Electronic product for network access and corresponding three-level dual-access method

A network access technology for electronic products, applied in the field of electronic equipment, which addresses problems such as network risk, easy tampering with or fraudulent use of captured access frames, and scenarios in which an AAA server cannot be deployed.

Active Publication Date: 2020-04-28
北京九思泰物联网科技有限公司
5 Cites 0 Cited by

AI-Extracted Technical Summary

Problems solved by technology

[0014] The present invention proposes an electronic product for network access and a corresponding three-level dual access method. In the prior art, there is a risk of fraudulent use of network equipment access, although it can be avoided through equipment authentica...

Method used

[0099] Starting from the system risk caused by single-request transmission and single-access-device control in existing access technology, the present invention uses three-level transmission and separates the access request from the load data after framing. Compared with the prior art, it proposes an electronic product for network access and a corresponding three-level dual-access method. In the prior art, there is a risk of fraudulent use of network equipment access; this can be countered through equipment authentication, an AAA server, and so on. However, in some special cases, such as when the AAA server and system authentication server cannot be deployed, the key network access frames, once stolen or captured, are easily tampered with or used fraudulently, causing network risk. The present invention uses three-level network access long frames to carry out data separation control. When one or two frames of any three-level network access long frame are intercepted, the correct undecry...

Abstract

The invention provides an electronic product for network access and a corresponding three-level dual-access method, and aims to solve the problem that, in the prior art, network equipment access carries a risk of illegal use: for example, when an AAA server cannot be deployed, a key network access frame is easily tampered with or used illegally after being stolen or captured by packet capture, creating a network risk. According to the invention, the three-level network access long frame is used for data separation control, so that if one or two frames of any three-level network access long frame are intercepted, a correct undecrypted transmission load cannot be obtained from them alone; a transmission identification server is introduced to carry out out-of-domain authentication; the comparison security of the system is improved by planning and designing the transmission identifier; and data transmission between the electronic equipment and the network access equipment is split in two, so that if a single access device is cracked or compromised, not all data packets can be stolen and monitored, the data is protected from being cracked even in that case, and the security performance of the system is improved.

Application Domain

Wide area networks

Technology Topic

Data transmission, Real-time computing +4

Image

  • Electronic product for network access and corresponding three-level dual-access method

Examples

  • Experimental program(1)

Example Embodiment

[0057] Several embodiments and beneficial effects of the electronic product for network access and the corresponding three-level dual-access method claimed by the present invention are described in detail below, to facilitate closer examination and analysis of the present invention.
[0058] In order to better understand the technical solutions of the present invention, the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
[0059] It should be understood that the described embodiments are only some, but not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.
[0060] The terms used in the embodiments of the present invention are only for the purpose of describing specific embodiments and are not intended to limit the present invention. As used in the embodiments of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly dictates otherwise.
[0061] It should be understood that the term "and/or" used in this document merely describes an association between the associated objects and indicates that three kinds of relationship may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist at the same time, or that B exists alone. In addition, the character "/" in this document generally indicates that the related objects are in an "or" relationship.
[0062] It should be understood that although the terms first, second, etc. may be used in the embodiments of the present invention to describe the method and the corresponding apparatus, the described items should not be limited by these terms. These terms are only used to distinguish items of the same kind from one another. For example, without departing from the scope of the embodiments of the present invention, the first access device and the first transmission identification server may also be referred to as the second access device and the second transmission identification server, and similarly the second access device and the second transmission identification server may also be referred to as the first access device and the first transmission identification server.
[0063] Depending on the context, the word "if" as used herein may be interpreted as "at", "when", "in response to determining" or "in response to detecting". Similarly, the phrases "if determined" or "if (the stated condition or event) is detected" may be interpreted as "when determined", "in response to determining", "when (the stated condition or event) is detected" or "in response to detecting (the stated condition or event)", depending on the context.
[0064] As shown in Figure 1 of the accompanying drawings, an embodiment of the access system claimed by the present invention includes:
[0065] any one of the electronic devices described above, together with a first access device, a second access device, a third access device, and a first transmission identification server.
[0066] The composition of the electronic device and its relationship with the first to third access devices and the transmission identification server are set out below:
[0067] The electronic device includes:
[0068] a transmission identification requesting part, which sends a request to the first transmission identification server, from which the first transmission identification server obtains the authorized transmission identification of the device;
[0069] a time-division multiplexing part, which applies time-division multiplexing to the communication channels between the electronic device and the first access device and between the electronic device and the second access device, slicing them into time slots of length t;
[0070] a framing part, which frames the payload frame on the sliced channel with period T1, the control frame with period T2, and the signaling identification frame with period T3, where T1, T2 and T3 are each integer multiples of t and the signaling identification frame contains at least the authorized transmission identification of the device; a complete long frame consists of a payload frame, the corresponding control frame, and a signaling identification frame;
[0071] a frame cutting part, which cuts the long frame and divides the payload frame and control frame data into two subframe types by bit parity: the first-type subframe consists of the even-numbered bits of the payload frame, the corresponding even-numbered bits of the control frame, and a complete signaling identification frame; the second-type subframe consists of the odd-numbered bits of the payload frame, the corresponding odd-numbered bits of the control frame, and a complete signaling identification frame;
[0072] a first access requesting part, which requests first-level transmission from the first access device and receives the first-type subframe sent by the first access device, the parameter X1 being received in the first block of the control frame, where X1 indicates the sequence number of the block of the signaling identification frame in the first-type subframe that must be acquired during the next-level communication; after the first-level transmission is completed and after sleeping for one long frame period, it requests second-level transmission from the first access device and receives the second-level first-type subframe sent by the first access device, locates the block of the signaling identification frame whose sequence number is the X1 received in the first block, and obtains the third-level transmission symmetric key B stored in that block; after the second-level transmission is completed and after sleeping for X1 long frame periods, it requests third-level transmission from the first access device and sends the first access device a third-level transmission long frame encrypted with the symmetric key B, whose payload frame contains at least network access information and access request header information and whose signaling identification frame contains at least the authorized transmission identification of the electronic device; the first access device performs symmetric decryption with the key B known at its local end, obtains the first access information, comprising the first network access information and the first access request header information, and obtains the authorized transmission identifier of the electronic device from the signaling identification frame of the third-level transmission long frame;
[0073] The first access device obtains the authorized transmission identification of the electronic device from the first transmission identification server and compares it with the authorized transmission identification obtained from the signaling identification frame of the third-level transmission long frame; if they match, the electronic device is allowed to perform network access, and the first access device transmits the first access information, comprising the first network access information and the first access request header information, to the third access device;
[0074] a second access requesting part, which requests first-level transmission from the second access device and receives the second-type subframe sent by the second access device, the parameter X2 being received in the first block of the control frame, where X2 indicates the sequence number of the block of the signaling identification frame in the second-type subframe that must be acquired during the next-level communication; after the first-level transmission is completed and after sleeping for one long frame period, it requests second-level transmission from the second access device and receives the second-level second-type subframe sent by the second access device, locates the block of the signaling identification frame whose sequence number is the X2 received in the first block, and obtains the third-level transmission symmetric key K stored in that block; after the second-level transmission is completed and after sleeping for X2 long frame periods, it requests third-level transmission from the second access device and sends the second access device a third-level transmission long frame encrypted with the symmetric key K, whose payload frame contains at least network access information and access request header information and whose signaling identification frame contains at least the authorized transmission identification of the electronic device; the second access device performs symmetric decryption with the key K known at its local end, obtains the second access information, comprising the second network access information and the second access request header information, and obtains the authorized transmission identifier of the electronic device from the signaling identification frame of the third-level transmission long frame. The second access device obtains the authorized transmission identification of the electronic device from the first transmission identification server and compares it with the authorized transmission identification obtained from the signaling identification frame of the third-level transmission long frame; if they match, the electronic device is allowed to perform network access, and the second access device transmits the second access information, comprising the second network access information and the second access request header information, to the third access device. The third access device inserts, bit by bit according to parity and sequence, the network access information and access request header information transmitted by the first access device and by the second access device into one another, obtaining the complete network access information and access request header information, performs the network access of the electronic device according to the complete network access information and access request header information, and allows the electronic device to access the external network.
[0075] As another superimposable preferred embodiment, obtaining the transmission identifier is specifically as follows: the first transmission identification server takes the timestamp field of the electronic device's request and XORs it bitwise with a preset local fixed cycle sequence to obtain the XOR result b1; b1 followed by the original MAC address of the electronic device forms the authorized transmission identification of the device.
[0076] As another superimposable preferred embodiment, the preset local fixed cycle sequence is set as follows: a random 8-bit binary group is generated by a random number generator and a 6-bit isolation code is inserted after it, giving 14 bits in total; these 14 bits are repeated cyclically until the length equals that of the timestamp field of the electronic device's request.
[0077] As another superimposable preferred embodiment, the 6-bit isolation code is specifically 000111 or 111000.
[0078] Figure 2 of the accompanying drawings shows a basic flow chart of a preferred embodiment of the three-level dual-access method for an electronic product for network access according to the present invention. The method includes the following steps:
[0079] S102: The electronic device sends a request to the first transmission identification server, from which the first transmission identification server obtains the authorized transmission identification of the device;
[0080] S104: The communication channels between the electronic device and the first access device and between the electronic device and the second access device are time-division multiplexed, slicing them into time slots of length t;
[0081] S106: On the sliced channel, the payload frame is framed with period T1, the control frame with period T2, and the signaling identification frame with period T3, where T1, T2 and T3 are each integer multiples of t and the signaling identification frame contains at least the authorized transmission identification of the device; a complete long frame consists of a payload frame, the corresponding control frame, and a signaling identification frame.
[0082] S108: The long frame is cut, and the payload frame and control frame data are divided into two subframe types by bit parity: the first-type subframe consists of the even-numbered bits of the payload frame, the corresponding even-numbered bits of the control frame, and a complete signaling identification frame; the second-type subframe consists of the odd-numbered bits of the payload frame, the corresponding odd-numbered bits of the control frame, and a complete signaling identification frame;
[0083] S110: The electronic device performs first-level transmission with the first access device and receives the first-type subframe sent by the first access device, the parameter X1 being received in the first block of the control frame, where X1 indicates the sequence number of the block of the signaling identification frame in the first-type subframe that must be acquired during the next-level communication; after the first-level transmission is completed and after sleeping for one long frame period, it requests second-level transmission from the first access device and receives the second-level first-type subframe sent by the first access device, locates the block of the signaling identification frame whose sequence number is the X1 received in the first block, and obtains the third-level transmission symmetric key B stored in that block; after the second-level transmission is completed and after sleeping for X1 long frame periods, it requests third-level transmission from the first access device and sends the first access device a third-level transmission long frame encrypted with the symmetric key B, whose payload frame contains at least network access information and access request header information and whose signaling identification frame contains at least the authorized transmission identification of the electronic device; the first access device performs symmetric decryption with the key B known at its local end, obtains the first access information, comprising the first network access information and the first access request header information, and obtains the authorized transmission identifier of the electronic device from the signaling identification frame of the third-level transmission long frame;
[0084] S112: The first access device obtains the authorized transmission identification of the electronic device from the first transmission identification server and compares it with the authorized transmission identification obtained from the signaling identification frame of the third-level transmission long frame; if they match, the electronic device is allowed to perform network access, and the first access device transmits the first access information, comprising the first network access information and the first access request header information, to the third access device;
[0085] S114: The electronic device performs first-level transmission with the second access device and receives the second-type subframe sent by the second access device, the parameter X2 being received in the first block of the control frame, where X2 indicates the sequence number of the block of the signaling identification frame in the second-type subframe that must be acquired during the next-level communication; after the first-level transmission is completed and after sleeping for one long frame period, it requests second-level transmission from the second access device and receives the second-level second-type subframe sent by the second access device, locates the block of the signaling identification frame whose sequence number is the X2 received in the first block, and obtains the third-level transmission symmetric key K stored in that block; after the second-level transmission is completed and after sleeping for X2 long frame periods, it requests third-level transmission from the second access device and sends the second access device a third-level transmission long frame encrypted with the symmetric key K, whose payload frame contains at least network access information and access request header information and whose signaling identification frame contains at least the authorized transmission identification of the electronic device; the second access device performs symmetric decryption with the key K known at its local end, obtains the second access information, comprising the second network access information and the second access request header information, and obtains the authorized transmission identifier of the electronic device from the signaling identification frame of the third-level transmission long frame;
[0086] S118: The second access device obtains the authorized transmission identification of the electronic device from the first transmission identification server and compares it with the authorized transmission identification obtained from the signaling identification frame of the third-level transmission long frame; if they match, the electronic device is allowed to perform network access, and the second access device transmits the second access information, comprising the second network access information and the second access request header information, to the third access device;
[0087] S120: The third access device inserts, bit by bit according to parity and order, the network access information and access request header information transmitted by the first access device and by the second access device into one another, obtaining the complete network access information and access request header information, performs the network access of the electronic device according to the complete network access information and access request header information, and allows the electronic device to access the external network.
[0088] As another superimposable preferred embodiment, obtaining the transmission identifier is specifically:
[0089] the first transmission identification server takes the timestamp field of the electronic device's request and XORs it bitwise with a preset local fixed cycle sequence to obtain the XOR result b1; b1 followed by the original MAC address of the electronic device forms the authorized transmission identification of the device.
[0090] Figure 3 of the accompanying drawings shows an example of the structure of the preset local fixed cycle sequence in a preferred embodiment of the present invention;
[0091] Referring to Figure 3, it can be seen that, as another superimposable preferred embodiment, the preset local fixed cycle sequence is set as follows:
[0092] a random number generator generates a random 8-bit binary group, a 6-bit isolation code is inserted after it, giving 14 bits in total, and the 14-bit data is repeated cyclically until its length equals that of the timestamp field of the electronic device's request.
[0093] As another superimposable preferred embodiment, the 6-bit isolation code is specifically:
[0094] 000111;
[0095] or 111000.
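The following is an added worked example of the transmission-identifier derivation described in [0075] to [0077] and [0088] to [0095], written for this page; it is not code from the patent or its applicant. It builds the preset local fixed cycle sequence (8 random bits, then a 6-bit isolation code, the 14-bit unit repeated to the length of the timestamp field), XORs it with the timestamp field to obtain b1, appends the device MAC address to form the identifier, and performs the comparison an access device makes against the identifier fetched from the transmission identification server. Two details the text leaves open are assumptions here: the final repetition of the 14-bit unit is truncated to the field length, and the identifier is b1 followed by the 48-bit MAC. The function names, the 32-bit timestamp width and all sample values are constructed for the example.

```python
import hmac
import random

# The two isolation codes the text names ([0077] / [0093]-[0095]).
ISOLATION_CODES = ("000111", "111000")


def fixed_cycle_sequence(bit_length, isolation_code="000111", group_bits=None, rng=None):
    """Preset local fixed cycle sequence ([0076] / [0092]): an 8-bit random group
    followed by a 6-bit isolation code (14 bits), repeated until it is as long
    as the timestamp field.  Truncating the last repetition to the exact field
    length is our assumption; the text only says the unit is recycled.
    group_bits lets a caller (or a test) pin the random group; otherwise a
    CSPRNG is used."""
    if isolation_code not in ISOLATION_CODES:
        raise ValueError("isolation code must be 000111 or 111000")
    if group_bits is None:
        rng = rng or random.SystemRandom()
        group_bits = format(rng.getrandbits(8), "08b")
    if len(group_bits) != 8 or set(group_bits) - {"0", "1"}:
        raise ValueError("random group must be exactly 8 bits")
    unit = group_bits + isolation_code            # 14-bit repeating unit
    repetitions = -(-bit_length // len(unit))     # ceiling division
    return (unit * repetitions)[:bit_length]


def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def mac_to_bits(mac):
    """'00:11:22:33:44:55' -> 48-bit string."""
    return format(int(mac.replace(":", "").replace("-", ""), 16), "048b")


def derive_transmission_id(timestamp_bits, mac, cycle_sequence):
    """Server side of [0075] / [0089]: b1 = timestamp XOR cycle sequence; the
    authorized transmission identifier is b1 followed by the device MAC
    (concatenation order is our reading of the text)."""
    b1 = xor_bits(timestamp_bits, cycle_sequence)
    return b1 + mac_to_bits(mac)


def recover_timestamp(transmission_id, cycle_sequence):
    """Inverse of the XOR step: the server can confirm that an identifier it
    issued corresponds to the request timestamp it recorded."""
    b1 = transmission_id[: len(cycle_sequence)]
    return xor_bits(b1, cycle_sequence)


def access_device_check(id_from_server, id_from_signaling_frame):
    """The comparison of [0073] / [0086]: the identifier fetched from the
    transmission identification server must equal the one carried in the
    signaling identification frame.  Compared in constant time so that the
    comparison itself is not a timing side channel."""
    return hmac.compare_digest(id_from_server, id_from_signaling_frame)


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    ts = format(0x12345678, "032b")                        # 32-bit timestamp field
    seq = fixed_cycle_sequence(len(ts), "000111")
    ident = derive_transmission_id(ts, "00:11:22:33:44:55", seq)
    tampered = ident[:-1] + ("0" if ident[-1] == "1" else "1")
    print("cycle sequence :", seq)
    print("transmission id:", ident)
    print("accepted       :", access_device_check(ident, ident))
    print("rejected       :", access_device_check(ident, tampered))
```

The cycle sequence is what gives the identifier its unpredictability: its 8 random bits must come from a cryptographically secure generator and stay on the server, since anyone who knows the sequence and observes the timestamp can reproduce b1. The MAC address is appended in the clear, so the identifier only proves possession of a value the server issued; it is not a secret in itself, which is why the design has the access devices fetch and compare it rather than trust the frame alone.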
[0096] Figure 4 of the accompanying drawings shows a preferred embodiment in which the third access device inserts, bit by bit according to parity and order, the network access information and access request header information transmitted by the first access device and the second access device into one another to obtain the complete network access information and access request header information;
[0097] Referring to Figure 4, it can be seen that, as another superimposable preferred embodiment, the third access device's bit-by-bit insertion, by parity and order, of the network access information and access request header information transmitted by the first and second access devices, to obtain the complete network access information and access request header information, includes:
[0098] taking the binary sequence of the first access information in order and inserting it bit by bit into the binary sequence of the second access information, each bit of the first access information sequence being inserted before the corresponding bit of the second access information sequence, so that together they form the complete network access information and access request header information.
[0099] Starting from the system risk caused by single-request transmission and single-access-device control in existing access technology, the invention uses three-level transmission and separates the access request from the load data after framing, and preferably proposes an electronic product for network access and a corresponding three-level dual-access method. In the prior art, there is a risk of fraudulent use in network device access, which can be countered through device authentication, an AAA server, and so on. However, in some special cases, such as when the AAA server and system authentication server cannot be deployed, key network frames, once stolen or captured, are easily tampered with or used fraudulently, causing network risk. The present invention uses the three-level network access long frame to carry out data separation control; when one or two frames of any three-level network access long frame are intercepted, the correct undecrypted transmission load cannot be obtained from them alone, which provides higher security. Moreover, by introducing a transmission identification server to perform out-of-domain authentication, and by planning and designing the transmission identification, the comparison security of the system is improved. Furthermore, the present invention splits the data transmission between the electronic device and the network access devices in two, so that when a single access device is cracked or breached, not all data packets can be stolen and monitored; this ensures that even if a single access device is cracked or breached, the data is protected from being cracked, and the security performance of the system is improved.
In all the above embodiments, in order to meet particular data transmission or read/write function requirements, additional devices, modules, hardware, pin connections, or different memories and processors may be added during the operation of the above methods and their corresponding apparatus to extend the functionality.
[0100] Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working process of the above-described method, device and unit may refer to the corresponding process in the foregoing method embodiments, and will not be repeated here.
[0101] In the several embodiments provided by the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are only illustrative; the division of the method steps is only a logical or functional division, and in actual implementation there may be other divisions: for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. On the other hand, the mutual coupling, direct coupling or communication connection shown or discussed may be realised through interfaces, or as indirect coupling or communication connection between devices or units, and may be electrical, mechanical or of other forms.
[0102] The units described as the various steps of the method and as separate components of the device may or may not be logically or physically separated, and may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
[0103] In addition, the method steps, their implementations and the functional units in the various embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
[0104] The above methods and apparatus may be implemented as integrated units in the form of software functional units and stored in a computer-readable storage medium. Such a software functional unit is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute some of the steps of the methods described in the various embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), NVRAM, a magnetic disk, an optical disk, or any other medium that can store program code.
[0105] The above descriptions are only preferred embodiments of the present invention and are not intended to limit it. Any modifications, equivalent replacements, improvements and the like made within the spirit and principles of the present invention shall fall within its scope of protection.
[0106] It should be noted that the above embodiments are only used to explain and illustrate the technical solutions of the present invention more clearly, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

