CN103581154B - Authentication method and device in system of Internet of Things - Google Patents

Publication number
CN103581154B
Authority
CN
China
Prior art keywords
authentication
tuple
random number
internet
service
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210280775.XA
Other languages
Chinese (zh)
Other versions
CN103581154A (en
Inventor
任晓东
肖青
刘越
赵立君
王红梅
阎军智
齐旻鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201210280775.XA priority Critical patent/CN103581154B/en
Publication of CN103581154A publication Critical patent/CN103581154A/en
Application granted granted Critical
Publication of CN103581154B publication Critical patent/CN103581154B/en

Landscapes

  • Telephonic Communication Services (AREA)

Abstract

The invention discloses an authentication method and device for an Internet of Things system. When an Internet of Things terminal requests authentication, the service platform sends the terminal a random number, or a random number plus an authentication token. The terminal generates an authentication value from the received random number, or random number plus authentication token, and returns it to the service platform. The service platform determines from the received authentication value whether the terminal passes authentication. Compared with the prior art, the method and device need no preset user names and passwords, which improves security, and require no new hardware, which makes them easy to implement.

Description

Authentication method and device in an Internet of Things system
Technical field
The present invention relates to Internet of Things technology, and in particular to an authentication method and device in an Internet of Things system.
Background
At present, authentication in an Internet of Things system generally works as follows:
The Internet of Things terminal logs in to the service platform with a preset user name and password, and the service platform authenticates the terminal by that user name and password.
However, the user name and password in this approach are easily leaked, so security is poor; preventing the leak requires adding new hardware and the like, which is cumbersome to implement.
Summary of the invention
In view of this, the invention provides an authentication method and device in an Internet of Things system that improve security and are easy to implement.
To achieve this, the technical solution of the invention is realized as follows:
An authentication method in an Internet of Things system, applicable to the scenario where the UICC used by the Internet of Things terminal is a SIM card, comprising:
A. the service platform receives a service authentication request from an Internet of Things terminal;
B. the service platform sends the terminal the random number from one unused service authentication 2-tuple that it has obtained and stored for that terminal, where "unused" means that the random number in the 2-tuple has never been sent to the terminal, and a service authentication 2-tuple consists of a random number and an authentication value;
the service platform then receives the authentication value returned by the terminal, which the terminal generated from the authentication triplet corresponding to the received random number; if the received authentication value matches the authentication value in the stored service authentication 2-tuple containing the random number that the terminal received, authentication passes; otherwise it fails.
An authentication method in an Internet of Things system, applicable to the scenario where the UICC used by the Internet of Things terminal is a USIM card, comprising:
A. the service platform receives a service authentication request from an Internet of Things terminal;
B. the service platform sends the terminal the random number + authentication token from one unused service authentication 2-tuple that it has obtained and stored for that terminal, where "unused" means that the random number + authentication token in the 2-tuple has never been sent to the terminal; a service authentication 2-tuple consists of a random number + authentication token and an authentication value, and + denotes combination;
the service platform then receives the authentication value returned by the terminal, which the terminal generated from the authentication quintuple corresponding to the received random number + authentication token; if the received authentication value matches the authentication value in the stored service authentication 2-tuple containing the random number + authentication token that the terminal received, authentication passes; otherwise it fails.
A service platform, applicable to the scenario where the UICC used by the Internet of Things terminal is a SIM card, comprising:
a receiving module, configured to receive a service authentication request from an Internet of Things terminal and pass it to the first authentication module;
the first authentication module, configured to send the terminal the random number from one unused service authentication 2-tuple stored in the acquisition module for that terminal, where "unused" means that the random number in the 2-tuple has never been sent to the terminal, and a service authentication 2-tuple consists of a random number and an authentication value; and to receive the authentication value returned by the terminal, which the terminal generated from the authentication triplet corresponding to the received random number; if the received authentication value matches the authentication value in the service authentication 2-tuple, stored in the acquisition module, that contains the random number the terminal received, authentication passes; otherwise it fails;
an acquisition module, configured to obtain and store the service authentication 2-tuples corresponding to the terminal.
A service platform, applicable to the scenario where the UICC used by the Internet of Things terminal is a USIM card, comprising:
a receiving module, configured to receive a service authentication request from an Internet of Things terminal and pass it to the first authentication module;
the first authentication module, configured to send the terminal the random number + authentication token from one unused service authentication 2-tuple stored in the acquisition module for that terminal, where "unused" means that the random number + authentication token in the 2-tuple has never been sent to the terminal; a service authentication 2-tuple consists of a random number + authentication token and an authentication value, and + denotes combination; and to receive the authentication value returned by the terminal, which the terminal generated from the authentication quintuple corresponding to the received random number + authentication token; if the received authentication value matches the authentication value in the stored service authentication 2-tuple containing the random number + authentication token that the terminal received, authentication passes; otherwise it fails;
an acquisition module, configured to obtain and store the service authentication 2-tuples corresponding to the terminal.
An Internet of Things terminal whose UICC is a SIM card, comprising:
a third authentication module, configured to send a service authentication request to the service platform when an Internet of Things service needs to be initiated; and, if it receives a random number from the service platform before obtaining an authentication result, to generate an authentication value from the authentication triplet corresponding to that random number and return it to the service platform.
An Internet of Things terminal whose UICC is a USIM card, comprising:
a third authentication module, configured to send a service authentication request to the service platform when an Internet of Things service needs to be initiated; and, if it receives a random number + authentication token from the service platform before obtaining an authentication result, to generate an authentication value from the authentication quintuple corresponding to that random number + authentication token and return it to the service platform; + denotes combination.
As can be seen, with the scheme of the invention, when an Internet of Things terminal requests authentication, the service platform sends it a random number or a random number + authentication token; the terminal generates an authentication value from what it received and returns it to the service platform; and the service platform determines from the received authentication value whether the terminal passes authentication. Compared with the prior art, the scheme needs no preset user name and password, which improves security, and requires no new hardware, which makes it easy to implement.
Brief description of the drawings
Fig. 1 is a flow chart of the authentication method embodiment of the invention when the UICC used by the Internet of Things terminal is a SIM card.
Fig. 2 is a flow chart of the authentication method embodiment of the invention when the UICC used by the Internet of Things terminal is a USIM card.
Fig. 3 is a schematic diagram of the process by which the service platform of the invention obtains in advance the service authentication 2-tuples corresponding to an Internet of Things terminal.
Fig. 4 is a flow chart of the preferred authentication method embodiment of the invention when the UICC used by the Internet of Things terminal is a SIM card.
Fig. 5 is a flow chart of the preferred authentication method embodiment of the invention when the UICC used by the Internet of Things terminal is a USIM card.
Fig. 6 is a schematic diagram of the structure of the service platform embodiment of the invention.
Detailed description
To address the problems in the prior art, the invention proposes an improved authentication scheme for an Internet of Things system that improves security and is easy to implement.
Depending on whether the universal integrated circuit card (UICC) used by the Internet of Things terminal is a subscriber identity module (SIM) or a universal subscriber identity module (USIM), the implementation of the scheme differs; the two cases are described separately below.
Fig. 1 is a flow chart of the authentication method embodiment of the invention when the UICC used by the Internet of Things terminal is a SIM card. As shown in Fig. 1, it comprises the following steps:
Step 11: the service platform receives a service authentication request from an Internet of Things terminal.
Step 12: the service platform sends the terminal the random number from one unused service authentication 2-tuple that it has obtained and stored for that terminal, where "unused" means that the random number in the 2-tuple has never been sent to the terminal, and a service authentication 2-tuple consists of a random number and an authentication value. The service platform then receives the authentication value returned by the terminal, which the terminal generated from the authentication triplet corresponding to the received random number; if the received authentication value matches the authentication value in the stored service authentication 2-tuple containing the random number that the terminal received, authentication passes; otherwise it fails.
Preferably, before performing step 12, the service platform may also read the indication information carried in the service authentication request and determine from it whether the request carries a service authentication 2-tuple. If not, step 12 is performed. If so, the platform determines whether the random number carried in the request is the same as the random number in a stored service authentication 2-tuple; if not, step 12 is performed; if so, it further determines whether the authentication value carried in the request matches the authentication value in the stored service authentication 2-tuple containing that random number; if it does, authentication passes; otherwise it fails. The random numbers in the service authentication 2-tuples stored on the service platform are all different from one another.
Correspondingly, whether or not authentication passes, the service platform must notify the terminal of the authentication result, and the result carries the random number from one unused service authentication 2-tuple that the platform has obtained and stored for the terminal. The random number carried in a service authentication request is the one the terminal obtained from the previous authentication result, and the authentication value carried in the request is the one the terminal generated from the authentication triplet corresponding to that random number.
Fig. 2 is a flow chart of the authentication method embodiment of the invention when the UICC used by the Internet of Things terminal is a USIM card. As shown in Fig. 2, it comprises the following steps:
Step 21: the service platform receives a service authentication request from an Internet of Things terminal.
Step 22: the service platform sends the terminal the random number + authentication token from one unused service authentication 2-tuple that it has obtained and stored for that terminal, where "unused" means that the random number + authentication token in the 2-tuple has never been sent to the terminal; a service authentication 2-tuple consists of a random number + authentication token and an authentication value, and + denotes combination. The service platform then receives the authentication value returned by the terminal, which the terminal generated from the authentication quintuple corresponding to the received random number + authentication token; if the received authentication value matches the authentication value in the stored service authentication 2-tuple containing the random number + authentication token that the terminal received, authentication passes; otherwise it fails.
Preferably, before performing step 22, the service platform may also read the indication information carried in the service authentication request and determine from it whether the request carries a service authentication 2-tuple. If not, step 22 is performed. If so, the platform determines whether the random number + authentication token carried in the request is the same as the random number + authentication token in a stored service authentication 2-tuple; if not, step 22 is performed; if so, it further determines whether the authentication value carried in the request matches the authentication value in the stored service authentication 2-tuple containing that random number + authentication token; if it does, authentication passes; otherwise it fails. The random number + authentication token values in the service authentication 2-tuples stored on the service platform are all different from one another.
Correspondingly, whether or not authentication passes, the service platform must notify the terminal of the authentication result, and the result carries the random number + authentication token from one unused service authentication 2-tuple that the platform has obtained and stored for the terminal. The random number + authentication token carried in a service authentication request is the one the terminal obtained from the previous authentication result, and the authentication value carried in the request is the one the terminal generated from the authentication quintuple corresponding to that random number + authentication token.
As can be seen, in both embodiments above, when an Internet of Things terminal requests authentication, the service platform sends it a random number or a random number + authentication token; the terminal generates an authentication value from what it received and returns it to the service platform; and the service platform determines from the received authentication value whether the terminal passes authentication. Compared with the prior art, the scheme needs no preset user name and password, which improves security, and requires no new hardware, which makes it easy to implement.
In addition, indication information can be set in the service authentication request and different handling applied according to it, which is very flexible. Carrying a random number, or a random number + authentication token, in the authentication result also means that authentication can complete with as little as one request and one response, which speeds up authentication.
Further, in both embodiments the service platform needs the service authentication 2-tuples corresponding to the terminal during authentication. They can be fetched when they are needed during authentication, or obtained in advance, that is, before the terminal's service authentication request is received. Specifically, the service platform knows which Internet of Things terminals have subscribed to its service, so it can obtain the corresponding service authentication 2-tuples in advance for each subscribed terminal. To reduce the number of information exchanges, it can obtain several, that is, two or more, service authentication 2-tuples in advance for each subscribed terminal. During authentication the platform then uses the 2-tuples obtained in advance directly, which eliminates the acquisition time and further speeds up authentication.
Fig. 3 is a schematic diagram of the process by which the service platform of the invention obtains in advance the service authentication 2-tuples corresponding to an Internet of Things terminal. As shown in Fig. 3, it comprises the following steps:
Step 31: for an Internet of Things terminal, the service platform requests authentication information from the operation management platform and sends it the terminal's International Mobile Equipment Identity (IMEI) and the like.
Step 32: the operation management platform looks up the International Mobile Subscriber Identity (IMSI) corresponding to the received IMEI.
The operation management platform stores in advance the correspondence between the IMEI and IMSI of each Internet of Things terminal.
Step 33: the operation management platform sends an authentication information request (send authentication info req) to the HLR/AuC, carrying the terminal's IMSI.
The home location register (HLR) and the authentication centre (AuC) are the devices that provide authentication information; they are usually co-located and are written HLR/AuC.
Step 34: the HLR/AuC generates authentication triplets or authentication quintuples according to the received IMSI and returns them to the operation management platform in the authentication information response (send authentication info cnf).
In the 3GPP security architecture, the core parameter Ki exists only in the HLR/AuC, the SIM card and the USIM card, and strict security mechanisms protect it. The generation algorithms for authentication triplets and authentication quintuples can be preset in the HLR/AuC, the triplet generation algorithm in the SIM card, and the quintuple generation algorithm in the USIM card.
Specifically, an authentication triplet is generated as follows:
1. Random number (RAND): produced by the random number generator of the AuC; every RAND value generated is different;
2. Authentication parameter (SRES): calculated from Ki and RAND by the A3 algorithm;
3. Encryption key (Kc): calculated from Ki and RAND by the A8 algorithm.
An authentication quintuple is generated as follows:
1. Random number (RAND): produced by the random number generator of the AuC; every RAND value generated is different;
2. Authentication parameter (XRES, also called RES; written XRES in this document): calculated from Ki and RAND by the f2 algorithm;
3. Encryption key (CK): calculated from Ki and RAND by the f3 algorithm;
4. Integrity key (IK): calculated from Ki and RAND by the f4 algorithm;
5. Authentication token (AUTN): the generation algorithm is more complicated; since how it is generated has no direct bearing on the scheme of the invention, it is not described.
Assume that in this embodiment five service authentication 2-tuples are to be returned to the service platform at once for an Internet of Things terminal. The HLR/AuC first determines, from the received IMSI of the terminal, whether the UICC the terminal uses is a SIM card or a USIM card. For a SIM card it generates five authentication triplets (RAND, Kc, SRES); for a USIM card it generates five authentication quintuples (RAND, XRES, CK, IK, AUTN). It returns the five generated triplets or quintuples to the operation management platform.
Steps 35~36: the operation management platform generates service authentication 2-tuples from the received authentication triplets or quintuples and returns them to the service platform.
If the operation management platform received five authentication triplets, then for each triplet it can compute the hash of its SRES and Kc with Secure Hash Algorithm 1 (SHA-1), giving five results, that is, five authentication values (MR), each MR = SHA-1(SRES + Kc). Each triplet thus yields its corresponding service authentication 2-tuple (RAND, MR): the RAND in each 2-tuple is the RAND of the corresponding triplet, and the MR in each 2-tuple is the MR calculated from that triplet.
If the operation management platform received five authentication quintuples, then for each quintuple it can compute the hash of its CK with SHA-1, giving five results, that is, five MR values, each MR = SHA-1(CK). Each quintuple thus yields its corresponding service authentication 2-tuple (RAND + AUTN, MR): the RAND + AUTN in each 2-tuple is the RAND + AUTN of the corresponding quintuple, and the MR in each 2-tuple is the MR calculated from that quintuple; + denotes combination, that is, concatenation.
Because the operation management platform is operator equipment, it is trusted, so authentication triplets and quintuples can be exposed to it. The service platform, however, is usually not operator equipment and is untrusted. To protect the triplets and quintuples, they cannot be exposed to the service platform and must instead be converted into service authentication 2-tuples, in such a way that the triplet or quintuple cannot be derived back from the 2-tuple.
Note that the above way of generating authentication values from authentication triplets and quintuples is only an example and does not limit the technical solution; other ways are also possible, as long as the triplet or quintuple cannot be derived back from the service authentication 2-tuple.
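The conversion performed by the operation management platform and the challenge-response check of Fig. 1, as an added Python example that is not code from the patent. The HMAC-SHA256 stand-in for A3/A8, all class and function names, and the choice to discard a 2-tuple after one verification attempt are assumptions of this example; + is read as concatenation.

```python
import hashlib
import hmac
import secrets


def a3_a8_stand_in(ki, rand):
    """ASSUMPTION: stand-in for the operator's A3/A8, which the page does not specify.
    Returns (SRES, Kc) with the GSM sizes of 4 and 8 bytes."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def auc_generate_triplets(ki, count):
    """HLR/AuC side: a fresh RAND per triplet, returned as (RAND, Kc, SRES)."""
    triplets = []
    for _ in range(count):
        rand = secrets.token_bytes(16)
        sres, kc = a3_a8_stand_in(ki, rand)
        triplets.append((rand, kc, sres))
    return triplets


def triplet_to_service_tuple(triplet):
    """Operation management platform, SIM case: (RAND, MR = SHA-1(SRES + Kc))."""
    rand, kc, sres = triplet
    return rand, hashlib.sha1(sres + kc).digest()


def quintuple_to_service_tuple(quintuple):
    """USIM case: (RAND + AUTN, MR = SHA-1(CK)); XRES, CK and IK are not passed on."""
    rand, xres, ck, ik, autn = quintuple
    return rand + autn, hashlib.sha1(ck).digest()


class Terminal:
    """SIM side: same derivation as the HLR/AuC, then the same hash as the operator."""

    def __init__(self, ki):
        self.ki = ki

    def respond(self, rand):
        sres, kc = a3_a8_stand_in(self.ki, rand)
        return hashlib.sha1(sres + kc).digest()


class ServicePlatform:
    """Holds only (RAND, MR) pairs; it never sees Ki, SRES or Kc."""

    def __init__(self, service_tuples):
        self.unused = dict(service_tuples)  # RAND -> MR, never sent to the terminal
        self.issued = {}                    # RAND -> MR, sent and awaiting an answer

    def next_rand(self):
        if not self.unused:
            return None  # pool exhausted: more 2-tuples must be fetched (Fig. 3)
        rand = secrets.choice(list(self.unused))
        self.issued[rand] = self.unused.pop(rand)
        return rand

    def handle_request(self, f, rand=None, mr=None):
        """f=0: no 2-tuple carried, so send a challenge.
        f=1: verify the carried (RAND, MR); the result carries the next RAND."""
        if f == 1 and rand in self.issued:
            # ASSUMPTION of this example: each issued RAND gets one attempt.
            expected = self.issued.pop(rand)
            ok = isinstance(mr, bytes) and hmac.compare_digest(expected, mr)
            return ("pass" if ok else "fail", self.next_rand())
        return ("challenge", self.next_rand())


def run_demo():
    ki = bytes(range(16))  # constructed sample key, not a real Ki
    pool = [triplet_to_service_tuple(t) for t in auc_generate_triplets(ki, 5)]
    platform, terminal = ServicePlatform(pool), Terminal(ki)
    _, rand1 = platform.handle_request(f=0)
    first = platform.handle_request(1, rand1, terminal.respond(rand1))
    replay = platform.handle_request(1, rand1, terminal.respond(rand1))
    return first[0], replay[0]


if __name__ == "__main__":
    print(run_demo())
```

A request that replays an already answered RAND falls through to a fresh challenge, which is the "random number does not match, perform step 12" branch of the preferred embodiment.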
To make the technical solution of the invention clearer, the implementation of the scheme is described in further detail below with reference to the drawings and preferred embodiments.
Fig. 4 is a flow chart of the preferred authentication method embodiment of the invention when the UICC used by the Internet of Things terminal is a SIM card. As shown in Fig. 4, it comprises the following steps:
Step 41: the service platform receives a service authentication request from an Internet of Things terminal.
When an Internet of Things terminal needs to initiate an Internet of Things service, it must first authenticate to the service platform, that is, send the platform a service authentication request, which may carry indication information, a service authentication 2-tuple, and so on.
In practice, a one-bit indicator f can serve as the indication information: if f is 1, the service authentication request carries a service authentication 2-tuple; if f is 0, it does not.
As described earlier, if the service authentication request carries a service authentication 2-tuple, the random number in that 2-tuple is the one the terminal obtained from the previous authentication result, and the authentication value carried in the request is the one the terminal generated from the authentication triplet corresponding to that random number.
On the terminal side, after obtaining the random number carried in the previous authentication result, the terminal generates the authentication triplet corresponding to that random number in the same way as the HLR/AuC, then generates the authentication value from the triplet in the same way as the operation management platform, and thus obtains the service authentication 2-tuple.
Step 42: the service platform reads the indication information carried in the service authentication request and determines from it whether the request carries a service authentication 2-tuple; if not, step 43 is performed; if so, step 49 is performed.
Step 43: the service platform sends the terminal the random number from one unused service authentication 2-tuple that it obtained in advance and stored for that terminal, where "unused" means that the random number in the 2-tuple has never been sent to the terminal.
The number of service authentication two tuple corresponding with internet-of-things terminal that hypothesis business platform obtains in advance and preserves is 5 Individual, for ease of statement, respectively this 5 service authentication two tuples are referred to as service authentication two tuple 1, service authentication two tuple 2, industry Business authentication two tuples 3, service authentication two tuple 4 and service authentication two tuple 5, and assume service authentication two tuple 2, service authentication Two tuples 3, service authentication two tuple 4 and service authentication two tuple 5 do not use, then, in this step, business platform can select at random Select untapped service authentication two tuple, such as service authentication two tuple 2, random number therein is sent to Internet of Things eventually End.
Steps 44-45: The IoT terminal generates an authentication value from the authentication triple corresponding to the received random number and returns the generated authentication value to the service platform.
In this step, the IoT terminal generates the authentication triple corresponding to the received random number in the same way as the HLR/AuC does, and then generates the authentication value from that triple in the same way as the operation management platform does.
Step 46: The service platform determines whether the received authentication value is consistent with the authentication value in the saved service authentication two-tuple that contains the random number received by the IoT terminal. If so, go to step 47; otherwise, go to step 48.
Continuing the example from step 43, if the authentication value received by the service platform is consistent with the authentication value in service authentication two-tuple 2, go to step 47; otherwise, go to step 48.
Step 47: Authentication passes. The service platform sends an authentication success message to the IoT terminal, carrying the random number from one unused service authentication two-tuple that the platform obtained and saved in advance for that terminal. The flow ends.
Continuing the example from step 43, since service authentication two-tuples 1 and 2 have been used, in this step one of the remaining three service authentication two-tuples can be selected at random, for example service authentication two-tuple 3, and its random number is carried in the authentication success message sent to the IoT terminal.
Step 48: Authentication does not pass. The service platform sends an authentication failure message to the IoT terminal, carrying the random number from one unused service authentication two-tuple that the platform obtained and saved in advance for that terminal. The flow ends.
Continuing the example from step 43, since service authentication two-tuples 1 and 2 have been used, in this step one of the remaining three service authentication two-tuples can be selected at random, for example service authentication two-tuple 3, and its random number is carried in the authentication failure message sent to the IoT terminal.
Step 49: The service platform determines whether the random number carried in the service authentication request is identical to the random number in one of the saved service authentication two-tuples, that is, whether the random number carried in the request is valid. If so, go to step 410; otherwise, go to step 43.
Step 410: The service platform determines whether the authentication value carried in the service authentication request is consistent with the authentication value in the saved service authentication two-tuple that contains the random number carried in the request. If so, go to step 47; otherwise, go to step 48.
Suppose the authentication value carried in the service authentication request was generated from the random number in service authentication two-tuple 1. Then, if the service platform determines that the authentication value carried in the request is consistent with the authentication value in the saved service authentication two-tuple 1, go to step 47; otherwise, go to step 48.
After authentication passes, the IoT terminal and the service platform can each generate the same session key from the authentication value used in the authentication process and use this session key to encrypt service data in transit, ensuring the security of the data exchanged between the IoT terminal and the service platform.
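The flow of steps 42 to 410 as a runnable sketch, added here as an illustration and not taken from the patent. Assumptions: HMAC-SHA256 stands in for the SIM and HLR/AuC algorithms, SHA-256 for the "predetermined algorithm", the session-key derivation is hypothetical, and the platform additionally refuses a random number it has already verified once, which the text does not state.

```python
import hashlib
import hmac
import secrets


def derive_triple(ki, rand):
    # ASSUMPTION: HMAC-SHA256 stands in for the SIM / HLR-AuC algorithms, which
    # the page does not specify. Returns (random number, auth parameter, key).
    param = hmac.new(ki, b"param" + rand, hashlib.sha256).digest()[:4]
    key = hmac.new(ki, b"key" + rand, hashlib.sha256).digest()[:8]
    return rand, param, key


def auth_value(triple):
    # Hash of authentication parameter and encryption key; SHA-256 is an
    # assumed choice for the "predetermined algorithm".
    _, param, key = triple
    return hashlib.sha256(param + key).digest()


def make_two_tuples(ki, count=5):
    # Operation management platform: (random number, authentication value).
    rands = [secrets.token_bytes(16) for _ in range(count)]
    return [(r, auth_value(derive_triple(ki, r))) for r in rands]


def session_key(value):
    # ASSUMPTION: the page only says both sides derive the same key from the
    # authentication value; this derivation is hypothetical.
    return hmac.new(value, b"session-key", hashlib.sha256).digest()


class ServicePlatform:
    """Per-terminal state held by the service platform."""

    def __init__(self, two_tuples):
        self.pool = dict(two_tuples)   # random number -> authentication value
        self.issued = set()            # random numbers already sent out
        self.spent = set()             # ASSUMPTION: each is verified at most once
        self.pending = None            # outstanding challenge from step 43

    def _next_unused(self):
        unused = [r for r in self.pool if r not in self.issued]
        if not unused:
            return None                # pool exhausted: fetch more two-tuples
        rand = secrets.choice(unused)
        self.issued.add(rand)
        return rand

    def _verify(self, rand, value):
        expected = self.pool.get(rand)
        ok = (expected is not None and rand not in self.spent
              and isinstance(value, bytes)
              and hmac.compare_digest(expected, value))  # constant-time compare
        self.spent.add(rand)
        # Steps 47/48: success and failure both carry a fresh random number.
        return ("pass" if ok else "fail", self._next_unused())

    def handle_request(self, f, rand=None, value=None):
        # Step 42: indicator bit f; step 49: is the carried random number valid?
        if f == 1 and rand in self.pool and rand not in self.spent:
            return self._verify(rand, value)          # step 410
        self.pending = self._next_unused()            # step 43
        return ("challenge", self.pending)

    def verify_response(self, value):                 # step 46
        rand, self.pending = self.pending, None
        return self._verify(rand, value)


class Terminal:
    def __init__(self, ki):
        self.ki = ki
        self.cached_rand = None        # random number from the last result

    def respond(self, rand):           # steps 44-45
        return auth_value(derive_triple(self.ki, rand))

    def build_request(self):
        if self.cached_rand is None:
            return {"f": 0}
        rand, self.cached_rand = self.cached_rand, None
        return {"f": 1, "rand": rand, "value": self.respond(rand)}


def run_demo(ki=b"constructed-key!"):
    # The key is a constructed sample value shared by terminal and platform side.
    platform = ServicePlatform(make_two_tuples(ki))
    term = Terminal(ki)
    kind, rand = platform.handle_request(**term.build_request())   # f = 0
    first, term.cached_rand = platform.verify_response(term.respond(rand))
    req = term.build_request()                                     # f = 1
    second, term.cached_rand = platform.handle_request(**req)
    replay, _ = platform.handle_request(**req)   # same two-tuple presented again
    return kind, first, second, replay


if __name__ == "__main__":
    print(run_demo())
```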
Fig. 5 is a flowchart of a preferred embodiment of the authentication method of the present invention when the UICC used by the IoT terminal is a USIM card. As shown in Fig. 5, the method comprises the following steps:
Step 51: The service platform receives a service authentication request from an IoT terminal.
When the IoT terminal needs to initiate an IoT service, it must first authenticate to the service platform, that is, send a service authentication request to the service platform; the request may carry indication information, a service authentication two-tuple, and so on.
In practice, a one-bit indicator f can be used as the indication information: a value of 1 indicates that the service authentication request carries a service authentication two-tuple, and a value of 0 indicates that it does not.
As described earlier, if the service authentication request carries a service authentication two-tuple, the random number + authentication token in that two-tuple is the random number + authentication token that the IoT terminal obtained from the previous authentication result, and the authentication value carried in the request is the one the IoT terminal generated from the authentication five-tuple corresponding to the random number + authentication token obtained from the previous authentication result.
After obtaining the random number + authentication token carried in the previous authentication result, the IoT terminal generates the corresponding authentication five-tuple in the same way as the HLR/AuC does, then generates the authentication value from that five-tuple in the same way as the operation management platform does, and thereby obtains the service authentication two-tuple.
Step 52: The service platform reads the indication information carried in the service authentication request and uses it to determine whether the request carries a service authentication two-tuple. If not, go to step 53; if so, go to step 59.
Step 53: The service platform sends the IoT terminal the random number + authentication token from one unused service authentication two-tuple that it obtained and saved in advance for that terminal. "Unused" means that the random number + authentication token in the two-tuple has never been sent to the IoT terminal.
Suppose the service platform has obtained and saved in advance five service authentication two-tuples for the IoT terminal, referred to for convenience as service authentication two-tuples 1, 2, 3, 4 and 5, and suppose that two-tuples 2, 3, 4 and 5 are unused. In this step the service platform can randomly select one unused two-tuple, for example service authentication two-tuple 2, and send its random number + authentication token to the IoT terminal.
Steps 54-55: The IoT terminal generates an authentication value from the authentication five-tuple corresponding to the received random number + authentication token and returns the generated authentication value to the service platform.
In this step, the IoT terminal generates the authentication five-tuple corresponding to the received random number + authentication token in the same way as the HLR/AuC does, and then generates the authentication value from that five-tuple in the same way as the operation management platform does.
Step 56: The service platform determines whether the received authentication value is consistent with the authentication value in the saved service authentication two-tuple that contains the random number + authentication token received by the IoT terminal. If so, go to step 57; otherwise, go to step 58.
Continuing the example from step 53, if the authentication value received by the service platform is consistent with the authentication value in service authentication two-tuple 2, go to step 57; otherwise, go to step 58.
Step 57: Authentication passes. The service platform sends an authentication success message to the IoT terminal, carrying the random number + authentication token from one unused service authentication two-tuple that the platform obtained and saved in advance for that terminal. The flow ends.
Continuing the example from step 53, since service authentication two-tuples 1 and 2 have been used, in this step one of the remaining three service authentication two-tuples can be selected at random, for example service authentication two-tuple 3, and its random number + authentication token is carried in the authentication success message sent to the IoT terminal.
Step 58: Authentication does not pass. The service platform sends an authentication failure message to the IoT terminal, carrying the random number + authentication token from one unused service authentication two-tuple that the platform obtained and saved in advance for that terminal. The flow ends.
Continuing the example from step 53, since service authentication two-tuples 1 and 2 have been used, in this step one of the remaining three service authentication two-tuples can be selected at random, for example service authentication two-tuple 3, and its random number + authentication token is carried in the authentication failure message sent to the IoT terminal.
Step 59: The service platform determines whether the random number + authentication token carried in the service authentication request is identical to the random number + authentication token in one of the saved service authentication two-tuples, that is, whether the random number + authentication token carried in the request is valid. If so, go to step 510; otherwise, go to step 53.
Step 510: The service platform determines whether the authentication value carried in the service authentication request is consistent with the authentication value in the saved service authentication two-tuple that contains the random number + authentication token carried in the request. If so, go to step 57; otherwise, go to step 58.
Suppose the authentication value carried in the service authentication request was generated from the random number + authentication token in service authentication two-tuple 1. Then, if the service platform determines that the authentication value carried in the request is consistent with the authentication value in the saved service authentication two-tuple 1, go to step 57; otherwise, go to step 58.
After authentication passes, the IoT terminal and the service platform can each generate the same session key from the authentication value used in the authentication process and use this session key to encrypt service data in transit, ensuring the security of the data exchanged between the IoT terminal and the service platform.
This completes the description of the method embodiments of the present invention.
Note that, for the messages exchanged between network elements in the above embodiments and preferred embodiments, only the content directly relevant to the scheme of the present invention has been described; what other content they need to carry can be decided according to actual requirements.
Based on the above, Fig. 6 is a schematic structural diagram of an embodiment of the service platform of the present invention. As shown in Fig. 6, it comprises a receiving module, a first authentication module and an acquisition module, and preferably may further comprise a second authentication module.
When the UICC used by the IoT terminal is a SIM card, the functions of the modules shown in Fig. 6 are as follows.
Receiving module: receives a service authentication request from an IoT terminal and passes it to the first authentication module.
First authentication module: sends the IoT terminal the random number in one unused service authentication two-tuple, saved in the acquisition module, that corresponds to the IoT terminal, where "unused" means that the random number therein has never been sent to the IoT terminal and a service authentication two-tuple comprises a random number and an authentication value; receives the authentication value that the IoT terminal returns, generated from the authentication triple corresponding to the received random number; if the received authentication value is consistent with the authentication value in the service authentication two-tuple, saved in the acquisition module, that contains the random number received by the IoT terminal, authentication passes; otherwise, it does not pass.
Acquisition module: obtains and saves the service authentication two-tuples corresponding to the IoT terminal.
The receiving module may further be used to pass the service authentication request to the second authentication module.
Correspondingly, the second authentication module reads the indication information carried in the service authentication request and uses it to determine whether the request carries a service authentication two-tuple. If not, it notifies the first authentication module to perform its function. If so, it determines whether the random number carried in the request is identical to the random number in one of the service authentication two-tuples saved in the acquisition module; if not, it notifies the first authentication module to perform its function; if so, it further determines whether the authentication value carried in the request is consistent with the authentication value in the service authentication two-tuple, saved in the acquisition module, that contains the random number carried in the request; if so, authentication passes; otherwise, it does not pass. The random numbers in the service authentication two-tuples saved in the acquisition module are all different.
The first authentication module and the second authentication module may further be used to notify the IoT terminal of the authentication result regardless of whether authentication passes, carrying in the authentication result the random number from one unused service authentication two-tuple, saved in the acquisition module, that corresponds to the IoT terminal. The random number carried in a service authentication request is the random number that the IoT terminal obtained from the previous authentication result, and the authentication value carried in the request is the one the IoT terminal generated from the authentication triple corresponding to the random number obtained from the previous authentication result.
In addition, before the receiving module receives the service authentication request, the acquisition module may request from the operation management platform the service authentication two-tuples corresponding to the IoT terminal and receive the service authentication two-tuples that the operation management platform returns. The returned two-tuples are generated by the operation management platform from authentication triples obtained from the authentication information providing device. Preferably, the operation management platform returns two or more service authentication two-tuples.
When the UICC used by the IoT terminal is a USIM card, the functions of the modules shown in Fig. 6 are as follows.
Receiving module: receives a service authentication request from an IoT terminal and passes it to the first authentication module.
First authentication module: sends the IoT terminal the random number + authentication token in one unused service authentication two-tuple, saved in the acquisition module, that corresponds to the IoT terminal, where "unused" means that the random number + authentication token therein has never been sent to the IoT terminal, a service authentication two-tuple comprises a random number + authentication token and an authentication value, and "+" denotes combination; receives the authentication value that the IoT terminal returns, generated from the authentication five-tuple corresponding to the received random number + authentication token; if the received authentication value is consistent with the authentication value in the saved service authentication two-tuple that contains the random number + authentication token received by the IoT terminal, authentication passes; otherwise, it does not pass.
Acquisition module: obtains and saves the service authentication two-tuples corresponding to the IoT terminal.
The receiving module may further be used to pass the service authentication request to the second authentication module.
Correspondingly, the second authentication module reads the indication information carried in the service authentication request and uses it to determine whether the request carries a service authentication two-tuple. If not, it notifies the first authentication module to perform its function. If so, it determines whether the random number + authentication token carried in the request is identical to the random number + authentication token in one of the service authentication two-tuples saved in the acquisition module; if not, it notifies the first authentication module to perform its function; if so, it further determines whether the authentication value carried in the request is consistent with the authentication value in the service authentication two-tuple, saved in the acquisition module, that contains the random number + authentication token carried in the request; if so, authentication passes; otherwise, it does not pass. The random number + authentication token values in the service authentication two-tuples saved in the acquisition module are all different.
The first authentication module and the second authentication module may further be used to notify the IoT terminal of the authentication result regardless of whether authentication passes, carrying in the authentication result the random number + authentication token from one unused service authentication two-tuple, saved in the acquisition module, that corresponds to the IoT terminal. The random number + authentication token carried in a service authentication request is the one that the IoT terminal obtained from the previous authentication result, and the authentication value carried in the request is the one the IoT terminal generated from the authentication five-tuple corresponding to the random number + authentication token obtained from the previous authentication result.
In addition, before the receiving module receives the service authentication request, the acquisition module may request from the operation management platform the service authentication two-tuples corresponding to the IoT terminal and receive the service authentication two-tuples that the operation management platform returns. The returned two-tuples are generated by the operation management platform from authentication five-tuples obtained from the authentication information providing device. Preferably, the operation management platform returns two or more service authentication two-tuples.
The present invention also discloses an embodiment of an IoT terminal, comprising a third authentication module.
When the UICC used by the IoT terminal is a SIM card, the function of the third authentication module is as follows.
Third authentication module: when an IoT service needs to be initiated, sends a service authentication request to the service platform; and, before an authentication result is obtained, if it receives a random number sent by the service platform, generates an authentication value from the authentication triple corresponding to that random number and returns it to the service platform.
The third authentication module may further be used to set indication information in the service authentication request to indicate whether the request carries a service authentication two-tuple and, when the indication information indicates that the request carries a service authentication two-tuple, to set in the request a service authentication two-tuple comprising: the random number obtained from the previous authentication result sent by the service platform, and the authentication value generated from the authentication triple corresponding to the random number obtained from the previous authentication result.
The authentication triple comprises: a random number, an authentication parameter and an encryption key.
The third authentication module generates the authentication triple from the random number, computes according to a predetermined algorithm the hash value of the authentication parameter and the encryption key in the authentication triple, uses the result as the authentication value in the service authentication two-tuple, and uses the random number in the authentication triple as the random number in the service authentication two-tuple.
When the UICC used by the IoT terminal is a USIM card, the function of the third authentication module is as follows.
Third authentication module: when an IoT service needs to be initiated, sends a service authentication request to the service platform; and, before an authentication result is obtained, if it receives a random number + authentication token sent by the service platform, generates an authentication value from the authentication five-tuple corresponding to that random number + authentication token and returns it to the service platform, where "+" denotes combination.
The third authentication module may further be used to set indication information in the service authentication request to indicate whether the request carries a service authentication two-tuple and, when the indication information indicates that the request carries a service authentication two-tuple, to set in the request a service authentication two-tuple comprising: the random number + authentication token obtained from the previous authentication result sent by the service platform, and the authentication value generated from the authentication five-tuple corresponding to the random number + authentication token obtained from the previous authentication result.
The authentication five-tuple comprises: a random number, an authentication parameter, an encryption key, an integrity key and an authentication token.
The third authentication module generates the authentication five-tuple from the random number + authentication token, computes according to a predetermined algorithm the hash value of the encryption key in the authentication five-tuple, uses the result as the authentication value in the service authentication two-tuple, and uses the random number + authentication token in the authentication five-tuple as the random number + authentication token in the service authentication two-tuple.
For the detailed workflow of the above device embodiments, refer to the corresponding description in the preceding method embodiments; it is not repeated here.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (22)

1. An authentication method in an Internet of Things system, applicable to the scenario in which the Universal Integrated Circuit Card (UICC) used by an IoT terminal is a Subscriber Identity Module (SIM), characterized by comprising:
A. a service platform receives a service authentication request from an IoT terminal;
B. the service platform sends the IoT terminal the random number in one unused service authentication two-tuple that it has obtained and saved and that corresponds to the IoT terminal, where "unused" means that the random number therein has never been sent to the IoT terminal; wherein a service authentication two-tuple comprises a random number and an authentication value;
receiving the authentication value that the IoT terminal returns, generated from the authentication triple corresponding to the received random number; if the received authentication value is consistent with the authentication value in the saved service authentication two-tuple that contains the random number received by the IoT terminal, authentication passes; otherwise, it does not pass;
before step B, the method further comprises:
the service platform reads the indication information carried in the service authentication request and determines from the indication information whether the request carries a service authentication two-tuple; if not, step B is performed;
if so, the service platform determines whether the random number carried in the service authentication request is identical to the random number in one of the saved service authentication two-tuples; if not, step B is performed; if so, it further determines whether the authentication value carried in the service authentication request is consistent with the authentication value in the saved service authentication two-tuple that contains the random number carried in the request; if so, authentication passes; otherwise, it does not pass; wherein the random numbers in the service authentication two-tuples saved in the service platform are all different.
2. The method according to claim 1, characterized in that the method further comprises:
regardless of whether authentication passes, the service platform notifies the IoT terminal of the authentication result and carries in the authentication result the random number from one unused service authentication two-tuple that the service platform has obtained and saved and that corresponds to the IoT terminal; the random number carried in the service authentication request is the random number that the IoT terminal obtained from the previous authentication result, and the authentication value carried in the service authentication request is the authentication value that the IoT terminal generated from the authentication triple corresponding to the random number obtained from the previous authentication result.
3. The method according to claim 2, characterized in that the service platform obtaining the service authentication two-tuples corresponding to the IoT terminal comprises:
before receiving the service authentication request, the service platform requests from an operation management platform the service authentication two-tuples corresponding to the IoT terminal and receives the service authentication two-tuples that the operation management platform returns;
the service authentication two-tuples returned by the operation management platform are generated by the operation management platform from authentication triples obtained from an authentication information providing device;
the number of service authentication two-tuples returned by the operation management platform is two or more.
4. The method according to claim 3, characterized in that:
the authentication triple comprises: a random number, an authentication parameter and an encryption key;
generating a service authentication two-tuple from an authentication triple comprises: computing according to a predetermined algorithm the hash value of the authentication parameter and the encryption key in the authentication triple, using the result as the authentication value in the service authentication two-tuple, and using the random number in the authentication triple as the random number in the service authentication two-tuple.
5. The method according to claim 1, 2 or 3, characterized in that the method further comprises:
if authentication passes, the IoT terminal and the service platform each generate the same session key from the authentication value used in the authentication process and use the session key to encrypt service data in transit.
6. An authentication method in an Internet of Things system, applicable to the scenario in which the Universal Integrated Circuit Card (UICC) used by an IoT terminal is a Universal Subscriber Identity Module (USIM), characterized by comprising:
A. a service platform receives a service authentication request from an IoT terminal;
B. the service platform sends the IoT terminal the random number + authentication token in one unused service authentication two-tuple that it has obtained and saved and that corresponds to the IoT terminal, where "unused" means that the random number + authentication token therein has never been sent to the IoT terminal; wherein a service authentication two-tuple comprises a random number + authentication token and an authentication value, and "+" denotes combination;
receiving the authentication value that the IoT terminal returns, generated from the authentication five-tuple corresponding to the received random number + authentication token; if the received authentication value is consistent with the authentication value in the saved service authentication two-tuple that contains the random number + authentication token received by the IoT terminal, authentication passes; otherwise, it does not pass;
before step B, the method further comprises:
the service platform reads the indication information carried in the service authentication request and determines from the indication information whether the request carries a service authentication two-tuple; if not, step B is performed;
if so, the service platform determines whether the random number + authentication token carried in the service authentication request is identical to the random number + authentication token in one of the saved service authentication two-tuples; if not, step B is performed; if so, it further determines whether the authentication value carried in the service authentication request is consistent with the authentication value in the saved service authentication two-tuple that contains the random number + authentication token carried in the request; if so, authentication passes; otherwise, it does not pass; wherein the random number + authentication token values in the service authentication two-tuples saved in the service platform are all different.
7. The method according to claim 6, characterized in that the method further comprises:
regardless of whether authentication passes, the business platform notifies the internet-of-things terminal of the authentication result, and the authentication result carries the random number+authentication token in one unused service authentication two-tuple that the business platform has obtained and saved and that corresponds to the internet-of-things terminal; the random number+authentication token carried in the service authentication request is the one that the internet-of-things terminal obtained from the previous authentication result, and the authentication value carried in the service authentication request is the one that the internet-of-things terminal generated according to the authentication five-tuple corresponding to the random number+authentication token obtained from the previous authentication result.
8. The method according to claim 7, characterized in that the business platform obtaining the service authentication two-tuple corresponding to the internet-of-things terminal comprises:
before receiving the service authentication request, the business platform requests from the operation management platform the service authentication two-tuples corresponding to the internet-of-things terminal, and receives the service authentication two-tuples returned by the operation management platform;
the service authentication two-tuples returned by the operation management platform are generated by the operation management platform according to authentication five-tuples obtained from the authentication information providing device;
the number of service authentication two-tuples returned by the operation management platform is two or more.
9. The method according to claim 8, characterized in that:
the authentication five-tuple comprises: a random number, an authentication parameter, an encryption key, an integrity key and an authentication token;
generating a service authentication two-tuple according to an authentication five-tuple comprises: calculating, according to a predetermined algorithm, the hash value of the encryption key in the authentication five-tuple, taking the result as the authentication value in the service authentication two-tuple, and taking the random number+authentication token in the authentication five-tuple as the random number+authentication token in the service authentication two-tuple.
10. The method according to claim 6, 7 or 8, characterized in that the method further comprises:
if authentication passes, the internet-of-things terminal and the business platform each generate an identical session key according to the authentication value used in the authentication process, and use the session key for encrypted transmission of transaction data.
11. A business platform, applicable to the scenario in which the Universal Integrated Circuit Card (UICC) used by the internet-of-things terminal is a Subscriber Identity Module (SIM), characterized in that it comprises:
a receiver module, configured to receive a service authentication request from an internet-of-things terminal and forward it to the first authentication module;
the first authentication module, configured to send to the internet-of-things terminal the random number in one unused service authentication two-tuple that is saved in the acquisition module and corresponds to the internet-of-things terminal, where "unused" means that the random number in the two-tuple has not been sent to the internet-of-things terminal; the service authentication two-tuple comprises a random number and an authentication value; and to receive the authentication value returned by the internet-of-things terminal, which the terminal generated according to the authentication triple corresponding to the received random number; if the received authentication value is consistent with the authentication value in the service authentication two-tuple, saved in the acquisition module, that contains the random number the internet-of-things terminal received, authentication passes; otherwise, it does not pass;
an acquisition module, configured to obtain and save the service authentication two-tuples corresponding to the internet-of-things terminal;
the business platform further comprises a second authentication module;
the receiver module is further configured to send the service authentication request to the second authentication module;
the second authentication module is configured to read the configured information carried in the service authentication request and determine, according to the configured information, whether the service authentication request carries a service authentication two-tuple; if not, to notify the first authentication module to perform its own function; if so, to determine whether the random number carried in the service authentication request is identical to the random number in a service authentication two-tuple saved in the acquisition module; if not, to notify the first authentication module to perform its own function; if so, to further determine whether the authentication value carried in the service authentication request is consistent with the authentication value in the service authentication two-tuple, saved in the acquisition module, that contains the random number carried in the request; if so, authentication passes; otherwise, it does not pass; wherein the random numbers in the service authentication two-tuples saved in the acquisition module are all different.
12. The business platform according to claim 11, characterized in that:
the first authentication module and the second authentication module are further configured to notify the internet-of-things terminal of the authentication result regardless of whether authentication passes, and to carry in the authentication result the random number in one unused service authentication two-tuple that is saved in the acquisition module and corresponds to the internet-of-things terminal; the random number carried in the service authentication request is the one that the internet-of-things terminal obtained from the previous authentication result, and the authentication value carried in the service authentication request is the one that the internet-of-things terminal generated according to the authentication triple corresponding to the random number obtained from the previous authentication result.
13. The business platform according to claim 12, characterized in that:
before the receiver module receives the service authentication request, the acquisition module requests from the operation management platform the service authentication two-tuples corresponding to the internet-of-things terminal, and receives the service authentication two-tuples returned by the operation management platform;
the service authentication two-tuples returned by the operation management platform are generated by the operation management platform according to authentication triples obtained from the authentication information providing device;
the number of service authentication two-tuples returned by the operation management platform is two or more.
14. A business platform, applicable to the scenario in which the Universal Integrated Circuit Card (UICC) used by the internet-of-things terminal is a Global Subscriber Identity Module (USIM), characterized in that it comprises:
a receiver module, configured to receive a service authentication request from an internet-of-things terminal and forward it to the first authentication module;
the first authentication module, configured to send to the internet-of-things terminal the random number+authentication token in one unused service authentication two-tuple that is saved in the acquisition module and corresponds to the internet-of-things terminal, where "unused" means that the random number+authentication token in the two-tuple has not been sent to the internet-of-things terminal; the service authentication two-tuple comprises the random number+authentication token and an authentication value, "+" denoting combination; and to receive the authentication value returned by the internet-of-things terminal, which the terminal generated according to the authentication five-tuple corresponding to the received random number+authentication token; if the received authentication value is consistent with the authentication value in the saved service authentication two-tuple containing the random number+authentication token that the internet-of-things terminal received, authentication passes; otherwise, it does not pass;
an acquisition module, configured to obtain and save the service authentication two-tuples corresponding to the internet-of-things terminal;
the business platform further comprises a second authentication module;
the receiver module is further configured to send the service authentication request to the second authentication module;
the second authentication module is configured to read the configured information carried in the service authentication request and determine, according to the configured information, whether the service authentication request carries a service authentication two-tuple; if not, to notify the first authentication module to perform its own function; if so, to determine whether the random number+authentication token carried in the service authentication request is identical to the random number+authentication token in a service authentication two-tuple saved in the acquisition module; if not, to notify the first authentication module to perform its own function; if so, to further determine whether the authentication value carried in the service authentication request is consistent with the authentication value in the service authentication two-tuple, saved in the acquisition module, that contains the random number+authentication token carried in the request; if so, authentication passes; otherwise, it does not pass; wherein the random number+authentication tokens in the service authentication two-tuples saved in the acquisition module are all different.
15. The business platform according to claim 14, characterized in that:
the first authentication module and the second authentication module are further configured to notify the internet-of-things terminal of the authentication result regardless of whether authentication passes, and to carry in the authentication result the random number+authentication token in one unused service authentication two-tuple that is saved in the acquisition module and corresponds to the internet-of-things terminal; the random number+authentication token carried in the service authentication request is the one that the internet-of-things terminal obtained from the previous authentication result, and the authentication value carried in the service authentication request is the one that the internet-of-things terminal generated according to the authentication five-tuple corresponding to the random number+authentication token obtained from the previous authentication result.
16. The business platform according to claim 15, characterized in that:
before the receiver module receives the service authentication request, the acquisition module requests from the operation management platform the service authentication two-tuples corresponding to the internet-of-things terminal, and receives the service authentication two-tuples returned by the operation management platform;
the service authentication two-tuples returned by the operation management platform are generated by the operation management platform according to authentication five-tuples obtained from the authentication information providing device;
the number of service authentication two-tuples returned by the operation management platform is two or more.
17. An internet-of-things terminal whose Universal Integrated Circuit Card (UICC) is a Subscriber Identity Module (SIM), characterized in that it comprises:
a third authentication module, configured to send a service authentication request to the business platform when an internet-of-things service needs to be initiated; and, before the authentication result is obtained, if a random number sent by the business platform is received, to generate an authentication value according to the authentication triple corresponding to that random number and return it to the business platform;
the third authentication module is further configured to set configured information in the service authentication request to indicate whether the service authentication request carries a service authentication two-tuple, and, when the configured information indicates that the service authentication request carries a service authentication two-tuple, to set the service authentication two-tuple in the service authentication request.
18. The internet-of-things terminal according to claim 17, characterized in that the service authentication two-tuple that the third authentication module sets in the service authentication request comprises: the random number obtained from the previous authentication result sent by the business platform, and the authentication value generated according to the authentication triple corresponding to the random number obtained from the previous authentication result.
19. The internet-of-things terminal according to claim 18, characterized in that:
the authentication triple comprises: a random number, an authentication parameter and an encryption key;
the third authentication module generates the authentication triple according to the random number, calculates, according to a predetermined algorithm, the hash value of the authentication parameter and the encryption key in the authentication triple, takes the result as the authentication value in the service authentication two-tuple, and takes the random number in the authentication triple as the random number in the service authentication two-tuple.
20. An internet-of-things terminal whose Universal Integrated Circuit Card (UICC) is a Global Subscriber Identity Module (USIM), characterized in that it comprises:
a third authentication module, configured to send a service authentication request to the business platform when an internet-of-things service needs to be initiated; and, before the authentication result is obtained, if a random number+authentication token sent by the business platform is received, to generate an authentication value according to the authentication five-tuple corresponding to that random number+authentication token and return it to the business platform, "+" denoting combination;
the third authentication module is further configured to set configured information in the service authentication request to indicate whether the service authentication request carries a service authentication two-tuple, and, when the configured information indicates that the service authentication request carries a service authentication two-tuple, to set the service authentication two-tuple in the service authentication request.
21. The internet-of-things terminal according to claim 20, characterized in that the service authentication two-tuple that the third authentication module sets in the service authentication request comprises: the random number+authentication token obtained from the previous authentication result sent by the business platform, and the authentication value generated according to the authentication five-tuple corresponding to the random number+authentication token obtained from the previous authentication result.
22. The internet-of-things terminal according to claim 21, characterized in that:
the authentication five-tuple comprises: a random number, an authentication parameter, an encryption key, an integrity key and an authentication token;
the third authentication module generates the authentication five-tuple according to the random number+authentication token, calculates, according to a predetermined algorithm, the hash value of the encryption key in the authentication five-tuple, takes the result as the authentication value in the service authentication two-tuple, and takes the random number+authentication token in the authentication five-tuple as the random number+authentication token in the service authentication two-tuple.
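
The USIM flow of claims 6 to 9 (one-time challenges, the carried two-tuple checked before step b, a fresh challenge returned with every result) is sketched below as an added Python example that is not part of the patent. Assumptions: SHA-256 as the predetermined algorithm, an HMAC stand-in for the card's key derivation, all class and function names, and the choice to consume each issued challenge on its first check so that a captured request cannot be replayed.

```python
import hashlib
import hmac
import os


def usim_ck(k: bytes, rand_autn: bytes) -> bytes:
    """Stand-in for the card/operator derivation of the encryption key.
    Assumption: a real USIM runs an operator algorithm; HMAC-SHA256 is
    used here only so the example runs offline."""
    return hmac.new(k, b"CK" + rand_autn, hashlib.sha256).digest()[:16]


def auth_value(ck: bytes) -> bytes:
    """Claim 9: authentication value = hash of the encryption key.
    Assumption: SHA-256 is the predetermined algorithm."""
    return hashlib.sha256(ck).digest()


def make_two_tuples(k: bytes, count: int) -> list:
    """Operation-management side: derive `count` two-tuples from five-tuples."""
    tuples = []
    for _ in range(count):
        rand_autn = os.urandom(32)  # constructed random number+token, 16 bytes each
        tuples.append((rand_autn, auth_value(usim_ck(k, rand_autn))))
    return tuples


class Platform:
    def __init__(self, two_tuples):
        self.unused = dict(two_tuples)  # challenges never sent to the terminal
        self.issued = {}                # challenges sent, answer not yet checked

    def issue(self):
        """Step b: hand out one unused challenge (None when the store is empty
        and more two-tuples must be requested first)."""
        if not self.unused:
            return None
        challenge, expected = self.unused.popitem()
        self.issued[challenge] = expected
        return challenge

    def verify(self, challenge, value) -> bool:
        """Constant-time comparison; popping makes every challenge single-use."""
        expected = self.issued.pop(challenge, None)
        return expected is not None and hmac.compare_digest(expected, value)

    def on_request(self, carried=None):
        """Check before step b. Returns (status, challenge): 'challenge' when
        step b runs, else 'pass' or 'fail' with the next challenge (claim 7)."""
        if carried is None or carried[0] not in self.issued:
            return "challenge", self.issue()
        status = "pass" if self.verify(*carried) else "fail"
        return status, self.issue()

    def on_response(self, challenge, value):
        """Terminal's answer to a step-b challenge."""
        status = "pass" if self.verify(challenge, value) else "fail"
        return status, self.issue()


class Terminal:
    def __init__(self, k: bytes):
        self.k = k

    def answer(self, challenge: bytes):
        """Build the two-tuple for a challenge received from the platform."""
        return challenge, auth_value(usim_ck(self.k, challenge))
```

Only challenges the platform has actually sent are accepted in a carried two-tuple here, which is stricter than "identical to a saved two-tuple" in claim 6.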
CN201210280775.XA 2012-08-08 2012-08-08 Authentication method and device in system of Internet of Things Active CN103581154B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210280775.XA CN103581154B (en) 2012-08-08 2012-08-08 Authentication method and device in system of Internet of Things

Publications (2)

Publication Number Publication Date
CN103581154A CN103581154A (en) 2014-02-12
CN103581154B true CN103581154B (en) 2017-01-25

Family

ID=50052089

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210280775.XA Active CN103581154B (en) 2012-08-08 2012-08-08 Authentication method and device in system of Internet of Things

Country Status (1)

Country Link
CN (1) CN103581154B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1756428A (en) * 2004-09-30 2006-04-05 华为技术有限公司 Method for carrying out authentication for terminal user identification module in IP multimedia subsystem
CN101123778A (en) * 2007-09-29 2008-02-13 大唐微电子技术有限公司 Network access authentication method and its USIM card
CN101990204A (en) * 2009-08-07 2011-03-23 中国移动通信集团公司 Method and device for accessing service by using card inserted terminal

Also Published As

Publication number Publication date
CN103581154A (en) 2014-02-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant