CN-122027292-A - MQTT certificate management method, device, equipment and medium of embedded Internet of things system
Abstract
The application discloses an MQTT credential management method, device, equipment and medium for an embedded Internet of Things system, in the field of the Internet of Things. The method comprises: reading the encrypted MQTT credential data corresponding to a credential acquisition request required for an MQTT connection from the device's local storage and decrypting it; if a preset trigger condition is met, obtaining new MQTT credential data from a target server, encrypting the new MQTT credential data to obtain new encrypted MQTT credential data, storing the new encrypted MQTT credential data in local storage, and returning the new MQTT credential data to the requester; and, when it is detected that the MQTT connection has been interrupted because of a credential problem, clearing the corresponding encrypted MQTT credential data from local storage, obtaining new MQTT credential data, and establishing a new MQTT connection with the new MQTT credential data. The application improves the security and reliability of MQTT communication of embedded Internet of Things devices.
Inventors
- LI BO
Assignees
- 杭州麦唐科技有限公司
Dates
- Publication Date: 2026-05-12
- Application Date: 2026-02-13
Claims (10)
- 1. An MQTT credential management method for an embedded Internet of Things system, characterized by comprising the following steps: obtaining a credential acquisition request required for an MQTT connection, and reading and decrypting, with a preset credential manager, the encrypted MQTT credential data corresponding to the request from the local storage of the target device, wherein the encryption of the MQTT credential data comprises encrypting the MQTT credential data with a randomly generated symmetric key, generating corresponding integrity verification information, and encrypting the symmetric key with the asymmetric public key extracted from the client certificate preset on the target device; if a preset trigger condition is met, acquiring new MQTT credential data from a target server over a secure transmission channel, wherein the preset trigger condition comprises the MQTT credential data being absent, the MQTT credential data being damaged, and the MQTT credential data failing to decrypt, and the secure transmission channel is a communication link established on the basis of the client certificate for securely exchanging data between the device and the server; encrypting the new MQTT credential data to obtain new encrypted MQTT credential data, storing the new encrypted MQTT credential data in the local storage, and returning the new MQTT credential data to the requester; and, when it is detected that the MQTT connection has been interrupted because of a credential problem, clearing the corresponding encrypted MQTT credential data from the local storage and obtaining new MQTT credential data, so that a new MQTT connection is established with the new MQTT credential data.
- 2. The MQTT credential management method of the embedded Internet of Things system of claim 1, wherein the randomly generated symmetric key is a one-time, cryptographically secure symmetric key; correspondingly, the encryption of the MQTT credential data comprises: randomly generating the symmetric key and a twelve-byte initialization vector, encrypting the MQTT credential data with the symmetric key and the initialization vector, and generating the corresponding integrity verification information; encrypting the symmetric key with the asymmetric public key extracted from the client certificate preset on the target device; and combining the length of the encrypted symmetric key, the initialization vector, the integrity verification information and the encrypted MQTT credential data into a binary packet in a preset order, the binary packet being the encrypted MQTT credential data.
- 3. The MQTT credential management method of an embedded Internet of Things system of claim 1, further comprising: when decrypting the encrypted MQTT credential data, comparing the integrity verification information generated when the MQTT credential data was encrypted with integrity verification information recalculated over the encrypted MQTT credential data to obtain a comparison result; if the comparison result shows that the two values are inconsistent, judging that decryption has failed, and if it shows that they are consistent, judging that the data integrity check has passed and continuing to decrypt the encrypted MQTT credential data.
- 4. The method for MQTT credential management of an embedded internet of things system of claim 1, further comprising, after reading and decrypting the encrypted MQTT credential data corresponding to the credential acquisition request from the local storage of the target device: And if the encrypted MQTT credential data is successfully decrypted, returning the decrypted MQTT credential data plaintext to the requester.
- 5. The MQTT credential management method of an embedded internet of things system of claim 1, wherein the process of establishing the secure transport channel comprises: loading a client certificate preset by the target device, a private key corresponding to the client certificate and a root certificate into a network communication library running on the target device; And carrying out bidirectional transport layer security authentication with the target server by using the network communication library based on the client certificate, the private key corresponding to the client certificate and the root certificate, and establishing an encrypted communication link after the authentication is passed.
- 6. The MQTT credential management method of an embedded Internet of Things system of claim 1, wherein, when an interruption of the MQTT connection caused by a credential problem is detected, clearing the corresponding encrypted MQTT credential data from the local storage and obtaining new MQTT credential data comprises: when an interruption of the MQTT connection caused by loss of the MQTT credential, damage to the MQTT credential, expiry of the MQTT credential or revocation of the MQTT credential by its issuer is detected, clearing from the local storage the encrypted MQTT credential data corresponding to the currently invalid MQTT credential; and returning to the step of acquiring new MQTT credential data from the target server over the secure transmission channel so as to obtain the new MQTT credential data.
- 7. The method for MQTT credential management of an embedded internet of things system of claim 1, wherein the storing the new encrypted MQTT credential data in the local store further comprises: If the storage fails, recording failure information of the storage failure by using the credential manager, storing the failure information in a target log area corresponding to the target equipment, and performing fault detection and repair by using the failure information.
- 8. An MQTT credential management device of an embedded internet of things system, comprising: The decryption module is used for acquiring a credential acquisition request required by MQTT connection, and reading and decrypting encrypted MQTT credential data corresponding to the credential acquisition request from local storage of target equipment by utilizing a preset credential manager, wherein the encryption process of the MQTT credential data comprises the steps of encrypting the MQTT credential data by utilizing a symmetric key which is randomly generated, generating corresponding integrity verification information, and encrypting the symmetric key according to an asymmetric encryption public key extracted from a client side certificate preset by the target equipment; The data acquisition module is used for acquiring new MQTT credential data from the target server through a secure transmission channel if a preset trigger condition is met, wherein the preset trigger condition comprises the absence of the MQTT credential data, the damage of the MQTT credential data and the decryption failure of the MQTT credential data, and the secure transmission channel is a communication link which is established in a manner of performing two-way authentication based on the client certificate and is used for safely exchanging data between equipment and the server; the data return module is used for encrypting the new MQTT credential data to obtain new encrypted MQTT credential data, storing the new encrypted MQTT credential data in the local storage and returning the new MQTT credential data to a requester; And the data updating module is used for clearing the corresponding encrypted MQTT credential data in the local storage when the interruption of the MQTT connection caused by the problem of the credential is detected, and acquiring new MQTT credential data so as to establish new MQTT connection according to the new MQTT credential data.
- 9. An electronic device, comprising: A memory for storing a computer program; A processor for executing the computer program to implement the MQTT credential management method of the embedded internet of things system of any one of claims 1 to 7.
- 10. A computer readable storage medium for storing a computer program which when executed by a processor implements the MQTT credential management method of the embedded internet of things system of any one of claims 1 to 7.
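The sealing format of claim 2, the integrity check of claim 3 and the refresh triggers of claims 1 and 6, as an added worked example in Go; this is not part of the patent and not the applicant's code. Assumptions beyond what the claims state: AES-256-GCM as the symmetric cipher with the GCM tag serving as the "integrity verification information", RSA-OAEP for wrapping the one-time symmetric key, the exact byte layout of the packet (the claim only lists the fields and "a preset order"), a freshly generated RSA key pair in place of the preset client certificate from which the patent extracts the public key, and a `Fetch` callback standing in for the mutual-TLS request to the server of claim 5. The credential string is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Packet layout assumed from claim 2's field list (the claim fixes the fields
// and "a preset order", not the byte encoding):
//   [2-byte BE length of wrapped key][wrapped key][12-byte IV][16-byte tag][ciphertext]
// AES-256-GCM (its tag is the "integrity verification information") and RSA-OAEP
// key wrapping are assumptions; the claim only says "symmetric key" and "12-byte IV".
const ivLen, tagLen = 12, 16

var ErrCorrupt = errors.New("credential blob truncated or failed integrity check")

// SealCredential: one-time key and IV, AEAD-encrypt, wrap the key with the device
// public key (in the patent, extracted from the preset client certificate), pack.
func SealCredential(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+ivLen)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, iv, plaintext, nil) // Go puts the 16-byte tag after the ciphertext
	body, tag := ct[:len(ct)-tagLen], ct[len(ct)-tagLen:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped)+ivLen+len(ct))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(append(append(out, wrapped...), iv...), tag...)
	return append(out, body...), nil
}

// OpenCredential reverses SealCredential. gcm.Open recomputes the tag over the
// ciphertext and compares it in constant time before releasing plaintext (claim 3);
// any mismatch is reported as a decryption failure, a claim 1 refresh trigger.
func OpenCredential(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(binary.BigEndian.Uint16(blob))+ivLen+tagLen {
		return nil, ErrCorrupt
	}
	n := 2 + int(binary.BigEndian.Uint16(blob))
	wrapped, iv, tag, body := blob[2:n], blob[n:n+ivLen], blob[n+ivLen:n+ivLen+tagLen], blob[n+ivLen+tagLen:]
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil || len(key) != 32 {
		return nil, ErrCorrupt // wrapped key damaged: cannot even derive the cipher
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, iv, append(append([]byte{}, body...), tag...), nil)
	if err != nil {
		return nil, ErrCorrupt
	}
	return pt, nil
}

// Manager is claim 1's credential manager: device key pair, the local storage slot
// (nil = absent) and a fetcher standing in for the claim 5 mTLS request (assumed).
type Manager struct {
	Priv    *rsa.PrivateKey
	Pub     *rsa.PublicKey
	Blob    []byte
	Fetch   func() []byte
	Fetches int // server round trips, so callers can observe refreshes
}

// Get returns plaintext credentials for an MQTT connect. Absent, truncated or
// tampered storage are claim 1's trigger conditions: clear the stale blob, fetch,
// re-seal, store, return. Claim 6 (broker rejected the credential) is Blob = nil + Get.
func (m *Manager) Get() ([]byte, error) {
	if m.Blob != nil {
		if pt, err := OpenCredential(m.Priv, m.Blob); err == nil {
			return pt, nil
		}
		m.Blob = nil
	}
	fresh := m.Fetch()
	m.Fetches++
	blob, err := SealCredential(m.Pub, fresh)
	if err != nil {
		return nil, err
	}
	m.Blob = blob
	return fresh, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	m := &Manager{Priv: priv, Pub: &priv.PublicKey, Fetch: func() []byte { return []byte("user=dev-0001;pass=constructed") }}
	m.Get()                    // storage empty: round trip 1
	m.Blob[len(m.Blob)-1] ^= 1 // flip a ciphertext byte: tag check fails on the next Get
	cred, err := m.Get()       // tamper detected, blob cleared: round trip 2
	fmt.Println(m.Fetches, string(cred), err)
}
```

The flipped byte is rejected by the tag comparison before any plaintext leaves `OpenCredential`, which is the property the background section says plaintext or XOR-obscured credential files lack. Two caveats a practitioner should carry over to a real device: the wrapping private key must live somewhere an attacker with filesystem access cannot read (otherwise the envelope only adds a step), and because any corrupt blob triggers a server round trip, something that can write to the storage area can force repeated re-fetches, so the fetch path should be rate-limited and logged as claim 7 suggests for storage failures.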
Description
MQTT credential management method, device, equipment and medium of an embedded Internet of Things system
Technical Field
The application relates to the field of the Internet of Things, and in particular to an MQTT credential management method, device, equipment and medium for an embedded Internet of Things system.
Background
In the Internet of Things (IoT), the MQTT (Message Queuing Telemetry Transport) protocol is the mainstream protocol for communication between devices and cloud platforms because it is lightweight and efficient. To secure that communication, MQTTS (MQTT over a TLS/SSL security layer; TLS, Transport Layer Security; SSL, Secure Sockets Layer) requires the device side to present valid identity credentials such as client certificates, private keys and passwords. On resource-constrained embedded devices, securely managing these sensitive credentials is a key challenge, especially for devices that run unattended for long periods in complex network environments. Existing MQTT credential management schemes fall into two main kinds: static credential deployment, and simple dynamic acquisition based on configuration files.
However, in the static deployment scheme the credentials cannot be updated while the device is in operation. When a credential expires, is revoked or is leaked, it can only be replaced by pushing new credentials in batches remotely or by physically accessing the devices, so maintenance cost is very high and response is slow; the lifetime of a static credential matches that of the device, the risk exposure window is large, and security incidents are likely. In the simple configuration-file scheme the locally stored credentials are not protected: they are kept in plaintext or under a simple XOR encryption, which is easily broken by reverse engineering, physical access and similar means. There is also no integrity verification for the stored credentials, so tampering with the credential file cannot be detected and the device risks connecting to a malicious server. The security level of credential acquisition in this scheme does not match that of the device's HTTPS (Hypertext Transfer Protocol Secure) communication, leaving a weak point in the system's security model. Moreover, these existing schemes have no automatic recovery mechanism after a credential becomes invalid: MQTT communication is simply interrupted when the credential is lost, damaged or invalidated, which seriously affects device availability.
Disclosure of Invention
In view of the above, the present application aims to provide an MQTT credential management method, device, equipment and medium for an embedded Internet of Things system, which can improve the security and reliability of MQTT communication of embedded Internet of Things devices.
The specific scheme is as follows. In a first aspect, the present application provides an MQTT credential management method for an embedded Internet of Things system, including: obtaining a credential acquisition request required for an MQTT connection, and reading and decrypting, with a preset credential manager, the encrypted MQTT credential data corresponding to the request from the local storage of the target device, wherein the encryption of the MQTT credential data comprises encrypting the MQTT credential data with a randomly generated symmetric key, generating corresponding integrity verification information, and encrypting the symmetric key with the asymmetric public key extracted from the client certificate preset on the target device; if a preset trigger condition is met, acquiring new MQTT credential data from a target server over a secure transmission channel, wherein the preset trigger condition comprises the MQTT credential data being absent, the MQTT credential data being damaged, and the MQTT credential data failing to decrypt, and the secure transmission channel is a communication link established on the basis of the client certificate for securely exchanging data between the device and the server; encrypting the new MQTT credential data to obtain new encrypted MQTT credential data, storing the new encrypted MQTT credential data in the local storage, and returning the new MQTT credential data to the requester; and, when it is detected that the MQTT connection has been interrupted because of a credential problem, clearing the corresponding encrypted MQTT credential data from the local storage and obtaining new MQTT credential data, so that a new MQTT connection is established according to the ne