Summary of the invention
The main purpose of the present invention is to provide a gateway security access method that can set different security levels for different devices and different applications, so as to effectively realize adaptive gateway security access, conserve system resources, improve the operating efficiency of the system, and achieve a balanced maximization of system resources and information security.
The invention provides a gateway security access method comprising the following steps:
a security level management platform interacts with a gateway to add and authenticate the gateway, and adds node application identification codes (application IDs);
a terminal sends an access authentication request to the gateway;
the gateway queries the node security level according to the node ID and performs node access according to the secure connection factor corresponding to that node security level.
Preferably, before the step in which the terminal sends the access authentication request to the gateway, the method further comprises the step:
the security level management platform receives a node information update notification and triggers an update of the node security level.
Preferably, the step in which the security level management platform receives the node information update notification and triggers the update of the node security level specifically comprises:
after the security level management platform receives the node information update notification, it identifies the node information that needs to be updated and saves the updated node information (the first node information) in the node information list;
the node security level is re-evaluated according to the first node information and the node application level set for the node application ID, and the re-evaluated node information (the second node information) is sent to the gateway.
Preferably, before the step in which the security level management platform receives the node information update notification and triggers the update of the node security level, the method further comprises the step:
the gateway registers the node.
Preferably, the step in which the gateway registers the node specifically comprises:
after the node has completed device registration, receiving the service registration request sent by the node and judging, according to the node application ID, whether the node has join authority; if so, allocating a node ID to the node and sending a registration confirmation;
sending the node information of the node to the security level management platform, configuring the secure connection factor corresponding to the node according to the node security level returned after evaluation by the security level management platform, and sending that secure connection factor to the node.
Preferably, the step in which the security level management platform evaluates the node security level specifically comprises:
evaluating the node attribute state parameters according to the node information sent by the gateway to obtain a node level evaluation value;
evaluating the node security level according to the corresponding node application level and the node level evaluation value.
Preferably, the gateway may send a status information request to the node at a preset time interval and update the security level of the node according to the status information returned by the node.
The present invention also provides a gateway security access system comprising:
a security level management platform, used to interact with the gateway, add and authenticate the gateway, and add node application IDs;
a terminal, used to send an access authentication request to the gateway;
the gateway, used to query the node security level according to the node ID and perform node access according to the secure connection factor corresponding to the node security level.
Preferably, the security level management platform is further used to:
receive a node information update notification and trigger an update of the node security level.
Preferably, the security level management platform specifically comprises:
a user interaction module, used to interact with the domain management module to add and authenticate gateways, add application IDs and set application levels;
a domain management module, used, after receiving the node information update notification, to identify the node information that needs to be updated and save the updated node information (the first node information) in the node information list;
a security level management module, used to re-evaluate the node security level according to the first node information and the node application level set for the node application ID, and to send the re-evaluated node information (the second node information) to the gateway.
Preferably, the gateway is further used to:
register nodes.
Preferably, the gateway comprises:
a node management module, used, after the node has completed device registration, to receive the service registration request sent by the node and judge according to the node application ID whether the node has join authority, and if so, to allocate a node ID to the node and send a registration confirmation;
a secure access module, used to send the node information of the node to the security level management platform, configure the secure connection factor corresponding to the node according to the node security level returned after evaluation by the security level management platform, and send that secure connection factor to the node.
Preferably, the security level management module specifically comprises:
a security level evaluation unit, used to evaluate the node attribute state parameters according to the node information sent by the gateway to obtain a node level evaluation value, and to evaluate the node security level according to the corresponding node application level and the node level evaluation value;
a security level setting unit, used to write the node security level to the node information list and send it to the gateway.
Preferably, the gateway may send a status information request to the node at a preset time interval and update the security level of the node according to the status information returned by the node.
The gateway security access method of the present invention, by updating the node security level on a trigger or at regular intervals and by evaluating the node security level with the hierarchical "application level - node information" method, realizes adaptive gateway security access, conserves system resources, improves system operating efficiency, and achieves the beneficial effect of a balanced maximization of system resources and information security.
Embodiment
The technical solution of the present invention is further described below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a schematic flow chart of the first embodiment of the gateway security access method of the present invention. As shown in Fig. 1, the gateway security access method of the present invention comprises the following steps:
Step S01: the security level management platform interacts with the gateway to add and authenticate the gateway, and adds node application IDs.
The gateway must first be authenticated: the gateway and the security level management platform interact to complete the addition and authentication of the gateway device. Only once the gateway has been set up can the different networks communicate with each other, and this is the precondition of the gateway security access mechanism. The user manually adds node application IDs in the domain management module of the security level management platform; the security level management module of the platform uses them as a reference when evaluating node security levels.
Step S02: the terminal sends an access authentication request to the gateway.
A node of the terminal sends the access authentication request to the gateway, interacts with the gateway and begins communication; when the node sends the access authentication request to the gateway, it attaches its own node ID.
Step S03: the gateway queries the node security level according to the node ID and performs node access according to the secure connection factor corresponding to that node security level.
The gateway queries the node information list by node ID to obtain the node security level. According to the secure connection factor corresponding to that level, the gateway and the node interact to authenticate the node and authorize its access, after which the gateway carries out a series of interactions with the node, such as data transfer and information exchange.
The gateway security access method of the present invention, by updating the node security level on a trigger or at regular intervals and by evaluating the node security level with the hierarchical "application level - node information" method, effectively realizes adaptive gateway security access, conserves system resources, improves system operating efficiency, and achieves the beneficial effect of a balanced maximization of system resources and information security.
Referring to Fig. 2, Fig. 2 is a schematic flow chart of the second embodiment of the gateway security access method of the present invention. As shown in Fig. 2, in the gateway security access method of the present invention, before the step in which the terminal sends the access authentication request to the gateway, the method further comprises the step:
Step S04: the security level management platform receives a node information update notification and triggers an update of the node security level.
The security level management platform receives the node information update notification, which may come from the user management platform, from the secure access module in the gateway, or from the gateway interaction module in the node, and triggers the update of the node security level.
In a preferred embodiment, besides the trigger-based update described above, the node security level can also be updated periodically. The gateway may send a status information request to the node at a preset time interval and update the corresponding node security level according to the attribute and status information returned by the node. Because of the limits of the node's own attributes, the preset interval at which the gateway sends status information requests to the node must be chosen with care, since periodic updates of the node security level should not be too frequent.
The gateway security access method of the present invention, by having the security level management platform receive the node information update notification and trigger the update of the node security level, effectively realizes adaptive gateway security access, conserves system resources, improves system operating efficiency, and achieves the beneficial effect of a balanced maximization of system resources and information security.
Referring to Fig. 3, Fig. 3 is a schematic flow chart of an embodiment in which the security level management platform receives the node information update notification and triggers the update of the node security level in the gateway security access method of the present invention. As shown in Fig. 3, in the gateway security access method of the present invention, the step in which the security level management platform receives the node information update notification and triggers the update of the node security level comprises:
Step S11: after receiving the node information update notification, identify the node information that needs to be updated and save the updated node information (the first node information) in the node information list.
The domain management module in the security level management platform receives the node information update notification, which may come from the user management platform, from the secure access module in the gateway, or from the gateway interaction module in the node. The domain management module identifies, from the update notification, the node information that needs updating, updates it, and stores the first node information in the node information list, thereby obtaining the updated node information list.
Step S12: re-evaluate the node security level according to the first node information and the node application level set for the node application ID, and send the re-evaluated node information (the second node information) to the gateway.
After the node information list has been updated, the node management module in the gateway, according to the updated node information list, immediately sends the updated first node information and the corresponding node application level to the security level management module of the security level management platform. The security level management module re-evaluates the security level of the node according to the updated first node information and the corresponding node application level, and immediately sends the evaluated node security level to the domain management module; the domain management module sends the updated second node information to the gateway. The updated second node information comprises the new node security level and the node attribute state.
The gateway security access method of the present invention, by having the security level management platform receive the node information update notification and trigger the update of the node security level, effectively realizes adaptive gateway security access, conserves system resources, improves system operating efficiency, and achieves the beneficial effect of a balanced maximization of system resources and information security.
Referring to Fig. 4, Fig. 4 is a schematic flow chart of the third embodiment of the gateway security access method of the present invention. As shown in Fig. 4, in the gateway security access method of the present invention, before the step in which the security level management platform receives the node information update notification and triggers the update of the node security level, the method further comprises the step:
Step S05: the gateway registers the node.
When a node first accesses the network it must register with the gateway: besides basic device registration, service registration is also required. In a preferred embodiment, the device discovery and service discovery processes of a Zigbee (Internet of Things) network and the neighbor discovery process of a 6LoWPAN (a wireless network access standard) network all require the node to be registered.
In a preferred embodiment, every node accessing the network may also be required to register.
The gateway security access method of the present invention, by registering the node before the step in which the security level management platform receives the node information update notification and triggers the update of the node security level, effectively realizes adaptive gateway security access, conserves system resources, improves system operating efficiency, and achieves the beneficial effect of a balanced maximization of system resources and information security.
Referring to Fig. 5, Fig. 5 is a schematic flow chart of an embodiment in which the gateway registers the node in the gateway security access method of the present invention. As shown in Fig. 5, in the gateway security access method of the present invention, the step in which the gateway registers the node specifically comprises:
Step S21: after the node has completed device registration, receive the service registration request sent by the node.
When a node registers, device registration of the node is performed first. The node device information includes node attributes such as the node type number, node performance and the algorithms the node supports, and node states such as whether the node is online, the residual energy of the node and the remaining resources of the node. After completing device registration, the node sends a service registration request to the gateway.
Step S22: judge, according to the node application ID, whether the node has join authority; if so, execute step S23; if not, refuse the join of the node and end the whole registration process.
Step S23: allocate a node ID to the node and send a registration confirmation.
The gateway judges whether the node has join authority according to the node application ID. The node application ID is set manually by the user; the node management module in the gateway queries, by node application ID, the application information the user has set for the node and decides whether the node has join authority. If the node may join, a node ID is allocated to it and a registration confirmation, which mainly contains the node ID, is sent to the node; at the same time the node sends its own attribute and state information to the node management module of the gateway for later use in node management and security evaluation. If the node has no join authority, the join is refused and the whole registration process ends.
Step S24: send the node information of the node to the security level management platform, configure the secure connection factor corresponding to the node according to the node security level returned after evaluation by the security level management platform, and send the secure connection factor to the node.
The gateway sends the node information, comprising the node ID, the node application ID and the node attribute state, to the security level management platform, which stores it in its own node information list. The security level management platform performs a security evaluation of the node according to node information such as the node application level and the node device attributes, sets the security level of the node, keeps the node security level in the node information list for user queries, and at the same time sends it to the gateway, which stores it in its own node information list for later use. The gateway queries its own node information list, configures the secure connection factor of the node according to the node security level returned by the security level management platform, and sends the secure connection factor corresponding to the node to the node of the terminal. The secure connection factor corresponding to each node level is configurable in the gateway.
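The registration and hand-off sequence of steps S21 to S24 above, together with the access authentication step S03 of the first embodiment, modelled on the gateway side in Python. This is an added example, not code from the patent. The message fields, the per-level secure connection factor table and the security levels handed back by the platform are assumptions made for the example; the description only states that the factor for each level is configurable in the gateway and that a node ID is allocated only after the application ID check succeeds.

```python
"""Gateway-side model of node registration, level hand-off and access authentication.

Added example, not the patent's own code. The message fields, the per-level
secure connection factors and the security levels handed back by the platform
are assumptions made for this example.
"""
import itertools
from dataclasses import dataclass, field
from typing import Optional

# Secure connection factor per node security level (assumed values). The
# patent only states that the factor for each level is configurable in the
# gateway; level 0 means the node cannot communicate, so it gets no factor.
SECURE_CONNECTION_FACTORS = {
    3: {"auth": "ecdsa-p256", "cipher": "aes-128-ccm", "rekey_seconds": 3600},
    2: {"auth": "hmac-sha256", "cipher": "aes-128-ccm", "rekey_seconds": 1800},
    1: {"auth": "hmac-sha256", "cipher": "aes-128-ctr", "rekey_seconds": 600},
    0: None,
}


@dataclass
class NodeRecord:
    """One entry of the gateway's node information list."""
    node_id: int
    app_id: str
    attributes: dict = field(default_factory=dict)
    security_level: Optional[int] = None


class Gateway:
    def __init__(self, allowed_app_ids):
        # Application IDs the user added on the platform; assumed to be known
        # to the gateway once the gateway itself has been authenticated (S01).
        self.allowed_app_ids = set(allowed_app_ids)
        self.nodes = {}
        self._next_id = itertools.count(1)

    def service_register(self, app_id, attributes):
        """Steps S22/S23: join authority is decided by application ID; an
        authorised node gets a node ID and a registration confirmation,
        any other node is refused and nothing is recorded."""
        if app_id not in self.allowed_app_ids:
            return None
        node_id = next(self._next_id)
        self.nodes[node_id] = NodeRecord(node_id, app_id, dict(attributes))
        return {"type": "registration_confirmation", "node_id": node_id}

    def node_information(self, node_id):
        """Step S24: the node information forwarded to the platform."""
        rec = self.nodes[node_id]
        return {"node_id": rec.node_id, "app_id": rec.app_id,
                "attributes": dict(rec.attributes)}

    def apply_security_level(self, node_id, level):
        """Record a level returned by the platform (S24, or S12 after a
        re-evaluation) and derive the factor to send to the node."""
        if level not in SECURE_CONNECTION_FACTORS:
            raise ValueError("unknown node security level %r" % (level,))
        self.nodes[node_id].security_level = level
        return SECURE_CONNECTION_FACTORS[level]

    def access_authenticate(self, node_id):
        """Step S03: look up the level by the node ID carried in the access
        authentication request and apply the matching factor. Unregistered
        IDs, nodes not yet evaluated and level-0 nodes are refused."""
        rec = self.nodes.get(node_id)
        if rec is None or rec.security_level is None:
            return {"granted": False, "reason": "unknown or unevaluated node"}
        factor = SECURE_CONNECTION_FACTORS[rec.security_level]
        if factor is None:
            return {"granted": False, "reason": "level 0: node cannot communicate"}
        return {"granted": True, "level": rec.security_level, "factor": factor}


def demo():
    """Walk one node through refusal, registration, evaluation and an update."""
    gw = Gateway(allowed_app_ids={"app-meter"})
    refused = gw.service_register("app-unknown", {"voltage": 4.5})
    confirmation = gw.service_register("app-meter", {"voltage": 4.5, "online": True})
    nid = confirmation["node_id"]
    info = gw.node_information(nid)               # what the platform receives
    factor = gw.apply_security_level(nid, 3)      # level 3 assumed to come back
    first = gw.access_authenticate(nid)
    # A node information update reports the node as drained; the platform
    # re-evaluates to level 0 and the gateway must now refuse access.
    factor_after = gw.apply_security_level(nid, 0)
    second = gw.access_authenticate(nid)
    return refused, info, factor, first, factor_after, second


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of the model is the order of checks: the application ID gate runs before any node ID exists, the node ID is the only key the access request carries, and a level the platform lowers to 0 takes effect at the next access attempt without any further registration step.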
The gateway security access method of the present invention, by performing device registration and service registration of the node and configuring the security level of the node and its corresponding secure connection factor, effectively realizes adaptive gateway security access, conserves system resources, improves system operating efficiency, and achieves the beneficial effect of a balanced maximization of system resources and information security.
Referring to Fig. 6, Fig. 6 is a schematic flow chart of an embodiment in which the security level management platform evaluates the node security level in the gateway security access method of the present invention. As shown in Fig. 6, in the gateway security access method of the present invention, the step in which the security level management platform evaluates the node security level specifically comprises:
Step S31: evaluate the node attribute state parameters according to the node information sent by the gateway to obtain a node level evaluation value.
The security level management platform first evaluates each attribute state parameter of the node to obtain a node level evaluation value; this is the evaluation quantization stage. In a preferred embodiment, the evaluation is based on the node application level and the node information. The node application level is set manually by the user for the node application ID. The node information comprises the node attributes, the node state, the node data volume and the node data type. The node attributes comprise the node registration information of the registration phase, including the node device model, node memory, node storage capacity, the authentication the node supports and the node encryption algorithms; these are the hardware and software attributes installed on the node device and serve as the basic elements of level evaluation. The node state comprises the node online state (On/Off, enabled/disabled), the residual energy of the node and the node resource occupancy; it is sent by the node to the node management module of the gateway in the node registration phase or in the node state update phase. The real-time state of the node determines the node's ability to process authentication and encryption algorithms and thereby the processing efficiency of the whole system. The node data volume and node data type are sent as part of the node state in the node state update phase; the system decides the cryptographic algorithm to use according to the node data volume and node data type, for example an authentication and encryption algorithm of high security complexity but lower efficiency, or an algorithm of lower security complexity but higher efficiency, and through this mechanism achieves a balanced maximization of system efficiency and information transmission security.
In a preferred embodiment, the node attribute state parameters are evaluated as follows to obtain the node level evaluation value. Taking a division into three grades as the example, refer to table 1, which is the quantified evaluation scale for the residual energy of the node.
Table 1: quantified evaluation scale for residual node energy
Voltage / V       | 0 | 0~2 | 2~4 | 4~5
Assessed value E1 | 0 | 1   | 2   | 3
It follows that, if there are N attributes, there are N attribute state evaluation values $E_1, E_2, E_3, \ldots, E_N$, and the weighted sum of these N evaluation values is the node level evaluation value. The node level evaluation value is computed as follows:
$$E_{Node} = C_1 E_1 + C_2 E_2 + \cdots + C_N E_N, \qquad C_1 + C_2 + \cdots + C_N = 1;$$
if any $E_i = 0$, then $E_{Node} = 0$. Here $C_i$ is the weight corresponding to attribute $i$; its size is determined by the priority of each evaluation factor, and because application scenarios differ, the settings of $C_i$ differ as well. The node level evaluation value $E_{Node}$ obtained from the above formula satisfies $0 \le E_{Node} \le 3$, where $E_{Node} = 0$ means that the node cannot communicate because of a fault, energy depletion or a similar problem, and $E_{Node} = 3$ represents the ideal state, in which the capacity of the node has not yet been consumed at all.
Step S32: evaluate the node security level according to the corresponding node application level and the node level evaluation value.
The final node security level is derived from the node level evaluation value in combination with the node application level.
In a preferred embodiment, the application levels set manually by the user are three: the highest security level A, the medium security level B and the lower security level C. Referring to table 2, table 2 is the node security level evaluation table. As shown in table 2, the node security level is evaluated by combining the node application level with each node level evaluation value $E_{Node}$.
Table 2 above is only a basic node level evaluation scheme; the quantization levels of the node security level shown there may be chosen according to circumstances. A change of node information (such as a node state update) can change the security level of the node, but the security level of a given node can only vary within the range of its application level.
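The quantization of step S31 (table 1 and the weighted sum for $E_{Node}$) and the combination with the application level of step S32, carried through in Python as an added example; this is not code from the patent. The residual-energy scale is table 1 as given above. The scales for resource occupancy and online state, the weights $C_i$, and the rule mapping an application level and $E_{Node}$ to a security level are assumptions, since table 2 is not reproduced on this page; the rule does respect the stated constraints that any $E_i = 0$ forces $E_{Node} = 0$, that $0 \le E_{Node} \le 3$, and that a node's level only varies within the range of its application level.

```python
"""Security level management platform: quantize node attribute states,
compute the node level evaluation value E_Node and combine it with the
application level.

Added example, not the patent's own code. The residual-energy scale is
table 1 from the description; the resource and online scales, the weights
and the mapping from (application level, E_Node) to a security level are
assumptions, since table 2 is not reproduced on the page.
"""

# Table 1: residual energy (battery voltage) -> assessed value E1.
# Each entry is (inclusive upper bound in volts, assessed value).
ENERGY_SCALE = [(0.0, 0), (2.0, 1), (4.0, 2), (5.0, 3)]


def quantize_energy(voltage):
    """Map a node's voltage to table 1; 0 V means the node is depleted."""
    if voltage < 0:
        raise ValueError("voltage must be non-negative")
    for upper, value in ENERGY_SCALE:
        if voltage <= upper:
            return value
    return 3  # above the 4~5 V band: treat as fully charged (assumption)


def quantize_resources(occupancy):
    """Assumed three-band scale for resource occupancy in [0, 1]; a fully
    occupied node scores 0 and therefore cannot be relied on."""
    if not 0.0 <= occupancy <= 1.0:
        raise ValueError("occupancy must be a fraction in [0, 1]")
    if occupancy >= 1.0:
        return 0
    if occupancy > 2 / 3:
        return 1
    if occupancy > 1 / 3:
        return 2
    return 3


def quantize_online(online):
    """Node online state On/Off: an offline node scores 0."""
    return 3 if online else 0


def node_level_value(scores, weights):
    """E_Node = C_1 E_1 + ... + C_N E_N with C_1 + ... + C_N = 1; if any
    E_i = 0 the node cannot be used and E_Node = 0."""
    if len(scores) != len(weights):
        raise ValueError("one weight per attribute score")
    if abs(sum(weights) - 1.0) > 1e-9 or any(c < 0 for c in weights):
        raise ValueError("weights must be non-negative and sum to 1")
    if any(e == 0 for e in scores):
        return 0.0
    # round away float noise so the [0, 3] bound check below is exact
    return round(sum(c * e for c, e in zip(weights, scores)), 6)


# Assumed: the range of security levels each application level may occupy
# (the description states a node's level only varies within its application level).
APP_LEVEL_RANGE = {"A": (2, 3), "B": (1, 2), "C": (1, 1)}


def node_security_level(app_level, e_node):
    """Combine application level and E_Node (assumed rule in the spirit of
    table 2): a node at or above the midpoint of the 0..3 scale gets the
    top of its application level's range, otherwise the bottom."""
    if not 0.0 <= e_node <= 3.0:
        raise ValueError("E_Node must lie in [0, 3]")
    if e_node == 0:
        return 0
    low, high = APP_LEVEL_RANGE[app_level]
    return high if e_node >= 1.5 else low


def evaluate(app_level, voltage, occupancy, online, weights=(0.5, 0.3, 0.2)):
    """Full S31/S32 pass for one node; the weights are example priorities."""
    scores = (quantize_energy(voltage), quantize_resources(occupancy),
              quantize_online(online))
    e_node = node_level_value(scores, weights)
    return e_node, node_security_level(app_level, e_node)


if __name__ == "__main__":
    print(evaluate("A", 4.5, 0.2, True))    # healthy node, highest application level
    print(evaluate("A", 0.5, 0.8, True))    # low battery, busy: drops within level A's range
    print(evaluate("B", 4.5, 0.2, False))   # offline: E_Node = 0, no access
    print(evaluate("C", 4.5, 0.2, True))    # low application level caps the result
```

The weight check matters in practice: if the $C_i$ do not sum to 1 the upper bound $E_{Node} \le 3$ no longer holds and the level mapping silently shifts, so the function refuses such weights rather than normalizing them.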
In a preferred embodiment, some attribute states of the node cannot simply be evaluated with a quantized value, for example the authentication and encryption algorithms the node can support or the data type the node transmits; factors of this kind, which cannot be reduced to a quantized value for the simple evaluation of the node security level, need to be evaluated separately by the security level evaluation unit of the security level management module.
The gateway security access method of the present invention, by having the security level management platform evaluate the node security level according to the node information sent by the gateway and the corresponding node application level, effectively realizes adaptive gateway security access, conserves system resources, improves system operating efficiency, and achieves the beneficial effect of a balanced maximization of system resources and information security.
Referring to Fig. 7, Fig. 7 is a schematic structural diagram of an embodiment of the gateway security access system of the present invention. As shown in Fig. 7, the gateway security access system of the present invention comprises:
a security level management platform 01, used to interact with the gateway, add and authenticate the gateway, and add node application IDs;
a terminal 02, used to send an access authentication request to the gateway;
a gateway 03, used to query the node security level according to the node ID and perform node access according to the secure connection factor corresponding to the node security level.
The security level management platform 01 sits in the upper layer of the system. It manages the security level information of all nodes deployed in a given network and allocates one application domain to each application; its jurisdiction may cover several heterogeneous wireless networks and their gateways. The security level management platform 01 interacts with the gateway 03 to add and authenticate the gateway 03 and, on receiving a node information update notification, triggers the update of the node security level of the terminal 02. When a node accesses the gateway 03, the node of the terminal 02 sends a node access authentication request to the gateway 03, and the node and the gateway 03 interact to authenticate the node. The gateway 03 queries the node information list according to the node application ID and node ID of the terminal 02 to obtain the node security level; according to that node security level, the gateway 03 configures the corresponding node secure connection factor, and according to that factor the gateway 03 exchanges with the node of the terminal 02, authenticates the node of the terminal 02, authorizes its access, and then carries out a series of interactions with the node such as data transfer and information exchange.
The gateway security access system of the present invention, by updating the node security level on a trigger or at regular intervals and by evaluating the node security level with the hierarchical "application level - node information" method, effectively realizes adaptive gateway security access, conserves system resources, improves system operating efficiency, and achieves the beneficial effect of a balanced maximization of system resources and information security.
Referring to Fig. 8, Fig. 8 is a schematic structural diagram of an embodiment of the security level management platform in the gateway security access system of the present invention. As shown in Fig. 8, in the gateway security access system of the present invention, the security level management platform 01 specifically comprises:
a user interaction module 011, used to interact with the domain management module to add and authenticate gateways, add application IDs and set application levels;
a domain management module 012, used, after receiving the node information update notification, to identify the node information that needs to be updated and save the updated node information (the first node information) in the node information list;
a security level management module 013, used to re-evaluate the node security level according to the first node information and the node application level set for the node application ID, and to send the re-evaluated node information (the second node information) to the gateway.
In a preferred embodiment, the domain management module 012 comprises a domain information list and a node information list.
The user interaction module 011 adds application IDs and sets the corresponding application levels, which the security level management module 013 uses as a reference when evaluating node security levels. After the domain management module 012 receives the node information update notification, it identifies the node information that needs to be updated and saves the updated first node information in the node information list. The domain management module 012 performs user management according to the stored application domains and node information, and receives the node information and the corresponding node application IDs sent by the gateway 03. The security level management module 013 evaluates the node security level according to the updated node information provided by the domain management module 012 and the updated node application level sent by the gateway 03, writes the node security level to the node information list and sends it to the gateway 03.
The gateway security access system of the present invention, by having the security level management module of the security level management platform evaluate the node security level, effectively realizes adaptive gateway security access, conserves system resources, improves system operating efficiency, and achieves the beneficial effect of a balanced maximization of system resources and information security.
Referring to Fig. 9, Fig. 9 is a schematic structural diagram of an embodiment of the gateway in the gateway security access system of the present invention. As shown in Fig. 9, in the gateway security access system of the present invention, the gateway 03 specifically comprises:
a node management module 031, used, after the node has completed device registration, to receive the service registration request sent by the node, judge according to the node application ID whether the node has join authority, and if so, allocate a node ID to the node and send a registration confirmation;
a secure access module 032, used to send the node information of the node to the security level management platform, configure the secure connection factor corresponding to the node according to the node security level returned after evaluation by the security level management platform, and send that secure connection factor to the node.
The node management module 031 stores the node information list managed by the gateway 03 and interacts with the nodes of the terminal 02, with the security level management platform 01 and with the secure access module 032. When a node of the terminal 02 registers, the node management module 031, after the node has completed device registration, receives the service registration request sent by the node and judges according to the node application ID whether the node has join authority; if the node has join authority, it allocates a node ID to the node and sends a registration confirmation. When a node of the terminal 02 requests access to the gateway 03, the node management module 031 judges whether the node has access authority. The node management module 031 receives the node information sent by the gateway interaction module 021 of the terminal 02 and sends it to the domain management module 012 of the security level management platform 01. When a node security level is re-evaluated, the node management module 031 receives the updated node information sent by the domain management module 012 and notifies the secure access module 032 to configure the secure connection factor corresponding to that node security level. The secure access module 032, according to the node security level sent by the node management module 031, queries the node information list of the gateway 03, configures the secure connection factor of the node, and sends the node secure connection factor to the corresponding node of the terminal 02.
The gateway security access system of the present invention, by having the gateway perform device registration and service registration of the node, effectively realizes adaptive gateway security access, conserves system resources, improves system operating efficiency, and achieves the beneficial effect of a balanced maximization of system resources and information security.
With reference to Figure 10, Figure 10 is a schematic structural diagram of an embodiment of the security level management module in the gateway secure access system of the present invention. As shown in Figure 10, in the gateway secure access system of the present invention, the security level management module 013 comprises:
a security level assessment unit 131, used to assess the node attribute state parameters according to the node information sent by the gateway to obtain a node level evaluation value, and to assess the node security level according to the node application level and the corresponding node level evaluation value;
a security level setting unit 132, used to write the node security level into the node information list and send it to the gateway.
The security level assessment unit 131 stores the node information and the corresponding node application level provided by the domain management module 012 in the node information list, assesses the node attribute state parameters according to the node information list to obtain a node level evaluation value, and assesses the node security level according to the node application level and the corresponding node level evaluation value. In a preferred embodiment, the basis of the assessment by the security level assessment unit 131 is the node application level and the node information. The security level setting unit 132 writes the node security level into the node information list and sends it to the gateway 03.
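As an added illustration that is not code from the patent, the following Python models the service registration, security level assessment and connection factor steps described above for modules 031, 131 and 032. The application levels, attribute names, scoring rule and connection factor values are assumptions, since the specification gives no concrete formula.

```python
from dataclasses import dataclass

# Constructed sample configuration: application levels, attribute names and the
# grade/factor rules below are assumptions for illustration, not patent values.
APP_LEVEL = {"app-meter": 1, "app-door-lock": 3}   # higher = more sensitive application


@dataclass
class NodeInfo:
    node_id: str
    app_id: str
    attrs: dict   # node attribute state parameters: name -> state is acceptable


def register_service(app_id, attrs, registry):
    """Node management module 031: after device registration, decide from the
    application ID whether the node may join; if so, assign a node ID."""
    if app_id not in APP_LEVEL:            # unknown application: no permission to join
        return None
    node_id = f"node-{len(registry) + 1:04d}"
    registry[node_id] = NodeInfo(node_id, app_id, dict(attrs))
    return node_id                          # returned in the registration confirmation


def evaluate_node_level(attrs):
    """Security level assessment unit 131: node level evaluation value from the
    attribute state parameters (hypothetical rule: count of healthy attributes, 0..3)."""
    return min(3, sum(1 for ok in attrs.values() if ok))


def assess_security_grade(app_level, node_level):
    """'application level - node information' hierarchy (hypothetical rule): the
    application level sets the base grade, a weaker node raises it; grades run 1..5."""
    return max(1, min(5, app_level + (3 - node_level)))


def connection_factor(grade):
    """Secure access module 032: map a node security grade to a secure connection
    factor; higher grades get stricter, costlier parameters (hypothetical values)."""
    return {
        "grade": grade,
        "mutual_auth": grade >= 3,
        "reauth_seconds": 3600 // grade,
        "max_sessions": 6 - grade,
    }


def admit_node(node_id, registry):
    """Flow for a registered node: assess its grade, then configure its factor.
    Calling it again after the node's attributes change models a reassessment."""
    info = registry[node_id]
    grade = assess_security_grade(APP_LEVEL[info.app_id], evaluate_node_level(info.attrs))
    return connection_factor(grade)
```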
Through the method by which the security level management module of the security level management platform assesses the node security level, the gateway secure access system of the present invention effectively achieves the beneficial effects of adaptive gateway secure access, saving system resources, improving system operating efficiency, and achieving the maximum balance between system resources and information security.
By triggering an update of the node security level or updating the node security level periodically, and by adopting the hierarchical "application level - node information" method to assess the node security level, the gateway secure access system of the present invention effectively achieves that, while different security levels are set for different devices and different applications, the gateway can always access securely and adaptively, with the beneficial effects of saving system resources, improving system operating efficiency, and achieving the maximum balance between system resources and information security.
The above are only preferred embodiments of the present invention and do not therefore limit its claims; every equivalent structural or equivalent process transformation made using the contents of the specification and drawings of the present invention, whether used directly or indirectly in other related technical fields, is likewise included within the scope of patent protection of the present invention.