CN113784342B - Encryption communication method and system based on Internet of things terminal - Google Patents
- Publication number
- CN113784342B (application CN202111109045.9A)
- Authority
- CN
- China
- Prior art keywords
- private key
- message
- dynamic
- encrypted
- algorithm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3239—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/30—Services specially adapted for particular environments, situations or purposes
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Algebra (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Pure & Applied Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention relates to the technical field of data encryption and discloses an encryption communication method based on an Internet of Things terminal, comprising the following steps: S1, pre-storing a private key A1 that is imported using a true random algorithm and encrypted; S2, performing a hash operation on the encrypted private key A1 and the dynamic system time to obtain a dynamic private key A2; S3, generating a dynamic public key A3 from the dynamic private key A2, updated once per minute; S4, receiving the dynamic public key A3 and encrypting the original message to be sent using an elliptic curve algorithm and the dynamic public key A3 to generate an encrypted message; and S5, decrypting the encrypted message using the elliptic curve algorithm and the dynamic private key A2 to obtain a decrypted message. The invention also provides an Internet of Things terminal encryption communication system based on the elliptic curve algorithm. The invention encrypts messages with a public key and an elliptic curve algorithm; the authentication process requires no third-party system or server database, and for an embedded CPU the computational complexity is low and the communication efficiency is high.
Description
Technical Field
The invention relates to the technical field of data encryption, in particular to an encryption communication method and system based on an Internet of Things terminal, used for wireless networking of embedded devices or Internet of Things devices. Messages are encrypted with a public key and an elliptic curve algorithm and decrypted with a built-in private key. The authentication process requires no third-party system or server database, and for an embedded CPU the computational complexity is low and the communication efficiency is high.
Background
Existing data encryption falls mainly into two categories: symmetric encryption and ordinary asymmetric encryption. The drawback of symmetric encryption is that the sender and receiver must agree on a secret key before data is transmitted, and both sides then store that key; if either party's key is leaked, the encrypted information is no longer safe. In an asymmetric encryption algorithm, each terminal must generate a key pair, consisting of a public key and a private key, each time the algorithm is used; the private key is stored and the public key is sent to the communication counterpart. Each key pair must be unique and unknown to others, so as the number of terminals that need to communicate grows, the number of keys held by the sending and receiving parties becomes very large and key management becomes a burden for both.
To solve these problems, the invention provides an encryption communication method and system based on an Internet of Things terminal. In contrast to symmetric encryption, the private key and the asymmetric encryption algorithm are fixed inside the security module and have no external interface; the security module exposes only the input and output interfaces for decrypting messages, so the private key and the algorithm cannot be leaked during networked communication. This also avoids the problem of a symmetric encryption system, in which every terminal holds the key and the leak of a single terminal's key threatens the security of the whole system. The authentication process of the invention requires no third-party system or server database, and for an embedded CPU the computational complexity is low and the communication efficiency is high.
Disclosure of Invention
The invention aims to provide an encryption communication method and system based on an Internet of Things terminal, used for wireless networking of embedded devices or Internet of Things devices. Messages are encrypted with a public key and an elliptic curve algorithm, and the security module decrypts them with a built-in private key. The authentication process requires no third-party system or server database, and for an embedded CPU the computational complexity is low and the communication efficiency is high.
The invention is realized by the following technical scheme: an encryption communication method based on an Internet of Things terminal, comprising the following steps:
S1, pre-storing a private key A1 that is imported using a true random algorithm and encrypted;
S2, performing a hash operation on the encrypted private key A1 and the dynamic system time to obtain a dynamic private key A2;
S3, generating a dynamic public key A3 from the dynamic private key A2, updated once per minute;
S4, receiving the dynamic public key A3 and encrypting the original message to be sent using an elliptic curve algorithm and the dynamic public key A3 to generate an encrypted message;
and S5, decrypting the encrypted message using the elliptic curve algorithm and the dynamic private key A2 to obtain a decrypted message.
In this technical scheme, the basic process for exchanging confidential information with the elliptic curve algorithm is as follows: the first party generates a key pair and publishes the public key; any other party (the second party) that needs to send information to the first party encrypts the confidential information with that key (the first party's public key) and sends it to the first party, and the first party decrypts the encrypted information with its private key. Likewise, when the first party replies to the second party, the data is encrypted with the second party's public key and decrypted with the second party's private key.
To better implement the present invention, further, the true random algorithm in step S1 includes an ECC256 algorithm.
In this technical scheme, a 256-bit true random number is generated by a true random algorithm and used as the private key. The algorithm is the ECC256 algorithm, which combines a 25-bit true random number with an elliptic curve algorithm. The ECC256 algorithm is built into the security module, and the security module's encryption mechanism keeps the private key and the elliptic curve parameters confidential.
To better implement the present invention, further, the private key A1 in step S1 includes a 256-bit true random number.
In this scheme, the true random number is generated from a physical phenomenon. Generators of this kind are called physical random number generators; examples include coin tosses, dice, wheels, electronic component noise and nuclear fission. The scheme uses a random number generation algorithm based on mouse movement: the user's mouse trajectory is captured over a period of time and turned into an irregular random sequence from which the 256-bit private key is generated. With this method, the same mouse movement sequence can hardly be reproduced, even if the user deliberately tries to. The algorithm thus ensures the security and uniqueness of the private key. The 256-bit private key produced by the true random algorithm is never displayed in software; it is stored encrypted and written directly into the security module, so the operator cannot obtain it, which further protects the private key.
In order to better implement the present invention, further, step S2 includes the steps of:
S2.1, signing and verifying the encrypted private key A1 and the dynamic system time based on OpenSSL;
and S2.2, after signing and signature verification both succeed, obtaining the dynamic private key A2 through a hash operation.
In this technical scheme, OpenSSL implements the DH algorithm, ECC algorithm, DSA algorithm, elliptic curve algorithm (EC) and others. When the elliptic curve algorithm is used, EVP_Sign and EVP_Verify perform digital signing and verification, and EVP_Seal and EVP_Open perform key encryption and key exchange to achieve encryption and decryption.
In order to better implement the present invention, further, step S2.1 includes:
S2.1.1, after receiving the signed response message and the signature verification response message, processing the messages;
S2.1.2, dividing the signed response message and the signature verification response message into a message part and a signature part using a regular expression;
S2.1.3, obtaining a message digest from the signed response message and the signature verification response message using the SHA256 algorithm;
S2.1.4, judging whether the message digests of the signed response message from step S2.1.3 are the same; if so, signing passes, and if not, going to step S2.1.5; judging whether the message digests of the signature verification response message from step S2.1.3 are the same; if so, signature verification passes, and if not, going to step S2.1.5;
and S2.1.5, judging whether an external attack is detected; if so, starting the internal data self-destruction function, and if not, returning to step S2.1.1.
In this technical scheme, SHA256 is a hash algorithm with a 256-bit hash value, a function that can compress the 256-bit true random number message of this method into a message digest of fixed length. The 256-bit private key produced by the true random algorithm is never displayed in software; it is stored encrypted and written directly into the security module, so the operator cannot obtain it, which further protects the private key.
The invention also provides an encryption communication system based on an Internet of Things terminal, comprising a storage module, an encryption module, a dynamic key generation module, a security module and a terminal control module;
the storage module is used for pre-storing a 256-bit private key A1 imported using a true random algorithm, and for sending the private key A1 to the encryption module to be encrypted;
the encryption module is used for encrypting the private key A1; and for receiving the dynamic public key A3, encrypting the original message to be sent using an elliptic curve algorithm and the dynamic public key A3 to generate an encrypted message, and sending the encrypted message to the security module;
the dynamic key generation module is used for performing a hash operation on the encrypted private key A1 and the dynamic system time to obtain a dynamic private key A2; for generating a dynamic public key A3 from the dynamic private key A2; and for receiving the dynamic system update time sent by the security module;
the security module is used for receiving the encrypted private key A1; and for receiving the encrypted message and decrypting it based on the elliptic curve algorithm and the private key A1;
the terminal control module is used for updating the time every minute according to the dynamic system time and sending it to the dynamic key generation module; for sending the encrypted message encrypted by the security module; and for receiving the received message decrypted by the security module.
In this technical scheme, the security module is connected to the CPU circuit through an SPI communication port whose speed can reach 1MB/s at most, which is sufficient for encrypting and decrypting messages. The security module is a high-performance, high-security encryption product based on a 32-bit security processor. Using the IIC and SPI high-speed communication interfaces, a developer can download part of the algorithms and code of their own software into the security module to run there; the user writes the operation code. While the software runs, the program segments in the security module are executed through function calls, and the results are used as input and output data for the rest of the user program. The security module thus forms part of the software product, and the private key stored in it has no contact with the external environment, which eliminates the possibility of key theft at the root.
When terminals communicate, the terminal control module splits the message into 16-byte segments; if the last segment is shorter than 16 bytes it is padded with 0. Each 16-byte segment is sent to the control module to be encrypted with the public key, and a complete message consists of a message header, the message length and the encrypted message. The terminal's control module then sends the encrypted message to the other terminals.
The receiving terminal passes the encrypted message to the security module through the SPI interface. The security module decrypts it with the built-in private key and the ECC256 encryption algorithm and returns the decrypted message to the terminal's control module through the SPI interface, and the control module obtains the original message for processing.
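The framing described above, as an added example that is not part of the patent. The 2-byte header value, the 2-byte big-endian length field counting plaintext bytes, and the XOR stand-in for the per-segment ECC operation are all assumptions; the point shown is why the length field is required once the last segment is zero-padded.

```python
import struct

SEG = 16                          # plaintext segment size given on the page
HEADER = b"\xA5\x5A"              # assumed header value; the page does not define one
TOY_PAD = bytes(range(0x10, 0x20))  # constructed 16-byte pad for the stand-in cipher


class FrameError(ValueError):
    """Raised when a received frame is malformed."""


def toy_segment_cipher(seg):
    """Stand-in for the per-segment ECC operation (self-inverse XOR, NOT secure)."""
    return bytes(a ^ b for a, b in zip(seg, TOY_PAD))


def segment(message):
    """Split into 16-byte segments; the last one is padded with 0x00."""
    padded = message + b"\x00" * (-len(message) % SEG)
    return [padded[i:i + SEG] for i in range(0, len(padded), SEG)]


def build_frame(message, encrypt_segment):
    """header || plaintext length || encrypted segments."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length field")
    body = b"".join(encrypt_segment(s) for s in segment(message))
    return HEADER + struct.pack(">H", len(message)) + body


def parse_frame(frame, decrypt_segment, cipher_seg_len=SEG):
    """Validate the frame, decrypt each segment and strip the zero padding.

    Zero padding alone is ambiguous for a message that itself ends in 0x00,
    so the original length comes from the length field, never from rstrip().
    """
    if len(frame) < 4 or frame[:2] != HEADER:
        raise FrameError("bad header")
    (length,) = struct.unpack(">H", frame[2:4])
    body = frame[4:]
    if len(body) % cipher_seg_len:
        raise FrameError("truncated segment")
    if len(body) // cipher_seg_len != -(-length // SEG):
        raise FrameError("length field does not match segment count")
    plain = b"".join(decrypt_segment(body[i:i + cipher_seg_len])
                     for i in range(0, len(body), cipher_seg_len))
    if any(plain[length:]):
        raise FrameError("non-zero padding")
    return plain[:length]
```

The padding check only rejects frames whose length field disagrees with the decrypted padding; it is not an integrity mechanism.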
In order to better implement the invention, the security module (13) further comprises a bus encryption unit:
the bus encryption unit is used for signing and verifying the encrypted private key A1 and the dynamic system time, and for starting the internal data self-destruction function when an external attack is detected.
In this technical scheme, the private key remains protected inside the security module throughout decryption, so there is no risk of leakage. The security module contains a voltage detection module that resists high- and low-voltage attacks, a frequency detection module that resists high- and low-frequency attacks, and a range of detection sensors: high- and low-voltage sensors, a frequency sensor, a filter, a pulse sensor and a temperature sensor, all with a sensor life test function. As soon as the security module detects illegal probing, the internal self-destruction function is started. The bus is encrypted and covered by a metal shielding layer, and internal data is self-destroyed once an external attack is detected. This series of anti-cracking measures protects the keys and programs inside the security module. The public key is generated from the private key with the elliptic curve algorithm and stored in the terminal's memory. The elliptic curve algorithm ensures that even if the public key leaks, current computers cannot compute the private key from it.
Compared with the prior art, the invention has the following advantages:
(1) The invention combines the security module with an asymmetric encryption algorithm and embeds part of the elliptic curve algorithm into the security module as part of the encryption and decryption process, so the security of the whole system is guaranteed twice over, by the security module and by the elliptic curve algorithm;
(2) When the security module is combined with the elliptic curve algorithm, only one public/private key pair is needed. Even with a large number of terminals there is no need to store multiple key pairs, so key management places no burden on a single-chip microcomputer or embedded terminal. Likewise, Internet of Things terminals that use a single-chip microcomputer or a low-performance processor can still protect keys and messages during communication without a costly upgrade to a more capable processor, striking a balance between security and cost.
Drawings
The invention is further described with reference to the following drawings and examples, and all inventive concepts of the invention are to be considered as being disclosed and claimed.
Fig. 1 is a flowchart of an encryption communication method based on an internet of things terminal according to the present invention.
Fig. 2 is a schematic structural diagram of an encryption communication system based on an internet of things terminal according to the present invention.
Wherein: 10, storage module; 11, encryption module; 12, dynamic key generation module; 13, security module; 14, terminal control module.
Detailed Description
Example 1:
In this embodiment, as shown in Fig. 1, the basic process for exchanging confidential information with the elliptic curve algorithm is as follows: the first party generates a key pair and publishes the public key; any other party (the second party) that needs to send information to the first party encrypts the confidential information with that key (the first party's public key) and sends it to the first party, and the first party decrypts the encrypted information with its private key. Likewise, when the first party replies to the second party, the data is encrypted with the second party's public key and decrypted with the second party's private key. Each time the elliptic curve algorithm is used, a key pair consisting of a public key and a private key must be generated; the private key is stored and the public key is sent to the communication counterpart. Each key pair must be unique and unknown to others, so as the number of terminals that need to communicate grows, the number of keys held by the sending and receiving parties becomes very large and key management becomes a burden for both.
Key generation in this embodiment uses a true random number algorithm, so the operator never sees the real private key; it is written directly into the security chip, which reduces the risk of the private key being leaked by a person. Because the 256-bit key used by the invention is generated from a random physical phenomenon, it cannot be recovered by copying the mouse operation. If it were attacked by brute force, a 256-bit length means that the number of combinations is 2 raised to the power of 256. Searching that many is almost computationally infeasible today. There are approximately billions of combinations of keys of this type. It is virtually impossible to crack. Even with supercomputers, it takes several years to try and test each combination, and cracking by brute force would take at least 3 × 10^51 years to try all the combinations that a 256-bit key can produce.
Example 2:
In this embodiment, a 256-bit true random number is generated by a true random algorithm and used as the private key, and specific elliptic curve parameters are selected. The private key generated by the true random algorithm and the elliptic curve parameters are built into the security module 13, and the encryption mechanism of the security module 13 keeps the private key and the elliptic curve parameters confidential.
Other portions of this embodiment are the same as those of embodiment 1, and thus will not be described in detail.
Example 3:
This embodiment is further optimized on the basis of embodiment 1 above. The true random number is generated from a physical phenomenon. Generators of this kind are called physical random number generators; examples include coin tosses, dice, wheels, electronic component noise and nuclear fission. The embodiment uses a random number generation algorithm based on mouse movement: the user's mouse trajectory is captured over a period of time and turned into an irregular random sequence from which the 256-bit private key is generated. With this method, the same mouse movement sequence can hardly be reproduced, even if the user deliberately tries to. The algorithm thus ensures the security and uniqueness of the private key. The 256-bit private key produced by the true random algorithm is never displayed in software; it is stored encrypted and written directly into the security module 13, so the operator cannot obtain it, which further protects the private key.
Other portions of the present embodiment are the same as those of the above embodiment, and thus will not be described again.
Example 4:
In this embodiment, OpenSSL implements asymmetric encryption algorithms such as the DH algorithm, ECC algorithm, DSA algorithm and elliptic curve algorithm (EC). When the elliptic curve algorithm is used, EVP_Sign and EVP_Verify perform digital signing and verification, and EVP_Seal and EVP_Open perform key encryption and key exchange to achieve encryption and decryption.
In this embodiment, the encrypted private key A1 and the dynamic system time are signed by bool ECCSignAction (string tendata, string & string signed), and the signature over the encrypted private key A1 and the dynamic system time is verified by bool ECCVerifyAction (string tendata, string & string signed).
Other portions of the present embodiment are the same as those of the above embodiment, and thus will not be described again.
Example 5:
This embodiment is further optimized on the basis of embodiment 4 above. SHA256 is a hash algorithm with a 256-bit hash value, a function that can compress the 256-bit true random number message of this application into a message digest of fixed length. The 256-bit private key produced by the true random algorithm is never displayed in software; it is stored encrypted and written directly into the security module 13, so the operator cannot obtain it, which further protects the private key.
In this embodiment, the returned message, which is in JSON format, is divided into a request/response part and a signature part using regular expressions through public boolean verifyBySHA256WithECC (String content, string sign, string public key, string character). To preserve the order of the original text during this process, the returned message must not be converted into a JSON object.
Example 6:
in this embodiment, as shown in fig. 2, the security module 13 is connected to the CPU circuit through an SPI communication port, and the speed of the SPI communication port can reach 1MB/s at the highest, which is sufficient for encrypting and decrypting the message. The security module 13 is an encrypted product with high performance and high security based on a 32-bit security processor, and a developer can download a part of algorithms and codes in own software to the security module 13 for operation by adopting an IIC and SPI high-speed communication interface. The user writes the operation code. In the actual running process of the software, the program segments in the security module 13 are run in a function calling mode to obtain a running result, the result is used as input and output data for further running of the user program, the security module 13 forms a part of a software product, the private key stored in the security module 13 is not related to the external environment, and the possibility of key theft is radically eliminated.
Compared with the improvement of a common asymmetric encryption algorithm, the elliptic curve algorithm requires that each pair of keys needs to use a unique key which is unknown to other people, and when the number of terminals is increased, the number of terminals which need to communicate is increased, the number of keys owned by a receiving party and a transmitting party is huge, and the key management becomes burden of the two parties. For example, when there are two terminals in the network, the first terminal will store two sets of keys (the private key and the public key of the first terminal, the public key of the second terminal), the number of keys is recorded as 1+ (N-1), when there are one hundred terminals, the number of keys to be stored in each terminal is 100, obviously, for terminals such as the internet of things terminal or the single chip microcomputer, storing so many keys will seriously affect the performance of the single chip microcomputer or the processor, while the storage module in this embodiment only needs to store one set of public key and private key, when there are many terminals, it is not necessary to store multiple key pairs, and there is no burden on the key management for the single chip microcomputer or the embedded terminal.
The encryption module 11 is configured to encrypt the private key A1, and to receive the dynamic public key A3, encrypt the original message to be sent using the elliptic curve algorithm and the dynamic public key A3 to generate an encrypted message, and send the encrypted message to the security module 13.
The dynamic key generation module 12 is configured to perform a hash operation on the encrypted private key A1 and the dynamic system time to obtain the dynamic private key A2; to generate the dynamic public key A3 from the dynamic private key A2; and to receive the dynamic system update time sent by the security module 13.
When the terminals communicate, the terminal control module 14 splits the message into 16-byte segments; if the last segment is shorter than 16 bytes, it is padded with 0. Each 16-byte segment is sent to the control module to be encrypted with the public key, and a complete message consists of the message header, the message length and the encrypted message. The control module of the terminal then sends the encrypted message to the other terminals.
When the terminal control module 14 receives an encrypted message, it passes the message to the security module 13 over the SPI interface. The security module 13 performs decryption using the built-in private key and the ECC256 encryption algorithm and returns the decrypted message to the terminal control module 14 over the SPI interface; the terminal control module 14 thus obtains the original message for processing.
Other portions of the present embodiment are the same as those of the above embodiment, and thus will not be described again.
Example 7:
This embodiment is a further optimization of embodiment 6 above. During decryption the private key always remains protected within the security module 13, without risk of leakage. The security module 13 has a voltage detection module for resisting high- and low-voltage attacks, a frequency detection module for resisting high- and low-frequency attacks, and a variety of internal detection sensors: high- and low-voltage sensors, a frequency sensor, a filter, a pulse sensor and a temperature sensor, with a sensor life test function. Once the security module 13 detects illegal probing, the internal self-destruction function is started. The bus is encrypted and covered by a metal shielding protection layer, and internal data is self-destroyed once an external attack is detected. This series of anti-cracking measures in the security module 13 ensures the security of the internal keys and programs. The public key is generated from the private key using the elliptic curve algorithm and stored in the memory of the terminal. The elliptic curve algorithm ensures that even if the public key leaks, current computers have no way to calculate the private key.
Other portions of the present embodiment are the same as those of the above embodiment, and thus will not be described again.
The foregoing description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and any simple modification and equivalent variation of the above embodiment according to the technical matter of the present invention falls within the scope of the present invention.
Claims (5)
1. An encryption communication method based on an Internet of Things terminal, characterized by comprising the following steps:
S1, pre-storing in a security module a private key A1 that is generated and encrypted using a true random algorithm;
S2, performing a hash operation on the encrypted private key A1 and the dynamic system time to obtain a dynamic private key A2;
S3, generating a dynamic public key A3 from the dynamic private key A2, updated once per minute;
S4, receiving the dynamic public key A3, and encrypting an original message to be sent using an elliptic curve algorithm and the dynamic public key A3 to generate an encrypted message;
S5, decrypting the encrypted message using the elliptic curve algorithm and the dynamic private key A2 to obtain a decrypted message;
the step S2 includes the following steps:
S2.1, signing and verifying the encrypted private key A1 and the dynamic system time based on OpenSSL;
S2.2, after signing succeeds and signature verification succeeds, obtaining the dynamic private key A2 through a hash operation;
the step S2.1 includes:
S2.1.1, after receiving the signed response message and the signature verification response message, processing the messages;
S2.1.2, splitting each of the signed response message and the signature verification response message into a message part and a signature part by means of a regular expression;
S2.1.3, obtaining a message digest from each of the signed response message and the signature verification response message using the SHA256 algorithm;
S2.1.4, judging whether the message digests of the signed response message from step S2.1.3 are the same; if yes, signing is judged to pass, and if not, proceeding to step S2.1.5; judging whether the message digests of the signature verification response message from step S2.1.3 are the same; if yes, signature verification is judged to pass, and if not, proceeding to step S2.1.5;
S2.1.5, judging whether an external attack is detected; if so, starting the internal data self-destruction function, and if not, returning to step S2.1.1.
2. The method for encrypted communication based on the terminal of the internet of things according to claim 1, wherein the true random algorithm in step S1 comprises an ECC256 algorithm.
3. The method for encrypted communication based on the terminal of the internet of things according to claim 1, wherein the private key A1 in the step S1 comprises a 256-bit true random number.
4. An encrypted communication system based on an internet of things terminal and based on the encrypted communication method according to any one of claims 1-3, characterized in that the encrypted communication system comprises a storage module (10), an encryption module (11), a dynamic key generation module (12), a security module (13) and a terminal control module (14);
the storage module (10) is used for pre-storing a 256-bit private key A1 imported by using a true random algorithm, and sending the private key A1 to the encryption module (11) to encrypt the private key A1;
an encryption module (11) for encrypting the private key A1; receiving a dynamic public key A3, encrypting an original message to be sent through an elliptic curve algorithm and the dynamic public key A3 to generate an encrypted message, and sending the encrypted message to a security module (13);
the dynamic key generation module (12) is used for carrying out hash operation according to the encrypted private key A1 and the dynamic system time to obtain a dynamic private key A2; generating a dynamic public key A3 according to the dynamic private key A2; receiving dynamic system update time sent by a security module (13);
a security module (13) for receiving the encrypted private key A1, and for receiving an encrypted message and decrypting the encrypted message based on an elliptic curve algorithm and the private key A1;
a terminal control module (14) for updating the time every minute according to the dynamic system time and transmitting the time to the dynamic key generation module (12); sending the encrypted message encrypted by the security module (13); and receiving the message decrypted by the security module (13).
5. An encrypted communication system based on terminals of the internet of things according to claim 4, characterized in that said security module (13) comprises a bus encryption unit:
the bus encryption unit is used for signing and checking the encrypted private key A1 and the dynamic system time; and starting an internal data self-destruction function when the external attack is detected.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111109045.9A CN113784342B (en) | 2021-09-22 | 2021-09-22 | Encryption communication method and system based on Internet of things terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113784342A CN113784342A (en) | 2021-12-10 |
CN113784342B true CN113784342B (en) | 2023-05-26 |
Family
ID=78852596
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111109045.9A Active CN113784342B (en) | 2021-09-22 | 2021-09-22 | Encryption communication method and system based on Internet of things terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113784342B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114826623B (en) * | 2022-06-28 | 2022-09-20 | 云账户技术(天津)有限公司 | Mock test message processing method and device |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7940932B2 (en) * | 2004-04-08 | 2011-05-10 | Texas Instruments Incorporated | Methods, apparatus, and systems for securing SIM (subscriber identity module) personalization and other data on a first processor and secure communication of the SIM data to a second processor |
US8184808B2 (en) * | 2008-08-08 | 2012-05-22 | Universiti Putra Malaysia | Chaotic asymmetric encryption process for data security |
CN105550040A (en) * | 2015-12-29 | 2016-05-04 | 四川中电启明星信息技术有限公司 | KVM platform based virtual machine CPU resource reservation algorithm |
CN106453319A (en) * | 2016-10-14 | 2017-02-22 | 北京握奇智能科技有限公司 | Data transmission system and method based on security module |
CN104408834B (en) * | 2014-12-05 | 2017-04-19 | 湖南长城信息金融设备有限责任公司 | Method and system for controlling depositing and withdrawing safety based on safety core |
CN107786550B (en) * | 2017-10-17 | 2019-11-05 | 中电长城(长沙)信息技术有限公司 | A kind of safety communicating method of self-service device, safe communication system and self-service device |
CN110505062A (en) * | 2019-08-27 | 2019-11-26 | 杭州云象网络技术有限公司 | A kind of Dynamic Oval curve cryptographic methods applied to alliance's chain |
CN110798311A (en) * | 2019-10-15 | 2020-02-14 | 中国电子科技集团公司第三十研究所 | One-time-one-pad IP encryption method based on quantum true random number matrix |
CN111339542A (en) * | 2020-02-26 | 2020-06-26 | 江苏经贸职业技术学院 | A secure input method of computational data |
CN112291230A (en) * | 2020-10-26 | 2021-01-29 | 公安部第一研究所 | A data security authentication transmission method and device for Internet of Things terminal |
WO2021170645A1 (en) * | 2020-02-25 | 2021-09-02 | Giesecke+Devrient Gmbh | Method for directly transmitting electronic coin datasets between terminals, payment system, protection system, and monitoring unit |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101340282B (en) * | 2008-05-28 | 2011-05-11 | 北京易恒信认证科技有限公司 | Generation method of composite public key |
Non-Patent Citations (4)
Title |
---|
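Dynamic memory-based physically unclonable function for the generation of unique identifiers and true random numbers; Christoph Keller; 2014 IEEE International Symposium on Circuits and Systems (ISCAS); full text * |
Key management for trusted computer platforms; 李新明, 张功萱, 施超, 宋斌; Journal of Nanjing University of Science and Technology (Natural Science Edition) (No. 04); full text * |
Design of a DSP-based embedded security terminal for power VoIP systems; 王良之, 汤志平, 黄劲松, 徐双江; Computer Measurement & Control (No. 11); full text * |
Secure access technology for power Internet of Things sensing devices; 任晓龙, 韩大为, 杨海文; Rural Electrification (No. 02); full text * |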
Also Published As
Publication number | Publication date |
---|---|
CN113784342A (en) | 2021-12-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||