Netinfo Security (信息网络安全) ›› 2023, Vol. 23 ›› Issue (8): 17-31. doi: 10.3969/j.issn.1671-1122.2023.08.002

• Technical Research •

SDP-CoAP: Design of Security Enhanced CoAP Communication Framework Based on Software Defined Perimeter

ZHANG Wei1, LI Zixuan1, XU Xiaoyu2, HUANG Haiping1

  1. School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
  2. Jiangsu Lianchuang Software Research Institute, Nanjing 210003, China
  • Received: 2023-06-25  Online: 2023-08-10  Published: 2023-08-08
  • Corresponding author: ZHANG Wei, E-mail: zhangw@njupt.edu.cn
  • About the authors: ZHANG Wei (1973-), male, Jiangsu, professor, Ph.D., CCF member; main research interests: network and information security, malicious code analysis, social network analysis. LI Zixuan (1998-), male, Hebei, master's student; main research interest: network security. XU Xiaoyu (1983-), male, Jiangsu, engineer; main research interest: cloud computing. HUANG Haiping (1981-), male, Fujian, professor, Ph.D., CCF member; main research interests: IoT technology, network security, data privacy protection.
  • Funding: National Key R&D Program of China (2019YFB2101700)

Abstract:

The Constrained Application Protocol (CoAP), as a new Internet of Things (IoT) protocol, cannot meet the new security requirements despite considering security in its design. This paper proposed a security-enhanced CoAP communication framework (SDP-CoAP) based on Software Defined Perimeter (SDP). SDP-CoAP used Single Packet Authentication (SPA) technology: the client added its authentication information, the tunnel encryption method of Datagram Transport Layer Security (DTLS) and the CoAP request method to the first packet of the handshake process and sent it to the SDP controller, achieving authentication before communication. For authenticated access requests, the credibility of the access was evaluated in real time from multiple dimensions such as environment and behavior, and multi-dimensional dynamic access authorization was realized by combining this evaluation with the client's different request methods. This paper also analyzed the specific deployment modes of the SDP-CoAP architecture and designed a deployment mode that takes security performance, energy consumption and processing delay into account together. Experiments verify that the client-gateway deployment mode of SDP-CoAP can effectively enhance the security of CoAP networks without introducing significant energy consumption or network delay.

Key words: Internet of Things, zero trust, software-defined perimeter, single packet authentication
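As an added illustration of the authenticate-first, then authorize flow the abstract describes (example code written for this page, not code from the paper or its authors): the client binds its identity, the DTLS suite it wants and the CoAP method it intends to use into one HMAC-protected first packet; the controller verifies the MAC, rejects stale or replayed packets and weak suites, and only then gates the requested method on a trust score built from several context dimensions. The packet layout, field names, pre-shared key, trust weights and per-method thresholds are all assumptions made here, not the SDP-CoAP paper's actual format.

```python
"""Illustrative single-packet-authentication (SPA) gate in the style of an
SDP controller fronting CoAP. Layout, names and thresholds are assumptions."""
import hashlib
import hmac
import json
import os
import time

# Constructed sample: one client and its provisioned pre-shared key (assumption).
CLIENT_KEYS = {"sensor-01": b"constructed-psk-for-sensor-01"}
# Minimum trust score each CoAP method needs (assumed policy, not the paper's).
METHOD_MIN_TRUST = {"GET": 0.3, "PUT": 0.6, "POST": 0.6, "DELETE": 0.8}
# DTLS suites the controller is willing to let a client negotiate (assumption).
ALLOWED_DTLS_SUITES = {"TLS_PSK_WITH_AES_128_CCM_8",
                       "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"}
REPLAY_WINDOW_S = 30  # accepted clock skew for the timestamp check


def build_spa_packet(client_id, key, dtls_suite, method, now=None, nonce=None):
    """Client side: put identity, the chosen DTLS suite and the intended CoAP
    method into one packet and authenticate it with an HMAC over the body."""
    body = {
        "client_id": client_id,
        "ts": int(now if now is not None else time.time()),
        "nonce": (nonce or os.urandom(8)).hex(),
        "dtls_suite": dtls_suite,
        "method": method,
    }
    # Canonical JSON so both sides compute the MAC over identical bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload + b"." + tag.encode()


class SdpController:
    """Controller side: authenticate the first packet, then authorize the
    requested method from a multi-dimensional trust score."""

    def __init__(self, keys):
        self.keys = keys
        self.seen_nonces = set()  # replay cache; would be bounded in practice

    def authenticate(self, packet, now=None):
        """Return (body, 'ok') on success, else (None, reason)."""
        now = now if now is not None else time.time()
        try:
            payload, tag = packet.rsplit(b".", 1)
            body = json.loads(payload)
            key = self.keys[body["client_id"]]
            ts = int(body["ts"])
            tag = tag.decode("ascii")
        except (ValueError, KeyError, TypeError):
            return None, "malformed packet or unknown client"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return None, "bad MAC"
        if abs(now - ts) > REPLAY_WINDOW_S:
            return None, "stale timestamp"
        if body["nonce"] in self.seen_nonces:
            return None, "replayed nonce"
        self.seen_nonces.add(body["nonce"])
        if body["dtls_suite"] not in ALLOWED_DTLS_SUITES:
            return None, "weak DTLS suite"
        return body, "ok"

    @staticmethod
    def trust_score(context):
        """Toy multi-dimensional trust: weighted sum of per-dimension scores in
        [0, 1] such as environment and behavior. Weights are an assumption."""
        weights = {"environment": 0.5, "behavior": 0.5}
        return sum(weights[k] * float(context.get(k, 0.0)) for k in weights)

    def authorize(self, body, context):
        """Gate the CoAP method named in the authenticated packet on trust."""
        score = self.trust_score(context)
        needed = METHOD_MIN_TRUST.get(body["method"], 1.0)  # unknown: deny
        return score >= needed, score


if __name__ == "__main__":
    ctl = SdpController(CLIENT_KEYS)
    pkt = build_spa_packet("sensor-01", CLIENT_KEYS["sensor-01"],
                           "TLS_PSK_WITH_AES_128_CCM_8", "PUT")
    body, reason = ctl.authenticate(pkt)
    print(reason, ctl.authorize(body, {"environment": 0.9, "behavior": 0.5}))
```

The point a deployer would check is the ordering: the MAC, timestamp, nonce and suite checks all run before any CoAP or DTLS state is created, and the method carried in the packet is what the authorization step keys on, so a client cannot authenticate for a GET and then issue a PUT without a fresh packet.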

CLC number: