Building gateway vpn network access method, device and equipment and storage medium
By using dynamic secondary encryption verification between the building gateway and the building management platform, a VPN network tunnel is automatically established, solving the problems of low efficiency and insufficient security in building network security links and improving the security and convenience of multi-site VPN branch sides.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HITACHI BUILDING TECH GUANGZHOU CO LTD
- Filing Date
- 2022-12-21
- Publication Date
- 2026-06-05
AI Technical Summary
The existing network security links of building systems are inefficient to build, have complicated parameter configurations, are not secure enough, and require a high level of expertise from engineers, making them less adaptable.
By using dynamic secondary encryption verification between the building gateway and the building management platform, a VPN network tunnel is automatically established, reducing manual operations and confidential information management, and improving security and convenience.
It enables secure and automatic connection of building gateways to the building management platform, simplifies the expansion and on-site deployment of multi-site VPN branches, and improves security and ease of use.
Smart Images

Figure CN115955348B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the technical field of building network management, and particularly relates to VPN network access methods, devices, equipment and storage media for building gateways. Background Technology
[0002] With the accelerated integration of technologies such as cloud computing and the Internet of Things in the field of building information, while bringing broad development opportunities to smart buildings, it has also led to the continuous expansion of the access scope of building systems, making the building network structure more complex and increasing the risk of the system being attacked by networks.
[0003] To improve the network security of building systems, the network security measures mentioned in related technologies mainly focus on analyzing and detecting security vulnerabilities, and based on the detection results, deploying dedicated network security equipment (such as firewalls) and completing the corresponding security policy formulation and configuration. However, these methods have the following problems when applied to building systems:
[0004] 1) Low efficiency in building network security links
[0005] To ensure the security of the WAN-connected link between the subnet of on-site equipment and the cloud central platform, a dedicated firewall or router with VPN access capability is typically installed at the WAN entry point on the user site side to establish a secure link between the user-side subnet and the cloud central platform. However, with existing solutions, each time a new user branch site is added, multiple parameters need to be manually configured according to the new site's on-site network environment, resulting in complex on-site debugging and subsequent maintenance work, and low efficiency in building a secure link.
[0006] 2) Insufficient security of critical information deployed in the system
[0007] When building a VPN system using standard firewalls or routers, the parameters are set and saved on the firewalls or routers. Each time a new VPN branch site is added or maintenance is performed, on-site querying, inputting, and modifying are required. This makes it difficult to effectively manage highly sensitive or confidential parameters such as VPN keys and authentication credentials, which poses a serious risk of local leakage and increases the security risk of unauthorized local users / devices illegally accessing the VPN platform's central side.
[0008] 3) Safety management requires highly specialized engineering personnel but has low adaptability.
[0009] The network threats faced by the local building system at the user-side site are twofold: on the one hand, attacks from the Internet after the building system is connected to the wide area network; on the other hand, unauthorized access by devices or business access under unauthorized conditions on the building's local intranet. However, the network security devices in the relevant technologies lack integration with building services, and need to be assessed by professional network administrators (or IT personnel) based on the current network environment. This process is cumbersome and highly dependent on the professional level of the personnel. Summary of the Invention
[0010] This invention provides a VPN network access method, apparatus, device, and storage medium for building gateways to address the problems of low efficiency, insufficient security, and low adaptability of related technologies in dealing with network security of building systems.
[0011] According to a first aspect of the present invention, a VPN network access method for a building gateway is provided. The method is applied in a building gateway, wherein one building gateway corresponds to one or more building sites, each building site includes one or more building terminal devices and a building controller connected to each of the building terminal devices, and the building terminal devices access the building gateway through the building controller; the building gateway communicates with a building management platform; the method includes:
[0012] When access verification is required, the gateway device information of the building gateway itself is obtained, and an initial encryption verification request is initiated to the building management platform based on the gateway device information.
[0013] When the building management platform receives a notification that the initial encryption verification has passed based on the initial encryption verification request, the first verification information is extracted from the initial encryption verification pass notification.
[0014] Based on the first verification information, a second verification information is generated, and based on the second verification information, an encrypted secondary verification request is initiated to the building management platform;
[0015] When the building management platform receives encrypted tunnel construction information after verifying the encrypted secondary verification request, a VPN network tunnel is established between the building gateway and the building management platform based on the encrypted tunnel construction information.
[0016] According to a second aspect of the present invention, a VPN network access method for a building gateway is provided. The method is applied in a building management platform, which communicates with one or more building gateways. Each building gateway corresponds to one or more building sites, each building site including one or more building terminal devices and a building controller connected to each of the building terminal devices. The building terminal devices access the building gateway through the building controller. The method includes:
[0017] Upon receiving an encrypted initial verification request from the target building gateway that requires access verification, the encrypted initial verification request is decrypted to obtain the target gateway device information.
[0018] The target gateway device information is verified, and after the verification of the target gateway device information is successful, the first verification information is obtained;
[0019] The first verification information is encrypted to generate an encrypted initial verification pass notification, and the encrypted initial verification pass notification is sent to the target building gateway;
[0020] Receive the encrypted secondary verification request sent by the target building gateway based on the encrypted initial verification pass notification, and decrypt the encrypted secondary verification request to obtain the second verification information;
[0021] The second verification information is verified. Once the verification of the second verification information is successful, the tunnel construction information corresponding to the target building gateway is obtained, and the tunnel construction information is encrypted and sent to the target building gateway to establish a VPN network tunnel between the target building gateway and the target building gateway.
[0022] According to a third aspect of the present invention, a VPN network access device for a building gateway is provided. The device is applied in a building gateway, wherein one building gateway corresponds to one or more building sites, each building site includes one or more building terminal devices and a building controller connected to each of the building terminal devices, and the building terminal devices access the building gateway through the building controller; the building gateway communicates with a building management platform; the device includes:
[0023] The acquisition module is used to acquire the gateway device information of the building gateway itself when access verification is required;
[0024] The first initiation module is used to initiate an initial encryption verification request to the building management platform based on the gateway device information;
[0025] The extraction module is used to extract the first verification information from the encryption initial verification pass notification returned by the building management platform based on the encryption initial verification request when it receives the encryption initial verification pass notification.
[0026] The generation module is used to generate second verification information based on the first verification information;
[0027] The second initiation module is used to initiate an encrypted secondary verification request to the building management platform based on the second verification information;
[0028] The VPN network tunnel establishment module is used to establish a VPN network tunnel between the building gateway and the building management platform based on the encrypted tunnel construction information returned by the building management platform after the building management platform has verified the encrypted secondary verification request.
[0029] According to a fourth aspect of the present invention, a VPN network access device for a building gateway is provided. The device is applied in a building management platform, which communicates with one or more building gateways. Each building gateway corresponds to one or more building sites, each building site including one or more building terminal devices and a building controller connected to each of the building terminal devices. The building terminal devices access the building gateway through the building controller. The device includes:
[0030] The decryption module is used to decrypt the encrypted initial verification request sent by the target building gateway that needs to perform access verification, and obtain the target gateway device information.
[0031] The first verification information acquisition module is used to verify the target gateway device information and acquire the first verification information after the target gateway device information is verified.
[0032] The encryption module is used to encrypt the first verification information to generate an encrypted initial verification pass notification;
[0033] The sending module is used to send the initial encryption verification to the target building gateway via a notification;
[0034] The second verification information acquisition module is used to receive the encrypted secondary verification request sent by the target building gateway based on the encrypted initial verification pass notification, and to decrypt the encrypted secondary verification request to obtain the second verification information.
[0035] The execution module is used to verify the second verification information. After the verification of the second verification information is successful, it obtains the tunnel construction information corresponding to the target building gateway, encrypts the tunnel construction information, and sends it to the target building gateway to establish a VPN network tunnel between the target building gateway and the target building gateway.
[0036] According to a fifth aspect of the present invention, an electronic device is provided, the electronic device comprising:
[0037] At least one processor; and
[0038] A memory communicatively connected to the at least one processor; wherein,
[0039] The memory stores a computer program that can be executed by the at least one processor, which enables the at least one processor to execute a VPN network access method for a building gateway according to any embodiment of the present invention.
[0040] According to a sixth aspect of the present invention, a computer-readable storage medium is provided, the computer-readable storage medium storing computer instructions, the computer instructions being configured to cause a processor to execute and implement a VPN network access method for a building gateway as described in any embodiment of the present invention.
[0041] This invention provides a VPN network access method for a building gateway. A building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each building terminal device. The building terminal devices access the building gateway through the building controller. The building gateway communicates with the building management platform. When access verification is required, the gateway obtains its own gateway device information and initiates an initial encryption verification request to the building management platform based on the gateway device information for the first verification. When the building management platform returns an initial encryption verification pass notification based on the initial encryption verification pass notification, the first... The system verifies information, generates second verification information based on the first verification information, and initiates an encrypted secondary verification request to the building management platform based on the second verification information for a second verification. When the building management platform verifies the encrypted secondary verification request and returns encrypted tunnel construction information, a VPN network tunnel is established between the building gateway and the building management platform based on the encrypted tunnel construction information. Through the dynamically encrypted verification link, the building gateway can securely and automatically connect to the building management platform without relying on manual operation or human management of confidential information. This improves the security of VPN branch-side expansion when building multiple sites, and also effectively simplifies the on-site deployment and debugging of building sites, improving ease of use.
[0042] It should be understood that the description in this section is not intended to identify key or essential features of the embodiments of the present invention, nor is it intended to limit the scope of the invention. Other features of the invention will become readily apparent from the following description. Attached Figure Description
[0043] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0044] Figure 1 This is a flowchart of a VPN network access method for a building gateway according to Embodiment 1 of the present invention;
[0045] Figure 2 This is a security network architecture diagram for integrated building management provided in Embodiment 1 of the present invention;
[0046] Figure 3 This is a building gateway structure diagram provided in Embodiment 1 of the present invention;
[0047] Figure 4 This is a flowchart of a VPN network access method for a building gateway according to Embodiment 2 of the present invention;
[0048] Figure 5 This is a schematic representation of gateway device information provided in Embodiment 2 of the present invention;
[0049] Figure 6 This is a deployment information representation intent provided according to Embodiment 2 of the present invention;
[0050] Figure 7 This is a schematic diagram of a VPN network access device for a building gateway according to Embodiment 3 of the present invention;
[0051] Figure 8 This is a schematic diagram of a VPN network access device for a building gateway according to Embodiment 4 of the present invention;
[0052] Figure 9 This is a schematic diagram of the structure of an electronic device that implements a VPN network access method for a building gateway according to an embodiment of the present invention. Detailed Implementation
[0053] To enable those skilled in the art to better understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present invention.
[0054] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0055] Example 1
[0056] Figure 1 This is a flowchart of a VPN network access method for a building gateway provided in Embodiment 1 of the present invention. The method is applied in a building gateway, where one building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each building terminal device. The building terminal devices access the building gateway through the building controller. The building gateway communicates with the building management platform.
[0057] This method can be executed by a VPN network access device for a building gateway, which can be implemented in hardware and / or software.
[0058] like Figure 1 As shown, this embodiment may include the following steps:
[0059] S110: When access verification is required, obtain the gateway device information of the building gateway itself, and initiate an initial encrypted verification request to the building management platform based on the gateway device information.
[0060] In this embodiment, the building management platform manages multiple building sites. From the perspective of the building management platform, each building site can be viewed as a user-side branch site. Each building gateway corresponds to one or more building sites, and the building gateway communicates with the building management platform. Each building site may contain one or more building terminal devices and a building controller connected to each building terminal device. The building terminal devices can access the building gateway through the building controller. The building management platform can be a cloud platform.
[0061] For example, refer to Figure 2 This is a security network architecture diagram for integrated building management. The building gateway needs to communicate with the building management platform, which can be achieved by connecting to a designated wide area network.
[0062] For user-local area management objects in large-scale buildings or building complexes, it consists of a building gateway deployed on the building's local area network and various business subsystems, covering business subsystems such as access control management, visitor management, lighting management, power management, air conditioning management, and elevator control management. Each type of business subsystem includes a corresponding building controller and terminal equipment. For example, Figure 2 As shown, each building site can have building terminal devices with different functions, such as door locks and authentication terminals in access control management, electricity and water meters in energy management, and environmental sensors such as temperature and humidity sensors in environmental management. These building terminal devices can be connected to the building gateway through the building controller.
[0063] Building controllers are access and local management devices for field terminals of various business subsystems in a building. They generally have abundant fieldbus and input / output interfaces, and can complete data acquisition, storage and uploading, and localized control of various terminals.
[0064] In one embodiment, some building terminal devices, management systems such as information publishing systems, and third-party systems accessed in the building site can also be directly connected to the building gateway without going through the building controller.
[0065] For the structure of building gateways, please refer to... Figure 3 This is a building gateway architecture diagram, in which devices from the building site can access the building gateway through an internal network interface. Figure 2 and Figure 3 The LAN shown is used for the building, while the building gateway can communicate with the building management platform via the external network interface. Typically, one unit is deployed in each building site, providing one side of the building site with a VPN secure tunnel based on WAN access and local subnet access control and attack protection. Simultaneously, it provides comprehensive edge support for unified management of the building's local area and the linkage of multiple subsystems.
[0066] The operation that triggers the determination that access verification is required can be the startup of the building gateway or the VPN reconnection count exceeding the limit.
[0067] When it is determined that access verification is required, the gateway device information corresponding to the building gateway can be obtained. Then, based on the gateway device information, an initial encrypted verification request can be sent to the building management platform to initiate the first verification.
[0068] In one embodiment, the gateway device information includes a gateway device identifier and gateway identity information. Obtaining the building gateway's own gateway device information in step S110 includes the following steps:
[0069] Generate an identity information retrieval request based on the gateway device identifier;
[0070] The identity information acquisition request is encrypted using a preset key, and the encrypted identity information acquisition request is sent to the building management platform;
[0071] Receive the encrypted identity information storage address returned by the building management platform based on the identity information retrieval request;
[0072] After decrypting the encrypted identity information storage address using a preset key, the corresponding encoded gateway identity information is read from the local storage based on the obtained identity information storage address.
[0073] The gateway identity information is obtained by decoding the encoded gateway identity information using a reverse algorithm of the preset encoding algorithm.
[0074] In one implementation, the gateway device identifier can be the local device number. Specifically, the local device number can be used to generate an identity information retrieval request. The identity information retrieval request can be encrypted using a default algorithm f0 and a preset key M0, and then sent to the building management platform's default port. For example, the local device number can be a string consisting of a model number and a production serial number, where the model number is represented by letters and the production serial number by numbers, with the production serial number uniquely assigned in ascending order of production, such as "G000012".
[0075] After receiving an identity information retrieval request, the building management platform returns the storage address of the encrypted identity information. Upon receiving the encrypted identity information storage address, the building gateway can read the corresponding encoded gateway identity information from its local storage according to the encrypted identity information storage address. Then, using a preset encoding algorithm fd and its corresponding reverse algorithm fdR, the encrypted gateway identity information is converted back into gateway identity information. The preset encoding algorithm is an encrypted encoding algorithm. The gateway identity information obtained after converting the encrypted gateway identity information into gateway identity information is plaintext identity information.
[0076] In one embodiment, the gateway identity information includes a time synchronization service address and a verification code. Before initiating an initial encrypted verification request to the building management platform based on the gateway device information, the following steps are also included:
[0077] Based on the time synchronization service address and verification code, a time synchronization request is initiated to the time synchronization service of the building management platform to complete the time synchronization with the building management platform.
[0078] In this embodiment, the gateway identity information can be a plaintext string, which can be in the form of S-D1-Y, used to uniquely identify the device identity of different building gateways. The building gateway can further extract the key identity information of the building management platform to which it belongs from the string S-D1-Y, namely the time synchronization service address D1 and verification code Y in S-D1-Y, and then initiate a time synchronization request to the building management platform using the time synchronization service address D1 and verification code Y. When the time synchronization request is successfully sent, a private network time synchronization connection can be established with the building management platform based on the key identity information, and the building gateway can synchronize its time with the time synchronization service of the building management platform at a given period.
[0079] In one embodiment, step S110, which involves initiating an encrypted initial verification request to the building management platform based on the gateway device information, includes the following steps:
[0080] Obtain the first real-time timestamp and generate the first dynamic key based on the first real-time timestamp;
[0081] The gateway device information is encrypted using the first dynamic key, and an initial encryption verification request is generated.
[0082] Send the initial encryption verification request to the building management platform.
[0083] In this embodiment, when it is determined that access verification is required, that is, when the building gateway is started or the VPN reconnection limit is exceeded, after obtaining the device identity information and synchronizing the time, an encrypted initial verification request can be initiated to the building management platform based on the gateway device information.
[0084] Specifically, the first real-time timestamp can be the current time of the building gateway. The building gateway can use the current time as an input parameter (such as including year / month / day / hour / minute), input the pre-set algorithm f1, and generate the first dynamic key.
[0085] Gateway device information can include gateway device identifier, device identity information, local MAC address, manufacturing date, software version, etc. The default algorithm f0 and the first dynamic key can be used to encrypt the gateway device information and generate an encryption initial verification request.
[0086] S120: When the building management platform receives a notification that the initial encryption verification has passed based on the initial encryption verification request, the first verification information is extracted from the notification.
[0087] When the building management platform receives a notification that the initial encryption verification has passed based on the initial encryption verification request, the notification can be decrypted according to the preset decryption method to restore the plaintext initial verification notification. After decryption, the first verification information can be extracted.
[0088] In one embodiment, step S120 includes the following steps:
[0089] S120-1, Update the first real-time timestamp, and update the first dynamic key based on the updated first real-time timestamp;
[0090] S120-2, the initial verification is encrypted using the updated first dynamic key and decrypted via notification to obtain the first verification information.
[0091] In this embodiment, the first dynamic key is updated based on a first real-time timestamp, meaning the first dynamic key changes dynamically over time. The first real-time timestamp has a precision of minutes. Since the time required to complete one communication session is necessarily within one minute, the precision of the first real-time timestamp can be controlled to minutes to ensure consistency with the dynamic key subsequently generated based on the timestamp. When decrypting the initial encryption verification via notification, the updated first dynamic key can be used, and the default algorithm f0 can be employed to complete the decryption.
[0092] S130: Generate second verification information based on the first verification information, and initiate an encrypted secondary verification request to the building management platform based on the second verification information.
[0093] In this embodiment, the second verification information can be generated using the first verification information as the response result. Then, the default algorithm f0 and the first dynamic key can be used to form an encrypted secondary verification request and send it to the building management platform.
[0094] In one embodiment, the first verification information includes a first random value and a first encryption / decryption algorithm identifier from a preset encryption / decryption algorithm library; the gateway device information includes a gateway device identifier.
[0095] Step S130, which generates second verification information based on the first verification information, may include the following steps:
[0096] The corresponding first encryption and decryption algorithm is read from the preset encryption and decryption algorithm library according to the first encryption and decryption algorithm identifier;
[0097] Using the gateway device identifier as the key, the first random value is encrypted using the first encryption and decryption algorithm to obtain the second random value, which serves as the second verification information.
[0098] In one embodiment, the notification of successful initial encryption verification may include a random value T and a first encryption / decryption algorithm identifier from a preset encryption / decryption algorithm library, for example, it may be the sequence number m of the preset encryption / decryption algorithm library D.
[0099] After decryption is completed, when extracting the first verification information from the initial verification pass notification, the random value T in the initial verification pass notification can be converted into the first random value. Then, the first verification information may include the first random value and the first encryption / decryption algorithm identifier in the preset encryption / decryption algorithm library.
[0100] After determining the first encryption / decryption algorithm identifier, the corresponding first encryption / decryption algorithm can be read from the preset encryption / decryption algorithm library. For example, when the first encryption / decryption algorithm identifier is the sequence number m of the preset encryption / decryption algorithm library D, then the corresponding first encryption / decryption algorithm can be determined to be the m-th algorithm fm of the preset encryption / decryption algorithm library D.
[0101] After determining the first encryption / decryption algorithm, the gateway device identifier can be used as the key to encrypt the first random value using the first encryption / decryption algorithm to obtain the second random value, which serves as the second verification information.
[0102] In one embodiment, step S130, which involves initiating an encrypted secondary verification request to the building management platform based on the second verification information, may include the following steps:
[0103] The second random value is encrypted using a first dynamic key updated based on the first real-time timestamp to obtain an encrypted secondary verification request;
[0104] Send an encrypted two-factor authentication request to the building management platform.
[0105] Specifically, when encrypting the second random value to obtain the encryption secondary verification request, the first dynamic key used is updated based on the first real-time timestamp and is a real-time dynamic key.
[0106] S140: When the building management platform verifies the encrypted secondary verification request and returns encrypted tunnel construction information, a VPN network tunnel is established between the building gateway and the building management platform based on the encrypted tunnel construction information.
[0107] In this embodiment, after the building management platform verifies the encrypted secondary verification request, it will return encrypted tunnel construction information to the building gateway. The building gateway can decrypt the encrypted tunnel construction information to restore the plaintext tunnel construction information, thereby obtaining the tunnel construction information used to establish a VPN network tunnel between the building gateway and the building management platform.
[0108] Once the VPN network tunnel is successfully built, the building gateway and the building management platform can access resources between each other.
[0109] In one embodiment, step S140, which establishes a VPN network tunnel between the building gateway and the building management platform based on encrypted tunnel construction information, includes the following steps:
[0110] The first dynamic key is updated based on the first real-time timestamp, and the updated first dynamic key and the second random value are used as keys to decrypt the encrypted tunnel construction information to obtain building site information, business deployment information, branch-side VPN subnet construction parameters and encryption center-side VPN access parameters. The encryption center-side VPN access parameters include the first encrypted access parameters, the second encrypted access parameters, the second encryption and decryption algorithm identifier in the preset encryption and decryption algorithm library related to the first encrypted access parameters, and the third encryption and decryption algorithm identifier in the preset encryption and decryption algorithm library related to the second encrypted access parameters.
[0111] The second encryption and decryption algorithm is used to identify the corresponding second encryption and decryption algorithm. The gateway identity information is used as the key to decrypt the first encrypted access parameters and obtain the central VPN public IP and IPsec authentication parameters.
[0112] The third encryption and decryption algorithm is identified by the third encryption and decryption algorithm. The identity information storage address is used as the key to decrypt the second encrypted access parameters and obtain the IPsec tunnel mode, as well as the negotiation parameters of the first and second phases.
[0113] Based on building site information, business deployment information, branch-side VPN subnet construction parameters, central-side VPN public IP, IPsec authentication parameters, IPsec tunnel mode, and negotiation parameters for Phase 1 and Phase 2, a VPN network tunnel is established between the building gateway and the building management platform.
[0114] In this embodiment, a first dynamic key updated based on a first real-time timestamp can be used. After updating the first dynamic key, the first dynamic key and a second random value can be combined as the key to decrypt the encrypted tunnel construction information. The resulting building site information and business deployment information provide the key information foundation for the building site in the subsequent second phase when implementing adaptive access security control policies. Specifically, the first dynamic key can be RES1, and the second random value can be T2. Then, the key to decrypt the encrypted tunnel construction information can be obtained by combining RES1 and T2.
[0115] Specifically, the public IP address of the central VPN and the IPsec authentication parameters (including the pre-shared key and peer ID) can be considered as the first part of sensitive confidential information. The encryption algorithm corresponding to this first part of sensitive confidential information can be extracted from the tunnel construction information. For example, if the extracted second encryption / decryption algorithm is identified as the s-th number in the preset encryption / decryption algorithm library D, then the corresponding second encryption / decryption algorithm, i.e., algorithm fs corresponding to the s-th number in the preset encryption / decryption algorithm library D, can be used to decrypt the first encrypted access parameters, and the decryption is completed using the gateway identity information as the key.
[0116] The IPsec tunnel mode and the negotiation parameters for Phase 1 and Phase 2, including the authentication method, IKE version and mode, NAT traversal, encryption / authentication / DH algorithms for Phase 1 and Phase 2, and key lifecycle, can be considered as the second part of sensitive confidential information. The encryption algorithm corresponding to the second part of sensitive confidential information can be extracted from the tunnel construction information. For example, when the extracted third encryption / decryption algorithm is identified as number t in the preset encryption / decryption algorithm library D, the corresponding third encryption / decryption algorithm, i.e., algorithm ft corresponding to number t in the preset encryption / decryption algorithm library D, can be used to decrypt the second encrypted access parameters, and the identity information storage address can be used as the key to complete the decryption.
[0117] In one implementation, after decrypting the encrypted tunnel construction information and the first and second encrypted access parameters, the site deployment information transmission (including clearing) can be performed according to the following steps to establish a VPN network tunnel between the building gateway and the building management platform:
[0118] Step 1: Store the acquired information only in the random absolute address (ADi) storage area on the temporary RAM of the building gateway;
[0119] Step 2: The VPN access-related parameters on the RAM storage area AD1 with the given absolute address, including the central VPN public IP, IPsec authentication parameters, IPsec tunnel mode, and negotiation parameters for Phase 1 and Phase 2, are directly transferred to the running data area of the IPsec VPN module program in memory only. That is, the relevant parameters are not stored or transferred in the building gateway in any form that can be read or displayed in plaintext by users or external programs, such as parameter files or configuration files.
[0120] Step 3: After step 2 is completed, the building gateway will immediately and automatically clear the VPN access-related parameters stored in the random absolute address ADi storage area on the temporary storage RAM;
[0121] Step 4: The building gateway adjusts its own internal LAN interface network parameters to the corresponding network segment according to the branch-side VPN subnet segment in the IPsec VPN access parameters;
[0122] Step 5: The IPsecVPN module of the building gateway detects the tunnel establishment and operation parameters of its own IPsecVPN access parameters. These operation parameters include the public IP address of the central VPN, IPsec authentication parameters, IPsec tunnel mode, and negotiation parameters for Phase 1 and Phase 2. If there are updates, the IPsec tunnel establishment request with the remote IPsecVPN center is restarted according to the new access parameters. After all the negotiation and authentication steps of Phase 1 (IKE SA) and Phase 2 (IPsec SA) of the IPsec tunnel creation between the building gateway and the central side are successfully completed, the IPsec tunnel has been established. The IPsecVPN station-to-station connection between the branch of this building site and the two subnets of the building management platform central side has been completed, thus completing the establishment of the VPN network tunnel between the building gateway and the building management platform.
[0123] This invention proposes a VPN network access method for a building gateway. A building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each building terminal device. The building terminal devices access the building gateway through the building controller. The building gateway communicates with a building management platform. When access authentication is required, the gateway device information of the building gateway is obtained, and an initial encryption authentication request is initiated to the building management platform based on the gateway device information for the first authentication. When a notification of successful initial encryption authentication is received from the building management platform based on the initial encryption authentication request, the first authentication information is extracted from the notification. The system generates second verification information from the first verification information and initiates an encrypted secondary verification request to the building management platform based on the second verification information for a second verification. When the building management platform verifies the encrypted secondary verification request and returns encrypted tunnel construction information, a VPN network tunnel is established between the building gateway and the building management platform based on the encrypted tunnel construction information. Through the dynamic secondary encryption verification link, the building gateway can securely and automatically complete the VPN connection with the building management platform without relying on manual operation or human management of confidential information. This improves the security of VPN branch-side expansion when building multiple sites, and also effectively simplifies the on-site deployment and debugging of building sites, improving ease of use.
[0124] Example 2
[0125] Figure 4This is a flowchart of a VPN network access method for a building gateway provided in Embodiment 2 of the present invention. The method is applied in a building management platform, which communicates with one or more building gateways. One building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each building terminal device. The building terminal devices access the building gateway through the building controller.
[0126] The building management platform includes a VPN network access device for a building gateway. The method can be executed by a VPN network access device for a building gateway, which can be implemented in hardware and / or software.
[0127] like Figure 4 As shown, this embodiment may include the following steps:
[0128] S410, upon receiving an encrypted initial verification request from the target building gateway that requires access verification, decrypts the encrypted initial verification request to obtain the target gateway device information.
[0129] In this embodiment, the building management platform is generally deployed on a public cloud and may include a building gateway authentication module, a central VPN module, a private network time synchronization service module, and various business service modules. It provides a platform center for backend data storage, monitoring, management, and integration for each building site, and provides management services for the entire system and multiple sites for various users.
[0130] After receiving the initial encryption verification request, the building management platform can decrypt the initial encryption verification request according to the decryption method corresponding to the encryption method of the initial encryption verification request, so that the initial encryption verification request is decrypted into plaintext.
[0131] In one embodiment, the building management platform stores a gateway device information table, which records gateway device information for one or more building gateways; before step S410, the following steps are also included:
[0132] Receive the encrypted identity information acquisition request sent by the target building gateway, and decrypt the encrypted identity information acquisition request using a preset key to obtain the target gateway device identifier;
[0133] The system searches for the target gateway device identifier in the gateway device information table to obtain the corresponding identity information storage address. The identity information storage address is then encrypted using a preset key and transmitted to the target building gateway so that the target building gateway can obtain the corresponding gateway identity information based on the identity information storage address.
[0134] In one implementation, refer to Figure 5This is a gateway device information representation intention. Before the building gateway is manufactured or transported from the production site to the user's designated installation site, the gateway device information table can be imported into the building management platform in advance. In other words, even if a building gateway does not officially need to be connected to the building management platform, the relevant information of the building gateway has already been recorded in the gateway device information table stored in the building management platform.
[0135] Before sending the encrypted initial verification request, the building gateway can first send an encrypted identity information acquisition request. After receiving the encrypted identity information acquisition request, the building management platform can use a preset key to decrypt the encrypted identity information acquisition request and obtain the target gateway device identifier.
[0136] After determining the target gateway device identifier corresponding to the target building gateway, the corresponding identity information storage address can be obtained from the gateway device information table. The identity information storage address is then encrypted with a preset key and sent to the target building gateway with the encrypted identity information storage address as the content, so that the building gateway can obtain the gateway identity information.
[0137] Specifically, regarding the identity information storage address, the building gateway can convert the identity information (fd) into encrypted (Fid) using a preset encoding algorithm, and store the Fid in a randomly assigned absolute address (ADn) within the designated memory ROMn. This means that the storage address for the identity information of each building gateway is unique, and no user or external program can read or display it in plaintext. The identity information storage address can be represented as ROMn_And, where the preset encoding algorithm is an encrypted algorithm. Furthermore, the remaining parameters of the building gateway can be saved in a standard file format at a fixed address within the product's designated memory ROM1, and can be viewed through the building gateway's web management interface.
[0138] The building management platform can establish a private network time synchronization connection with the target building gateway based on key identity information. After the private network time synchronization connection is successful, the building gateway can synchronize its time with the platform time synchronization service of the building management platform at a given period.
[0139] In one embodiment, step S410, which involves decrypting the initial encryption verification request to obtain the target gateway device information, includes the following steps:
[0140] Obtain the second real-time timestamp and generate the second dynamic key based on the second real-time timestamp, wherein the precision of the second real-time timestamp is in minutes;
[0141] The second dynamic key is used to decrypt the encrypted initial verification request to obtain the target gateway device information.
[0142] In this embodiment, after receiving the initial encryption verification request, the building management platform can use the second real-time timestamp, i.e., the current time (including year / month / day / hour / minute), as the input parameter and input a pre-set algorithm f1 to generate a second dynamic key. Then, the initial encryption verification request can be decrypted into plaintext using the default algorithm f0 and the second dynamic key. To ensure that the second dynamic key is consistent with the first dynamic key generated in the building gateway, the precision of the second real-time timestamp can be limited to minutes. When the precision is in minutes, it can be ensured that the first real-time timestamp is consistent with the second real-time timestamp, thus ensuring that the first and second dynamic keys are consistent.
[0143] S420 verifies the target gateway device information, and after the verification of the target gateway device information is successful, obtains the first verification information.
[0144] In this embodiment, after decrypting the initial encryption verification request and obtaining the target gateway device information, the target gateway device information can be verified. If the verification is successful, the first verification information can be obtained; if the verification fails, the connection operation cannot continue. The first verification information may include a random value and encryption / decryption algorithm identifiers from a preset encryption / decryption algorithm library, which will be used for subsequent encryption / decryption operations required for further interaction.
[0145] In one embodiment, the target gateway device information includes a target gateway device identifier;
[0146] Step S420 verifies the target gateway device information, including the following steps:
[0147] Search the target gateway device identifier in the pre-obtained gateway device information table to obtain the corresponding previously recorded gateway device information;
[0148] If the previously recorded gateway device information matches the target gateway device information, then obtain the set of connected building gateway identifiers;
[0149] If the target gateway device identifier does not exist in the set of connected building gateway identifiers, then the verification of the target gateway device information is deemed successful.
[0150] In this embodiment, the target gateway device identifier can be found in a pre-obtained gateway device information table. The gateway device information can be determined by the target gateway device identifier. For example, the gateway device information can be recorded in advance. Figure 5Each gateway device identifier corresponds to the device identity information, device identity information storage address, manufacturing date, software version, and MAC address of that building gateway. If the gateway device information obtained through table lookup matches the received target gateway device information, and it belongs to a building gateway not connected to the building management platform (meaning the target gateway device identifier does not exist in the set of connected building gateway identifiers), and it is confirmed that the connected building gateway is not duplicated, then the verification of the target gateway device information can be considered successful.
[0151] If the above conditions for successful verification are not met, the verification will be deemed unsuccessful, and the verification connection can be disconnected.
[0152] S430 encrypts the first verification information to generate an encrypted initial verification pass notification, and sends the encrypted initial verification pass notification to the target building gateway.
[0153] In implementation, the building management platform can continue to use the default algorithm f0 and the second dynamic key to encrypt the first verification information, generate an encrypted initial verification pass notification, and send it to the target building gateway.
[0154] S440 receives an encrypted secondary verification request sent by the target building gateway based on the encrypted initial verification pass notification, and decrypts the encrypted secondary verification request to obtain the second verification information.
[0155] In this embodiment, after receiving the encrypted secondary verification request, the default algorithm f0 and the second dynamic key can be used to decrypt and extract the second verification information from the response content.
[0156] S450: Verify the second verification information. Once the second verification information is verified, obtain the tunnel construction information corresponding to the target building gateway, encrypt the tunnel construction information, and send it to the target building gateway to establish a VPN network tunnel between the target building gateway and the target building gateway.
[0157] In this embodiment, the obtained second verification information is verified. After successful verification, tunnel construction information can be obtained based on the target gateway device identifier, and the tunnel construction information is encrypted and sent to the target building gateway.
[0158] In one embodiment, the first verification information includes a first random value and a first encryption / decryption algorithm identifier in a preset encryption / decryption algorithm library;
[0159] Step S450 verifies the second verification information, including the following steps:
[0160] The corresponding first encryption and decryption algorithm is read from the preset encryption and decryption algorithm library according to the first encryption and decryption algorithm identifier;
[0161] Extract the target gateway device identifier from the second verification information;
[0162] Using the target gateway device identifier as the key, the first random value is encrypted using the target encryption and decryption algorithm to obtain the third verification information;
[0163] If the third verification information is consistent with the second verification information, then the verification of the second verification information is deemed to have passed.
[0164] In this embodiment, the second verification information is generated based on the first verification information. The first verification information includes a first random value and a first encryption / decryption algorithm identifier in a preset encryption / decryption algorithm library. The corresponding first encryption / decryption algorithm can be read from the preset encryption / decryption algorithm library according to the first encryption / decryption algorithm identifier. For example, when the first encryption / decryption algorithm identifier is the sequence number m of the preset encryption / decryption algorithm library D, then the corresponding first encryption / decryption algorithm can be determined to be the m-th algorithm fm of the preset encryption / decryption algorithm library D.
[0165] In implementation, the target gateway device identifier can be used as the key on the local machine of the building management platform to encrypt the first random value using the target encryption and decryption algorithm to obtain the third verification information. Then, the third verification information and the second verification information are compared. If they are the same, the verification is confirmed to be successful. Otherwise, the building management platform disconnects the verification connection with the building gateway.
[0166] In one embodiment, the building management platform is equipped with a deployment information table, which is used to record the tunnel construction information of each building gateway;
[0167] Step S450 obtains the tunnel construction information corresponding to the building gateway, including the following steps:
[0168] Locate the target gateway device identifier in the deployment information table to obtain the tunnel construction information corresponding to the target building gateway.
[0169] In this embodiment, reference Figure 6 This is a deployment information representation. The deployment information table contains the gateway device identifiers corresponding to each building site. The target gateway device identifier can be found in the deployment information table, and then the corresponding tunnel construction information can be obtained.
[0170] Specifically, the deployment information table can be initially created and maintained by the building management platform. As the number of building branch sites increases, the number of entries in the table will continue to increase. At the same time, when the verification request and confirmation between the building gateway and the building management platform are both successful, the building management platform will distribute the deployment information entries of the corresponding building site to the corresponding building gateway.
[0171] In one embodiment, the tunnel construction information includes building site information, service deployment information, branch-side VPN subnet construction parameters, and central-side VPN access parameters. The central-side VPN access parameters include: central-side VPN public IP address, IPsec authentication parameters, IPsec tunnel mode, and negotiation parameters for Phase 1 and Phase 2.
[0172] Step S450 involves encrypting the tunnel construction information and sending it to the target building gateway, including the following steps:
[0173] The second encryption and decryption algorithm in the preset encryption and decryption algorithm library is used, with the gateway identity information as the key, to encrypt the central VPN public IP and IPsec authentication parameters to obtain the first encrypted access parameters;
[0174] The third encryption and decryption algorithm in the preset encryption and decryption algorithm library is used, with the identity information storage address as the key, to encrypt the IPsec tunnel mode and the negotiation parameters of the first and second phases to obtain the second encrypted access parameters;
[0175] The building site information, business deployment information, branch-side VPN subnet construction parameters, first encrypted access parameters, second encrypted access parameters, second encryption / decryption algorithm identifier, and third encryption / decryption algorithm identifier are encrypted using a second dynamic key updated based on a second real-time timestamp and third verification information to obtain encrypted tunnel construction information;
[0176] Send the encrypted tunnel construction information to the target building gateway.
[0177] Specifically, the first part of the sensitive confidential information can be the public IP address of the central VPN and IPsec authentication parameters. It can use a second encryption / decryption algorithm from a pre-defined encryption / decryption algorithm library. For example, the algorithm fs corresponding to the s-th number in the encryption / decryption algorithm library D can be pre-defined, and the gateway identity information can be used as the key. Specifically, the gateway identity information of the target building gateway can be a plaintext string, which can be in the form of S-D1-Y. This string S-D1-Y can be used as the key to encrypt the first part of the sensitive confidential information, i.e., the first encrypted access parameter. Here, S is a specific unique string, D1 is the platform time synchronization service address, and Y is the verification code.
[0178] In addition, the IPsec tunnel mode and the negotiation parameters of Phase 1 and Phase 2 can be regarded as the second part of sensitive confidential information. The third encryption and decryption algorithm in the preset encryption and decryption algorithm library can be used. For example, the algorithm ft corresponding to the t-th number in the preset encryption and decryption algorithm library D can be used as the key to encrypt the second part of sensitive confidential information, i.e., the second encrypted access parameters.
[0179] After determining the building site information, business deployment information, branch-side VPN subnet construction parameters, first encrypted access parameters, and second encrypted access parameters, a second dynamic key can be obtained by updating based on a second real-time timestamp. The updated second dynamic key is then combined with third verification information for encryption to obtain encrypted tunnel construction information. This encrypted tunnel construction information is then sent to the target building gateway, enabling the target building gateway to complete tunnel construction upon receiving the encrypted tunnel construction information, thereby achieving connection with the building management platform.
[0180] When building the deployment information table, each time a new building site is added, its site information must be created in the building management platform. For example, the site deployment information corresponding to this new building site will be added to the cloud platform, including the "building site information", "business deployment information", "central VPN access parameters", and "branch VPN subnet construction parameters" corresponding to this new site.
[0181] The specific content or values of "Building Site Information" and "Branch-side VPN Subnet Construction Parameters" are assigned by the building management platform in an append-only manner based on the existing building site information that has been imported into the branch-side sites, such as building site codes and branch-side VPN subnet construction parameters, to ensure uniqueness.
[0182] Regarding "central VPN access parameters", under normal circumstances, a certain number of user branch-side building sites can share a central VPN access entry. The building management platform can allocate central VPN entry and corresponding IPsec access parameters to user sites with new VPN access requests based on its total number of central VPN entry and the number of currently connected links for each VPN entry, with the principle of balanced link allocation.
[0183] For "business deployment information," it can be imported when creating site information on the building management platform, based on the equipment information and business function usage requirements of the corresponding building site. For example, it can be manually entered or generated from customer order information. Figure 6 As shown, the business deployment information may include: building gateway device number, business type, open protocol type, third-party interface address, etc.
[0184] This embodiment provides a VPN network access method for a building gateway applied to a building management platform. The building management platform communicates with one or more building gateways. Each building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each building terminal device. The building terminal devices access the building gateway through the building controller. Upon receiving an encrypted initial verification request from a target building gateway requiring access verification, the encrypted initial verification request is decrypted to obtain the target gateway device information. The target gateway device information is then verified. After successful verification of the target gateway device information, first verification information is obtained for the first verification. The system encrypts and generates an initial verification pass notification, which is then sent to the target building gateway. It receives a secondary verification request from the target building gateway based on the initial verification pass notification, decrypts the request to obtain the second verification information, and verifies this information (i.e., performs a second verification). Once the second verification is successful, it obtains the tunnel construction information corresponding to the target building gateway, encrypts the tunnel construction information, and sends it to the target building gateway to establish a VPN network tunnel between the two gateways. This two-step self-service verification process enables access to the building gateway without manual intervention, improving connection security and convenience.
[0185] Example 3
[0186] Figure 7 This is a schematic diagram of a VPN network access device for a building gateway according to Embodiment 3 of the present invention. The device is applied in a building gateway, where one building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each building terminal device. The building terminal devices access the building gateway through the building controller. The building gateway communicates with a building management platform. Figure 7 As shown, the device includes:
[0187] The acquisition module 710 is used to acquire the gateway device information of the building gateway itself when access verification is required;
[0188] The first initiation module 720 is used to initiate an initial encryption verification request to the building management platform based on the gateway device information;
[0189] The extraction module 730 is used to extract the first verification information from the encryption initial verification pass notification when it receives the encryption initial verification pass notification returned by the building management platform based on the encryption initial verification request.
[0190] Generation module 740 is used to generate second verification information based on the first verification information;
[0191] The second initiation module 750 is used to initiate an encrypted secondary verification request to the building management platform based on the second verification information;
[0192] VPN network tunnel establishment module 760 is used to establish a VPN network tunnel between the building gateway and the building management platform based on the encrypted tunnel construction information returned by the building management platform after the building management platform verifies the encrypted secondary verification request and passes the verification.
[0193] In one embodiment, the gateway device information includes a gateway device identifier and gateway identity information, and the acquisition module 710 includes the following sub-modules:
[0194] An identity information acquisition request generation submodule is used to generate an identity information acquisition request based on the target gateway device identifier;
[0195] The identity information acquisition request sending submodule is used to encrypt the identity information acquisition request using a preset key and send the encrypted identity information acquisition request to the building management platform;
[0196] The encrypted identity information storage address receiving submodule is used to receive the encrypted identity information storage address returned by the building management platform based on the identity information acquisition request;
[0197] The gateway identity information reading submodule is used to decrypt the encrypted identity information storage address using a preset key, and then read the corresponding encoded gateway identity information from the local memory based on the obtained identity information storage address.
[0198] The gateway identity information determination submodule is used to decode the encoded gateway identity information using a reverse algorithm of a preset encoding algorithm to obtain the gateway identity information.
[0199] In one embodiment, the device further includes the following modules:
[0200] The time synchronization request initiation module is used to initiate a time synchronization request to the time synchronization service of the building management platform based on the time synchronization service address and the verification code, so as to complete the time synchronization with the building management platform.
[0201] In one embodiment, the first initiating module 720 includes the following sub-modules:
[0202] The first dynamic key generation submodule is used to obtain the first real-time timestamp and generate the first dynamic key based on the first real-time timestamp.
[0203] An encryption initial verification request generation submodule is used to encrypt the gateway device information using the first dynamic key and generate an encryption initial verification request.
[0204] The encryption initial verification request sending submodule is used to send the encryption initial verification request to the building management platform.
[0205] In one embodiment, the extraction module 730 includes the following sub-modules:
[0206] The first dynamic key update submodule is used to update the first real-time timestamp and update the first dynamic key based on the updated first real-time timestamp, wherein the precision of the first real-time timestamp is minutes.
[0207] The first verification information acquisition submodule is used to decrypt the encrypted initial verification notification using the updated first dynamic key to obtain the first verification information.
[0208] In one embodiment, the first verification information includes a first random value and a first encryption / decryption algorithm identifier from a preset encryption / decryption algorithm library; the gateway device information includes a gateway device identifier; the generation module 740 includes the following sub-modules:
[0209] The first encryption / decryption algorithm reading submodule is used to read the corresponding first encryption / decryption algorithm from the preset encryption / decryption algorithm library according to the first encryption / decryption algorithm identifier;
[0210] The second verification information determination submodule is used to encrypt the first random value using the gateway device identifier as the key and the first encryption / decryption algorithm to obtain a second random value as the second verification information.
[0211] In one embodiment, the second initiation module 750 includes the following sub-modules:
[0212] The second random value encryption submodule is used to encrypt the second random value using a first dynamic key updated based on a first real-time timestamp, and obtain an encryption secondary verification request.
[0213] The encrypted secondary verification request sending submodule is used to send the encrypted secondary verification request to the building management platform.
[0214] In one embodiment, the VPN network tunnel establishment module 760 is specifically used for:
[0215] The first dynamic key is updated based on the first real-time timestamp, and the updated first dynamic key and the second random value are used as keys to decrypt the encrypted tunnel construction information to obtain building site information, service deployment information, branch-side VPN subnet construction parameters and encryption center-side VPN access parameters. The encryption center-side VPN access parameters include a first encrypted access parameter, a second encrypted access parameter, a second encryption / decryption algorithm identifier in a preset encryption / decryption algorithm library related to the first encrypted access parameter, and a third encryption / decryption algorithm identifier in a preset encryption / decryption algorithm library related to the second encrypted access parameter.
[0216] The second encryption and decryption algorithm corresponding to the second encryption and decryption algorithm is used, and the gateway identity information is used as the key to decrypt the first encrypted access parameters to obtain the central VPN public IP and IPsec authentication parameters.
[0217] The third encryption and decryption algorithm corresponding to the third encryption and decryption algorithm identifier is used, and the identity information storage address is used as the key to decrypt the second encrypted access parameters to obtain the IPsec tunnel mode and the negotiation parameters of the first and second phases.
[0218] Based on the building site information, service deployment information, branch-side VPN subnet construction parameters, central-side VPN public IP, IPsec authentication parameters, IPsec tunnel mode, and negotiation parameters for Phase 1 and Phase 2, a VPN network tunnel is established between the building gateway and the building management platform.
[0219] The VPN network access device for a building gateway provided in this embodiment of the invention can implement the VPN network access method for a building gateway provided in Embodiment 1 of the invention, and has the corresponding functional modules and beneficial effects of the method.
[0220] Example 4
[0221] Figure 8 This is a schematic diagram of a VPN network access device for a building gateway according to Embodiment 4 of the present invention. The device is applied in a building management platform, which communicates with one or more building gateways. Each building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each of the building terminal devices. The building terminal devices access the building gateway through the building controller. Figure 8 As shown, the device includes:
[0222] The decryption module 810 is used to decrypt the encrypted initial verification request after receiving the target building gateway that needs to perform access verification, and obtain the target gateway device information.
[0223] The first verification information acquisition module 820 is used to verify the target gateway device information and acquire the first verification information after the target gateway device information is verified.
[0224] Encryption module 830 is used to encrypt the first verification information to generate an encryption initial verification pass notification;
[0225] The sending module 840 is used to send the encrypted initial verification to the target building gateway via a notification;
[0226] The second verification information acquisition module 850 is used to receive the encrypted secondary verification request sent by the target building gateway based on the encrypted initial verification pass notification, and to decrypt the encrypted secondary verification request to obtain the second verification information.
[0227] The execution module 860 is used to verify the second verification information. After the verification of the second verification information is successful, it obtains the tunnel construction information corresponding to the target building gateway, encrypts the tunnel construction information, and sends it to the target building gateway to establish a VPN network tunnel between the target building gateway and the target building gateway.
[0228] In one embodiment, the building management platform stores a gateway device information table, which is used to record gateway device information of one or more building gateways;
[0229] The device also includes the following modules:
[0230] The target gateway device identifier determination module is used to receive the encrypted identity information acquisition request sent by the target building gateway, and decrypt the encrypted identity information acquisition request using a preset key to obtain the target gateway device identifier;
[0231] The identity information storage address transmission module is used to look up the target gateway device identifier in the gateway device information table to obtain the corresponding identity information storage address, and encrypt the identity information storage address with a preset key before transmitting it to the target building gateway, so that the target building gateway can obtain the corresponding gateway identity information based on the identity information storage address.
[0232] In one embodiment, the decryption module 810 includes the following sub-modules:
[0233] The second dynamic key generation submodule is used to obtain a second real-time timestamp and generate a second dynamic key based on the second real-time timestamp, wherein the precision of the second real-time timestamp is minutes;
[0234] The target gateway device information determination submodule is used to decrypt the encrypted initial verification request using the second dynamic key to obtain the target gateway device information.
[0235] In one embodiment, the target gateway device information includes a target gateway device identifier;
[0236] The first verification information acquisition module 820 is used for:
[0237] The target gateway device identifier is searched in the pre-obtained gateway device information table to obtain the corresponding previously recorded gateway device information;
[0238] If the previously recorded gateway device information is consistent with the target gateway device information, then obtain the set of connected building gateway identifiers;
[0239] If the target gateway device identifier does not exist in the set of connected building gateway identifiers, then the verification of the target gateway device information is deemed successful.
[0240] In one embodiment, the first verification information includes a first random value and a first encryption / decryption algorithm identifier in a preset encryption / decryption algorithm library;
[0241] The execution module 860 includes the following sub-modules:
[0242] The first encryption / decryption algorithm reading submodule is used to read the corresponding first encryption / decryption algorithm from the preset encryption / decryption algorithm library according to the first encryption / decryption algorithm identifier;
[0243] The target gateway device identifier extraction submodule is used to extract the target gateway device identifier from the second verification information;
[0244] The third verification information determination submodule is used to encrypt the first random value using the target gateway device identifier as the key and the target encryption / decryption algorithm to obtain the third verification information;
[0245] The determination submodule is used to determine that the verification of the second verification information is successful when the third verification information is consistent with the second verification information.
[0246] In one embodiment, the building management platform includes a deployment information table, which records tunnel construction information for each building gateway; the execution module 860 is specifically used for:
[0247] The target gateway device identifier is searched in the deployment information table to obtain the tunnel construction information corresponding to the target building gateway.
[0248] In one embodiment, the tunnel construction information includes building site information, service deployment information, branch-side VPN subnet construction parameters, and central-side VPN access parameters. The central-side VPN access parameters include: central-side VPN public IP address, IPsec authentication parameters, IPsec tunnel mode, and negotiation parameters for Phase 1 and Phase 2.
[0249] The execution module 860 is specifically used for:
[0250] Using the second encryption and decryption algorithm from the preset encryption and decryption algorithm library, and with the gateway identity information as the key, the central VPN public IP and the IPsec authentication parameters are encrypted to obtain the first encrypted access parameters;
[0251] The third encryption and decryption algorithm in the preset encryption and decryption algorithm library is used, with the identity information storage address as the key, to encrypt the IPsec tunnel mode and the negotiation parameters of the first and second stages to obtain the second encrypted access parameters;
[0252] The building site information, the service deployment information, the branch-side VPN subnet construction parameters, the first encrypted access parameters, the second encrypted access parameters, the second encryption / decryption algorithm identifier, and the third verification information are encrypted to obtain encrypted tunnel construction information;
[0253] The encrypted tunnel construction information is sent to the target building gateway.
[0254] The VPN network access device for a building gateway provided in this embodiment of the invention can implement the VPN network access method for a building gateway provided in Embodiment 2 of the invention, and has the corresponding functional modules and beneficial effects of the method.
[0255] Example 5
[0256] Figure 9 A schematic diagram of an electronic device 10 that can be used to implement embodiments of the present invention is shown. The electronic device is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device can also represent various forms of mobile devices, such as personal digital processors, cellular phones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely illustrative and are not intended to limit the implementation of the invention described and / or claimed herein.
[0257] like Figure 9 As shown, the electronic device 10 includes at least one processor 11 and a memory, such as a read-only memory (ROM) 12 or a random access memory (RAM) 13, communicatively connected to the at least one processor 11. The memory stores computer programs executable by the at least one processor. The processor 11 can perform various appropriate actions and processes based on the computer program stored in the ROM 12 or loaded from storage unit 18 into the RAM 13. The RAM 13 can also store various programs and data required for the operation of the electronic device 10. The processor 11, ROM 12, and RAM 13 are interconnected via a bus 14. An input / output (I / O) interface 15 is also connected to the bus 14.
[0258] Multiple components in electronic device 10 are connected to I / O interface 15, including: input unit 16, such as keyboard, mouse, etc.; output unit 17, such as various types of displays, speakers, etc.; storage unit 18, such as disk, optical disk, etc.; and communication unit 19, such as network card, modem, wireless transceiver, etc. Communication unit 19 allows electronic device 10 to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks.
[0259] Processor 11 can be a variety of general-purpose and / or special-purpose processing components with processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various special-purpose artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller, etc. Processor 11 performs the various methods and processes described above, such as a VPN network access method for a building gateway.
[0260] In some embodiments, a VPN network access method for a building gateway may be implemented as a computer program tangibly contained in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and / or installed on electronic device 10 via ROM 12 and / or communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the VPN network access method for a building gateway described above may be performed. Alternatively, in other embodiments, processor 11 may be configured to perform a VPN network access method for a building gateway by any other suitable means (e.g., by means of firmware).
[0261] Various embodiments of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-a-chip (SoCs), payload-programmable logic devices (CPLDs), computer hardware, firmware, software, and / or combinations thereof. These various embodiments may include implementations in one or more computer programs that can be executed and / or interpreted on a programmable system including at least one programmable processor, which may be a dedicated or general-purpose programmable processor, capable of receiving data and instructions from a storage system, at least one input device, and at least one output device, and transmitting data and instructions to the storage system, the at least one input device, and the at least one output device.
[0262] Computer programs used to implement the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, such that when executed by the processor, the computer programs cause the functions / operations specified in the flowcharts and / or block diagrams to be performed. The computer programs may be executed entirely on a machine, partially on a machine, or as a standalone software package, partially on a machine and partially on a remote machine, or entirely on a remote machine or server.
[0263] In the context of this invention, a computer-readable storage medium can be a tangible medium that may contain or store a computer program for use by or in conjunction with an instruction execution system, apparatus, or device. A computer-readable storage medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination thereof. Alternatively, a computer-readable storage medium may be a machine-readable signal medium. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.
[0264] To provide interaction with a user, the systems and techniques described herein can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or trackball) through which the user provides input to the electronic device. Other types of devices can also be used to provide interaction with the user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including sound input, voice input, or tactile input).
[0265] The systems and technologies described herein can be implemented in computing systems that include backend components (e.g., as data servers), or computing systems that include middleware components (e.g., application servers), or computing systems that include frontend components (e.g., user computers with graphical user interfaces or web browsers through which users can interact with implementations of the systems and technologies described herein), or any combination of such backend, middleware, or frontend components. The components of the system can be interconnected via digital data communication of any form or medium (e.g., communication networks). Examples of communication networks include local area networks (LANs), wide area networks (WANs), blockchain networks, and the Internet.
[0266] A computing system can include clients and servers. Clients and servers are generally located far apart and typically interact through communication networks. The client-server relationship is created by computer programs running on the respective computers and having a client-server relationship with each other. The server can be a cloud server, also known as a cloud computing server or cloud host, which is a hosting product within the cloud computing service system to address the shortcomings of traditional physical hosts and VPS services, such as high management difficulty and weak business scalability.
[0267] It should be understood that the various forms of processes shown above can be used, with steps reordered, added, or deleted. For example, the steps described in this invention can be executed in parallel, sequentially, or in different orders, as long as the desired result of the technical solution of this invention can be achieved, and this is not limited herein.
[0268] The specific embodiments described above do not constitute a limitation on the scope of protection of this invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations, and substitutions can be made according to design requirements and other factors. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of this invention should be included within the scope of protection of this invention.
Claims
1. A VPN network access method for a building gateway, characterized in that, The method is applied to a building gateway, where one building gateway corresponds to one or more building sites. Each building site includes one or more building terminal devices and a building controller connected to each of the building terminal devices. The building terminal devices access the building gateway through the building controller. The building gateway communicates with the building management platform; the method includes: When access verification is required, the gateway device information of the building gateway itself is obtained, and an initial encryption verification request is initiated to the building management platform based on the gateway device information. When the building management platform receives a notification that the initial encryption verification has passed based on the initial encryption verification request, the first verification information is extracted from the initial encryption verification pass notification. Based on the first verification information, a second verification information is generated, and based on the second verification information, an encrypted secondary verification request is initiated to the building management platform; When the building management platform verifies the encrypted secondary verification request and returns encrypted tunnel construction information, a VPN network tunnel between the building gateway and the building management platform is established based on the encrypted tunnel construction information. The first verification information includes a first random value and a first encryption / decryption algorithm identifier from a preset encryption / decryption algorithm library; the gateway device information includes a gateway device identifier; The step of generating second verification information based on the first verification information includes: The corresponding first encryption / decryption algorithm is read from the preset encryption / decryption algorithm library according to the first encryption / decryption algorithm identifier; Using the gateway device identifier as the key, the first random value is encrypted using the first encryption / decryption algorithm to obtain a second random value, which serves as the second verification information.
2. The method according to claim 1, characterized in that, The gateway device information includes a gateway device identifier and gateway identity information. Obtaining the building gateway's own gateway device information includes: A request to obtain identity information is generated based on the gateway device identifier; The identity information acquisition request is encrypted using a preset key, and the encrypted identity information acquisition request is sent to the building management platform; Receive the encrypted identity information storage address returned by the building management platform based on the identity information acquisition request; After decrypting the encrypted identity information storage address using a preset key, the corresponding encoded gateway identity information is read from the local memory based on the obtained identity information storage address. The gateway identity information is obtained by decoding the encoded gateway identity information using a reverse algorithm of a preset encoding algorithm.
3. The method according to claim 2, characterized in that, The gateway identity information includes a time synchronization service address and a verification code. Before initiating an initial encryption verification request to the building management platform based on the gateway device information, the method further includes: Based on the time synchronization service address and the verification code, a time synchronization request is initiated to the time synchronization service of the building management platform to complete the time synchronization with the building management platform.
4. The method according to claim 2 or 3, characterized in that, The step of initiating an encrypted initial verification request to the building management platform based on the gateway device information includes: Obtain the first real-time timestamp and generate the first dynamic key based on the first real-time timestamp; The gateway device information is encrypted using the first dynamic key to generate an initial encryption verification request; The initial encryption verification request is sent to the building management platform.
5. The method according to claim 4, characterized in that, When the building management platform receives a notification that the initial encryption verification has passed based on the initial encryption verification request, the first verification information is extracted from the notification, including: The first real-time timestamp is updated, and the first dynamic key is updated based on the updated first real-time timestamp, wherein the precision of the first real-time timestamp is minutes; The initial encryption verification is decrypted using the updated first dynamic key to obtain the first verification information.
6. The method according to claim 1, characterized in that, The step of initiating an encrypted secondary verification request to the building management platform based on the second verification information includes: The second random value is encrypted using a first dynamic key that is updated based on a first real-time timestamp to obtain an encrypted secondary verification request; Send the encrypted secondary verification request to the building management platform.
7. The method according to claim 1 or 6, characterized in that, The process of establishing a VPN network tunnel between the building gateway and the building management platform based on the encrypted tunnel construction information includes: The first dynamic key is updated based on the first real-time timestamp, and the updated first dynamic key and the second random value are used as keys to decrypt the encrypted tunnel construction information to obtain building site information, service deployment information, branch-side VPN subnet construction parameters and encryption center-side VPN access parameters. The encryption center-side VPN access parameters include a first encrypted access parameter, a second encrypted access parameter, a second encryption / decryption algorithm identifier in a preset encryption / decryption algorithm library related to the first encrypted access parameter, and a third encryption / decryption algorithm identifier in a preset encryption / decryption algorithm library related to the second encrypted access parameter. The second encryption and decryption algorithm corresponding to the second encryption and decryption algorithm is used, and the gateway identity information is used as the key to decrypt the first encrypted access parameters to obtain the central VPN public IP and IPsec authentication parameters. The third encryption and decryption algorithm corresponding to the third encryption and decryption algorithm identifier is used, and the identity information storage address is used as the key to decrypt the second encrypted access parameters to obtain the IPsec tunnel mode and the negotiation parameters of the first and second phases. Based on the building site information, service deployment information, branch-side VPN subnet construction parameters, central-side VPN public IP, IPsec authentication parameters, IPsec tunnel mode, and negotiation parameters for Phase 1 and Phase 2, a VPN network tunnel is established between the building gateway and the building management platform.
8. A VPN network access method for a building gateway, characterized in that, The method is applied in a building management platform, which communicates with one or more building gateways; one building gateway corresponds to one or more building sites, each building site including one or more building terminal devices and a building controller connected to each of the building terminal devices, the building terminal devices accessing the building gateway through the building controller; the method includes: Upon receiving an encrypted initial verification request from the target building gateway that requires access verification, the encrypted initial verification request is decrypted to obtain the target gateway device information. The target gateway device information is verified, and after the verification of the target gateway device information is successful, the first verification information is obtained; The first verification information is encrypted to generate an encrypted initial verification pass notification, and the encrypted initial verification pass notification is sent to the target building gateway; Receive the encrypted secondary verification request sent by the target building gateway based on the encrypted initial verification pass notification, and decrypt the encrypted secondary verification request to obtain the second verification information; The second verification information is verified. Once the verification of the second verification information is successful, the tunnel construction information corresponding to the target building gateway is obtained, and the tunnel construction information is encrypted and sent to the target building gateway to establish a VPN network tunnel between the target building gateway and the target building gateway. The first verification information includes a first random value and a first encryption / decryption algorithm identifier from a preset encryption / decryption algorithm library; The verification of the second verification information includes: The corresponding first encryption / decryption algorithm is read from the preset encryption / decryption algorithm library according to the first encryption / decryption algorithm identifier; Extract the target gateway device identifier from the second verification information; Using the target gateway device identifier as the key, the first random value is encrypted using the first encryption / decryption algorithm to obtain the third verification information; If the third verification information is consistent with the second verification information, then the verification of the second verification information is deemed to have passed.
9. The method according to claim 8, characterized in that, The building management platform stores a gateway device information table, which is used to record gateway device information for one or more building gateways; Before decrypting the encrypted initial verification request and obtaining the target gateway device information after receiving the encrypted initial verification request from the target building gateway that requires access verification, the method further includes: Receive the encrypted identity information acquisition request sent by the target building gateway, and decrypt the encrypted identity information acquisition request using a preset key to obtain the target gateway device identifier; The target gateway device identifier is searched in the gateway device information table to obtain the corresponding identity information storage address. The identity information storage address is then encrypted using a preset key and transmitted to the target building gateway so that the target building gateway can obtain the corresponding gateway identity information based on the identity information storage address.
10. The method according to claim 8, characterized in that, The step of decrypting the initial encryption verification request to obtain the target gateway device information includes: Obtain a second real-time timestamp and generate a second dynamic key based on the second real-time timestamp, wherein the precision of the second real-time timestamp is in minutes; The second dynamic key is used to decrypt the encrypted initial verification request to obtain the target gateway device information.
11. The method according to claim 8 or 9, characterized in that, The target gateway device information includes the target gateway device identifier; The verification of the target gateway device information includes: The target gateway device identifier is searched in the pre-obtained gateway device information table to obtain the corresponding previously recorded gateway device information; If the previously recorded gateway device information is consistent with the target gateway device information, then obtain the set of connected building gateway identifiers; If the target gateway device identifier does not exist in the set of connected building gateway identifiers, then the verification of the target gateway device information is deemed successful.
12. The method according to claim 10, characterized in that, The building management platform includes a deployment information table, which is used to record the tunnel construction information of each building gateway. The step of obtaining the tunnel construction information corresponding to the building gateway includes: The target gateway device identifier is searched in the deployment information table to obtain the tunnel construction information corresponding to the target building gateway.
13. The method according to claim 9, characterized in that, The tunnel construction information includes building site information, service deployment information, branch-side VPN subnet construction parameters, and central-side VPN access parameters. The central-side VPN access parameters include: central-side VPN public IP address, IPsec authentication parameters, IPsec tunnel mode, and negotiation parameters for Phase 1 and Phase 2. The step of encrypting the tunnel construction information and sending it to the target building gateway includes: Using the second encryption and decryption algorithm from the preset encryption and decryption algorithm library, and with the gateway identity information as the key, the central VPN public IP and the IPsec authentication parameters are encrypted to obtain the first encrypted access parameters; The third encryption and decryption algorithm in the preset encryption and decryption algorithm library is used, with the identity information storage address as the key, to encrypt the IPsec tunnel mode and the negotiation parameters of the first and second stages to obtain the second encrypted access parameters; The building site information, the service deployment information, the branch-side VPN subnet construction parameters, the first encrypted access parameters, the second encrypted access parameters, the second encryption / decryption algorithm identifier, and the third encryption / decryption algorithm identifier are encrypted using a second dynamic key updated based on a second real-time timestamp and third verification information to obtain encrypted tunnel construction information; The encrypted tunnel construction information is sent to the target building gateway.
14. A VPN network access device for a building gateway, characterized in that, The device is applied in a building gateway, one building gateway corresponds to one or more building sites, the building site includes one or more building terminal devices and a building controller connected to each of the building terminal devices, and the building terminal devices are connected to the building gateway through the building controller; The building gateway communicates with the building management platform; the device includes: The acquisition module is used to acquire the gateway device information of the building gateway itself when access verification is required; The first initiation module is used to initiate an initial encryption verification request to the building management platform based on the gateway device information; The extraction module is used to extract the first verification information from the encryption initial verification pass notification returned by the building management platform based on the encryption initial verification request when it receives the encryption initial verification pass notification. The generation module is used to generate second verification information based on the first verification information; The second initiation module is used to initiate an encrypted secondary verification request to the building management platform based on the second verification information; The VPN network tunnel establishment module is used to establish a VPN network tunnel between the building gateway and the building management platform based on the encrypted tunnel construction information returned by the building management platform after the building management platform verifies the encrypted secondary verification request and the verification is successful. The first verification information includes a first random value and a first encryption / decryption algorithm identifier from a preset encryption / decryption algorithm library; the gateway device information includes a gateway device identifier; The generation module includes the following sub-modules: The first encryption / decryption algorithm reading submodule is used to read the corresponding first encryption / decryption algorithm from the preset encryption / decryption algorithm library according to the first encryption / decryption algorithm identifier; The second verification information determination submodule is used to encrypt the first random value using the gateway device identifier as the key and the first encryption / decryption algorithm to obtain a second random value as the second verification information.
15. A VPN network access device for a building gateway, characterized in that, The device is used in a building management platform, which communicates with one or more building gateways; each building gateway corresponds to one or more building sites, each building site including one or more building terminal devices and a building controller connected to each of the building terminal devices, the building terminal devices accessing the building gateway through the building controller; the device includes: The decryption module is used to decrypt the encrypted initial verification request sent by the target building gateway that needs to perform access verification, and obtain the target gateway device information. The first verification information acquisition module is used to verify the target gateway device information and acquire the first verification information after the target gateway device information is verified. The encryption module is used to encrypt the first verification information to generate an encrypted initial verification pass notification; The sending module is used to send the initial encryption verification to the target building gateway via a notification; The second verification information acquisition module is used to receive the encrypted secondary verification request sent by the target building gateway based on the encrypted initial verification pass notification, and to decrypt the encrypted secondary verification request to obtain the second verification information. The execution module is used to verify the second verification information. After the verification of the second verification information is successful, it obtains the tunnel construction information corresponding to the target building gateway, encrypts the tunnel construction information and sends it to the target building gateway to establish a VPN network tunnel between the target building gateway and the target building gateway. The first verification information includes a first random value and a first encryption / decryption algorithm identifier from a preset encryption / decryption algorithm library; The execution module includes the following sub-modules: The first encryption / decryption algorithm reading submodule is used to read the corresponding first encryption / decryption algorithm from the preset encryption / decryption algorithm library according to the first encryption / decryption algorithm identifier; The target gateway device identifier extraction submodule is used to extract the target gateway device identifier from the second verification information; The third verification information determination submodule is used to encrypt the first random value using the target gateway device identifier as the key and the first encryption / decryption algorithm to obtain the third verification information. The determination submodule is used to determine that the verification of the second verification information is successful when the third verification information is consistent with the second verification information.
16. An electronic device, characterized in that, The electronic device includes: At least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores a computer program executable by the at least one processor, the computer program being executed by the at least one processor to enable the at least one processor to perform a VPN network access method for a building gateway according to any one of claims 1-13.
17. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer instructions that, when executed by a processor, implement the VPN network access method for a building gateway according to any one of claims 1-13.