Data transmission method, device, and system
11652910 · 2023-05-16
CPC classification
H04L63/0428 (ELECTRICITY)
H04L63/0485 (ELECTRICITY)
H04W4/70 (ELECTRICITY)
Abstract
A data transmission method, device, and system are provided. The method includes: receiving a first data packet sent by an external network device; verifying an authentication header (AH) packet header of the first data packet by using a first security association (SA); and sending the first data packet to an internet of things (IoT) device if the verification succeeds. According to the embodiments of this application, storage overheads and computational overheads of the IoT device in internet of things can be reduced, to implement end-to-end secure communication between the IoT device and the external network device, and improve security of a communications system.
Claims
1. A data transmission method comprising: receiving, by a data transmission device, a data packet sent by an external network device; verifying, by the data transmission device, an authentication header (AH) packet header of the data packet by using a first security association (SA); sending, by the data transmission device, the data packet to an internet of things (IoT) device in response to the verification being successful; and separately sending, by the data transmission device, a second SA to the IoT device after sending the data packet, wherein the second SA is used by the IoT device for decrypting the data packet.
2. The method according to claim 1, wherein sending the data packet to the IoT device comprises: removing, by the data transmission device, the AH packet header of the data packet; and sending to the IoT device, by the data transmission device, the data packet from which the AH packet header is removed.
3. The method according to claim 1, wherein the second SA is used by the IoT device to parse the data packet.
4. The method according to claim 3, wherein the second SA is encrypted, by the data transmission device, using a local key of the IoT device.
5. The method according to claim 1, further comprising: receiving, by the data transmission device, the first SA and the second SA sent by the IoT device, wherein the first SA and the second SA are determined by the IoT device through negotiation with the external network device; and storing, by the data transmission device, the first SA and the second SA.
6. A data transmission method, applied to a data transmission device, the method comprising: receiving, by a data transmission device, a data packet sent by an Internet of things (IoT) device; encapsulating, by the data transmission device, an authentication header (AH) packet header of the data packet by using a first security association (SA); sending, by the data transmission device, an encapsulated data packet to an external network device; and separately sending, by the data transmission device, a second SA to the IoT device after sending the data packet, wherein the second SA is used by the IoT device for decrypting the data packet.
7. The method according to claim 6, wherein the data packet is sent by the IoT device after being encapsulated by using the second SA.
8. The method according to claim 6, further comprising: receiving, by the data transmission device, a second SA obtaining request sent by the IoT device.
9. The method according to claim 7, wherein the second SA is encrypted by using a local key of the IoT device.
10. The method according to claim 6, further comprising: receiving, by the data transmission device, the first SA and the second SA sent by the IoT device, wherein the first SA and the second SA are determined by the IoT device through negotiation with an external network device; and storing, by the data transmission device, the first SA and the second SA.
11. A data transmission device comprising: a receiver configured to cooperate with a processor to receive a data packet sent by an external network device; the processor configured to verify an authentication header (AH) packet header of the data packet by using a first security association (SA); a transmitter configured to cooperate with the processor to send the data packet to an internet of things (IoT) device in response to the verification being successful; and separately send a second SA to the IoT device after sending the data packet, wherein the second SA is used by the IoT device for decrypting the data packet.
12. The data transmission device according to claim 11, wherein the processor is further configured to remove the AH packet header of the data packet; and the transmitter is further configured to cooperate with the processor to send, to the IoT device, the data packet from which the AH packet header is removed.
13. The data transmission device according to claim 11, wherein the second SA is configured for use by the IoT device to parse the data packet.
14. The data transmission device according to claim 13, wherein the second SA is encrypted by using a local key of the IoT device.
15. The data transmission device according to claim 11, wherein the device further comprises: a memory coupled to the processor; the receiver is further configured to cooperate with the processor to receive the first SA and the second SA sent by the IoT device; and the memory is configured to store the first SA and the second SA.
16. The data transmission device according to claim 11, wherein the data transmission device is a gateway device between an external network and an IoT network, or the data transmission device is an agent node in the IoT network, and the agent node is configured to exchange data between the gateway device and the IoT device.
17. A data transmission device comprising: a receiver configured to cooperate with a processor to receive a data packet sent by an internet of things (IoT) device; the processor configured to encapsulate an authentication header (AH) packet header of the data packet by using a first security association (SA); and a transmitter configured to: send an encapsulated data packet to an external network device; and separately send, by the data transmission device, a second SA to the IoT device after sending the data packet, wherein the second SA is used by the IoT device for decrypting the data packet.
18. The data transmission device according to claim 17, wherein the data packet is sent by the IoT device after being encapsulated by using a second SA.
19. The data transmission device according to claim 17, wherein the receiver is further configured to receive a second SA obtaining request sent by the IoT device.
20. The data transmission device according to claim 18, wherein the second SA is encrypted by using a local key of the IoT device.
Description
BRIEF DESCRIPTION OF DRAWINGS
DESCRIPTION OF EMBODIMENTS
(31) Some terms used in implementations of this application are merely used to explain specific embodiments of this application, but are not intended to limit this application.
(32) In this application, “at least one” means one or more, and “a plurality of” means two or more. The term “and/or” describes an association relationship between associated objects and may indicate three relationships. For example, A and/or B may indicate the following cases: Only A exists, both A and B exist, and only B exists, where A and B may be singular or plural. The character “/” generally indicates an “or” relationship between the associated objects. “At least one of the following items (pieces)” or a similar expression means any combination of the items, including any combination of singular items (pieces) or plural items (pieces). For example, at least one (piece) of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, and c may be singular or plural.
(33) The embodiments of this application may be applied to various types of IoT network scenarios.
(34) Because the various IoT network scenarios use different transmission protocols, they also use different security protocols for data transmission. Among end-to-end security protocols, the IPsec protocol attracts much attention.
(35) The IPsec protocol is a complex protocol suite, including the Internet Key Exchange (IKE) protocol for key agreement, the authentication header (AH) protocol, which ensures data integrity and origin authentication, the encapsulating security payload (ESP) protocol, which ensures data integrity and confidentiality, and the like. When end-to-end secure transmission is implemented by using the IPsec protocol, a security association (SA) may be established either through negotiation by using the IKE protocol or through manual configuration. Different SAs are obtained for the different protocols.
(36) Specifically, the following two cases may be included. A unique SA is identified by the AH protocol, the peer address of a data packet, and a security parameter index (SPI). In the embodiments of this application this SA is referred to as the first SA for short, and it is used to verify (or, on the sending side, generate) an AH packet header. Likewise, a unique SA is identified by the ESP protocol, the peer address of a data packet, and an SPI. This SA is referred to as the second SA for short, and it is used to encrypt and encapsulate, or to parse, a packet. Regardless of the protocol, the SA contains the keys, algorithms, and other parameters required in the secure transmission process. SAs are managed through a security policy database (SPD) and a security association database (SAD): the SPD stores the IPsec communication rules (which traffic is to be protected and how), and the SAD stores the parameters of each SA used by those rules.
(37) It should be understood that, although terms such as “first”, “second”, and “third” may be used in the embodiments of this application to describe the SA, the SA should not be limited to these terms. The terms are merely used to distinguish the SA from one another. For example, without departing from the scope of the embodiments of this application, the first SA may also be referred to as a second SA. Likewise, the second SA may also be referred to as a first SA.
(38) When the end-to-end secure transmission is implemented by using the IPsec protocol, the first SA and/or the second SA may be used. In this case, refer to
(39) As shown in
(40) As shown in
(41) It can be learned from the solutions in
(42) However, an IoT network contains power consumption-sensitive devices, for example, smart home devices or smart sensors. These devices have limited computational and storage capability and cannot meet the storage and computing requirements of the IPsec protocol. In other words, the existing end-to-end secure transmission method cannot meet the requirement of a power consumption-sensitive device for data transmission with both low power consumption and high security.
(43) The data transmission method provided in this application aims to resolve the foregoing technical problem in the prior art, based on the following idea: with the assistance of a third-party device, the storage overheads of the IPsec protocol are moved off the IoT device, and part of the computational overheads of processing data by using an SA are moved off it as well, so that the storage and computational overheads of the IoT device are reduced while end-to-end secure transmission is still implemented by using the IPsec protocol.
(44) Based on the inventive concept, the following specifically describes a data transmission system constructed in the embodiments of this application with reference to the accompanying drawings.
(46) In the end-to-end communication scenario, the IoT device may be a communications device in any IoT network shown in
(47) It should be noted that the IoT device in this embodiment of this application includes, but is not limited to, a terminal device in the IoT network that has comparatively weak computational and storage capability. A terminal device in the IoT network with normal or comparatively high computational and storage capability is also applicable to this solution.
(48) The external network device is a communications device in another network other than the IoT network, and is an external network relative to the IoT network to which the IoT device belongs. In a possible design, the external network may be another IoT network different from the IoT network to which the IoT device belongs. The IoT network scenario shown in
(49) As shown in
(50) In addition, in the data transmission system shown in
(51) In addition, in the data transmission system shown in
(52) Refer to a schematic architectural diagram of another data transmission system shown in
(53) In addition, in the design shown in
(54) In a possible design, one compute node (and/or one storage node) may correspond to one independent IoT device. In other words, any IoT device has the independent compute node (and/or one storage node). The IoT device, and the compute node (or the IoT device, the compute node, and the storage node) are in a one-to-one correspondence. In this case, the compute node processes only data interaction between the IoT device and an external network device. The storage node may store only a small quantity of SAs related to the IoT device, to obtain a lightweight design solution. Specifically, considering that there may be a unique pair of SAs between the IoT device and any external network device, a first SA, a second SA, and an identifier of the external network device may be correspondingly stored in the storage node.
(55) Alternatively, in another possible design, one compute node (and/or one storage node) may correspond to a plurality of IoT devices. In other words, the compute node (and/or the storage node) performs security processing for the plurality of IoT devices, and the storage node stores the SAs between those IoT devices and other transceiver nodes. For example, in some possible implementation scenarios, one compute node and one storage node may be established for all IoT devices in an entire IoT network. Whenever an IoT device in the IoT network exchanges data with an external network device, security processing by the compute node is required, and an SA is requested from the storage node. In this scenario, to ensure end-to-end secure communication, there may be a unique pair of SAs between any IoT device and any external network device. In this case, a first SA, a second SA, an identifier of the IoT device, and an identifier of the external network device are stored in correspondence in the storage node.
(56) An identifier of a device is used to represent an identity of the device, and may specifically include but is not limited to an internet protocol (IP) address of the device.
(57) In addition, as described above, there may be the unique pair of SAs between any pair of IoT devices and the external network device. A manner of determining the first SA and the second SA is not specially limited in this embodiment of this application. Specifically, the pair of SAs may be manually configured by a user as required, or may be determined by the IoT device and a network device through negotiation.
(58) In consideration of a design in which a third-party storage node is used to bear storage overheads of the IoT device in this application, when the solution is specifically implemented, a first SA and a second SA may be further stored in a manner shown in
(59) S602: An IoT device negotiates with an external network device to determine the first SA and the second SA.
(60) As described above, the first SA is obtained by using the AH protocol, the peer address, and the SPI. The second SA is obtained by using the encapsulating security payload ESP protocol, the peer address, and the SPI. Details are not described again.
(61) S604: The IoT device sends the first SA and the second SA to a data transmission device.
(62) S606: The data transmission device receives the first SA and the second SA that are sent by the IoT device.
(63) S608: The data transmission device stores the first SA and the second SA.
(64) Specifically, the first SA and the second SA may be stored in a local storage location or a third-party storage location of the data transmission device.
(65) In addition, it should be noted that, an implementation shown in
(66) Further, to improve security of end-to-end data transmission, in an SA negotiation process shown in
(67) As shown in
(68) Specifically, an existing device between the IoT device and the external network device may be used to implement the function of the data transmission device. In a possible design, the data transmission device is a gateway device between the external network and the IoT network. This implementation makes only a small change to the existing data transmission system: the solution can be implemented solely through software maintenance and upgrade of the gateway device and the IoT device, with essentially no additional hardware. Implementation costs are therefore comparatively low and flexibility comparatively high, so the solution has a promising prospect for extended application.
(69) Alternatively, a node may be created between the IoT device and the external network device as a data transmission device. In a possible design, the data transmission device is an agent node in the IoT network, and the agent node is configured to exchange data between the gateway device and the IoT device.
(70) In this case,
(71) Based on any one of the foregoing architectures of the data transmission systems, the following specifically describes a data transmission solution provided in the embodiments of this application.
(72) For ease of understanding, the following specifically describes two aspects: a scenario in which the IoT device receives data by using the data transmission device (for ease of description, the scenario is referred to as an inbound scenario for short below) and a scenario in which the IoT device sends data to the external network device by using the data transmission device (for ease of description, the scenario is referred to as an outbound scenario for short below).
(73) A first aspect: the inbound scenario
(74) This is the scenario in which the external network device sends a first data packet to the IoT device by using the data transmission device. In this scenario, the data transmission device forwards the data and performs a part of the security processing. Specifically, end-to-end secure transmission is implemented by using IPsec, and in a specific implementation scenario the transmission between the external network device and the data transmission device also uses IPsec. Depending on how the external network device has applied IPsec to the first data packet, the data transmission device may use different security processing manners to bear the computational overheads of the IoT device. Specifically, after receiving the first data packet and before performing the security processing, the data transmission device reads the packet header of the first data packet to obtain the next-hop protocol (the protocol, or next header, field) indicated by that header, and then performs the security processing by using the SA corresponding to that protocol.
(75) In the inbound scenario, the security processing manners used by the data transmission device may include performing packet header verification on the first data packet by using a first SA, and/or sending a second SA to the IoT device, so that the IoT device parses the first data packet by using the second SA.
(76) Specifically, because in the inbound scenario the second SA is mainly used by the IoT device itself to parse the first data packet as part of the end-to-end secure transmission, an embodiment of this application proposes to transfer, to the data transmission device, the computational overhead of verifying the AH packet header of the first data packet.
(77) In this case, refer to
(78) S802: An external network device sends a first data packet to a data transmission device.
(79) S804: The data transmission device receives the first data packet sent by the external network device.
(80) In this case, a next-hop protocol indicated by a packet header of the first data packet is an AH protocol. In this case, the first data packet received by the data transmission device is sent after the external network device encapsulates an AH packet header. For an encapsulation process of the AH header, refer to
(81) S806: The data transmission device verifies the AH packet header of the first data packet by using a first SA.
(82) The concept of the first SA is described above. The objective of AH verification is to check that the first data packet is intact (has not been modified in transit) and that it genuinely originates from the claimed sending source.
(83) Specifically, the AH packet header may be verified as follows: The data transmission device recomputes the integrity check value (ICV) of the first data packet by using the integrity key and algorithm in the first SA, over the packet with the mutable IP header fields and the ICV field itself zeroed, and compares the result with the ICV carried in the AH packet header. If the two match, the verification succeeds: the first data packet has not been tampered with in transit, and it was sent by the transmit end that holds the first SA. Note that AH provides integrity and origin authentication only; nothing is decrypted at this step, and the comparison should be performed in constant time. The sequence number in the AH packet header should also be checked against the anti-replay state of the first SA, so that a replayed packet is rejected even though its ICV is valid.
(84) S808: The data transmission device sends the first data packet to an internet of things (IoT) device if the verification succeeds.
(85) Otherwise, if the verification fails, the data transmission device may directly discard the first data packet, and may additionally send a verification failure notification to the external network device.
(86) S810: The IoT device receives the first data packet.
(87) In addition, in the implementation procedure shown in
(88) S805: The data transmission device obtains a first SA.
(89) Specifically, as described above, the first SA, the second SA, and the device identifiers of the transmit end and the receive end are stored in correspondence. A unique SA, or a pair of SAs, is therefore determined from the address of the receive end of the first data packet (the address of the IoT device), the protocol information (AH or ESP), and the security parameter index (SPI) of the packet. The protocol information is carried in the protocol (next header) field of the IP packet header and indicates which SA to obtain: the first SA, the second SA, or both. The SPI is carried in the AH packet header or the ESP packet header.
(90) In addition, the first SA and the second SA are stored in a corresponding manner. Therefore, when the step is performed, in addition to obtaining one of the SAs, the data transmission device may obtain both the first SA and the second SA, to meet a use requirement in a subsequent security processing process. This helps further simplify steps, and avoids a case that the obtaining step is performed repeatedly when both the AH protocol and the ESP protocol are used for security processing.
(91) However, based on different system architectures, manners in which the data transmission device obtains the first SA are different. In the system architecture shown in
(92) In addition, in any implementation shown in
(93) In addition, in consideration of any implementation shown in
(94) In a possible design, refer to
(95) S802: An external network device sends a first data packet to a data transmission device.
(96) S804: The data transmission device receives the first data packet sent by the external network device.
(97) S805: The data transmission device obtains a first SA and a second SA.
(98) In the step, because security processing is separately performed by using an AH protocol and an ESP protocol, the first SA and the second SA may be directly obtained herein.
(99) S806: The data transmission device verifies an AH packet header of the first data packet by using the first SA.
(100) S8082: The data transmission device removes the AH packet header of the first data packet if the verification succeeds.
(101) S8084: The data transmission device sends, to an internet of things (IoT) device, the first data packet from which the AH packet header has been removed.
(102) S809: The data transmission device sends the second SA to the IoT device.
(103) S810: The IoT device receives the first data packet and the second SA.
(104) S812: The IoT device parses the first data packet by using the second SA.
(105) The implementation procedure shown in
(106) Specifically, in addition to the manner shown in
(107) In addition, in the implementation in which the data transmission device independently sends the first data packet and the second SA, the second SA and the first data packet may be simultaneously sent, or the second SA may be sent before or after the first data packet. This is not specifically limited in this application.
(108) In addition, the data transmission device may proactively send the second SA to the IoT device. As shown in
(109) In addition, in the inbound scenario in which the security processing is mainly performed by using the AH protocol, in the system shown in
(110) In addition, as described above, in a possible design, to ensure end-to-end secure transmission between the IoT device and the external network device, the second SA is encrypted by using a local key of the IoT device. The second SA received by the IoT device in step S810 is therefore encrypted, and before the parsing in step S812 the IoT device first decrypts the second SA by using the local key; only if that decryption succeeds does it parse the first data packet by using the decrypted second SA. Because the local key never leaves the IoT device, no other device, including the data transmission device that stores and forwards the second SA, can parse the first data packet: the data transmission device holds the ESP key material only in its encrypted form. This ensures the end-to-end secure transmission.
(111) In the inbound scenario, in a possible design other than the foregoing implementation, the data transmission device may further independently send the second SA to the IoT device. In this case, refer to
(112) S1102: An external network device sends a first data packet to a data transmission device.
(113) S1104: The data transmission device receives the first data packet sent by the external network device.
(114) In this case, a next-hop protocol indicated by a packet header of the first data packet is an ESP protocol. In this case, the first data packet received by the data transmission device is sent after the external network device encapsulates the first data packet by using the second SA. For a process of encapsulating the data packet by using the second SA, refer to
(115) S1106: The data transmission device sends the first data packet and the second SA to an internet of things IoT device, so that the IoT device parses the first data packet by using the second SA.
(116) A concept of the second SA is described above, and details are not described again.
(117) A specific sending manner in the step may have a plurality of variations. For details, refer to the foregoing manner of sending the second SA and the first data packet in
(118) S1108: The IoT device receives the first data packet and the second SA.
(119) S1110: The IoT device parses the first data packet by using the second SA.
(120) In the method shown in
(121) However, in the inbound scenario, AH packet header verification may further be performed on the first data packet. Therefore, in a possible design, the first data packet is sent by the data transmission device after the AH packet header verification using the first SA succeeds. For an implementation, refer to
(122) In another possible design, the first data packet is sent after the AH packet header is successfully verified by using the first SA and the AH packet header is removed. For an implementation, refer to
(123) Correspondingly, for an implementation in which the IoT device parses the first data packet by using the second SA after receiving the first data packet and the second SA, refer to the parsing manner in
(124) The second aspect: the outbound scenario
(125) This is the scenario in which the IoT device sends a second data packet to the external network device by using the data transmission device. In the scenario, the data transmission device forwards the data, and performs a part of security processing. Specifically, in this application, end-to-end secure transmission is implemented by using IPsec. In a specific implementation scenario, a data transmission manner between the external network device and the data transmission device is also implemented by using the IPsec. A parsing manner after the external network device receives the second data packet is not specially limited in this embodiment of this application.
(126) In the outbound scenario, the security processing manners used by the data transmission device may include encapsulating an AH packet header of the second data packet by using a first SA, and/or sending a second SA to an IoT device, so that the IoT device encapsulates the second data packet by using the second SA.
(127) As described above, because in the outbound scenario the second SA is mainly used by the IoT device itself to encapsulate the second data packet as part of the end-to-end secure transmission, an embodiment of this application proposes to transfer, to the data transmission device, the computational overhead of encapsulating the AH packet header of the second data packet.
(128) In this case, refer to
(129) S1202: An IoT device sends a second data packet to the data transmission device.
(130) S1204: The data transmission device receives the second data packet sent by the IoT device.
(131) S1206: The data transmission device encapsulates an authentication header AH packet header of the second data packet by using the first SA.
(132) As described above, the first SA is obtained by using the AH protocol, the peer address, and the SPI. The data transmission device encapsulates the AH packet header of the second data packet, so that an external network device can verify, based on the AH packet header, whether an identity of the IoT device is authentic.
(133) S1208: The data transmission device sends an encapsulated second data packet to the external network device.
(134) In an implementation process shown in
(135) In addition, in a possible design, the second data packet received by the data transmission device is sent by the IoT device after being encapsulated by using a second SA. In the implementation scenario, the IoT device may not buffer the second SA. Therefore, in this implementation, the data transmission device further sends the second SA to the IoT device. An embodiment of this application provides a schematic flowchart of the implementation. Refer to
(136) S12012: An IoT device sends a second SA obtaining request to a data transmission device.
(137) S12014: The data transmission device sends a second SA to the IoT device.
(138) S12022: The IoT device encapsulates a second data packet by using the second SA.
(139) For an encapsulation process, refer to related descriptions in
(140) S12024: The IoT device sends the second data packet to the data transmission device.
(141) S1204: The data transmission device receives the second data packet sent by the IoT device.
(142) S1206: The data transmission device encapsulates an authentication header AH packet header of the second data packet by using a first SA.
(143) S1208: The data transmission device sends an encapsulated second data packet to an external network device.
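The AH processing the data transmission device performs in both directions, as an added example that is not code from the patent: the inbound path S805-S8084 (look up the first SA by SPI, peer address and protocol, verify the AH packet header, remove it and forward) and the outbound step S1206 (encapsulate an AH packet header with the first SA). Everything in it is assumed rather than taken from the patent: IPv4 transport mode, HMAC-SHA-256-128 as the integrity algorithm, a dictionary standing in for the SAD, and a strictly increasing sequence-number check in place of a full RFC 4302 anti-replay window; the key, addresses and payload are constructed sample data.

```python
"""AH processing at the data transmission device (added example; not code from the patent).

Assumptions: IPv4 transport mode, HMAC-SHA-256-128 integrity, a dict as the SAD, and a
strictly increasing sequence check instead of a full anti-replay window.
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO, ESP_PROTO = 51, 50   # IPv4 protocol numbers for AH and ESP
ICV_LEN = 16                   # HMAC-SHA-256-128: tag truncated to 128 bits
AH_FIXED = 12                  # next header, payload len, reserved, SPI, sequence
IP_LEN = 20                    # IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(payload), 0x1234,
                                0, ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def ah_icv(key: bytes, packet: bytes) -> bytes:
    """ICV over the packet with mutable IPv4 fields and the ICV field zeroed (RFC 4302 3.3.3.1)."""
    p = bytearray(packet)
    p[1] = 0                                   # TOS / DSCP+ECN
    p[6:8] = b"\x00\x00"                       # flags + fragment offset
    p[8] = 0                                   # TTL
    p[10:12] = b"\x00\x00"                     # header checksum
    p[IP_LEN + AH_FIXED:IP_LEN + AH_FIXED + ICV_LEN] = bytes(ICV_LEN)
    return hmac.new(key, bytes(p), hashlib.sha256).digest()[:ICV_LEN]


def ah_encapsulate(sa: dict, src: str, dst: str, inner_proto: int, payload: bytes) -> bytes:
    """Outbound step S1206: insert the AH packet header using the first SA and fill in the ICV."""
    sa["seq"] += 1
    words_minus_2 = (AH_FIXED + ICV_LEN) // 4 - 2    # RFC 4302 payload length encoding
    ah = struct.pack("!BBHII", inner_proto, words_minus_2, 0, sa["spi"], sa["seq"]) + bytes(ICV_LEN)
    pkt = build_ipv4(src, dst, AH_PROTO, ah + payload)
    icv = ah_icv(sa["key"], pkt)
    return pkt[:IP_LEN + AH_FIXED] + icv + pkt[IP_LEN + AH_FIXED + ICV_LEN:]


def ah_verify_and_strip(sad: dict, packet: bytes):
    """Inbound steps S805-S8084. Returns the packet with AH removed, or None on failure."""
    if len(packet) < IP_LEN + AH_FIXED + ICV_LEN or packet[0] != 0x45 or packet[9] != AH_PROTO:
        return None                                # not a transport-mode AH packet
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    next_hdr, length, _, spi, seq = struct.unpack("!BBHII", packet[IP_LEN:IP_LEN + AH_FIXED])
    sa = sad.get((spi, dst, "AH"))                 # S805: first SA by SPI, peer address, protocol
    ah_total = (length + 2) * 4
    if sa is None or ah_total != AH_FIXED + ICV_LEN:
        return None                                # unknown SA or unexpected ICV size
    if not hmac.compare_digest(ah_icv(sa["key"], packet), packet[IP_LEN + AH_FIXED:IP_LEN + ah_total]):
        return None                                # S806 fails: tampered, or wrong key
    if seq <= sa["last_seq"]:
        return None                                # replayed packet with a valid ICV
    sa["last_seq"] = seq
    return build_ipv4(src, dst, next_hdr, packet[IP_LEN + ah_total:], ttl=packet[8])   # S8082/S8084


def demo():
    """One constructed exchange: a valid packet, a tampered copy, and a replay of the original."""
    key = bytes(range(32))                         # constructed sample key shared by the two ends
    sad = {(0x1001, "10.0.0.7", "AH"): {"spi": 0x1001, "key": key, "seq": 0, "last_seq": 0}}
    ext_sa = {"spi": 0x1001, "key": key, "seq": 0}
    esp_bytes = b"\x00\x00\x20\x01\x00\x00\x00\x01constructed-esp-bytes"   # stands in for ESP
    wire = ah_encapsulate(ext_sa, "198.51.100.9", "10.0.0.7", ESP_PROTO, esp_bytes)
    good = ah_verify_and_strip(sad, wire)
    tampered = ah_verify_and_strip(sad, wire[:-1] + bytes([wire[-1] ^ 0x01]))
    replayed = ah_verify_and_strip(sad, wire)
    return good, tampered, replayed


if __name__ == "__main__":
    print([None if r is None else r.hex() for r in demo()])
```

The verification recomputes the ICV and compares it in constant time; nothing is decrypted. After the AH header is stripped, the forwarded packet still carries the ESP payload, so the IoT device must still verify the ESP ICV with the second SA: the data transmission device has authenticated only the outer packet.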
(144) In addition, if the second data packet is sent by the IoT device after being encapsulated by using the second SA, in the system architecture shown in
(145) In addition, similar to the inbound scenario, the second SA in the outbound scenario may also be a second SA encrypted by using a local key of the IoT device. Therefore, before encapsulating the second data packet by using the second SA, the IoT device further needs to decrypt the received second SA by using the local key, so that the second data packet can be encapsulated by using the second SA obtained after the decryption succeeds. This ensures that the second data packet can be parsed only by the external network device corresponding to the second SA.
(146) On an outbound side, if the IoT device does not encapsulate the second data packet by using the second SA, the IoT device may further send a notification message to the data transmission device, to notify the data transmission device to encapsulate the AH packet header of the second data packet by using the first SA. After receiving the notification message, the data transmission device encapsulates the AH packet header.
(147) In the outbound scenario, in a possible design other than the foregoing implementation, the data transmission device may further independently send the second SA to the IoT device. In this case, refer to
(148) S1402: An IoT device encapsulates a second data packet by using the second SA.
(149) As described above, the second SA is obtained by using the encapsulating security payload ESP protocol, and is used to ensure integrity and security of the second data packet received by an external network device.
(150) Specifically, for an implementation in which the IoT device encapsulates the second data packet by using the second SA, refer to related descriptions in
(151) S1404: The IoT device sends an encapsulated second data packet to a data transmission device.
(152) S1406: The data transmission device receives the second data packet sent by the IoT device.
(153) S1408: The data transmission device sends the second data packet to the external network device.
(154) Specifically, for a manner of obtaining the second SA by the IoT device, refer to the implementation shown in
(155) In addition, in a further extension manner of the implementation shown in
(156) In addition, in the outbound scenario, as shown in
(157) Specifically, the determining process may be as follows: The IoT device determines, based on a packet header attribute of the second data packet, whether the second data packet needs to be encrypted for transmission. If the second data packet needs to be encrypted for transmission, the IoT device encapsulates the second data packet by using the second SA; or if the second data packet does not need to be encrypted for transmission, the IoT device directly sends the second data packet to the data transmission device. The packet header attribute includes at least one of a source address, a destination address, a data packet name, an upper layer port, and a protocol.
(158) During specific determining, the IoT device may calculate a hash value based on the content of the packet header of the second data packet, and obtain a corresponding hash result based on a preset correspondence; whether the second data packet needs to be encrypted for transmission is then determined based on the hash result. The correspondence between the hash result and whether the second data packet needs to be encrypted for transmission may be preset as required. For example, if the hash result is 1, the second data packet needs to be encrypted for transmission, and at least one type of security processing on the outbound side is performed; if the hash result is 0, the second data packet does not need to be encrypted for transmission and may be sent directly.
(159) In addition, the data transmission device may also store the packet header attribute data, the correspondence, and the SA. In this way, when a hash collision occurs, that is, when the hash results of the packet headers of different data packets are the same, the data transmission device may send all the matching results to the IoT device, and the IoT device selects, from these results, the SA corresponding to the current data packet to perform the operation.
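The determining process of paragraphs (157) to (159), as an added Python example that is not part of the patent text: a packet header selector (source address, destination address, upper layer port, protocol) is hashed into a small bucket space, the data transmission device keeps the full selectors, the correspondence and the SA name per bucket, and on a collision it returns every candidate so the IoT device can pick the entry whose full selector matches. The selector fields, the bucket count of 16, the constant names, the `find_colliding_selector` search helper and the fail-closed result for a header with no policy are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Optional, Tuple

# Example code (not the patent's): hash-based "encrypt or send directly"
# decision with explicit handling of hash collisions.


class HeaderSelector(NamedTuple):
    """Packet header attribute used for the decision (constructed field set)."""
    src: str
    dst: str
    port: int
    proto: str


NEEDS_ENCRYPTION = 1        # hash result 1: encapsulate with the second SA
PLAINTEXT = 0               # hash result 0: send the packet directly
BUCKETS = 16                # deliberately small so collisions are easy to reach


def selector_hash(sel: HeaderSelector) -> int:
    """Hash the packet header content into a bucket index."""
    raw = f"{sel.src}|{sel.dst}|{sel.port}|{sel.proto}".encode()
    return hashlib.sha256(raw).digest()[0] % BUCKETS


@dataclass
class PolicyEntry:
    selector: HeaderSelector         # full selector, kept to resolve collisions
    action: int                      # NEEDS_ENCRYPTION or PLAINTEXT
    sa_name: Optional[str]           # which second SA to use, if any


class PolicyStore:
    """Data transmission device side: selectors, correspondence and SA names."""

    def __init__(self) -> None:
        self._buckets: Dict[int, List[PolicyEntry]] = {}

    def add(self, entry: PolicyEntry) -> None:
        self._buckets.setdefault(selector_hash(entry.selector), []).append(entry)

    def lookup(self, sel: HeaderSelector) -> List[PolicyEntry]:
        """All entries in the hashed bucket; more than one means a collision."""
        return list(self._buckets.get(selector_hash(sel), []))


def decide(store: PolicyStore, sel: HeaderSelector) -> Optional[Tuple[int, Optional[str]]]:
    """IoT device side: among the candidates, use the one whose full selector matches."""
    for entry in store.lookup(sel):
        if entry.selector == sel:
            return entry.action, entry.sa_name
    return None                      # no policy for this header


def iot_outbound(store: PolicyStore, sel: HeaderSelector, payload: bytes):
    """Return what the IoT device does with the packet: ('esp', sa, payload),
    ('plain', None, payload), or ('drop', None, payload) when no policy exists
    (assumption: an unknown header fails closed rather than leaving in clear)."""
    policy = decide(store, sel)
    if policy is None:
        return ("drop", None, payload)
    action, sa_name = policy
    if action == NEEDS_ENCRYPTION:
        return ("esp", sa_name, payload)
    return ("plain", None, payload)


def find_colliding_selector(base: HeaderSelector, start_port: int = 1025) -> HeaderSelector:
    """Constructed helper: find a different selector that lands in base's bucket."""
    target = selector_hash(base)
    for port in range(start_port, start_port + 10000):
        cand = HeaderSelector(base.src, base.dst, port, base.proto)
        if cand != base and selector_hash(cand) == target:
            return cand
    raise RuntimeError("no collision found in search range")
```

Keeping the full selector next to each hash result is what makes the collision case safe: the hash alone cannot tell two headers in the same bucket apart, so the device that holds the selectors must hand all of them over and the IoT device must match on the full header rather than on the hash value.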
(160) It should be noted that, if the data transmission method is implemented in the system architecture shown in
(161) In this case, refer to
(162) According to any one of the foregoing implementation solutions, in the embodiments of this application, computational overheads and key storage overheads of security processing of the IoT device are transferred to the data transmission device through interaction between the data transmission device and the IoT device, to implement lightweight and low-power-consumption end-to-end secure transmission between the IoT device and the external network device.
(163) It may be understood that some or all of the steps or operations in the foregoing embodiments are merely examples. Other operations or variations of the operations may also be performed in the embodiments of this application. In addition, the steps may be performed in sequences different from those presented in the foregoing embodiments, and not all operations in the foregoing embodiments need to be performed.
(164) Based on the data transmission method, the embodiments of this application further provide a corresponding data transmission device, a corresponding IoT device, and a corresponding data transmission system.
(165)
(166) The data transmission device 1700 may include one or more processors 1720. The processor 1720 may also be referred to as a processing unit, and may implement a specific control function. The processor 1720 may be a general purpose processor, a dedicated processor, or the like.
(167) In an optional design, the processor 1720 may also store an instruction. The instruction may be run by the processor 1720, so that the data transmission device 1700 performs the method performed on the data transmission device side in the method embodiments.
(168) In still another possible design, the data transmission device 1700 may include a circuit. The circuit may implement a sending function, a receiving function, or a communication function in the method embodiments.
(169) Optionally, the data transmission device 1700 may include one or more memories 1710. The memory 1710 stores an instruction or intermediate data. The instruction may be run on the processor 1720, so that the data transmission device 1700 performs the method described in the method embodiments. Optionally, the memory 1710 may further store other related data. Optionally, the processor 1720 may also store an instruction and/or data. The processor 1720 and the memory 1710 may be disposed separately, or may be integrated together.
(170) Optionally, the data transmission device 1700 may further include a transceiver 1730. The transceiver 1730 may be referred to as a transceiver unit, a transceiver circuit, or the like, and is configured to implement a transceiver function of the data transmission device 1700.
(171) As shown in
(172) The data transmission device 1700 is configured to implement operations on a data transmission device side in the embodiments corresponding to
(173) Optionally, the data transmission device 1700 may be an independent device or may be a part of a larger device.
(174)
(175) The IoT device 1800 may include one or more processors 1820. The processor 1820 may also be referred to as a processing unit, and may implement a specific control function. The processor 1820 may be a general purpose processor, a dedicated processor, or the like.
(176) In an optional design, the processor 1820 may also store an instruction. The instruction may be run by the processor 1820, so that the IoT device 1800 performs the method performed by the IoT device side described in the method embodiments.
(177) In still another possible design, the IoT device 1800 may include a circuit. The circuit may implement a sending function, a receiving function, or a communication function in the method embodiments.
(178) Optionally, the IoT device 1800 may include one or more memories 1810. The memory 1810 stores an instruction or intermediate data. The instruction may be run on the processor 1820, so that the IoT device 1800 performs the method described in the method embodiments. Optionally, the memory 1810 may further store other related data. Optionally, the processor 1820 may also store an instruction and/or data. The processor 1820 and the memory 1810 may be disposed separately, or may be integrated together.
(179) Optionally, the IoT device 1800 may further include a transceiver 1830. The transceiver 1830 may be referred to as a transceiver unit, a transceiver circuit, or the like, and is configured to implement a transceiver function of the IoT device 1800.
(180) As shown in
(181) The IoT device 1800 is configured to implement operations on an IoT device side in the embodiments corresponding to
(182) Optionally, the IoT device 1800 may be an independent device, or may be a part of a larger device.
(183)
(184) In
(185) In a possible manner, the sending module 1930 is further configured to send a second SA to the IoT device, so that the IoT device parses the first data packet by using the second SA.
(186) Further, the data transmission device 1900 further includes a storage module. The receiving module 1910 is further configured to receive a first SA and the second SA that are sent by the IoT device. The storage module is configured to store the first SA and the second SA.
(187) In a possible manner, the first SA and the second SA are determined by the IoT device and the external network device through negotiation.
(188) In another possible manner, the storage module is specifically configured to correspondingly store the first SA, the second SA, an IoT device identifier, and an external network device identifier.
(189) In another possible manner, the first SA and the second SA are stored in a local storage location or a third-party storage location.
(190) In another possible manner, the second SA is a second SA encrypted by using a local key of the IoT device.
(191) In another possible manner, the data transmission device is a gateway device between the external network and the IoT network, or an agent node in an IoT network. The agent node is configured to implement data exchange between the gateway device and the IoT device.
(192) The data transmission device in the embodiment shown in
(193)
(194) In a possible manner, the first data packet is sent after an AH packet header is verified by using a first SA.
(195) Further, the first data packet is sent after the AH packet header is successfully verified by using the first SA and the AH packet header is removed.
(196) Further, the data transmission device 2000 further includes a storage module. The receiving module 2010 is further configured to receive the first SA and the second SA that are sent by the IoT device. The storage module is configured to store the first SA and the second SA.
(197) In a possible manner, the first SA and the second SA are determined by the IoT device and the external network device through negotiation.
(198) In another possible manner, the storage module is specifically configured to correspondingly store the first SA, the second SA, an IoT device identifier, and an external network device identifier.
(199) In another possible manner, the first SA and the second SA are stored in a local storage location or a third-party storage location.
(200) In another possible manner, the second SA is a second SA encrypted by using a local key of the IoT device.
(201) In another possible manner, the data transmission device is a gateway device between the external network and the IoT network, or an agent node in an IoT network. The agent node is configured to implement data exchange between the gateway device and the IoT device.
(202) The data transmission device in the embodiment shown in
(203)
(204) In a possible manner, the processing module 2120 is further configured to remove the AH packet header of the first data packet. The sending module 2130 is specifically configured to send, to the IoT device, the first data packet from which the AH packet header is removed.
(205) In another possible manner, the sending module 2130 is further configured to send a second SA to the IoT device, so that the IoT device parses the first data packet by using the second SA.
(206) Further, the data transmission device 2100 further includes a storage module. The receiving module 2110 is further configured to receive the first SA and the second SA that are sent by the IoT device. The storage module is configured to store the first SA and the second SA.
(207) In a possible manner, the first SA and the second SA are determined by the IoT device and the external network device through negotiation.
(208) In another possible manner, the storage module is specifically configured to correspondingly store the first SA, the second SA, an IoT device identifier, and an external network device identifier.
(209) In another possible manner, the first SA and the second SA are stored in a local storage location or a third-party storage location.
(210) In another possible manner, the second SA is a second SA encrypted by using a local key of the IoT device.
(211) In another possible manner, the data transmission device is a gateway device between the external network and the IoT network, or an agent node in an IoT network. The agent node is configured to implement data exchange between the gateway device and the IoT device.
(212) The data transmission device in the embodiment shown in
(213)
(214) In a possible manner, the data transmission device 2200 further includes a processing module. The processing module is configured to encapsulate an authentication header AH packet header of the second data packet by using a first SA. The sending module 2220 is specifically configured to send an encapsulated second data packet to the external network device.
(215) In another possible manner, the receiving module 2210 is further configured to receive a second SA obtaining request sent by the IoT device. The sending module 2220 is further configured to send the second SA to the IoT device.
(216) Further, the data transmission device 2200 further includes a storage module. The receiving module 2210 is further configured to receive the first SA and the second SA that are sent by the IoT device. The storage module is configured to store the first SA and the second SA.
(217) In a possible manner, the first SA and the second SA are determined by the IoT device and the external network device through negotiation.
(218) In another possible manner, the storage module is specifically configured to correspondingly store the first SA, the second SA, an IoT device identifier, and an external network device identifier.
(219) In another possible manner, the first SA and the second SA are stored in a local storage location or a third-party storage location.
(220) In another possible manner, the second SA is a second SA encrypted by using a local key of the IoT device.
(221) In another possible manner, the data transmission device is a gateway device between the external network and the IoT network, or an agent node in an IoT network. The agent node is configured to implement data exchange between the gateway device and the IoT device.
(222) The data transmission device in the embodiment shown in
(223)
(224) In a possible manner, the first data packet is sent after the data transmission device successfully verifies the AH packet header by using the first SA and removes the AH packet header.
(225) In another possible manner, the IoT device 2300 further includes a processing module. The receiving module 2310 is further configured to receive a second SA sent by the data transmission device. The second SA is obtained by using an encapsulating security payload ESP protocol. The processing module is configured to parse the first data packet by using the second SA.
(226) In another possible manner, the second SA is a second SA encrypted by using a local key of the IoT device.
(227) In another possible manner, the processing module is specifically configured to decrypt the second SA by using the local key, and parse the first data packet by using the decrypted second SA.
(228) Further, the IoT device 2300 further includes a negotiation module and a sending module. The negotiation module is configured to negotiate with an external network device to determine the first SA and the second SA. The sending module is further configured to send the first SA and the second SA to the data transmission device, so that the data transmission device stores the first SA and the second SA.
(229) In another possible manner, the first SA, the second SA, an IoT device identifier, and an external network device identifier are correspondingly stored.
(230) In another possible manner, the first SA and the second SA are stored in a local storage location or a third-party storage location.
(231) In another possible manner, the data transmission device is a gateway device between the external network and the IoT network, or an agent node in an IoT network. The agent node is configured to implement data exchange between the gateway device and the IoT device.
(232) The IoT device in the embodiment shown in
(233)
(234) In a possible manner, the first data packet is sent after the data transmission device successfully verifies an AH packet header by using a first SA.
(235) In another possible manner, the first data packet is sent after the data transmission device successfully verifies the AH packet header by using the first SA and removes the AH packet header.
(236) In another possible manner, the second SA is a second SA encrypted by using a local key of the IoT device.
(237) In another possible manner, the processing module 2420 is specifically configured to decrypt the second SA by using the local key, and parse the first data packet by using the decrypted second SA.
(238) Further, the IoT device 2400 further includes a negotiation module and a sending module. The negotiation module is configured to negotiate with an external network device to determine the first SA and the second SA. The sending module is further configured to send the first SA and the second SA to the data transmission device, so that the data transmission device stores the first SA and the second SA.
(239) In another possible manner, the first SA, the second SA, an IoT device identifier, and an external network device identifier are correspondingly stored.
(240) In another possible manner, the first SA and the second SA are stored in a local storage location or a third-party storage location.
(241) In another possible manner, the data transmission device is a gateway device between the external network and the IoT network, or an agent node in an IoT network. The agent node is configured to implement data exchange between the gateway device and the IoT device.
(242) The IoT device in the embodiment shown in
(243)
(244) In a possible manner, the IoT device further includes a processing module. The processing module is configured to encapsulate the second data packet by using a second SA. The sending module 2510 is specifically configured to send an encapsulated second data packet to the data transmission device.
(245) In another possible manner, the IoT device further includes a receiving module. The sending module 2510 is further configured to send a second SA obtaining request to the data transmission device. The receiving module is configured to receive the second SA sent by the data transmission device.
(246) In another possible manner, the second SA is a second SA encrypted by using a local key of the IoT device.
(247) In another possible manner, the processing module is specifically configured to decrypt the second SA by using the local key, and encapsulate the second data packet by using the decrypted second SA.
(248) Further, the IoT device 2500 further includes a negotiation module. The negotiation module is configured to negotiate with the external network device to determine the first SA and the second SA. The sending module 2510 is further configured to send the first SA and the second SA to the data transmission device, so that the data transmission device stores the first SA and the second SA.
(249) In another possible manner, the first SA, the second SA, an IoT device identifier, and an external network device identifier are correspondingly stored.
(250) In another possible manner, the first SA and the second SA are stored in a local storage location or a third-party storage location.
(251) In another possible manner, the data transmission device is a gateway device between the external network and the IoT network, or an agent node in an IoT network. The agent node is configured to implement data exchange between the gateway device and the IoT device.
(252) The IoT device in the embodiment shown in
(253)
(254) In a possible manner, the IoT device further includes a receiving module. The sending module 2620 is further configured to send a second SA obtaining request to the data transmission device. The receiving module is configured to receive the second SA sent by the data transmission device.
(255) In another possible manner, the second SA is a second SA encrypted by using a local key of the IoT device.
(256) In another possible manner, the processing module is specifically configured to decrypt the second SA by using the local key, and encapsulate the second data packet by using the decrypted second SA.
(257) Further, the IoT device 2600 further includes a negotiation module and the sending module. The negotiation module is configured to negotiate with the external network device to determine the first SA and the second SA. The sending module is further configured to send the first SA and the second SA to the data transmission device, so that the data transmission device stores the first SA and the second SA.
(258) In another possible manner, the first SA, the second SA, an IoT device identifier, and an external network device identifier are correspondingly stored.
(259) In another possible manner, the first SA and the second SA are stored in a local storage location or a third-party storage location.
(260) In another possible manner, the data transmission device is a gateway device between the external network and the IoT network, or an agent node in an IoT network. The agent node is configured to implement data exchange between the gateway device and the IoT device.
(261) The IoT device in the embodiment shown in
(262) It should be understood that division into the modules in the data transmission device shown in
(263) For example, the foregoing modules may be configured as one or more integrated circuits for implementing the foregoing method, for example, one or more application-specific integrated circuits (ASIC), one or more digital signal processors (DSP), one or more field programmable gate arrays (FPGA), or the like. For yet another example, when one of the foregoing modules is implemented in a form of a processing element scheduling a program, the processing element may be a general purpose processor, for example, a central processing unit (CPU) or another processor that can invoke the program. For still another example, the modules may be integrated together and implemented in a form of a system-on-a-chip (SOC).
(264) In addition, an embodiment of this application provides a data transmission system. Specifically, the following systems are included.
(265)
(266) As shown in
(267) In a possible design, the data transmission device 1900 is further configured to remove the AH packet header of the first data packet and send, to the IoT device 2300, the first data packet from which the AH packet header is removed.
(268) In another possible design, the data transmission device 1900 is further configured to send a second SA to the IoT device 2300. The IoT device 2300 is specifically configured to parse the first data packet by using the second SA.
(269) In another possible design, the second SA is a second SA encrypted by using a local key of the IoT device 2300.
(270) In another possible design, the IoT device 2300 is specifically configured to decrypt the second SA by using the local key, and parse the first data packet by using the decrypted second SA.
(271) In another possible design, the IoT device 2300 is further configured to negotiate with the external network device to determine the first SA and the second SA, and send the first SA and the second SA to the data transmission device 1900. The data transmission device 1900 is further configured to receive the first SA and the second SA that are sent by the IoT device 2300, and store the first SA and the second SA.
(272)
(273) As shown in
(274) In a possible design, the data transmission device 2000 is further configured to verify an authentication header AH packet header of the first data packet by using a first security association SA, and send the first data packet to the IoT device 2400 after the verification succeeds.
(275) In another possible design, the data transmission device 2000 is further configured to verify an authentication header AH packet header of the first data packet by using a first security association SA, remove the AH packet header of the first data packet after the verification succeeds, and send, to the IoT device 2400, the first data packet from which the AH packet header is removed.
(276) In another possible design, the second SA is a second SA encrypted by using a local key of the IoT device 2400.
(277) In another possible design, the IoT device 2400 is specifically configured to decrypt the second SA by using the local key, and parse the first data packet by using the decrypted second SA.
(278) In another possible design, the IoT device 2400 is further configured to negotiate with the external network device to determine the first SA and the second SA, and send the first SA and the second SA to the data transmission device 2000. The data transmission device 2000 is further configured to receive the first SA and the second SA that are sent by the IoT device 2400, and store the first SA and the second SA.
(279)
(280) As shown in
(281) In a possible design, the IoT device 2500 is further configured to encapsulate the second data packet by using a second SA, and send an encapsulated second data packet to the data transmission device 2100.
(283) In another possible design, the IoT device 2500 is further configured to send a second SA obtaining request to the data transmission device 2100. The data transmission device 2100 is further configured to receive the second SA obtaining request sent by the IoT device 2500, and send the second SA to the IoT device 2500. The IoT device 2500 is further configured to receive the second SA sent by the data transmission device 2100.
(284) In another possible design, the second SA is a second SA encrypted by using a local key of the IoT device 2500.
(285) In another possible design, the IoT device 2500 is specifically configured to decrypt the second SA by using the local key, and encapsulate the second data packet by using the decrypted second SA.
(286) In another possible design, the IoT device 2500 is further configured to negotiate with the external network device to determine the first SA and the second SA, and send the first SA and the second SA to the data transmission device 2100. The data transmission device 2100 is further configured to receive the first SA and the second SA that are sent by the IoT device 2500, and store the first SA and the second SA.
(287)
(288) As shown in
(289) In a possible design, the data transmission device 2200 is further configured to encapsulate an authentication header AH packet header of the second data packet by using a first SA, and send an encapsulated second data packet to the external network device.
(290) In another possible design, the IoT device 2600 is further configured to send a second SA obtaining request to the data transmission device 2200. The data transmission device 2200 is further configured to receive the second SA obtaining request sent by the IoT device 2600, and send the second SA to the IoT device 2600. The IoT device 2600 is further configured to receive the second SA sent by the data transmission device 2200.
(291) In another possible design, the second SA is a second SA encrypted by using a local key of the IoT device 2600.
(292) In another possible design, the IoT device 2600 is specifically configured to decrypt the second SA by using the local key, and encapsulate the second data packet by using the decrypted second SA.
(293) In another possible design, the IoT device 2600 is further configured to negotiate with the external network device to determine the first SA and the second SA, and send the first SA and the second SA to the data transmission device 2200. The data transmission device 2200 is further configured to receive the first SA and the second SA that are sent by the IoT device 2600, and store the first SA and the second SA.
(294) An embodiment of this application further provides a computer-readable storage medium. The computer-readable storage medium stores a computer program. When the computer program runs on a computer, the computer is enabled to perform the data transmission method according to any one of the foregoing embodiments.
(295) In addition, an embodiment of this application further provides a computer program product. The computer program product includes a computer program. When the computer program runs on a computer, the computer is enabled to perform the data transmission method according to any one of the foregoing embodiments.
(296) All or some of the foregoing embodiments may be implemented by using software, hardware, firmware, or any combination thereof. When software is used to implement the embodiments, all or some of the embodiments may be implemented in a form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the procedure or functions according to this application are all or partially generated. The computer may be a general-purpose computer, a dedicated computer, a computer network, or other programmable apparatuses. The computer instructions may be stored in a computer-readable storage medium or may be transmitted from a computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center in a wired (for example, a coaxial cable, an optical fiber, or a digital subscriber line) or wireless (for example, infrared, radio, or microwave) manner. The computer-readable storage medium may be any usable medium accessible by a computer, or a data storage node, such as a server or a data center, integrating one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a solid-state drive), or the like.