of the smart contract. The generated JWT can be securely transmitted, and verified and used by other systems.
In this way, the smart contract implements a dynamic authentication mechanism based on the historical authentication record, the reputation score, the timestamp and the challenge value, improving the security and flexibility of internet of things device authentication.
In an alternative embodiment, the smart contract encrypting the authentication token using a predefined encryption algorithm to generate the encrypted authentication token includes:
The smart contract generates a 256-bit Advanced Encryption Standard key using a cryptographically secure random number generator, generates a 96-bit random initialization vector, and encrypts the authentication token with the Advanced Encryption Standard key and the random initialization vector in the Galois/Counter Mode of the Advanced Encryption Standard to generate a ciphertext and an authentication tag;
The smart contract combines the ciphertext, the random initialization vector and the authentication tag into an encrypted token structure, and asymmetrically encrypts the Advanced Encryption Standard key using the pre-stored public key of the internet of things device to generate an encrypted Advanced Encryption Standard key;
The encrypted token structure and the encrypted Advanced Encryption Standard key are combined into a final encrypted data packet, which serves as the encrypted authentication token.
In this embodiment, the specific procedure for encrypting the authentication token by the smart contract is as follows:
First, the smart contract generates a 256-bit Advanced Encryption Standard (AES) key using a cryptographically secure random number generator. This key is a random binary string of 256 bits in length for subsequent symmetric encryption. For example, the AES key generated is:
"1010110111000010101011011100001010101101110000101010110111000010" (for simplicity of illustration, the actual length is 256 bits);
The smart contract then generates a 96-bit random Initialization Vector (IV). IV is also a random binary string of 96 bits in length for increasing the randomness of the encryption. For example, the IV generated is:
"101011011100001010101101110000" (for simplicity of illustration, the actual length is 96 bits);
The smart contract then encrypts the authentication token with the generated AES key and IV, using the Galois/Counter Mode (GCM) of AES. Assuming the original authentication token is "AccessToken123", encryption yields the ciphertext "En2xK8mP3q" and the authentication tag "Tag567".
The smart contract combines the ciphertext, IV, and authentication tag into an encrypted token structure. For example:
{
  "ciphertext": "En2xK8mP3q",
  "iv": "101011011100001010101101110000",
  "tag": "Tag567"
}
Next, the smart contract asymmetrically encrypts the AES key using the pre-stored public key of the internet of things device. Assuming the public key of the internet of things device is IoTDevicePubKey, the AES key is encrypted with the RSA algorithm to obtain the encrypted AES key "EncryptedAESKey789".
Finally, the smart contract combines the encrypted token structure and the encrypted AES key into a final encrypted data packet as an encrypted authentication token:
{
  "encryptedToken": {
    "ciphertext": "En2xK8mP3q",
    "iv": "101011011100001010101101110000",
    "tag": "Tag567"
  },
  "encryptedAESKey": "EncryptedAESKey789"
}
The encrypted authentication token contains all necessary information and can be securely transmitted to the internet of things device. After receiving the encrypted data packet, the internet of things device can decrypt the AES key using its own private key, and then decrypt the original authentication token using the decrypted AES key and the IV.
The whole process combines symmetric and asymmetric encryption, ensuring both encryption efficiency and the security of key transmission. The use of GCM mode also provides authentication, allowing the integrity of the ciphertext to be verified. These multiple protection mechanisms greatly improve the security of the authentication token and effectively prevent security threats such as man-in-the-middle attacks and replay attacks.
In an optional implementation, the internet of things device decrypting the encrypted authentication token using a pre-agreed decryption algorithm to obtain the authentication result, validity period and authorization level, and configuring its access rights and function limits according to the authentication result, validity period and authorization level, includes:
The internet of things device receives an encrypted data packet, wherein the encrypted data packet comprises an encrypted authentication token structure and an encrypted Advanced Encryption Standard key; the internet of things device extracts the encrypted Advanced Encryption Standard key from the encrypted data packet and decrypts it using a pre-stored asymmetric encryption private key to obtain a decrypted Advanced Encryption Standard key;
The internet of things device extracts an initialization vector, a ciphertext and an authentication tag from the encrypted authentication token structure, creates an Advanced Encryption Standard Galois/Counter Mode decryptor, decrypts the ciphertext using the decrypted Advanced Encryption Standard key and the initialization vector, and verifies the integrity of the decryption result using the authentication tag to obtain a decrypted authentication token;
The internet of things device verifies the digital signature of the decrypted authentication token to ensure its authenticity, parses the decrypted authentication token to extract an authentication result, an expiration time and an authorization level, compares the current time with the expiration time to determine whether the decrypted authentication token is valid, and, when it is valid, configures its own access rights and function limits according to the authentication result and the authorization level;
The internet of things device starts a periodic checking thread, which compares the current time with the expiration time at a preset time interval and, when the current time approaches the expiration time, triggers the internet of things device to request a new authentication token; the internet of things device receives a new encrypted data packet in response to the new authentication token request and updates its access rights and function limits using the information in the new encrypted data packet.
In this embodiment, the internet of things device first receives an encrypted data packet. The encrypted data packet contains an encrypted authentication token structure and an encrypted Advanced Encryption Standard (AES) key. The internet of things device extracts an encrypted AES key from the encrypted data packet, and then decrypts the encrypted AES key by using a pre-stored asymmetric encryption private key to obtain a decrypted AES key.
Next, the internet of things device extracts the initialization vector, ciphertext, and authentication tag from the encrypted authentication token structure. The internet of things device creates an AES-GCM (Galois/Counter Mode) decryptor using the decrypted AES key and the extracted initialization vector. It then decrypts the ciphertext with the decryptor, verifies the integrity of the decryption result using the authentication tag, and finally obtains the decrypted authentication token.
To ensure the authenticity of the decrypted authentication token, the internet of things device verifies its digital signature. After verification passes, the internet of things device parses the authentication token and extracts information such as the authentication result, expiration time and authorization level. The internet of things device compares the current system time with the expiration time to determine whether the authentication token is still valid.
If the authentication token is valid, the internet of things device configures its own access rights and function limits according to the authentication result and the authorization level. For example, an authentication result with an authorization level of "administrator" may permit the internet of things device to access all functions and data, while an authorization level of "normal user" may permit access to only some functions and data.
The internet of things device also starts a periodic checking thread that compares the current time with the expiration time of the authentication token at a predetermined interval (e.g., every 5 minutes). When the current time approaches the expiration time (e.g., 30 minutes remain before expiration), the thread triggers the internet of things device to request a new authentication token.
The internet of things device receives a new encrypted data packet in response to the new authentication token request. The device decrypts and verifies the new authentication token using the same method as before and then updates its own access rights and function limitations using the information in the new authentication token.
For example, assume that the internet of things device is a smart home controller. The initial authentication token may grant a "normal user" level of rights, allowing control of lighting and temperature, but not allowing access to the security camera. When a user is upgraded to an "advanced user" by authentication, a new authentication token may grant a higher level of rights, allowing access to more sensitive functions such as security cameras and door lock control.
In this way, the internet of things device can dynamically adjust its security policy, ensure that only properly authorized users can access specific functions, and also update authentication states in time, thereby maintaining the security and flexibility of the system.
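The encryption and decryption steps described above, as an added Go example that is not part of the patent text: the contract side seals the token with AES-256-GCM under a fresh key and 96-bit IV and wraps the key for the device, and the device side unwraps the key, checks the tag and then the expiry. RSA-OAEP with SHA-256, the 2048-bit key size and all type and function names are assumptions; the sample token is the JSON token from the description, and verification of the token's own signature is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Token mirrors the JSON token in the description; Expiry is Unix milliseconds.
type Token struct {
	Result string `json:"result"`
	Expiry int64  `json:"expiry"`
	Level  int    `json:"level"`
}

// Packet follows the description's layout; encoding/json writes []byte as Base64.
type Packet struct {
	EncryptedToken  EncryptedToken `json:"encryptedToken"`
	EncryptedAESKey []byte         `json:"encryptedAESKey"`
}

type EncryptedToken struct {
	Ciphertext []byte `json:"ciphertext"`
	IV         []byte `json:"iv"`
	Tag        []byte `json:"tag"`
}

var ErrExpired = errors.New("authentication token expired")

func NewDeviceRSAKey() (*rsa.PrivateKey, error) { // stands in for the pre-stored key
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the contract side: a fresh AES-256 key and 96-bit IV per token, AES-GCM
// over the token, then the AES key wrapped for the device (RSA-OAEP is assumed).
func Seal(tokenJSON []byte, devicePub *rsa.PublicKey) (Packet, error) {
	var p Packet
	secret := make([]byte, 32+12) // 256-bit key followed by the 96-bit IV
	if _, err := rand.Read(secret); err != nil {
		return p, err
	}
	key, iv := secret[:32], secret[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return p, err
	}
	sealed := gcm.Seal(nil, iv, tokenJSON, nil) // ciphertext followed by the tag
	n := len(tokenJSON)                         // GCM ciphertext has the plaintext's length
	p.EncryptedToken = EncryptedToken{Ciphertext: sealed[:n], IV: iv, Tag: sealed[n:]}
	p.EncryptedAESKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, key, nil)
	return p, err
}

// Open is the device side: unwrap the key, verify the tag, parse, check the expiry.
func Open(p Packet, devicePriv *rsa.PrivateKey, nowMillis int64) (Token, error) {
	var t Token
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, p.EncryptedAESKey, nil)
	if err != nil {
		return t, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return t, err
	}
	et := p.EncryptedToken
	if len(et.IV) != gcm.NonceSize() || len(et.Tag) != gcm.Overhead() {
		// gcm.Open panics on a wrong IV size, so reject malformed packets first.
		return t, fmt.Errorf("malformed IV (%d bytes) or tag (%d bytes)", len(et.IV), len(et.Tag))
	}
	sealed := append(append([]byte{}, et.Ciphertext...), et.Tag...)
	plain, err := gcm.Open(nil, et.IV, sealed, nil)
	if err != nil {
		return t, err // tag mismatch: ciphertext, IV or tag was altered
	}
	if err := json.Unmarshal(plain, &t); err != nil {
		return Token{}, err
	}
	if nowMillis >= t.Expiry {
		return Token{}, ErrExpired
	}
	return t, nil
}

func main() {
	priv, _ := NewDeviceRSAKey()
	p, _ := Seal([]byte(`{"result":"success","expiry":1623543189000,"level":3}`), &priv.PublicKey)
	fmt.Println(Open(p, priv, 1623456789000))
}
```

Because the tag is checked before the token is parsed, a packet altered in transit is rejected before any access rights are configured from it.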
In an alternative embodiment, the internet of things device sending a verification request to the smart contract address before each data exchange, the smart contract verifying the current state and authority of the internet of things device and returning a verification result, and determining whether to continue the data exchange according to the verification result includes:
The internet of things device generates a verification request, wherein the verification request comprises a device identifier, a current timestamp, a requested operation type, a random number and a device signature, and the device signature is obtained by using the private key of the internet of things device to sign the hash value computed over the combination of the device identifier, the current timestamp, the requested operation type and the random number;
The internet of things device sends the verification request to the smart contract address;
The smart contract receives the verification request, verifies the validity of the device signature using the public key of the internet of things device, checks whether the current timestamp is within a valid time range, verifies that the random number has not been used, obtains the current state information of the internet of things device from the blockchain, and judges, according to the current state information and the operation type of the verification request, whether the internet of things device has permission to execute the requested operation type;
The smart contract generates a verification response, wherein the verification response comprises a verification result, a smart contract processing timestamp, operation permissions and a smart contract signature, and the smart contract signature is obtained by the smart contract signing the combination of the verification result, the smart contract processing timestamp and the operation permissions;
The internet of things device receives the verification response, verifies the validity of the smart contract signature, checks whether the smart contract processing timestamp is within the valid time range, and parses the verification result and the operation permissions;
The internet of things device decides whether to continue the data exchange according to the verification result: when the verification result is a pass and the operation permissions contain the required permission, the internet of things device executes the data exchange operation; when the verification result is a fail or the operation permissions do not contain the required permission, the internet of things device terminates the data exchange operation and records a log;
The internet of things device starts a continuous monitoring thread, which repeatedly monitors at a preset time interval; when the number of consecutive verification failures reaches a preset threshold, the internet of things device enters a restricted mode and triggers a re-authentication flow.
When the block chain-based secure verification method for the data exchange of the Internet of things equipment is realized, the method can be carried out according to the following steps:
First, the internet of things device needs to generate a verification request. The authentication request contains a device identifier, a current timestamp, a type of operation requested, a random number, and a device signature. Wherein the device identifier may be a unique serial number of the device, such as "IOT-001". The current timestamp is in Unix timestamp format, such as "1631234567". The type of operation requested may be "read", "write", etc. The random number is a random string of sufficient length, such as "a7b3c9d2e8f1". For device signature, firstly, a device identifier, a current timestamp, a requested operation type and a random number are spliced into a character string, such as 'IOT-0011631234567 reada b3c9d2e8f 1', then the character string is subjected to SHA256 hash operation to obtain a hash value, and finally the device private key is used for carrying out ECDSA signature on the hash value to obtain the device signature.
Next, the internet of things device sends the generated authentication request to the smart contract address. The smart contract address is a unique identification of a smart contract deployed on a blockchain network, typically a 42-character hexadecimal address, such as "0x742d35Cc6634C0532925a3b844Bc454e4438f44e".
After receiving the verification request, the smart contract first uses the public key of the IoT device to verify the validity of the device signature. To do so, it re-concatenates the device identifier, the current timestamp, the requested operation type, and the random number, calculates the SHA256 hash value, and then uses the ECDSA algorithm and the device public key to verify whether the signature matches the hash value.
The smart contract then checks whether the current timestamp is within a valid time range. For example, a 5-minute validity period may be set, i.e., the contract verifies that the difference between the current timestamp in the request and the time at which the smart contract receives the request is less than 300 seconds.
The smart contract also needs to verify that the random number has not been used before. A set of used random numbers may be maintained in the smart contract; on each verification the contract checks whether the random number is already in the set and, if it is not, adds it to the set.
Next, the smart contract obtains the current state information of the IoT device from the blockchain. The state information may include whether the device is online, disabled, etc. For example, a key-value pair with the key "IOT-001_status" may be stored on the blockchain.
Based on the acquired current state information and the operation type in the verification request, the smart contract determines whether the IoT device has permission to execute the requested operation. For example, if the device state is "online" and the requested operation type is "read", the device is determined to have permission to execute it.
After verification is completed, the smart contract generates a verification response. The verification response includes a verification result, a smart contract processing timestamp, operation permissions, and a smart contract signature. The verification result may be "pass" or "fail". The smart contract processing timestamp is in Unix timestamp format. The operation permissions may be a list of permissions such as ["read", "write"]. The smart contract signature is generated by concatenating the verification result, the smart contract processing timestamp, and the operation permissions into a string and signing that string with ECDSA using the private key of the smart contract.
The smart contract sends the generated verification response to the IoT device. After receiving the verification response, the IoT device first verifies the validity of the smart contract signature. The verification process is similar to the one above: ECDSA signature verification using the public key of the smart contract.
The IoT device then checks whether the smart contract processing timestamp is within a valid time range, which may typically be set to 5 minutes.
The IoT device parses the verification result and the operation permissions. If the verification result is "pass" and the operation permissions contain the required permission, the data exchange operation is performed. For example, if the required permission is "read" and the operation permission list contains "read", the read operation is allowed.
If the verification result is "fail" or the operation permissions do not contain the required permission, the IoT device terminates the data exchange operation and records a log entry. The log content may include information such as the reason for the verification failure and a timestamp.
The IoT device also needs to start a continuous monitoring thread. The thread repeatedly executes the verification request at predetermined time intervals (e.g., every 5 minutes). The thread maintains a counter that counts the number of consecutive verification failures. When the number of consecutive verification failures reaches a preset threshold (e.g., 3), the IoT device enters a restricted mode.
In the restricted mode, the IoT device restricts certain operations and triggers a re-authentication process. Re-authentication may require manual intervention, such as re-entering authentication information or contacting an administrator.
Through the above steps, the blockchain-based security verification method for IoT device data exchange can be implemented, improving the security and reliability of data exchange between IoT devices.
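The contract-side checks described above (device signature, 5-minute window, random-number reuse, status-based permission), as an added Go example that is not code from the patent. The in-memory `Contract`, the length-prefixed field encoding, the policy table and the pruning of expired random numbers are assumptions; the key and all requests are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const window = 300 // seconds: the 5-minute validity window from the text

var (
	ErrSig    = errors.New("bad signature")
	ErrStale  = errors.New("timestamp outside window")
	ErrReplay = errors.New("nonce already used")
	ErrDenied = errors.New("operation not permitted")
)

type Request struct { // verification-request fields described in the text
	DeviceID, Operation, Nonce string
	Timestamp                  int64  // Unix seconds
	Sig                        []byte // ASN.1-encoded ECDSA signature
}

// digest: SHA-256 over the signed fields; the length prefix per field is an assumption (text: "concatenate").
func (r *Request) digest() []byte {
	h := sha256.New()
	for _, f := range []string{r.DeviceID, fmt.Sprint(r.Timestamp), r.Operation, r.Nonce} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return h.Sum(nil)
}

// Contract is an in-memory stand-in for the smart contract's on-chain state.
type Contract struct {
	Keys   map[string]*ecdsa.PublicKey // registered device public keys
	State  map[string]string           // e.g. "IOT-001_status" -> "online"
	Policy map[string]map[string]bool  // status -> permitted operations (assumed table)
	Seen   map[[2]string]int64         // {device, nonce} -> request timestamp
}

// Verify applies the checks in order: signature, freshness, replay, permission.
func (c *Contract) Verify(r *Request, now int64) error {
	pub, ok := c.Keys[r.DeviceID]
	if !ok || !ecdsa.VerifyASN1(pub, r.digest(), r.Sig) {
		return ErrSig // checked first so unsigned traffic cannot fill the nonce set
	}
	if d := now - r.Timestamp; d >= window || d <= -window {
		return ErrStale
	}
	for k, ts := range c.Seen { // a request this old is already rejected as stale
		if now-ts >= window {
			delete(c.Seen, k)
		}
	}
	k := [2]string{r.DeviceID, r.Nonce}
	if _, dup := c.Seen[k]; dup {
		return ErrReplay
	}
	c.Seen[k] = r.Timestamp
	if !c.Policy[c.State[r.DeviceID+"_status"]][r.Operation] {
		return ErrDenied
	}
	return nil
}

// RunScenario verifies constructed requests; returns outcomes and nonces still stored.
func RunScenario() ([]string, int) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	c := &Contract{
		Keys:   map[string]*ecdsa.PublicKey{"IOT-001": &priv.PublicKey},
		State:  map[string]string{"IOT-001_status": "online"},
		Policy: map[string]map[string]bool{"online": {"read": true, "write": true}},
		Seen:   map[[2]string]int64{},
	}
	sign := func(op, nonce string, ts int64) *Request {
		r := &Request{DeviceID: "IOT-001", Operation: op, Nonce: nonce, Timestamp: ts}
		r.Sig, _ = ecdsa.SignASN1(rand.Reader, priv, r.digest()) // a failed signing is rejected by Verify
		return r
	}
	now := int64(1700000000) // constructed clock value
	first, tampered := sign("read", "n1", now), sign("read", "n2", now)
	tampered.Operation = "write" // altered after signing
	var out []string
	check := func(r *Request, at int64) { out = append(out, fmt.Sprint(c.Verify(r, at))) }
	for _, r := range []*Request{first, first, sign("read", "n3", now-301), tampered, sign("delete", "n4", now)} {
		check(r, now)
	}
	check(sign("write", "n5", now+400), now+400) // this later call prunes n1 and n4
	return out, len(c.Seen)
}

func main() { fmt.Println(RunScenario()) }
```

A passing request prints as `<nil>`. Because entries older than the window are pruned, the stored set stays bounded by the request rate within one 5-minute window rather than growing for the life of the contract.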
FIG. 2 is a schematic structural diagram of a blockchain-based Internet of Things data processing system according to an embodiment of the present invention. As shown in FIG. 2, the system includes:
A first unit, configured for the IoT device to generate an authentication request, where the authentication request includes a unique identifier of the IoT device, a current timestamp and a randomly generated challenge value; the IoT device digitally signs the authentication request using a prestored private key to generate a signed authentication request; and the IoT device sends the signed authentication request to the smart contract in a blockchain network;
A second unit, configured for the smart contract in the blockchain network to receive the signed authentication request, where the smart contract verifies the validity of the signed authentication request using a prestored public key of the IoT device; the smart contract queries the historical authentication record and reputation score of the IoT device in the blockchain according to the unique identifier of the IoT device; generates an authentication token containing an authentication result, a validity period and an authorization level based on the historical authentication record, the reputation score, the current timestamp and the challenge value; encrypts the authentication token using a predefined encryption algorithm to generate an encrypted authentication token; and packages the encrypted authentication token together with a smart contract address dynamically generated based on the authentication result as an encrypted data packet that is returned to the IoT device;
A third unit, configured for the IoT device to receive the encrypted authentication token and the smart contract address; the IoT device decrypts the encrypted authentication token using a pre-agreed decryption algorithm to obtain the authentication result, the validity period and the authorization level; configures its own access rights and function restrictions according to the authentication result, the validity period and the authorization level; and, within the validity period, uses the smart contract address as an identity credential for subsequent secure communication and data exchange with other IoT devices or applications; before each data exchange, the IoT device sends a verification request to the smart contract address, the smart contract verifies the current state and permissions of the IoT device and returns a verification result, and the IoT device decides whether to continue the data exchange according to the verification result.
In a third aspect of an embodiment of the present invention, there is provided an electronic device including:
A processor;
A memory for storing processor-executable instructions;
wherein the processor is configured to invoke the instructions stored in the memory to perform the method described previously.
In a fourth aspect of an embodiment of the present invention, there is provided a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method as described above.
The present invention may be a method, apparatus, system, and/or computer program product. The computer program product may include a computer readable storage medium having computer readable program instructions embodied thereon for performing various aspects of the present invention.
It should be noted that the above embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those skilled in the art that the technical solution described in the above embodiments may be modified or some or all of the technical features may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical solution deviate from the scope of the technical solution of the embodiments of the present invention.

Claims (9)

1. A method for processing Internet of Things data based on blockchain, characterized by comprising:
The IoT device generates an authentication request, the authentication request including a unique identifier of the IoT device, a current timestamp, and a randomly generated challenge value; the IoT device digitally signs the authentication request using a pre-stored private key to generate a signed authentication request; the IoT device sends the signed authentication request to a smart contract in the blockchain network;
The smart contract in the blockchain network receives the signed authentication request, and the smart contract verifies the validity of the signed authentication request using the pre-stored public key of the IoT device; the smart contract queries the blockchain for the historical authentication record and reputation score of the IoT device based on the unique identifier of the IoT device; the smart contract generates an authentication token including the authentication result, validity period and authorization level based on the historical authentication record, reputation score, current timestamp and challenge value; the smart contract encrypts the authentication token using a predefined encryption algorithm to generate an encrypted authentication token; the smart contract packages the encrypted authentication token and a smart contract address dynamically generated based on the authentication result as an encrypted data packet and returns it to the IoT device;
The IoT device receives the encrypted authentication token and smart contract address; the IoT device decrypts the encrypted authentication token using a pre-agreed decryption algorithm to obtain the authentication result, validity period and authorization level; the IoT device configures its own access rights and functional restrictions based on the authentication result, validity period and authorization level; during the validity period, the IoT device uses the smart contract address as an identity credential for subsequent secure communication and data exchange with other IoT devices or applications; before each data exchange, the IoT device sends a verification request to the smart contract address, the smart contract verifies the current status and permissions of the IoT device, and returns the verification result; the IoT device decides whether to continue data exchange based on the verification result.

2. The method according to claim 1, characterized in that the IoT device digitally signing the authentication request using a pre-stored private key to generate the signed authentication request comprises:
The IoT device generates an authentication request including a unique device identifier, a current timestamp, and a randomly generated challenge value; the IoT device performs hash processing on the authentication request using a cryptographic hash function to generate a hash value of a fixed length;
The IoT device securely calls a pre-stored private key from the hardware security module; the IoT device encrypts the hash value using an asymmetric encryption algorithm to generate a digital signature;
The IoT device combines the authentication request and the digital signature to form a signed authentication request; wherein the signed authentication request includes an authentication request field and a signature field, the authentication request field contains the device unique identifier, the current timestamp, and the randomly generated challenge value, and the signature field contains the digital signature generated using the private key.

3. The method according to claim 1, characterized in that the smart contract generating an authentication token including the authentication result, validity period and authorization level based on the historical authentication record, reputation score, current timestamp and challenge value comprises:
The smart contract receives and verifies the signed authentication request sent by the IoT device; the smart contract retrieves the historical authentication record of the IoT device in the blockchain according to the device unique identifier in the signed authentication request; the smart contract uses a time series analysis algorithm to analyze the historical authentication record and evaluate the authentication pattern of the IoT device;
The smart contract calculates the reputation score of the IoT device based on the historical authentication record, wherein the calculation of the reputation score takes into account the ratio of the number of successful authentications to the total number of authentications, the time weight of the most recent authentication behavior, and the activity and contribution of the IoT device in the network; the smart contract normalizes the reputation score and maps it to a range of 0-100;
The smart contract verifies whether the timestamp in the signed authentication request is within a preset time window, and checks the uniqueness of the challenge value in the authentication request; the smart contract generates an authentication token based on the authentication pattern, the reputation score, the timestamp and the challenge value, and the authentication token includes an authentication result, a validity period, an authorization level, a device unique identifier, a token generation time and a randomly generated token ID; wherein the validity period is dynamically set according to the reputation score, and the authorization level is determined according to the reputation score and the authentication pattern; the smart contract constructs the authentication token using the JSON Web Token format.

4. The method according to claim 1, characterized in that the smart contract encrypting the authentication token using a predefined encryption algorithm to generate the encrypted authentication token comprises:
The smart contract generates a 256-bit Advanced Encryption Standard key using a cryptographically secure random number generator; generates a 96-bit random initialization vector; uses the Advanced Encryption Standard key and the random initialization vector to encrypt the authentication token in the Galois/Counter Mode of the Advanced Encryption Standard, generating a ciphertext and an authentication tag;
The smart contract combines the ciphertext, the random initialization vector and the authentication tag into an encrypted token structure; uses the pre-stored IoT device public key to asymmetrically encrypt the Advanced Encryption Standard key, generating an encrypted Advanced Encryption Standard key;
The encrypted token structure and the encrypted Advanced Encryption Standard key are combined into a final encrypted data packet as the encrypted authentication token.

5. The method according to claim 1, characterized in that the IoT device decrypting the encrypted authentication token using a pre-agreed decryption algorithm to obtain the authentication result, validity period and authorization level, and the IoT device configuring its own access rights and function restrictions according to the authentication result, validity period and authorization level, comprise:
The IoT device receives an encrypted data packet, wherein the encrypted data packet also contains an encrypted authentication token structure and an encrypted Advanced Encryption Standard key; the IoT device extracts the encrypted Advanced Encryption Standard key from the encrypted data packet; and decrypts the encrypted Advanced Encryption Standard key using a pre-stored asymmetric encryption private key to obtain a decrypted Advanced Encryption Standard key;
The IoT device extracts the initialization vector, ciphertext and authentication tag from the encrypted authentication token structure; the IoT device creates an Advanced Encryption Standard Galois/Counter Mode decryptor, the decryptor using the decrypted Advanced Encryption Standard key and the initialization vector; uses the decryptor to decrypt the ciphertext, and uses the authentication tag to verify the integrity of the decryption result, thereby obtaining a decrypted authentication token;
The IoT device verifies the digital signature of the decrypted authentication token to ensure the authenticity of the decrypted authentication token; the IoT device parses the decrypted authentication token to extract the authentication result, expiration time and authorization level; the IoT device compares the current time with the expiration time to determine whether the decrypted authentication token is valid; when the decrypted authentication token is valid, the IoT device configures its own access rights and function restrictions according to the authentication result and authorization level;
A periodic check thread is started, and the periodic check thread compares the current time with the expiration time at a predetermined time interval; when the current time is close to the expiration time, the periodic check thread triggers the IoT device to request a new authentication token; the IoT device receives a new encrypted data packet in response to the new authentication token request; and uses the information in the new encrypted data packet to update its own access rights and functional restrictions.

6. The method according to claim 1, characterized in that, before each data exchange, the IoT device sending a verification request to the smart contract address, the smart contract verifying the current state and permissions of the IoT device and returning the verification result, and the IoT device deciding whether to continue the data exchange according to the verification result, comprise:
The IoT device generates a verification request, the verification request including a device identifier, a current timestamp, a requested operation type, a random number, and a device signature, wherein the device signature is a signature of a hash value obtained by performing a hash operation on a combination of the device identifier, the current timestamp, the requested operation type, and the random number, made using the private key of the IoT device;
The IoT device sends the verification request to the smart contract address;
The smart contract receives the verification request, verifies the validity of the device signature using the public key of the IoT device, checks whether the current timestamp is within the valid time range, verifies whether the random number has not been used, obtains the current status information of the IoT device from the blockchain, and determines whether the IoT device has the authority to perform the operation type of the verification request based on the current status information and the operation type of the verification request;
The smart contract generates a verification response, the verification response including a verification result, a smart contract processing timestamp, an operation permission, and a smart contract signature, wherein the smart contract signature is obtained by the smart contract signing a combination of the verification result, the smart contract processing timestamp, and the operation permission;
The smart contract sends the verification response to the IoT device; the IoT device receives the verification response, verifies the validity of the smart contract signature, checks whether the smart contract processing timestamp is within the valid time range, and parses the verification result and the operation permission;
The IoT device decides whether to continue data exchange according to the verification result: when the verification result is passed and the operation permission includes the required permission, the IoT device performs the data exchange operation; when the verification result is not passed or the operation permission does not include the required permission, the IoT device terminates the data exchange operation and records a log;
The IoT device starts a continuous monitoring thread, which repeats monitoring at a predetermined time interval; when the number of consecutive verification failures reaches a preset threshold, the IoT device enters a restricted mode and triggers a re-authentication process.

7. A blockchain-based IoT data processing system, used to implement the method according to any one of claims 1 to 6, characterized in that it comprises:
The first unit is used for the IoT device to generate an authentication request, wherein the authentication request includes a unique identifier of the IoT device, a current timestamp, and a randomly generated challenge value; the IoT device digitally signs the authentication request using a pre-stored private key to generate a signed authentication request; and the IoT device sends the signed authentication request to a smart contract in a blockchain network;
The second unit is used for a smart contract in a blockchain network to receive the signed authentication request, and the smart contract uses a pre-stored public key of the IoT device to verify the validity of the signed authentication request; the smart contract queries the blockchain for the historical authentication record and reputation score of the IoT device according to the unique identifier of the IoT device; the smart contract generates an authentication token including the authentication result, validity period and authorization level based on the historical authentication record, reputation score, current timestamp and challenge value; the smart contract encrypts the authentication token using a predefined encryption algorithm to generate an encrypted authentication token; the smart contract packages the encrypted authentication token and a smart contract address dynamically generated based on the authentication result as an encrypted data packet and returns it to the IoT device;
The third unit is used for the IoT device to receive the encrypted authentication token and smart contract address; the IoT device uses a pre-agreed decryption algorithm to decrypt the encrypted authentication token to obtain the authentication result, validity period and authorization level; the IoT device configures its own access rights and functional restrictions according to the authentication result, validity period and authorization level; during the validity period, the IoT device uses the smart contract address as an identity credential for subsequent secure communication and data exchange with other IoT devices or applications; before each data exchange, the IoT device sends a verification request to the smart contract address, the smart contract verifies the current status and permissions of the IoT device, and returns the verification result; the IoT device decides whether to continue data exchange based on the verification result.

8. An electronic device, characterized by comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to call the instructions stored in the memory to execute the method according to any one of claims 1 to 6.

9. A computer-readable storage medium having computer program instructions stored thereon, characterized in that the computer program instructions, when executed by a processor, implement the method according to any one of claims 1 to 6.
CN202411446757.3A 2024-10-16 2024-10-16 Internet of Things data processing method and system based on blockchain Active CN119249401B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411446757.3A CN119249401B (en) 2024-10-16 2024-10-16 Internet of Things data processing method and system based on blockchain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411446757.3A CN119249401B (en) 2024-10-16 2024-10-16 Internet of Things data processing method and system based on blockchain

Publications (2)

Publication Number Publication Date
CN119249401A true CN119249401A (en) 2025-01-03
CN119249401B CN119249401B (en) 2025-04-18

Family

ID=94034429

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411446757.3A Active CN119249401B (en) 2024-10-16 2024-10-16 Internet of Things data processing method and system based on blockchain

Country Status (1)

Country Link
CN (1) CN119249401B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119814473A (en) * 2025-03-12 2025-04-11 深圳益邦阳光有限公司 Method and system for secure networking of intelligent devices based on dynamic keys
CN120017424A (en) * 2025-04-18 2025-05-16 深圳建安润星安全技术有限公司 A method and system for secure access to encrypted enterprise network data

Also Published As

Publication number Publication date
CN119249401B (en) 2025-04-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant