International Core Journal of Engineering 2020-26 | Page 180

as SEEDKEY during a session.

Step 3: The node generates a corresponding response through the incentive sent by the coordinator, and uses the response as an encryption key to encrypt the random number Rand.

Fig. 1. Perceptual layer security mechanism design. Messages exchanged between Node A and Coordinator B:

ID_B, ID_A, Challenge
ID_A, ID_B, Enc_SEEDKEY(Rand)
ID_B, ID_A, Enc_SEEDKEY(Rand' + 1)
ID_A, ID_B, Enc_SEEDKEY(Nonce_A), Hash(ID_A, ID_B, Enc_msg)
ID_B, ID_A, Enc_SEEDKEY(Nonce_B), Hash(ID_B, ID_A, Enc_msg)
ID_A, ID_B, Enc_sk(Hello)
ID_A, ID_B, Enc_sk(Data), Hash(ID_A, ID_B, Enc_msg)

Step 4: The coordinator uses the response extracted in step 2 to decrypt the message to obtain Rand', then encrypts Rand'+1 and sends it to the node. After receiving the message, the node compares Rand' to Rand. If the two are equal, then the identity authentication process of both parties is completed.

Step 5: After phase 1 is completed, the node sends an encrypted Nonce value to the coordinator for session key negotiation, and computes a digest of the message body.

Step 6: The coordinator sends another encrypted Nonce value to the node, and generates a session key sk through a key generation algorithm.

Step 7: The node obtains the session key through the same key generation algorithm, encrypts the hello message using the session key, and sends it to the coordinator.

Step 8: The node and the coordinator use the negotiated session key for confidential transmission, and at the same time, the message is integrity protected.

B. Network Layer Security Mechanism Design

Modern encryption technology relies on a secret known to the recipient of the message. In the process of identity authentication, there are many authentication methods based on user name + password, pre-shared key, one-time password, and digital certificate. The identity authentication of the VPN device generally adopts a pre-shared key or digital certificate. Compared with the pre-shared key, the digital certificate is issued by a trusted third party (CA, Certificate Authority), and its reliability and authenticity are backed by the CA's credit, which makes it a more reliable method of identity authentication. The IPsec VPN technical specification stipulates that an X.509 format signature certificate and encryption certificate are required. The signature certificate is mainly used to sign the user information to ensure the non-repudiation of the information. The encryption certificate is used to encrypt the transmitted information to ensure the confidentiality and integrity of the information. This paper follows the ASN.1 encoding rules and, based on the X.509v3 standard, designs a digital certificate based on SM2-with-SM3.

There are two ways to generate digital certificates based on SM2-with-SM3. One is to generate them from the command line using OpenSSL forks that support the national cryptographic algorithms, such as TaSSL of Jiangnan Tianan and GmSSL of Peking University. The other is to design an independent digital certificate generation tool based on the X.509 certificate structure and the ASN.1 encoding rules, using the national cryptographic algorithm series. This paper uses the second method to generate a digital certificate based on SM2-with-SM3. Specific steps are as follows:

Step 1: Combine external input information (such as issuer, validity period, subject) with system information (such as serial number, subject public key information, algorithm identification) to generate the certificate body. The serial number of the subject public key information and the identification certificate are unique.

Step 2: Use the SM3 algorithm to hash the certificate body and obtain the digest value.

Step 3: Using the private key of the CA, the digest value is signed by the SM2 algorithm to obtain the signature value of the certificate subject.

Step 4: Add an algorithm identifier after the certificate body, and divide the digest value into two parts according to the ASN.1 encoding rule, and add it to the algorithm identifier.

IV. GATEWAY ARCHITECTURE DESIGN

A. System Architecture

The IoT gateway adopts an open system architecture and modular design to uniformly detect, filter and reorganize data streams. It has strong encryption, high reliability and high stability. The overall architecture of the gateway is shown in the figure. The system is divided into four levels: driver layer, system layer, protocol layer and application layer. The driver layer includes a network card driver, a 4G module driver, a USB driver, a serial port driver, etc. An encryption driver based on libusb is also designed for communication with the encryption chip. The system layer uses OpenWrt as the running system. OpenWrt is an embedded Linux distribution with powerful network components and good scalability. It is suitable for an IoT gateway system. The protocol layer includes protocol stacks for a variety of heterogeneous networks, facilitating the analysis and distribution of protocol data. At the application layer, a hybrid encryption authentication mechanism is designed to implement secure communication between the sensor network and the Internet. The specific functions are divided into the following categories:

1. System management functions, including sub-functions such as device initialization, user login, permission control, firmware upgrade, and factory reset;

2. The terminal management function mainly implements functions such as collecting and forwarding information collected by the terminal node, and remotely controlling the terminal device;
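The perception-layer exchange of Steps 3 to 8 (Fig. 1), run end to end with both sides' messages, as an added Python example that is not code from the paper. Assumptions, none of which the page specifies: an HMAC over a constructed device secret models how the node answers the challenge (the paper's "incentive"), a SHAKE-256 keystream stands in for the cipher, SHA-256 stands in for Hash, and the key generation algorithm is taken to be SHA-256 over SEEDKEY, Nonce_A and Nonce_B.

```python
import hashlib, hmac, secrets
DEVICE_SECRET = b"constructed-device-secret"  # constructed sample value

def response(secret, challenge):  # assumption: HMAC models the node's response
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def enc(key, pt):  # stand-in cipher (assumption): fresh IV + SHAKE-256 keystream
    iv = secrets.token_bytes(16)
    ks = hashlib.shake_256(key + iv).digest(len(pt))
    return iv + bytes(a ^ b for a, b in zip(pt, ks))

def dec(key, blob):
    ks = hashlib.shake_256(key + blob[:16]).digest(len(blob) - 16)
    return bytes(a ^ b for a, b in zip(blob[16:], ks))

def tag(src, dst, msg):  # Hash(ID_src, ID_dst, Enc_msg); SHA-256 as stand-in
    return hashlib.sha256(b"|".join([src, dst, msg])).digest()

def send(key, src, dst, pt):
    msg = enc(key, pt)
    return msg, tag(src, dst, msg)

def recv(key, src, dst, msg, h):
    if not hmac.compare_digest(h, tag(src, dst, msg)):
        raise ValueError("integrity check failed")
    return dec(key, msg)

def kdf(seed, na, nb):  # assumed key generation algorithm
    return hashlib.sha256(seed + na + nb).digest()

def handshake(coord_secret=DEVICE_SECRET):
    ida, idb = b"A", b"B"
    challenge = secrets.token_bytes(16)            # B -> A: Challenge
    seed_a = response(DEVICE_SECRET, challenge)    # Step 3: response is SEEDKEY
    rand = secrets.randbits(64)
    m3 = enc(seed_a, rand.to_bytes(8, "big"))      # A -> B: Enc_SEEDKEY(Rand)
    seed_b = response(coord_secret, challenge)     # Step 4: coordinator's copy
    rand_p = int.from_bytes(dec(seed_b, m3), "big")
    m4 = enc(seed_b, ((rand_p + 1) % 2**64).to_bytes(8, "big"))
    if int.from_bytes(dec(seed_a, m4), "big") != (rand + 1) % 2**64:
        return None                                # node rejects the coordinator
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    m5, h5 = send(seed_a, ida, idb, nonce_a)       # Step 5
    m6, h6 = send(seed_b, idb, ida, nonce_b)       # Step 6
    sk_b = kdf(seed_b, recv(seed_b, ida, idb, m5, h5), nonce_b)
    sk_a = kdf(seed_a, nonce_a, recv(seed_a, idb, ida, m6, h6))
    hello = dec(sk_b, enc(sk_a, b"Hello"))         # Step 7
    m8, h8 = send(sk_a, ida, idb, b"temp=21.5")    # Step 8 (constructed payload)
    return hello, recv(sk_b, ida, idb, m8, h8)
```

Hash(ID_A, ID_B, Enc_msg) is unkeyed, so it detects corruption in transit but can be recomputed by anyone able to alter Enc_msg; computing it as an HMAC under sk would tie the digest to the session key.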
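Step 4 of the certificate procedure in Section B, as an added Python example that is not the paper's tool: it DER-encodes the certificate body, the SM2-with-SM3 algorithm identifier and the signature value, then recovers the exact bytes a verifier has to hash. It reads the "two parts" of Step 4 as the r and s integers of the SM2 signature (an assumption), and `sign` is a hypothetical caller-supplied function standing for the SM3 digest and SM2 signature of Steps 2 and 3.

```python
SM2_WITH_SM3 = "1.2.156.10197.1.501"  # OID for SM2 signatures over an SM3 digest

def tlv(tag, content):
    """DER tag-length-value with short or long form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def der_int(v):
    # Non-negative INTEGER; the extra byte keeps the sign bit clear.
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def assemble_certificate(tbs_der, sign):
    """Step 4: certificate body + algorithm identifier + signature (r, s)."""
    r, s = sign(tbs_der)  # Steps 2-3: hypothetical CA signer over the body bytes
    alg = tlv(0x30, der_oid(SM2_WITH_SM3))  # parameters field omitted (assumption)
    sig = tlv(0x30, der_int(r) + der_int(s))
    return tlv(0x30, tbs_der + alg + tlv(0x03, b"\x00" + sig))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def signed_body(cert_der):
    """Bytes a verifier must hash: the body exactly as encoded, header included."""
    _, inner, end = read_tlv(cert_der)
    if end != len(cert_der):
        raise ValueError("trailing data after certificate")
    _, _, body_end = read_tlv(inner)
    return inner[:body_end]
```

The signature covers the body's encoded bytes, so a verifier hashes `signed_body(cert)` as received rather than re-encoding the parsed fields.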