
TW202224378A - IoT system and privacy authorization method - Google Patents

Publication number
TW202224378A
Authority
TW
Taiwan
Prior art keywords
node
server
public key
certificate
privacy
Application number
TW109143839A
Other languages
Chinese (zh)
Other versions
TWI747659B (en)
Inventor
賴昌祈
張明信
黃筱珊
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司 filed Critical 中華電信股份有限公司
Priority to TW109143839A priority Critical patent/TWI747659B/en
Application granted granted Critical
Publication of TWI747659B publication Critical patent/TWI747659B/en
Publication of TW202224378A publication Critical patent/TW202224378A/en

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Storage Device Security (AREA)

Abstract

An IoT system and a privacy authorization method are provided. In the method, multiple private key values are generated based on elliptic-curve cryptography (ECC), which includes the ECQV algorithm. A server public key of the server is generated based on ECC from the private key value of the server. The node public key is generated based on ECC from the server public key and the private key value of the node. The server and the node belong to the blockchain IoT. The identification code of the server is encoded with the node public key to generate the node certificate. The node certificate is published on the blockchain IoT. Accordingly, secure privacy authorization can be implemented in the open, non-trust-based IoT world.

Description

IoT system and privacy authorization method

The present invention relates to a data authorization mechanism, and in particular to an Internet of Things system and a privacy authorization method for use with a blockchain.

According to a forecast by an international research and advisory firm, the number of endpoints in the global enterprise Internet of Things (IoT) market will grow to 5.8 billion in 2020, an increase of 21% over 2019. How to strengthen the storage and the secure exchange and transmission of the large volume of sensitive and confidential data within the IoT, how to reduce the risk of IoT data being stolen, and how to build, on a zero-trust network, a system for secure IoT privacy authorization and correct blockchain data verification are among the pressing goals of the industry and of researchers.

In view of this, the present invention provides an Internet of Things system and a privacy authorization method that combine cryptography and blockchain to strengthen data authentication and authorization.

The privacy authorization method of an embodiment of the present invention is applicable to a blockchain Internet of Things and includes (but is not limited to) the following steps. A plurality of private key values are randomly generated based on elliptic-curve cryptography (ECC). The elliptic-curve cryptography includes the ECQV (Elliptic Curve Qu-Vanstone) algorithm. A server public key of a server is generated based on the elliptic-curve cryptography from the private key value of the server. A node public key of a node is generated based on the elliptic-curve cryptography from the server public key and the private key value of the node. The server and the node belong to the blockchain Internet of Things. The identification code of the server is encoded with the node public key to generate a node certificate of the node. The node certificate is published in the blockchain Internet of Things.

The IoT system of an embodiment of the present invention is applicable to a blockchain Internet of Things and includes (but is not limited to) a node, a certificate management center, and a server. The node collects sensing data. The certificate management center issues an original certificate. The server randomly generates a plurality of private key values based on elliptic-curve cryptography, generates the server public key of the server from the private key value of the server based on the elliptic-curve cryptography, generates the node public key of the node from the server public key and the private key value of the node based on the elliptic-curve cryptography, encodes the identification code of the server with the node public key to generate the node certificate of the node, and publishes the node certificate in the blockchain Internet of Things. The elliptic-curve cryptography includes the ECQV algorithm.

Based on the above, the IoT system and the privacy authorization method according to the embodiments of the present invention use elliptic-curve cryptography to generate the server public key and the node public key respectively, use the node public key together with the original certificate to further generate the node certificate of the corresponding node, and publish the node certificate in the blockchain for identity confirmation. This avoids using a session key as the negotiated encryption key, and so avoids the frequent key exchanges that increase the chance of the data being cracked, thereby preventing private data from being stolen and ensuring the security of node-to-node data transfer.

In order to make the above features and advantages of the present invention more comprehensible, embodiments are described in detail below with reference to the accompanying drawings.

FIG. 1 is a system architecture diagram of the Internet of Things according to an embodiment of the present invention. Referring to FIG. 1, the system 1 includes (but is not limited to) group proxy servers 20, 30, group privacy databases 25, 35, nodes 40A1~40An, 40B1~40Bm (m and n are positive integers), sensors 41, and a certificate management center 60.

The group proxy servers 20, 30 may be computer systems of various types (for example, desktop or notebook computers, servers, smartphones, or tablets). The IoT group proxy servers 20, 30 can connect to the IoT 10. In one embodiment, the IoT group proxy servers 20, 30 belong to two groups. For example, the IoT group proxy server 20 belongs to group A, and the IoT group proxy server 30 belongs to group B.

The group privacy databases 25, 35 are connected to the IoT group proxy servers 20, 30, respectively. The group privacy databases 25, 35 may be storage servers or storage of various types (for example, solid-state drives (SSD), conventional hard disk drives (HDD), or cache memory).

The nodes 40A1~40An, 40B1~40Bm may be routers, relay stations, or switches. The nodes 40A1~40An, 40B1~40Bm can connect to the IoT 10. In one embodiment, each node 40A1~40An, 40B1~40Bm collects the sensing data of its corresponding sensor 41 (for example, data related to weather, force, electrical properties, sound, or other physical, mechanical, or software states). In some embodiments, the nodes 40A1~40An belong to group A, and the nodes 40B1~40Bm belong to group B.

The certificate management center (Certificate Authority, CA) 60 manages, authenticates, and issues certificates, and its operation can be implemented by a computer system. The purpose of a digital certificate is to prove that the user listed in the certificate legitimately owns the public key listed in the certificate.

In the following, the method described in the embodiments of the present invention is explained in conjunction with the devices in the system 1. The individual steps of the method can be adjusted according to the implementation and are not limited to what is described here.

FIG. 2 is a flowchart of an identity authentication stage according to an embodiment of the present invention. Referring to FIG. 2, the identity authentication stage of the nodes 40A1~40An, 40B1~40Bm in the IoT 10 is the stage in which the nodes 40A1~40An, 40B1~40Bm establish an identity registration mechanism with a trusted certificate system and identity certificates are generated. After obtaining a certificate from the certificate management center, the group privacy authorization proxy servers 20, 30 use ECQV (Elliptic Curve Qu-Vanstone) or another elliptic-curve cryptography (ECC) related algorithm to generate multiple sets of public and private keys themselves, as a proxy certificate mechanism, and distribute them to the nodes 40A1~40An, 40B1~40Bm in the IoT 10 for use.

Specifically, the group privacy authorization proxy servers 20, 30 each submit an original certificate request to the certificate management center 60 (step S101). The certificate management center 60 can issue original certificates to the corresponding group proxy servers 20, 30 (step S102). The nodes 40A1~40An, 40B1~40Bm can submit a registration application to the group proxy servers 20, 30 to request to join a group (step S103). In response to the registration application, the group proxy servers 20, 30 can issue to the nodes 40A1~40An, 40B1~40Bm a registration serial number and an access password for reading the privacy databases 25, 35 (step S104).

Next, the group proxy servers 20, 30 can each take the original certificate issued by the certificate management center 60 and use ECQV or another ECC-related algorithm to generate multiple sets of node certificates themselves for the nodes 40A1~40An, 40B1~40Bm (step S105). Specifically, FIG. 3 is a flowchart of a key generation stage according to an embodiment of the present invention. Referring to FIG. 3, the group proxy server 20 is taken as the example below, but the group proxy server 30 can carry out the same or a similar procedure. For the certificate application (step S200), the group proxy server 20 randomly generates a plurality of private key values based on ECC (step S201). ECC is a way of building public-key encryption, that is, asymmetric encryption. Public-key encryption is the foundation of modern network security and of chains of trust. A key feature of public-key encryption is that each of the two communicating terminals has its own pair of public and private keys, and the two keys of a pair have a specific mathematical relationship. Each terminal stores its own private key and discloses its own public key. Even if a third party maliciously obtains either party's public key, it cannot decrypt the traffic. ECC uses the discrete logarithm problem on an elliptic curve as that specific mathematical relationship between the public and private keys. Besides ECQV, algorithms such as ECDH (Elliptic Curve Diffie–Hellman) and EdDSA (Edwards-curve Digital Signature Algorithm) also belong to ECC.

The group proxy server 20 can generate a server public key from its own private key value based on ECC (step S202). For example, the group proxy server 20 performs a point multiplication of its own private key value with one of a plurality of parameter base points on the elliptic curve to generate the server public key belonging to the server. The group proxy server 20 can transmit the server public key and its own identification code (for example, name, organization, country, purpose, validity period, etc.) to the certificate management center 60 (step S203).

The certificate management center 60 can verify, according to ECC, the server public key generated by the group proxy server 20 (step S204), and issue the original certificate to the group proxy server 20 according to the verification result (step S205). The group proxy server 20 can select the private key value of one of the nodes 40A1, 40A2, … or 40An in group A (step S206) and, based on ECC, generate the node public key of the selected node (node 40A1 is taken as the example, but this is not a limitation) from the server public key and the private key value of that node (step S207). For example, the group proxy server 20 performs a point multiplication of the private key value of the node 40A1 with one of a plurality of parameter base points on the elliptic curve to generate the node public key belonging to the node 40A1.

The group proxy server 20 can use this node public key to encode the identification code belonging to the server and the other data required for a certificate, generating the node certificate of the node 40A1 (for example, the certificate value produced by the encoding) (step S208). That is, a digital signature is applied to the node public key using the private key value to generate the node certificate. The node certificates of all groups and all nodes 40A1~40An in the IoT 10 are published in the blockchain IoT 10, so that all nodes 40A1~40An, 40B1~40Bm can look them up to confirm identity.
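The key generation stage above names ECQV without giving its arithmetic, so the following added example (not code from the patent or its applicant) runs standard ECQV implicit-certificate issuance and public-key reconstruction, as specified in SEC 4, on the secp256k1 curve. It assumes the usual ECQV flow in which the node contributes its own secret, whereas the page has the server generate the private key values; the certificate encoding, the identity string and all function names are constructed for illustration.

```python
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, base point G of prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def point_add(a, b):
    """Affine point addition; None represents the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mul(k, pt):
    """Point multiplication by double-and-add; readable but not constant-time."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def keypair():
    """Random private key value d and public key d*G (steps S201-S202)."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mul(d, G)

def encode_cert(p_u, identity):
    """Constructed minimal encoding: 33-byte compressed point, then identity bytes."""
    return bytes([2 + (p_u[1] & 1)]) + p_u[0].to_bytes(32, "big") + identity

def decode_point(cert):
    """Decompress and validate the reconstruction point carried in the certificate."""
    if len(cert) < 33 or cert[0] not in (2, 3):
        raise ValueError("malformed certificate")
    x = int.from_bytes(cert[1:33], "big")
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)          # square root, valid because P % 4 == 3
    if x >= P or y * y % P != rhs:
        raise ValueError("point not on curve")
    return (x, y if (y & 1) == (cert[0] & 1) else P - y)

def cert_hash(cert):
    """e = H(cert) mod N (SEC 4 truncates the hash; reduced here for brevity)."""
    return int.from_bytes(hashlib.sha256(cert).digest(), "big") % N

def server_issue(d_server, r_u, identity):
    """Server side: build the implicit certificate and private-key contribution r."""
    if not on_curve(r_u):
        raise ValueError("request point not on curve")
    while True:
        k, k_g = keypair()
        p_u = point_add(r_u, k_g)
        if p_u is not None:
            break
    cert = encode_cert(p_u, identity)
    return cert, (cert_hash(cert) * k + d_server) % N

def reconstruct_public_key(cert, q_server):
    """Any reader of the published cert derives Q_U = e*P_U + Q_server."""
    return point_add(scalar_mul(cert_hash(cert), decode_point(cert)), q_server)

def node_finish(k_u, cert, r, q_server):
    """Node side: derive d_U = e*k_U + r and check it against the reconstruction."""
    d_u = (cert_hash(cert) * k_u + r) % N
    if d_u == 0 or scalar_mul(d_u, G) != reconstruct_public_key(cert, q_server):
        raise ValueError("certificate does not match server public key")
    return d_u

def demo():
    d_server, q_server = keypair()
    k_u, r_u = keypair()                   # node's request secret and point
    cert, r = server_issue(d_server, r_u, b"node-40A1|group-A")  # constructed identity
    d_u = node_finish(k_u, cert, r, q_server)
    q_u = reconstruct_public_key(cert, q_server)
    # An altered identity still reconstructs *a* key, but not one the node can use.
    forged = cert[:-1] + bytes([cert[-1] ^ 1])
    return scalar_mul(d_u, G) == q_u, reconstruct_public_key(forged, q_server) != q_u
```

Reconstruction never fails on its own for a well-formed certificate, so a verifier reading certificates from the ledger only learns that a certificate is genuine when the holder proves possession of the matching private key, for example by producing a signature that verifies under the reconstructed key.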

FIG. 4 is a flowchart of a data authorization stage according to an embodiment of the present invention. Referring to FIG. 4, the sensing data that the nodes 40A1~40An, 40B1~40Bm collect from their sensors 41 can be made into a privacy authorization form. The privacy authorization form contains the authorized items, the data content of the authorized items, the sensing time of the authorized data, the permissions of the authorized items, and so on. The group proxy servers 20, 30 encrypt the authorized privacy form data with the asymmetric public key of the group proxy server 20, 30 to which the node 40A1~40An, 40B1~40Bm applying for authorization belongs, and write the privacy authorization form into the privacy database 25, 35 of the group authorization proxy server 20, 30 of the applying node. The applying node 40A1~40An, 40B1~40Bm can decrypt it with its own registration serial number and access password, so that the authorized private data is obtained efficiently and in a short time.

For example, the sensor 41 of the node 40A1 of group A performs detection to obtain sensing data. The node 40A1 encrypts the sensing data using a signature made with its own node certificate and the access password obtained at registration, and then transmits it to the privacy database 25 of group A for centralized storage (step S301).

Suppose the node 40B1 of group B applies to group A for authorization of the sensor data of the node 40A1 (that is, issues an access request) (step S302). The group proxy server 20 of group A can read the sensing data of the sensor 41 of the node 40A1 from the privacy database 25 of group A and decrypt the encrypted sensing data with the access password obtained at the registration of the node 40A1 (step S303). The group proxy server 20 of group A uses the group certificate corresponding to group A (for example, the original certificate) and the node certificate of the node 40A1 to produce, over the sensing data obtained by the sensor 41 of the node 40A1, a signature of a public-key cryptographic algorithm (for example, the Elliptic Curve Digital Signature Algorithm (ECDSA), the RSA encryption algorithm, or the Digital Signature Algorithm (DSA)). It then encrypts the signature and the sensing data of the sensor 41 of the node 40A1 with the asymmetric encryption (for example, RSA, ElGamal, or Rabin) public key of the group proxy server 30 of group B, and transmits the privacy authorization data produced by the encryption to group B (step S304).

The group proxy server 30 of group B decrypts the privacy authorization data of the node 40A1 of group A with the asymmetric encryption private key (for example, an RSA private key, corresponding to the RSA used in step S304), and reads the group certificate of group A and the node certificate of the node 40A1 from the privacy blockchain 70 in order to verify the signatures of group A and the node 40A1, thereby confirming their identity and the privacy authorization data (step S305).

Finally, the group proxy server 30 of group B can encrypt the privacy authorization data of the node 40A1 of group A with the access password registered by the node 40B1 and transmit it to the node 40B1 (step S306).

For one-to-many authorization, suppose the node 40B1 of group B applies to group A for authorization of the sensing data package of all the sensors 41 of the node 40A1, the node 40A2, and the node 40A3 (step S307).

The group proxy server 20 of group A reads the sensing data of all the sensors 41 of the node 40A1, the node 40A2, and the node 40A3 from the privacy database 25 of group A, and decrypts the encrypted sensing data with the access passwords obtained at the registration of the node 40A1, the node 40A2, and the node 40A3 (step S308). The group proxy server 20 of group A uses the group certificate corresponding to group A and the respective node certificates of the node 40A1, the node 40A2, and the node 40A3 to produce signatures of a public-key cryptographic algorithm over the sensing data of the sensors 41 of the node 40A1, the node 40A2, and the node 40A3, respectively. It then encrypts each signature together with the sensing data of the sensors 41 of the node 40A1, the node 40A2, and the node 40A3 with the asymmetric encryption public key (for example, an RSA public key) of the group proxy server 30 of group B, and transmits the privacy authorization data produced by the encryption to group B (step S309).

The group proxy server 30 of group B decrypts the privacy authorization data of the node 40A1, the node 40A2, and the node 40A3 of group A with the asymmetric encryption private key of group B (for example, an RSA private key), and reads the group certificate of group A and the respective node certificates of the node 40A1, the node 40A2, and the node 40A3 from the privacy blockchain 70 in order to verify the signatures of group A and of the node 40A1, the node 40A2, and the node 40A3, thereby confirming identity and the privacy authorization data (step S310).

Finally, the group proxy server 30 of group B can encrypt the privacy authorization data of the node 40A1, the node 40A2, and the node 40A3 of group A with the access password registered by the node 40B1 and transmit it to the node 40B1 (step S311).

In summary, in the IoT system and the privacy authorization method of the embodiments of the present invention, a proxy server manages a group of IoT nodes, and an identity verification mechanism based on implicit-certificate ECC-related algorithms is established in the IoT blockchain system. IoT nodes are authorized through multiple identity confirmation using certificates of ECC-related algorithms, linked to an anchored blockchain system, so that nodes do not need to keep generating session keys to exchange and transmit private data, which achieves fast mutual access authorization and verification of private data.

The embodiments of the present invention further include the following features and effects:

In the embodiments of the present invention, the group proxy server applies to the certificate management center for issuance of the original certificate, and then generates multiple sets of node certificates of ECC-related algorithms itself and distributes them to the nodes for use, as a proxy certificate mechanism. In addition, the node certificates of all nodes are published in the IoT blockchain system. Performing multiple identity verification with the sets of node certificates generated by ECC-related algorithms together with the original certificate confirms the security of the original node's authorization and has the advantage of fast authorization of private data.

The group proxy server of the embodiments of the present invention uses the certificate issued by the certificate management center to perform package authorization on the privacy authorization data generated by the nodes. The nodes perform multiple identity confirmation through the corresponding node certificate and the original certificate. The embodiments of the present invention provide a package structure for multi-node authorization of private data, in which identity confirmation between nodes and collective authorization of private data are carried out, achieving direct authorization of private data from multiple nodes to multiple nodes.

The embodiments of the present invention use the security properties of an asymmetric cryptosystem: once the two nodes have established identity verification, the asymmetric encryption public key of the group proxy server can be used for multiple transmissions of privacy authorization data. This reduces the usual reliance on session keys for authorizing data and avoids the frequent key exchanges that increase the chance of the data being cracked. Private data is thereby protected from theft, and the security of authorized node-to-node data transmission is ensured.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Anyone with ordinary knowledge in the technical field may make minor changes and refinements without departing from the spirit and scope of the present invention, so the scope of protection of the present invention shall be as defined by the appended claims.

1: System
10: Internet of Things
20, 30: Group proxy server
25, 35: Group privacy database
40A1~40An, 40B1~40Bm: Node
41: Sensor
60: Certificate management center
70: Blockchain
S101~S105, S200~S208, S301~S311: Steps

FIG. 1 is a system architecture diagram of the Internet of Things according to an embodiment of the present invention.
FIG. 2 is a flowchart of an identity authentication stage according to an embodiment of the present invention.
FIG. 3 is a flowchart of a key generation stage according to an embodiment of the present invention.
FIG. 4 is a flowchart of a data authorization stage according to an embodiment of the present invention.

20: Group proxy server

S200~S208: Steps

Claims (10)

一種隱私授權方法,適用於一區塊鏈(blockchain)的物聯網(Internet of Things,IoT),包括: 基於一橢圓曲線密碼學(Elliptic-curve cryptography,ECC)隨機產生多個私鑰值(private key value),其中該橢圓曲線密碼學包括ECQV(Elliptic Curve Qu-Vanstone)演算法; 基於該橢圓曲線密碼學透過一伺服器的一該私鑰值產生該伺服器的一伺服器公鑰(public key); 基於該橢圓曲線密碼學透過該伺服器公鑰及一節點的一該私鑰值產生該節點的一節點公鑰,其中該伺服器及該節點屬於該區塊鏈的物聯網; 透過該節點公鑰對該伺服器的身分識別碼編碼以產生該節點的一節點憑證;以及 將該節點憑證公佈於該區塊鏈的物聯網中。 A privacy authorization method applicable to a blockchain (Internet of Things, IoT), including: A plurality of private key values (private key values) are randomly generated based on an elliptic-curve cryptography (ECC), wherein the elliptic-curve cryptography includes the ECQV (Elliptic Curve Qu-Vanstone) algorithm; generating a server public key of a server through a private key value of a server based on the elliptic curve cryptography; Generate a node public key of the node through the server public key and a private key value of a node based on the elliptic curve cryptography, wherein the server and the node belong to the Internet of Things of the blockchain; Encode the server's ID with the node's public key to generate a node certificate for the node; and Publish the node credentials in the IoT of the blockchain. 如請求項1所述的隱私授權方法,其中產生該伺服器的該伺服器公鑰的步驟包括: 對該伺服器的該私鑰值及一橢圓曲線上的多個參數基點中的一者點乘運算以產生該伺服器的該伺服器公鑰。 The privacy authorization method according to claim 1, wherein the step of generating the server public key of the server comprises: Dot multiplication of the private key value for the server and one of a plurality of parameter base points on an elliptic curve to generate the server public key for the server. 
如請求項1所述的隱私授權方法,其中產生該伺服器的該伺服器公鑰的步驟之後,更包括: 傳送該伺服器公鑰及該身分識別碼至一憑證管理中心; 透過該憑證管理中心依據該橢圓曲線密碼學驗證該伺服器公鑰;以及 依據驗證結果核發一原始憑證給該伺服器。 The privacy authorization method according to claim 1, wherein after the step of generating the server public key of the server, the method further comprises: sending the server public key and the ID to a certificate management center; verifying, through the certificate management center, the server public key according to the elliptic curve cryptography; and Issue an original certificate to the server according to the verification result. 如請求項1所述的隱私授權方法,其中產生該伺服器的該伺服器公鑰的步驟之前,更包括: 透過該伺服器接收來自該節點的一註冊申請;以及 依據該註冊申請對該節點核發註冊序號及讀取一隱私資料庫的存取密碼。 The privacy authorization method according to claim 1, before the step of generating the server public key of the server, further comprising: receiving, through the server, a registration application from the node; and According to the registration application, a registration serial number is issued to the node and an access password for reading a privacy database is read. 
如請求項4所述的隱私授權方法,其中將該節點憑證公佈於該區塊鏈的物聯網中的步驟之後,更包括: 透過該節點對所收集的感測資料以對應的該節點憑證及該存取密碼加密,並儲存在該隱私資料庫,其中該感測資料是由一感測器所取得; 反應於一存取要求,以對應該節點憑證及一群組憑證對該感測資料製作公開金鑰加密算法的簽章; 透過一非對稱(Asymmetric)加密公鑰對該簽章及該感測資料加密,以產生一隱私授權資料; 透過該非對稱加密公鑰對應的一非對稱加密私鑰解密該隱私授權資料,並透過該群組憑證及該節點憑證對該簽章驗證;以及 依據驗證結果對該隱私授權資料以發出該存取要求的另一節點的存取密碼加密。 The privacy authorization method according to claim 4, wherein after the step of publishing the node credential in the Internet of Things of the blockchain, it further comprises: Encrypting the collected sensing data through the node with the corresponding node certificate and the access password, and storing it in the privacy database, wherein the sensing data is obtained by a sensor; In response to an access request, creating a signature of the public key encryption algorithm for the sensing data corresponding to the node certificate and a group certificate; encrypting the signature and the sensing data through an asymmetric encryption public key to generate a privacy authorization data; decrypt the privacy authorization data through an asymmetric encryption private key corresponding to the asymmetric encryption public key, and verify the signature through the group certificate and the node certificate; and According to the verification result, the privacy authorization data is encrypted with the access password of the other node that issued the access request. 
An Internet of Things system, applicable to the Internet of Things of a blockchain, comprising:
a node for collecting sensing data;
a certificate management center for issuing an original certificate; and
a server for randomly generating a plurality of private key values based on an elliptic curve cryptography, generating a server public key of the server from one of the private key values of the server based on the elliptic curve cryptography, generating a node public key of the node from the server public key and one of the private key values of the node based on the elliptic curve cryptography, encoding the identity code of the server with the node public key to generate a node certificate of the node, and publishing the node certificate in the Internet of Things of the blockchain, wherein the elliptic curve cryptography includes the ECQV algorithm.

The Internet of Things system according to claim 6, wherein the server performs a point multiplication operation on the private key value of the server and one of a plurality of parameter base points on an elliptic curve to generate the server public key.

The Internet of Things system according to claim 6, wherein the server transmits the server public key and the identity code to the certificate management center, the certificate management center verifies the server public key according to the elliptic curve cryptography, and the certificate management center issues an original certificate to the server according to the verification result.
The Internet of Things system according to claim 6, wherein the server receives a registration application from the node, and the server issues to the node, according to the registration application, a registration serial number and an access password for reading a privacy database.

The Internet of Things system according to claim 9, further comprising:
a second node; and
a second server, wherein
the node encrypts the collected sensing data with the corresponding node certificate and the access password and stores the encrypted data in the privacy database, wherein the sensing data is obtained by a sensor;
in response to an access request from the second node, the server creates a signature of a public key encryption algorithm for the sensing data with the corresponding node certificate and a group certificate;
the server encrypts the signature and the sensing data with an asymmetric encryption public key to generate privacy authorization data;
the second server decrypts the privacy authorization data with an asymmetric encryption private key corresponding to the asymmetric encryption public key and verifies the signature with the group certificate and the node certificate; and
the second server, according to the verification result, encrypts the privacy authorization data with the access password of the second node that issued the access request and transmits it to the second node.
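
The implicit-certificate scheme that the system claim names as ECQV, together with the public key check that the certificate management center performs, is shown here as an added Python example that is not part of the patent text. It follows the standard ECQV construction (SEC 4) rather than the patent's own parameters; the P-256 curve, SHA-256, the certificate encoding and the identifier `node-01` are assumptions.

```python
import hashlib, secrets

# NIST P-256 domain parameters (assumed curve; the claims do not name one).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None: return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p == q: m = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else: m = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, p):  # double-and-add scalar multiplication (not constant time)
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def valid_point(q):  # public key validation: not infinity, in range, on the curve
    if q is None: return False
    x, y = q
    return 0 <= x < P and 0 <= y < P and (y * y - x**3 - A * x - B) % P == 0

def cert_hash(pu, ident):  # e = H(P_U || identity) mod N (assumed encoding)
    data = pu[0].to_bytes(32, "big") + pu[1].to_bytes(32, "big") + ident
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ca_issue(d_ca, r_u, ident):  # CA: validate request, return (P_U, r = e*k + d_CA)
    if not valid_point(r_u): raise ValueError("invalid request point")
    k = secrets.randbelow(N - 1) + 1
    pu = add(r_u, mul(k, G))
    return pu, (cert_hash(pu, ident) * k + d_ca) % N

def reconstruct_public(pu, ident, q_ca):  # any verifier: Q_U = e*P_U + Q_CA
    return add(mul(cert_hash(pu, ident), pu), q_ca)

def demo():  # constructed run: CA key, node request, certificate, both derivations
    d_ca, k_u = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    q_ca = mul(d_ca, G)
    pu, r = ca_issue(d_ca, mul(k_u, G), b"node-01")
    d_u = (cert_hash(pu, b"node-01") * k_u + r) % N  # node private key
    return mul(d_u, G), reconstruct_public(pu, b"node-01", q_ca), q_ca, pu
```

The public key reconstructed from the published certificate matches the node's private key only when the identity bound into the certificate is unchanged, which is what lets a verifier trust the key without a separate signature.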

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109143839A TWI747659B (en) 2020-12-11 2020-12-11 Iot system and privacy authorization method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW109143839A TWI747659B (en) 2020-12-11 2020-12-11 Iot system and privacy authorization method

Publications (2)

Publication Number Publication Date
TWI747659B TWI747659B (en) 2021-11-21
TW202224378A true TW202224378A (en) 2022-06-16

Family

ID=79907751

Family Applications (1)

Application Number Title Priority Date Filing Date
TW109143839A TWI747659B (en) 2020-12-11 2020-12-11 Iot system and privacy authorization method

Country Status (1)

Country Link
TW (1) TWI747659B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2582085A1 (en) * 2011-10-10 2013-04-17 Certicom Corp. Generating implicit certificates
EP3374923B1 (en) * 2015-05-22 2021-08-25 Huawei Device Co., Ltd. Cryptographic unit for public key infrastructure (pki) operations
FR3048319B1 (en) * 2016-02-25 2018-03-09 Commissariat A L'energie Atomique Et Aux Energies Alternatives METHOD OF MANAGING IMPLIED CERTIFICATES USING DISTRIBUTED PUBLIC KEY INFRASTRUCTURE
US10924466B2 (en) * 2017-07-28 2021-02-16 SmartAxiom, Inc. System and method for IOT security
CN108390851B (en) * 2018-01-05 2020-07-03 郑州信大捷安信息技术股份有限公司 Safe remote control system and method for industrial equipment
TWI732247B (en) * 2019-07-16 2021-07-01 中華電信股份有限公司 Method to display the validation of certificate at signing time

Also Published As

Publication number Publication date
TWI747659B (en) 2021-11-21

Similar Documents

Publication Publication Date Title
Ding et al. A novel attribute-based access control scheme using blockchain for IoT
CN114710275B (en) Cross-domain authentication and key negotiation method based on blockchain in Internet of things environment
CN108234515B (en) Self-authentication digital identity management system and method based on intelligent contract
CN108270571B (en) Blockchain-based Internet of Things identity authentication system and its method
Su et al. A financial data security sharing solution based on blockchain technology and proxy re-encryption technology
WO2020062668A1 (en) Identity authentication method, identity authentication device, and computer readable medium
CN108768608A (en) The secret protection identity identifying method of thin-client is supported at block chain PKI
CN107852404A (en) Secret communication is mutually authenticated
CN109257183B (en) Arbitration quantum signature method based on quantum walk teleportation
CN113079132B (en) Mass IoT device authentication method, storage medium, information data processing terminal
CN112417494B (en) Power blockchain system based on trusted computing
CN114254284B (en) Digital certificate generation and identity authentication method, quantum CA authentication center and system
CN103780618A (en) Method for cross-isomerism domain identity authentication and session key negotiation based on access authorization ticket
CN112202544B (en) A Smart Grid Data Security Aggregation Method Based on Paillier Homomorphic Encryption Algorithm
CN105516119A (en) Cross-domain identity authentication method based on proxy re-signature
CN113225302B (en) Data sharing system and method based on proxy re-encryption
CN108632251B (en) Trusted Authentication Method and Encryption Algorithm Based on Cloud Computing Data Service
Mao et al. BTAA: Blockchain and TEE-assisted authentication for IoT systems
CN113886781B (en) Multi-authentication encryption method, system, electronic equipment and medium based on block chain
CN114745180A (en) Access authentication method, apparatus and computer equipment
CN117278330A (en) Lightweight networking and secure communication method for electric power Internet of things equipment network
CN113162907A (en) Attribute-based access control method and system based on block chain
Fan et al. Cake-puf: a collaborative authentication and key exchange protocol based on physically unclonable functions for industrial internet of things
Latif et al. Machine Learning Empowered Security and Privacy Architecture for IoT Networks with the Integration of Blockchain.
CN115865520B (en) Authentication and access control method with privacy protection in mobile cloud service environment